Sirefef, conedex variants with olmarik.AYD trojan


  • This topic is locked
19 replies to this topic

#1 _Relolelo

  • Members
  • 11 posts

Posted 25 August 2012 - 05:15 PM

Hi guys,

I told my sister to sign up on this website, so I'm logged in since she has no clue what to do or say.

What she told me is that she opened up an attachment from a friend, and that's when hell broke loose.
We currently have NOD32 ESET Smart Security 5.2.9.1 and MBAM as our antiviruses. However, these pesky viruses won't go away and keep regenerating. Hopefully you guys can help us out. :/
I followed the instructions you guys have. I have downloaded dds, a gmer, and disabled the cd emulator.

Currently, she has the following:
Wing32/sirefef.fc trojan under C:\WINDOWS\SYSTEM32\SERVICES
Win32/Olmarik.AYD trojan under C:\ProgramData\Microsoft\Windows\DRM\7F3D.tmp
Win32/Conedex.E trojan under C:\Windows\Installer\{a0ac0dbb-9c23-59da-b987-f455195afed9}\U\000000cb.@
Win32/Conedex.D trojan under C:\Windows\Installer\{a0ac0dbb-9c23-59da-b987-f455195afed9}\U\00000004.@

However, before I was able to get my hands on this computer, she took it upon her own hands to fix the problem, so she downloaded the sirefefremover and olmarik cleaner from ESET. Dunno if they worked or not.

Hopefully you guys can help.

Here's the DDS log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Ardena Tejada at 15:58:13 on 2012-08-24
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1916.959 [GMT -6:00]
.
AV: ESET Smart Security 5.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 5.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
"C:\Windows\System32\svchost.exe" -k LocalServiceDns
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
StartupFolder: c:\users\ardena~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{DFB61F24-5790-4A24-B330-E95B1B93F57E} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{DFB61F24-5790-4A24-B330-E95B1B93F57E}\541676C656 : DhcpNameServer = 68.94.156.1 68.94.157.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ardena tejada\appdata\roaming\mozilla\firefox\profiles\gehnh8tj.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\mycamera download plugin\NPCIG.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_271.dll
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.brc - BRI/1
.
============= SERVICES / DRIVERS ===============
.
R0 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2012-3-14 50624]
R1 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2012-3-14 169080]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\drivers\EpfwLWF.sys [2012-3-14 33656]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2012-3-7 913144]
R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2011-4-19 69232]
S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 250056]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 esihdrv;esihdrv;c:\users\ardena~1\appdata\local\temp\esihdrv.sys [2012-7-24 107256]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-6-19 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 113120]
S3 OlmarikFixer;Olmarik fixer kernel-mode driver;c:\windows\system32\drivers\OlmarikFixer.sys [2012-7-24 23368]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-3-18 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-3-17 1343400]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2011-8-5 268512]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-07-27 20:51:30 184248 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2012-08-17 00:37:34 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-17 00:37:34 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-24 22:55:49 23368 ----a-w- c:\windows\system32\drivers\OlmarikFixer.sys
2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 21:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 21:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45:03 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-05-31 18:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 15:59:38.67 ===============

And here is the Gmer log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-24 16:48:16
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdePort1 WDC_WD2500BEVT-00A23T0 rev.01.01A01
Running: os25t4ep.exe; Driver: C:\Users\ARDENA~1\AppData\Local\Temp\kgloapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0x8D4E17F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0x8D4E18B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSystemInformation [0x8D4E1870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0x8D4E1830]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 828823C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 828BBD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1203 828C2EB8 4 Bytes [F0, 17, 4E, 8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1313 828C2FC8 4 Bytes [B0, 18, 4E, 8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 161F 828C32D4 4 Bytes [70, 18, 4E, 8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1667 828C331C 4 Bytes [30, 18, 4E, 8D]
? C:\Users\ARDENA~1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\Windows\system32\services.exe[496] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: mswsock.dllunknown module: MSWSOCK.dll
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1484] kernel32.dll!SetUnhandledExceptionFilter 769AF4FB 4 Bytes [C2, 04, 00, 00]
.text C:\Windows\System32\svchost.exe[2600] USER32.dll!GetCursorPos 75CCA4B3 5 Bytes JMP 00B4000A
.text C:\Windows\System32\svchost.exe[2600] USER32.dll!DialogBoxIndirectParamAorW 75CF3B40 5 Bytes JMP 00B5000A
.text C:\Windows\System32\svchost.exe[2600] ole32.dll!CoCreateInstance 760D9D0B 5 Bytes JMP 00B3000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000046 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Since I'm new here, if I made a mistake please correct me.
Thanks for your help guys, I'll be waiting for your reply :)
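As an added example (not code from the thread or from the BleepingComputer team), here is a small Python triage script that applies defender-side heuristics to DDS and GMER log lines of the kind posted above: a kernel driver loading from a user temp directory, the Windows\Installer\{GUID}\U\ path layout from the poster's Conedex detections, a GMER image-checksum mismatch inside services.exe, and GMER's sector-0 warning. The heuristics, the severity labels and the sample lines (user name replaced) are my own constructions, not DDS or GMER output.

```python
"""Defender-side triage of DDS / GMER log lines (added example, not from the thread).

Heuristics are my own, not DDS or GMER output.  Sample lines are constructed
after the thread's logs (user name replaced) plus one path built from the
poster's ESET detection under C:\\Windows\\Installer\\{GUID}\\U\\.
"""
import re

# DDS "SERVICES / DRIVERS" line: "<R|S><n> <name>;<display name>;<path> [<date> <size>]"
DDS_SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[[^\]]*\]$")
# A kernel driver whose image lives under a user's local temp directory.
USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# The Windows\Installer\{GUID}\U\ layout shown in the poster's Conedex detections.
INSTALLER_U_RE = re.compile(r"\\windows\\installer\\\{[0-9a-f-]{36}\}\\u\\", re.I)
# GMER "User code sections" warning: "? <process>[pid] <module> image checksum mismatch; ..."
GMER_MISMATCH_RE = re.compile(r"^\? (\S+)\[(\d+)\] (\S+) (image checksum mismatch.*)$")


def triage_line(line):
    """Return [(severity, reason), ...] for one DDS or GMER log line."""
    findings = []

    m = DDS_SERVICE_RE.match(line)
    if m:
        _kind, name, _display, path = m.groups()
        # Review item, not a verdict: scanner tools also drop drivers here
        # (GMER's own driver ran from ...\Temp\kgloapow.sys in this thread).
        if path.lower().endswith(".sys") and USER_TEMP_RE.search(path):
            findings.append(("medium", f"driver '{name}' loads from a user temp directory: {path}"))

    if INSTALLER_U_RE.search(line):
        findings.append(("high", "path uses the Windows\\Installer\\{GUID}\\U\\ layout seen in the poster's Conedex detections"))

    m = GMER_MISMATCH_RE.match(line)
    if m:
        proc, pid, _module, detail = m.groups()
        proc_name = proc.rsplit("\\", 1)[-1].lower()
        if proc_name == "services.exe":
            # The poster's Sirefef detection was reported under system32\SERVICES.
            findings.append(("high", f"GMER reports '{detail}' in services.exe (pid {pid})"))
        else:
            findings.append(("low", f"GMER reports '{detail}' in {proc_name} (pid {pid})"))

    if "rootkit-like behavior" in line:
        findings.append(("high", "GMER flags rootkit-like behaviour on the disk's sector 0 (the MBR)"))

    return findings


def triage(lines):
    """Apply triage_line to every line; returns [(line, severity, reason), ...]."""
    return [(line, sev, why) for line in lines for sev, why in triage_line(line.rstrip("\r\n"))]


# Constructed sample input, patterned on the DDS and GMER logs in the thread.
SAMPLE_LINES = [
    "S3 esihdrv;esihdrv;c:\\users\\user~1\\appdata\\local\\temp\\esihdrv.sys [2012-7-24 107256]",
    "R2 ekrn;ESET Service;c:\\program files\\eset\\eset smart security\\ekrn.exe [2012-3-7 913144]",
    "? C:\\Windows\\system32\\services.exe[496] C:\\Windows\\system32\\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: mswsock.dll",
    "Disk \\Device\\Harddisk0\\DR0 sector 00: rootkit-like behavior",
    "C:\\Windows\\Installer\\{a0ac0dbb-9c23-59da-b987-f455195afed9}\\U\\000000cb.@",
]

if __name__ == "__main__":
    for line, sev, why in triage(SAMPLE_LINES):
        print(f"[{sev:6}] {why}\n         {line}")
```

Run it over a saved DDS or GMER log with `triage(open(path).readlines())`; the medium finding on a temp-directory driver is a prompt to check the vendor of that file, not a verdict.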



#2 gringo_pr

  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 26 August 2012 - 04:11 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 _Relolelo

  • Topic Starter
  • Members
  • 11 posts

Posted 28 August 2012 - 05:12 PM

Here is the security check log


Results of screen317's Security Check version 0.99.46
Windows 7 Service Pack 1 x86
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
ESET Smart Security 5.2
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
Java 7 Update 6
Adobe Flash Player 11.3.300.271
Adobe Reader X (10.1.4)
Mozilla Firefox (14.0.1)
````````Process Check: objlist.exe by Laurent````````
ESET NOD32 Antivirus egui.exe
ESET NOD32 Antivirus ekrn.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````

And here is the ComboFix log

ComboFix 12-08-25.04 - Ardena Tejada 08/27/2012 21:26:18.2.1 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1916.1166 [GMT -6:00]
Running from: c:\users\Ardena Tejada\Desktop\ComboFix.exe
AV: ESET Smart Security 5.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 5.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-28 )))))))))))))))))))))))))))))))
.
.
2012-08-28 03:35 . 2012-08-28 03:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-28 02:41 . 2012-08-28 03:35 -------- d-----w- c:\users\Ardena Tejada\AppData\Local\temp
2012-08-28 01:44 . 2012-08-28 01:44 -------- d-----w- c:\program files\Common Files\Java
2012-08-28 01:44 . 2012-08-28 01:43 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-28 01:43 . 2012-08-28 01:43 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-28 01:43 . 2012-08-28 01:43 -------- d-----w- c:\program files\Java
2012-08-28 01:40 . 2012-08-28 01:40 -------- d-----w- c:\programdata\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-28 01:43 . 2012-03-18 04:02 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-17 00:37 . 2012-04-01 19:14 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-17 00:37 . 2012-03-17 22:20 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-24 22:55 . 2012-07-24 22:55 23368 ----a-w- c:\windows\system32\drivers\OlmarikFixer.sys
2012-07-16 08:41 . 2012-07-24 22:54 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AF082A02-E03E-44BD-9E79-F00339BD434B}\mpengine.dll
2012-06-06 05:05 . 2012-07-24 07:38 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05 . 2012-07-24 07:38 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03 . 2012-07-24 07:38 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:19 . 2012-06-21 19:06 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 19:06 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 19:06 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 19:06 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 19:06 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 19:06 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 19:06 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 21:19 . 2012-06-21 19:05 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 21:12 . 2012-06-21 19:05 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33 . 2012-07-24 07:39 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25 . 2012-07-24 07:39 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25 . 2012-07-24 07:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20 . 2012-07-24 07:39 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16 . 2012-07-24 07:39 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45 . 2012-07-24 07:39 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45 . 2012-07-24 07:39 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40 . 2012-07-24 07:39 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40 . 2012-07-24 07:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39 . 2012-07-24 07:39 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-05-31 18:25 . 2012-03-20 19:58 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-08-06 04:18 . 2012-03-18 04:33 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 172568]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2012-03-07 3117344]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\Ardena Tejada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.361.0\BBSvc.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 esihdrv;esihdrv;c:\users\ARDENA~1\AppData\Local\Temp\esihdrv.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 OlmarikFixer;Olmarik fixer kernel-mode driver;c:\windows\system32\drivers\OlmarikFixer.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [x]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [x]
S3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.361.0\SeaPort.exe [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 00:37]
.
2012-08-24 c:\windows\Tasks\hpwebreg_xxxxxxxxxx.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\hpwebreg.exe [2010-11-17 02:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Ardena Tejada\AppData\Roaming\Mozilla\Firefox\Profiles\gehnh8tj.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: network.proxy.type - 0
FF - user.js: general.useragent.extra.brc - BRI/1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-27 21:38:48
ComboFix-quarantined-files.txt 2012-08-28 03:38
.
Pre-Run: 180,094,103,552 bytes free
Post-Run: 180,049,776,640 bytes free
.
- - End Of File - - 49B44A2CB06E7D655C2A056013B46967

In the process of this, I made a mistake by accident.
This is what happened, by accident I deleted the first combofix log that it created. Because I turned off the computer, I got a message that it said windows will be configured to its earlier stage, so this combofix log that you are seeing is the one I did after I saw that message. I ran combofix again but forgot that it deletes everything that is in the recycle bin. I am such a fool for this, and I apologize for this stupid mistake. I feel so bad.
I do remember reading the first log, cleaned the services.exe that was infected and quarantined all the other viruses except olmarik, and that the file spoolsv.exe was missing.
By any chance you wouldn't know how to recover a deleted file (the first combofix log)??
I am sooo soo sorry for this huge mistake.

And to answer your question on how the computer is doing, it's doing fine; however, for some reason, I cannot connect to Google, but can use all other websites. Dunno if combofix did something that caused this.

Thank you for your help, I'll be awaiting your reply.

To note, spoolsv.exe does not show up in my processes in Task Manager.

Edited by _Relolelo, 28 August 2012 - 05:13 PM.


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:52 PM

Posted 28 August 2012 - 07:47 PM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\ComboFix-quarantined-files.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 _Relolelo

_Relolelo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:52 AM

Posted 28 August 2012 - 10:14 PM

Hello Gringo,
Here is the extra combofix report

2012-08-28 02:34:15 . 2012-08-28 03:32:48 7,052 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-08-28 02:23:57 . 2012-08-28 03:26:18 164 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-08-28 02:13:12 . 2012-08-28 02:13:12 804 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{a0ac0dbb-9c23-59da-b987-f455195afed9}\L\00000004.@.vir
2012-07-26 21:40:45 . 2012-07-26 21:40:45 232,960 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{a0ac0dbb-9c23-59da-b987-f455195afed9}\U\00000008.@.vir
2012-06-01 20:45:35 . 2012-06-01 20:45:35 231,430 ----a-w- C:\Qoobox\Quarantine\C\Users\Ardena Tejada\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D245A438-A74E-4D8A-9CDE-AE6A5A7BF843}.xps.vir
2012-04-19 04:46:45 . 2012-04-19 04:46:45 156,246 ----a-w- C:\Qoobox\Quarantine\C\Users\Ardena Tejada\AppData\Local\Microsoft\Windows\Temporary Internet Files\{CA7BF4BF-58B6-4B63-B733-EB5ADAC6329D}.xps.vir
2012-03-17 21:50:59 . 2011-11-17 05:38:39 2,048 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{a0ac0dbb-9c23-59da-b987-f455195afed9}\@.vir
2009-07-13 23:11:26 . 2009-07-14 01:14:36 259,072 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir


I also want to add that for some reason the security updates are not installing. Do you know why?

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:52 PM

Posted 28 August 2012 - 10:19 PM

Greetings


By any chance you wouldn't know how to recover a deleted file (the first combofix log)??

combofix does not back up files in the recycle bin, so there are no backups



I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

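The TDSSKiller report requested above is a sequence of timestamped lines: for each scanned service a bracketed MD5 with the service name and image path, followed by a `<name> - <verdict>` line, with `==== Scan <section> ====` banners between sections. As an added example (not code from this thread or from the tool's authors), here is a small Python parser that pairs those lines, tracks the current section, and flags what a reviewer reading such a report would look at first: verdicts other than `ok`, and services for which no MD5 was printed (the tool hashed no image file for that service, so its registry entry deserves a look). The sample lines are constructed to match the format; `ExampleSvc`, its all-zero hash and the `suspicious` verdict are placeholders, not real tool output.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Line shapes in the report format:
#   HH:MM:SS.mmmm PID [ <32 hex MD5> ] <service name> <image path>
#   HH:MM:SS.mmmm PID <service name> - <verdict>
#   HH:MM:SS.mmmm PID ================ Scan <section> ================
PREFIX = r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
FILE_RE = re.compile(PREFIX + r"\[\s*(?P<md5>[0-9A-Fa-f]{32})\s*\]\s+(?P<name>\S+)\s+(?P<path>.+?)\s*$")
VERDICT_RE = re.compile(PREFIX + r"(?P<name>\S+)(?P<detail>.*?)\s+-\s+(?P<verdict>.+?)\s*$")
SECTION_RE = re.compile(PREFIX + r"=+\s*Scan\s+(?P<section>.+?)\s*=+\s*$")
SCAN_START_RE = re.compile(PREFIX + r"Scan started\s*$")


@dataclass
class Entry:
    section: str
    name: str
    md5: Optional[str]
    path: Optional[str]
    verdict: str
    detail: str = ""


def parse_tdsskiller_log(text: str) -> list[Entry]:
    """Pair each '[ MD5 ] name path' line with its following 'name - verdict' line.

    Everything before 'Scan started' is the drive/partition header, which also
    contains ' - ' (e.g. 'Drive ... - Size: ...'), so it is skipped deliberately.
    """
    entries: list[Entry] = []
    section = ""
    pending: dict[str, tuple[str, str]] = {}  # name -> (md5, path) awaiting its verdict
    in_scan = False
    for line in text.splitlines():
        if not in_scan:
            in_scan = bool(SCAN_START_RE.match(line))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section").strip()
            continue
        m = FILE_RE.match(line)  # tried first: a path may itself contain ' - '
        if m:
            pending[m.group("name")] = (m.group("md5").upper(), m.group("path"))
            continue
        m = VERDICT_RE.match(line)
        if m:
            name = m.group("name")
            md5, path = pending.pop(name, (None, None))
            entries.append(Entry(section, name, md5, path,
                                 m.group("verdict").strip(), m.group("detail").strip()))
    return entries


def needs_attention(entries: list[Entry]) -> list[Entry]:
    """Verdicts other than a plain 'ok', plus service entries with no MD5 line
    (the tool hashed no image file for that service name)."""
    return [e for e in entries
            if e.verdict.lower() != "ok"
            or (e.section.lower() == "services" and e.md5 is None)]


# Constructed sample modelled on the report format. The first lines copy the
# shape of the header and of the 1394ohci/catchme entries; the ExampleSvc
# entry, its all-zero hash and the 'suspicious' verdict are placeholders.
SAMPLE_LOG = r"""
20:50:45.0166 1532 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
20:50:47.0279 1532 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200
20:51:05.0843 2428 Scan started
20:51:05.0843 2428 Mode: Manual;
20:51:06.0623 2428 ================ Scan system memory ========================
20:51:06.0623 2428 System memory - ok
20:51:06.0623 2428 ================ Scan services =============================
20:51:06.0825 2428 [ 1B133875B8AA8AC48969BD3458AFE9F5 ] 1394ohci C:\Windows\system32\drivers\1394ohci.sys
20:51:06.0825 2428 1394ohci - ok
20:51:09.0493 2428 catchme - ok
20:51:30.0000 2428 [ 00000000000000000000000000000000 ] ExampleSvc C:\Windows\system32\drivers\example.sys
20:51:30.0000 2428 ExampleSvc - suspicious
""".strip()

if __name__ == "__main__":
    parsed = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(parsed)} entries parsed")
    for e in needs_attention(parsed):
        print(f"[{e.section}] {e.name}: verdict={e.verdict!r} md5={e.md5} path={e.path}")
```

Run against a real report, the flagged list is what to read before pasting the whole log: a service with a non-`ok` verdict, or a service name with no hashed image, is the line worth cross-checking against the ComboFix service list (the `R3 esihdrv ... [x]` style entries above) to see whether it is a known tool driver or a leftover from the infection.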
#7 _Relolelo

_Relolelo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:52 AM

Posted 29 August 2012 - 10:33 PM

Here is the TDSSkiller log

I can already tell that it took out the olmarik virus haha :)


20:50:45.0166 1532 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
20:50:45.0732 1532 ============================================================
20:50:45.0732 1532 Current date / time: 2012/08/29 20:50:45.0732
20:50:45.0732 1532 SystemInfo:
20:50:45.0732 1532
20:50:45.0732 1532 OS Version: 6.1.7601 ServicePack: 1.0
20:50:45.0732 1532 Product type: Workstation
20:50:45.0733 1532 ComputerName: OWNER-PC
20:50:45.0733 1532 UserName: Ardena Tejada
20:50:45.0733 1532 Windows directory: C:\Windows
20:50:45.0733 1532 System windows directory: C:\Windows
20:50:45.0733 1532 Processor architecture: Intel x86
20:50:45.0733 1532 Number of processors: 1
20:50:45.0733 1532 Page size: 0x1000
20:50:45.0733 1532 Boot type: Normal boot
20:50:45.0733 1532 ============================================================
20:50:47.0279 1532 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
20:50:47.0351 1532 ============================================================
20:50:47.0351 1532 \Device\Harddisk0\DR0:
20:50:47.0351 1532 MBR partitions:
20:50:47.0351 1532 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
20:50:47.0351 1532 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x1D192800
20:50:47.0351 1532 ============================================================
20:50:47.0374 1532 C: <-> \Device\Harddisk0\DR0\Partition2
20:50:47.0374 1532 ============================================================
20:50:47.0374 1532 Initialize success
20:50:47.0374 1532 ============================================================
20:51:05.0843 2428 ============================================================
20:51:05.0843 2428 Scan started
20:51:05.0843 2428 Mode: Manual;
20:51:05.0843 2428 ============================================================
20:51:06.0623 2428 ================ Scan system memory ========================
20:51:06.0623 2428 System memory - ok
20:51:06.0623 2428 ================ Scan services =============================
20:51:06.0825 2428 [ 1B133875B8AA8AC48969BD3458AFE9F5 ] 1394ohci C:\Windows\system32\drivers\1394ohci.sys
20:51:06.0825 2428 1394ohci - ok
20:51:06.0857 2428 [ CEA80C80BED809AA0DA6FEBC04733349 ] ACPI C:\Windows\system32\drivers\ACPI.sys
20:51:06.0857 2428 ACPI - ok
20:51:06.0919 2428 [ 1EFBC664ABFF416D1D07DB115DCB264F ] AcpiPmi C:\Windows\system32\drivers\acpipmi.sys
20:51:06.0919 2428 AcpiPmi - ok
20:51:07.0028 2428 [ D19C4EE2AC7C47B8F5F84FFF1A789D8A ] AdobeARMservice C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
20:51:07.0028 2428 AdobeARMservice - ok
20:51:07.0153 2428 [ A9D3B95E8466BD58EEB8A1154654E162 ] AdobeFlashPlayerUpdateSvc C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
20:51:07.0153 2428 AdobeFlashPlayerUpdateSvc - ok
20:51:07.0215 2428 [ 21E785EBD7DC90A06391141AAC7892FB ] adp94xx C:\Windows\system32\DRIVERS\adp94xx.sys
20:51:07.0231 2428 adp94xx - ok
20:51:07.0262 2428 [ 0C676BC278D5B59FF5ABD57BBE9123F2 ] adpahci C:\Windows\system32\DRIVERS\adpahci.sys
20:51:07.0262 2428 adpahci - ok
20:51:07.0293 2428 [ 7C7B5EE4B7B822EC85321FE23A27DB33 ] adpu320 C:\Windows\system32\DRIVERS\adpu320.sys
20:51:07.0293 2428 adpu320 - ok
20:51:07.0340 2428 [ 8B5EEFEEC1E6D1A72A06C526628AD161 ] AeLookupSvc C:\Windows\System32\aelupsvc.dll
20:51:07.0340 2428 AeLookupSvc - ok
20:51:07.0403 2428 [ 9EBBBA55060F786F0FCAA3893BFA2806 ] AFD C:\Windows\system32\drivers\afd.sys
20:51:07.0403 2428 AFD - ok
20:51:07.0434 2428 [ 507812C3054C21CEF746B6EE3D04DD6E ] agp440 C:\Windows\system32\drivers\agp440.sys
20:51:07.0434 2428 agp440 - ok
20:51:07.0481 2428 [ 8B30250D573A8F6B4BD23195160D8707 ] aic78xx C:\Windows\system32\DRIVERS\djsvs.sys
20:51:07.0481 2428 aic78xx - ok
20:51:07.0527 2428 [ 18A54E132947CD98FEA9ACCC57F98F13 ] ALG C:\Windows\System32\alg.exe
20:51:07.0527 2428 ALG - ok
20:51:07.0574 2428 [ 0D40BCF52EA90FC7DF2AEAB6503DEA44 ] aliide C:\Windows\system32\drivers\aliide.sys
20:51:07.0574 2428 aliide - ok
20:51:07.0605 2428 [ 3C6600A0696E90A463771C7422E23AB5 ] amdagp C:\Windows\system32\drivers\amdagp.sys
20:51:07.0605 2428 amdagp - ok
20:51:07.0605 2428 [ CD5914170297126B6266860198D1D4F0 ] amdide C:\Windows\system32\drivers\amdide.sys
20:51:07.0621 2428 amdide - ok
20:51:07.0652 2428 [ 00DDA200D71BAC534BF56A9DB5DFD666 ] AmdK8 C:\Windows\system32\DRIVERS\amdk8.sys
20:51:07.0668 2428 AmdK8 - ok
20:51:07.0668 2428 [ 3CBF30F5370FDA40DD3E87DF38EA53B6 ] AmdPPM C:\Windows\system32\DRIVERS\amdppm.sys
20:51:07.0668 2428 AmdPPM - ok
20:51:07.0699 2428 [ D320BF87125326F996D4904FE24300FC ] amdsata C:\Windows\system32\drivers\amdsata.sys
20:51:07.0699 2428 amdsata - ok
20:51:07.0730 2428 [ EA43AF0C423FF267355F74E7A53BDABA ] amdsbs C:\Windows\system32\DRIVERS\amdsbs.sys
20:51:07.0730 2428 amdsbs - ok
20:51:07.0761 2428 [ 46387FB17B086D16DEA267D5BE23A2F2 ] amdxata C:\Windows\system32\drivers\amdxata.sys
20:51:07.0761 2428 amdxata - ok
20:51:07.0808 2428 [ AEA177F783E20150ACE5383EE368DA19 ] AppID C:\Windows\system32\drivers\appid.sys
20:51:07.0808 2428 AppID - ok
20:51:07.0855 2428 [ 62A9C86CB6085E20DB4823E4E97826F5 ] AppIDSvc C:\Windows\System32\appidsvc.dll
20:51:07.0855 2428 AppIDSvc - ok
20:51:07.0933 2428 [ FB1959012294D6AD43E5304DF65E3C26 ] Appinfo C:\Windows\System32\appinfo.dll
20:51:07.0933 2428 Appinfo - ok
20:51:08.0011 2428 [ 2932004F49677BD84DBC72EDB754FFB3 ] arc C:\Windows\system32\DRIVERS\arc.sys
20:51:08.0011 2428 arc - ok
20:51:08.0027 2428 [ 5D6F36C46FD283AE1B57BD2E9FEB0BC7 ] arcsas C:\Windows\system32\DRIVERS\arcsas.sys
20:51:08.0027 2428 arcsas - ok
20:51:08.0058 2428 [ ADD2ADE1C2B285AB8378D2DAAF991481 ] AsyncMac C:\Windows\system32\DRIVERS\asyncmac.sys
20:51:08.0073 2428 AsyncMac - ok
20:51:08.0120 2428 [ 338C86357871C167A96AB976519BF59E ] atapi C:\Windows\system32\drivers\atapi.sys
20:51:08.0120 2428 atapi - ok
20:51:08.0183 2428 [ AC4ADAC154563AB41CC79B0257BC685A ] athr C:\Windows\system32\DRIVERS\athr.sys
20:51:08.0229 2428 athr - ok
20:51:08.0307 2428 [ CE3B4E731638D2EF62FCB419BE0D39F0 ] AudioEndpointBuilder C:\Windows\System32\Audiosrv.dll
20:51:08.0307 2428 AudioEndpointBuilder - ok
20:51:08.0323 2428 [ CE3B4E731638D2EF62FCB419BE0D39F0 ] Audiosrv C:\Windows\System32\Audiosrv.dll
20:51:08.0339 2428 Audiosrv - ok
20:51:08.0385 2428 [ 6E30D02AAC9CAC84F421622E3A2F6178 ] AxInstSV C:\Windows\System32\AxInstSV.dll
20:51:08.0385 2428 AxInstSV - ok
20:51:08.0432 2428 [ 1A231ABEC60FD316EC54C66715543CEC ] b06bdrv C:\Windows\system32\DRIVERS\bxvbdx.sys
20:51:08.0432 2428 b06bdrv - ok
20:51:08.0479 2428 [ BD8869EB9CDE6BBE4508D869929869EE ] b57nd60x C:\Windows\system32\DRIVERS\b57nd60x.sys
20:51:08.0526 2428 b57nd60x - ok
20:51:08.0666 2428 [ A2494901E7226B356B8C1005C45F1C5F ] BBSvc C:\Program Files\Microsoft\BingBar\7.1.361.0\BBSvc.exe
20:51:08.0666 2428 BBSvc - ok
20:51:08.0729 2428 [ 63B1CBBAE4790B5BAC98F01BF9449722 ] BBUpdate C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.exe
20:51:08.0729 2428 BBUpdate - ok
20:51:08.0775 2428 [ EE1E9C3BB8228AE423DD38DB69128E71 ] BDESVC C:\Windows\System32\bdesvc.dll
20:51:08.0775 2428 BDESVC - ok
20:51:08.0822 2428 [ 505506526A9D467307B3C393DEDAF858 ] Beep C:\Windows\system32\drivers\Beep.sys
20:51:08.0822 2428 Beep - ok
20:51:08.0916 2428 [ 1E2BAC209D184BB851E1A187D8A29136 ] BFE C:\Windows\System32\bfe.dll
20:51:08.0916 2428 BFE - ok
20:51:08.0947 2428 [ 2287078ED48FCFC477B05B20CF38F36F ] blbdrive C:\Windows\system32\DRIVERS\blbdrive.sys
20:51:08.0978 2428 blbdrive - ok
20:51:09.0009 2428 [ 8F2DA3028D5FCBD1A060A3DE64CD6506 ] bowser C:\Windows\system32\DRIVERS\bowser.sys
20:51:09.0009 2428 bowser - ok
20:51:09.0056 2428 [ 9F9ACC7F7CCDE8A15C282D3F88B43309 ] BrFiltLo C:\Windows\system32\DRIVERS\BrFiltLo.sys
20:51:09.0056 2428 BrFiltLo - ok
20:51:09.0072 2428 [ 56801AD62213A41F6497F96DEE83755A ] BrFiltUp C:\Windows\system32\DRIVERS\BrFiltUp.sys
20:51:09.0072 2428 BrFiltUp - ok
20:51:09.0119 2428 [ 77361D72A04F18809D0EFB6CCEB74D4B ] BridgeMP C:\Windows\system32\DRIVERS\bridge.sys
20:51:09.0150 2428 BridgeMP - ok
20:51:09.0197 2428 [ 6E11F33D14D020F58D5E02E4D67DFA19 ] Browser C:\Windows\System32\browser.dll
20:51:09.0197 2428 Browser - ok
20:51:09.0212 2428 [ 845B8CE732E67F3B4133164868C666EA ] Brserid C:\Windows\System32\Drivers\Brserid.sys
20:51:09.0212 2428 Brserid - ok
20:51:09.0228 2428 [ 203F0B1E73ADADBBB7B7B1FABD901F6B ] BrSerWdm C:\Windows\System32\Drivers\BrSerWdm.sys
20:51:09.0228 2428 BrSerWdm - ok
20:51:09.0243 2428 [ BD456606156BA17E60A04E18016AE54B ] BrUsbMdm C:\Windows\System32\Drivers\BrUsbMdm.sys
20:51:09.0243 2428 BrUsbMdm - ok
20:51:09.0259 2428 [ AF72ED54503F717A43268B3CC5FAEC2E ] BrUsbSer C:\Windows\System32\Drivers\BrUsbSer.sys
20:51:09.0259 2428 BrUsbSer - ok
20:51:09.0275 2428 [ ED3DF7C56CE0084EB2034432FC56565A ] BTHMODEM C:\Windows\system32\DRIVERS\bthmodem.sys
20:51:09.0275 2428 BTHMODEM - ok
20:51:09.0321 2428 [ 1DF19C96EEF6C29D1C3E1A8678E07190 ] bthserv C:\Windows\system32\bthserv.dll
20:51:09.0321 2428 bthserv - ok
20:51:09.0493 2428 catchme - ok
20:51:09.0524 2428 [ 77EA11B065E0A8AB902D78145CA51E10 ] cdfs C:\Windows\system32\DRIVERS\cdfs.sys
20:51:09.0524 2428 cdfs - ok
20:51:09.0571 2428 [ BE167ED0FDB9C1FA1133953C18D5A6C9 ] cdrom C:\Windows\system32\DRIVERS\cdrom.sys
20:51:09.0571 2428 cdrom - ok
20:51:09.0618 2428 [ 319C6B309773D063541D01DF8AC6F55F ] CertPropSvc C:\Windows\System32\certprop.dll
20:51:09.0618 2428 CertPropSvc - ok
20:51:09.0649 2428 [ 3FE3FE94A34DF6FB06E6418D0F6A0060 ] circlass C:\Windows\system32\DRIVERS\circlass.sys
20:51:09.0665 2428 circlass - ok
20:51:09.0680 2428 [ 635181E0E9BBF16871BF5380D71DB02D ] CLFS C:\Windows\system32\CLFS.sys
20:51:09.0696 2428 CLFS - ok
20:51:09.0789 2428 [ D88040F816FDA31C3B466F0FA0918F29 ] clr_optimization_v2.0.50727_32 C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
20:51:09.0789 2428 clr_optimization_v2.0.50727_32 - ok
20:51:09.0883 2428 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
20:51:09.0883 2428 clr_optimization_v4.0.30319_32 - ok
20:51:09.0899 2428 [ DEA805815E587DAD1DD2C502220B5616 ] CmBatt C:\Windows\system32\DRIVERS\CmBatt.sys
20:51:09.0914 2428 CmBatt - ok
20:51:09.0945 2428 [ C537B1DB64D495B9B4717B4D6D9EDBF2 ] cmdide C:\Windows\system32\drivers\cmdide.sys
20:51:09.0945 2428 cmdide - ok
20:51:09.0992 2428 [ 247B4CE2DAB1160CD422D532D5241E1F ] CNG C:\Windows\system32\Drivers\cng.sys
20:51:09.0992 2428 CNG - ok
20:51:10.0055 2428 [ A6023D3823C37043986713F118A89BEE ] Compbatt C:\Windows\system32\DRIVERS\compbatt.sys
20:51:10.0055 2428 Compbatt - ok
20:51:10.0101 2428 [ CBE8C58A8579CFE5FCCF809E6F114E89 ] CompositeBus C:\Windows\system32\drivers\CompositeBus.sys
20:51:10.0101 2428 CompositeBus - ok
20:51:10.0133 2428 COMSysApp - ok
20:51:10.0148 2428 [ 2C4EBCFC84A9B44F209DFF6C6E6C61D1 ] crcdisk C:\Windows\system32\DRIVERS\crcdisk.sys
20:51:10.0148 2428 crcdisk - ok
20:51:10.0195 2428 [ 06E771AA596B8761107AB57E99F128D7 ] CryptSvc C:\Windows\system32\cryptsvc.dll
20:51:10.0195 2428 CryptSvc - ok
20:51:10.0257 2428 [ 7660F01D3B38ACA1747E397D21D790AF ] DcomLaunch C:\Windows\system32\rpcss.dll
20:51:10.0257 2428 DcomLaunch - ok
20:51:10.0289 2428 [ 8D6E10A2D9A5EED59562D9B82CF804E1 ] defragsvc C:\Windows\System32\defragsvc.dll
20:51:10.0304 2428 defragsvc - ok
20:51:10.0351 2428 [ F024449C97EC1E464AAFFDA18593DB88 ] DfsC C:\Windows\system32\Drivers\dfsc.sys
20:51:10.0367 2428 DfsC - ok
20:51:10.0413 2428 [ E9E01EB683C132F7FA27CD607B8A2B63 ] Dhcp C:\Windows\system32\dhcpcore.dll
20:51:10.0429 2428 Dhcp - ok
20:51:10.0460 2428 [ 1A050B0274BFB3890703D490F330C0DA ] discache C:\Windows\system32\drivers\discache.sys
20:51:10.0460 2428 discache - ok
20:51:10.0523 2428 [ 565003F326F99802E68CA78F2A68E9FF ] Disk C:\Windows\system32\DRIVERS\disk.sys
20:51:10.0523 2428 Disk - ok
20:51:10.0569 2428 [ 33EF4861F19A0736B11314AAD9AE28D0 ] Dnscache C:\Windows\System32\dnsrslvr.dll
20:51:10.0569 2428 Dnscache - ok
20:51:10.0616 2428 [ 366BA8FB4B7BB7435E3B9EACB3843F67 ] dot3svc C:\Windows\System32\dot3svc.dll
20:51:10.0616 2428 dot3svc - ok
20:51:10.0663 2428 [ 8EC04CA86F1D68DA9E11952EB85973D6 ] DPS C:\Windows\system32\dps.dll
20:51:10.0663 2428 DPS - ok
20:51:10.0710 2428 [ B918E7C5F9BF77202F89E1A9539F2EB4 ] drmkaud C:\Windows\system32\drivers\drmkaud.sys
20:51:10.0741 2428 drmkaud - ok
20:51:10.0819 2428 [ 23F5D28378A160352BA8F817BD8C71CB ] DXGKrnl C:\Windows\System32\drivers\dxgkrnl.sys
20:51:10.0819 2428 DXGKrnl - ok
20:51:10.0897 2428 [ 8A45015E85A4DCE0086B9973F0FD9A20 ] eamonm C:\Windows\system32\DRIVERS\eamonm.sys
20:51:10.0897 2428 eamonm - ok
20:51:10.0959 2428 [ 8600142FA91C1B96367D3300AD0F3F3A ] EapHost C:\Windows\System32\eapsvc.dll
20:51:10.0959 2428 EapHost - ok
20:51:11.0069 2428 [ 024E1B5CAC09731E4D868E64DBFB4AB0 ] ebdrv C:\Windows\system32\DRIVERS\evbdx.sys
20:51:11.0131 2428 ebdrv - ok
20:51:11.0162 2428 [ 81951F51E318AECC2D68559E47485CC4 ] EFS C:\Windows\System32\lsass.exe
20:51:11.0178 2428 EFS - ok
20:51:11.0225 2428 [ 5412ED24FFFCA64E2F0168399B86C952 ] ehdrv C:\Windows\system32\DRIVERS\ehdrv.sys
20:51:11.0240 2428 ehdrv - ok
20:51:11.0318 2428 [ A8C362018EFC87BEB013EE28F29C0863 ] ehRecvr C:\Windows\ehome\ehRecvr.exe
20:51:11.0318 2428 ehRecvr - ok
20:51:11.0349 2428 [ D389BFF34F80CAEDE417BF9D1507996A ] ehSched C:\Windows\ehome\ehsched.exe
20:51:11.0365 2428 ehSched - ok
20:51:11.0505 2428 [ AD4FAADE819E0DA9933BEA7C01D2C763 ] ekrn C:\Program Files\ESET\ESET Smart Security\ekrn.exe
20:51:11.0505 2428 ekrn - ok
20:51:11.0552 2428 [ 0ED67910C8C326796FAA00B2BF6D9D3C ] elxstor C:\Windows\system32\DRIVERS\elxstor.sys
20:51:11.0552 2428 elxstor - ok
20:51:11.0630 2428 [ 774BABCB1144513DC86992003740B774 ] epfw C:\Windows\system32\DRIVERS\epfw.sys
20:51:11.0630 2428 epfw - ok
20:51:11.0708 2428 [ 2C22CC39309EE06AE870C183BF2A769D ] EpfwLWF C:\Windows\system32\DRIVERS\EpfwLWF.sys
20:51:11.0755 2428 EpfwLWF - ok
20:51:11.0817 2428 [ 2B4E5F01A4E786B422F4D617B51FA7D9 ] epfwwfp C:\Windows\system32\DRIVERS\epfwwfp.sys
20:51:11.0817 2428 epfwwfp - ok
20:51:11.0864 2428 [ 8FC3208352DD3912C94367A206AB3F11 ] ErrDev C:\Windows\system32\drivers\errdev.sys
20:51:11.0864 2428 ErrDev - ok
20:51:11.0927 2428 esihdrv - ok
20:51:11.0958 2428 [ F6916EFC29D9953D5D0DF06882AE8E16 ] EventSystem C:\Windows\system32\es.dll
20:51:11.0973 2428 EventSystem - ok
20:51:11.0989 2428 [ 2DC9108D74081149CC8B651D3A26207F ] exfat C:\Windows\system32\drivers\exfat.sys
20:51:12.0005 2428 exfat - ok
20:51:12.0020 2428 [ 7E0AB74553476622FB6AE36F73D97D35 ] fastfat C:\Windows\system32\drivers\fastfat.sys
20:51:12.0020 2428 fastfat - ok
20:51:12.0098 2428 [ 967EA5B213E9984CBE270205DF37755B ] Fax C:\Windows\system32\fxssvc.exe
20:51:12.0098 2428 Fax - ok
20:51:12.0114 2428 [ E817A017F82DF2A1F8CFDBDA29388B29 ] fdc C:\Windows\system32\DRIVERS\fdc.sys
20:51:12.0114 2428 fdc - ok
20:51:12.0145 2428 [ F3222C893BD2F5821A0179E5C71E88FB ] fdPHost C:\Windows\system32\fdPHost.dll
20:51:12.0145 2428 fdPHost - ok
20:51:12.0161 2428 [ 7DBE8CBFE79EFBDEB98C9FB08D3A9A5B ] FDResPub C:\Windows\system32\fdrespub.dll
20:51:12.0161 2428 FDResPub - ok
20:51:12.0192 2428 [ 6CF00369C97F3CF563BE99BE983D13D8 ] FileInfo C:\Windows\system32\drivers\fileinfo.sys
20:51:12.0207 2428 FileInfo - ok
20:51:12.0207 2428 [ 42C51DC94C91DA21CB9196EB64C45DB9 ] Filetrace C:\Windows\system32\drivers\filetrace.sys
20:51:12.0223 2428 Filetrace - ok
20:51:12.0239 2428 [ 87907AA70CB3C56600F1C2FB8841579B ] flpydisk C:\Windows\system32\DRIVERS\flpydisk.sys
20:51:12.0239 2428 flpydisk - ok
20:51:12.0270 2428 [ 7520EC808E0C35E0EE6F841294316653 ] FltMgr C:\Windows\system32\drivers\fltmgr.sys
20:51:12.0270 2428 FltMgr - ok
20:51:12.0332 2428 [ B3A5EC6B6B6673DB7E87C2BCDBDDC074 ] FontCache C:\Windows\system32\FntCache.dll
20:51:12.0332 2428 FontCache - ok
20:51:12.0410 2428 [ E56F39F6B7FDA0AC77A79B0FD3DE1A2F ] FontCache3.0.0.0 C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
20:51:12.0410 2428 FontCache3.0.0.0 - ok
20:51:12.0426 2428 [ 1A16B57943853E598CFF37FE2B8CBF1D ] FsDepends C:\Windows\system32\drivers\FsDepends.sys
20:51:12.0738 2428 FsDepends - ok
20:51:12.0800 2428 [ B0082808A6856A252F7CDD939892CE50 ] fssfltr C:\Windows\system32\DRIVERS\fssfltr.sys
20:51:12.0831 2428 fssfltr - ok
20:51:12.0956 2428 [ 28DDEEEC44E988657B732CF404D504CB ] fsssvc C:\Program Files\Windows Live\Family Safety\fsssvc.exe
20:51:13.0003 2428 fsssvc - ok
20:51:13.0034 2428 [ 7DAE5EBCC80E45D3253F4923DC424D05 ] Fs_Rec C:\Windows\system32\drivers\Fs_Rec.sys
20:51:13.0034 2428 Fs_Rec - ok
20:51:13.0112 2428 [ 8A73E79089B282100B9393B644CB853B ] fvevol C:\Windows\system32\DRIVERS\fvevol.sys
20:51:13.0143 2428 fvevol - ok
20:51:13.0221 2428 [ 65EE0C7A58B65E74AE05637418153938 ] gagp30kx C:\Windows\system32\DRIVERS\gagp30kx.sys
20:51:13.0221 2428 gagp30kx - ok
20:51:13.0268 2428 [ E897EAF5ED6BA41E081060C9B447A673 ] gpsvc C:\Windows\System32\gpsvc.dll
20:51:13.0284 2428 gpsvc - ok
20:51:13.0299 2428 [ C44E3C2BAB6837DB337DDEE7544736DB ] hcw85cir C:\Windows\system32\drivers\hcw85cir.sys
20:51:13.0299 2428 hcw85cir - ok
20:51:13.0362 2428 [ A5EF29D5315111C80A5C1ABAD14C8972 ] HdAudAddService C:\Windows\system32\drivers\HdAudio.sys
20:51:13.0377 2428 HdAudAddService - ok
20:51:13.0424 2428 [ 9036377B8A6C15DC2EEC53E489D159B5 ] HDAudBus C:\Windows\system32\drivers\HDAudBus.sys
20:51:13.0424 2428 HDAudBus - ok
20:51:13.0440 2428 [ 1D58A7F3E11A9731D0EAAAA8405ACC36 ] HidBatt C:\Windows\system32\DRIVERS\HidBatt.sys
20:51:13.0440 2428 HidBatt - ok
20:51:13.0455 2428 [ 89448F40E6DF260C206A193A4683BA78 ] HidBth C:\Windows\system32\DRIVERS\hidbth.sys
20:51:13.0455 2428 HidBth - ok
20:51:13.0471 2428 [ CF50B4CF4A4F229B9F3C08351F99CA5E ] HidIr C:\Windows\system32\DRIVERS\hidir.sys
20:51:13.0471 2428 HidIr - ok
20:51:13.0502 2428 [ 2BC6F6A1992B3A77F5F41432CA6B3B6B ] hidserv C:\Windows\System32\hidserv.dll
20:51:13.0502 2428 hidserv - ok
20:51:13.0565 2428 [ 10C19F8290891AF023EAEC0832E1EB4D ] HidUsb C:\Windows\system32\DRIVERS\hidusb.sys
20:51:13.0565 2428 HidUsb - ok
20:51:13.0596 2428 [ 196B4E3F4CCCC24AF836CE58FACBB699 ] hkmsvc C:\Windows\system32\kmsvc.dll
20:51:13.0611 2428 hkmsvc - ok
20:51:13.0643 2428 [ 6658F4404DE03D75FE3BA09F7ABA6A30 ] HomeGroupListener C:\Windows\system32\ListSvc.dll
20:51:13.0658 2428 HomeGroupListener - ok
20:51:13.0705 2428 [ DBC02D918FFF1CAD628ACBE0C0EAA8E8 ] HomeGroupProvider C:\Windows\system32\provsvc.dll
20:51:13.0705 2428 HomeGroupProvider - ok
20:51:13.0752 2428 [ 295FDC419039090EB8B49FFDBB374549 ] HpSAMD C:\Windows\system32\drivers\HpSAMD.sys
20:51:13.0752 2428 HpSAMD - ok
20:51:13.0814 2428 [ 871917B07A141BFF43D76D8844D48106 ] HTTP C:\Windows\system32\drivers\HTTP.sys
20:51:13.0814 2428 HTTP - ok
20:51:13.0861 2428 [ 0C4E035C7F105F1299258C90886C64C5 ] hwpolicy C:\Windows\system32\drivers\hwpolicy.sys
20:51:13.0861 2428 hwpolicy - ok
20:51:13.0908 2428 [ F151F0BDC47F4A28B1B20A0818EA36D6 ] i8042prt C:\Windows\system32\drivers\i8042prt.sys
20:51:13.0908 2428 i8042prt - ok
20:51:13.0955 2428 [ 5CD5F9A5444E6CDCB0AC89BD62D8B76E ] iaStorV C:\Windows\system32\drivers\iaStorV.sys
20:51:13.0970 2428 iaStorV - ok
20:51:14.0048 2428 [ C521D7EB6497BB1AF6AFA89E322FB43C ] idsvc C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
20:51:14.0064 2428 idsvc - ok
20:51:14.0313 2428 [ DCE0B53570703CCE580D066F89EF58CD ] igfx C:\Windows\system32\DRIVERS\igdkmd32.sys
20:51:14.0516 2428 igfx - ok
20:51:14.0579 2428 [ 4173FF5708F3236CF25195FECD742915 ] iirsp C:\Windows\system32\DRIVERS\iirsp.sys
20:51:14.0579 2428 iirsp - ok
20:51:14.0625 2428 [ F95622F161474511B8D80D6B093AA610 ] IKEEXT C:\Windows\System32\ikeext.dll
20:51:14.0625 2428 IKEEXT - ok
20:51:14.0657 2428 [ A0F12F2C9BA6C72F3987CE780E77C130 ] intelide C:\Windows\system32\drivers\intelide.sys
20:51:14.0657 2428 intelide - ok
20:51:14.0703 2428 [ 3B514D27BFC4ACCB4037BC6685F766E0 ] intelppm C:\Windows\system32\DRIVERS\intelppm.sys
20:51:14.0719 2428 intelppm - ok
20:51:14.0750 2428 [ ACB364B9075A45C0736E5C47BE5CAE19 ] IPBusEnum C:\Windows\system32\ipbusenum.dll
20:51:14.0750 2428 IPBusEnum - ok
20:51:14.0766 2428 [ 709D1761D3B19A932FF0238EA6D50200 ] IpFilterDriver C:\Windows\system32\DRIVERS\ipfltdrv.sys
20:51:14.0797 2428 IpFilterDriver - ok
20:51:14.0828 2428 [ 4D65A07B795D6674312F879D09AA7663 ] iphlpsvc C:\Windows\System32\iphlpsvc.dll
20:51:14.0828 2428 iphlpsvc - ok
20:51:14.0875 2428 [ 4BD7134618C1D2A27466A099062547BF ] IPMIDRV C:\Windows\system32\drivers\IPMIDrv.sys
20:51:14.0875 2428 IPMIDRV - ok
20:51:14.0891 2428 [ A5FA468D67ABCDAA36264E463A7BB0CD ] IPNAT C:\Windows\system32\drivers\ipnat.sys
20:51:14.0937 2428 IPNAT - ok
20:51:14.0937 2428 [ 42996CFF20A3084A56017B7902307E9F ] IRENUM C:\Windows\system32\drivers\irenum.sys
20:51:14.0969 2428 IRENUM - ok
20:51:14.0984 2428 [ 1F32BB6B38F62F7DF1A7AB7292638A35 ] isapnp C:\Windows\system32\drivers\isapnp.sys
20:51:14.0984 2428 isapnp - ok
20:51:15.0031 2428 [ CB7A9ABB12B8415BCE5D74994C7BA3AE ] iScsiPrt C:\Windows\system32\drivers\msiscsi.sys
20:51:15.0031 2428 iScsiPrt - ok
20:51:15.0078 2428 [ ADEF52CA1AEAE82B50DF86B56413107E ] kbdclass C:\Windows\system32\drivers\kbdclass.sys
20:51:15.0093 2428 kbdclass - ok
20:51:15.0125 2428 [ 9E3CED91863E6EE98C24794D05E27A71 ] kbdhid C:\Windows\system32\drivers\kbdhid.sys
20:51:15.0125 2428 kbdhid - ok
20:51:15.0140 2428 [ 81951F51E318AECC2D68559E47485CC4 ] KeyIso C:\Windows\system32\lsass.exe
20:51:15.0156 2428 KeyIso - ok
20:51:15.0187 2428 [ B7895B4182C0D16F6EFADEB8081E8D36 ] KSecDD C:\Windows\system32\Drivers\ksecdd.sys
20:51:15.0187 2428 KSecDD - ok
20:51:15.0249 2428 [ D30159AC9237519FBC62C6EC247D2D46 ] KSecPkg C:\Windows\system32\Drivers\ksecpkg.sys
20:51:15.0249 2428 KSecPkg - ok
20:51:15.0281 2428 [ 89A7B9CC98D0D80C6F31B91C0A310FCD ] KtmRm C:\Windows\system32\msdtckrm.dll
20:51:15.0296 2428 KtmRm - ok
20:51:15.0343 2428 [ ED8227578B0A3A3F8545388FB11782C1 ] L1C C:\Windows\system32\DRIVERS\L1C62x86.sys
20:51:15.0359 2428 L1C - ok
20:51:15.0405 2428 [ D64AF876D53ECA3668BB97B51B4E70AB ] LanmanServer C:\Windows\System32\srvsvc.dll
20:51:15.0405 2428 LanmanServer - ok
20:51:15.0452 2428 [ 58405E4F68BA8E4057C6E914F326ABA2 ] LanmanWorkstation C:\Windows\System32\wkssvc.dll
20:51:15.0452 2428 LanmanWorkstation - ok
20:51:15.0515 2428 [ F7611EC07349979DA9B0AE1F18CCC7A6 ] lltdio C:\Windows\system32\DRIVERS\lltdio.sys
20:51:15.0530 2428 lltdio - ok
20:51:15.0577 2428 [ 5700673E13A2117FA3B9020C852C01E2 ] lltdsvc C:\Windows\System32\lltdsvc.dll
20:51:15.0577 2428 lltdsvc - ok
20:51:15.0608 2428 [ 55CA01BA19D0006C8F2639B6C045E08B ] lmhosts C:\Windows\System32\lmhsvc.dll
20:51:15.0608 2428 lmhosts - ok
20:51:15.0639 2428 [ EB119A53CCF2ACC000AC71B065B78FEF ] LSI_FC C:\Windows\system32\DRIVERS\lsi_fc.sys
20:51:15.0655 2428 LSI_FC - ok
20:51:15.0686 2428 [ 8ADE1C877256A22E49B75D1CC9161F9C ] LSI_SAS C:\Windows\system32\DRIVERS\lsi_sas.sys
20:51:15.0686 2428 LSI_SAS - ok
20:51:15.0717 2428 [ DC9DC3D3DAA0E276FD2EC262E38B11E9 ] LSI_SAS2 C:\Windows\system32\DRIVERS\lsi_sas2.sys
20:51:15.0717 2428 LSI_SAS2 - ok
20:51:15.0733 2428 [ 0A036C7D7CAB643A7F07135AC47E0524 ] LSI_SCSI C:\Windows\system32\DRIVERS\lsi_scsi.sys
20:51:15.0733 2428 LSI_SCSI - ok
20:51:15.0749 2428 [ 6703E366CC18D3B6E534F5CF7DF39CEE ] luafv C:\Windows\system32\drivers\luafv.sys
20:51:15.0764 2428 luafv - ok
20:51:15.0795 2428 [ BFB9EE8EE977EFE85D1A3105ABEF6DD1 ] Mcx2Svc C:\Windows\system32\Mcx2Svc.dll
20:51:15.0795 2428 Mcx2Svc - ok
20:51:15.0827 2428 [ 0FFF5B045293002AB38EB1FD1FC2FB74 ] megasas C:\Windows\system32\DRIVERS\megasas.sys
20:51:15.0827 2428 megasas - ok
20:51:15.0858 2428 [ DCBAB2920C75F390CAF1D29F675D03D6 ] MegaSR C:\Windows\system32\DRIVERS\MegaSR.sys
20:51:15.0858 2428 MegaSR - ok
20:51:15.0951 2428 Microsoft SharePoint Workspace Audit Service - ok
20:51:15.0983 2428 [ 146B6F43A673379A3C670E86D89BE5EA ] MMCSS C:\Windows\system32\mmcss.dll
20:51:15.0998 2428 MMCSS - ok
20:51:16.0014 2428 [ F001861E5700EE84E2D4E52C712F4964 ] Modem C:\Windows\system32\drivers\modem.sys
20:51:16.0045 2428 Modem - ok
20:51:16.0061 2428 [ 79D10964DE86B292320E9DFE02282A23 ] monitor C:\Windows\system32\DRIVERS\monitor.sys
20:51:16.0076 2428 monitor - ok
20:51:16.0123 2428 [ FB18CC1D4C2E716B6B903B0AC0CC0609 ] mouclass C:\Windows\system32\DRIVERS\mouclass.sys
20:51:16.0123 2428 mouclass - ok
20:51:16.0154 2428 [ 2C388D2CD01C9042596CF3C8F3C7B24D ] mouhid C:\Windows\system32\DRIVERS\mouhid.sys
20:51:16.0154 2428 mouhid - ok
20:51:16.0201 2428 [ FC8771F45ECCCFD89684E38842539B9B ] mountmgr C:\Windows\system32\drivers\mountmgr.sys
20:51:16.0201 2428 mountmgr - ok
20:51:16.0295 2428 [ 46297FA8E30A6007F14118FC2B942FBC ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
20:51:16.0310 2428 MozillaMaintenance - ok
20:51:16.0326 2428 [ 2D699FB6E89CE0D8DA14ECC03B3EDFE0 ] mpio C:\Windows\system32\drivers\mpio.sys
20:51:16.0341 2428 mpio - ok
20:51:16.0357 2428 [ AD2723A7B53DD1AACAE6AD8C0BFBF4D0 ] mpsdrv C:\Windows\system32\drivers\mpsdrv.sys
20:51:16.0373 2428 mpsdrv - ok
20:51:16.0466 2428 [ 9835584E999D25004E1EE8E5F3E3B881 ] MpsSvc C:\Windows\system32\mpssvc.dll
20:51:16.0466 2428 MpsSvc - ok
20:51:16.0513 2428 [ CEB46AB7C01C9F825F8CC6BABC18166A ] MRxDAV C:\Windows\system32\drivers\mrxdav.sys
20:51:16.0513 2428 MRxDAV - ok
20:51:16.0560 2428 [ 5D16C921E3671636C0EBA3BBAAC5FD25 ] mrxsmb C:\Windows\system32\DRIVERS\mrxsmb.sys
20:51:16.0560 2428 mrxsmb - ok
20:51:16.0575 2428 [ 6D17A4791ACA19328C685D256349FEFC ] mrxsmb10 C:\Windows\system32\DRIVERS\mrxsmb10.sys
20:51:16.0575 2428 mrxsmb10 - ok
20:51:16.0622 2428 [ B81F204D146000BE76651A50670A5E9E ] mrxsmb20 C:\Windows\system32\DRIVERS\mrxsmb20.sys
20:51:16.0622 2428 mrxsmb20 - ok
20:51:16.0653 2428 [ 012C5F4E9349E711E11E0F19A8589F0A ] msahci C:\Windows\system32\drivers\msahci.sys
20:51:16.0653 2428 msahci - ok
20:51:16.0685 2428 [ 55055F8AD8BE27A64C831322A780A228 ] msdsm C:\Windows\system32\drivers\msdsm.sys
20:51:16.0700 2428 msdsm - ok
20:51:16.0716 2428 [ E1BCE74A3BD9902B72599C0192A07E27 ] MSDTC C:\Windows\System32\msdtc.exe
20:51:16.0731 2428 MSDTC - ok
20:51:16.0778 2428 [ DAEFB28E3AF5A76ABCC2C3078C07327F ] Msfs C:\Windows\system32\drivers\Msfs.sys
20:51:16.0778 2428 Msfs - ok
20:51:16.0794 2428 [ 3E1E5767043C5AF9367F0056295E9F84 ] mshidkmdf C:\Windows\System32\drivers\mshidkmdf.sys
20:51:16.0794 2428 mshidkmdf - ok
20:51:16.0841 2428 [ 0A4E5757AE09FA9622E3158CC1AEF114 ] msisadrv C:\Windows\system32\drivers\msisadrv.sys
20:51:16.0841 2428 msisadrv - ok
20:51:16.0887 2428 [ 90F7D9E6B6F27E1A707D4A297F077828 ] MSiSCSI C:\Windows\system32\iscsiexe.dll
20:51:16.0887 2428 MSiSCSI - ok
20:51:16.0903 2428 msiserver - ok
20:51:16.0934 2428 [ 8C0860D6366AAFFB6C5BB9DF9448E631 ] MSKSSRV C:\Windows\system32\drivers\MSKSSRV.sys
20:51:16.0934 2428 MSKSSRV - ok
20:51:16.0950 2428 [ 3EA8B949F963562CEDBB549EAC0C11CE ] MSPCLOCK C:\Windows\system32\drivers\MSPCLOCK.sys
20:51:16.0965 2428 MSPCLOCK - ok
20:51:16.0981 2428 [ F456E973590D663B1073E9C463B40932 ] MSPQM C:\Windows\system32\drivers\MSPQM.sys
20:51:16.0981 2428 MSPQM - ok
20:51:17.0012 2428 [ 0E008FC4819D238C51D7C93E7B41E560 ] MsRPC C:\Windows\system32\drivers\MsRPC.sys
20:51:17.0012 2428 MsRPC - ok
20:51:17.0059 2428 [ FC6B9FF600CC585EA38B12589BD4E246 ] mssmbios C:\Windows\system32\drivers\mssmbios.sys
20:51:17.0059 2428 mssmbios - ok
20:51:17.0075 2428 [ B42C6B921F61A6E55159B8BE6CD54A36 ] MSTEE C:\Windows\system32\drivers\MSTEE.sys
20:51:17.0090 2428 MSTEE - ok
20:51:17.0090 2428 [ 33599130F44E1F34631CEA241DE8AC84 ] MTConfig C:\Windows\system32\DRIVERS\MTConfig.sys
20:51:17.0090 2428 MTConfig - ok
20:51:17.0106 2428 [ 159FAD02F64E6381758C990F753BCC80 ] Mup C:\Windows\system32\Drivers\mup.sys
20:51:17.0106 2428 Mup - ok
20:51:17.0153 2428 [ 61D57A5D7C6D9AFE10E77DAE6E1B445E ] napagent C:\Windows\system32\qagentRT.dll
20:51:17.0168 2428 napagent - ok
20:51:17.0231 2428 [ 26384429FCD85D83746F63E798AB1480 ] NativeWifiP C:\Windows\system32\DRIVERS\nwifi.sys
20:51:17.0277 2428 NativeWifiP - ok
20:51:17.0324 2428 [ E7C54812A2AAF43316EB6930C1FFA108 ] NDIS C:\Windows\system32\drivers\ndis.sys
20:51:17.0324 2428 NDIS - ok
20:51:17.0355 2428 [ 0E1787AA6C9191D3D319E8BAFE86F80C ] NdisCap C:\Windows\system32\DRIVERS\ndiscap.sys
20:51:17.0371 2428 NdisCap - ok
20:51:17.0402 2428 [ E4A8AEC125A2E43A9E32AFEEA7C9C888 ] NdisTapi C:\Windows\system32\DRIVERS\ndistapi.sys
20:51:17.0402 2428 NdisTapi - ok
20:51:17.0433 2428 [ D8A65DAFB3EB41CBB622745676FCD072 ] Ndisuio C:\Windows\system32\DRIVERS\ndisuio.sys
20:51:17.0465 2428 Ndisuio - ok
20:51:17.0496 2428 [ 38FBE267E7E6983311179230FACB1017 ] NdisWan C:\Windows\system32\DRIVERS\ndiswan.sys
20:51:17.0527 2428 NdisWan - ok
20:51:17.0558 2428 [ A4BDC541E69674FBFF1A8FF00BE913F2 ] NDProxy C:\Windows\system32\drivers\NDProxy.sys
20:51:17.0558 2428 NDProxy - ok
20:51:17.0621 2428 [ 80B275B1CE3B0E79909DB7B39AF74D51 ] NetBIOS C:\Windows\system32\DRIVERS\netbios.sys
20:51:17.0621 2428 NetBIOS - ok
20:51:17.0667 2428 [ 280122DDCF04B378EDD1AD54D71C1E54 ] NetBT C:\Windows\system32\DRIVERS\netbt.sys
20:51:17.0667 2428 NetBT - ok
20:51:17.0699 2428 [ 81951F51E318AECC2D68559E47485CC4 ] Netlogon C:\Windows\system32\lsass.exe
20:51:17.0699 2428 Netlogon - ok
20:51:17.0745 2428 [ 7CCCFCA7510684768DA22092D1FA4DB2 ] Netman C:\Windows\System32\netman.dll
20:51:17.0745 2428 Netman - ok
20:51:17.0761 2428 [ 8C338238C16777A802D6A9211EB2BA50 ] netprofm C:\Windows\System32\netprofm.dll
20:51:17.0761 2428 netprofm - ok
20:51:17.0823 2428 [ F476EC40033CDB91EFBE73EB99B8362D ] NetTcpPortSharing C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
20:51:17.0823 2428 NetTcpPortSharing - ok
20:51:17.0870 2428 [ 1D85C4B390B0EE09C7A46B91EFB2C097 ] nfrd960 C:\Windows\system32\DRIVERS\nfrd960.sys
20:51:17.0870 2428 nfrd960 - ok
20:51:17.0917 2428 [ 912084381D30D8B89EC4E293053F4710 ] NlaSvc C:\Windows\System32\nlasvc.dll
20:51:17.0933 2428 NlaSvc - ok
20:51:17.0948 2428 [ 1DB262A9F8C087E8153D89BEF3D2235F ] Npfs C:\Windows\system32\drivers\Npfs.sys
20:51:17.0948 2428 Npfs - ok
20:51:17.0995 2428 [ BA387E955E890C8A88306D9B8D06BF17 ] nsi C:\Windows\system32\nsisvc.dll
20:51:17.0995 2428 nsi - ok
20:51:18.0011 2428 [ E9A0A4D07E53D8FEA2BB8387A3293C58 ] nsiproxy C:\Windows\system32\drivers\nsiproxy.sys
20:51:18.0011 2428 nsiproxy - ok
20:51:18.0089 2428 [ 81189C3D7763838E55C397759D49007A ] Ntfs C:\Windows\system32\drivers\Ntfs.sys
20:51:18.0120 2428 Ntfs - ok
20:51:18.0167 2428 [ F9756A98D69098DCA8945D62858A812C ] Null C:\Windows\system32\drivers\Null.sys
20:51:18.0167 2428 Null - ok
20:51:18.0198 2428 [ B3E25EE28883877076E0E1FF877D02E0 ] nvraid C:\Windows\system32\drivers\nvraid.sys
20:51:18.0198 2428 nvraid - ok
20:51:18.0276 2428 [ 4380E59A170D88C4F1022EFF6719A8A4 ] nvstor C:\Windows\system32\drivers\nvstor.sys
20:51:18.0276 2428 nvstor - ok
20:51:18.0307 2428 [ 5A0983915F02BAE73267CC2A041F717D ] nv_agp C:\Windows\system32\drivers\nv_agp.sys
20:51:18.0307 2428 nv_agp - ok
20:51:18.0354 2428 [ 08A70A1F2CDDE9BB49B885CB817A66EB ] ohci1394 C:\Windows\system32\drivers\ohci1394.sys
20:51:18.0354 2428 ohci1394 - ok
20:51:18.0416 2428 [ 3DBFD3E9DC5E225187C81D94EDB45D29 ] OlmarikFixer C:\Windows\system32\drivers\OlmarikFixer.sys
20:51:18.0416 2428 OlmarikFixer - ok
20:51:18.0479 2428 [ 9D10F99A6712E28F8ACD5641E3A7EA6B ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
20:51:18.0479 2428 ose - ok
20:51:18.0635 2428 [ 358A9CCA612C68EB2F07DDAD4CE1D8D7 ] osppsvc C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
20:51:18.0775 2428 osppsvc - ok
20:51:18.0822 2428 [ 82A8521DDC60710C3D3D3E7325209BEC ] p2pimsvc C:\Windows\system32\pnrpsvc.dll
20:51:18.0822 2428 p2pimsvc - ok
20:51:18.0837 2428 [ 59C3DDD501E39E006DAC31BF55150D91 ] p2psvc C:\Windows\system32\p2psvc.dll
20:51:18.0853 2428 p2psvc - ok
20:51:18.0884 2428 [ 2EA877ED5DD9713C5AC74E8EA7348D14 ] Parport C:\Windows\system32\DRIVERS\parport.sys
20:51:18.0884 2428 Parport - ok
20:51:18.0931 2428 [ 3F34A1B4C5F6475F320C275E63AFCE9B ] partmgr C:\Windows\system32\drivers\partmgr.sys
20:51:18.0931 2428 partmgr - ok
20:51:18.0947 2428 [ EB0A59F29C19B86479D36B35983DAADC ] Parvdm C:\Windows\system32\DRIVERS\parvdm.sys
20:51:18.0947 2428 Parvdm - ok
20:51:18.0993 2428 [ 358AB7956D3160000726574083DFC8A6 ] PcaSvc C:\Windows\System32\pcasvc.dll
20:51:19.0009 2428 PcaSvc - ok
20:51:19.0040 2428 [ 673E55C3498EB970088E812EA820AA8F ] pci C:\Windows\system32\drivers\pci.sys
20:51:19.0056 2428 pci - ok
20:51:19.0071 2428 [ AFE86F419014DB4E5593F69FFE26CE0A ] pciide C:\Windows\system32\drivers\pciide.sys
20:51:19.0071 2428 pciide - ok
20:51:19.0103 2428 [ F396431B31693E71E8A80687EF523506 ] pcmcia C:\Windows\system32\DRIVERS\pcmcia.sys
20:51:19.0103 2428 pcmcia - ok
20:51:19.0134 2428 [ 250F6B43D2B613172035C6747AEEB19F ] pcw C:\Windows\system32\drivers\pcw.sys
20:51:19.0134 2428 pcw - ok
20:51:19.0181 2428 [ 9E0104BA49F4E6973749A02BF41344ED ] PEAUTH C:\Windows\system32\drivers\peauth.sys
20:51:19.0196 2428 PEAUTH - ok
20:51:19.0290 2428 [ 414BBA67A3DED1D28437EB66AEB8A720 ] pla C:\Windows\system32\pla.dll
20:51:19.0321 2428 pla - ok
20:51:19.0383 2428 [ EC7BC28D207DA09E79B3E9FAF8B232CA ] PlugPlay C:\Windows\system32\umpnpmgr.dll
20:51:19.0399 2428 PlugPlay - ok
20:51:19.0430 2428 [ 63FF8572611249931EB16BB8EED6AFC8 ] PNRPAutoReg C:\Windows\system32\pnrpauto.dll
20:51:19.0430 2428 PNRPAutoReg - ok
20:51:19.0461 2428 [ 82A8521DDC60710C3D3D3E7325209BEC ] PNRPsvc C:\Windows\system32\pnrpsvc.dll
20:51:19.0461 2428 PNRPsvc - ok
20:51:19.0508 2428 [ 53946B69BA0836BD95B03759530C81EC ] PolicyAgent C:\Windows\System32\ipsecsvc.dll
20:51:19.0508 2428 PolicyAgent - ok
20:51:19.0571 2428 [ F87D30E72E03D579A5199CCB3831D6EA ] Power C:\Windows\system32\umpo.dll
20:51:19.0571 2428 Power - ok
20:51:19.0617 2428 [ 631E3E205AD6D86F2AED6A4A8E69F2DB ] PptpMiniport C:\Windows\system32\DRIVERS\raspptp.sys
20:51:19.0633 2428 PptpMiniport - ok
20:51:19.0664 2428 [ 85B1E3A0C7585BC4AAE6899EC6FCF011 ] Processor C:\Windows\system32\DRIVERS\processr.sys
20:51:19.0664 2428 Processor - ok
20:51:19.0711 2428 [ CADEFAC453040E370A1BDFF3973BE00D ] ProfSvc C:\Windows\system32\profsvc.dll
20:51:19.0711 2428 ProfSvc - ok
20:51:19.0742 2428 [ 81951F51E318AECC2D68559E47485CC4 ] ProtectedStorage C:\Windows\system32\lsass.exe
20:51:19.0742 2428 ProtectedStorage - ok
20:51:19.0789 2428 [ 6270CCAE2A86DE6D146529FE55B3246A ] Psched C:\Windows\system32\DRIVERS\pacer.sys
20:51:19.0789 2428 Psched - ok
20:51:19.0836 2428 [ AB95ECF1F6659A60DDC166D8315B0751 ] ql2300 C:\Windows\system32\DRIVERS\ql2300.sys
20:51:19.0867 2428 ql2300 - ok
20:51:19.0898 2428 [ B4DD51DD25182244B86737DC51AF2270 ] ql40xx C:\Windows\system32\DRIVERS\ql40xx.sys
20:51:19.0898 2428 ql40xx - ok
20:51:19.0929 2428 [ 31AC809E7707EB580B2BDB760390765A ] QWAVE C:\Windows\system32\qwave.dll
20:51:19.0945 2428 QWAVE - ok
20:51:19.0961 2428 [ 584078CA1B95CA72DF2A27C336F9719D ] QWAVEdrv C:\Windows\system32\drivers\qwavedrv.sys
20:51:19.0961 2428 QWAVEdrv - ok
20:51:19.0976 2428 [ 30A81B53C766D0133BB86D234E5556AB ] RasAcd C:\Windows\system32\DRIVERS\rasacd.sys
20:51:19.0992 2428 RasAcd - ok
20:51:20.0054 2428 [ 57EC4AEF73660166074D8F7F31C0D4FD ] RasAgileVpn C:\Windows\system32\DRIVERS\AgileVpn.sys
20:51:20.0070 2428 RasAgileVpn - ok
20:51:20.0085 2428 [ A60F1839849C0C00739787FD5EC03F13 ] RasAuto C:\Windows\System32\rasauto.dll
20:51:20.0101 2428 RasAuto - ok
20:51:20.0117 2428 [ D9F91EAFEC2815365CBE6D167E4E332A ] Rasl2tp C:\Windows\system32\DRIVERS\rasl2tp.sys
20:51:20.0148 2428 Rasl2tp - ok
20:51:20.0195 2428 [ CB9E04DC05EACF5B9A36CA276D475006 ] RasMan C:\Windows\System32\rasmans.dll
20:51:20.0195 2428 RasMan - ok
20:51:20.0210 2428 [ 0FE8B15916307A6AC12BFB6A63E45507 ] RasPppoe C:\Windows\system32\DRIVERS\raspppoe.sys
20:51:20.0241 2428 RasPppoe - ok
20:51:20.0273 2428 [ 44101F495A83EA6401D886E7FD70096B ] RasSstp C:\Windows\system32\DRIVERS\rassstp.sys
20:51:20.0288 2428 RasSstp - ok
20:51:20.0335 2428 [ D528BC58A489409BA40334EBF96A311B ] rdbss C:\Windows\system32\DRIVERS\rdbss.sys
20:51:20.0335 2428 rdbss - ok
20:51:20.0366 2428 [ 0D8F05481CB76E70E1DA06EE9F0DA9DF ] rdpbus C:\Windows\system32\DRIVERS\rdpbus.sys
20:51:20.0366 2428 rdpbus - ok
20:51:20.0397 2428 [ 23DAE03F29D253AE74C44F99E515F9A1 ] RDPCDD C:\Windows\system32\DRIVERS\RDPCDD.sys
20:51:20.0397 2428 RDPCDD - ok
20:51:20.0460 2428 [ 5A53CA1598DD4156D44196D200C94B8A ] RDPENCDD C:\Windows\system32\drivers\rdpencdd.sys
20:51:20.0460 2428 RDPENCDD - ok
20:51:20.0475 2428 [ 44B0A53CD4F27D50ED461DAE0C0B4E1F ] RDPREFMP C:\Windows\system32\drivers\rdprefmp.sys
20:51:20.0475 2428 RDPREFMP - ok
20:51:20.0522 2428 [ F031683E6D1FEA157ABB2FF260B51E61 ] RDPWD C:\Windows\system32\drivers\RDPWD.sys
20:51:20.0522 2428 RDPWD - ok
20:51:20.0569 2428 [ 518395321DC96FE2C9F0E96AC743B656 ] rdyboost C:\Windows\system32\drivers\rdyboost.sys
20:51:20.0569 2428 rdyboost - ok
20:51:20.0616 2428 [ 7B5E1419717FAC363A31CC302895217A ] RemoteAccess C:\Windows\System32\mprdim.dll
20:51:20.0616 2428 RemoteAccess - ok
20:51:20.0647 2428 [ CB9A8683F4EF2BF99E123D79950D7935 ] RemoteRegistry C:\Windows\system32\regsvc.dll
20:51:20.0663 2428 RemoteRegistry - ok
20:51:20.0694 2428 [ 78D072F35BC45D9E4E1B61895C152234 ] RpcEptMapper C:\Windows\System32\RpcEpMap.dll
20:51:20.0709 2428 RpcEptMapper - ok
20:51:20.0741 2428 [ 94D36C0E44677DD26981D2BFEEF2A29D ] RpcLocator C:\Windows\system32\locator.exe
20:51:20.0741 2428 RpcLocator - ok
20:51:20.0772 2428 [ 7660F01D3B38ACA1747E397D21D790AF ] RpcSs C:\Windows\System32\rpcss.dll
20:51:20.0772 2428 RpcSs - ok
20:51:20.0819 2428 [ 032B0D36AD92B582D869879F5AF5B928 ] rspndr C:\Windows\system32\DRIVERS\rspndr.sys
20:51:20.0865 2428 rspndr - ok
20:51:20.0897 2428 [ 81951F51E318AECC2D68559E47485CC4 ] SamSs C:\Windows\system32\lsass.exe
20:51:20.0897 2428 SamSs - ok
20:51:20.0943 2428 [ 05D860DA1040F111503AC416CCEF2BCA ] sbp2port C:\Windows\system32\drivers\sbp2port.sys
20:51:20.0943 2428 sbp2port - ok
20:51:20.0990 2428 [ 8FC518FFE9519C2631D37515A68009C4 ] SCardSvr C:\Windows\System32\SCardSvr.dll
20:51:20.0990 2428 SCardSvr - ok
20:51:21.0021 2428 [ 0693B5EC673E34DC147E195779A4DCF6 ] scfilter C:\Windows\system32\DRIVERS\scfilter.sys
20:51:21.0021 2428 scfilter - ok
20:51:21.0068 2428 [ A04BB13F8A72F8B6E8B4071723E4E336 ] Schedule C:\Windows\system32\schedsvc.dll
20:51:21.0084 2428 Schedule - ok
20:51:21.0115 2428 [ 319C6B309773D063541D01DF8AC6F55F ] SCPolicySvc C:\Windows\System32\certprop.dll
20:51:21.0115 2428 SCPolicySvc - ok
20:51:21.0146 2428 [ 08236C4BCE5EDD0A0318A438AF28E0F7 ] SDRSVC C:\Windows\System32\SDRSVC.dll
20:51:21.0146 2428 SDRSVC - ok
20:51:21.0193 2428 [ 90A3935D05B494A5A39D37E71F09A677 ] secdrv C:\Windows\system32\drivers\secdrv.sys
20:51:21.0193 2428 secdrv - ok
20:51:21.0224 2428 [ A59B3A4442C52060CC7A85293AA3546F ] seclogon C:\Windows\system32\seclogon.dll
20:51:21.0224 2428 seclogon - ok
20:51:21.0271 2428 [ DCB7FCDCC97F87360F75D77425B81737 ] SENS C:\Windows\system32\sens.dll
20:51:21.0271 2428 SENS - ok
20:51:21.0302 2428 [ 50087FE1EE447009C9CC2997B90DE53F ] SensrSvc C:\Windows\system32\sensrsvc.dll
20:51:21.0302 2428 SensrSvc - ok
20:51:21.0333 2428 [ 9AD8B8B515E3DF6ACD4212EF465DE2D1 ] Serenum C:\Windows\system32\DRIVERS\serenum.sys
20:51:21.0349 2428 Serenum - ok
20:51:21.0365 2428 [ 5FB7FCEA0490D821F26F39CC5EA3D1E2 ] Serial C:\Windows\system32\DRIVERS\serial.sys
20:51:21.0365 2428 Serial - ok
20:51:21.0380 2428 [ 79BFFB520327FF916A582DFEA17AA813 ] sermouse C:\Windows\system32\DRIVERS\sermouse.sys
20:51:21.0380 2428 sermouse - ok
20:51:21.0443 2428 [ 4AE380F39A0032EAB7DD953030B26D28 ] SessionEnv C:\Windows\system32\sessenv.dll
20:51:21.0458 2428 SessionEnv - ok
20:51:21.0489 2428 [ 9F976E1EB233DF46FCE808D9DEA3EB9C ] sffdisk C:\Windows\system32\drivers\sffdisk.sys
20:51:21.0489 2428 sffdisk - ok
20:51:21.0505 2428 [ 932A68EE27833CFD57C1639D375F2731 ] sffp_mmc C:\Windows\system32\drivers\sffp_mmc.sys
20:51:21.0505 2428 sffp_mmc - ok
20:51:21.0536 2428 [ 6D4CCAEDC018F1CF52866BBBAA235982 ] sffp_sd C:\Windows\system32\drivers\sffp_sd.sys
20:51:21.0536 2428 sffp_sd - ok
20:51:21.0567 2428 [ DB96666CC8312EBC45032F30B007A547 ] sfloppy C:\Windows\system32\DRIVERS\sfloppy.sys
20:51:21.0567 2428 sfloppy - ok
20:51:21.0614 2428 [ D1A079A0DE2EA524513B6930C24527A2 ] SharedAccess C:\Windows\System32\ipnathlp.dll
20:51:21.0614 2428 SharedAccess - ok
20:51:21.0645 2428 [ 414DA952A35BF5D50192E28263B40577 ] ShellHWDetection C:\Windows\System32\shsvcs.dll
20:51:21.0661 2428 ShellHWDetection - ok
20:51:21.0677 2428 [ 2565CAC0DC9FE0371BDCE60832582B2E ] sisagp C:\Windows\system32\drivers\sisagp.sys
20:51:21.0692 2428 sisagp - ok
20:51:21.0723 2428 [ A9F0486851BECB6DDA1D89D381E71055 ] SiSRaid2 C:\Windows\system32\DRIVERS\SiSRaid2.sys
20:51:21.0723 2428 SiSRaid2 - ok
20:51:21.0739 2428 [ 3727097B55738E2F554972C3BE5BC1AA ] SiSRaid4 C:\Windows\system32\DRIVERS\sisraid4.sys
20:51:21.0755 2428 SiSRaid4 - ok
20:51:21.0786 2428 [ 3E21C083B8A01CB70BA1F09303010FCE ] Smb C:\Windows\system32\DRIVERS\smb.sys
20:51:21.0817 2428 Smb - ok
20:51:21.0864 2428 [ 6A984831644ECA1A33FFEAE4126F4F37 ] SNMPTRAP C:\Windows\System32\snmptrap.exe
20:51:21.0864 2428 SNMPTRAP - ok
20:51:21.0879 2428 [ 95CF1AE7527FB70F7816563CBC09D942 ] spldr C:\Windows\system32\drivers\spldr.sys
20:51:21.0879 2428 spldr - ok
20:51:21.0895 2428 Spooler - ok
20:51:21.0989 2428 [ CF87A1DE791347E75B98885214CED2B8 ] sppsvc C:\Windows\system32\sppsvc.exe
20:51:22.0020 2428 sppsvc - ok
20:51:22.0051 2428 [ B0180B20B065D89232A78A40FE56EAA6 ] sppuinotify C:\Windows\system32\sppuinotify.dll
20:51:22.0067 2428 sppuinotify - ok
20:51:22.0113 2428 [ E4C2764065D66EA1D2D3EBC28FE99C46 ] srv C:\Windows\system32\DRIVERS\srv.sys
20:51:22.0113 2428 srv - ok
20:51:22.0129 2428 [ 03F0545BD8D4C77FA0AE1CEEDFCC71AB ] srv2 C:\Windows\system32\DRIVERS\srv2.sys
20:51:22.0145 2428 srv2 - ok
20:51:22.0176 2428 [ BE6BD660CAA6F291AE06A718A4FA8ABC ] srvnet C:\Windows\system32\DRIVERS\srvnet.sys
20:51:22.0176 2428 srvnet - ok
20:51:22.0207 2428 [ D887C9FD02AC9FA880F6E5027A43E118 ] SSDPSRV C:\Windows\System32\ssdpsrv.dll
20:51:22.0207 2428 SSDPSRV - ok
20:51:22.0238 2428 [ D318F23BE45D5E3A107469EB64815B50 ] SstpSvc C:\Windows\system32\sstpsvc.dll
20:51:22.0238 2428 SstpSvc - ok
20:51:22.0269 2428 [ DB32D325C192B801DF274BFD12A7E72B ] stexstor C:\Windows\system32\DRIVERS\stexstor.sys
20:51:22.0269 2428 stexstor - ok
20:51:22.0347 2428 [ E1FB3706030FB4578A0D72C2FC3689E4 ] StiSvc C:\Windows\System32\wiaservc.dll
20:51:22.0347 2428 StiSvc - ok
20:51:22.0394 2428 [ E58C78A848ADD9610A4DB6D214AF5224 ] swenum C:\Windows\system32\drivers\swenum.sys
20:51:22.0394 2428 swenum - ok
20:51:22.0441 2428 [ A28BD92DF340E57B024BA433165D34D7 ] swprv C:\Windows\System32\swprv.dll
20:51:22.0441 2428 swprv - ok
20:51:22.0535 2428 [ 70534D1E4F9AC990536D5FB5B550B3DE ] SynTP C:\Windows\system32\DRIVERS\SynTP.sys
20:51:22.0566 2428 SynTP - ok
20:51:22.0628 2428 [ 36650D618CA34C9D357DFD3D89B2C56F ] SysMain C:\Windows\system32\sysmain.dll
20:51:22.0628 2428 SysMain - ok
20:51:22.0675 2428 [ 763FECDC3D30C815FE72DD57936C6CD1 ] TabletInputService C:\Windows\System32\TabSvc.dll
20:51:22.0675 2428 TabletInputService - ok
20:51:22.0722 2428 [ 613BF4820361543956909043A265C6AC ] TapiSrv C:\Windows\System32\tapisrv.dll
20:51:22.0722 2428 TapiSrv - ok
20:51:22.0753 2428 [ B799D9FDB26111737F58288D8DC172D9 ] TBS C:\Windows\System32\tbssvc.dll
20:51:22.0769 2428 TBS - ok
20:51:22.0847 2428 [ 7FA2E0F8B072BD04B77B421480B6CC22 ] Tcpip C:\Windows\system32\drivers\tcpip.sys
20:51:22.0878 2428 Tcpip - ok
20:51:22.0909 2428 [ 7FA2E0F8B072BD04B77B421480B6CC22 ] TCPIP6 C:\Windows\system32\DRIVERS\tcpip.sys
20:51:22.0925 2428 TCPIP6 - ok
20:51:22.0971 2428 [ CCA24162E055C3714CE5A88B100C64ED ] tcpipreg C:\Windows\system32\drivers\tcpipreg.sys
20:51:23.0003 2428 tcpipreg - ok
20:51:23.0049 2428 [ 1CB91B2BD8F6DD367DFC2EF26FD751B2 ] TDPIPE C:\Windows\system32\drivers\tdpipe.sys
20:51:23.0065 2428 TDPIPE - ok
20:51:23.0096 2428 [ 2C2C5AFE7EE4F620D69C23C0617651A8 ] TDTCP C:\Windows\system32\drivers\tdtcp.sys
20:51:23.0112 2428 TDTCP - ok
20:51:23.0159 2428 [ B459575348C20E8121D6039DA063C704 ] tdx C:\Windows\system32\DRIVERS\tdx.sys
20:51:23.0205 2428 tdx - ok
20:51:23.0221 2428 [ 04DBF4B01EA4BF25A9A3E84AFFAC9B20 ] TermDD C:\Windows\system32\drivers\termdd.sys
20:51:23.0221 2428 TermDD - ok
20:51:23.0268 2428 [ 382C804C92811BE57829D8E550A900E2 ] TermService C:\Windows\System32\termsrv.dll
20:51:23.0283 2428 TermService - ok
20:51:23.0315 2428 [ 42FB6AFD6B79D9FE07381609172E7CA4 ] Themes C:\Windows\system32\themeservice.dll
20:51:23.0315 2428 Themes - ok
20:51:23.0330 2428 [ 146B6F43A673379A3C670E86D89BE5EA ] THREADORDER C:\Windows\system32\mmcss.dll
20:51:23.0330 2428 THREADORDER - ok
20:51:23.0377 2428 [ 4792C0378DB99A9BC2AE2DE6CFFF0C3A ] TrkWks C:\Windows\System32\trkwks.dll
20:51:23.0377 2428 TrkWks - ok
20:51:23.0455 2428 [ 2C49B175AEE1D4364B91B531417FE583 ] TrustedInstaller C:\Windows\servicing\TrustedInstaller.exe
20:51:23.0455 2428 TrustedInstaller - ok
20:51:23.0502 2428 [ 254BB140EEE3C59D6114C1A86B636877 ] tssecsrv C:\Windows\system32\DRIVERS\tssecsrv.sys
20:51:23.0549 2428 tssecsrv - ok
20:51:23.0611 2428 [ FD1D6C73E6333BE727CBCC6054247654 ] TsUsbFlt C:\Windows\system32\drivers\tsusbflt.sys
20:51:23.0642 2428 TsUsbFlt - ok
20:51:23.0705 2428 [ B2FA25D9B17A68BB93D58B0556E8C90D ] tunnel C:\Windows\system32\DRIVERS\tunnel.sys
20:51:23.0705 2428 tunnel - ok
20:51:23.0751 2428 [ 792A8B80F8188ABA4B2BE271583F3E46 ] TVALZ C:\Windows\system32\DRIVERS\TVALZ_O.SYS
20:51:23.0751 2428 TVALZ - ok
20:51:23.0798 2428 [ 750FBCB269F4D7DD2E420C56B795DB6D ] uagp35 C:\Windows\system32\DRIVERS\uagp35.sys
20:51:23.0798 2428 uagp35 - ok
20:51:23.0829 2428 [ EE43346C7E4B5E63E54F927BABBB32FF ] udfs C:\Windows\system32\DRIVERS\udfs.sys
20:51:23.0876 2428 udfs - ok
20:51:23.0923 2428 [ 8344FD4FCE927880AA1AA7681D4927E5 ] UI0Detect C:\Windows\system32\UI0Detect.exe
20:51:23.0923 2428 UI0Detect - ok
20:51:23.0970 2428 [ 44E8048ACE47BEFBFDC2E9BE4CBC8880 ] uliagpkx C:\Windows\system32\drivers\uliagpkx.sys
20:51:23.0970 2428 uliagpkx - ok
20:51:24.0048 2428 [ D295BED4B898F0FD999FCFA9B32B071B ] umbus C:\Windows\system32\drivers\umbus.sys
20:51:24.0048 2428 umbus - ok
20:51:24.0079 2428 [ 7550AD0C6998BA1CB4843E920EE0FEAC ] UmPass C:\Windows\system32\DRIVERS\umpass.sys
20:51:24.0079 2428 UmPass - ok
20:51:24.0126 2428 [ 833FBB672460EFCE8011D262175FAD33 ] upnphost C:\Windows\System32\upnphost.dll
20:51:24.0126 2428 upnphost - ok
20:51:24.0157 2428 [ BD9C55D7023C5DE374507ACC7A14E2AC ] usbccgp C:\Windows\system32\DRIVERS\usbccgp.sys
20:51:24.0188 2428 usbccgp - ok
20:51:24.0235 2428 [ 04EC7CEC62EC3B6D9354EEE93327FC82 ] usbcir C:\Windows\system32\drivers\usbcir.sys
20:51:24.0251 2428 usbcir - ok
20:51:24.0282 2428 [ F92DE757E4B7CE9C07C5E65423F3AE3B ] usbehci C:\Windows\system32\DRIVERS\usbehci.sys
20:51:24.0297 2428 usbehci - ok
20:51:24.0329 2428 [ 8DC94AEC6A7E644A06135AE7506DC2E9 ] usbhub C:\Windows\system32\DRIVERS\usbhub.sys
20:51:24.0407 2428 usbhub - ok
20:51:24.0438 2428 [ E185D44FAC515A18D9DEDDC23C2CDF44 ] usbohci C:\Windows\system32\drivers\usbohci.sys
20:51:24.0438 2428 usbohci - ok
20:51:24.0485 2428 [ 797D862FE0875E75C7CC4C1AD7B30252 ] usbprint C:\Windows\system32\DRIVERS\usbprint.sys
20:51:24.0500 2428 usbprint - ok
20:51:24.0547 2428 [ 576096CCBC07E7C4EA4F5E6686D6888F ] usbscan C:\Windows\system32\DRIVERS\usbscan.sys
20:51:24.0578 2428 usbscan - ok
20:51:24.0625 2428 [ F991AB9CC6B908DB552166768176896A ] USBSTOR C:\Windows\system32\DRIVERS\USBSTOR.SYS
20:51:24.0625 2428 USBSTOR - ok
20:51:24.0672 2428 [ 68DF884CF41CDADA664BEB01DAF67E3D ] usbuhci C:\Windows\system32\DRIVERS\usbuhci.sys
20:51:24.0687 2428 usbuhci - ok
20:51:24.0719 2428 [ 081E6E1C91AEC36758902A9F727CD23C ] UxSms C:\Windows\System32\uxsms.dll
20:51:24.0719 2428 UxSms - ok
20:51:24.0734 2428 [ 81951F51E318AECC2D68559E47485CC4 ] VaultSvc C:\Windows\system32\lsass.exe
20:51:24.0734 2428 VaultSvc - ok
20:51:24.0781 2428 [ A059C4C3EDB09E07D21A8E5C0AABD3CB ] vdrvroot C:\Windows\system32\drivers\vdrvroot.sys
20:51:24.0781 2428 vdrvroot - ok
20:51:24.0828 2428 [ C3CD30495687C2A2F66A65CA6FD89BE9 ] vds C:\Windows\System32\vds.exe
20:51:24.0843 2428 vds - ok
20:51:24.0875 2428 [ 17C408214EA61696CEC9C66E388B14F3 ] vga C:\Windows\system32\DRIVERS\vgapnp.sys
20:51:24.0906 2428 vga - ok
20:51:24.0937 2428 [ 8E38096AD5C8570A6F1570A61E251561 ] VgaSave C:\Windows\System32\drivers\vga.sys
20:51:24.0937 2428 VgaSave - ok
20:51:24.0984 2428 [ 5461686CCA2FDA57B024547733AB42E3 ] vhdmp C:\Windows\system32\drivers\vhdmp.sys
20:51:24.0984 2428 vhdmp - ok
20:51:25.0031 2428 [ C829317A37B4BEA8F39735D4B076E923 ] viaagp C:\Windows\system32\drivers\viaagp.sys
20:51:25.0031 2428 viaagp - ok
20:51:25.0046 2428 [ E02F079A6AA107F06B16549C6E5C7B74 ] ViaC7 C:\Windows\system32\DRIVERS\viac7.sys
20:51:25.0046 2428 ViaC7 - ok
20:51:25.0062 2428 [ E43574F6A56A0EE11809B48C09E4FD3C ] viaide C:\Windows\system32\drivers\viaide.sys
20:51:25.0077 2428 viaide - ok
20:51:25.0109 2428 [ 4C63E00F2F4B5F86AB48A58CD990F212 ] volmgr C:\Windows\system32\drivers\volmgr.sys
20:51:25.0109 2428 volmgr - ok
20:51:25.0140 2428 [ B5BB72067DDDDBBFB04B2F89FF8C3C87 ] volmgrx C:\Windows\system32\drivers\volmgrx.sys
20:51:25.0140 2428 volmgrx - ok
20:51:25.0171 2428 [ F497F67932C6FA693D7DE2780631CFE7 ] volsnap C:\Windows\system32\drivers\volsnap.sys
20:51:25.0171 2428 volsnap - ok
20:51:25.0202 2428 [ 9DFA0CC2F8855A04816729651175B631 ] vsmraid C:\Windows\system32\DRIVERS\vsmraid.sys
20:51:25.0202 2428 vsmraid - ok
20:51:25.0265 2428 [ 209A3B1901B83AEB8527ED211CCE9E4C ] VSS C:\Windows\system32\vssvc.exe
20:51:25.0296 2428 VSS - ok
20:51:25.0311 2428 [ 90567B1E658001E79D7C8BBD3DDE5AA6 ] vwifibus C:\Windows\system32\DRIVERS\vwifibus.sys
20:51:25.0343 2428 vwifibus - ok
20:51:25.0389 2428 [ 7090D3436EEB4E7DA3373090A23448F7 ] vwififlt C:\Windows\system32\DRIVERS\vwififlt.sys
20:51:25.0421 2428 vwififlt - ok
20:51:25.0467 2428 [ 55187FD710E27D5095D10A472C8BAF1C ] W32Time C:\Windows\system32\w32time.dll
20:51:25.0467 2428 W32Time - ok
20:51:25.0499 2428 [ DE3721E89C653AA281428C8A69745D90 ] WacomPen C:\Windows\system32\DRIVERS\wacompen.sys
20:51:25.0499 2428 WacomPen - ok
20:51:25.0545 2428 [ 3C3C78515F5AB448B022BDF5B8FFDD2E ] WANARP C:\Windows\system32\DRIVERS\wanarp.sys
20:51:25.0561 2428 WANARP - ok
20:51:25.0577 2428 [ 3C3C78515F5AB448B022BDF5B8FFDD2E ] Wanarpv6 C:\Windows\system32\DRIVERS\wanarp.sys
20:51:25.0577 2428 Wanarpv6 - ok
20:51:25.0670 2428 [ 353A04C273EC58475D8633E75CCD5604 ] WatAdminSvc C:\Windows\system32\Wat\WatAdminSvc.exe
20:51:25.0701 2428 WatAdminSvc - ok
20:51:25.0764 2428 [ 691E3285E53DCA558E1A84667F13E15A ] wbengine C:\Windows\system32\wbengine.exe
20:51:25.0795 2428 wbengine - ok
20:51:25.0842 2428 [ 9614B5D29DC76AC3C29F6D2D3AA70E67 ] WbioSrvc C:\Windows\System32\wbiosrvc.dll
20:51:25.0857 2428 WbioSrvc - ok
20:51:25.0889 2428 [ 34EEE0DFAADB4F691D6D5308A51315DC ] wcncsvc C:\Windows\System32\wcncsvc.dll
20:51:25.0904 2428 wcncsvc - ok
20:51:25.0920 2428 [ 5D930B6357A6D2AF4D7653BDABBF352F ] WcsPlugInService C:\Windows\System32\WcsPlugInService.dll
20:51:25.0920 2428 WcsPlugInService - ok
20:51:25.0951 2428 [ 1112A9BADACB47B7C0BB0392E3158DFF ] Wd C:\Windows\system32\DRIVERS\wd.sys
20:51:25.0951 2428 Wd - ok
20:51:25.0982 2428 [ 9950E3D0F08141C7E89E64456AE7DC73 ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
20:51:25.0982 2428 Wdf01000 - ok
20:51:26.0013 2428 [ 46EF9DC96265FD0B423DB72E7C38C2A5 ] WdiServiceHost C:\Windows\system32\wdi.dll
20:51:26.0013 2428 WdiServiceHost - ok
20:51:26.0029 2428 [ 46EF9DC96265FD0B423DB72E7C38C2A5 ] WdiSystemHost C:\Windows\system32\wdi.dll
20:51:26.0029 2428 WdiSystemHost - ok
20:51:26.0076 2428 [ A9D880F97530D5B8FEE278923349929D ] WebClient C:\Windows\System32\webclnt.dll
20:51:26.0076 2428 WebClient - ok
20:51:26.0123 2428 [ 760F0AFE937A77CFF27153206534F275 ] Wecsvc C:\Windows\system32\wecsvc.dll
20:51:26.0123 2428 Wecsvc - ok
20:51:26.0154 2428 [ AC804569BB2364FB6017370258A4091B ] wercplsupport C:\Windows\System32\wercplsupport.dll
20:51:26.0154 2428 wercplsupport - ok
20:51:26.0201 2428 [ 08E420D873E4FD85241EE2421B02C4A4 ] WerSvc C:\Windows\System32\WerSvc.dll
20:51:26.0201 2428 WerSvc - ok
20:51:26.0247 2428 [ 8B9A943F3B53861F2BFAF6C186168F79 ] WfpLwf C:\Windows\system32\DRIVERS\wfplwf.sys
20:51:26.0263 2428 WfpLwf - ok
20:51:26.0279 2428 [ 5CF95B35E59E2A38023836FFF31BE64C ] WIMMount C:\Windows\system32\drivers\wimmount.sys
20:51:26.0310 2428 WIMMount - ok
20:51:26.0419 2428 [ 3FAE8F94296001C32EAB62CD7D82E0FD ] WinDefend C:\Program Files\Windows Defender\mpsvc.dll
20:51:26.0419 2428 WinDefend - ok
20:51:26.0435 2428 WinHttpAutoProxySvc - ok
20:51:26.0528 2428 [ F62E510B6AD4C21EB9FE8668ED251826 ] Winmgmt C:\Windows\system32\wbem\WMIsvc.dll
20:51:26.0528 2428 Winmgmt - ok
20:51:26.0591 2428 [ 1B91CD34EA3A90AB6A4EF0550174F4CC ] WinRM C:\Windows\system32\WsmSvc.dll
20:51:26.0606 2428 WinRM - ok
20:51:26.0684 2428 [ A67E5F9A400F3BD1BE3D80613B45F708 ] WinUSB C:\Windows\system32\DRIVERS\WinUSB.sys
20:51:26.0684 2428 WinUSB - ok
20:51:26.0731 2428 [ 16935C98FF639D185086A3529B1F2067 ] Wlansvc C:\Windows\System32\wlansvc.dll
20:51:26.0731 2428 Wlansvc - ok
20:51:26.0809 2428 [ 6067ACEF367E79914AF628FA1E9B5330 ] wlcrasvc C:\Program Files\Windows Live\Mesh\wlcrasvc.exe
20:51:26.0809 2428 wlcrasvc - ok
20:51:26.0918 2428 [ FB01D4AE207B9EFDBABFC55DC95C7E31 ] wlidsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
20:51:26.0965 2428 wlidsvc - ok
20:51:26.0996 2428 [ 0217679B8FCA58714C3BF2726D2CA84E ] WmiAcpi C:\Windows\system32\drivers\wmiacpi.sys
20:51:26.0996 2428 WmiAcpi - ok
20:51:27.0043 2428 [ 6EB6B66517B048D87DC1856DDF1F4C3F ] wmiApSrv C:\Windows\system32\wbem\WmiApSrv.exe
20:51:27.0043 2428 wmiApSrv - ok
20:51:27.0152 2428 [ 3B40D3A61AA8C21B88AE57C58AB3122E ] WMPNetworkSvc C:\Program Files\Windows Media Player\wmpnetwk.exe
20:51:27.0183 2428 WMPNetworkSvc - ok
20:51:27.0324 2428 [ 017695393AFFFED8DE58ABD1B085BE6D ] WMZuneComm C:\Program Files\Zune\WMZuneComm.exe
20:51:27.0324 2428 WMZuneComm - ok
20:51:27.0371 2428 [ A2F0EC770A92F2B3F9DE6D518E11409C ] WPCSvc C:\Windows\System32\wpcsvc.dll
20:51:27.0371 2428 WPCSvc - ok
20:51:27.0417 2428 [ AA53356D60AF47EACC85BC617A4F3F66 ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
20:51:27.0417 2428 WPDBusEnum - ok
20:51:27.0464 2428 [ 6DB3276587B853BF886B69528FDB048C ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
20:51:27.0464 2428 ws2ifsl - ok
20:51:27.0527 2428 [ 6F5D49EFE0E7164E03AE773A3FE25340 ] wscsvc C:\Windows\system32\wscsvc.dll
20:51:27.0527 2428 wscsvc - ok
20:51:27.0542 2428 WSearch - ok
20:51:27.0620 2428 [ FC3EC24FCE372C89423E015A2AC1A31E ] wuauserv C:\Windows\system32\wuaueng.dll
20:51:27.0636 2428 wuauserv - ok
20:51:27.0667 2428 [ E714A1C0354636837E20CCBF00888EE7 ] WudfPf C:\Windows\system32\drivers\WudfPf.sys
20:51:27.0683 2428 WudfPf - ok
20:51:27.0729 2428 [ 1023EE888C9B47178C5293ED5336AB69 ] WUDFRd C:\Windows\system32\DRIVERS\WUDFRd.sys
20:51:27.0729 2428 WUDFRd - ok
20:51:27.0776 2428 [ 8D1E1E529A2C9E9B6A85B55A345F7629 ] wudfsvc C:\Windows\System32\WUDFSvc.dll
20:51:27.0776 2428 wudfsvc - ok
20:51:27.0823 2428 [ FF2D745B560F7C71B31F30F4D49F73D2 ] WwanSvc C:\Windows\System32\wwansvc.dll
20:51:27.0839 2428 WwanSvc - ok
20:51:28.0010 2428 [ 1076DF9ADE4E13EA3BF39D2165AEB903 ] ZuneNetworkSvc C:\Program Files\Zune\ZuneNss.exe
20:51:28.0151 2428 ZuneNetworkSvc - ok
20:51:28.0229 2428 [ DE1CDB333A402B279F04D627122FA08E ] ZuneWlanCfgSvc C:\Program Files\Zune\ZuneWlanCfgSvc.exe
20:51:28.0244 2428 ZuneWlanCfgSvc - ok
20:51:28.0260 2428 ================ Scan global ===============================
20:51:28.0307 2428 [ DAB748AE0439955ED2FA22357533DDDB ] C:\Windows\system32\basesrv.dll
20:51:28.0353 2428 [ 183B4188D5D91B271613EC3EFD1B3CEF ] C:\Windows\system32\winsrv.dll
20:51:28.0353 2428 [ 183B4188D5D91B271613EC3EFD1B3CEF ] C:\Windows\system32\winsrv.dll
20:51:28.0400 2428 [ 364455805E64882844EE9ACB72522830 ] C:\Windows\system32\sxssrv.dll
20:51:28.0431 2428 [ 5F1B6A9C35D3D5CA72D6D6FDEF9747D6 ] C:\Windows\system32\services.exe
20:51:28.0431 2428 [Global] - ok
20:51:28.0447 2428 ================ Scan MBR ==================================
20:51:28.0447 2428 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
20:51:28.0447 2428 Suspicious mbr (Forged): \Device\Harddisk0\DR0
20:51:28.0509 2428 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
20:51:28.0509 2428 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
20:51:28.0509 2428 ================ Scan VBR ==================================
20:51:28.0509 2428 [ BC1ECFB28B2B23A46CE92B52D7B6846F ] \Device\Harddisk0\DR0\Partition1
20:51:28.0509 2428 \Device\Harddisk0\DR0\Partition1 - ok
20:51:28.0572 2428 [ CC21DDDA3732D51F0EEFF30F32680065 ] \Device\Harddisk0\DR0\Partition2
20:51:28.0572 2428 \Device\Harddisk0\DR0\Partition2 - ok
20:51:28.0572 2428 ============================================================
20:51:28.0572 2428 Scan finished
20:51:28.0572 2428 ============================================================
20:51:28.0587 3240 Detected object count: 1
20:51:28.0587 3240 Actual detected object count: 1
20:51:38.0852 3240 \Device\Harddisk0\DR0\# - copied to quarantine
20:51:38.0852 3240 \Device\Harddisk0\DR0 - copied to quarantine
20:51:38.0899 3240 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
20:51:38.0899 3240 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
20:51:39.0773 3240 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
20:51:40.0350 3240 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
20:51:40.0896 3240 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
20:51:41.0442 3240 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
20:51:41.0941 3240 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
20:51:41.0941 3240 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
20:51:41.0988 3240 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
20:51:42.0003 3240 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
20:51:42.0721 3240 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
20:51:43.0251 3240 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
20:51:43.0251 3240 \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
20:51:43.0283 3240 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
20:51:43.0314 3240 \Device\Harddisk0\DR0 - ok
20:51:43.0361 3240 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
20:52:15.0949 4040 Deinitialize success

Here is the aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-29 20:56:39
-----------------------------
20:56:39.354 OS Version: Windows 6.1.7601 Service Pack 1
20:56:39.354 Number of processors: 1 586 0x170A
20:56:39.354 ComputerName: OWNER-PC UserName:
20:56:59.182 Initialize success
21:10:42.241 AVAST engine defs: 12082901
21:10:54.596 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
21:10:54.596 Disk 0 Vendor: WDC_WD2500BEVT-00A23T0 01.01A01 Size: 238475MB BusType: 11
21:10:54.643 Disk 0 MBR read successfully
21:10:54.643 Disk 0 MBR scan
21:10:54.643 Disk 0 Windows 7 default MBR code
21:10:54.658 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
21:10:54.674 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 238373 MB offset 206848
21:10:54.674 Disk 0 scanning sectors +488394752
21:10:54.736 Disk 0 scanning C:\Windows\system32\drivers
21:11:12.536 Service scanning
21:11:53.018 Modules scanning
21:12:21.987 Disk 0 trace - called modules:
21:12:22.003 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
21:12:22.518 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8558d648]
21:12:22.518 3 CLASSPNP.SYS[8820459e] -> nt!IofCallDriver -> [0x85490918]
21:12:22.518 5 ACPI.sys[880c73d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x85485030]
21:12:23.719 AVAST engine scan C:\Windows
21:12:29.288 AVAST engine scan C:\Windows\system32
21:16:02.322 AVAST engine scan C:\Windows\system32\drivers
21:16:19.794 AVAST engine scan C:\Users\Ardena Tejada
21:21:57.862 AVAST engine scan C:\ProgramData
21:23:15.051 Scan finished successfully
21:23:51.555 Disk 0 MBR has been saved successfully to "C:\Users\Ardena Tejada\Desktop\MBR.dat"
21:23:51.571 The log file has been saved successfully to "C:\Users\Ardena Tejada\Desktop\aswMBR.txt"

I would like to add that for some reason I cannot connect to Google. I don't know why. Do you have any ideas why?

I think after all this I will uninstall Firefox and install it again.

Thanks a lot gringo!
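As an added example (not part of this thread and not TDSSKiller's own code), a small Python triage script that parses lines in the TDSSKiller log format above, pulls out the MBR verdict, the detections, what was copied to quarantine, and tells a real `- ok` apart from a cure that is still pending reboot. The sample lines are copied from the log posted above; the function names are my own.

```python
import re

# One TDSSKiller line: "HH:MM:SS.ffff <pid> <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<msg>.*)$")
# "[ <MD5> ] <object>": a service/driver name plus path, a plain file, or a raw device
HASH_RE = re.compile(r"^\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<obj>.+)$")
SUSP_RE = re.compile(r"^Suspicious mbr \((?P<why>[^)]+)\): (?P<obj>.+)$")
# "<object> ( <family> ) - infected | will be cured on reboot | User select action: X"
VERDICT_RE = re.compile(r"^(?P<obj>.+?) \( (?P<family>[^)]+) \) - (?P<action>.+)$")
DETECTED_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<family>\S+) \(\d+\)$")
QUAR_RE = re.compile(r"^(?P<obj>.+?) - copied to quarantine$")
COUNT_RE = re.compile(r"^Actual detected object count: (?P<n>\d+)$")


def parse_line(line):
    """Split one log line into (timestamp, pid, message); None for lines that do not fit."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    return m["ts"], int(m["pid"]), m["msg"]


def triage(log_text):
    """Walk the log once and collect hashes, verdicts, quarantine actions and counts."""
    report = {
        "hashed": {},           # object -> MD5 the scanner reported
        "ok": set(),            # objects the scanner marked "- ok"
        "suspicious_mbr": [],   # (object, reason), e.g. ("\\Device\\Harddisk0\\DR0", "Forged")
        "detections": {},       # object -> malware family
        "quarantined": [],      # objects copied to quarantine, in log order
        "cure_on_reboot": [],   # objects whose cure is deferred to the next boot
        "user_action": {},      # object -> action the user chose (Cure, Skip, ...)
        "actual_detected_count": None,
    }
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue                      # banner lines such as "==== Scan MBR ===="
        msg = parsed[2]
        if m := HASH_RE.match(msg):
            report["hashed"][m["obj"]] = m["md5"].upper()
        elif m := SUSP_RE.match(msg):
            report["suspicious_mbr"].append((m["obj"], m["why"]))
        elif m := VERDICT_RE.match(msg):
            report["detections"][m["obj"]] = m["family"]
            action = m["action"]
            if action == "will be cured on reboot":
                report["cure_on_reboot"].append(m["obj"])
            elif action.startswith("User select action: "):
                report["user_action"][m["obj"]] = action.split(": ", 1)[1]
        elif m := DETECTED_RE.match(msg):
            report["detections"][m["obj"]] = m["family"]
        elif m := QUAR_RE.match(msg):
            report["quarantined"].append(m["obj"])
        elif m := COUNT_RE.match(msg):
            report["actual_detected_count"] = int(m["n"])
        elif msg.endswith(" - ok"):
            report["ok"].add(msg[: -len(" - ok")])
    return report


def status(report, obj):
    """Final state of one object. The "- ok" that follows a detection only means the
    cure was scheduled, so a pending reboot outranks that later "ok" line."""
    if obj in report["cure_on_reboot"]:
        return "cure pending reboot"
    if obj in report["detections"]:
        return "infected"
    if obj in report["ok"]:
        return "ok"
    return "unknown"


def unresolved(report):
    """Detections that were neither quarantined nor scheduled for cure."""
    handled = set(report["quarantined"]) | set(report["cure_on_reboot"])
    return sorted(o for o in report["detections"] if o not in handled)


def count_consistent(report):
    """True when the scanner's own 'Actual detected object count' matches what we parsed."""
    return report["actual_detected_count"] == len(report["detections"])


# Constructed sample: a handful of lines copied from the TDSSKiller log posted above.
SAMPLE_LOG = r"""
20:51:27.0776 2428 [ 8D1E1E529A2C9E9B6A85B55A345F7629 ] wudfsvc C:\Windows\System32\WUDFSvc.dll
20:51:27.0776 2428 wudfsvc - ok
20:51:28.0260 2428 ================ Scan global ===============================
20:51:28.0307 2428 [ DAB748AE0439955ED2FA22357533DDDB ] C:\Windows\system32\basesrv.dll
20:51:28.0431 2428 [Global] - ok
20:51:28.0447 2428 ================ Scan MBR ==================================
20:51:28.0447 2428 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
20:51:28.0447 2428 Suspicious mbr (Forged): \Device\Harddisk0\DR0
20:51:28.0509 2428 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
20:51:28.0509 2428 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
20:51:28.0509 2428 \Device\Harddisk0\DR0\Partition1 - ok
20:51:28.0587 3240 Actual detected object count: 1
20:51:38.0852 3240 \Device\Harddisk0\DR0 - copied to quarantine
20:51:38.0899 3240 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
20:51:43.0283 3240 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
20:51:43.0314 3240 \Device\Harddisk0\DR0 - ok
20:51:43.0361 3240 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
"""

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for obj, family in rep["detections"].items():
        print(f"{obj}: {family} -> {status(rep, obj)}")
    print("quarantined:", len(rep["quarantined"]), "unresolved:", unresolved(rep),
          "count consistent:", count_consistent(rep))
```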

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:52 PM

Posted 29 August 2012 - 10:36 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 _Relolelo

_Relolelo
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:52 AM

Posted 30 August 2012 - 07:52 PM

Here is the combofix log:

ComboFix 12-08-30.05 - Ardena Tejada 08/30/2012 18:18:15.3.1 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1916.1162 [GMT -6:00]
Running from: c:\users\Ardena Tejada\Desktop\ComboFix.exe
Command switches used :: c:\users\Ardena Tejada\Desktop\CFScript.txt
AV: ESET Smart Security 5.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 5.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-31 )))))))))))))))))))))))))))))))
.
.
2012-08-31 00:29 . 2012-08-31 00:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-31 00:26 . 2012-08-31 00:26 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AF082A02-E03E-44BD-9E79-F00339BD434B}\offreg.dll
2012-08-30 02:51 . 2012-08-30 02:51 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-28 21:45 . 2012-08-28 21:45 -------- d-----w- c:\program files\EASEUS
2012-08-28 21:30 . 2012-08-28 21:30 -------- d-----w- c:\program files\East Imperial Soft
2012-08-28 02:41 . 2012-08-31 00:29 -------- d-----w- c:\users\Ardena Tejada\AppData\Local\temp
2012-08-28 01:44 . 2012-08-28 01:44 -------- d-----w- c:\program files\Common Files\Java
2012-08-28 01:44 . 2012-08-28 01:43 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-28 01:43 . 2012-08-28 01:43 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-28 01:43 . 2012-08-28 01:43 -------- d-----w- c:\program files\Java
2012-08-28 01:40 . 2012-08-28 01:40 -------- d-----w- c:\programdata\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-28 01:43 . 2012-03-18 04:02 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-17 00:37 . 2012-04-01 19:14 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-17 00:37 . 2012-03-17 22:20 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-24 22:55 . 2012-07-24 22:55 23368 ----a-w- c:\windows\system32\drivers\OlmarikFixer.sys
2012-07-16 08:41 . 2012-07-24 22:54 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AF082A02-E03E-44BD-9E79-F00339BD434B}\mpengine.dll
2012-06-06 05:05 . 2012-07-24 07:38 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05 . 2012-07-24 07:38 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03 . 2012-07-24 07:38 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:19 . 2012-06-21 19:06 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 19:06 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 19:06 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 19:06 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 19:06 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 19:06 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 19:06 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 21:19 . 2012-06-21 19:05 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 21:12 . 2012-06-21 19:05 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33 . 2012-07-24 07:39 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25 . 2012-07-24 07:39 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25 . 2012-07-24 07:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20 . 2012-07-24 07:39 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16 . 2012-07-24 07:39 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45 . 2012-07-24 07:39 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45 . 2012-07-24 07:39 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40 . 2012-07-24 07:39 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40 . 2012-07-24 07:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39 . 2012-07-24 07:39 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-08-06 04:18 . 2012-03-18 04:33 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-28_02.47.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-17 22:37 . 2012-08-31 00:07 28526 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2012-08-31 00:07 41016 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-03-17 22:04 . 2012-08-31 00:07 11034 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3313179747-164077108-3523984921-1001_UserData.bin
+ 2009-07-14 02:05 . 2012-08-28 21:51 37950 c:\windows\System32\perfc009.dat
- 2009-07-14 02:05 . 2012-08-25 03:58 37950 c:\windows\System32\perfc009.dat
- 2012-08-24 07:16 . 2012-08-28 02:44 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-08-24 07:16 . 2012-08-31 00:05 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-08-28 02:14 . 2012-08-28 02:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-31 00:05 . 2012-08-31 00:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-31 00:05 . 2012-08-31 00:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-28 02:14 . 2012-08-28 02:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:05 . 2012-08-25 03:58 308122 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2012-08-28 21:51 308122 c:\windows\System32\perfh009.dat
+ 2009-07-14 04:47 . 2012-08-30 03:34 432424 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:47 . 2012-08-28 02:13 432424 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2012-03-17 21:42 . 2012-08-28 02:44 5292032 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-03-17 21:42 . 2012-08-31 00:05 5292032 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:41 . 2012-08-28 02:44 10551296 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2012-08-31 00:05 10551296 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-03-18 05:23 . 2012-08-30 03:35 27014488 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3313179747-164077108-3523984921-1001-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 172568]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2012-03-07 3117344]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\Ardena Tejada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.361.0\BBSvc.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 esihdrv;esihdrv;c:\users\ARDENA~1\AppData\Local\Temp\esihdrv.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 OlmarikFixer;Olmarik fixer kernel-mode driver;c:\windows\system32\drivers\OlmarikFixer.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [x]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [x]
S3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.361.0\SeaPort.exe [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 00:37]
.
2012-08-24 c:\windows\Tasks\hpwebreg_xxxxxxxxxx.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\hpwebreg.exe [2010-11-17 02:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Ardena Tejada\AppData\Roaming\Mozilla\Firefox\Profiles\gehnh8tj.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: network.proxy.type - 0
FF - user.js: general.useragent.extra.brc - BRI/1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-52692104.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-30 18:45:17
ComboFix-quarantined-files.txt 2012-08-31 00:45
ComboFix2.txt 2012-08-28 03:38
.
Pre-Run: 184,236,462,080 bytes free
Post-Run: 183,965,839,360 bytes free
.
- - End Of File - - 7F4129148C3408D6B53344A6417CACF5


No notifications from Eset have popped up or anything virus related.

However, I would like to add that the security updates are not installing and tell me it failed every time I try to install them. Do you have any idea why?

Thank you.

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:52 PM

Posted 30 August 2012 - 08:15 PM

Greetings _Relolelo


Let me look into the update problem


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

  • Bing Bar
  • Bing Rewards Client Installer
  • Java™ 6 Update 31


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#11 _Relolelo

_Relolelo
  • Topic Starter

  • Members
  • 11 posts
  • Local time:11:52 AM

Posted 31 August 2012 - 01:32 AM

I uninstalled and installed the programs you told me to.

Here is the mbam log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.31.03

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Ardena Tejada :: OWNER-PC [administrator]

8/31/2012 12:15:20 AM
mbam-log-2012-08-31 (00-15-20).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 187737
Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


and here is the hjt log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:21:51 AM, on 8/31/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
C:\Users\Ardena Tejada\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

--
End of file - 6162 bytes


The computer is running fine, I can now connect to Google; however, I am just wondering why the security update for Windows 7 won't download the updates. That is my only concern now.

You have helped me so much man! thanks!

#12 _Relolelo (Topic Starter, Members, 11 posts)

Posted 31 August 2012 - 01:48 AM

I tried updating again but it didn't work.

This is the code I get for the error:

code 80246008

Hopefully, this helps you more than it will for me.

Thank you.

#13 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico)

Posted 31 August 2012 - 05:14 AM

I have uploaded a file and I want you to download it and run it; if it asks to merge, please allow it.



Restart the computer and check the updates

Attached Files


Edited by gringo_pr, 31 August 2012 - 05:15 AM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#14 _Relolelo (Topic Starter, Members, 11 posts)

Posted 01 September 2012 - 04:08 PM

I did what you told me to do. Ran it, updated, restarted, and everything is installed correctly.

Every problem I had has now officially disappeared.

I'm guessing now it's clean-up time?

Thank you so much gringo!!
:)

#15 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico)

Posted 01 September 2012 - 05:56 PM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; you can start any of them by clicking their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines here and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space, e.g.
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete:

  • If no threats were found
    • Put a checkmark in "Uninstall application on close"
    • Close the program
    • Report to me that nothing was found

  • If threats were found
    • Click on "list of threats found"
    • Click on "export to text file" and save it as ESET SCAN to the desktop
    • Click on Back
    • Put a checkmark in "Uninstall application on close"
    • Click on Finish
    • Close the program
    • Copy and paste the report here


Gringo
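The "Remove unneeded start-up entries" step above asks HijackThis to delete a handful of O4 entries, which are just values under the Run registry keys plus a shortcut in the user's Startup folder. The script below is an added example, not part of the original thread and not HijackThis or ESET code: it lists those same autostart locations in the O4 format HijackThis uses, so the output can be compared line by line against the posted log, and then removes a named set of entries. The names in the defaults are the ones the helper listed in this post; everything else (running on Windows 7 or later in an elevated PowerShell session, the Startup folder resolved via `[Environment]::GetFolderPath('Startup')`, the `-Apply` switch) is an assumption of this example. Without `-Apply` it only prints what it would delete.

```powershell
# Added example (not from the original thread, not HijackThis code).
# Assumes Windows 7+ and an elevated PowerShell session (HKLM writes need admin).
# Dry run by default: pass -Apply to actually delete the entries.

param(
    # Run-key value names to remove; defaults are the entries the helper posted.
    [string[]]$RemoveNames = @('IgfxTray', 'Zune Launcher', 'Adobe ARM',
                               'HP Software Update', 'SunJavaUpdateSched'),
    # Shortcut file names to remove from the user's Startup folder.
    [string[]]$RemoveStartupLinks = @('OpenOffice.org 3.3.lnk'),
    [switch]$Apply
)

$runKeys = @(
    @{ Tag = 'HKLM\..\Run'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Tag = 'HKCU\..\Run'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' }
)
$startupDir = [Environment]::GetFolderPath('Startup')

# 1. Inventory, printed as O4 lines so it can be compared with the HijackThis log.
foreach ($k in $runKeys) {
    if (-not (Test-Path $k.Path)) { continue }
    $props = Get-ItemProperty -Path $k.Path
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -like 'PS*') { continue }
        "O4 - $($k.Tag): [$($p.Name)] $($p.Value)"
    }
}
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startupDir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    "O4 - Startup: $($_.Name) = $target"
}

# 2. Removal. Like HijackThis "Fix checked", this only deletes the autostart value
#    or shortcut; the program stays installed and can still be started by hand.
$dryRun = -not $Apply
foreach ($k in $runKeys) {
    if (-not (Test-Path $k.Path)) { continue }
    foreach ($name in $RemoveNames) {
        $existing = Get-ItemProperty -Path $k.Path -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $existing) {
            Remove-ItemProperty -Path $k.Path -Name $name -WhatIf:$dryRun
        }
    }
}
foreach ($link in $RemoveStartupLinks) {
    $full = Join-Path $startupDir $link
    if (Test-Path $full) { Remove-Item -Path $full -WhatIf:$dryRun }
}
```

Run it once without `-Apply` and check that the `What if:` lines name exactly the entries you intended to drop before running it again with `-Apply`; the inventory section is also a quick way to confirm, after the fix, that the values are really gone and that nothing has re-added them on the next boot.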



