
GreenDot MoneyPak Infection


  • This topic is locked
24 replies to this topic

#1 ski.smitty

ski.smitty

  • Members
  • 36 posts
  • OFFLINE
  • Local time:08:36 PM

Posted 30 August 2012 - 10:05 AM

Hey there Bleeping Computer team, I'm in dire need of your help once more.

I seem to have been infected with the GreenDot MoneyPak infection. I've already followed the advice on this thread but am not having luck. Last night I successfully ran a full deep clean and cleaned out a ton of infections (I am able to log into my computer in safe mode with networking). I am re-attempting this morning by running rkill first and then doing another deep clean with Emsisoft emergency kit. I'm doubtful this will work the second time though.

I've also tried doing a system restore to a copy for a few days back (the only copy my system had, actually) and it did not work, so I'm afraid that might not be an option either.

The following is my hijackthis log, which I hoped could be useful (I'll be at work all day and wanted to get you guys as much information as possible).

Logfile of HijackThis v1.99.1
Scan saved at 9:03:48 AM, on 8/30/2012
Platform: Unknown Windows (WinNT 6.01.3505 SP1)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)

Running processes:
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Users\Marsh\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xfinity.com/?cid=insDate03312012
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,"C:\Users\Marsh\AppData\Roaming\xsecva\xsecva.exe" -s,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Aimersoft Helper Compact.exe] C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
O4 - HKLM\..\Run: [XSECVA] "C:\Users\Marsh\AppData\Roaming\xsecva\xsecva.exe" -s
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [XSECVA] "C:\Users\Marsh\AppData\Roaming\xsecva\xsecva.exe" -s
O4 - HKCU\..\Run: [] C:\Users\Marsh\AppData\Local\Temp\craoxwnsem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International
O13 - Gopher Prefix:
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/select/asusTek_sys_ctrl3.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %PROGRAMFILES%\Windows Media Player\wmpnetwk.exe (file missing)

All help is much appreciated!

#2 ski.smitty

ski.smitty
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:08:36 PM

Posted 30 August 2012 - 09:26 PM

Avast in safe mode has allowed me to log back on to normal mode, but I get a pop up every 3 minutes or so saying another infection was blocked. Repeat infection scans show the virus is still alive and well even after boxing or deleting them; they come right back.

Here is my DDS report. I'm on Windows 7 64-bit, so there is no GMER file to attach.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.5.1
Run by Marsh at 20:20:57 on 2012-08-30
.
============== Running Processes ===============
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Users\Marsh\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.xfinity.com/?cid=insDate03312012
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
mWinlogon: Userinit=C:\Windows\system32\userinit.exe,"C:\Users\Marsh\AppData\Roaming\xsecva\xsecva.exe" -s,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Aimersoft Helper Compact.exe] C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{60AC8C14-F941-4447-A21B-ACBFF449C884} : DhcpNameServer = 75.75.76.76 75.75.75.75
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Aimersoft Helper Compact.exe] C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Marsh\AppData\Roaming\Mozilla\Firefox\Profiles\tlntkwso.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
.
============= SERVICES / DRIVERS ===============
.
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64
R? cpudrv64;cpudrv64
R? dump_wmimmc;dump_wmimmc
R? EagleX64;EagleX64
R? GGSAFERDriver;GGSAFER Driver
R? MozillaMaintenance;Mozilla Maintenance Service
R? npggsvc;nProtect GameGuard Service
R? RdpVideoMiniport;Remote Desktop Video Miniport Driver
R? SkypeUpdate;Skype Updater
R? Synth3dVsc;Synth3dVsc
R? TsUsbFlt;TsUsbFlt
R? tsusbhub;tsusbhub
R? VGPU;VGPU
R? WatAdminSvc;Windows Activation Technologies Service
S? A2DDA;A2 Direct Disk Access Support Driver
S? AMD External Events Utility;AMD External Events Utility
S? amdkmdag;amdkmdag
S? amdkmdap;amdkmdap
S? aswFsBlk;aswFsBlk
S? aswMonFlt;aswMonFlt
S? aswSnx;aswSnx
S? aswSP;aswSP
S? AtiHDAudioService;AMD Function Driver for HD Audio Service
S? avast! Antivirus;avast! Antivirus
S? RTL8167;Realtek 8167 NT Driver
S? Skype C2C Service;Skype C2C Service
.
=============== Created Last 30 ================
.
2012-08-31 00:05:43 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-08-31 00:05:41 969200 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-08-31 00:05:41 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-08-31 00:05:31 41224 ----a-w- C:\Windows\avastSS.scr
2012-08-30 03:48:36 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-08-30 03:30:33 -------- d-----w- C:\Users\Marsh\AppData\Local\{12AFD388-F253-11E1-8270-B8AC6F996F26}
2012-08-30 03:30:29 649728 ----a-w- C:\Users\Marsh\AppData\Roaming\vcaux.dll
2012-08-30 03:29:40 157696 ----a-w- C:\Users\Marsh\AppData\Roaming\dletre.dll
2012-08-30 03:28:38 -------- d-----w- C:\Users\Marsh\AppData\Roaming\xsecva
2012-08-29 02:47:29 -------- d-----w- C:\Program Files (x86)\AMD AVT
2012-08-29 02:47:27 -------- d-----w- C:\Program Files (x86)\AMD APP
2012-08-29 02:47:20 -------- d-----w- C:\Program Files\Common Files\ATI Technologies
2012-08-29 02:47:20 -------- d-----w- C:\Program Files (x86)\Common Files\ATI Technologies
2012-08-29 02:46:45 -------- d-----w- C:\Program Files (x86)\ATI Technologies
2012-08-29 02:45:29 -------- d-----w- C:\Program Files\ATI Technologies
2012-08-19 03:48:25 -------- d-----w- C:\Games
2012-08-19 03:44:10 -------- d-----w- C:\Program Files\Nexus Mod Manager
2012-08-19 00:14:13 -------- d-----w- C:\Program Files (x86)\The Elder Scrolls V Skyrim
2012-08-18 00:29:07 -------- d-----w- C:\Users\Marsh\AppData\Local\ashampoo
2012-08-18 00:29:07 -------- d-----w- C:\ProgramData\ashampoo
2012-08-18 00:23:58 -------- d-----w- C:\Users\Marsh\AppData\Local\MediaMonkey
2012-08-18 00:20:40 -------- d-----w- C:\Users\Marsh\AppData\Local\Aimersoft
2012-08-18 00:20:39 -------- d-----w- C:\Program Files (x86)\Common Files\Aimersoft
.
==================== Find3M ====================
.
2012-08-30 14:57:14 73416 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-30 14:57:14 696520 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-04 22:13:27 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-07-04 22:13:27 136704 ----a-w- C:\Windows\System32\browser.dll
2012-07-04 21:14:34 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-07-04 08:32:22 187392 ----a-w- C:\Windows\System32\clinfo.exe
2012-07-04 06:59:32 11922944 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2012-07-04 06:52:04 26016256 ----a-w- C:\Windows\System32\atio6axx.dll
2012-07-04 06:35:46 19586048 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2012-07-04 06:27:18 159744 ----a-w- C:\Windows\System32\atiapfxx.exe
2012-07-04 06:27:08 918528 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2012-07-04 06:25:14 1081856 ----a-w- C:\Windows\System32\aticfx64.dll
2012-07-04 06:21:46 442368 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2012-07-04 06:21:40 514048 ----a-w- C:\Windows\System32\atieclxx.exe
2012-07-04 06:20:54 238080 ----a-w- C:\Windows\System32\atiesrxx.exe
2012-07-04 06:19:30 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2012-07-04 06:19:16 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2012-07-04 06:19:12 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2012-07-04 06:19:06 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2012-07-04 06:18:18 6811648 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2012-07-04 05:57:18 7510528 ----a-w- C:\Windows\System32\atidxx64.dll
2012-07-04 05:36:34 1053696 ----a-w- C:\Windows\System32\atiumd6v.dll
2012-07-04 05:36:24 69632 ----a-w- C:\Windows\System32\coinst_8.97.100.3.dll
2012-07-04 05:36:14 1960960 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2012-07-04 05:35:42 4261376 ----a-w- C:\Windows\System32\atiumd6a.dll
2012-07-04 05:35:14 6245888 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2012-07-04 05:28:52 4749312 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2012-07-04 05:24:02 7477760 ----a-w- C:\Windows\System32\atiumd64.dll
2012-07-04 05:11:42 56320 ----a-w- C:\Windows\System32\atimpc64.dll
2012-07-04 05:11:42 56320 ----a-w- C:\Windows\System32\amdpcom64.dll
2012-07-04 05:11:40 535552 ----a-w- C:\Windows\System32\atiadlxx.dll
2012-07-04 05:11:38 56832 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2012-07-04 05:11:38 56832 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2012-07-04 05:11:30 364544 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2012-07-04 05:11:18 17920 ----a-w- C:\Windows\System32\atig6pxx.dll
2012-07-04 05:11:16 14848 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2012-07-04 05:11:16 14848 ----a-w- C:\Windows\System32\atiglpxx.dll
2012-07-04 05:11:12 41984 ----a-w- C:\Windows\System32\atig6txx.dll
2012-07-04 05:11:04 33280 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2012-07-04 05:10:56 359936 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2012-07-04 05:10:04 55296 ----a-w- C:\Windows\System32\atiuxp64.dll
2012-07-04 05:09:56 42496 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2012-07-04 05:09:50 45056 ----a-w- C:\Windows\System32\atiu9p64.dll
2012-07-04 05:09:42 32768 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2012-07-04 05:09:10 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2012-07-04 05:04:30 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2012-07-04 05:04:28 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2012-07-04 05:04:22 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2012-07-04 05:04:18 44544 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2012-07-04 05:04:08 15827456 ----a-w- C:\Windows\System32\aticaldd64.dll
2012-07-04 04:59:40 13402112 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2012-06-27 07:06:53 1188864 ----a-w- C:\Windows\System32\wininet.dll
2012-06-27 05:53:07 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-27 04:53:10 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-27 04:10:55 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-18 18:51:31 476936 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2012-06-16 05:16:04 609792 ----a-w- C:\Windows\System32\vbscript.dll
2012-06-16 04:26:57 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-06-11 19:50:30 75264 ----a-w- C:\Windows\System32\OpenVideo64.dll
2012-06-11 19:50:24 65024 ----a-w- C:\Windows\SysWow64\OpenVideo.dll
2012-06-11 19:50:18 63488 ----a-w- C:\Windows\System32\OVDecode64.dll
2012-06-11 19:50:14 56320 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2012-06-11 19:50:06 16457728 ----a-w- C:\Windows\System32\amdocl64.dll
2012-06-11 19:49:22 13008896 ----a-w- C:\Windows\SysWow64\amdocl.dll
2012-06-07 02:59:42 1070152 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 21:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 21:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
.
============= FINISH: 20:23:01.12 ===============
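The two logs above (the HijackThis log in post #1 and the DDS pseudo-HJT section in post #2) carry the same four indicators: a Winlogon Userinit value with a second executable appended after userinit.exe, a browser proxy pointing at the loopback address (127.0.0.1:5555), Run entries that launch binaries from AppData and Temp (one with an empty value name), and UAC policies set to 0. The script below is an added example, not part of the thread and not one of the tools Gringo asks for; it parses both log formats, flags those four indicator classes, and uses lines copied from the thread's own logs as its sample input. The category names and the `triage`, `check_*` and `summarize` functions are this example's own invention.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (category, detail)

# Lines copied from the HijackThis and DDS logs posted in this thread; they are the
# thread's own data, not constructed values, and serve as the sample input here.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,"C:\Users\Marsh\AppData\Roaming\xsecva\xsecva.exe" -s,
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [XSECVA] "C:\Users\Marsh\AppData\Roaming\xsecva\xsecva.exe" -s
O4 - HKCU\..\Run: [] C:\Users\Marsh\AppData\Local\Temp\craoxwnsem.exe
uInternet Settings,ProxyServer = http=127.0.0.1:5555
mWinlogon: Userinit=C:\Windows\system32\userinit.exe,"C:\Users\Marsh\AppData\Roaming\xsecva\xsecva.exe" -s,
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
"""

# Both formats put the interesting value after "Userinit=", "ProxyServer =",
# "Run: [name] command" or "mPolicies-system: key = value", so one regex per
# indicator covers the HijackThis line and its DDS counterpart.
USERINIT_RE = re.compile(r"\bUserinit\s*=\s*(.+)$", re.IGNORECASE)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(.+)$", re.IGNORECASE)
RUN_RE = re.compile(r"Run(?:Once)?(?:-x64)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"mPolicies-system: (?P<key>\w+) = (?P<val>\d+)")
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\|\\Temp\\", re.IGNORECASE)
# Policy values that switch UAC protections off: EnableLUA=0 disables UAC,
# ConsentPromptBehaviorAdmin=0 elevates without prompting, PromptOnSecureDesktop=0
# draws the prompt on the normal desktop where other processes can overlay it.
UAC_OFF = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}


def check_userinit(value: str) -> List[Finding]:
    """Userinit should contain only the system userinit.exe; every other entry in the
    comma-separated list is started at each logon (the xsecva.exe persistence above)."""
    findings: List[Finding] = []
    for entry in (p.strip() for p in value.split(",")):
        if entry and not entry.lower().endswith("\\system32\\userinit.exe"):
            findings.append(("userinit-hijack", entry))
    return findings


def check_proxy(value: str) -> List[Finding]:
    """A proxy on the loopback interface means a local process sits in the HTTP path."""
    if re.search(r"127\.0\.0\.1|localhost|\[::1\]", value, re.IGNORECASE):
        return [("loopback-proxy", value)]
    return []


def check_run(name: str, cmd: str) -> List[Finding]:
    """Flag autoruns with no value name and autoruns launched from user-writable dirs."""
    findings: List[Finding] = []
    if not name:
        findings.append(("run-empty-name", cmd))
    if USER_WRITABLE_RE.search(cmd):
        findings.append(("run-user-writable", f"[{name}] {cmd}"))
    return findings


def check_policy(key: str, val: str) -> List[Finding]:
    if UAC_OFF.get(key) == val:
        return [("uac-disabled", f"{key} = {val}")]
    return []


def triage(log_text: str) -> List[Finding]:
    """Run every line of a HijackThis or DDS log through the indicator checks."""
    findings: List[Finding] = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        if (m := USERINIT_RE.search(line)):
            findings += check_userinit(m.group(1))
        elif (m := PROXY_RE.search(line)):
            findings += check_proxy(m.group(1))
        elif (m := RUN_RE.search(line)):
            findings += check_run(m.group("name"), m.group("cmd"))
        elif (m := POLICY_RE.search(line)):
            findings += check_policy(m.group("key"), m.group("val"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, handy for a quick first read of a long log."""
    counts: Dict[str, int] = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:18} {detail}")
```

On the thread's lines the script reports the Userinit hijack and the loopback proxy twice each (once per log), the two AppData/Temp autoruns, the nameless Run value, and the three UAC policies. The checks are heuristics: a corporate machine may legitimately set a proxy or relax UAC, so each finding is a lead for a human reviewer, not a verdict.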

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:36 PM

Posted 02 September 2012 - 02:31 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 ski.smitty

ski.smitty
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:08:36 PM

Posted 02 September 2012 - 03:17 AM

Hey Gringo, very excited to receive your assistance, thank you!

I tried running SecurityCheck and received a crash both times, with an "AutoIt Error" popping up that says in the white error box "Line -1: Error: Variable must be of type "Object".

I'm running it in safe mode with networking, from the desktop.

As for combofix, I'll run that next and post the log.

Update: Combofix didn't seem to run its course properly. It ran, a green bar popped up and looked like it was loading stuff, then another screen flashed that looked like it was loading info, then the program finishes loading and closes. The computer does nothing after this.

I opened up Task Manager and noticed a program called ctfmon.exe was running. I closed it, attempted to run combofix again and noticed ctfmon.exe popped right back up (if this is combofix's exe then my bad, but I thought this was worth noting).

So, I unfortunately have no logs to post, as neither program worked (or were nuked by the viruses I have on my computer) :(

Edited by ski.smitty, 02 September 2012 - 03:27 AM.


#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:36 PM

Posted 02 September 2012 - 03:52 AM

Hello

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First, press the Scan button.
  • It will make a log (FRST.txt).
  • Second, type the following in the edit box after "Search:": services.exe
  • Click the Search button.
  • It will make a log (Search.txt).

I want you to post both the FRST.txt report and the Search.txt into your reply to me.

Gringo
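
The scan and the services.exe search above are asked for because of what a helper reads out of the FRST.txt text: the Winlogon Userinit value, the "Bamital & volsnap Check" hash results, and any paths FRST prints under a "ZeroAccess:" heading. The following script is an added example, not part of FRST or of the instructions in this thread; it assumes only the plain-text layout FRST prints (section headers framed by "=" signs, one entry per line), and its SAMPLE_REPORT is constructed from lines of the report ski.smitty posts in reply #6.

```python
"""Triage helpers for Farbar Recovery Scan Tool (FRST) report text.

Added example, not part of FRST or of this thread's instructions. It assumes the
plain-text layout FRST prints (section headers framed by '=' signs, one entry per
line). SAMPLE_REPORT is constructed from lines of the report posted in reply #6.
"""
import re
from typing import Dict, List

SAMPLE_REPORT = r"""
==================== Registry (Whitelisted) ===================

HKLM-x32\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,"C:\Users\Marsh\AppData\Roaming\xsecva\xsecva.exe" -s, [x]

ZeroAccess:
C:\Windows\Installer\{fa981aa8-48d6-cd4b-544a-be827d883b06}
C:\Windows\Installer\{fa981aa8-48d6-cd4b-544a-be827d883b06}\U\80000000.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
USERINIT_RE = re.compile(r"\\Winlogon: \[Userinit\] (?P<value>.*?)(?: \[x\])?$")
HASH_LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?:=> MD5 is legit|(?P<md5>[0-9A-Fa-f]{32}) (?P<label>.*?) <==== ATTENTION)"
)
# The only entry Windows itself puts in Userinit; anything else also runs at every logon.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"


def split_sections(report: str) -> Dict[str, List[str]]:
    """Group non-blank lines under the '==== Name ====' header above them ('' before the first)."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for line in report.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line)
    return sections


def _path_of(entry: str) -> str:
    """Extract the executable path from one Userinit entry, dropping its arguments."""
    entry = entry.strip()
    if entry.startswith('"'):
        end = entry.find('"', 1)
        return entry[1:end] if end > 0 else entry[1:]
    return entry.split()[0] if entry else ""


def userinit_extras(report: str) -> List[str]:
    """Return every Userinit path other than the stock userinit.exe (a logon persistence point)."""
    extras: List[str] = []
    for line in report.splitlines():
        match = USERINIT_RE.search(line)
        if match:
            for entry in match.group("value").split(","):
                path = _path_of(entry)
                if path and path.lower() != STOCK_USERINIT:
                    extras.append(path)
    return extras


def unverified_system_binaries(report: str) -> Dict[str, Dict[str, str]]:
    """Map each Bamital-check entry FRST did not report as 'MD5 is legit' to its hash and label."""
    flagged: Dict[str, Dict[str, str]] = {}
    for line in split_sections(report).get("Bamital & volsnap Check", []):
        match = HASH_LINE_RE.match(line)
        if match and match.group("md5"):
            flagged[match.group("path")] = {"md5": match.group("md5").upper(),
                                            "label": match.group("label")}
    return flagged


def zeroaccess_paths(report: str) -> List[str]:
    """Collect every path listed under a 'ZeroAccess:' heading; a block ends at a blank line."""
    paths: List[str] = []
    in_block = False
    for line in report.splitlines():
        stripped = line.strip()
        if stripped == "ZeroAccess:":
            in_block = True
        elif not stripped:
            in_block = False
        elif in_block:
            paths.append(stripped)
    return paths


def triage(report: str) -> Dict[str, object]:
    """Run the three checks and return their findings together."""
    return {"userinit_extras": userinit_extras(report),
            "unverified_binaries": unverified_system_binaries(report),
            "zeroaccess_paths": zeroaccess_paths(report)}


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_REPORT).items():
        print(f"{name}: {finding}")
```

Running it against the constructed sample reports the xsecva.exe entry appended to Userinit, services.exe with a hash FRST labelled ZeroAccess, and the three ZeroAccess paths; the same functions take the full text of a real FRST.txt read from disk. The checks only read what FRST already printed; deciding what to do with a flagged file remains the helper's call, which is why the thread asks for the logs rather than for any action.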

#6 ski.smitty

ski.smitty
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:08:36 PM

Posted 02 September 2012 - 06:35 PM

FRST Report:

Scan result of Farbar Recovery Scan Tool Version: 02-09-2012 03
Ran by SYSTEM at 02-09-2012 14:59:09
Running from I:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8317472 2009-11-03] (Realtek Semiconductor)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Aimersoft Helper Compact.exe] C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe [x]
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641704 2012-07-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml [20992 2012-03-19] ()
HKLM-x32\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4282728 2012-08-21] (AVAST Software)
HKLM-x32\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,"C:\Users\Marsh\AppData\Roaming\xsecva\xsecva.exe" -s, [x]
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75

==================== Services (Whitelisted) ======

2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-08-21] (AVAST Software)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [75064 2010-06-13] ()
2 Winmgmt; C:\Windows\System32\wbem\WMIsvc.dll [x]

==================== Drivers (Whitelisted) ===================

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [25232 2012-08-21] (AVAST Software)
2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [71600 2012-08-21] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [54072 2012-08-21] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [969200 2012-08-21] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [359464 2012-08-21] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59728 2012-08-21] (AVAST Software)
2 atksgt; C:\Windows\System32\Drivers\atksgt.sys [314016 2010-03-12] ()
3 hamachi; C:\Windows\System32\Drivers\hamachi.sys [33856 2009-03-18] (LogMeIn, Inc.)
2 lirsgt; C:\Windows\System32\Drivers\lirsgt.sys [43680 2010-03-12] ()
0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-05-11] (Duplex Secure Ltd.)
1 A2DDA; \??\C:\Users\Marsh\Desktop\Run\a2ddax64.sys [x]
3 cpudrv64; \??\C:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [x]
3 dump_wmimmc; \??\c:\program files (x86)\steam\steamapps\common\ava\Binaries\GameGuard\dump_wmimmc.sys [x]
3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [x]
3 NPPTNT2; \??\C:\Windows\system32\npptNT2.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) =================


==================== One Month Created Files and Folders ======================

2012-09-02 14:47 - 2012-09-02 14:59 - 00000000 ____D C:\FRST
2012-09-02 12:41 - 2012-09-02 12:41 - 01454439 ____A (Farbar) C:\Users\Marsh\Desktop\FRST64.exe
2012-09-02 00:17 - 2012-09-02 00:24 - 00000000 ___SD C:\32788R22FWJFW
2012-09-02 00:17 - 2012-09-02 00:17 - 00000000 ____D C:\Windows\erdnt
2012-09-02 00:11 - 2012-09-02 00:11 - 00003899 ____A C:\Users\Marsh\Desktop\Directions.txt
2012-09-02 00:00 - 2012-09-02 00:14 - 00854124 ____A C:\Users\Marsh\Desktop\SecurityCheck.exe
2012-08-30 18:02 - 2012-09-02 00:15 - 04742651 ____R (Swearware) C:\Users\Marsh\Desktop\ComboFix.exe
2012-08-30 17:44 - 2012-08-30 17:47 - 00001936 ____A C:\Windows\PFRO.log
2012-08-30 16:05 - 2012-08-30 16:05 - 00000350 ___AH C:\Windows\Tasks\avast! Emergency Update.job
2012-08-30 16:05 - 2012-08-21 01:13 - 00969200 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-08-30 16:05 - 2012-08-21 01:13 - 00359464 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-08-30 16:05 - 2012-08-21 01:13 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-08-30 16:05 - 2012-08-21 01:13 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-08-30 16:05 - 2012-08-21 01:13 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-08-30 16:05 - 2012-08-21 01:13 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-08-30 16:05 - 2012-08-21 01:12 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-08-30 16:05 - 2012-08-21 01:12 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-08-30 07:03 - 2012-08-30 07:03 - 00000000 ____D C:\Program Files\HijackThis
2012-08-29 22:24 - 2012-08-31 20:33 - 00001096 ____A C:\Windows\WindowsUpdate.log
2012-08-29 22:12 - 2012-09-02 12:54 - 00000784 ____A C:\Windows\setupact.log
2012-08-29 22:12 - 2012-08-29 22:12 - 00000000 ____A C:\Windows\setuperr.log
2012-08-29 19:48 - 2012-08-29 19:48 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-29 19:30 - 2012-08-29 19:35 - 00000000 ____A C:\Users\Marsh\AppData\Local\
2012-08-29 19:30 - 2012-08-29 19:30 - 00649728 ____A (Stardock Systems, Inc) C:\Users\Marsh\AppData\Roaming\vcaux.dll
2012-08-29 19:30 - 2012-08-29 19:30 - 00000000 ____D C:\Users\Marsh\AppData\Local\{12AFD388-F253-11E1-8270-B8AC6F996F26}
2012-08-29 19:29 - 2012-08-29 19:28 - 00157696 ____A C:\Users\Marsh\AppData\Roaming\dletre.dll
2012-08-29 19:28 - 2012-08-29 22:11 - 00000000 ____D C:\Users\Marsh\AppData\Roaming\xsecva
2012-08-28 18:49 - 2012-08-28 18:49 - 00000000 ____D C:\Users\All Users\ATI
2012-08-28 18:47 - 2012-08-28 18:47 - 00000000 ____D C:\Program Files\Common Files\ATI Technologies
2012-08-28 18:47 - 2012-08-28 18:47 - 00000000 ____D C:\Program Files (x86)\AMD AVT
2012-08-28 18:47 - 2012-08-28 18:47 - 00000000 ____D C:\Program Files (x86)\AMD APP
2012-08-28 18:46 - 2012-08-28 18:46 - 00000000 ____D C:\Program Files (x86)\ATI Technologies
2012-08-28 18:45 - 2012-08-28 18:47 - 00000000 ____D C:\Program Files\ATI Technologies
2012-08-25 08:26 - 2012-08-26 10:42 - 00000000 ____D C:\Users\Marsh\Downloads\Braveheart.1995.1080p.x264.DTS.4AUDIO-WAF
2012-08-21 19:27 - 2012-08-21 22:11 - 00000000 ____D C:\Users\Marsh\AppData\Roaming\Adobe
2012-08-21 19:27 - 2012-08-21 19:27 - 00000000 ____D C:\Users\Marsh\AppData\Roaming\Macromedia
2012-08-20 22:33 - 2012-08-20 22:54 - 00000000 ____D C:\Users\Marsh\Downloads\The Lord of the Rings - The Complete Recordings [OST]
2012-08-19 22:03 - 2012-08-20 20:19 - 00000000 ____D C:\Users\Marsh\Downloads\The West Wing Deluxe DVD Boxset Season 1, 2, 3, 4, 5, 6 & 7 + Extras (Extra Episode's etc)
2012-08-19 14:19 - 2012-08-19 14:19 - 00001507 ____A C:\Users\Marsh\Desktop\skse_loader - Shortcut.lnk
2012-08-18 19:48 - 2012-08-18 19:48 - 00000000 ____D C:\Games
2012-08-18 19:44 - 2012-08-25 22:11 - 00000000 ____D C:\Users\Marsh\Documents\Nexus Mod Manager
2012-08-18 19:44 - 2012-08-23 19:52 - 00000934 ____A C:\Users\Public\Desktop\Nexus Mod Manager.lnk
2012-08-18 19:44 - 2012-08-18 19:44 - 00000000 ____D C:\Program Files\Nexus Mod Manager
2012-08-18 16:14 - 2012-08-25 22:11 - 00000000 ____D C:\Program Files (x86)\The Elder Scrolls V Skyrim
2012-08-18 14:24 - 2012-08-18 14:54 - 00000000 ____D C:\Users\Marsh\Downloads\rzr-skrm
2012-08-17 16:29 - 2012-08-17 16:29 - 00000000 ____D C:\Users\Marsh\AppData\Local\ashampoo
2012-08-17 16:29 - 2012-08-17 16:29 - 00000000 ____D C:\Users\All Users\ashampoo
2012-08-17 16:23 - 2012-08-17 16:23 - 00000000 ____D C:\Users\Marsh\AppData\Local\MediaMonkey
2012-08-17 16:20 - 2012-08-17 16:20 - 00000000 ____D C:\Users\Marsh\AppData\Local\Aimersoft
2012-08-15 21:43 - 2012-08-17 07:10 - 00000000 ____D C:\Users\Marsh\Downloads\Bronson.LIMITED.720p.BluRay.x264-iNFAMOUS
2012-08-15 07:15 - 2012-07-18 10:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-15 07:15 - 2012-07-04 14:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-15 07:15 - 2012-07-04 14:13 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-15 07:15 - 2012-07-04 14:13 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-15 07:15 - 2012-07-04 13:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-08-15 07:15 - 2012-07-04 13:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-08-15 07:15 - 2012-06-26 23:06 - 01494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-15 07:15 - 2012-06-26 23:06 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-15 07:15 - 2012-06-26 23:06 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-15 07:15 - 2012-06-26 23:03 - 09059840 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-15 07:15 - 2012-06-26 23:03 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-15 07:15 - 2012-06-26 23:03 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-15 07:15 - 2012-06-26 23:02 - 12297216 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-15 07:15 - 2012-06-26 23:02 - 02453504 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-15 07:15 - 2012-06-26 23:02 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-15 07:15 - 2012-06-26 23:02 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-15 07:15 - 2012-06-26 21:53 - 01231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-15 07:15 - 2012-06-26 21:53 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-15 07:15 - 2012-06-26 21:53 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-15 07:15 - 2012-06-26 21:51 - 06027776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-15 07:15 - 2012-06-26 21:51 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-15 07:15 - 2012-06-26 21:51 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-15 07:15 - 2012-06-26 21:50 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-15 07:15 - 2012-06-26 21:50 - 02073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-15 07:15 - 2012-06-26 21:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-15 07:15 - 2012-06-26 21:50 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-15 07:15 - 2012-06-26 20:53 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-15 07:15 - 2012-06-26 20:10 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-15 07:15 - 2012-06-15 21:16 - 00609792 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-15 07:15 - 2012-06-15 21:15 - 00911360 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-15 07:15 - 2012-06-15 20:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-15 07:15 - 2012-06-15 20:26 - 00428032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-15 07:15 - 2012-05-13 21:26 - 00956928 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-08 21:48 - 2012-08-08 22:02 - 00000000 ____D C:\Users\Marsh\Downloads\[ www.Torrentday.com ] - Heavy Metal 1981 BRRip XvidHD 720p-NPW
2012-08-07 19:44 - 2012-08-07 19:44 - 00000000 ____D C:\Users\Marsh\Downloads\Midnight.in.Paris.720p.BluRay.x264-MHD
2012-08-05 21:45 - 2012-08-05 21:46 - 00000000 ____D C:\Users\Marsh\Downloads\Moby

==================== 3 Months Modified Files ================================

2012-09-02 12:57 - 2009-07-13 20:45 - 00018816 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-02 12:57 - 2009-07-13 20:45 - 00018816 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-02 12:55 - 2012-05-31 15:20 - 00000324 ____A C:\Windows\Tasks\GlaryInitialize.job
2012-09-02 12:54 - 2012-08-29 22:12 - 00000784 ____A C:\Windows\setupact.log
2012-09-02 12:54 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-02 12:41 - 2012-09-02 12:41 - 01454439 ____A (Farbar) C:\Users\Marsh\Desktop\FRST64.exe
2012-09-02 00:15 - 2012-08-30 18:02 - 04742651 ____R (Swearware) C:\Users\Marsh\Desktop\ComboFix.exe
2012-09-02 00:14 - 2012-09-02 00:00 - 00854124 ____A C:\Users\Marsh\Desktop\SecurityCheck.exe
2012-09-02 00:11 - 2012-09-02 00:11 - 00003899 ____A C:\Users\Marsh\Desktop\Directions.txt
2012-09-01 17:31 - 2012-03-28 22:43 - 00045270 ____A C:\Users\Marsh\AppData\Roaming\room_v3.dat
2012-08-31 20:33 - 2012-08-29 22:24 - 00001096 ____A C:\Windows\WindowsUpdate.log
2012-08-30 17:47 - 2012-08-30 17:44 - 00001936 ____A C:\Windows\PFRO.log
2012-08-30 16:05 - 2012-08-30 16:05 - 00000350 ___AH C:\Windows\Tasks\avast! Emergency Update.job
2012-08-30 16:05 - 2010-02-23 22:53 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-08-30 06:57 - 2012-05-26 12:06 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-30 06:57 - 2011-06-20 00:05 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-29 22:12 - 2012-08-29 22:12 - 00000000 ____A C:\Windows\setuperr.log
2012-08-29 19:35 - 2012-08-29 19:30 - 00000000 ____A C:\Users\Marsh\AppData\Local\
2012-08-29 19:30 - 2012-08-29 19:30 - 00649728 ____A (Stardock Systems, Inc) C:\Users\Marsh\AppData\Roaming\vcaux.dll
2012-08-29 19:28 - 2012-08-29 19:29 - 00157696 ____A C:\Users\Marsh\AppData\Roaming\dletre.dll
2012-08-29 16:06 - 2010-11-25 04:10 - 00002034 ___AH C:\Users\Marsh\Documents\Default.rdp
2012-08-28 19:06 - 2012-05-31 15:20 - 00001026 ____A C:\Users\Marsh\Desktop\Glary Utilities.lnk
2012-08-23 19:52 - 2012-08-18 19:44 - 00000934 ____A C:\Users\Public\Desktop\Nexus Mod Manager.lnk
2012-08-21 01:13 - 2012-08-30 16:05 - 00969200 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-08-21 01:13 - 2012-08-30 16:05 - 00359464 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-08-21 01:13 - 2012-08-30 16:05 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-08-21 01:13 - 2012-08-30 16:05 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-08-21 01:13 - 2012-08-30 16:05 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-08-21 01:13 - 2012-08-30 16:05 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-08-21 01:12 - 2012-08-30 16:05 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-08-21 01:12 - 2012-08-30 16:05 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-08-21 01:12 - 2011-04-29 15:39 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-08-19 14:19 - 2012-08-19 14:19 - 00001507 ____A C:\Users\Marsh\Desktop\skse_loader - Shortcut.lnk
2012-08-15 14:53 - 2009-07-13 20:45 - 00416720 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-15 07:52 - 2009-10-14 04:51 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-02 18:15 - 2012-08-02 18:15 - 00002353 ____A C:\Users\Marsh\Desktop\Third Age - Total War.lnk
2012-07-31 11:23 - 2010-07-26 22:34 - 00001102 ____A C:\Users\Public\Desktop\StarCraft II.lnk
2012-07-29 20:24 - 2009-12-17 22:58 - 00109496 ____A C:\Users\Marsh\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-26 13:25 - 2012-07-26 13:25 - 00006493 ____A C:\Users\Marsh\AppData\Local\recently-used.xbel
2012-07-26 11:59 - 2012-07-26 11:59 - 00045389 ____A C:\Users\Marsh\Documents\Untitled.wma
2012-07-21 09:03 - 2012-05-30 20:00 - 00000866 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-07-18 10:15 - 2012-08-15 07:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-10 17:18 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-07-09 21:39 - 2012-07-09 21:39 - 00001958 ____A C:\Users\Marsh\Desktop\Day Z.lnk
2012-07-07 22:38 - 2012-06-18 10:51 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-07-07 22:38 - 2012-06-18 10:51 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-07-04 14:16 - 2012-08-15 07:15 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 14:13 - 2012-08-15 07:15 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 14:13 - 2012-08-15 07:15 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 13:16 - 2012-08-15 07:15 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 13:14 - 2012-08-15 07:15 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-07-04 00:32 - 2012-07-04 00:32 - 00187392 ____A C:\Windows\System32\clinfo.exe
2012-07-03 22:59 - 2012-07-03 22:59 - 11922944 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\atikmdag.sys
2012-07-03 22:52 - 2012-07-03 22:52 - 26016256 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atio6axx.dll
2012-07-03 22:35 - 2012-07-03 22:35 - 19586048 ____A (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atioglxx.dll
2012-07-03 22:28 - 2012-07-03 22:28 - 00246000 ____A C:\Windows\SysWOW64\atiapfxx.blb
2012-07-03 22:28 - 2012-07-03 22:28 - 00246000 ____A C:\Windows\System32\atiapfxx.blb
2012-07-03 22:27 - 2012-07-03 22:27 - 00918528 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\aticfx32.dll
2012-07-03 22:27 - 2012-07-03 22:27 - 00159744 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atiapfxx.exe
2012-07-03 22:25 - 2012-07-03 22:25 - 01081856 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\aticfx64.dll
2012-07-03 22:21 - 2012-07-03 22:21 - 00514048 ____A (AMD) C:\Windows\System32\atieclxx.exe
2012-07-03 22:21 - 2012-07-03 22:21 - 00442368 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\ATIDEMGX.dll
2012-07-03 22:20 - 2012-07-03 22:20 - 00238080 ____A (AMD) C:\Windows\System32\atiesrxx.exe
2012-07-03 22:19 - 2012-07-03 22:19 - 00120320 ____A (AMD) C:\Windows\System32\atitmm64.dll
2012-07-03 22:19 - 2012-07-03 22:19 - 00059392 ____A (ATI Technologies, Inc.) C:\Windows\System32\atiedu64.dll
2012-07-03 22:19 - 2012-07-03 22:19 - 00043520 ____A (ATI Technologies, Inc.) C:\Windows\SysWOW64\ati2edxx.dll
2012-07-03 22:19 - 2012-07-03 22:19 - 00021504 ____A (AMD) C:\Windows\System32\atimuixx.dll
2012-07-03 22:18 - 2012-07-03 22:18 - 06811648 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atidxx32.dll
2012-07-03 21:57 - 2012-07-03 21:57 - 07510528 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atidxx64.dll
2012-07-03 21:36 - 2012-07-03 21:36 - 01960960 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdmv.dll
2012-07-03 21:36 - 2012-07-03 21:36 - 01053696 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiumd6v.dll
2012-07-03 21:36 - 2012-07-03 21:36 - 00069632 ____A (AMD) C:\Windows\System32\coinst_8.97.100.3.dll
2012-07-03 21:35 - 2012-07-03 21:35 - 06245888 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdag.dll
2012-07-03 21:35 - 2012-07-03 21:35 - 04261376 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiumd6a.dll
2012-07-03 21:34 - 2012-07-03 21:34 - 02818784 ____A C:\Windows\System32\atiumd6a.cap
2012-07-03 21:28 - 2012-07-03 21:28 - 04749312 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdva.dll
2012-07-03 21:27 - 2012-07-03 21:27 - 02852480 ____A C:\Windows\SysWOW64\atiumdva.cap
2012-07-03 21:24 - 2012-07-03 21:24 - 07477760 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiumd64.dll
2012-07-03 21:11 - 2012-07-03 21:11 - 00535552 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atiadlxx.dll
2012-07-03 21:11 - 2012-07-03 21:11 - 00364544 ____A (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxy.dll
2012-07-03 21:11 - 2012-07-03 21:11 - 00056832 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atimpc32.dll
2012-07-03 21:11 - 2012-07-03 21:11 - 00056832 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdpcom32.dll
2012-07-03 21:11 - 2012-07-03 21:11 - 00056320 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atimpc64.dll
2012-07-03 21:11 - 2012-07-03 21:11 - 00056320 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\amdpcom64.dll
2012-07-03 21:11 - 2012-07-03 21:11 - 00041984 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atig6txx.dll
2012-07-03 21:11 - 2012-07-03 21:11 - 00033280 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atigktxx.dll
2012-07-03 21:11 - 2012-07-03 21:11 - 00017920 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atig6pxx.dll
2012-07-03 21:11 - 2012-07-03 21:11 - 00014848 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiglpxx.dll
2012-07-03 21:11 - 2012-07-03 21:11 - 00014848 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiglpxx.dll
2012-07-03 21:10 - 2012-07-03 21:10 - 00359936 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\atikmpag.sys
2012-07-03 21:10 - 2012-07-03 21:10 - 00055296 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiuxp64.dll
2012-07-03 21:09 - 2012-07-03 21:09 - 00053248 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\ati2erec.dll
2012-07-03 21:09 - 2012-07-03 21:09 - 00045056 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiu9p64.dll
2012-07-03 21:09 - 2012-07-03 21:09 - 00042496 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiuxpag.dll
2012-07-03 21:09 - 2012-07-03 21:09 - 00032768 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiu9pag.dll
2012-07-03 21:04 - 2012-07-03 21:04 - 15827456 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticaldd64.dll
2012-07-03 21:04 - 2012-07-03 21:04 - 00051200 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticalrt64.dll
2012-07-03 21:04 - 2012-07-03 21:04 - 00046080 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalrt.dll
2012-07-03 21:04 - 2012-07-03 21:04 - 00044544 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalcl.dll
2012-07-03 21:04 - 2012-07-03 21:04 - 00044544 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticalcl64.dll
2012-07-03 20:59 - 2012-07-03 20:59 - 13402112 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticaldd.dll
2012-06-27 20:12 - 2009-07-13 21:08 - 00032568 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-26 23:06 - 2012-08-15 07:15 - 01494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-26 23:06 - 2012-08-15 07:15 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-26 23:06 - 2012-08-15 07:15 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-26 23:03 - 2012-08-15 07:15 - 09059840 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-26 23:03 - 2012-08-15 07:15 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-06-26 23:03 - 2012-08-15 07:15 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-26 23:02 - 2012-08-15 07:15 - 12297216 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-26 23:02 - 2012-08-15 07:15 - 02453504 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-26 23:02 - 2012-08-15 07:15 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-26 23:02 - 2012-08-15 07:15 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-26 21:53 - 2012-08-15 07:15 - 01231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-26 21:53 - 2012-08-15 07:15 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-26 21:53 - 2012-08-15 07:15 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-26 21:51 - 2012-08-15 07:15 - 06027776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-26 21:51 - 2012-08-15 07:15 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-06-26 21:51 - 2012-08-15 07:15 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-26 21:50 - 2012-08-15 07:15 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-26 21:50 - 2012-08-15 07:15 - 02073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-26 21:50 - 2012-08-15 07:15 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-26 21:50 - 2012-08-15 07:15 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-26 20:53 - 2012-08-15 07:15 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-26 20:10 - 2012-08-15 07:15 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-19 17:12 - 2012-06-19 17:12 - 00016811 ____A C:\Users\Marsh\Documents\StatExcel.xlsx
2012-06-18 10:51 - 2012-06-18 10:51 - 00476936 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-06-15 21:16 - 2012-08-15 07:15 - 00609792 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-06-15 21:15 - 2012-08-15 07:15 - 00911360 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-15 20:26 - 2012-08-15 07:15 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-15 20:26 - 2012-08-15 07:15 - 00428032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-06-13 13:11 - 2009-07-13 21:13 - 00810516 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-11 11:50 - 2012-06-11 11:50 - 16457728 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\amdocl64.dll
2012-06-11 11:50 - 2012-06-11 11:50 - 00075264 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\OpenVideo64.dll
2012-06-11 11:50 - 2012-06-11 11:50 - 00065024 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\OpenVideo.dll
2012-06-11 11:50 - 2012-06-11 11:50 - 00063488 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\OVDecode64.dll
2012-06-11 11:50 - 2012-06-11 11:50 - 00056320 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\OVDecode.dll
2012-06-11 11:49 - 2012-06-11 11:49 - 13008896 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\amdocl.dll
2012-06-08 21:43 - 2012-07-10 13:14 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-10 13:14 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-06 18:59 - 2012-06-06 18:59 - 01070152 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
2012-06-05 22:06 - 2012-07-10 13:14 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-10 13:14 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-10 13:13 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-10 13:14 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-10 13:14 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-10 13:13 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll


ZeroAccess:
C:\Windows\Installer\{fa981aa8-48d6-cd4b-544a-be827d883b06}
C:\Windows\Installer\{fa981aa8-48d6-cd4b-544a-be827d883b06}\@
C:\Windows\Installer\{fa981aa8-48d6-cd4b-544a-be827d883b06}\L
C:\Windows\Installer\{fa981aa8-48d6-cd4b-544a-be827d883b06}\U
C:\Windows\Installer\{fa981aa8-48d6-cd4b-544a-be827d883b06}\L\00000004.@
C:\Windows\Installer\{fa981aa8-48d6-cd4b-544a-be827d883b06}\L\201d3dde
C:\Windows\Installer\{fa981aa8-48d6-cd4b-544a-be827d883b06}\U\00000008.@
C:\Windows\Installer\{fa981aa8-48d6-cd4b-544a-be827d883b06}\U\000000cb.@
C:\Windows\Installer\{fa981aa8-48d6-cd4b-544a-be827d883b06}\U\80000000.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-22 17:56:28
Restore point made on: 2012-08-28 18:53:28

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 4094.49 MB
Available physical RAM: 3431.95 MB
Total Pagefile: 4092.64 MB
Available Pagefile: 3428.4 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions ============================

2 Drive c: () (Fixed) (Total:465.66 GB) (Free:93.73 GB) NTFS
6 Drive h: (Med II - Disc 1) (CDROM) (Total:4.23 GB) (Free:0 GB) CDFS
7 Drive i: (BLACKBERRY1) (Removable) (Total:6.3 GB) (Free:3.23 GB) FAT32
8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
9 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 6449 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 C NTFS Partition 465 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 6449 MB 0 B

==================================================================================

Disk: 2
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

==================================================================================

Last Boot: 2012-08-28 16:39

==================== End Of Log =============================






Search Report:


Farbar Recovery Scan Tool Version: 02-09-2012 03
Ran by SYSTEM at 2012-09-02 15:28:56
Running from I:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

====== End Of Search ======

#7 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:36 PM

Posted 02 September 2012 - 06:48 PM

Hello

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt

Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\assembly\GAC\Desktop.ini 
C:\Windows\Installer\{fa981aa8-48d6-cd4b-544a-be827d883b06}
HKLM-x32\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,"C:\Users\Marsh\AppData\Roaming\xsecva\xsecva.exe" -s, [x]
C:\Users\Marsh\AppData\Roaming\xsecva

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
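The fixlist above does four things that are worth being able to verify independently: it replaces a services.exe whose MD5 and size (329216 bytes, per the FRST search) differ from the WinSxS copy (328704 bytes), removes the {GUID} folder under C:\Windows\Installer with its "@" file and U\ and L\ subfolders, removes the Desktop.ini files dropped into the GAC folders, and restores the Wow6432Node Userinit value that was launching xsecva.exe. The PowerShell below is an added example, not code from this thread, from FRST or from any other tool mentioned here. It re-checks those same points on a live system, plus the .exe association that FRST reports as OK and the loopback proxy (http=127.0.0.1:5555) that the ComboFix log further down shows under Internet Settings. Its assumptions: the paths and registry values are the ones named in these logs; the test that a Desktop.ini beginning with "MZ" is a PE image in disguise is an added heuristic, not something the thread states; and it has to run from an elevated PowerShell (it hashes with .NET so it also works on the PowerShell 2.0 that shipped with Windows 7). It only reads and reports; it removes nothing.

```powershell
# Added example (not from this thread, FRST, ComboFix or any other tool named
# here): read-only re-check of the ZeroAccess indicators the fixlist touches.
# Assumptions: paths/registry values are the ones in the logs above; treating a
# Desktop.ini that starts with 'MZ' as a PE image is an added heuristic; run
# from an elevated PowerShell on the live system (PowerShell 2.0 on Windows 7
# is enough, hence .NET hashing instead of Get-FileHash).

function Get-Md5Hex([string]$Path) {
    # MD5 only so the value can be compared with the FRST log; the real test is
    # byte-identity with the WinSxS copy, not the strength of the digest.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $fs.Close() }
}

function Test-PeHeader([string]$Path) {
    # True if the file begins with the 'MZ' DOS stub, i.e. it is an executable image.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $b = New-Object byte[] 2
        ($fs.Read($b, 0, 2) -eq 2) -and ($b[0] -eq 0x4D) -and ($b[1] -eq 0x5A)
    } finally { $fs.Close() }
}

function Find-ZeroAccessIndicators {
    $root = $env:SystemRoot
    $findings = @()

    # 1. services.exe must be byte-identical to a WinSxS copy of the service
    #    controller (the source of the fixlist's Replace: line). The signature
    #    check is supporting evidence only: PowerShell before 5.1 does not look
    #    up catalog signatures, so catalog-signed OS files report NotSigned.
    $live = Join-Path $root 'System32\services.exe'
    $sig = Get-AuthenticodeSignature -FilePath $live
    if ($sig.Status -ne 'Valid') { $findings += "services.exe signature status: $($sig.Status)" }
    $liveMd5 = Get-Md5Hex $live
    $copies = @(Get-ChildItem -Path (Join-Path $root 'winsxs') -Filter '*servicecontroller_*' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Join-Path $_.FullName 'services.exe' } |
        Where-Object { Test-Path -LiteralPath $_ })
    $same = @($copies | Where-Object { (Get-Md5Hex $_) -eq $liveMd5 })
    if ($copies.Count -gt 0 -and $same.Count -eq 0) {
        $findings += "services.exe MD5 $liveMd5 matches none of $($copies.Count) WinSxS copies"
    }

    # 2. %SystemRoot%\Installer\{GUID} holding a file named '@' and a U\ folder.
    #    Plain {GUID} folders there are normal MSI cache entries; '@' is the tell.
    $dirs = @(Get-ChildItem -Path (Join-Path $root 'Installer') -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-f-]{36}\}$' })
    foreach ($d in $dirs) {
        if ((Test-Path -LiteralPath (Join-Path $d.FullName '@')) -or
            (Test-Path -LiteralPath (Join-Path $d.FullName 'U') -PathType Container)) {
            $findings += "ZeroAccess-style drop folder: $($d.FullName)"
        }
    }

    # 3. Desktop.ini dropped into the GAC folders the fixlist lists. Presence is
    #    what the fixlist acts on; an 'MZ' header makes it conclusive.
    foreach ($gac in 'GAC', 'GAC_32', 'GAC_64') {
        $ini = Join-Path $root "assembly\$gac\Desktop.ini"
        if (Test-Path -LiteralPath $ini) {
            $kind = if (Test-PeHeader $ini) { 'PE image' } else { 'unexpected file' }
            $findings += "$ini present ($kind)"
        }
    }

    # 4. Winlogon Userinit, in both registry views, must be userinit.exe alone.
    $expected = Join-Path $root 'system32\userinit.exe'
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
        $v = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit
        if ($v -and ($v.TrimEnd(',') -ne $expected)) { $findings += "Userinit hijack in ${key}: $v" }
    }

    # 5. .exe association: anything but "%1" %* means every EXE launch is intercepted.
    $cmd = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -ne '"%1" %*') { $findings += "exefile open command is: $cmd" }

    # 6. A WinINet proxy pointing back at this machine (ComboFix shows
    #    http=127.0.0.1:5555) needs a known local proxy product to explain it.
    $proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name ProxyServer -ErrorAction SilentlyContinue).ProxyServer
    if ($proxy -match '127\.0\.0\.1|localhost') { $findings += "loopback proxy configured: $proxy" }

    return $findings
}

$result = @(Find-ZeroAccessIndicators)
if ($result.Count -eq 0) { 'No ZeroAccess indicators found.' } else { $result }
```

Run it before and after a fix of this kind. On the machine in this thread it would have reported at least the services.exe mismatch, the Installer folder, the two GAC Desktop.ini files and the Wow6432Node Userinit value before the fix; whatever it still prints afterwards (the ComboFix log taken after the fix still shows the 127.0.0.1:5555 proxy, for instance) is what is left to deal with.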

#8 ski.smitty
  • Topic Starter
  • Members
  • 36 posts
  • Local time:08:36 PM

Posted 02 September 2012 - 07:29 PM

Here it is Gringo:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 02-09-2012 03
Ran by SYSTEM at 2012-09-02 18:25:55 Run:1
Running from I:\

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\assembly\GAC\Desktop.ini not found.
C:\Windows\Installer\{fa981aa8-48d6-cd4b-544a-be827d883b06} moved successfully.
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit Value was restored successfully .
C:\Users\Marsh\AppData\Roaming\xsecva moved successfully.

==== End of Fixlog ====

I've also noticed Avast DIDN'T pop up with an alert as soon as I got to my desktop again after restart, which is new. Usually it's popping up every 3-4 minutes, especially when I open up my browser.

#9 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:36 PM

Posted 02 September 2012 - 08:07 PM

I would like you to try and run ComboFix again for me now.



gringo

#10 ski.smitty
  • Topic Starter
  • Members
  • 36 posts
  • Local time:08:36 PM

Posted 02 September 2012 - 09:04 PM

ComboFix ran! I ran it in safe mode in an attempt to ensure extraneous programs weren't running, including Avast. Upon restart, Avast DID auto-start, though, while the log was preparing, and I disabled it for an hour. I hope that didn't interfere. I would also like to add that when I hopped into Firefox to post this, my Avast shield prevented a pop-up virus site, so there's still something lingering on my machine for sure.

Here is the combofix log:

ComboFix 12-09-01.01 - Marsh 09/02/2012 19:42:30.1.4 - x64 NETWORK
Running from: c:\users\Marsh\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Marsh\AppData\Local\assembly\tmp
c:\users\Marsh\AppData\Roaming\dletre.dll
c:\users\Marsh\AppData\Roaming\vcaux.dll
c:\windows\SysWow64\URTTemp
c:\windows\SysWow64\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-03 to 2012-09-03 )))))))))))))))))))))))))))))))
.
.
2012-09-03 01:52 . 2012-09-03 01:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-02 22:47 . 2012-09-02 22:59 -------- d-----w- C:\FRST
2012-08-31 00:05 . 2012-08-21 09:13 359464 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-08-31 00:05 . 2012-08-21 09:13 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-08-31 00:05 . 2012-08-21 09:13 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-08-31 00:05 . 2012-08-21 09:13 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-08-31 00:05 . 2012-08-21 09:13 969200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-31 00:05 . 2012-08-21 09:13 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-08-31 00:05 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-08-31 00:05 . 2012-08-21 09:12 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-08-30 15:03 . 2012-08-30 15:03 -------- d-----w- c:\program files\HijackThis
2012-08-30 03:48 . 2012-08-30 03:48 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-08-30 03:30 . 2012-08-30 03:30 -------- d-----w- c:\users\Marsh\AppData\Local\{12AFD388-F253-11E1-8270-B8AC6F996F26}
2012-08-29 02:49 . 2012-08-29 02:49 -------- d-----w- c:\programdata\ATI
2012-08-29 02:47 . 2012-08-29 02:47 -------- d-----w- c:\program files (x86)\AMD AVT
2012-08-29 02:47 . 2012-08-29 02:47 -------- d-----w- c:\program files (x86)\AMD APP
2012-08-29 02:47 . 2012-08-29 02:47 -------- d-----w- c:\program files\Common Files\ATI Technologies
2012-08-29 02:47 . 2012-08-29 02:47 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies
2012-08-29 02:46 . 2012-08-29 02:46 -------- d-----w- c:\program files (x86)\ATI Technologies
2012-08-29 02:45 . 2012-08-29 02:47 -------- d-----w- c:\program files\ATI Technologies
2012-08-19 03:48 . 2012-08-19 03:48 -------- d-----w- C:\Games
2012-08-19 03:44 . 2012-08-19 03:44 -------- d-----w- c:\program files\Nexus Mod Manager
2012-08-19 00:14 . 2012-09-03 00:36 -------- d-----w- c:\program files (x86)\The Elder Scrolls V Skyrim
2012-08-18 00:29 . 2012-08-18 00:29 -------- d-----w- c:\users\Marsh\AppData\Local\ashampoo
2012-08-18 00:29 . 2012-08-18 00:29 -------- d-----w- c:\programdata\ashampoo
2012-08-18 00:23 . 2012-08-18 00:23 -------- d-----w- c:\users\Marsh\AppData\Local\MediaMonkey
2012-08-18 00:20 . 2012-08-18 00:20 -------- d-----w- c:\users\Marsh\AppData\Local\Aimersoft
2012-08-18 00:20 . 2012-08-18 00:20 -------- d-----w- c:\program files (x86)\Common Files\Aimersoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-30 14:57 . 2012-05-26 20:06 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-30 14:57 . 2011-06-20 08:05 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-21 09:12 . 2011-04-29 23:39 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-08-15 15:52 . 2009-10-14 12:51 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-07-04 08:32 . 2012-07-04 08:32 187392 ----a-w- c:\windows\system32\clinfo.exe
2012-07-04 06:59 . 2012-07-04 06:59 11922944 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-07-04 06:52 . 2012-07-04 06:52 26016256 ----a-w- c:\windows\system32\atio6axx.dll
2012-07-04 06:35 . 2012-07-04 06:35 19586048 ----a-w- c:\windows\SysWow64\atioglxx.dll
2012-07-04 06:27 . 2012-07-04 06:27 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-07-04 06:27 . 2012-07-04 06:27 918528 ----a-w- c:\windows\SysWow64\aticfx32.dll
2012-07-04 06:25 . 2012-07-04 06:25 1081856 ----a-w- c:\windows\system32\aticfx64.dll
2012-07-04 06:21 . 2012-07-04 06:21 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-07-04 06:21 . 2012-07-04 06:21 514048 ----a-w- c:\windows\system32\atieclxx.exe
2012-07-04 06:20 . 2012-07-04 06:20 238080 ----a-w- c:\windows\system32\atiesrxx.exe
2012-07-04 06:19 . 2012-07-04 06:19 120320 ----a-w- c:\windows\system32\atitmm64.dll
2012-07-04 06:19 . 2012-07-04 06:19 21504 ----a-w- c:\windows\system32\atimuixx.dll
2012-07-04 06:19 . 2012-07-04 06:19 59392 ----a-w- c:\windows\system32\atiedu64.dll
2012-07-04 06:19 . 2012-07-04 06:19 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2012-07-04 06:18 . 2012-07-04 06:18 6811648 ----a-w- c:\windows\SysWow64\atidxx32.dll
2012-07-04 05:57 . 2012-07-04 05:57 7510528 ----a-w- c:\windows\system32\atidxx64.dll
2012-07-04 05:36 . 2012-07-04 05:36 1053696 ----a-w- c:\windows\system32\atiumd6v.dll
2012-07-04 05:36 . 2012-07-04 05:36 69632 ----a-w- c:\windows\system32\coinst_8.97.100.3.dll
2012-07-04 05:36 . 2012-07-04 05:36 1960960 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2012-07-04 05:35 . 2012-07-04 05:35 4261376 ----a-w- c:\windows\system32\atiumd6a.dll
2012-07-04 05:35 . 2012-07-04 05:35 6245888 ----a-w- c:\windows\SysWow64\atiumdag.dll
2012-07-04 05:28 . 2012-07-04 05:28 4749312 ----a-w- c:\windows\SysWow64\atiumdva.dll
2012-07-04 05:24 . 2012-07-04 05:24 7477760 ----a-w- c:\windows\system32\atiumd64.dll
2012-07-04 05:11 . 2012-07-04 05:11 56320 ----a-w- c:\windows\system32\atimpc64.dll
2012-07-04 05:11 . 2012-07-04 05:11 56320 ----a-w- c:\windows\system32\amdpcom64.dll
2012-07-04 05:11 . 2012-07-04 05:11 535552 ----a-w- c:\windows\system32\atiadlxx.dll
2012-07-04 05:11 . 2012-07-04 05:11 56832 ----a-w- c:\windows\SysWow64\atimpc32.dll
2012-07-04 05:11 . 2012-07-04 05:11 56832 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2012-07-04 05:11 . 2012-07-04 05:11 364544 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2012-07-04 05:11 . 2012-07-04 05:11 17920 ----a-w- c:\windows\system32\atig6pxx.dll
2012-07-04 05:11 . 2012-07-04 05:11 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2012-07-04 05:11 . 2012-07-04 05:11 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2012-07-04 05:11 . 2012-07-04 05:11 41984 ----a-w- c:\windows\system32\atig6txx.dll
2012-07-04 05:11 . 2012-07-04 05:11 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll
2012-07-04 05:10 . 2012-07-04 05:10 359936 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-07-04 05:10 . 2012-07-04 05:10 55296 ----a-w- c:\windows\system32\atiuxp64.dll
2012-07-04 05:09 . 2012-07-04 05:09 42496 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2012-07-04 05:09 . 2012-07-04 05:09 45056 ----a-w- c:\windows\system32\atiu9p64.dll
2012-07-04 05:09 . 2012-07-04 05:09 32768 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2012-07-04 05:09 . 2012-07-04 05:09 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-07-04 05:04 . 2012-07-04 05:04 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2012-07-04 05:04 . 2012-07-04 05:04 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2012-07-04 05:04 . 2012-07-04 05:04 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2012-07-04 05:04 . 2012-07-04 05:04 44544 ----a-w- c:\windows\SysWow64\aticalcl.dll
2012-07-04 05:04 . 2012-07-04 05:04 15827456 ----a-w- c:\windows\system32\aticaldd64.dll
2012-07-04 04:59 . 2012-07-04 04:59 13402112 ----a-w- c:\windows\SysWow64\aticaldd.dll
2012-06-18 18:51 . 2012-06-18 18:51 476936 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-06-11 19:50 . 2012-06-11 19:50 75264 ----a-w- c:\windows\system32\OpenVideo64.dll
2012-06-11 19:50 . 2012-06-11 19:50 65024 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2012-06-11 19:50 . 2012-06-11 19:50 63488 ----a-w- c:\windows\system32\OVDecode64.dll
2012-06-11 19:50 . 2012-06-11 19:50 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll
2012-06-11 19:50 . 2012-06-11 19:50 16457728 ----a-w- c:\windows\system32\amdocl64.dll
2012-06-11 19:49 . 2012-06-11 19:49 13008896 ----a-w- c:\windows\SysWow64\amdocl.dll
2012-06-09 05:43 . 2012-07-10 21:14 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-07 02:59 . 2012-06-07 02:59 1070152 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-06-06 06:06 . 2012-07-10 21:14 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-10 21:14 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-10 21:13 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-10 21:14 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-10 21:14 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-10 21:13 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-07-04 641704]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\users\Marsh\Desktop\Run\a2ddax64.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-08 160944]
R3 cpudrv64;cpudrv64;c:\program files (x86)\SystemRequirementsLab\cpudrv64.sys [x]
R3 dump_wmimmc;dump_wmimmc;c:\program files (x86)\steam\steamapps\common\ava\Binaries\GameGuard\dump_wmimmc.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files (x86)\Garena Plus\Room\safedrv.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-18 113120]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-10 1255736]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-05-12 834544]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-07-04 238080]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-07-06 3048136]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-07-04 11922944]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-07-04 359936]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-31 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-08-31 09:12]
.
2012-09-03 c:\windows\Tasks\GlaryInitialize.job
- c:\program files (x86)\Glary Utilities\initialize.exe [2012-05-31 14:46]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-11-03 8317472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.xfinity.com/?cid=insDate03312012
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Marsh\AppData\Roaming\Mozilla\Firefox\Profiles\tlntkwso.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-Aimersoft Helper Compact.exe - c:\program files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_apb.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*2*E oN]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*2*E oN\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*2*¶O]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*2*¶O\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*n*e*t*COMM\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71196B08-9D6A-3884-4650-6D399520104D}*]
"haeghdhikbgkmhaj"=hex:6a,61,68,69,6d,61,66,69,6a,6d,6b,6e,68,66,68,6f,6d,61,
68,61,00,fe
"iakglimhdpeelkbnnd"=hex:6a,61,6d,6e,6c,65,69,6f,66,65,6b,64,65,64,69,65,6e,67,
69,66,00,fe
.
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:06,17,ed,18,35,51,8d,a4,0d,4e,9b,04,50,75,5a,53,bf,c3,a5,2e,3d,f3,cf,
56,6a,d1,aa,4a,d2,9c,a6,21,58,c1,1d,53,28,4e,50,b7,d3,1e,b7,ea,83,0a,ff,e8,\
"??"=hex:5c,f1,83,89,34,2e,c3,29,75,49,0f,ac,fc,c3,b8,aa
.
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\SecuROM\License information*]
"datasecu"=hex:5e,4e,54,02,61,26,0d,06,98,cb,de,d5,92,44,3e,a8,16,d5,e2,42,c7,
02,92,fa,47,92,38,0a,e4,12,2f,6c,b6,cb,18,f5,4d,d5,58,a3,19,a9,8e,2a,cd,07,\
"rkeysecu"=hex:2b,99,ae,7f,4c,d4,61,7e,4a,2f,94,5b,95,e8,de,5f
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2012-09-02 19:59:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-03 01:59
.
Pre-Run: 100,300,959,744 bytes free
Post-Run: 100,466,638,848 bytes free
.
- - End Of File - - F533FF0AC0459D92ACA34ACFE7ED109B

Edited by ski.smitty, 02 September 2012 - 09:05 PM.


#11 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:36 PM

Posted 02 September 2012 - 09:25 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
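The TDSSKiller report the helper asks for runs to several hundred lines, one `[ MD5 ] name path` line per hashed service image followed by a `name - ok` verdict line, and the reading job is to find the few entries that are not ok. The script below is an added example, not gringo_pr's or Kaspersky's code: it parses a constructed log in that layout and sorts the service entries into the buckets a helper reads first; the `badsvc` entry, its hash, the `C:\Users\user\...` path and the `detected` verdict wording are invented for the sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout TDSSKiller 2.8 writes (not the thread's real log):
# a "[ MD5 ] name path" line for each hashed image, then a "name - verdict" line.
# The "badsvc" entry, its hash and the "detected" verdict wording are made up to
# exercise the flagging path; TDSSKiller's real verdict strings may differ.
SAMPLE_LOG = """\
20:28:11.0123 3368 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
20:29:00.0936 3716 Scan started
20:29:01.0342 3716 ================ Scan system memory ========================
20:29:01.0342 3716 System memory - ok
20:29:01.0342 3716 ================ Scan services =============================
20:29:01.0451 3716 [ A87D604AEA360176311474C87A63BB88 ] 1394ohci C:\\Windows\\system32\\drivers\\1394ohci.sys
20:29:01.0467 3716 1394ohci - ok
20:29:01.0498 3716 A2DDA - ok
20:29:01.0935 3716 [ E20DDDFBD0DBE7D8EAD4D7A51D654367 ] AMD External Events Utility C:\\Windows\\system32\\atiesrxx.exe
20:29:01.0950 3716 AMD External Events Utility - ok
20:29:05.0523 3716 [ C118A82CD78818C29AB228366EBF81C3 ] EFS C:\\Windows\\System32\\lsass.exe
20:29:05.0538 3716 EFS - ok
20:29:07.0613 3716 [ C118A82CD78818C29AB228366EBF81C3 ] KeyIso C:\\Windows\\system32\\lsass.exe
20:29:07.0629 3716 KeyIso - ok
20:29:09.0000 3716 [ DEADBEEFDEADBEEFDEADBEEFDEADBEEF ] badsvc C:\\Users\\user\\AppData\\Local\\Temp\\badsvc.sys
20:29:09.0001 3716 badsvc - detected (constructed verdict)
20:29:10.0000 3716 ================ Scan global ===============================
20:29:10.0000 3716 \\Device\\Harddisk0\\DR0 - ok
"""

# Every line starts with "time pid"; section headers wrap the scan phase in "=" runs.
SECTION_RE = re.compile(r"^\S+\s+\d+\s+=+ Scan (?P<section>.+?) =+$")
# Hashed-image line: "[ MD5 ] <service name, may contain spaces> <drive>:\<path>".
ENTRY_RE = re.compile(
    r"^\S+\s+\d+\s+\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<name>.+?) (?P<path>[A-Za-z]:\\.*)$")
# Verdict line: "<service name> - <verdict>".
VERDICT_RE = re.compile(r"^\S+\s+\d+\s+(?P<name>.+?) - (?P<verdict>.+)$")


@dataclass
class ServiceEntry:
    name: str
    md5: Optional[str] = None      # None when TDSSKiller hashed no image for the entry
    path: Optional[str] = None
    verdict: Optional[str] = None


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Collect the entries of the 'Scan services' section, in log order."""
    entries: Dict[str, ServiceEntry] = {}
    in_services = False
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            # Only the services phase uses the entry/verdict pairs parsed here.
            in_services = m.group("section").strip() == "services"
            continue
        if not in_services:
            continue
        m = ENTRY_RE.match(line)
        if m:
            e = entries.setdefault(m.group("name"), ServiceEntry(m.group("name")))
            e.md5, e.path = m.group("md5").upper(), m.group("path")
            continue
        m = VERDICT_RE.match(line)
        if m:
            e = entries.setdefault(m.group("name"), ServiceEntry(m.group("name")))
            e.verdict = m.group("verdict").strip()
    return list(entries.values())


# Where Windows and installed software normally live; anything else deserves a look.
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def triage(entries: List[ServiceEntry]) -> Dict[str, object]:
    """Sort entries into what a helper reads first: non-ok verdicts, entries with no
    hashed image (orphaned service keys, e.g. a driver whose file is gone), images
    outside the usual install roots, and one image shared by several service names
    (normal for lsass.exe-hosted services; listed so the reader can confirm which)."""
    flagged, no_image, odd_paths = [], [], []
    by_md5: Dict[str, List[str]] = {}
    for e in entries:
        if e.verdict is not None and e.verdict.lower() != "ok":
            flagged.append(e.name)
        if e.md5 is None:
            no_image.append(e.name)
            continue
        by_md5.setdefault(e.md5, []).append(e.name)
        if e.path is None or not e.path.lower().startswith(SYSTEM_ROOTS):
            odd_paths.append(e.name)
    shared = {h: names for h, names in by_md5.items() if len(names) > 1}
    return {"flagged": flagged, "no_image": no_image,
            "outside_system_dirs": odd_paths, "shared_images": shared}


if __name__ == "__main__":
    for key, value in triage(parse_services(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Entries in `no_image` are not verdicts, only service keys whose file TDSSKiller could not hash; on the thread's own log those are the lines without a bracketed hash.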

#12 ski.smitty
  • Topic Starter

  • Members
  • 36 posts
  • Local time:08:36 PM

Posted 02 September 2012 - 10:05 PM

TDSSKiller log:

20:28:11.0123 3368 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
20:28:11.0669 3368 ============================================================
20:28:11.0669 3368 Current date / time: 2012/09/02 20:28:11.0669
20:28:11.0669 3368 SystemInfo:
20:28:11.0669 3368
20:28:11.0669 3368 OS Version: 6.1.7601 ServicePack: 1.0
20:28:11.0669 3368 Product type: Workstation
20:28:11.0669 3368 ComputerName: MARSH-PC
20:28:11.0669 3368 UserName: Marsh
20:28:11.0669 3368 Windows directory: C:\Windows
20:28:11.0669 3368 System windows directory: C:\Windows
20:28:11.0669 3368 Running under WOW64
20:28:11.0669 3368 Processor architecture: Intel x64
20:28:11.0669 3368 Number of processors: 4
20:28:11.0669 3368 Page size: 0x1000
20:28:11.0669 3368 Boot type: Normal boot
20:28:11.0669 3368 ============================================================
20:28:12.0839 3368 Drive \Device\Harddisk0\DR0 - Size: 0x7470AFDE00 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xFC59, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000040
20:28:12.0839 3368 ============================================================
20:28:12.0839 3368 \Device\Harddisk0\DR0:
20:28:12.0839 3368 MBR partitions:
20:28:12.0839 3368 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
20:28:12.0839 3368 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x3A352000
20:28:12.0839 3368 ============================================================
20:28:12.0870 3368 C: <-> \Device\Harddisk0\DR0\Partition2
20:28:12.0870 3368 ============================================================
20:28:12.0870 3368 Initialize success
20:28:12.0870 3368 ============================================================
20:29:00.0936 3716 ============================================================
20:29:00.0936 3716 Scan started
20:29:00.0936 3716 Mode: Manual;
20:29:00.0936 3716 ============================================================
20:29:01.0342 3716 ================ Scan system memory ========================
20:29:01.0342 3716 System memory - ok
20:29:01.0342 3716 ================ Scan services =============================
20:29:09.0735 3716 nv_agp - ok
20:29:09.0813 3716 [ 785F487A64950F3CB8E9F16253BA3B7B ] odserv C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
20:29:09.0813 3716 odserv - ok
20:29:09.0844 3716 [ 3589478E4B22CE21B41FA1BFC0B8B8A0 ] ohci1394 C:\Windows\system32\drivers\ohci1394.sys
20:29:09.0844 3716 ohci1394 - ok
20:29:09.0875 3716 [ 5A432A042DAE460ABE7199B758E8606C ] ose C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
20:29:09.0891 3716 ose - ok
20:29:09.0922 3716 [ 3EAC4455472CC2C97107B5291E0DCAFE ] p2pimsvc C:\Windows\system32\pnrpsvc.dll
20:29:09.0937 3716 p2pimsvc - ok
20:29:09.0969 3716 [ 927463ECB02179F88E4B9A17568C63C3 ] p2psvc C:\Windows\system32\p2psvc.dll
20:29:09.0984 3716 p2psvc - ok
20:29:10.0015 3716 [ 0086431C29C35BE1DBC43F52CC273887 ] Parport C:\Windows\system32\DRIVERS\parport.sys
20:29:10.0031 3716 Parport - ok
20:29:10.0047 3716 [ E9766131EEADE40A27DC27D2D68FBA9C ] partmgr C:\Windows\system32\drivers\partmgr.sys
20:29:10.0047 3716 partmgr - ok
20:29:10.0062 3716 [ 3AEAA8B561E63452C655DC0584922257 ] PcaSvc C:\Windows\System32\pcasvc.dll
20:29:10.0062 3716 PcaSvc - ok
20:29:10.0109 3716 [ 94575C0571D1462A0F70BDE6BD6EE6B3 ] pci C:\Windows\system32\drivers\pci.sys
20:29:10.0109 3716 pci - ok
20:29:10.0140 3716 [ B5B8B5EF2E5CB34DF8DCF8831E3534FA ] pciide C:\Windows\system32\drivers\pciide.sys
20:29:10.0140 3716 pciide - ok
20:29:10.0156 3716 [ B2E81D4E87CE48589F98CB8C05B01F2F ] pcmcia C:\Windows\system32\DRIVERS\pcmcia.sys
20:29:10.0156 3716 pcmcia - ok
20:29:10.0171 3716 [ D6B9C2E1A11A3A4B26A182FFEF18F603 ] pcw C:\Windows\system32\drivers\pcw.sys
20:29:10.0171 3716 pcw - ok
20:29:10.0203 3716 [ 68769C3356B3BE5D1C732C97B9A80D6E ] PEAUTH C:\Windows\system32\drivers\peauth.sys
20:29:10.0218 3716 PEAUTH - ok
20:29:10.0265 3716 [ B9B0A4299DD2D76A4243F75FD54DC680 ] PeerDistSvc C:\Windows\system32\peerdistsvc.dll
20:29:10.0296 3716 PeerDistSvc - ok
20:29:10.0374 3716 [ E495E408C93141E8FC72DC0C6046DDFA ] PerfHost C:\Windows\SysWow64\perfhost.exe
20:29:10.0390 3716 PerfHost - ok
20:29:10.0437 3716 [ C7CF6A6E137463219E1259E3F0F0DD6C ] pla C:\Windows\system32\pla.dll
20:29:10.0468 3716 pla - ok
20:29:10.0499 3716 [ 25FBDEF06C4D92815B353F6E792C8129 ] PlugPlay C:\Windows\system32\umpnpmgr.dll
20:29:10.0515 3716 PlugPlay - ok
20:29:10.0530 3716 PnkBstrA - ok
20:29:10.0530 3716 [ 7195581CEC9BB7D12ABE54036ACC2E38 ] PNRPAutoReg C:\Windows\system32\pnrpauto.dll
20:29:10.0546 3716 PNRPAutoReg - ok
20:29:10.0546 3716 [ 3EAC4455472CC2C97107B5291E0DCAFE ] PNRPsvc C:\Windows\system32\pnrpsvc.dll
20:29:10.0561 3716 PNRPsvc - ok
20:29:10.0577 3716 [ 4F15D75ADF6156BF56ECED6D4A55C389 ] PolicyAgent C:\Windows\System32\ipsecsvc.dll
20:29:10.0593 3716 PolicyAgent - ok
20:29:10.0624 3716 [ 6BA9D927DDED70BD1A9CADED45F8B184 ] Power C:\Windows\system32\umpo.dll
20:29:10.0639 3716 Power - ok
20:29:10.0671 3716 [ F92A2C41117A11A00BE01CA01A7FCDE9 ] PptpMiniport C:\Windows\system32\DRIVERS\raspptp.sys
20:29:10.0671 3716 PptpMiniport - ok
20:29:10.0686 3716 [ 0D922E23C041EFB1C3FAC2A6F943C9BF ] Processor C:\Windows\system32\DRIVERS\processr.sys
20:29:10.0686 3716 Processor - ok
20:29:10.0702 3716 [ 5C78838B4D166D1A27DB3A8A820C799A ] ProfSvc C:\Windows\system32\profsvc.dll
20:29:10.0717 3716 ProfSvc - ok
20:29:10.0717 3716 [ C118A82CD78818C29AB228366EBF81C3 ] ProtectedStorage C:\Windows\system32\lsass.exe
20:29:10.0717 3716 ProtectedStorage - ok
20:29:10.0749 3716 [ 0557CF5A2556BD58E26384169D72438D ] Psched C:\Windows\system32\DRIVERS\pacer.sys
20:29:10.0764 3716 Psched - ok
20:29:10.0795 3716 [ A53A15A11EBFD21077463EE2C7AFEEF0 ] ql2300 C:\Windows\system32\DRIVERS\ql2300.sys
20:29:10.0811 3716 ql2300 - ok
20:29:10.0827 3716 [ 4F6D12B51DE1AAEFF7DC58C4D75423C8 ] ql40xx C:\Windows\system32\DRIVERS\ql40xx.sys
20:29:10.0842 3716 ql40xx - ok
20:29:10.0873 3716 [ 906191634E99AEA92C4816150BDA3732 ] QWAVE C:\Windows\system32\qwave.dll
20:29:10.0873 3716 QWAVE - ok
20:29:10.0889 3716 [ 76707BB36430888D9CE9D705398ADB6C ] QWAVEdrv C:\Windows\system32\drivers\qwavedrv.sys
20:29:10.0889 3716 QWAVEdrv - ok
20:29:10.0905 3716 [ 5A0DA8AD5762FA2D91678A8A01311704 ] RasAcd C:\Windows\system32\DRIVERS\rasacd.sys
20:29:10.0905 3716 RasAcd - ok
20:29:10.0936 3716 [ 7ECFF9B22276B73F43A99A15A6094E90 ] RasAgileVpn C:\Windows\system32\DRIVERS\AgileVpn.sys
20:29:10.0936 3716 RasAgileVpn - ok
20:29:10.0936 3716 [ 8F26510C5383B8DBE976DE1CD00FC8C7 ] RasAuto C:\Windows\System32\rasauto.dll
20:29:10.0951 3716 RasAuto - ok
20:29:10.0983 3716 [ 471815800AE33E6F1C32FB1B97C490CA ] Rasl2tp C:\Windows\system32\DRIVERS\rasl2tp.sys
20:29:10.0983 3716 Rasl2tp - ok
20:29:11.0014 3716 [ EE867A0870FC9E4972BA9EAAD35651E2 ] RasMan C:\Windows\System32\rasmans.dll
20:29:11.0029 3716 RasMan - ok
20:29:11.0029 3716 [ 855C9B1CD4756C5E9A2AA58A15F58C25 ] RasPppoe C:\Windows\system32\DRIVERS\raspppoe.sys
20:29:11.0045 3716 RasPppoe - ok
20:29:11.0045 3716 [ E8B1E447B008D07FF47D016C2B0EEECB ] RasSstp C:\Windows\system32\DRIVERS\rassstp.sys
20:29:11.0045 3716 RasSstp - ok
20:29:11.0107 3716 [ 77F665941019A1594D887A74F301FA2F ] rdbss C:\Windows\system32\DRIVERS\rdbss.sys
20:29:11.0107 3716 rdbss - ok
20:29:11.0123 3716 [ 302DA2A0539F2CF54D7C6CC30C1F2D8D ] rdpbus C:\Windows\system32\DRIVERS\rdpbus.sys
20:29:11.0123 3716 rdpbus - ok
20:29:11.0123 3716 [ CEA6CC257FC9B7715F1C2B4849286D24 ] RDPCDD C:\Windows\system32\DRIVERS\RDPCDD.sys
20:29:11.0123 3716 RDPCDD - ok
20:29:11.0154 3716 [ 1B6163C503398B23FF8B939C67747683 ] RDPDR C:\Windows\system32\drivers\rdpdr.sys
20:29:11.0154 3716 RDPDR - ok
20:29:11.0170 3716 [ BB5971A4F00659529A5C44831AF22365 ] RDPENCDD C:\Windows\system32\drivers\rdpencdd.sys
20:29:11.0170 3716 RDPENCDD - ok
20:29:11.0170 3716 [ 216F3FA57533D98E1F74DED70113177A ] RDPREFMP C:\Windows\system32\drivers\rdprefmp.sys
20:29:11.0170 3716 RDPREFMP - ok
20:29:11.0248 3716 [ 70CBA1A0C98600A2AA1863479B35CB90 ] RdpVideoMiniport C:\Windows\system32\drivers\rdpvideominiport.sys
20:29:11.0248 3716 RdpVideoMiniport - ok
20:29:11.0279 3716 [ E61608AA35E98999AF9AAEEEA6114B0A ] RDPWD C:\Windows\system32\drivers\RDPWD.sys
20:29:11.0279 3716 RDPWD - ok
20:29:11.0310 3716 [ 34ED295FA0121C241BFEF24764FC4520 ] rdyboost C:\Windows\system32\drivers\rdyboost.sys
20:29:11.0310 3716 rdyboost - ok
20:29:11.0357 3716 [ 254FB7A22D74E5511C73A3F6D802F192 ] RemoteAccess C:\Windows\System32\mprdim.dll
20:29:11.0357 3716 RemoteAccess - ok
20:29:11.0373 3716 [ E4D94F24081440B5FC5AA556C7C62702 ] RemoteRegistry C:\Windows\system32\regsvc.dll
20:29:11.0373 3716 RemoteRegistry - ok
20:29:11.0404 3716 [ E4DC58CF7B3EA515AE917FF0D402A7BB ] RpcEptMapper C:\Windows\System32\RpcEpMap.dll
20:29:11.0404 3716 RpcEptMapper - ok
20:29:11.0435 3716 [ D5BA242D4CF8E384DB90E6A8ED850B8C ] RpcLocator C:\Windows\system32\locator.exe
20:29:11.0435 3716 RpcLocator - ok
20:29:11.0482 3716 [ 5C627D1B1138676C0A7AB2C2C190D123 ] RpcSs C:\Windows\system32\rpcss.dll
20:29:11.0482 3716 RpcSs - ok
20:29:11.0497 3716 [ DDC86E4F8E7456261E637E3552E804FF ] rspndr C:\Windows\system32\DRIVERS\rspndr.sys
20:29:11.0497 3716 rspndr - ok
20:29:11.0529 3716 [ 3B01789EE4EAEE97F5EB46B711387D5E ] RTL8167 C:\Windows\system32\DRIVERS\Rt64win7.sys
20:29:11.0529 3716 RTL8167 - ok
20:29:11.0560 3716 [ E60C0A09F997826C7627B244195AB581 ] s3cap C:\Windows\system32\drivers\vms3cap.sys
20:29:11.0560 3716 s3cap - ok
20:29:11.0575 3716 [ C118A82CD78818C29AB228366EBF81C3 ] SamSs C:\Windows\system32\lsass.exe
20:29:11.0575 3716 SamSs - ok
20:29:11.0622 3716 [ AC03AF3329579FFFB455AA2DAABBE22B ] sbp2port C:\Windows\system32\drivers\sbp2port.sys
20:29:11.0622 3716 sbp2port - ok
20:29:11.0638 3716 [ 9B7395789E3791A3B6D000FE6F8B131E ] SCardSvr C:\Windows\System32\SCardSvr.dll
20:29:11.0653 3716 SCardSvr - ok
20:29:11.0685 3716 [ 253F38D0D7074C02FF8DEB9836C97D2B ] scfilter C:\Windows\system32\DRIVERS\scfilter.sys
20:29:11.0685 3716 scfilter - ok
20:29:11.0731 3716 [ 262F6592C3299C005FD6BEC90FC4463A ] Schedule C:\Windows\system32\schedsvc.dll
20:29:11.0731 3716 Schedule - ok
20:29:11.0778 3716 [ F17D1D393BBC69C5322FBFAFACA28C7F ] SCPolicySvc C:\Windows\System32\certprop.dll
20:29:11.0778 3716 SCPolicySvc - ok
20:29:11.0809 3716 [ 6EA4234DC55346E0709560FE7C2C1972 ] SDRSVC C:\Windows\System32\SDRSVC.dll
20:29:11.0825 3716 SDRSVC - ok
20:29:11.0825 3716 [ 3EA8A16169C26AFBEB544E0E48421186 ] secdrv C:\Windows\system32\drivers\secdrv.sys
20:29:11.0825 3716 secdrv - ok
20:29:11.0872 3716 [ BC617A4E1B4FA8DF523A061739A0BD87 ] seclogon C:\Windows\system32\seclogon.dll
20:29:11.0872 3716 seclogon - ok
20:29:11.0903 3716 [ C32AB8FA018EF34C0F113BD501436D21 ] SENS C:\Windows\system32\sens.dll
20:29:11.0919 3716 SENS - ok
20:29:11.0919 3716 [ 0336CFFAFAAB87A11541F1CF1594B2B2 ] SensrSvc C:\Windows\system32\sensrsvc.dll
20:29:11.0934 3716 SensrSvc - ok
20:29:11.0934 3716 [ CB624C0035412AF0DEBEC78C41F5CA1B ] Serenum C:\Windows\system32\DRIVERS\serenum.sys
20:29:11.0934 3716 Serenum - ok
20:29:11.0934 3716 [ C1D8E28B2C2ADFAEC4BA89E9FDA69BD6 ] Serial C:\Windows\system32\DRIVERS\serial.sys
20:29:11.0934 3716 Serial - ok
20:29:11.0965 3716 [ 1C545A7D0691CC4A027396535691C3E3 ] sermouse C:\Windows\system32\DRIVERS\sermouse.sys
20:29:11.0965 3716 sermouse - ok
20:29:12.0028 3716 [ 0B6231BF38174A1628C4AC812CC75804 ] SessionEnv C:\Windows\system32\sessenv.dll
20:29:12.0028 3716 SessionEnv - ok
20:29:12.0043 3716 [ A554811BCD09279536440C964AE35BBF ] sffdisk C:\Windows\system32\drivers\sffdisk.sys
20:29:12.0043 3716 sffdisk - ok
20:29:12.0059 3716 [ FF414F0BAEFEBA59BC6C04B3DB0B87BF ] sffp_mmc C:\Windows\system32\drivers\sffp_mmc.sys
20:29:12.0059 3716 sffp_mmc - ok
20:29:12.0075 3716 [ DD85B78243A19B59F0637DCF284DA63C ] sffp_sd C:\Windows\system32\drivers\sffp_sd.sys
20:29:12.0075 3716 sffp_sd - ok
20:29:12.0106 3716 [ A9D601643A1647211A1EE2EC4E433FF4 ] sfloppy C:\Windows\system32\DRIVERS\sfloppy.sys
20:29:12.0106 3716 sfloppy - ok
20:29:12.0168 3716 [ B95F6501A2F8B2E78C697FEC401970CE ] SharedAccess C:\Windows\System32\ipnathlp.dll
20:29:12.0168 3716 SharedAccess - ok
20:29:12.0199 3716 [ AAF932B4011D14052955D4B212A4DA8D ] ShellHWDetection C:\Windows\System32\shsvcs.dll
20:29:12.0215 3716 ShellHWDetection - ok
20:29:12.0293 3716 [ 843CAF1E5FDE1FFD5FF768F23A51E2E1 ] SiSRaid2 C:\Windows\system32\DRIVERS\SiSRaid2.sys
20:29:12.0293 3716 SiSRaid2 - ok
20:29:12.0309 3716 [ 6A6C106D42E9FFFF8B9FCB4F754F6DA4 ] SiSRaid4 C:\Windows\system32\DRIVERS\sisraid4.sys
20:29:12.0309 3716 SiSRaid4 - ok
20:29:12.0433 3716 [ 0F97E7A47A52F4A36969F0FC319654C2 ] Skype C2C Service C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
20:29:12.0480 3716 Skype C2C Service - ok
20:29:12.0511 3716 [ DDAA5F4A6B958FC313EBD02DD925752F ] SkypeUpdate C:\Program Files (x86)\Skype\Updater\Updater.exe
20:29:12.0511 3716 SkypeUpdate - ok
20:29:12.0543 3716 [ 548260A7B8654E024DC30BF8A7C5BAA4 ] Smb C:\Windows\system32\DRIVERS\smb.sys
20:29:12.0543 3716 Smb - ok
20:29:12.0574 3716 [ 6313F223E817CC09AA41811DAA7F541D ] SNMPTRAP C:\Windows\System32\snmptrap.exe
20:29:12.0574 3716 SNMPTRAP - ok
20:29:12.0589 3716 [ B9E31E5CACDFE584F34F730A677803F9 ] spldr C:\Windows\system32\drivers\spldr.sys
20:29:12.0589 3716 spldr - ok
20:29:12.0636 3716 [ B96C17B5DC1424D56EEA3A99E97428CD ] Spooler C:\Windows\System32\spoolsv.exe
20:29:12.0636 3716 Spooler - ok
20:29:12.0714 3716 [ E17E0188BB90FAE42D83E98707EFA59C ] sppsvc C:\Windows\system32\sppsvc.exe
20:29:12.0761 3716 sppsvc - ok
20:29:12.0777 3716 [ 93D7D61317F3D4BC4F4E9F8A96A7DE45 ] sppuinotify C:\Windows\system32\sppuinotify.dll
20:29:12.0792 3716 sppuinotify - ok
20:29:12.0839 3716 [ 602884696850C86434530790B110E8EB ] sptd C:\Windows\system32\Drivers\sptd.sys
20:29:12.0839 3716 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: 602884696850C86434530790B110E8EB
20:29:12.0839 3716 sptd ( LockedFile.Multi.Generic ) - warning
20:29:12.0839 3716 sptd - detected LockedFile.Multi.Generic (1)
20:29:12.0870 3716 [ 441FBA48BFF01FDB9D5969EBC1838F0B ] srv C:\Windows\system32\DRIVERS\srv.sys
20:29:12.0886 3716 srv - ok
20:29:12.0901 3716 [ B4ADEBBF5E3677CCE9651E0F01F7CC28 ] srv2 C:\Windows\system32\DRIVERS\srv2.sys
20:29:12.0901 3716 srv2 - ok
20:29:12.0917 3716 [ 27E461F0BE5BFF5FC737328F749538C3 ] srvnet C:\Windows\system32\DRIVERS\srvnet.sys
20:29:12.0917 3716 srvnet - ok
20:29:12.0948 3716 [ 51B52FBD583CDE8AA9BA62B8B4298F33 ] SSDPSRV C:\Windows\System32\ssdpsrv.dll
20:29:12.0948 3716 SSDPSRV - ok
20:29:12.0964 3716 [ AB7AEBF58DAD8DAAB7A6C45E6A8885CB ] SstpSvc C:\Windows\system32\sstpsvc.dll
20:29:12.0964 3716 SstpSvc - ok
20:29:12.0995 3716 Steam Client Service - ok
20:29:13.0011 3716 [ F3817967ED533D08327DC73BC4D5542A ] stexstor C:\Windows\system32\DRIVERS\stexstor.sys
20:29:13.0011 3716 stexstor - ok
20:29:13.0057 3716 [ 8DD52E8E6128F4B2DA92CE27402871C1 ] stisvc C:\Windows\System32\wiaservc.dll
20:29:13.0073 3716 stisvc - ok
20:29:13.0104 3716 [ 7785DC213270D2FC066538DAF94087E7 ] storflt C:\Windows\system32\drivers\vmstorfl.sys
20:29:13.0104 3716 storflt - ok
20:29:13.0135 3716 [ D34E4943D5AC096C8EDEEBFD80D76E23 ] storvsc C:\Windows\system32\drivers\storvsc.sys
20:29:13.0135 3716 storvsc - ok
20:29:13.0151 3716 [ D01EC09B6711A5F8E7E6564A4D0FBC90 ] swenum C:\Windows\system32\drivers\swenum.sys
20:29:13.0151 3716 swenum - ok
20:29:13.0167 3716 [ E08E46FDD841B7184194011CA1955A0B ] swprv C:\Windows\System32\swprv.dll
20:29:13.0182 3716 swprv - ok
20:29:13.0182 3716 Synth3dVsc - ok
20:29:13.0245 3716 [ BF9CCC0BF39B418C8D0AE8B05CF95B7D ] SysMain C:\Windows\system32\sysmain.dll
20:29:13.0276 3716 SysMain - ok
20:29:13.0307 3716 [ E3C61FD7B7C2557E1F1B0B4CEC713585 ] TabletInputService C:\Windows\System32\TabSvc.dll
20:29:13.0323 3716 TabletInputService - ok
20:29:13.0354 3716 [ 40F0849F65D13EE87B9A9AE3C1DD6823 ] TapiSrv C:\Windows\System32\tapisrv.dll
20:29:13.0354 3716 TapiSrv - ok
20:29:13.0401 3716 [ 1BE03AC720F4D302EA01D40F588162F6 ] TBS C:\Windows\System32\tbssvc.dll
20:29:13.0401 3716 TBS - ok
20:29:13.0447 3716 [ ACB82BDA8F46C84F465C1AFA517DC4B9 ] Tcpip C:\Windows\system32\drivers\tcpip.sys
20:29:13.0463 3716 Tcpip - ok
20:29:13.0494 3716 [ ACB82BDA8F46C84F465C1AFA517DC4B9 ] TCPIP6 C:\Windows\system32\DRIVERS\tcpip.sys
20:29:13.0510 3716 TCPIP6 - ok
20:29:13.0541 3716 [ DF687E3D8836BFB04FCC0615BF15A519 ] tcpipreg C:\Windows\system32\drivers\tcpipreg.sys
20:29:13.0541 3716 tcpipreg - ok
20:29:13.0572 3716 [ 3371D21011695B16333A3934340C4E7C ] TDPIPE C:\Windows\system32\drivers\tdpipe.sys
20:29:13.0572 3716 TDPIPE - ok
20:29:13.0603 3716 [ 51C5ECEB1CDEE2468A1748BE550CFBC8 ] TDTCP C:\Windows\system32\drivers\tdtcp.sys
20:29:13.0603 3716 TDTCP - ok
20:29:13.0635 3716 [ DDAD5A7AB24D8B65F8D724F5C20FD806 ] tdx C:\Windows\system32\DRIVERS\tdx.sys
20:29:13.0635 3716 tdx - ok
20:29:13.0650 3716 [ 561E7E1F06895D78DE991E01DD0FB6E5 ] TermDD C:\Windows\system32\drivers\termdd.sys
20:29:13.0650 3716 TermDD - ok
20:29:13.0697 3716 [ 2E648163254233755035B46DD7B89123 ] TermService C:\Windows\System32\termsrv.dll
20:29:13.0697 3716 TermService - ok
20:29:13.0728 3716 [ F0344071948D1A1FA732231785A0664C ] Themes C:\Windows\system32\themeservice.dll
20:29:13.0728 3716 Themes - ok
20:29:13.0759 3716 [ E40E80D0304A73E8D269F7141D77250B ] THREADORDER C:\Windows\system32\mmcss.dll
20:29:13.0759 3716 THREADORDER - ok
20:29:13.0775 3716 [ 7E7AFD841694F6AC397E99D75CEAD49D ] TrkWks C:\Windows\System32\trkwks.dll
20:29:13.0775 3716 TrkWks - ok
20:29:13.0822 3716 [ 773212B2AAA24C1E31F10246B15B276C ] TrustedInstaller C:\Windows\servicing\TrustedInstaller.exe
20:29:13.0837 3716 TrustedInstaller - ok
20:29:13.0869 3716 [ CE18B2CDFC837C99E5FAE9CA6CBA5D30 ] tssecsrv C:\Windows\system32\DRIVERS\tssecsrv.sys
20:29:13.0869 3716 tssecsrv - ok
20:29:13.0900 3716 [ D11C783E3EF9A3C52C0EBE83CC5000E9 ] TsUsbFlt C:\Windows\system32\drivers\tsusbflt.sys
20:29:13.0900 3716 TsUsbFlt - ok
20:29:13.0931 3716 tsusbhub - ok
20:29:13.0962 3716 [ 3566A8DAAFA27AF944F5D705EAA64894 ] tunnel C:\Windows\system32\DRIVERS\tunnel.sys
20:29:13.0962 3716 tunnel - ok
20:29:13.0978 3716 [ B4DD609BD7E282BFC683CEC7EAAAAD67 ] uagp35 C:\Windows\system32\DRIVERS\uagp35.sys
20:29:13.0978 3716 uagp35 - ok
20:29:14.0009 3716 [ FF4232A1A64012BAA1FD97C7B67DF593 ] udfs C:\Windows\system32\DRIVERS\udfs.sys
20:29:14.0009 3716 udfs - ok
20:29:14.0071 3716 [ 3CBDEC8D06B9968ABA702EBA076364A1 ] UI0Detect C:\Windows\system32\UI0Detect.exe
20:29:14.0071 3716 UI0Detect - ok
20:29:14.0103 3716 [ 4BFE1BC28391222894CBF1E7D0E42320 ] uliagpkx C:\Windows\system32\drivers\uliagpkx.sys
20:29:14.0103 3716 uliagpkx - ok
20:29:14.0134 3716 [ DC54A574663A895C8763AF0FA1FF7561 ] umbus C:\Windows\system32\drivers\umbus.sys
20:29:14.0134 3716 umbus - ok
20:29:14.0149 3716 [ B2E8E8CB557B156DA5493BBDDCC1474D ] UmPass C:\Windows\system32\DRIVERS\umpass.sys
20:29:14.0149 3716 UmPass - ok
20:29:14.0149 3716 [ A293DCD756D04D8492A750D03B9A297C ] UmRdpService C:\Windows\System32\umrdp.dll
20:29:14.0165 3716 UmRdpService - ok
20:29:14.0181 3716 [ D47EC6A8E81633DD18D2436B19BAF6DE ] upnphost C:\Windows\System32\upnphost.dll
20:29:14.0196 3716 upnphost - ok
20:29:14.0227 3716 [ 6F1A3157A1C89435352CEB543CDB359C ] usbccgp C:\Windows\system32\DRIVERS\usbccgp.sys
20:29:14.0227 3716 usbccgp - ok
20:29:14.0259 3716 [ AF0892A803FDDA7492F595368E3B68E7 ] usbcir C:\Windows\system32\drivers\usbcir.sys
20:29:14.0259 3716 usbcir - ok
20:29:14.0305 3716 [ C025055FE7B87701EB042095DF1A2D7B ] usbehci C:\Windows\system32\DRIVERS\usbehci.sys
20:29:14.0305 3716 usbehci - ok
20:29:14.0352 3716 [ 287C6C9410B111B68B52CA298F7B8C24 ] usbhub C:\Windows\system32\DRIVERS\usbhub.sys
20:29:14.0352 3716 usbhub - ok
20:29:14.0368 3716 [ 9840FC418B4CBD632D3D0A667A725C31 ] usbohci C:\Windows\system32\drivers\usbohci.sys
20:29:14.0368 3716 usbohci - ok
20:29:14.0383 3716 [ 73188F58FB384E75C4063D29413CEE3D ] usbprint C:\Windows\system32\DRIVERS\usbprint.sys
20:29:14.0383 3716 usbprint - ok
20:29:14.0415 3716 [ FED648B01349A3C8395A5169DB5FB7D6 ] USBSTOR C:\Windows\system32\DRIVERS\USBSTOR.SYS
20:29:14.0415 3716 USBSTOR - ok
20:29:14.0430 3716 [ 62069A34518BCF9C1FD9E74B3F6DB7CD ] usbuhci C:\Windows\system32\DRIVERS\usbuhci.sys
20:29:14.0430 3716 usbuhci - ok
20:29:14.0446 3716 [ EDBB23CBCF2CDF727D64FF9B51A6070E ] UxSms C:\Windows\System32\uxsms.dll
20:29:14.0446 3716 UxSms - ok
20:29:14.0461 3716 [ C118A82CD78818C29AB228366EBF81C3 ] VaultSvc C:\Windows\system32\lsass.exe
20:29:14.0461 3716 VaultSvc - ok
20:29:14.0493 3716 [ C5C876CCFC083FF3B128F933823E87BD ] vdrvroot C:\Windows\system32\drivers\vdrvroot.sys
20:29:14.0493 3716 vdrvroot - ok
20:29:14.0539 3716 [ 8D6B481601D01A456E75C3210F1830BE ] vds C:\Windows\System32\vds.exe
20:29:14.0555 3716 vds - ok
20:29:14.0571 3716 [ DA4DA3F5E02943C2DC8C6ED875DE68DD ] vga C:\Windows\system32\DRIVERS\vgapnp.sys
20:29:14.0571 3716 vga - ok
20:29:14.0586 3716 [ 53E92A310193CB3C03BEA963DE7D9CFC ] VgaSave C:\Windows\System32\drivers\vga.sys
20:29:14.0586 3716 VgaSave - ok
20:29:14.0617 3716 VGPU - ok
20:29:14.0633 3716 [ 2CE2DF28C83AEAF30084E1B1EB253CBB ] vhdmp C:\Windows\system32\drivers\vhdmp.sys
20:29:14.0633 3716 vhdmp - ok
20:29:14.0664 3716 [ E5689D93FFE4E5D66C0178761240DD54 ] viaide C:\Windows\system32\drivers\viaide.sys
20:29:14.0664 3716 viaide - ok
20:29:14.0695 3716 [ 86EA3E79AE350FEA5331A1303054005F ] vmbus C:\Windows\system32\drivers\vmbus.sys
20:29:14.0695 3716 vmbus - ok
20:29:14.0727 3716 [ 7DE90B48F210D29649380545DB45A187 ] VMBusHID C:\Windows\system32\drivers\VMBusHID.sys
20:29:14.0727 3716 VMBusHID - ok
20:29:14.0742 3716 [ D2AAFD421940F640B407AEFAAEBD91B0 ] volmgr C:\Windows\system32\drivers\volmgr.sys
20:29:14.0742 3716 volmgr - ok
20:29:14.0773 3716 [ A255814907C89BE58B79EF2F189B843B ] volmgrx C:\Windows\system32\drivers\volmgrx.sys
20:29:14.0789 3716 volmgrx - ok
20:29:14.0805 3716 [ 0D08D2F3B3FF84E433346669B5E0F639 ] volsnap C:\Windows\system32\drivers\volsnap.sys
20:29:14.0805 3716 volsnap - ok
20:29:14.0836 3716 [ 5E2016EA6EBACA03C04FEAC5F330D997 ] vsmraid C:\Windows\system32\DRIVERS\vsmraid.sys
20:29:14.0836 3716 vsmraid - ok
20:29:14.0883 3716 [ B60BA0BC31B0CB414593E169F6F21CC2 ] VSS C:\Windows\system32\vssvc.exe
20:29:14.0929 3716 VSS - ok
20:29:14.0929 3716 [ 36D4720B72B5C5D9CB2B9C29E9DF67A1 ] vwifibus C:\Windows\System32\drivers\vwifibus.sys
20:29:14.0929 3716 vwifibus - ok
20:29:14.0976 3716 [ 1C9D80CC3849B3788048078C26486E1A ] W32Time C:\Windows\system32\w32time.dll
20:29:14.0992 3716 W32Time - ok
20:29:15.0007 3716 [ 4E9440F4F152A7B944CB1663D3935A3E ] WacomPen C:\Windows\system32\DRIVERS\wacompen.sys
20:29:15.0007 3716 WacomPen - ok
20:29:15.0023 3716 [ 356AFD78A6ED4457169241AC3965230C ] WANARP C:\Windows\system32\DRIVERS\wanarp.sys
20:29:15.0023 3716 WANARP - ok
20:29:15.0039 3716 [ 356AFD78A6ED4457169241AC3965230C ] Wanarpv6 C:\Windows\system32\DRIVERS\wanarp.sys
20:29:15.0039 3716 Wanarpv6 - ok
20:29:15.0085 3716 [ 3CEC96DE223E49EAAE3651FCF8FAEA6C ] WatAdminSvc C:\Windows\system32\Wat\WatAdminSvc.exe
20:29:15.0117 3716 WatAdminSvc - ok
20:29:15.0163 3716 [ 78F4E7F5C56CB9716238EB57DA4B6A75 ] wbengine C:\Windows\system32\wbengine.exe
20:29:15.0195 3716 wbengine - ok
20:29:15.0210 3716 [ 3AA101E8EDAB2DB4131333F4325C76A3 ] WbioSrvc C:\Windows\System32\wbiosrvc.dll
20:29:15.0210 3716 WbioSrvc - ok
20:29:15.0241 3716 [ 7368A2AFD46E5A4481D1DE9D14848EDD ] wcncsvc C:\Windows\System32\wcncsvc.dll
20:29:15.0257 3716 wcncsvc - ok
20:29:15.0273 3716 [ 20F7441334B18CEE52027661DF4A6129 ] WcsPlugInService C:\Windows\System32\WcsPlugInService.dll
20:29:15.0273 3716 WcsPlugInService - ok
20:29:15.0288 3716 [ 72889E16FF12BA0F235467D6091B17DC ] Wd C:\Windows\system32\DRIVERS\wd.sys
20:29:15.0304 3716 Wd - ok
20:29:15.0319 3716 [ 441BD2D7B4F98134C3A4F9FA570FD250 ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
20:29:15.0335 3716 Wdf01000 - ok
20:29:15.0335 3716 [ BF1FC3F79B863C914687A737C2F3D681 ] WdiServiceHost C:\Windows\system32\wdi.dll
20:29:15.0351 3716 WdiServiceHost - ok
20:29:15.0351 3716 [ BF1FC3F79B863C914687A737C2F3D681 ] WdiSystemHost C:\Windows\system32\wdi.dll
20:29:15.0351 3716 WdiSystemHost - ok
20:29:15.0397 3716 [ 3DB6D04E1C64272F8B14EB8BC4616280 ] WebClient C:\Windows\System32\webclnt.dll
20:29:15.0413 3716 WebClient - ok
20:29:15.0413 3716 [ C749025A679C5103E575E3B48E092C43 ] Wecsvc C:\Windows\system32\wecsvc.dll
20:29:15.0429 3716 Wecsvc - ok
20:29:15.0460 3716 [ 7E591867422DC788B9E5BD337A669A08 ] wercplsupport C:\Windows\System32\wercplsupport.dll
20:29:15.0460 3716 wercplsupport - ok
20:29:15.0460 3716 [ 6D137963730144698CBD10F202E9F251 ] WerSvc C:\Windows\System32\WerSvc.dll
20:29:15.0475 3716 WerSvc - ok
20:29:15.0491 3716 [ 611B23304BF067451A9FDEE01FBDD725 ] WfpLwf C:\Windows\system32\DRIVERS\wfplwf.sys
20:29:15.0491 3716 WfpLwf - ok
20:29:15.0507 3716 [ 05ECAEC3E4529A7153B3136CEB49F0EC ] WIMMount C:\Windows\system32\drivers\wimmount.sys
20:29:15.0507 3716 WIMMount - ok
20:29:15.0538 3716 WinDefend - ok
20:29:15.0553 3716 WinHttpAutoProxySvc - ok
20:29:15.0569 3716 Winmgmt - ok
20:29:15.0631 3716 [ BCB1310604AA415C4508708975B3931E ] WinRM C:\Windows\system32\WsmSvc.dll
20:29:15.0663 3716 WinRM - ok
20:29:15.0725 3716 [ 4FADA86E62F18A1B2F42BA18AE24E6AA ] Wlansvc C:\Windows\System32\wlansvc.dll
20:29:15.0741 3716 Wlansvc - ok
20:29:15.0834 3716 [ 98F138897EF4246381D197CB81846D62 ] wlidsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
20:29:15.0881 3716 wlidsvc - ok
20:29:15.0912 3716 [ F6FF8944478594D0E414D3F048F0D778 ] WmiAcpi C:\Windows\system32\drivers\wmiacpi.sys
20:29:15.0912 3716 WmiAcpi - ok
20:29:15.0928 3716 WMPNetworkSvc - ok
20:29:15.0943 3716 [ 96C6E7100D724C69FCF9E7BF590D1DCA ] WPCSvc C:\Windows\System32\wpcsvc.dll
20:29:15.0943 3716 WPCSvc - ok
20:29:15.0975 3716 [ 93221146D4EBBF314C29B23CD6CC391D ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
20:29:15.0975 3716 WPDBusEnum - ok
20:29:16.0021 3716 [ 6BCC1D7D2FD2453957C5479A32364E52 ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
20:29:16.0021 3716 ws2ifsl - ok
20:29:16.0037 3716 [ E8B1FE6669397D1772D8196DF0E57A9E ] wscsvc C:\Windows\system32\wscsvc.dll
20:29:16.0053 3716 wscsvc - ok
20:29:16.0053 3716 WSearch - ok
20:29:16.0146 3716 [ D9EF901DCA379CFE914E9FA13B73B4C4 ] wuauserv C:\Windows\system32\wuaueng.dll
20:29:16.0162 3716 wuauserv - ok
20:29:16.0177 3716 [ D3381DC54C34D79B22CEE0D65BA91B7C ] WudfPf C:\Windows\system32\drivers\WudfPf.sys
20:29:16.0177 3716 WudfPf - ok
20:29:16.0209 3716 [ CF8D590BE3373029D57AF80914190682 ] WUDFRd C:\Windows\system32\DRIVERS\WUDFRd.sys
20:29:16.0209 3716 WUDFRd - ok
20:29:16.0255 3716 [ 7A95C95B6C4CF292D689106BCAE49543 ] wudfsvc C:\Windows\System32\WUDFSvc.dll
20:29:16.0255 3716 wudfsvc - ok
20:29:16.0287 3716 [ 9A3452B3C2A46C073166C5CF49FAD1AE ] WwanSvc C:\Windows\System32\wwansvc.dll
20:29:16.0287 3716 WwanSvc - ok
20:29:16.0287 3716 ================ Scan global ===============================
20:29:16.0333 3716 [ BA0CD8C393E8C9F83354106093832C7B ] C:\Windows\system32\basesrv.dll
20:29:16.0365 3716 [ EB6A48CC998E1090E44E8E7F1009A640 ] C:\Windows\system32\winsrv.dll
20:29:16.0380 3716 [ EB6A48CC998E1090E44E8E7F1009A640 ] C:\Windows\system32\winsrv.dll
20:29:16.0411 3716 [ D6160F9D869BA3AF0B787F971DB56368 ] C:\Windows\system32\sxssrv.dll
20:29:16.0443 3716 [ 24ACB7E5BE595468E3B9AA488B9B4FCB ] C:\Windows\system32\services.exe
20:29:16.0443 3716 [Global] - ok
20:29:16.0458 3716 ================ Scan MBR ==================================
20:29:16.0458 3716 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
20:29:16.0568 3716 \Device\Harddisk0\DR0 - ok
20:29:16.0568 3716 ================ Scan VBR ==================================
20:29:16.0568 3716 [ 1664E21BFCE5E2081D9651D3C2DC3110 ] \Device\Harddisk0\DR0\Partition1
20:29:16.0568 3716 \Device\Harddisk0\DR0\Partition1 - ok
20:29:16.0583 3716 [ A611BE112A8E5491D9292BDDBFBAB2FA ] \Device\Harddisk0\DR0\Partition2
20:29:16.0583 3716 \Device\Harddisk0\DR0\Partition2 - ok
20:29:16.0583 3716 ============================================================
20:29:16.0583 3716 Scan finished
20:29:16.0583 3716 ============================================================
20:29:16.0599 2576 Detected object count: 1
20:29:16.0599 2576 Actual detected object count: 1
20:29:20.0967 2576 sptd ( LockedFile.Multi.Generic ) - skipped by user
20:29:20.0967 2576 sptd ( LockedFile.Multi.Generic ) - User select action: Skip




aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-02 20:30:59
-----------------------------
20:30:59.680 OS Version: Windows x64 6.1.7601 Service Pack 1
20:30:59.680 Number of processors: 4 586 0x170A
20:30:59.680 ComputerName: MARSH-PC UserName: Marsh
20:31:00.990 Initialize success
20:31:01.037 AVAST engine defs: 12090201
20:31:03.439 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-4
20:31:03.439 Disk 0 Vendor: WDC_WD5000AAKS-00A7B0 01.03B01 Size: 476938MB BusType: 3
20:31:03.470 Disk 0 MBR read successfully
20:31:03.470 Disk 0 MBR scan
20:31:03.470 Disk 0 Windows 7 default MBR code
20:31:03.486 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:31:03.486 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476836 MB offset 206848
20:31:03.502 Disk 0 scanning C:\Windows\system32\drivers
20:31:09.789 Service scanning
20:31:19.258 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
20:31:22.471 Modules scanning
20:31:22.471 Disk 0 trace - called modules:
20:31:22.471 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80046d72c0]<<spzz.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
20:31:22.487 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004aef060]
20:31:22.487 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa80047f9e40]
20:31:22.487 5 ACPI.sys[fffff8800103a7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-4[0xfffffa800487d060]
20:31:22.503 \Driver\atapi[0xfffffa80047f4ad0] -> IRP_MJ_CREATE -> 0xfffffa80046d72c0
20:31:23.267 AVAST engine scan C:\Windows
20:31:25.186 AVAST engine scan C:\Windows\system32
20:33:10.564 AVAST engine scan C:\Windows\system32\drivers
20:33:18.941 AVAST engine scan C:\Users\Marsh
20:36:42.850 AVAST engine scan C:\ProgramData
20:48:24.327 Scan finished successfully
21:04:28.176 Disk 0 MBR has been saved successfully to "C:\Users\Marsh\Desktop\MBR.dat"
21:04:28.181 The log file has been saved successfully to "C:\Users\Marsh\Desktop\aswMBR.txt"

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:36 PM

Posted 02 September 2012 - 10:22 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555

RegNull::
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71196B08-9D6A-3884-4650-6D399520104D}*]

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click the donate button. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
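The CFScript above does two things worth understanding as a defender: the DDS:: lines reset a per-user proxy that points at a port on the machine itself (127.0.0.1:5555), which is how the redirecting malware in this thread was routing every browser request through its own local process, and RegNull:: clears an unapproved shell-extension entry. The ComboFix log posted later in the thread also shows the policies\system block with EnableLUA = 0, i.e. UAC switched off. The Python below is an added example, not code from this thread, from ComboFix or from DDS: it runs those same two checks over DDS/ComboFix-style log lines, flagging any ProxyServer value that resolves to a loopback address and any UAC policy value sitting at its weakest setting. The sample lines in SAMPLE_LOG are constructed for the illustration (modelled on the lines quoted in the thread), and the triage() function and the WEAK_UAC table are this example's own, not a ComboFix feature.

```python
import re

# Constructed sample, modelled on the DDS/ComboFix lines quoted in this thread
# (the proxy line from the CFScript and the policies\system block from the log).
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""

# DDS prefixes the Internet Settings line with u (per-user) or m (machine-wide).
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
# ComboFix prints registry values as "Name"= 0 (0x0); only name and decimal are needed.
VALUE_RE = re.compile(r'^"(\w+)"\s*=\s*(\d+)')
KEY_RE = re.compile(r"^\[(.+)\]$")

# UAC policy values at their weakest setting (this example's own triage table):
#   EnableLUA=0                  UAC off entirely
#   ConsentPromptBehaviorAdmin=0 administrators elevate silently, no prompt
#   PromptOnSecureDesktop=0      prompts not isolated on the secure desktop
WEAK_UAC = {
    "EnableLUA": 0,
    "ConsentPromptBehaviorAdmin": 0,
    "PromptOnSecureDesktop": 0,
}


def parse_proxy_hosts(value):
    """Split a WinINet ProxyServer value into host names.

    Accepts both forms Windows stores: 'host:port' and
    'http=host:port;https=host:port;...'.
    """
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # protocol=host:port
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        hosts.append(host)
    return hosts


def is_loopback(host):
    """True for addresses that point back at the machine itself."""
    host = host.lower()
    return host == "localhost" or host == "::1" or host.startswith("127.")


def triage(log_text):
    """Return (finding, detail) tuples for indicators found in DDS/ComboFix-style lines."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = PROXY_RE.match(line)
        if m:
            # A system proxy on the loopback interface means every browser request
            # is handed to a local process first: the redirect setup seen in this thread.
            if any(is_loopback(h) for h in parse_proxy_hosts(m.group(1))):
                findings.append(("loopback_proxy", line))
            continue
        if current_key and current_key.endswith("policies\\system"):
            m = VALUE_RE.match(line)
            if m:
                name, value = m.group(1), int(m.group(2))
                if WEAK_UAC.get(name) == value:
                    findings.append(("uac_weakened", f"{name}={value}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:16} {detail}")
```

Run against the sample it reports one loopback_proxy finding and three uac_weakened findings; a ProxyServer line pointing at a real corporate proxy, or a policies\system block with EnableLUA = 1, produces nothing. The proxy check is the one to keep in mind after cleanup: a loopback ProxyServer that reappears after ComboFix has reset it is a sign that whatever wrote it is still running.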

#14 ski.smitty

  • Topic Starter
  • Members
  • 36 posts

Posted 02 September 2012 - 11:03 PM

Combofix Log:

ComboFix 12-09-01.01 - Marsh 09/02/2012 21:41:16.2.4 - x64
Running from: c:\users\Marsh\Desktop\ComboFix.exe
Command switches used :: c:\users\Marsh\Desktop\CFScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-08-03 to 2012-09-03 )))))))))))))))))))))))))))))))
.
.
2012-09-03 03:49 . 2012-09-03 03:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-02 22:47 . 2012-09-02 22:59 -------- d-----w- C:\FRST
2012-08-31 00:05 . 2012-08-21 09:13 359464 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-08-31 00:05 . 2012-08-21 09:13 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-08-31 00:05 . 2012-08-21 09:13 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-08-31 00:05 . 2012-08-21 09:13 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-08-31 00:05 . 2012-08-21 09:13 969200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-31 00:05 . 2012-08-21 09:13 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-08-31 00:05 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-08-31 00:05 . 2012-08-21 09:12 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-08-30 15:03 . 2012-08-30 15:03 -------- d-----w- c:\program files\HijackThis
2012-08-30 03:48 . 2012-08-30 03:48 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-08-30 03:30 . 2012-08-30 03:30 -------- d-----w- c:\users\Marsh\AppData\Local\{12AFD388-F253-11E1-8270-B8AC6F996F26}
2012-08-29 02:49 . 2012-08-29 02:49 -------- d-----w- c:\programdata\ATI
2012-08-29 02:47 . 2012-08-29 02:47 -------- d-----w- c:\program files (x86)\AMD AVT
2012-08-29 02:47 . 2012-08-29 02:47 -------- d-----w- c:\program files (x86)\AMD APP
2012-08-29 02:47 . 2012-08-29 02:47 -------- d-----w- c:\program files\Common Files\ATI Technologies
2012-08-29 02:47 . 2012-08-29 02:47 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies
2012-08-29 02:46 . 2012-08-29 02:46 -------- d-----w- c:\program files (x86)\ATI Technologies
2012-08-29 02:45 . 2012-08-29 02:47 -------- d-----w- c:\program files\ATI Technologies
2012-08-19 03:48 . 2012-08-19 03:48 -------- d-----w- C:\Games
2012-08-19 03:44 . 2012-08-19 03:44 -------- d-----w- c:\program files\Nexus Mod Manager
2012-08-19 00:14 . 2012-09-03 02:20 -------- d-----w- c:\program files (x86)\The Elder Scrolls V Skyrim
2012-08-18 00:29 . 2012-08-18 00:29 -------- d-----w- c:\users\Marsh\AppData\Local\ashampoo
2012-08-18 00:29 . 2012-08-18 00:29 -------- d-----w- c:\programdata\ashampoo
2012-08-18 00:23 . 2012-08-18 00:23 -------- d-----w- c:\users\Marsh\AppData\Local\MediaMonkey
2012-08-18 00:20 . 2012-08-18 00:20 -------- d-----w- c:\users\Marsh\AppData\Local\Aimersoft
2012-08-18 00:20 . 2012-08-18 00:20 -------- d-----w- c:\program files (x86)\Common Files\Aimersoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-30 14:57 . 2012-05-26 20:06 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-30 14:57 . 2011-06-20 08:05 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-21 09:12 . 2011-04-29 23:39 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-08-15 15:52 . 2009-10-14 12:51 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-07-04 08:32 . 2012-07-04 08:32 187392 ----a-w- c:\windows\system32\clinfo.exe
2012-07-04 06:59 . 2012-07-04 06:59 11922944 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-07-04 06:52 . 2012-07-04 06:52 26016256 ----a-w- c:\windows\system32\atio6axx.dll
2012-07-04 06:35 . 2012-07-04 06:35 19586048 ----a-w- c:\windows\SysWow64\atioglxx.dll
2012-07-04 06:27 . 2012-07-04 06:27 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-07-04 06:27 . 2012-07-04 06:27 918528 ----a-w- c:\windows\SysWow64\aticfx32.dll
2012-07-04 06:25 . 2012-07-04 06:25 1081856 ----a-w- c:\windows\system32\aticfx64.dll
2012-07-04 06:21 . 2012-07-04 06:21 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-07-04 06:21 . 2012-07-04 06:21 514048 ----a-w- c:\windows\system32\atieclxx.exe
2012-07-04 06:20 . 2012-07-04 06:20 238080 ----a-w- c:\windows\system32\atiesrxx.exe
2012-07-04 06:19 . 2012-07-04 06:19 120320 ----a-w- c:\windows\system32\atitmm64.dll
2012-07-04 06:19 . 2012-07-04 06:19 21504 ----a-w- c:\windows\system32\atimuixx.dll
2012-07-04 06:19 . 2012-07-04 06:19 59392 ----a-w- c:\windows\system32\atiedu64.dll
2012-07-04 06:19 . 2012-07-04 06:19 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2012-07-04 06:18 . 2012-07-04 06:18 6811648 ----a-w- c:\windows\SysWow64\atidxx32.dll
2012-07-04 05:57 . 2012-07-04 05:57 7510528 ----a-w- c:\windows\system32\atidxx64.dll
2012-07-04 05:36 . 2012-07-04 05:36 1053696 ----a-w- c:\windows\system32\atiumd6v.dll
2012-07-04 05:36 . 2012-07-04 05:36 69632 ----a-w- c:\windows\system32\coinst_8.97.100.3.dll
2012-07-04 05:36 . 2012-07-04 05:36 1960960 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2012-07-04 05:35 . 2012-07-04 05:35 4261376 ----a-w- c:\windows\system32\atiumd6a.dll
2012-07-04 05:35 . 2012-07-04 05:35 6245888 ----a-w- c:\windows\SysWow64\atiumdag.dll
2012-07-04 05:28 . 2012-07-04 05:28 4749312 ----a-w- c:\windows\SysWow64\atiumdva.dll
2012-07-04 05:24 . 2012-07-04 05:24 7477760 ----a-w- c:\windows\system32\atiumd64.dll
2012-07-04 05:11 . 2012-07-04 05:11 56320 ----a-w- c:\windows\system32\atimpc64.dll
2012-07-04 05:11 . 2012-07-04 05:11 56320 ----a-w- c:\windows\system32\amdpcom64.dll
2012-07-04 05:11 . 2012-07-04 05:11 535552 ----a-w- c:\windows\system32\atiadlxx.dll
2012-07-04 05:11 . 2012-07-04 05:11 56832 ----a-w- c:\windows\SysWow64\atimpc32.dll
2012-07-04 05:11 . 2012-07-04 05:11 56832 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2012-07-04 05:11 . 2012-07-04 05:11 364544 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2012-07-04 05:11 . 2012-07-04 05:11 17920 ----a-w- c:\windows\system32\atig6pxx.dll
2012-07-04 05:11 . 2012-07-04 05:11 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2012-07-04 05:11 . 2012-07-04 05:11 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2012-07-04 05:11 . 2012-07-04 05:11 41984 ----a-w- c:\windows\system32\atig6txx.dll
2012-07-04 05:11 . 2012-07-04 05:11 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll
2012-07-04 05:10 . 2012-07-04 05:10 359936 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-07-04 05:10 . 2012-07-04 05:10 55296 ----a-w- c:\windows\system32\atiuxp64.dll
2012-07-04 05:09 . 2012-07-04 05:09 42496 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2012-07-04 05:09 . 2012-07-04 05:09 45056 ----a-w- c:\windows\system32\atiu9p64.dll
2012-07-04 05:09 . 2012-07-04 05:09 32768 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2012-07-04 05:09 . 2012-07-04 05:09 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-07-04 05:04 . 2012-07-04 05:04 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2012-07-04 05:04 . 2012-07-04 05:04 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2012-07-04 05:04 . 2012-07-04 05:04 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2012-07-04 05:04 . 2012-07-04 05:04 44544 ----a-w- c:\windows\SysWow64\aticalcl.dll
2012-07-04 05:04 . 2012-07-04 05:04 15827456 ----a-w- c:\windows\system32\aticaldd64.dll
2012-07-04 04:59 . 2012-07-04 04:59 13402112 ----a-w- c:\windows\SysWow64\aticaldd.dll
2012-06-18 18:51 . 2012-06-18 18:51 476936 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-06-11 19:50 . 2012-06-11 19:50 75264 ----a-w- c:\windows\system32\OpenVideo64.dll
2012-06-11 19:50 . 2012-06-11 19:50 65024 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2012-06-11 19:50 . 2012-06-11 19:50 63488 ----a-w- c:\windows\system32\OVDecode64.dll
2012-06-11 19:50 . 2012-06-11 19:50 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll
2012-06-11 19:50 . 2012-06-11 19:50 16457728 ----a-w- c:\windows\system32\amdocl64.dll
2012-06-11 19:49 . 2012-06-11 19:49 13008896 ----a-w- c:\windows\SysWow64\amdocl.dll
2012-06-09 05:43 . 2012-07-10 21:14 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-07 02:59 . 2012-06-07 02:59 1070152 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-06-06 06:06 . 2012-07-10 21:14 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-10 21:14 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-10 21:13 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-10 21:14 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-10 21:14 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-10 21:13 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-09-03_01.54.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-30 23:56 . 2012-09-03 03:50 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-08-30 23:56 . 2012-09-03 01:54 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-11 06:15 . 2012-09-03 01:55 38040 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-09-03 01:55 43048 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-12-18 06:49 . 2012-09-03 01:55 20932 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1487264099-3403896088-99852959-1000_UserData.bin
+ 2009-12-18 07:44 . 2012-09-03 01:57 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-18 07:44 . 2012-08-31 02:02 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-18 07:44 . 2012-08-31 02:02 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-18 07:44 . 2012-09-03 01:57 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-31 02:02 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-09-03 01:57 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-18 06:59 . 2012-09-03 01:54 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-18 06:59 . 2012-09-03 03:51 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-18 06:59 . 2012-09-03 03:51 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-18 06:59 . 2012-09-03 01:54 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-18 06:59 . 2012-09-03 03:51 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-18 06:59 . 2012-09-03 01:54 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-18 09:38 . 2012-09-03 01:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-18 09:38 . 2012-09-03 03:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-18 09:38 . 2012-09-03 03:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-18 09:38 . 2012-09-03 01:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-09-03 01:53 . 2012-09-03 01:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-03 03:50 . 2012-09-03 03:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-03 03:50 . 2012-09-03 03:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-09-03 01:53 . 2012-09-03 01:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2012-09-03 03:50 393216 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-09-03 01:54 393216 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 05:01 . 2012-09-03 01:36 390028 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-09-03 03:49 390028 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:54 . 2012-09-03 03:50 3112960 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-09-03 01:54 3112960 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-04-03 10:54 . 2012-09-03 03:49 29145784 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1487264099-3403896088-99852959-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-07-04 641704]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\users\Marsh\Desktop\Run\a2ddax64.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-08 160944]
R3 cpudrv64;cpudrv64;c:\program files (x86)\SystemRequirementsLab\cpudrv64.sys [x]
R3 dump_wmimmc;dump_wmimmc;c:\program files (x86)\steam\steamapps\common\ava\Binaries\GameGuard\dump_wmimmc.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files (x86)\Garena Plus\Room\safedrv.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-18 113120]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-10 1255736]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-05-12 834544]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-07-04 238080]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-07-06 3048136]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-07-04 11922944]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-07-04 359936]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-31 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-08-31 09:12]
.
2012-09-03 c:\windows\Tasks\GlaryInitialize.job
- c:\program files (x86)\Glary Utilities\initialize.exe [2012-05-31 14:46]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-11-03 8317472]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.xfinity.com/?cid=insDate03312012
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Marsh\AppData\Roaming\Mozilla\Firefox\Profiles\tlntkwso.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*2*E oN]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*2*E oN\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*2*O]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*2*O\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*n*e*t*COMM\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:06,17,ed,18,35,51,8d,a4,0d,4e,9b,04,50,75,5a,53,bf,c3,a5,2e,3d,f3,cf,
56,6a,d1,aa,4a,d2,9c,a6,21,58,c1,1d,53,28,4e,50,b7,d3,1e,b7,ea,83,0a,ff,e8,\
"??"=hex:5c,f1,83,89,34,2e,c3,29,75,49,0f,ac,fc,c3,b8,aa
.
[HKEY_USERS\S-1-5-21-1487264099-3403896088-99852959-1000\Software\SecuROM\License information*]
"datasecu"=hex:5e,4e,54,02,61,26,0d,06,98,cb,de,d5,92,44,3e,a8,16,d5,e2,42,c7,
02,92,fa,47,92,38,0a,e4,12,2f,6c,b6,cb,18,f5,4d,d5,58,a3,19,a9,8e,2a,cd,07,\
"rkeysecu"=hex:2b,99,ae,7f,4c,d4,61,7e,4a,2f,94,5b,95,e8,de,5f
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2012-09-02 21:56:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-03 03:56
ComboFix2.txt 2012-09-03 01:59
.
Pre-Run: 100,808,089,600 bytes free
Post-Run: 100,735,684,608 bytes free
.
- - End Of File - - 07DEC401B0AEDDAEFF4F39537E4CBF87

Avast isn't popping up at me every few minutes, and that's an improvement. I loaded up some 10 or so websites and none of them were redirected or attempted to redirect (this is a big change; before this last ComboFix process I'd still get redirected on every 5th page or so I loaded to some unknown virus-looking site name).

I'm also not seeing ctfmon.exe in the windows task manager processes, so I think we're square there.

Honestly, unless you can glean anything from that log I think I'm cleaned up, or mostly so.

One quick question, I had to use a mobile device for a usb drive as I had no others available to me. Was there any chance the infection spread to it? (I've not noticed anything wrong, just slightly worried) I had it plugged in as a usb connection.

#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 02 September 2012 - 11:19 PM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo



