
syshost.exe and a rootkit infection


This topic is locked
14 replies to this topic

#1 UnnamedText

  • Members
  • 7 posts

Posted 29 August 2012 - 04:51 AM

Hi.
I seem to have contracted a rootkit of sorts. The symptoms are that Avira/Windows Defender, Windows Update, and Windows Firewall have all been disabled and cannot be turned back on. I have tried removing several copies of syshost.exe found with Malwarebytes, and while it at first seems to be successful, upon doing another scan at reboot they appear again. I realize I may have jumped the gun with this scan (along with a Spybot scan which turned up nothing), but I have not tried any other virus scanners since.
Although not consistent, occasionally I'll also receive an error for pcwum.dll when trying to open the task manager.


I also had a problem generating the GMER log. The error I get is when opening GMER. It reads
"LoadDriver("C:\Users\Home\AppData\Local\Temp\kxldipow.sys")
error 0xC0000001: A device attached to the system is not functioning."
It proceeds to open, but all options except "Services," "Registry," and "Files" are grayed out. I understand that this is not supposed to happen on a 32-bit OS.


DDS results:


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.5.0
Run by Home at 5:03:11 on 2012-08-29
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1245 [GMT -4:00]
.
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\lxducoms.exe
C:\Program Files\Mediafour\MacDrive 8\MacDrive8Service.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Winamp\winampa.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\Mediafour\MacDrive 8\MacDrive.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Users\Home\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\Home\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Home\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
BHO: CorePluginIEBHO Class: {13fa2453-9287-4f18-8554-976d7c02f4ee} - d:\program files\perfect world entertainment\core client\plugins\CorePluginIE.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [c:\program files\netmeter\netmeter.exe] c:\program files\netmeter\NetMeter.exe
uRun: [Google Update] "c:\users\home\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [AdobeBridge]
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe
mRun: [MacDrive 8 application] "c:\program files\mediafour\macdrive 8\MacDrive.exe"
mRun: [Getting started with MacDrive 8] "c:\program files\mediafour\macdrive 8\MDGetStarted.exe" /auto
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{B9783537-B3F4-4F44-A5C4-B4B7B80A1023} : DhcpNameServer = 75.75.75.75 75.75.76.76
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\home\appdata\roaming\mozilla\firefox\profiles\uw8c36q2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPDFusionWebFirefox.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\onlive\firefoxplugin\npolgdet.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\total immersion\dfusionhomewebplugin\NPDFusionWebFirefox.dll
FF - plugin: c:\users\home\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\users\home\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\home\appdata\roaming\mozilla\firefox\profiles\uw8c36q2.default\extensions\{000f1ea4-5e08-4564-a29b-29076f63a37a}\plugins\npsoe.dll
FF - plugin: c:\users\home\appdata\roaming\mozilla\firefox\profiles\uw8c36q2.default\extensions\{394dcba4-1f92-4f8e-8ec9-8d2cb90cb69b}\plugins\npLightshot.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - plugin: d:\program files\perfect world entertainment\core client\plugins\npCorePluginFF.dll
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.brc -
.
============= SERVICES / DRIVERS ===============
.
R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2010-5-18 232040]
R0 MDPMGRNT;MacDrive partition driver;c:\windows\system32\drivers\MDPMGRNT.SYS [2010-4-28 28512]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-21 36000]
R1 CBDisk;CBDisk;c:\windows\system32\drivers\CBDisk.sys [2011-1-6 57800]
R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [2012-3-17 3026]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-21 86224]
R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
R2 MacDrive8Service;MacDrive 8 service;c:\program files\mediafour\macdrive 8\MacDrive8Service.exe [2010-5-4 192512]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-9-27 240232]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-21 110032]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-21 83392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-11 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-8-29 232512]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-11 136176]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\drivers\mcvidrv.sys [2012-1-11 32000]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [2012-2-22 22400]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 113120]
.
=============== Created Last 30 ================
.
2012-08-29 08:50:38 -------- d-----w- c:\program files\HitmanPro
2012-08-29 08:50:30 -------- d-----w- c:\programdata\HitmanPro
2012-08-29 04:45:05 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-08-29 03:44:39 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-29 03:44:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-19 06:53:03 -------- d-----w- c:\program files\Speccy
2012-08-17 22:50:54 768512 ----a-w- c:\windows\system32\localspl.dll
2012-08-17 22:50:53 41472 ----a-w- c:\windows\system32\browcli.dll
2012-08-17 22:50:53 102912 ----a-w- c:\windows\system32\browser.dll
2012-08-10 07:15:05 -------- d-----w- c:\programdata\Ask
2012-08-10 02:32:24 -------- d-----w- c:\users\home\appdata\local\data
.
==================== Find3M ====================
.
2012-08-21 21:48:03 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-21 21:48:03 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-18 17:10:29 2344448 ----a-w- c:\windows\system32\win32k.sys
2012-06-27 06:03:21 981504 ----a-w- c:\windows\system32\wininet.dll
2012-06-27 06:01:19 44544 ----a-w- c:\windows\system32\licmgr10.dll
2012-06-27 04:53:25 386048 ----a-w- c:\windows\system32\html.iec
2012-06-27 04:19:51 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-14 22:26:02 772592 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-14 22:26:02 687600 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-06 05:09:46 1389568 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:09:46 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 04:51:16 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:51:16 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:50:00 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:48:35 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:47:31 219136 ----a-w- c:\windows\system32\ncrypt.dll
.
============= FINISH: 5:04:39.07 ===============
Edit: I realized my mistake. I'm posting attach and ark now.



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 5/1/2010 9:41:57 PM
System Uptime: 8/29/2012 5:01:02 AM (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | P31-S3G
Processor: Intel® Pentium® Dual CPU E2180 @ 2.00GHz | Socket 775 | 2000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 160 GiB total, 6.71 GiB free.
D: is FIXED (NTFS) - 772 GiB total, 9.179 GiB free.
E: is CDROM ()
G: is FIXED (NTFS) - 932 GiB total, 16.481 GiB free.
H: is FIXED (NTFS) - 932 GiB total, 16.086 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ssmdrv
Device ID: ROOT\LEGACY_SSMDRV\0000
Manufacturer:
Name: ssmdrv
PNP Device ID: ROOT\LEGACY_SSMDRV\0000
Service: ssmdrv
.
Class GUID: {4d36e97d-e325-11ce-bfc1-08002be10318}
Description: DAEMON Tools Virtual Bus
Device ID: ROOT\SYSTEM\0002
Manufacturer: DT Soft Ltd
Name: DAEMON Tools Virtual Bus
PNP Device ID: ROOT\SYSTEM\0002
Service: dtsoftbus01
.
==== System Restore Points ===================
.
RP923: 8/29/2012 12:45:08 AM - Device Driver Package Install: DT Soft Ltd System devices
RP924: 8/29/2012 2:02:57 AM - Device Driver Package Install: DT Soft Ltd System devices
RP925: 8/29/2012 2:27:59 AM - Device Driver Package Install: DT Soft Ltd System devices
.
==== Installed Programs ======================
.
µTorrent
7-Zip 9.20
AaAaAA!!! - A Reckless Disregard for Gravity
AC3File 0.7b
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Shockwave Player 11.6
AGwaK3
Another World 15th Anniversary Edition
Aquaria
ArmA 2 Free Uninstall
Armagetron Advanced 0.2.8.3.1.gcc
Audacity 1.3.12 (Unicode)
Auto Gordian Knot 2.55
Avira Free Antivirus
AviSynth 2.5
Back to the Future The Game - Episode 1
Bejeweled 2 Deluxe 1.1
Bejeweled 3
Bejeweled Twist 1.0.3.7482
BioShock
Black Shades (remove only)
Blacklight Retribution
Blacklight: Tango Down
Bloody Good Time
Capture The Dude (remove only)
Cardinal Quest
Carrier
Celestia 1.6.1
Chime
Clementine
Combined Community Codec Pack 2011-11-11
CopyTrans Suite Remove Only
CORE Client
CoreAVC Professional Edition (remove only)
D-Fend Reloaded 1.0.0 (deinstall)
DAEMON Tools Pro
Dev-C++ 5 beta 9 release (4.9.9.2)
DEVIL MAY CRY 4 TRIAL
Driver Sweeper version 2.5.0
Dual-Core Optimizer
Earth Defense Force Insect Armageddon
ESN Sonar
Fallout
Façade
ffdshow [rev 3154] [2009-12-09]
FileZilla Client 3.5.3
FiNCK 1.0
FlashFXP v3
Flight Control HD
Fraps
Future Pinball
Galactic Arms Race
GCFScape 1.8.2
Gear 10/30/2009 Build
Gear Full Circle 10/31/2010 Build
GLtron version 0.70
GoldWave v5.58
Google Chrome
Google Earth
Google SketchUp 8
Google Update Helper
Gotham City Impostors Beta
Gravitron 2
GridRunner Revolution
GTK2-Runtime
gXiso 1.5
Haali Media Splitter
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Episode One
Handbrake 0.9.4
HashCheck Shell Extension (x86-32)
Hedgewars, a free turn-based strategy game
I-Fluid
Ion Assault
Java Auto Updater
Java™ 7 Update 5
Jazz Jackrabbit 2
Just Cause 2
Killing Floor
LAME v3.98.2 for Audacity
Left 4 Dead
Left 4 Dead 2
Left 4 Dead 2 Add-on Support
Legend of Grimrock
MacDrive 8
Malwarebytes Anti-Malware version 1.62.0.1300
Media Player Classic - Home Cinema 1.6.1.4235
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft AppLocale
Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170)
Microsoft Flight
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Windows Application Compatibility Database
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
mIRC
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
mpowerplayer
My Game Long Name
MyPaint 0.8.2
Narbacular Drop version 1.4
Naval War: Arctic Circle Demo
Nero 8 Micro
NetMeter 1.1.4 BETA
Nitronic Rush (2011-11-11) version 20111111.0
Notepad++
NVIDIA Drivers
NVIDIA PhysX
NVIDIA PhysX Particle Fluid Demo
NVIDIA Stereoscopic 3D Driver
Oblivion
Oblivion - Construction Set
Oblivion - Horse Armor Pack
Oblivion - Knights of the Nine
Oblivion - Mehrunes Razor
Oblivion - Orrery
Oblivion - Spell Tomes
Oblivion - Thieves Den
Oblivion - Vile Lair
Oblivion - Wizard's Tower
Odamex 0.5.3
OnLive
OpenAL
OpenOffice.org 3.4
Opera 12.01
osu!
Paint.NET v3.5.5
Project64 1.6
Proun
PunkBuster Services
Puzzle Agent - The Mystery of Scoggins
QuickPar 0.9
RAD Video Tools
Rapture3D 2.4.4 Game
Rock of Ages
RollerCoaster Tycoon Deluxe
Söldner Secret Wars - Community Edition version 33900
SABnzbd (remove only)
Sculptris Alpha 6
ScummVM 1.5.0
SDFormatter
Section 8: Prejudice
Secure FTP 2.6.1
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
SecuROM Diagnostic Tool
Shatter
Ship
skidrow
Skulltag
SkyDrift
Soldat 1.5.0
Source SDK Base
Source SDK Base 2007
Space Giraffe
Speccy
Spybot - Search & Destroy
Steam
Stellarium 0.11.0
Streamripper (Remove only)
STREET FIGHTER IV BENCHMARK
Subtitle Workshop 2.51
SumatraPDF
Swarm Arena
swMSM
Tag - IGF Professional 2008
Team Fortress 2
TeamSpeak 3 Client
The Binding Of Isaac
The Ship
Tidalis Demo
TmUnitedForever Update 2010-03-15
Toki Tori 2
Total Immersion D'Fusion @Home Web Plug-In
Tread Marks
Tricky Truck 1.9992
UE3Redist
Unity Web Player
Unofficial Oblivion Patch v3.2.0
Unofficial Official Mods Patch v15
Unofficial Shivering Isles Patch v1.4.0
Unreal Tournament: Game of the Year Edition
VLC media player 2.0.1
VobSub v2.23 (Remove Only)
Vsk5Online
Walkie Tonky
Warsow 1.0
Winamp (remove only)
Windows Live ID Sign-in Assistant
WinHTTrack Website Copier 3.43-9C
winLAME 2010 beta 2
WinRAR archiver
XviD MPEG4 Video Codec (remove only)
Xvid Video Codec
You Have to Win the Game
YS FLIGHT SIMULATOR
Yu-Gi-Oh! Power of Chaos JOEY THE PASSION
Yu-Gi-Oh! Power of Chaos KAIBA THE REVENGE
Yu-Gi-Oh! Power of Chaos YUGI THE DESTINY
ZDaemon (remove only)
Zelda Classic 2.10w
Zen Bound® 2
Zip Motion Block Video codec (Remove Only)
ZScreen 4.8.1.2953
.
==== Event Viewer Messages From Past Week ========
.
8/29/2012 5:02:02 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
8/29/2012 5:02:02 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
8/29/2012 5:01:48 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
8/29/2012 5:01:46 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ssmdrv
8/29/2012 5:01:46 AM, Error: Service Control Manager [7024] - The Avira Realtime Protection service terminated with service-specific error A requested file lock operation cannot be processed due to an invalid byte range..
8/29/2012 5:01:20 AM, Error: Service Control Manager [7000] - The avgntflt service failed to start due to the following error: A device attached to the system is not functioning.
8/29/2012 5:00:16 AM, Error: Service Control Manager [7016] - The NVIDIA Display Driver Service service has reported an invalid current state 32.
8/29/2012 4:55:45 AM, Error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: A device attached to the system is not functioning.
8/29/2012 4:49:12 AM, Error: Service Control Manager [7000] - The kxldipow service failed to start due to the following error: A device attached to the system is not functioning.
8/29/2012 2:29:55 AM, Error: Microsoft-Windows-WMPNSS-Service [14356] - A media delivery engine with ID '0x80070057' was not initialized because RegisterDelegate() encountered error ''. Restart your computer, and then restart the WMPNetworkSvc service.
8/29/2012 2:29:55 AM, Error: Microsoft-Windows-WMPNSS-Service [14348] - A new media server was not initialized due to error '0x80070057'. Restart your computer, and then restart the WMPNetworkSvc service. If the problem persists, in Windows Media Player, turn off media sharing, and then turn it back on.
8/29/2012 2:29:55 AM, Error: Microsoft-Windows-WMPNSS-Service [14323] - Service 'WMPNetworkSvc' did not start correctly because MFCreateWMPMDEOpCenter encountered error '0x80070505'. If possible, reinstall Windows Media Player.
8/29/2012 2:29:52 AM, Error: Service Control Manager [7023] - The Software Protection service terminated with the following error: Access is denied.
8/29/2012 2:27:51 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sptd ssmdrv
8/29/2012 2:02:28 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
8/29/2012 2:02:27 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
8/29/2012 12:25:02 AM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: 490@01010004
8/28/2012 9:11:09 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
8/28/2012 11:23:13 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the syshost32 service to connect.
8/25/2012 2:23:45 AM, Error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).
8/23/2012 9:54:42 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
8/23/2012 9:54:42 PM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-29 05:29:40
Windows 6.1.7600
Running: gmer.exe


---- Services - GMER 1.0.15 ----

Service C:\SystemRoot\System32\Drivers\8817fd41e278a8bd.sys (*** hidden *** ) [BOOT] 8817fd41e278a8bd <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\8817fd41e278a8bd@ImagePath \SystemRoot\System32\Drivers\8817fd41e278a8bd.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\8817fd41e278a8bd@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\services\8817fd41e278a8bd@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\8817fd41e278a8bd@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\8817fd41e278a8bd@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\8817fd41e278a8bd@Tag 1
Reg HKLM\SYSTEM\CurrentControlSet\services\8817fd41e278a8bd@DisplayName syshost.exe
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000c55f79906
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC5 0x8B 0x0F 0xB0 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x09 0x1C 0x96 0x26 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x53 0x0F 0xE7 0x62 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x69 0xCB 0x77 0x76 ...
Reg HKLM\SYSTEM\ControlSet002\services\8817fd41e278a8bd@ImagePath \SystemRoot\System32\Drivers\8817fd41e278a8bd.sys
Reg HKLM\SYSTEM\ControlSet002\services\8817fd41e278a8bd@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\8817fd41e278a8bd@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\8817fd41e278a8bd@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\8817fd41e278a8bd@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\8817fd41e278a8bd@Tag 1
Reg HKLM\SYSTEM\ControlSet002\services\8817fd41e278a8bd@DisplayName syshost.exe
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000c55f79906 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC5 0x8B 0x0F 0xB0 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x09 0x1C 0x96 0x26 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x53 0x0F 0xE7 0x62 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x69 0xCB 0x77 0x76 ...

---- EOF - GMER 1.0.15 ----

Edited by UnnamedText, 29 August 2012 - 12:03 PM.
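The script below is an added example, not part of the original post and not a BleepingComputer or GMER tool. It runs the checks a responder would make on the logs above: the GMER "hidden" service line and the registry values under its service key (boot-start Type 1 driver, Start 0, group Boot Bus Extender, a 16-hex-digit name, a DisplayName of syshost.exe on a .sys image), the DDS mPolicies-system values showing UAC switched off, and the Service Control Manager events in which security drivers failed to load with "A device attached to the system is not functioning" (Win32 ERROR_GEN_FAILURE, which is what NTSTATUS 0xC0000001, the code in the GMER LoadDriver error, maps to). The sample input is constructed from excerpts of the thread's logs; the severity labels, the hex-name heuristic and the stem match between the driver's DisplayName and the syshost32 service name are the example's own heuristics, not something the thread establishes.

```python
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "severity indicator detail")

# Constructed sample: lines excerpted from the DDS, event-log and GMER output
# pasted earlier in this thread. A real run would read the saved .txt files.
SAMPLE_LOG = r"""
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
8/29/2012 5:01:20 AM, Error: Service Control Manager [7000] - The avgntflt service failed to start due to the following error: A device attached to the system is not functioning.
8/29/2012 4:55:45 AM, Error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: A device attached to the system is not functioning.
8/28/2012 11:23:13 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the syshost32 service to connect.
Service C:\SystemRoot\System32\Drivers\8817fd41e278a8bd.sys (*** hidden *** ) [BOOT] 8817fd41e278a8bd <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\services\8817fd41e278a8bd@ImagePath \SystemRoot\System32\Drivers\8817fd41e278a8bd.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\8817fd41e278a8bd@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\services\8817fd41e278a8bd@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\8817fd41e278a8bd@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\8817fd41e278a8bd@DisplayName syshost.exe
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
"""

RE_POLICY = re.compile(r"^mPolicies-system: (\w+) = (\d+)")
RE_EVENT = re.compile(r"Service Control Manager \[(\d+)\] - (.*)$")
RE_HIDDEN = re.compile(r"^Service (\S+) \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)")
RE_REG = re.compile(r"^Reg HKLM\\SYSTEM\\CurrentControlSet\\services\\([^\\@]+)@(\w+) (.*)$")
RE_HEXNAME = re.compile(r"^[0-9a-f]{16}$")  # heuristic: generated-looking service name
# Win32 ERROR_GEN_FAILURE text; NTSTATUS 0xC0000001 (STATUS_UNSUCCESSFUL), the code
# GMER reported for its own LoadDriver call, maps to this message.
GEN_FAILURE = "A device attached to the system is not functioning"


def stem(name):
    """Reduce a service or file name to a comparable stem: 'syshost.exe', 'syshost32' -> 'syshost'."""
    return re.sub(r"\d+$", "", name.lower().rsplit(".", 1)[0])


def triage(log_text):
    findings, events, hidden = [], [], {}
    services = defaultdict(dict)  # registry view: service name -> {value name: data}
    for line in log_text.splitlines():
        line = line.strip()
        m = RE_POLICY.match(line)
        if m:
            key, val = m.group(1), int(m.group(2))
            if key == "EnableLUA" and val == 0:
                findings.append(Finding("HIGH", "uac-disabled", "EnableLUA = 0: admin-session processes run fully elevated"))
            elif key == "ConsentPromptBehaviorAdmin" and val == 0:
                findings.append(Finding("MEDIUM", "uac-silent-elevate", "ConsentPromptBehaviorAdmin = 0: elevation without a prompt"))
            elif key == "PromptOnSecureDesktop" and val == 0:
                findings.append(Finding("LOW", "uac-no-secure-desktop", "PromptOnSecureDesktop = 0: prompts shown on the user desktop"))
            continue
        m = RE_HIDDEN.match(line)
        if m:
            hidden[m.group(3)] = m.group(1)  # service name -> image path GMER saw
            continue
        m = RE_REG.match(line)
        if m:
            services[m.group(1)][m.group(2)] = m.group(3)
            continue
        m = RE_EVENT.search(line)
        if m:
            events.append((int(m.group(1)), m.group(2)))

    flagged_stems = set()
    for name, v in services.items():
        reasons = []
        if name in hidden:
            reasons.append("hidden from the service list (GMER)")
        if v.get("Type") == "1" and v.get("Start") == "0":
            reasons.append("boot-start kernel driver (Type 1, Start 0, group %r)" % v.get("Group"))
        if RE_HEXNAME.match(name):
            reasons.append("16-hex-digit service name")
        disp, img = v.get("DisplayName", ""), v.get("ImagePath", "")
        if disp.lower().endswith(".exe") and img.lower().endswith(".sys"):
            reasons.append("DisplayName %r does not match driver image %r" % (disp, img))
        # a lone boot-start driver is normal; require concealment or two corroborating signs
        if name in hidden or len(reasons) >= 2:
            findings.append(Finding("HIGH" if name in hidden else "MEDIUM", "suspicious-driver:" + name, "; ".join(reasons)))
            if disp:
                flagged_stems.add(stem(disp))

    for event_id, text in events:
        if event_id == 7000 and GEN_FAILURE in text:
            svc = text.split(" service failed", 1)[0].replace("The ", "", 1)
            findings.append(Finding("HIGH", "driver-load-blocked:" + svc, "event 7000 with ERROR_GEN_FAILURE: driver image rejected at load time"))
        elif event_id == 7009:
            m = re.search(r"waiting for the (\S+) service to connect", text)
            if m and stem(m.group(1)) in flagged_stems:
                findings.append(Finding("MEDIUM", "related-service:" + m.group(1), "connect timeout for a service sharing a name stem with a flagged driver's DisplayName"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-6s %-40s %s" % (f.severity, f.indicator, f.detail))
```

The per-service rule deliberately does not fire on a boot-start driver alone, since MacDrive's MDFSYSNT and similar legitimate filters are also Type 1 / Start 0; it needs the GMER concealment flag or two corroborating signs. The ControlSet002 copies in the GMER output are ignored on purpose, because the active control set is the one the running kernel loaded from.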



#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 29 August 2012 - 09:27 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

Information and logs

In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 UnnamedText
  • Topic Starter
  • Members
  • 7 posts

Posted 29 August 2012 - 10:58 AM

Results of screen317's Security Check version 0.99.49
Windows 7 x86 (UAC is disabled!)
Out of date service pack!!
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Avira Desktop
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.62.0.1300
Java™ 7 Update 5
Java version out of Date!
Adobe Flash Player 11.4.402.265
Mozilla Firefox (14.0.1)
Google Chrome 21.0.1180.79
Google Chrome 21.0.1180.83
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avgnt.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````





ComboFix 12-08-28.03 - Home 08/29/2012 11:22:29.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1309 [GMT -4:00]
Running from: c:\users\Home\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\1964.lnk
c:\users\Home\7129675364eb20e566bcff43b0312185.jpg
c:\users\Home\AppData\Roaming\01545016.dat
c:\users\Home\AppData\Roaming\Love
c:\users\Home\AppData\Roaming\Love\mari0\mappacks\portal\2-4.txt
c:\users\Home\AppData\Roaming\Love\mari0\options.txt
c:\users\Home\AppData\Roaming\Love\not_tetris_2\highscoresA.txt
c:\users\Home\AppData\Roaming\Love\not_tetris_2\highscoresB.txt
c:\users\Home\AppData\Roaming\Love\not_tetris_2\options.txt
c:\users\Home\AppData\Roaming\Love\ortho_robot\save.txt
c:\users\Home\be1aa1df5f6a678e2b60762abea8fa4c65789e30_full.jpg
c:\windows\apppatch\AppLoc.exe
c:\windows\system32\tmpE0F7.tmp
c:\windows\system32\tmpE175.tmp
D:\install.exe
c:\windows\system32\drivers\8817fd41e278a8bd.sys . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_8817fd41e278a8bd
-------\Service_8817fd41e278a8bd
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-29 )))))))))))))))))))))))))))))))
.
.
2012-08-29 15:33 . 2012-08-29 15:33 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-08-29 15:33 . 2012-08-29 15:33 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2012-08-29 15:33 . 2012-08-29 15:33 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2012-08-29 15:33 . 2012-08-29 15:33 8646 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2012-08-29 15:33 . 2012-08-29 15:33 8613 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2012-08-29 15:31 . 2012-08-29 15:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-29 08:50 . 2012-08-29 08:50 -------- d-----w- c:\program files\HitmanPro
2012-08-29 08:50 . 2012-08-29 08:50 -------- d-----w- c:\programdata\HitmanPro
2012-08-29 04:45 . 2012-08-29 04:45 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-08-29 03:44 . 2012-08-29 03:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-29 03:44 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-29 03:24 . 2012-08-29 15:33 71296 ----a-w- c:\windows\system32\drivers\8817fd41e278a8bd.sys
2012-08-19 06:53 . 2012-08-19 06:53 -------- d-----w- c:\program files\Speccy
2012-08-17 22:50 . 2012-05-14 04:37 768512 ----a-w- c:\windows\system32\localspl.dll
2012-08-17 22:50 . 2012-07-04 21:23 41472 ----a-w- c:\windows\system32\browcli.dll
2012-08-17 22:50 . 2012-07-04 21:23 102912 ----a-w- c:\windows\system32\browser.dll
2012-08-10 07:15 . 2012-08-10 07:15 -------- d-----w- c:\programdata\Ask
2012-08-10 02:32 . 2012-08-10 02:51 -------- d-----w- c:\users\Home\AppData\Local\data
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-21 21:48 . 2012-06-14 22:23 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-21 21:48 . 2012-06-14 22:23 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-14 22:26 . 2012-03-17 16:42 772592 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-14 22:26 . 2010-05-02 02:55 687600 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-06 05:09 . 2012-07-11 17:05 1389568 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:09 . 2012-07-11 17:05 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-02 22:19 . 2012-06-21 16:01 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 16:01 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 16:01 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 16:01 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 16:01 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 16:01 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 16:01 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 16:01 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-21 16:01 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 04:51 . 2012-07-11 17:05 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:51 . 2012-07-11 17:05 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:50 . 2012-07-11 17:05 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:48 . 2012-07-11 17:05 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:47 . 2012-07-11 17:05 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-18 02:38 . 2011-03-27 22:44 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13FA2453-9287-4F18-8554-976D7C02F4EE}]
2011-08-25 21:04 47120 ----a-w- d:\program files\Perfect World Entertainment\CORE Client\plugins\CorePluginIE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2009-08-09 293888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-04-02 12288]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"MacDrive 8 application"="c:\program files\Mediafour\MacDrive 8\MacDrive.exe" [2010-05-25 289792]
"Getting started with MacDrive 8"="c:\program files\Mediafour\MacDrive 8\MDGetStarted.exe" [2010-05-25 175104]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-08 348664]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - CFCATCHME
*Deregistered* - CFcatchme
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 23:34]
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 23:34]
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1985814031-383517345-3186675581-1000Core.job
- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-29 23:34]
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1985814031-383517345-3186675581-1000UA.job
- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-29 23:34]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\uw8c36q2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - user.js: general.useragent.extra.brc -
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-MacDrive volume icons - (no file)
HKCU-Run-AdobeBridge - (no file)
AddRemove-ESN Sonar-0.70.0 - c:\program files\Battlelog Web Plugins\Sonar\esnsonar_uninstall.exe
AddRemove-PunkBusterSvc - d:\program files\Origin Games\Battlefield 3 Beta\pbsvc.exe
AddRemove-Ship - d:\program files\Steam\steamapps\username\UnInstall_Ship.exe
AddRemove-UDK-1182e56c-f480-4715-9127-790759b47233 - d:\program files\Steam\steamapps\common\q.u.b.e. demo\Binaries\UnSetup.exe
AddRemove-UDK-9d699309-1fb6-43dc-a812-bec1838acc94 - d:\program files\Steam\steamapps\common\q.u.b.e. demo\Binaries\UnSetup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1476)
c:\program files\Mediafour\MacDrive 8\MDVolumeIcons.dll
c:\program files\Mediafour\MacDrive 8\MACDRAPI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\windows\system32\taskhost.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\lxducoms.exe
c:\program files\Mediafour\MacDrive 8\MacDrive8Service.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\conhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-08-29 11:39:10 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-29 15:39
.
Pre-Run: 7,411,458,048 bytes free
Post-Run: 7,018,864,640 bytes free
.
- - End Of File - - F910F05FEC91931A01B23CAFEC4BA32B



I received the "Illegal operation attempted on a registry key that has been marked for deletion" for Avira's ipmgui.exe, but a reboot solved this.
The computer seems to be functioning normally now. Avira realtime protection can be enabled/disabled freely, Avira is able to update freely, Windows Defender, Firewall, and Update can be enabled/disabled freely. Task manager opens without any problems.
Everything seems like it was prior to infection, but I know looks can be deceiving. I'm particularly worried about the failure to delete 8817fd41e278a8bd.sys as GMER detected this as a rootkit and would appreciate any advice on what to do or steps I can take next to scan my PC for any other infections.

Edited by UnnamedText, 29 August 2012 - 12:23 PM.
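
What a responder would pull out of that ComboFix log, as an added example (not part of this thread and not ComboFix's own code): a short Python triage script over the report format shown above. It keys on the items the post above worries about: the hex-named driver under system32\drivers that ComboFix failed to delete, the Legacy_/Service_ keys of the same name that it did remove, the UAC policy values under policies\system, and the entry under LOCKED REGISTRY KEYS. The sample report inside the script is a constructed excerpt of the log above; the section banners and line formats are ComboFix's. The hex-name test and the severity labels are this example's heuristics, not anything ComboFix reports.

```python
"""Triage a ComboFix report for the indicators discussed in this thread.

Added example: not part of the thread and not ComboFix's own code. It reads the
report text ComboFix writes and pulls out what a responder looks at first. The
hex-name test (8+ hex characters before ".sys") and the severity labels are
this example's heuristics, not something ComboFix reports.
"""
import re

# Constructed excerpt of a ComboFix report: banners, line formats, the driver
# name and the registry values are copied from the log posted above.
SAMPLE_REPORT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\8817fd41e278a8bd.sys . . . . Failed to delete
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_8817fd41e278a8bd
-------\Service_8817fd41e278a8bd
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-29 )))))))))))))))))))))))))))))))
2012-08-29 03:44 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-29 03:24 . 2012-08-29 15:33 71296 ----a-w- c:\windows\system32\drivers\8817fd41e278a8bd.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
"""

HEXSYS = re.compile(r"([A-Za-z]:\\.*?\\([0-9A-Fa-f]{8,})\.sys)\b")  # random-looking driver name
FAILED = re.compile(r"^(.+?)(?:\s*\.)+\s*Failed to delete$")        # "<path> . . . . Failed to delete"
SERVICE = re.compile(r"^-+\\(?:Legacy|Service)_(\S+)$", re.I)       # "-------\Service_<name>"
REGKEY = re.compile(r"^\[(HK[^\]]+)\]$")                            # "[HKEY_...]"
POLICY = re.compile(r'^"([^"]+)"=\s*(-?\d+)')                       # '"EnableLUA"= 0 (0x0)'


def banner_name(line):
    """Section name for a ComboFix banner line such as '(((( Other Deletions ))))', else None."""
    if len(line) > 10 and line[0] in "(-" and line[-1] in ")-":
        return line.strip("()- ")
    return None


def triage(report):
    """Parse a ComboFix report into raw indicators plus (severity, message) findings."""
    r = {"hex_drivers": [], "failed_deletions": [], "removed_services": [],
         "policy": {}, "locked_keys": []}
    section = key = None  # current banner section and current registry key
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        name = banner_name(line)
        if name:
            section, key = name, None
            continue
        m = REGKEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = HEXSYS.search(line)  # any section: a hex-named .sys under any path
        if m and m.group(1).lower() not in r["hex_drivers"]:
            r["hex_drivers"].append(m.group(1).lower())
        m = FAILED.match(line)
        if m:
            r["failed_deletions"].append(m.group(1))
        m = SERVICE.match(line) if section == "Drivers/Services" else None
        if m:
            r["removed_services"].append(m.group(1))
        m = POLICY.match(line) if key and key.lower().endswith(r"\policies\system") else None
        if m:
            r["policy"][m.group(1)] = int(m.group(2))
        if section == "LOCKED REGISTRY KEYS" and key and line.startswith("@Denied"):
            r["locked_keys"].append((key, line))
    r["findings"] = findings(r)
    return r


def findings(r):
    """Rank the indicators: a surviving hex-named driver outranks a weakened policy."""
    out, services = [], {s.lower() for s in r["removed_services"]}
    for path in r["hex_drivers"]:
        msg = f"driver with a random-looking hex name: {path}"
        if path.rsplit("\\", 1)[-1][:-4] in services:
            msg += " (its Legacy_/Service_ keys were removed, so it had been installed as a service)"
        out.append(("high", msg))
    for path in r["failed_deletions"]:
        out.append(("high", f"ComboFix could not delete {path}: it is still on disk and can still load"))
    if r["policy"].get("EnableLUA") == 0:
        out.append(("medium", "EnableLUA=0: UAC is off, an admin user's processes all run fully elevated"))
    if r["policy"].get("ConsentPromptBehaviorAdmin") == 0:
        out.append(("low", "ConsentPromptBehaviorAdmin=0: elevation without any prompt"))
    for key, ace in r["locked_keys"]:
        out.append(("info", f"{key} is locked ({ace}); compare with a known-clean machine first"))
    return out


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_REPORT)["findings"]:
        print(f"[{sev}] {msg}")
```

Run it as a script to print the findings for the sample, or call triage() on the text of the report ComboFix produces. The locked PCW\Security entry is reported only as informational: the script cannot tell whether an ACL is the system's own default, so compare it with a known-clean machine of the same Windows version before treating it as an indicator.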


#4 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 August 2012 - 02:39 PM

Greetings UnnamedText

I want you to run these next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions; ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
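
TDSSKiller's report (one follows in the next post) starts by printing each physical disk's size and sector size and then its MBR partition table. Here is an added Python example, not part of this thread and not TDSSKiller's own code, that parses those lines and applies the checks a responder would otherwise do by hand: partitions that overlap or run past the end of the disk, a first partition that does not start at LBA 63 or 2048, and the size of the unpartitioned tail after the last partition, sectors that no file-system scan ever reads and that are therefore worth a raw look when a rootkit is suspected. The sample lines are copied from the log in the next post (Harddisk2 is left out); the 63/2048 starts and the one-cylinder threshold are this example's heuristics.

```python
"""Sanity-check the disk layout section of a TDSSKiller report.

Added example: not part of the thread and not TDSSKiller's own code. It parses
the "Drive ... - Size: ..., SectorSize: ..." and "...\PartitionN: MBR, Type,
StartLBA, BlocksNum" lines and checks, per disk, for overlapping partitions,
partitions running past the end of the disk, an unusual first-partition start,
and the size of the unpartitioned tail after the last partition (sectors no
file-system scan ever reads). The thresholds are this example's heuristics.
"""
import re

# Sample lines copied from the TDSSKiller log posted below (Harddisk2 left out).
SAMPLE = r"""
16:54:11.0945 4868 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0CADE00 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
16:54:11.0945 4868 Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
16:54:11.0945 4868 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x13FFD5D7
16:54:11.0945 4868 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x13FFD616, BlocksNum 0x607083AB
16:54:11.0945 4868 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74705982
"""

DRIVE = re.compile(r"Drive (\\Device\\Harddisk\d+\\DR\d+) - Size: 0x([0-9A-Fa-f]+).*?SectorSize: 0x([0-9A-Fa-f]+)")
PART = re.compile(r"(\\Device\\Harddisk\d+\\DR\d+)\\Partition(\d+): MBR, Type 0x([0-9A-Fa-f]+), "
                  r"StartLBA 0x([0-9A-Fa-f]+), BlocksNum 0x([0-9A-Fa-f]+)")

CYLINDER = 63 * 255        # sectors in one legacy CHS cylinder; slack beyond this is not rounding
USUAL_STARTS = (63, 2048)  # CHS-era and 1 MiB-aligned first-partition starts


def parse_layout(text):
    """Return {disk: {"sectors", "sector_size", "parts": [...]}} from TDSSKiller report lines."""
    disks = {}
    for line in text.splitlines():
        m = DRIVE.search(line)
        if m:
            size, ssz = int(m.group(2), 16), int(m.group(3), 16)
            disks[m.group(1)] = {"sectors": size // ssz, "sector_size": ssz, "parts": []}
            continue
        m = PART.search(line)
        if m:  # a partition line may precede its drive line; default to 512-byte sectors
            disk = disks.setdefault(m.group(1), {"sectors": None, "sector_size": 512, "parts": []})
            disk["parts"].append({"n": int(m.group(2)), "type": int(m.group(3), 16),
                                  "start": int(m.group(4), 16), "len": int(m.group(5), 16)})
    return disks


def check_disk(disk):
    """Return {"issues": [...], "tail_sectors": n, "tail_bytes": n} for one parsed disk."""
    issues = []
    parts = sorted(disk["parts"], key=lambda p: p["start"])
    total = disk["sectors"]
    end_of_used = 1  # LBA 0 holds the MBR; partitions must start after it
    for p in parts:
        end = p["start"] + p["len"]
        if p["start"] < end_of_used:
            issues.append(f"partition {p['n']} overlaps the MBR or an earlier partition")
        if total is not None and end > total:
            issues.append(f"partition {p['n']} ends {end - total} sectors past the end of the disk")
        end_of_used = max(end_of_used, end)
    if parts and parts[0]["start"] not in USUAL_STARTS:
        issues.append(f"first partition starts at LBA {parts[0]['start']}, not 63 or 2048")
    tail = total - end_of_used if total is not None and total > end_of_used else 0
    if tail > CYLINDER:
        issues.append(f"{tail} unpartitioned sectors after the last partition: inspect them")
    return {"issues": issues, "tail_sectors": tail, "tail_bytes": tail * disk["sector_size"]}


if __name__ == "__main__":
    for name, disk in parse_layout(SAMPLE).items():
        res = check_disk(disk)
        print(name, f"tail={res['tail_sectors']} sectors ({res['tail_bytes']} bytes)", res["issues"] or "ok")
```

For the disks in that log the partitions are contiguous and the tails are 2990 and 5103 sectors (about 1.5 MB and 2.5 MB), which is within what cylinder rounding leaves; a tail of tens of megabytes, or a partition table that changes between two runs, is what should prompt a raw sector dump of that region.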

#5 UnnamedText
  • Topic Starter
  • Members
  • 7 posts

Posted 29 August 2012 - 04:18 PM

TDSSKiller ran without problems.

16:54:08.0856 4868 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
16:54:10.0354 4868 ============================================================
16:54:10.0354 4868 Current date / time: 2012/08/29 16:54:10.0354
16:54:10.0354 4868 SystemInfo:
16:54:10.0354 4868
16:54:10.0354 4868 OS Version: 6.1.7600 ServicePack: 0.0
16:54:10.0354 4868 Product type: Workstation
16:54:10.0354 4868 ComputerName: HOME-PC
16:54:10.0354 4868 UserName: Home
16:54:10.0354 4868 Windows directory: C:\Windows
16:54:10.0354 4868 System windows directory: C:\Windows
16:54:10.0354 4868 Processor architecture: Intel x86
16:54:10.0354 4868 Number of processors: 2
16:54:10.0354 4868 Page size: 0x1000
16:54:10.0354 4868 Boot type: Normal boot
16:54:10.0354 4868 ============================================================
16:54:11.0945 4868 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0CADE00 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
16:54:11.0945 4868 Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
16:54:11.0945 4868 Drive \Device\Harddisk2\DR2 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
16:54:11.0945 4868 ============================================================
16:54:11.0945 4868 \Device\Harddisk0\DR0:
16:54:11.0945 4868 MBR partitions:
16:54:11.0945 4868 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x13FFD5D7
16:54:11.0945 4868 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x13FFD616, BlocksNum 0x607083AB
16:54:11.0945 4868 \Device\Harddisk1\DR1:
16:54:11.0945 4868 MBR partitions:
16:54:11.0945 4868 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74705982
16:54:11.0945 4868 \Device\Harddisk2\DR2:
16:54:11.0945 4868 MBR partitions:
16:54:11.0945 4868 \Device\Harddisk2\DR2\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x74705800
16:54:11.0945 4868 ============================================================
16:54:11.0945 4868 C: <-> \Device\Harddisk0\DR0\Partition1
16:54:11.0976 4868 D: <-> \Device\Harddisk0\DR0\Partition2
16:54:11.0992 4868 H: <-> \Device\Harddisk2\DR2\Partition1
16:54:12.0070 4868 G: <-> \Device\Harddisk1\DR1\Partition1
16:54:12.0070 4868 ============================================================
16:54:12.0070 4868 Initialize success
16:54:12.0070 4868 ============================================================
16:54:21.0461 2432 ============================================================
16:54:21.0461 2432 Scan started
16:54:21.0461 2432 Mode: Manual;
16:54:21.0461 2432 ============================================================
16:54:21.0851 2432 ================ Scan system memory ========================
16:54:21.0851 2432 System memory - ok
16:54:21.0851 2432 ================ Scan services =============================
16:54:21.0960 2432 [ 6D2ACA41739BFE8CB86EE8E85F29697D ] 1394ohci C:\Windows\system32\DRIVERS\1394ohci.sys
16:54:21.0976 2432 1394ohci - ok
16:54:22.0007 2432 [ F0E07D144C8685B8774BC32FC8DA4DF0 ] ACPI C:\Windows\system32\DRIVERS\ACPI.sys
16:54:22.0007 2432 ACPI - ok
16:54:22.0023 2432 [ 98D81CA942D19F7D9153B095162AC013 ] AcpiPmi C:\Windows\system32\DRIVERS\acpipmi.sys
16:54:22.0038 2432 AcpiPmi - ok
16:54:22.0085 2432 [ 21E785EBD7DC90A06391141AAC7892FB ] adp94xx C:\Windows\system32\DRIVERS\adp94xx.sys
16:54:22.0116 2432 adp94xx - ok
16:54:22.0132 2432 [ 0C676BC278D5B59FF5ABD57BBE9123F2 ] adpahci C:\Windows\system32\DRIVERS\adpahci.sys
16:54:22.0147 2432 adpahci - ok
16:54:22.0163 2432 [ 7C7B5EE4B7B822EC85321FE23A27DB33 ] adpu320 C:\Windows\system32\DRIVERS\adpu320.sys
16:54:22.0194 2432 adpu320 - ok
16:54:22.0225 2432 [ 8B5EEFEEC1E6D1A72A06C526628AD161 ] AeLookupSvc C:\Windows\System32\aelupsvc.dll
16:54:22.0241 2432 AeLookupSvc - ok
16:54:22.0288 2432 [ 0DB7A48388D54D154EBEC120461A0FCD ] AFD C:\Windows\system32\drivers\afd.sys
16:54:22.0319 2432 AFD - ok
16:54:22.0350 2432 [ 507812C3054C21CEF746B6EE3D04DD6E ] agp440 C:\Windows\system32\DRIVERS\agp440.sys
16:54:22.0381 2432 agp440 - ok
16:54:22.0397 2432 [ 8B30250D573A8F6B4BD23195160D8707 ] aic78xx C:\Windows\system32\DRIVERS\djsvs.sys
16:54:22.0413 2432 aic78xx - ok
16:54:22.0428 2432 [ 18A54E132947CD98FEA9ACCC57F98F13 ] ALG C:\Windows\System32\alg.exe
16:54:22.0428 2432 ALG - ok
16:54:22.0444 2432 [ 0D40BCF52EA90FC7DF2AEAB6503DEA44 ] aliide C:\Windows\system32\DRIVERS\aliide.sys
16:54:22.0475 2432 aliide - ok
16:54:22.0491 2432 [ 3C6600A0696E90A463771C7422E23AB5 ] amdagp C:\Windows\system32\DRIVERS\amdagp.sys
16:54:22.0491 2432 amdagp - ok
16:54:22.0506 2432 [ CD5914170297126B6266860198D1D4F0 ] amdide C:\Windows\system32\DRIVERS\amdide.sys
16:54:22.0522 2432 amdide - ok
16:54:22.0537 2432 [ 00DDA200D71BAC534BF56A9DB5DFD666 ] AmdK8 C:\Windows\system32\DRIVERS\amdk8.sys
16:54:22.0569 2432 AmdK8 - ok
16:54:22.0615 2432 [ AD8FA28D8ED0D0A689A0559085CE0F18 ] AmdLLD C:\Windows\system32\DRIVERS\AmdLLD.sys
16:54:22.0631 2432 AmdLLD - ok
16:54:22.0647 2432 [ 3CBF30F5370FDA40DD3E87DF38EA53B6 ] AmdPPM C:\Windows\system32\DRIVERS\amdppm.sys
16:54:22.0662 2432 AmdPPM - ok
16:54:22.0678 2432 [ 2101A86C25C154F8314B24EF49D7FBC2 ] amdsata C:\Windows\system32\DRIVERS\amdsata.sys
16:54:22.0693 2432 amdsata - ok
16:54:22.0725 2432 [ EA43AF0C423FF267355F74E7A53BDABA ] amdsbs C:\Windows\system32\DRIVERS\amdsbs.sys
16:54:22.0740 2432 amdsbs - ok
16:54:22.0771 2432 [ B81C2B5616F6420A9941EA093A92B150 ] amdxata C:\Windows\system32\DRIVERS\amdxata.sys
16:54:22.0787 2432 amdxata - ok
16:54:22.0881 2432 [ 0A1CC583E8147004E4AD4625D7FBF88C ] AntiVirSchedulerService C:\Program Files\Avira\AntiVir Desktop\sched.exe
16:54:22.0881 2432 AntiVirSchedulerService - ok
16:54:22.0927 2432 [ C9A36EF935ACED86AEDF93E97E606911 ] AntiVirService C:\Program Files\Avira\AntiVir Desktop\avguard.exe
16:54:22.0927 2432 AntiVirService - ok
16:54:22.0927 2432 [ FEB834C02CE1E84B6A38F953CA067706 ] AppID C:\Windows\system32\drivers\appid.sys
16:54:22.0943 2432 AppID - ok
16:54:22.0990 2432 [ 62A9C86CB6085E20DB4823E4E97826F5 ] AppIDSvc C:\Windows\System32\appidsvc.dll
16:54:22.0990 2432 AppIDSvc - ok
16:54:23.0005 2432 [ 7DEAD9E3F65DCB2794F2711003BBF650 ] Appinfo C:\Windows\System32\appinfo.dll
16:54:23.0037 2432 Appinfo - ok
16:54:23.0068 2432 [ A45D184DF6A8803DA13A0B329517A64A ] AppMgmt C:\Windows\System32\appmgmts.dll
16:54:23.0068 2432 AppMgmt - ok
16:54:23.0099 2432 [ 2932004F49677BD84DBC72EDB754FFB3 ] arc C:\Windows\system32\DRIVERS\arc.sys
16:54:23.0099 2432 arc - ok
16:54:23.0130 2432 [ 5D6F36C46FD283AE1B57BD2E9FEB0BC7 ] arcsas C:\Windows\system32\DRIVERS\arcsas.sys
16:54:23.0161 2432 arcsas - ok
16:54:23.0271 2432 [ 776ACEFA0CA9DF0FAA51A5FB2F435705 ] aspnet_state C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
16:54:23.0271 2432 aspnet_state - ok
16:54:23.0302 2432 [ ADD2ADE1C2B285AB8378D2DAAF991481 ] AsyncMac C:\Windows\system32\DRIVERS\asyncmac.sys
16:54:23.0317 2432 AsyncMac - ok
16:54:23.0333 2432 [ 338C86357871C167A96AB976519BF59E ] atapi C:\Windows\system32\DRIVERS\atapi.sys
16:54:23.0333 2432 atapi - ok
16:54:23.0380 2432 [ F0D933B42CD0594048E4D5200AE9E417 ] atksgt C:\Windows\system32\DRIVERS\atksgt.sys
16:54:23.0411 2432 atksgt - ok
16:54:23.0442 2432 [ 510C873BFA135AA829F4180352772734 ] AudioEndpointBuilder C:\Windows\System32\Audiosrv.dll
16:54:23.0458 2432 AudioEndpointBuilder - ok
16:54:23.0458 2432 [ 510C873BFA135AA829F4180352772734 ] Audiosrv C:\Windows\System32\Audiosrv.dll
16:54:23.0473 2432 Audiosrv - ok
16:54:23.0489 2432 [ D5541F0AFB767E85FC412FC609D96A74 ] avgntflt C:\Windows\system32\DRIVERS\avgntflt.sys
16:54:23.0489 2432 avgntflt - ok
16:54:23.0536 2432 [ 7D967A682D4694DF7FA57D63A2DB01FE ] avipbb C:\Windows\system32\DRIVERS\avipbb.sys
16:54:23.0551 2432 avipbb - ok
16:54:23.0567 2432 [ 271CFD1A989209B1964E24D969552BF7 ] avkmgr C:\Windows\system32\DRIVERS\avkmgr.sys
16:54:23.0583 2432 avkmgr - ok
16:54:23.0629 2432 [ DD6A431B43E34B91A767D1CE33728175 ] AxInstSV C:\Windows\System32\AxInstSV.dll
16:54:23.0661 2432 AxInstSV - ok
16:54:23.0692 2432 [ 1A231ABEC60FD316EC54C66715543CEC ] b06bdrv C:\Windows\system32\DRIVERS\bxvbdx.sys
16:54:23.0707 2432 b06bdrv - ok
16:54:23.0739 2432 [ BD8869EB9CDE6BBE4508D869929869EE ] b57nd60x C:\Windows\system32\DRIVERS\b57nd60x.sys
16:54:23.0754 2432 b57nd60x - ok
16:54:23.0770 2432 [ EE1E9C3BB8228AE423DD38DB69128E71 ] BDESVC C:\Windows\System32\bdesvc.dll
16:54:23.0770 2432 BDESVC - ok
16:54:23.0785 2432 [ 505506526A9D467307B3C393DEDAF858 ] Beep C:\Windows\system32\drivers\Beep.sys
16:54:23.0801 2432 Beep - ok
16:54:23.0832 2432 [ 85AC71C045CEB054ED48A7841AAE0C11 ] BFE C:\Windows\System32\bfe.dll
16:54:23.0832 2432 BFE - ok
16:54:23.0863 2432 [ 53F476476F55A27F580661BDE09C4EC4 ] BITS C:\Windows\system32\qmgr.dll
16:54:23.0879 2432 BITS - ok
16:54:23.0895 2432 [ 2287078ED48FCFC477B05B20CF38F36F ] blbdrive C:\Windows\system32\DRIVERS\blbdrive.sys
16:54:23.0910 2432 blbdrive - ok
16:54:23.0957 2432 [ 9A5C671B7FBAE4865149BB11F59B91B2 ] bowser C:\Windows\system32\DRIVERS\bowser.sys
16:54:23.0973 2432 bowser - ok
16:54:24.0004 2432 [ 9F9ACC7F7CCDE8A15C282D3F88B43309 ] BrFiltLo C:\Windows\system32\DRIVERS\BrFiltLo.sys
16:54:24.0004 2432 BrFiltLo - ok
16:54:24.0019 2432 [ 56801AD62213A41F6497F96DEE83755A ] BrFiltUp C:\Windows\system32\DRIVERS\BrFiltUp.sys
16:54:24.0035 2432 BrFiltUp - ok
16:54:24.0051 2432 [ 77361D72A04F18809D0EFB6CCEB74D4B ] BridgeMP C:\Windows\system32\DRIVERS\bridge.sys
16:54:24.0082 2432 BridgeMP - ok
16:54:24.0113 2432 [ A0E691DC6589D4D2CBE373171D1A49E5 ] Browser C:\Windows\System32\browser.dll
16:54:24.0113 2432 Browser - ok
16:54:24.0144 2432 [ 845B8CE732E67F3B4133164868C666EA ] Brserid C:\Windows\System32\Drivers\Brserid.sys
16:54:24.0160 2432 Brserid - ok
16:54:24.0175 2432 [ 203F0B1E73ADADBBB7B7B1FABD901F6B ] BrSerWdm C:\Windows\System32\Drivers\BrSerWdm.sys
16:54:24.0191 2432 BrSerWdm - ok
16:54:24.0222 2432 [ BD456606156BA17E60A04E18016AE54B ] BrUsbMdm C:\Windows\System32\Drivers\BrUsbMdm.sys
16:54:24.0238 2432 BrUsbMdm - ok
16:54:24.0253 2432 [ AF72ED54503F717A43268B3CC5FAEC2E ] BrUsbSer C:\Windows\System32\Drivers\BrUsbSer.sys
16:54:24.0285 2432 BrUsbSer - ok
16:54:24.0331 2432 [ 2865A5C8E98C70C605F417908CEBB3A4 ] BthEnum C:\Windows\system32\drivers\BthEnum.sys
16:54:24.0331 2432 BthEnum - ok
16:54:24.0347 2432 [ ED3DF7C56CE0084EB2034432FC56565A ] BTHMODEM C:\Windows\system32\DRIVERS\bthmodem.sys
16:54:24.0363 2432 BTHMODEM - ok
16:54:24.0394 2432 [ AD1872E5829E8A2C3B5B4B641C3EAB0E ] BthPan C:\Windows\system32\DRIVERS\bthpan.sys
16:54:24.0409 2432 BthPan - ok
16:54:24.0441 2432 [ 88059FF1DED4472ACD17EEBABD393069 ] BTHPORT C:\Windows\System32\Drivers\BTHport.sys
16:54:24.0456 2432 BTHPORT - ok
16:54:24.0487 2432 [ 1DF19C96EEF6C29D1C3E1A8678E07190 ] bthserv C:\Windows\system32\bthserv.dll
16:54:24.0503 2432 bthserv - ok
16:54:24.0534 2432 [ 80E6384BEEC03B8BD45EDEA29802D657 ] BTHUSB C:\Windows\System32\Drivers\BTHUSB.sys
16:54:24.0550 2432 BTHUSB - ok
16:54:24.0643 2432 catchme - ok
16:54:24.0690 2432 [ 93C568904E116607DF2389907A9D8899 ] CBDisk C:\Windows\system32\drivers\CBDisk.sys
16:54:24.0706 2432 CBDisk - ok
16:54:24.0721 2432 [ 77EA11B065E0A8AB902D78145CA51E10 ] cdfs C:\Windows\system32\DRIVERS\cdfs.sys
16:54:24.0753 2432 cdfs - ok
16:54:24.0784 2432 [ BA6E70AA0E6091BC39DE29477D866A77 ] cdrom C:\Windows\system32\DRIVERS\cdrom.sys
16:54:24.0799 2432 cdrom - ok
16:54:24.0815 2432 [ 628A9E30EC5E18DD5DE6BE4DBDC12198 ] CertPropSvc C:\Windows\System32\certprop.dll
16:54:24.0831 2432 CertPropSvc - ok
16:54:24.0831 2432 CFcatchme - ok
16:54:24.0862 2432 [ 3FE3FE94A34DF6FB06E6418D0F6A0060 ] circlass C:\Windows\system32\DRIVERS\circlass.sys
16:54:24.0877 2432 circlass - ok
16:54:24.0893 2432 [ 635181E0E9BBF16871BF5380D71DB02D ] CLFS C:\Windows\system32\CLFS.sys
16:54:24.0924 2432 CLFS - ok
16:54:24.0987 2432 [ D88040F816FDA31C3B466F0FA0918F29 ] clr_optimization_v2.0.50727_32 C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
16:54:24.0987 2432 clr_optimization_v2.0.50727_32 - ok
16:54:25.0033 2432 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
16:54:25.0049 2432 clr_optimization_v4.0.30319_32 - ok
16:54:25.0080 2432 [ DEA805815E587DAD1DD2C502220B5616 ] CmBatt C:\Windows\system32\DRIVERS\CmBatt.sys
16:54:25.0096 2432 CmBatt - ok
16:54:25.0111 2432 [ C537B1DB64D495B9B4717B4D6D9EDBF2 ] cmdide C:\Windows\system32\DRIVERS\cmdide.sys
16:54:25.0111 2432 cmdide - ok
16:54:25.0158 2432 [ DB5E008B3744DD60C8498CBBF2A1CFA6 ] CNG C:\Windows\system32\Drivers\cng.sys
16:54:25.0174 2432 CNG - ok
16:54:25.0189 2432 [ A6023D3823C37043986713F118A89BEE ] Compbatt C:\Windows\system32\DRIVERS\compbatt.sys
16:54:25.0221 2432 Compbatt - ok
16:54:25.0236 2432 [ F1724BA27E97D627F808FB0BA77A28A6 ] CompositeBus C:\Windows\system32\DRIVERS\CompositeBus.sys
16:54:25.0252 2432 CompositeBus - ok
16:54:25.0267 2432 COMSysApp - ok
16:54:25.0283 2432 [ 2C4EBCFC84A9B44F209DFF6C6E6C61D1 ] crcdisk C:\Windows\system32\DRIVERS\crcdisk.sys
16:54:25.0299 2432 crcdisk - ok
16:54:25.0330 2432 [ 520A108A2657F4BCA7FCED9CA7D885DE ] CryptSvc C:\Windows\system32\cryptsvc.dll
16:54:25.0330 2432 CryptSvc - ok
16:54:25.0361 2432 [ 27C9490BDD0AE48911AB8CF1932591ED ] CSC C:\Windows\system32\drivers\csc.sys
16:54:25.0392 2432 CSC - ok
16:54:25.0439 2432 [ 56FB5F222EA30D3D3FC459879772CB73 ] CscService C:\Windows\System32\cscsvc.dll
16:54:25.0439 2432 CscService - ok
16:54:36.0796 2432 [ 3E461D890A97F9D4C168F5FDA36E1D00 ] tunnel C:\Windows\system32\DRIVERS\tunnel.sys
16:54:36.0796 2432 tunnel - ok
16:54:36.0811 2432 [ 750FBCB269F4D7DD2E420C56B795DB6D ] uagp35 C:\Windows\system32\DRIVERS\uagp35.sys
16:54:36.0827 2432 uagp35 - ok
16:54:36.0858 2432 [ 09CC3E16F8E5EE7168E01CF8FCBE061A ] udfs C:\Windows\system32\DRIVERS\udfs.sys
16:54:36.0874 2432 udfs - ok
16:54:36.0905 2432 [ 8344FD4FCE927880AA1AA7681D4927E5 ] UI0Detect C:\Windows\system32\UI0Detect.exe
16:54:36.0921 2432 UI0Detect - ok
16:54:36.0936 2432 [ 44E8048ACE47BEFBFDC2E9BE4CBC8880 ] uliagpkx C:\Windows\system32\DRIVERS\uliagpkx.sys
16:54:36.0952 2432 uliagpkx - ok
16:54:36.0952 2432 [ 049B3A50B3D646BAEEEE9EEC9B0668DC ] umbus C:\Windows\system32\DRIVERS\umbus.sys
16:54:36.0967 2432 umbus - ok
16:54:36.0983 2432 [ 7550AD0C6998BA1CB4843E920EE0FEAC ] UmPass C:\Windows\system32\DRIVERS\umpass.sys
16:54:36.0999 2432 UmPass - ok
16:54:37.0030 2432 [ 8ECACA5454844F66386F7BE4AE0D7CD1 ] UmRdpService C:\Windows\System32\umrdp.dll
16:54:37.0061 2432 UmRdpService - ok
16:54:37.0092 2432 [ 833FBB672460EFCE8011D262175FAD33 ] upnphost C:\Windows\System32\upnphost.dll
16:54:37.0108 2432 upnphost - ok
16:54:37.0155 2432 [ 2436A42AAB4AD48A9B714E5B0F344627 ] usbaudio C:\Windows\system32\drivers\usbaudio.sys
16:54:37.0170 2432 usbaudio - ok
16:54:37.0186 2432 [ 8455C4ED038EFD09E99327F9D2D48FFA ] usbccgp C:\Windows\system32\DRIVERS\usbccgp.sys
16:54:37.0201 2432 usbccgp - ok
16:54:37.0233 2432 [ 04EC7CEC62EC3B6D9354EEE93327FC82 ] usbcir C:\Windows\system32\DRIVERS\usbcir.sys
16:54:37.0248 2432 usbcir - ok
16:54:37.0264 2432 [ 1C333BFD60F2FED2C7AD5DAF533CB742 ] usbehci C:\Windows\system32\DRIVERS\usbehci.sys
16:54:37.0279 2432 usbehci - ok
16:54:37.0295 2432 [ EE6EF93CCFA94FAE8C6AB298273D8AE2 ] usbhub C:\Windows\system32\DRIVERS\usbhub.sys
16:54:37.0342 2432 usbhub - ok
16:54:37.0357 2432 [ A6FB7957EA7AFB1165991E54CE934B74 ] usbohci C:\Windows\system32\DRIVERS\usbohci.sys
16:54:37.0373 2432 usbohci - ok
16:54:37.0389 2432 [ 797D862FE0875E75C7CC4C1AD7B30252 ] usbprint C:\Windows\system32\DRIVERS\usbprint.sys
16:54:37.0420 2432 usbprint - ok
16:54:37.0435 2432 [ D8889D56E0D27E57ED4591837FE71D27 ] USBSTOR C:\Windows\system32\DRIVERS\USBSTOR.SYS
16:54:37.0451 2432 USBSTOR - ok
16:54:37.0451 2432 [ 78780C3EBCE17405B1CCD07A3A8A7D72 ] usbuhci C:\Windows\system32\DRIVERS\usbuhci.sys
16:54:37.0482 2432 usbuhci - ok
16:54:37.0513 2432 [ F642A7E4BF78CFA359CCA0A3557C28D7 ] usbvideo C:\Windows\system32\Drivers\usbvideo.sys
16:54:37.0529 2432 usbvideo - ok
16:54:37.0576 2432 [ D82F43D15FDAA666856C0190CB73E7C9 ] usb_rndisx C:\Windows\system32\DRIVERS\usb8023x.sys
16:54:37.0576 2432 usb_rndisx - ok
16:54:37.0591 2432 [ 081E6E1C91AEC36758902A9F727CD23C ] UxSms C:\Windows\System32\uxsms.dll
16:54:37.0607 2432 UxSms - ok
16:54:37.0623 2432 [ C2243FF9E9AAD0C30E8B1A0914DA15B6 ] VaultSvc C:\Windows\system32\lsass.exe
16:54:37.0623 2432 VaultSvc - ok
16:54:37.0638 2432 [ A059C4C3EDB09E07D21A8E5C0AABD3CB ] vdrvroot C:\Windows\system32\DRIVERS\vdrvroot.sys
16:54:37.0638 2432 vdrvroot - ok
16:54:37.0654 2432 [ 8C4E7C49D3641BC9E299E466A7F8867D ] vds C:\Windows\System32\vds.exe
16:54:37.0685 2432 vds - ok
16:54:37.0701 2432 [ 17C408214EA61696CEC9C66E388B14F3 ] vga C:\Windows\system32\DRIVERS\vgapnp.sys
16:54:37.0716 2432 vga - ok
16:54:37.0747 2432 [ 8E38096AD5C8570A6F1570A61E251561 ] VgaSave C:\Windows\System32\drivers\vga.sys
16:54:37.0747 2432 VgaSave - ok
16:54:37.0779 2432 [ 3BE6E1F3A4F1AFEC8CEE0D7883F93583 ] vhdmp C:\Windows\system32\DRIVERS\vhdmp.sys
16:54:37.0810 2432 vhdmp - ok
16:54:37.0841 2432 [ C829317A37B4BEA8F39735D4B076E923 ] viaagp C:\Windows\system32\DRIVERS\viaagp.sys
16:54:37.0841 2432 viaagp - ok
16:54:37.0857 2432 [ E02F079A6AA107F06B16549C6E5C7B74 ] ViaC7 C:\Windows\system32\DRIVERS\viac7.sys
16:54:37.0872 2432 ViaC7 - ok
16:54:37.0888 2432 [ E43574F6A56A0EE11809B48C09E4FD3C ] viaide C:\Windows\system32\DRIVERS\viaide.sys
16:54:37.0903 2432 viaide - ok
16:54:37.0935 2432 [ 379B349F65F453D2A6E75EA6B7448E49 ] vmbus C:\Windows\system32\DRIVERS\vmbus.sys
16:54:37.0950 2432 vmbus - ok
16:54:37.0966 2432 [ EC2BBAB4B84D0738C6C83D2234DC36FE ] VMBusHID C:\Windows\system32\DRIVERS\VMBusHID.sys
16:54:37.0966 2432 VMBusHID - ok
16:54:37.0981 2432 [ 384E5A2AA49934295171E499F86BA6F3 ] volmgr C:\Windows\system32\DRIVERS\volmgr.sys
16:54:38.0013 2432 volmgr - ok
16:54:38.0028 2432 [ B5BB72067DDDDBBFB04B2F89FF8C3C87 ] volmgrx C:\Windows\system32\drivers\volmgrx.sys
16:54:38.0059 2432 volmgrx - ok
16:54:38.0091 2432 [ 58DF9D2481A56EDDE167E51B334D44FD ] volsnap C:\Windows\system32\DRIVERS\volsnap.sys
16:54:38.0106 2432 volsnap - ok
16:54:38.0122 2432 [ 9DFA0CC2F8855A04816729651175B631 ] vsmraid C:\Windows\system32\DRIVERS\vsmraid.sys
16:54:38.0137 2432 vsmraid - ok
16:54:38.0184 2432 [ 7EA2BCD94D9CFAF4C556F5CC94532A6C ] VSS C:\Windows\system32\vssvc.exe
16:54:38.0200 2432 VSS - ok
16:54:38.0215 2432 [ 90567B1E658001E79D7C8BBD3DDE5AA6 ] vwifibus C:\Windows\System32\drivers\vwifibus.sys
16:54:38.0215 2432 vwifibus - ok
16:54:38.0231 2432 [ 55187FD710E27D5095D10A472C8BAF1C ] W32Time C:\Windows\system32\w32time.dll
16:54:38.0247 2432 W32Time - ok
16:54:38.0262 2432 [ DE3721E89C653AA281428C8A69745D90 ] WacomPen C:\Windows\system32\DRIVERS\wacompen.sys
16:54:38.0278 2432 WacomPen - ok
16:54:38.0309 2432 [ 692A712062146E96D28BA0B7D75DE31B ] WANARP C:\Windows\system32\DRIVERS\wanarp.sys
16:54:38.0325 2432 WANARP - ok
16:54:38.0340 2432 [ 692A712062146E96D28BA0B7D75DE31B ] Wanarpv6 C:\Windows\system32\DRIVERS\wanarp.sys
16:54:38.0340 2432 Wanarpv6 - ok
16:54:38.0387 2432 [ 7790B77FE1E5EE47DCC66247095BB4C9 ] wbengine C:\Windows\system32\wbengine.exe
16:54:38.0418 2432 wbengine - ok
16:54:38.0434 2432 [ 9614B5D29DC76AC3C29F6D2D3AA70E67 ] WbioSrvc C:\Windows\System32\wbiosrvc.dll
16:54:38.0449 2432 WbioSrvc - ok
16:54:38.0496 2432 [ 59E19BD13C3BDB857646B9E436BA27F7 ] WcesComm C:\Windows\WindowsMobile\wcescomm.dll
16:54:38.0527 2432 WcesComm - ok
16:54:38.0543 2432 [ D0F88AA11EE1A62BCC6D6A8A7783CA11 ] wcncsvc C:\Windows\System32\wcncsvc.dll
16:54:38.0543 2432 wcncsvc - ok
16:54:38.0574 2432 [ 5D930B6357A6D2AF4D7653BDABBF352F ] WcsPlugInService C:\Windows\System32\WcsPlugInService.dll
16:54:38.0574 2432 WcsPlugInService - ok
16:54:38.0590 2432 [ 1112A9BADACB47B7C0BB0392E3158DFF ] Wd C:\Windows\system32\DRIVERS\wd.sys
16:54:38.0605 2432 Wd - ok
16:54:38.0637 2432 [ 9950E3D0F08141C7E89E64456AE7DC73 ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
16:54:38.0668 2432 Wdf01000 - ok
16:54:38.0699 2432 [ 46EF9DC96265FD0B423DB72E7C38C2A5 ] WdiServiceHost C:\Windows\system32\wdi.dll
16:54:38.0715 2432 WdiServiceHost - ok
16:54:38.0715 2432 [ 46EF9DC96265FD0B423DB72E7C38C2A5 ] WdiSystemHost C:\Windows\system32\wdi.dll
16:54:38.0715 2432 WdiSystemHost - ok
16:54:38.0730 2432 [ D87C7D2C517F82A5AB7A73E203063D9E ] WebClient C:\Windows\System32\webclnt.dll
16:54:38.0746 2432 WebClient - ok
16:54:38.0746 2432 [ 760F0AFE937A77CFF27153206534F275 ] Wecsvc C:\Windows\system32\wecsvc.dll
16:54:38.0761 2432 Wecsvc - ok
16:54:38.0777 2432 [ AC804569BB2364FB6017370258A4091B ] wercplsupport C:\Windows\System32\wercplsupport.dll
16:54:38.0793 2432 wercplsupport - ok
16:54:38.0824 2432 [ 08E420D873E4FD85241EE2421B02C4A4 ] WerSvc C:\Windows\System32\WerSvc.dll
16:54:38.0839 2432 WerSvc - ok
16:54:38.0855 2432 [ 8B9A943F3B53861F2BFAF6C186168F79 ] WfpLwf C:\Windows\system32\DRIVERS\wfplwf.sys
16:54:38.0855 2432 WfpLwf - ok
16:54:38.0871 2432 [ 5CF95B35E59E2A38023836FFF31BE64C ] WIMMount C:\Windows\system32\drivers\wimmount.sys
16:54:38.0886 2432 WIMMount - ok
16:54:38.0949 2432 [ 3FAE8F94296001C32EAB62CD7D82E0FD ] WinDefend C:\Program Files\Windows Defender\mpsvc.dll
16:54:38.0964 2432 WinDefend - ok
16:54:38.0980 2432 WinHttpAutoProxySvc - ok
16:54:39.0011 2432 [ F62E510B6AD4C21EB9FE8668ED251826 ] Winmgmt C:\Windows\system32\wbem\WMIsvc.dll
16:54:39.0042 2432 Winmgmt - ok
16:54:39.0089 2432 [ C4F5D3901D1B41D602DDC196E0B95B51 ] WinRM C:\Windows\system32\WsmSvc.dll
16:54:39.0105 2432 WinRM - ok
16:54:39.0151 2432 [ 30FC6E5448D0CBAAA95280EEEF7FEDAE ] WinUsb C:\Windows\system32\DRIVERS\WinUsb.sys
16:54:39.0167 2432 WinUsb - ok
16:54:39.0198 2432 [ 16935C98FF639D185086A3529B1F2067 ] Wlansvc C:\Windows\System32\wlansvc.dll
16:54:39.0229 2432 Wlansvc - ok
16:54:39.0339 2432 [ 5144AE67D60EC653F97DDF3FEED29E77 ] wlidsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
16:54:39.0370 2432 wlidsvc - ok
16:54:39.0401 2432 [ 0217679B8FCA58714C3BF2726D2CA84E ] WmiAcpi C:\Windows\system32\DRIVERS\wmiacpi.sys
16:54:39.0401 2432 WmiAcpi - ok
16:54:39.0432 2432 [ 6EB6B66517B048D87DC1856DDF1F4C3F ] wmiApSrv C:\Windows\system32\wbem\WmiApSrv.exe
16:54:39.0432 2432 wmiApSrv - ok
16:54:39.0479 2432 [ 77FBD400984CF72BA0FC4B3489D65F74 ] WMPNetworkSvc C:\Program Files\Windows Media Player\wmpnetwk.exe
16:54:39.0510 2432 WMPNetworkSvc - ok
16:54:39.0510 2432 [ A2F0EC770A92F2B3F9DE6D518E11409C ] WPCSvc C:\Windows\System32\wpcsvc.dll
16:54:39.0541 2432 WPCSvc - ok
16:54:39.0557 2432 [ B7F658A2EBC07129538AD9AB35212637 ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
16:54:39.0573 2432 WPDBusEnum - ok
16:54:39.0588 2432 [ 6DB3276587B853BF886B69528FDB048C ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
16:54:39.0588 2432 ws2ifsl - ok
16:54:39.0619 2432 [ 6F5D49EFE0E7164E03AE773A3FE25340 ] wscsvc C:\Windows\system32\wscsvc.dll
16:54:39.0651 2432 wscsvc - ok
16:54:39.0651 2432 WSearch - ok
16:54:39.0729 2432 [ FC3EC24FCE372C89423E015A2AC1A31E ] wuauserv C:\Windows\system32\wuaueng.dll
16:54:39.0791 2432 wuauserv - ok
16:54:39.0791 2432 [ 6F9B6C0C93232CFF47D0F72D6DB1D21E ] WudfPf C:\Windows\system32\drivers\WudfPf.sys
16:54:39.0822 2432 WudfPf - ok
16:54:39.0853 2432 [ F91FF1E51FCA30B3C3981DB7D5924252 ] WUDFRd C:\Windows\system32\DRIVERS\WUDFRd.sys
16:54:39.0885 2432 WUDFRd - ok
16:54:39.0900 2432 [ DDEE3682FE97037C45F4D7AB467CB8B6 ] wudfsvc C:\Windows\System32\WUDFSvc.dll
16:54:39.0931 2432 wudfsvc - ok
16:54:39.0963 2432 [ FF2D745B560F7C71B31F30F4D49F73D2 ] WwanSvc C:\Windows\System32\wwansvc.dll
16:54:39.0978 2432 WwanSvc - ok
16:54:39.0994 2432 XDva391 - ok
16:54:40.0056 2432 [ C26C68BCBAC1F33F890C226769759209 ] xusb21 C:\Windows\system32\DRIVERS\xusb21.sys
16:54:40.0056 2432 xusb21 - ok
16:54:40.0087 2432 ================ Scan global ===============================
16:54:40.0103 2432 [ 9A595DF601070DA78C40481120DD2C06 ] C:\Windows\system32\basesrv.dll
16:54:40.0134 2432 [ 008F51AE989C3DF1CBAF8B39DC423CCC ] C:\Windows\system32\winsrv.dll
16:54:40.0150 2432 [ 008F51AE989C3DF1CBAF8B39DC423CCC ] C:\Windows\system32\winsrv.dll
16:54:40.0165 2432 [ 364455805E64882844EE9ACB72522830 ] C:\Windows\system32\sxssrv.dll
16:54:40.0197 2432 [ 5F1B6A9C35D3D5CA72D6D6FDEF9747D6 ] C:\Windows\system32\services.exe
16:54:40.0197 2432 [Global] - ok
16:54:40.0197 2432 ================ Scan MBR ==================================
16:54:40.0212 2432 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
16:54:40.0665 2432 \Device\Harddisk0\DR0 - ok
16:54:40.0665 2432 [ 5C616939100B85E558DA92B899A0FC36 ] \Device\Harddisk1\DR1
16:54:40.0774 2432 \Device\Harddisk1\DR1 - ok
16:54:40.0774 2432 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk2\DR2
16:54:40.0774 2432 \Device\Harddisk2\DR2 - ok
16:54:40.0774 2432 ================ Scan VBR ==================================
16:54:40.0789 2432 [ F3A17956E5F25556C609AE427E10F88D ] \Device\Harddisk0\DR0\Partition1
16:54:40.0789 2432 \Device\Harddisk0\DR0\Partition1 - ok
16:54:40.0805 2432 [ E26643E1BAAA74CA18B2703A30421F8A ] \Device\Harddisk0\DR0\Partition2
16:54:40.0821 2432 \Device\Harddisk0\DR0\Partition2 - ok
16:54:40.0821 2432 [ 42D210B92298D7060500FFD84A5B38B2 ] \Device\Harddisk1\DR1\Partition1
16:54:40.0821 2432 \Device\Harddisk1\DR1\Partition1 - ok
16:54:40.0836 2432 [ 849664F8CF4237EC21DA1B3B65CA0440 ] \Device\Harddisk2\DR2\Partition1
16:54:40.0836 2432 \Device\Harddisk2\DR2\Partition1 - ok
16:54:40.0836 2432 ============================================================
16:54:40.0836 2432 Scan finished
16:54:40.0836 2432 ============================================================
16:54:40.0852 5180 Detected object count: 0
16:54:40.0852 5180 Actual detected object count: 0
16:55:34.0444 4848 Deinitialize success

I had an incident with aswMBR and Avira though. During the beginning of the aswMBR scan, Avira popped up with a security alert. The description of the detection read "A virus or unwanted program 'TR/Trash.Gen' was found in file 'C:\Windows\System32\drivers\8817fd41e278a8bd.sys'." It denied access to the file, but I have not yet removed it nor closed the alert. Am I wrong in assuming I should turn Avira's realtime protection off before scanning?
aswMBR also was unable to complete the scan before it stopped working and crashed.

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:57 AM

Posted 29 August 2012 - 04:34 PM

Greetings

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 UnnamedText

UnnamedText
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:57 PM

Posted 29 August 2012 - 11:50 PM

There has been no change that I have noticed on my PC since the first run of ComboFix.


ComboFix 12-08-29.03 - Home 08/30/2012 0:33.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1244 [GMT -4:00]
Running from: c:\users\Home\Desktop\ComboFix.exe
Command switches used :: c:\users\Home\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-30 )))))))))))))))))))))))))))))))
.
.
2012-08-30 04:43 . 2012-08-30 04:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-29 15:31 . 2012-08-30 04:43 -------- d-----w- c:\users\Home\AppData\Local\temp
2012-08-29 08:50 . 2012-08-29 08:50 -------- d-----w- c:\program files\HitmanPro
2012-08-29 08:50 . 2012-08-29 08:50 -------- d-----w- c:\programdata\HitmanPro
2012-08-29 04:45 . 2012-08-29 04:45 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-08-29 03:44 . 2012-08-29 03:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-29 03:44 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-19 06:53 . 2012-08-19 06:53 -------- d-----w- c:\program files\Speccy
2012-08-17 22:50 . 2012-05-14 04:37 768512 ----a-w- c:\windows\system32\localspl.dll
2012-08-17 22:50 . 2012-07-04 21:23 41472 ----a-w- c:\windows\system32\browcli.dll
2012-08-17 22:50 . 2012-07-04 21:23 102912 ----a-w- c:\windows\system32\browser.dll
2012-08-10 07:15 . 2012-08-10 07:15 -------- d-----w- c:\programdata\Ask
2012-08-10 02:32 . 2012-08-10 02:51 -------- d-----w- c:\users\Home\AppData\Local\data
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-21 21:48 . 2012-06-14 22:23 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-21 21:48 . 2012-06-14 22:23 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-14 22:26 . 2012-03-17 16:42 772592 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-14 22:26 . 2010-05-02 02:55 687600 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-06 05:09 . 2012-07-11 17:05 1389568 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:09 . 2012-07-11 17:05 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-02 22:19 . 2012-06-21 16:01 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 16:01 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 16:01 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 16:01 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 16:01 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 16:01 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 16:01 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 16:01 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-21 16:01 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 04:51 . 2012-07-11 17:05 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:51 . 2012-07-11 17:05 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:50 . 2012-07-11 17:05 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:48 . 2012-07-11 17:05 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:47 . 2012-07-11 17:05 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-18 02:38 . 2011-03-27 22:44 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13FA2453-9287-4F18-8554-976D7C02F4EE}]
2011-08-25 21:04 47120 ----a-w- d:\program files\Perfect World Entertainment\CORE Client\plugins\CorePluginIE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2009-08-09 293888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-04-02 12288]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"MacDrive 8 application"="c:\program files\Mediafour\MacDrive 8\MacDrive.exe" [2010-05-25 289792]
"Getting started with MacDrive 8"="c:\program files\Mediafour\MacDrive 8\MDGetStarted.exe" [2010-05-25 175104]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-08 348664]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 CFcatchme;CFcatchme;c:\users\Home\AppData\Local\Temp\CFcatchme.sys [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv.sys [x]
R3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 XDva391;XDva391;c:\windows\system32\XDva391.sys [x]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S0 MDFSYSNT;MacDrive file system driver; [x]
S0 MDPMGRNT;MacDrive partition driver; [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S1 CBDisk;CBDisk;c:\windows\system32\drivers\CBDisk.sys [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [x]
S2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe [x]
S2 MacDrive8Service;MacDrive 8 service;c:\program files\Mediafour\MacDrive 8\MacDrive8Service.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 53576540
*NewlyCreated* - ASWMBR
*Deregistered* - 53576540
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 23:34]
.
2012-08-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-11 23:34]
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1985814031-383517345-3186675581-1000Core.job
- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-29 23:34]
.
2012-08-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1985814031-383517345-3186675581-1000UA.job
- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-29 23:34]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\uw8c36q2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - user.js: general.useragent.extra.brc -
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-30 00:46:09
ComboFix-quarantined-files.txt 2012-08-30 04:46
.
Pre-Run: 6,699,130,880 bytes free
Post-Run: 6,750,175,232 bytes free
.
- - End Of File - - F25FFED396DA118F6716DDAB3A196B77
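
The ComboFix log above records three things worth re-checking live on the host rather than trusting one tool's snapshot: the UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0, which means UAC is switched off and every process in this administrator account already holds a full token, so a dropper needs no exploit to register a driver), the service and driver registrations, and, from post #5, a driver file that Avira flagged in the middle of an aswMBR scan. The PowerShell script below is an added example; it is not part of the thread and is not code from ComboFix, TDSSKiller, aswMBR or any other tool named in it. The function names are mine, the "expected" UAC values are the Windows 7 defaults as I know them (an assumption to verify against a clean machine of the same build), and the driver path in the usage lines is the one reported in post #5. It targets the PowerShell 2.0 that ships with Windows 7 and must be run from an elevated prompt.

```powershell
# Added triage script, not from the thread and not code from ComboFix, TDSSKiller,
# aswMBR or any other tool named in it. Run from an elevated PowerShell prompt on the
# affected machine. Written for the PowerShell 2.0 that ships with Windows 7 (hence
# New-Object PSObject instead of [pscustomobject] and .NET MD5 instead of Get-FileHash).

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-UacPolicy {
    # Compare the live UAC policy values with the Windows 7 defaults (assumed here:
    # EnableLUA=1, ConsentPromptBehaviorAdmin=5 "prompt for consent for non-Windows
    # binaries", PromptOnSecureDesktop=1). The ComboFix log shows all three as 0, i.e.
    # UAC is off and every process in the admin account already holds a full token.
    $expected = @{
        EnableLUA                  = 1
        ConsentPromptBehaviorAdmin = 5
        PromptOnSecureDesktop      = 1
    }
    $props = Get-ItemProperty -Path $PolicyKey
    foreach ($name in $expected.Keys) {
        $actual = $props.$name          # $null if the value is absent, which also counts as weakened
        New-Object PSObject -Property @{
            Setting  = $name
            Actual   = $actual
            Expected = $expected[$name]
            Weakened = ($actual -ne $expected[$name])
        }
    }
}

function Resolve-ImagePath([string]$Image) {
    # Turn the registry forms ("\SystemRoot\...", "system32\drivers\x.sys", "\??\C:\...",
    # "%SystemRoot%\...", quoted paths, exe paths followed by arguments) into a plain file path.
    $p = [Environment]::ExpandEnvironmentVariables($Image.Trim())
    if ($p.StartsWith('"')) {
        $p = $p.Substring(1, $p.IndexOf('"', 1) - 1)
    } elseif ($p -match '^(.*?\.(exe|sys|dll))(\s|$)') {
        $p = $matches[1]
    }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ServiceImageStatus {
    # Every key under Services that has an ImagePath, resolved to a file and tested for
    # existence. A registration whose file is gone is either a stale uninstall leftover or
    # a loader whose payload was removed or is being hidden; either way it needs a look.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root) {
        $image = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image) { continue }
        $file = Resolve-ImagePath $image
        New-Object PSObject -Property @{
            Service   = $key.PSChildName
            ImagePath = $image
            File      = $file
            Exists    = (Test-Path -LiteralPath $file)
        }
    }
}

function Get-DriverTriage([string]$Path) {
    # Record what you need to know about one flagged file before deleting it: creation and
    # last-write times, size, MD5 (so it can be looked up or compared with a clean machine)
    # and whether it carries a valid Authenticode signature. An "unreadable" MD5 usually
    # means the AV's on-access component is still blocking the file, as in post #5.
    if (-not (Test-Path -LiteralPath $Path)) {
        return (New-Object PSObject -Property @{ Path = $Path; Exists = $false })
    }
    $item   = Get-Item -LiteralPath $Path
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try {
            $bytes = [System.Security.Cryptography.MD5]::Create().ComputeHash($stream)
            $md5   = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally {
            $stream.Close()
        }
    } catch {
        $md5 = 'unreadable: ' + $_.Exception.Message
    }
    New-Object PSObject -Property @{
        Path      = $Path
        Exists    = $true
        Created   = $item.CreationTime
        LastWrite = $item.LastWriteTime
        SizeBytes = $item.Length
        MD5       = $md5
        Signature = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer    = $signer
    }
}

# Usage. The driver path is the one Avira reported in post #5 of this thread.
Test-UacPolicy | Format-Table Setting, Actual, Expected, Weakened -AutoSize
Get-ServiceImageStatus | Where-Object { -not $_.Exists } | Format-Table Service, ImagePath -AutoSize
Get-DriverTriage -Path 'C:\Windows\System32\drivers\8817fd41e278a8bd.sys' |
    Format-List Path, Exists, Created, LastWrite, SizeBytes, MD5, Signature, Signer
```

Test-UacPolicy flags any value that differs from the default, not just the three zeros in the log, so partially weakened settings show up too. Get-ServiceImageStatus and Get-DriverTriage only see what the running kernel presents: a rootkit that filters directory listings can make an existing file report as missing, and one that hides registry keys can drop a service from the list entirely, which is why the boot-time and offline scanners used in this thread remain the authoritative check and this script is a cross-check, not a replacement.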

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:57 AM

Posted 30 August 2012 - 12:00 AM

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

µTorrent


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes, then Next.
  • Once done, click Finish.



Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (hosts file not read, blank Notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#9 UnnamedText

UnnamedText
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:57 PM

Posted 30 August 2012 - 12:32 AM

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.29.10

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
Home :: HOME-PC [administrator]

8/30/2012 1:19:01 AM
mbam-log-2012-08-30 (01-19-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 199661
Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:28:00 AM, on 8/30/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.17051)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\Mediafour\MacDrive 8\MacDrive.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Home\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Home\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Home\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Home\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Home\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Home\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Home\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Home\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Home\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Home\Desktop\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: CorePluginIEBHO - {13FA2453-9287-4F18-8554-976D7C02F4EE} - D:\Program Files\Perfect World Entertainment\CORE Client\Plugins\CorePluginIE.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe
O4 - HKLM\..\Run: [MacDrive 8 application] "C:\Program Files\Mediafour\MacDrive 8\MacDrive.exe"
O4 - HKLM\..\Run: [Getting started with MacDrive 8] "C:\Program Files\Mediafour\MacDrive 8\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: MacDrive 8 service (MacDrive8Service) - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 8\MacDrive8Service.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 5111 bytes

I did not have any problems with these steps. My PC is still running smoothly with no symptoms.

#10 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 30 August 2012 - 12:42 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can start any of them by clicking their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis see NOTE** below (Hosts file not read, blank Notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    • O4 - HKLM\..\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe
    • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space, e.g.
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan; on Vista and Win 7 right-click the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

  • If threats were found
  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish
  • close program
  • copy and paste the report here


Gringo
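The start-up entries being weighed here, and the HijackThis log they come from in the post above, are easier to judge with a small triage pass than by eye. The Python below is an added example written for this thread; it is not part of HijackThis, ESET or any tool the helper uses, and it never touches the registry: it only parses the O2/O4/O10/O23 lines of a log and flags the entries a responder should verify before clicking "Fix checked". The embedded sample log is constructed from lines in this thread plus one invented `[Updater]` line (a `rundll32.exe` Run value pointing into `%TEMP%`) to show the shape of entry that matters; the `%WINDIR%` expansion, the list of host processes and the user-writable-directory rule are assumptions of the example, not HijackThis behaviour.

```python
"""Offline triage of a HijackThis log: parse O2/O4/O10/O23 lines into records and
flag entries a responder should verify before fixing anything.
Added example for this thread; not part of HijackThis, and it never reads the registry."""
import re
from dataclasses import dataclass


@dataclass
class Entry:
    section: str   # O2 (BHO), O4 (Run value), O10 (Winsock LSP), O23 (service)
    name: str      # Run value name, BHO name + CLSID, or service name
    vendor: str    # O23 only; "" when HijackThis printed nothing between the dashes
    command: str   # command line exactly as logged
    path: str      # first binary in the command: quotes/arguments stripped, %WINDIR% resolved


@dataclass
class Finding:
    entry: Entry
    reason: str


# Assumed expansion for a default Windows 7 install (a real run would read the machine's env).
ENV = {"%WINDIR%": r"C:\Windows", "%SYSTEMROOT%": r"C:\Windows"}
# Host processes whose real payload is in the arguments rather than the first token (assumed list).
HOSTS = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Local Settings)\\", re.IGNORECASE)

O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
# HijackThis collapses an empty vendor to "name - - path", hence the alternation.
O23_RE = re.compile(r"^Service: (.*?) - (?:(.*?) - |- )(.*)$")
O2_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O10_RE = re.compile(r"^Unknown file in Winsock LSP: (.*)$")

# Constructed sample: lines copied from the log in this thread plus one invented [Updater] line.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: Java(TM) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [Updater] rundll32.exe "C:\Users\Home\AppData\Local\Temp\upd.dll",Start
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""


def extract_path(command: str) -> str:
    """Return the first binary in a logged command line, without quotes or arguments."""
    command = command.strip()
    for var, val in ENV.items():
        command = re.sub(re.escape(var), lambda _m: val, command, flags=re.IGNORECASE)
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.(?:exe|dll|sys|cpl|bat|cmd))(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def parse_hjt(text: str) -> list:
    """Turn the O2/O4/O10/O23 lines of a HijackThis log into Entry records."""
    entries = []
    for raw in text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", raw.strip())
        if not m:
            continue  # header, "Running processes", R0/R1 browser settings, blank lines
        section, body = m.groups()
        if section == "O4" and (m4 := O4_RE.match(body)):
            hive, key, name, cmd = m4.groups()
            entries.append(Entry("O4", f"{hive}\\{key}\\[{name}]", "", cmd, extract_path(cmd)))
        elif section == "O23" and (m23 := O23_RE.match(body)):
            name, vendor, cmd = m23.groups()
            entries.append(Entry("O23", name, (vendor or "").strip(), cmd, extract_path(cmd)))
        elif section == "O2" and (m2 := O2_RE.match(body)):
            name, clsid, cmd = m2.groups()
            entries.append(Entry("O2", f"{name} {clsid}", "", cmd, extract_path(cmd)))
        elif section == "O10" and (m10 := O10_RE.match(body)):
            entries.append(Entry("O10", "Winsock LSP", "", m10.group(1), extract_path(m10.group(1))))
    return entries


def triage(entries) -> list:
    """Apply review heuristics. Every hit is something to verify, not something to delete."""
    findings = []
    for e in entries:
        binary = e.path.rsplit("\\", 1)[-1].lower()
        if e.section == "O23" and e.vendor in ("", "Unknown owner"):
            findings.append(Finding(e, "service binary has no company name; check its signature and origin"))
        if e.section in ("O4", "O23") and USER_WRITABLE.search(e.command):
            findings.append(Finding(e, "autostart from a user-writable directory; normal for some updaters, typical of droppers"))
        if e.section == "O4" and binary in HOSTS:
            findings.append(Finding(e, f"{binary} is a host process; the payload is in the arguments"))
        if e.section == "O10":
            findings.append(Finding(e, "a Winsock LSP sees every socket call; confirm the DLL is signed by its claimed publisher"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.entry.section:<4}{f.entry.name}\n    {f.entry.path}\n    -> {f.reason}")
```

Run over the log posted in this thread, the rules single out lxdu_device and PnkBstrA (no company name in the service line) and the two Winsock LSP lines; all of those are known third-party components (a Lexmark printer service, PunkBuster, and the Windows Live ID namespace provider), which is exactly why the output is a list to verify and not a list to remove. The converse caveat matters more for this thread: HijackThis reads the registry through the normal Windows API, so a kernel rootkit that filters those calls can keep its own entries out of the log entirely. A clean O4/O23 list is therefore not proof of a clean machine, and the helper's insistence on a separate scan with anti-stealth enabled is the right call.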

#11 UnnamedText (Topic Starter, Members, 7 posts)

Posted 30 August 2012 - 11:29 AM

I'm happy to report that nothing was found.

#12 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 30 August 2012 - 08:04 PM

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful; if used incorrectly or at the wrong time they can make the computer an expensive paperweight.
They are updated all the time, some of them more than once a day, so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** DeFogger only needs to be run if it was run when we first started. If you have not already run it, skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.
:Uninstall ComboFix:

  • turn off all active protection software
  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used are a good idea to keep and use often to help keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download; it works a lot better than Add/Remove in Windows and has saved me more than once from corrupted installs and uninstalls

CCleaner - This is a good program to clean out temp files; I would use this once a week or before any malware scan to remove unwanted temp files. It has a built-in registry cleaner, but I would leave that alone and not use any registry cleaner.

Malwarebytes' Anti-Malware The Gold standard today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use?" I have at this time 4 computers in my home and I have this setup on all 4 of them.


  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often. (I have upgraded to the paid version of MBAM and I am glad I did)

    Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again?" and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

Internet Safety

Internet Safety for Kids

Here is some more reading for you from some of my colleagues

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I will keep this open for about three days. If anything comes up, just come back and let me know; after that time you will have to send me a PM.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Gringo

#13 UnnamedText (Topic Starter, Members, 7 posts)

Posted 01 September 2012 - 03:01 AM

Just thought I'd run a few more scans with Avira, Malwarebytes, Spybot S&D, SUPERAntiSpyware, and Avast before replying. I also looked over a few things with HijackThis and Autoruns.
All turned up clean!

Thank you for all of the assistance, your speedy advice was a huge help for me and my PC!

Edited by UnnamedText, 01 September 2012 - 03:17 AM.


#14 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 01 September 2012 - 03:03 AM

you are more than welcome


gringo

#15 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 03 September 2012 - 11:19 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.