
Need Help with Rootkit.Boot.Pihar.c


This topic is locked
20 replies to this topic

#1 mn_sailor
  • Members
  • 67 posts
  • Gender:Male
  • Location:Ham Lake, MN

Posted 05 November 2012 - 10:22 AM

Hi All and Many thanks in advance,

My son's Vista computer was not booting (nothing from HD). I inspected and cleaned the hardware and found that the BIOS was fine, but the boot loader did nothing (cursor blinking in upper left corner). I created a BartPE boot CD and was able to see data on the hard drive and successfully ran some diagnostics on the drive. Then I ran TDSSKiller from the BartPE environment and it found and cleaned Pihar.c. The computer then booted from the hard drive into Windows Vista.

Next I ran MBAM and the log is included below.

****
Can you help me with the next steps in cleaning this machine?
****

Thanks so much!!

mn_sailor


Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.04.05

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
BRENT :: BRENT-PC [administrator]

11/4/2012 5:30:44 PM
mbam-log-2012-11-04 (17-30-44).txt

Scan type: Full scan (C:\|D:\|G:\|H:\|I:\|J:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 360615
Time elapsed: 1 hour(s), 57 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 11
HKCR\CLSID\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLabs) -> No action taken.
HKCR\TypeLib\{44444444-4444-4444-4444-440044444479} (PUP.GamePlayLabs) -> No action taken.
HKCR\Interface\{55555555-5555-5555-5555-550055445579} (PUP.GamePlayLabs) -> No action taken.
HKCR\CrossriderApp0004479.BHO.1 (PUP.GamePlayLabs) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLabs) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLabs) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLabs) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLabs) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLabs) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Giant Savings (PUP.GamePlayLabs) -> No action taken.
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> No action taken.

Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|4479 (PUP.CrossFire.SA) -> Data: Giant Savings -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 10
C:\Program Files\Giant Savings\Giant Savings.dll (PUP.GamePlayLabs) -> No action taken.
C:\Program Files\Giant Savings\Giant Savings.exe (PUP.GamePlayLabs) -> No action taken.
C:\Program Files\Giant Savings\Giant SavingsGui.exe (PUP.GamePlayLabs) -> No action taken.
C:\Program Files\Giant Savings\Uninstall.exe (PUP.GamePlayLabs) -> No action taken.
C:\Users\BRENT\AppData\Local\Temp\is754907076\GiantSavings_US.exe (PUP.GamePlayLabs) -> No action taken.
C:\ProgramData\Microsoft\Windows\DRM\BE17.tmp (Trojan.Agent.EXPD1) -> Quarantined and deleted successfully.
C:\Users\BRENT\AppData\Local\Temp\CDF0.tmp (Trojan.Agent.EXPD1) -> Quarantined and deleted successfully.
C:\Users\BRENT\AppData\Local\Temp\82FE.tmp (Trojan.Agent.MRGGen) -> Quarantined and deleted successfully.
C:\Users\BRENT\AppData\Local\Temp\Temp1_FedEx_Invoice__Copy_N44-134 (2).zip\FedEx_Invoice _Copy_N44-134.exe (Trojan.VUPX.ABI1) -> Quarantined and deleted successfully.
C:\Users\BRENT\AppData\Local\Temp\Temp1_FedEx_Invoice__Copy_N44-134.zip\FedEx_Invoice _Copy_N44-134.exe (Trojan.VUPX.ABI1) -> Quarantined and deleted successfully.

(end)
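As an added example (not part of the original post, and not a Malwarebytes tool), the following Python script parses the detection lines of a Malwarebytes 1.x log such as the one above and separates what was quarantined from what was only reported. The sample input is a constructed excerpt of that log, kept in the same line format; the section and detection regexes are my own reading of that format.

```python
import re
from collections import defaultdict

# Detection lines in a Malwarebytes 1.x log have the shape
#   <object> (<threat name>) -> <action>.
# For registry values the action part carries a "Data: ..." prefix, so the
# last " -> " segment is the real outcome.
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
SECTION_RE = re.compile(r"^(?P<section>[A-Z][A-Za-z ]+?) Detected: \d+$")

# Constructed excerpt: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
Registry Keys Detected: 11
HKCR\CLSID\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLabs) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Giant Savings (PUP.GamePlayLabs) -> No action taken.

Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|4479 (PUP.CrossFire.SA) -> Data: Giant Savings -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Files Detected: 10
C:\Program Files\Giant Savings\Giant Savings.dll (PUP.GamePlayLabs) -> No action taken.
C:\ProgramData\Microsoft\Windows\DRM\BE17.tmp (Trojan.Agent.EXPD1) -> Quarantined and deleted successfully.
C:\Users\BRENT\AppData\Local\Temp\Temp1_FedEx_Invoice__Copy_N44-134 (2).zip\FedEx_Invoice _Copy_N44-134.exe (Trojan.VUPX.ABI1) -> Quarantined and deleted successfully.
C:\Users\BRENT\AppData\Local\Temp\Temp1_FedEx_Invoice__Copy_N44-134.zip\FedEx_Invoice _Copy_N44-134.exe (Trojan.VUPX.ABI1) -> Quarantined and deleted successfully.
"""


def parse_detections(text):
    """Return one dict per detection line: section, object, threat, action."""
    section = None
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        s = SECTION_RE.match(line)
        if s:
            section = s.group("section")
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue  # headers, "(No malicious items detected)", blank lines
        action = m.group("action").split(" -> ")[-1]
        records.append({"section": section, "object": m.group("obj"),
                        "threat": m.group("threat"), "action": action})
    return records


def still_present(records):
    """Detections the scanner reported but did not remove."""
    return [r for r in records if r["action"].lower().startswith("no action")]


def summarize(records):
    """Count actions per threat name, e.g. {'PUP.GamePlayLabs': {'No action taken': 3}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[r["threat"]][r["action"]] += 1
    return {threat: dict(actions) for threat, actions in counts.items()}


if __name__ == "__main__":
    recs = parse_detections(SAMPLE_LOG)
    for threat, actions in sorted(summarize(recs).items()):
        print(threat, actions)
    print("still on the machine:")
    for r in still_present(recs):
        print("  [%s] %s" % (r["section"], r["object"]))
```

Run against the full log it shows at a glance that every Trojan.* hit was quarantined while all of the PUP.* entries (the Giant Savings / Crossrider add-on) are still in place, which is what the follow-up cleanup has to deal with.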


#2 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 November 2012 - 09:29 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




I need to get some reports to get a base to start from so I need you to run these programs first.


-DeFogger-

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


-Download DDS-

  • Please download DDS from one of the links below and save it to your desktop:
    Link1
    Link2
    Link3
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs

  • In your next post I need the following

  • both reports from DDS
  • report from security check
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 mn_sailor (Topic Starter)
  • Members
  • 67 posts
  • Gender:Male
  • Location:Ham Lake, MN

Posted 05 November 2012 - 11:21 PM

Hi Gringo,

Thanks for your help. DDS and SecurityCheck logs are included below. SecurityCheck took a while to complete, but I had no other problems.

There is a pop-up that appears regularly asking me to search for and install a driver for new hardware (wireless adapter, I think). I cancel this as the WiFi is working fine at the moment.

mn_sailor

*************************************

DDS (Ver_2012-11-05.02) - NTFS_x86
Internet Explorer: 9.0.8112.16450
Run by BRENT at 22:01:42 on 2012-11-05
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.894.144 [GMT -6:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: Panda Cloud Antivirus *Enabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\LEXBCES.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DWL-G520M Wireless 108G MIMO PCI Adapter\AIRPLUS.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Giant Savings: {11111111-1111-1111-1111-110011441179} - c:\program files\giant savings\Giant Savings.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [OurPictures] "c:\program files\ritzpix e-z print & share\OurPictures.exe" /AutoStart
uRun: [Download] "c:\users\brent\appdata\local\supportsoft\ddoctorv2\brent\SSGet.exe" 120 "http://pcmctbc.cmc.motive.com/motivedocs/EasySolveInstaller.exe" "EasySolveInstaller.exe"
uRun: [chromium] c:\users\brent\appdata\local\google\chrome\application\chrome.exe --no-startup-window
uRun: [svñhîst] c:\users\brent\appdata\local\temp\irb700.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DPService] "c:\program files\hp\dvdplay\DPService.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRunOnce: [Launcher] c:\windows\sminst\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\d-link~1.lnk - c:\program files\dwl-g520m wireless 108g mimo pci adapter\Reg.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dwl-g5~1.lnk - c:\program files\dwl-g520m wireless 108g mimo pci adapter\AIRPLUS.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: NameServer = 75.75.76.76 75.75.75.75 10.10.1.1
TCP: Interfaces\{102FDB63-F87E-48CF-B049-6CFA35BFEC03} : DHCPNameServer = 75.75.76.76 75.75.75.75 10.10.1.1
TCP: Interfaces\{6B2941A7-18E2-4B08-A83B-2A0EB8A6F1B4} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{A0BE55B5-D48C-49D3-B5BC-9203A0566E7B} : DHCPNameServer = 65.24.7.10 65.24.7.11
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-11-23 126216]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-18 21504]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2012-1-5 144136]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 99400]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111176]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-11-30 112904]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2012-1-18 450848]
R3 AR5513;DWL-G520M Wireless 108G MIMO PCI Adapter;c:\windows\system32\drivers\ar5513.sys [2009-6-28 355328]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\BdHidCom.sys [2007-6-25 17408]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [2007-8-4 10379]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
ShellExec: FRONTPG.EXE: edit=c:\progra~1\micros~3\office\FRONTPG.EXE
.
=============== Created Last 30 ================
.
2012-11-04 23:08:53 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-04 22:51:52 6918632 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b4656132-edd6-4582-88f1-670ed1ca333c}\mpengine.dll
2012-11-04 16:15:44 269746176 ----a-w- C:\bst5.tmp
2012-10-10 13:32:09 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 13:32:09 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 13:32:09 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 13:32:00 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-10-10 13:31:46 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-10 13:31:32 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 13:31:31 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
.
==================== Find3M ====================
.
2012-08-24 06:59:17 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 22:03:15.16 ===============


*****************************

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-05.02)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume1
Install Date: 4/26/2007 10:20:40 PM
System Uptime: 11/5/2012 4:42:29 PM (6 hours ago)
.
Motherboard: ASUSTek Computer INC. | | NARRA
Processor: AMD Sempron™ Processor 3400+ | Socket AM2 | 1000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 226 GiB total, 156.581 GiB free.
D: is FIXED (NTFS) - 7 GiB total, 5.693 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {36fc9e60-c465-11cf-8056-444553540000}
Description: USB Mass Storage Device
Device ID: USB\VID_0BDA&PID_0111\20021111153705700
Manufacturer: Compatible USB storage device
Name: USB Mass Storage Device
PNP Device ID: USB\VID_0BDA&PID_0111\20021111153705700
Service: USBSTOR
.
==== System Restore Points ===================
.
RP1249: 10/2/2012 6:21:51 AM - Windows Update
RP1250: 10/4/2012 10:05:12 PM - Scheduled Checkpoint
RP1251: 10/5/2012 2:51:14 PM - Windows Update
RP1252: 10/6/2012 9:01:08 AM - Scheduled Checkpoint
RP1254: 10/8/2012 8:03:49 AM - Scheduled Checkpoint
RP1255: 10/10/2012 8:31:30 AM - Windows Update
RP1256: 10/11/2012 6:39:10 AM - Windows Update
RP1257: 10/12/2012 12:00:25 AM - Scheduled Checkpoint
RP1258: 10/13/2012 12:01:21 AM - Scheduled Checkpoint
RP1259: 10/14/2012 7:18:07 AM - Scheduled Checkpoint
RP1260: 10/15/2012 12:00:32 AM - Scheduled Checkpoint
RP1261: 10/16/2012 10:08:23 AM - Windows Update
RP1262: 10/17/2012 2:05:00 PM - Scheduled Checkpoint
RP1263: 10/18/2012 11:23:56 AM - Scheduled Checkpoint
RP1264: 10/19/2012 11:22:22 AM - Scheduled Checkpoint
RP1265: 10/20/2012 12:34:30 PM - Scheduled Checkpoint
RP1266: 10/21/2012 1:57:33 PM - Scheduled Checkpoint
RP1267: 10/22/2012 11:07:12 AM - Scheduled Checkpoint
RP1268: 10/23/2012 10:01:20 AM - Windows Update
RP1269: 10/24/2012 7:54:51 AM - Scheduled Checkpoint
RP1270: 11/4/2012 4:50:36 PM - Windows Update
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe Acrobat 4.0
Adobe ActiveShare 1.2
Adobe Flash Player 11 ActiveX
Adobe PhotoDeluxe Home Edition 4.0
Adobe Reader 8.1.3
AutoUpdate
BPD_Scan
BPDSoftware
BPDSoftware_Ini
BufferChm
Comcast Desktop Software (v1.2.0.9)
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
DivX
DocProc
DocProcQFolder
DVD Play
DWL-G520M Wireless 108G MIMO PCI Adapter
eSupportQFolder
Fax
Giant Savings
Hardware Diagnostic Tools
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Customer Feedback
HP Customer Participation Program 8.0
HP Easy Setup - Core
HP Easy Setup - Frontend
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP Officejet All-In-One Series
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential
HP Photosmart Essential 2.0
HP Photosmart Essential2.5
HP Solution Center 8.0
HP Total Care Advisor
HP Update
HPAsset component for HP Active Support Library
HPProductAssistant
J2SE Runtime Environment 5.0 Update 11
Java Auto Updater
Java™ 6 Update 22
Java™ 6 Update 26
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
LiveUpdate Notice (Symantec Corporation)
Malwarebytes Anti-Malware version 1.65.1.1000
MarketResearch
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Move Media Player
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
My HP Games
NVIDIA Drivers
Panda Cloud Antivirus
Picasa 3
PSSWCORE
Python 2.4.3
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Rhapsody Player Engine
RitzPix E-Z Print & Share
Roxio Activation Module
Scan
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
SolutionCenter
Status
Toolbox
TrayApp
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
WebReg
.
==== Event Viewer Messages From Past Week ========
.
11/5/2012 8:24:37 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IPBusEnum service.
11/4/2012 9:45:19 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
11/4/2012 9:42:20 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/4/2012 9:42:12 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was The configuration data for this product is corrupt. Contact your support personnel. .
11/4/2012 9:36:31 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UMVPFSrv service.
.
==== End Of File ===========================


**************************

Results of screen317's Security Check version 0.99.54
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Panda Cloud Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Java™ 6 Update 26
Java™ 6 Update 22
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java version out of Date!
Adobe Reader 8 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Windows Defender MSASCui.exe
Panda Security Panda Cloud Antivirus PSANHost.exe
Panda Security Panda Cloud Antivirus PSUNMain.exe
Windows Defender MSASCui.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````
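An added example, not part of the original thread and not one of the tools the helper asked for: a small Python triage of the autorun entries in the DDS "Pseudo HJT Report" above. It takes a verbatim excerpt of those lines and flags four things a reviewer would look for in this particular log: an autorun whose target lives in a temp directory, an autorun whose name contains non-ASCII characters and folds to a near match of a Windows system binary (the svñhîst entry, two edits from svchost), a Run key that pulls an executable from a URL at logon, and a BHO registered under a repeated-digit CLSID like the Giant Savings one. The list of system binary names, the temp-path markers and the edit-distance threshold of 2 are my assumptions, not anything DDS itself reports.

```python
import re
import unicodedata

# Verbatim excerpt of the "Pseudo HJT Report" section of the DDS log above.
DDS_EXCERPT = r"""
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Giant Savings: {11111111-1111-1111-1111-110011441179} - c:\program files\giant savings\Giant Savings.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Download] "c:\users\brent\appdata\local\supportsoft\ddoctorv2\brent\SSGet.exe" 120 "http://pcmctbc.cmc.motive.com/motivedocs/EasySolveInstaller.exe" "EasySolveInstaller.exe"
uRun: [svñhîst] c:\users\brent\appdata\local\temp\irb700.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dwl-g5~1.lnk - c:\program files\dwl-g520m wireless 108g mimo pci adapter\AIRPLUS.exe
"""

RUN_RE = re.compile(r"^(?P<hive>[um])Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?): \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.+?) - (?P<path>.+)$")
# First four CLSID groups made of one repeated digit, as in the Giant Savings entry.
TEMPLATED_CLSID_RE = re.compile(r"^(\d)\1{7}-\1{4}-\1{4}-\1{4}-")

# Assumptions for this example: where user-writable scratch dirs live, and which
# Windows process names an attacker tends to imitate.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "%temp%")
SYSTEM_NAMES = ("svchost", "lsass", "csrss", "winlogon", "explorer", "services",
                "smss", "wininit", "rundll32", "spoolsv", "taskeng", "dwm")
LOOKALIKE_MAX_DISTANCE = 2


def fold_name(s):
    """Strip accents/diacritics (NFKD, drop combining marks) and lowercase."""
    return "".join(c for c in unicodedata.normalize("NFKD", s)
                   if not unicodedata.combining(c)).lower()


def edit_distance(a, b):
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _entry(kind, name, target):
    findings = []
    low = target.lower()
    if any(marker in low for marker in TEMP_MARKERS):
        findings.append("target runs from a temp directory")
    if re.search(r"https?://", target):
        findings.append("command line pulls a remote URL at logon")
    if not name.isascii():
        folded = fold_name(name)
        nearest = min(SYSTEM_NAMES, key=lambda s: edit_distance(folded, s))
        msg = "non-ASCII autorun name %r" % name
        if edit_distance(folded, nearest) <= LOOKALIKE_MAX_DISTANCE:
            msg += " (folds to %r, lookalike of %s)" % (folded, nearest)
        findings.append(msg)
    return {"kind": kind, "name": name, "target": target, "findings": findings}


def triage(text):
    """Parse Run/BHO/StartupFolder lines and attach a findings list to each."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append(_entry(m.group("hive") + "Run", m.group("name"), m.group("cmd")))
            continue
        m = BHO_RE.match(line)
        if m:
            e = _entry("BHO", m.group("name"), m.group("path"))
            if TEMPLATED_CLSID_RE.match(m.group("clsid")):
                e["findings"].append("templated repeated-digit CLSID {%s}" % m.group("clsid"))
            entries.append(e)
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append(_entry("StartupFolder", m.group("lnk").rsplit("\\", 1)[-1], m.group("path")))
    return entries


if __name__ == "__main__":
    for e in triage(DDS_EXCERPT):
        if e["findings"]:
            print("%s [%s] %s" % (e["kind"], e["name"], e["target"]))
            for f in e["findings"]:
                print("    -", f)
```

Nothing here removes anything; it only points at lines worth a closer look, and the absence of a finding is not a clean bill. On this excerpt it singles out the svñhîst Run key (temp path plus a svchost lookalike name), the Download key (remote installer URL) and the Giant Savings BHO (templated CLSID), and leaves the HP, NVIDIA, Sidebar, Defender and D-Link entries alone.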

#4 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 November 2012 - 11:26 PM

Hello


These are the programs I would like you to run next; if you have any problems with one of these, just skip it and run the next one.


-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo

#5 mn_sailor (Topic Starter)
  • Members
  • 67 posts
  • Gender:Male
  • Location:Ham Lake, MN

Posted 06 November 2012 - 12:07 AM

AdwCleaner and RogueKiller logs:

*******************

# AdwCleaner v2.006 - Logfile created 11/05/2012 at 22:40:09
# Updated 30/10/2012 by Xplode
# Operating system : Windows Vista ™ Home Basic Service Pack 2 (32 bits)
# User : BRENT - BRENT-PC
# Boot Mode : Normal
# Running from : C:\Users\BRENT\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\user.js
Folder Deleted : C:\Program Files\Giant Savings
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Users\BRENT\AppData\Local\Giant Savings
Folder Deleted : C:\Users\BRENT\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
Folder Deleted : C:\Users\BRENT\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndkhncnongaclekkbelchmeafffimifj
Folder Deleted : C:\Users\BRENT\AppData\Local\Temp\BabylonToolbar
Folder Deleted : C:\Users\BRENT\AppData\Roaming\Babylon
Folder Deleted : C:\Users\BRENT\AppData\Roaming\Mozilla\Firefox\Profiles\bsm4ixld.default\extensions\crossriderapp4479@crossrider.com
Folder Deleted : C:\Users\BRENT\AppData\Roaming\Mozilla\Firefox\Profiles\bsm4ixld.default\extensions\ffxtlbr@babylon.com

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Giant Savings
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011441179}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011441179}
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110011441179}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220022442279}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{33333333-3333-3333-3333-330033443379}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0004479.BHO
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0004479.BHO.1
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0004479.FBApi
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0004479.FBApi.1
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0004479.Sandbox
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0004479.Sandbox.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550055445579}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066446679}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{77777777-7777-7777-7777-770077447779}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440044444479}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndkhncnongaclekkbelchmeafffimifj
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011441179}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011441179}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011441179}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Giant Savings

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v [Unable to get version]

Profile name : default
File : C:\Users\BRENT\AppData\Roaming\Mozilla\Firefox\Profiles\bsm4ixld.default\prefs.js

C:\Users\BRENT\AppData\Roaming\Mozilla\Firefox\Profiles\bsm4ixld.default\user.js ... Deleted !

Deleted : user_pref("extensions.BabylonToolbar.admin", false);
Deleted : user_pref("extensions.BabylonToolbar.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar.babTrack", "affID=109935&tt=060612_5_");
Deleted : user_pref("extensions.BabylonToolbar.bbDpng", 23);
Deleted : user_pref("extensions.BabylonToolbar.dfltLng", "en");
Deleted : user_pref("extensions.BabylonToolbar.dfltSrch", false);
Deleted : user_pref("extensions.BabylonToolbar.hmpg", false);
Deleted : user_pref("extensions.BabylonToolbar.id", "d28879440000000000000013461cfe9b");
Deleted : user_pref("extensions.BabylonToolbar.instlDay", "15514");
Deleted : user_pref("extensions.BabylonToolbar.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar.lastDP", 23);
Deleted : user_pref("extensions.BabylonToolbar.lastVrsnTs", "1.5.3.1720:32:10");
Deleted : user_pref("extensions.BabylonToolbar.mntrFFxVrsn", "13.0");
Deleted : user_pref("extensions.BabylonToolbar.newTab", true);
Deleted : user_pref("extensions.BabylonToolbar.newTabUrl", "hxxp://search.babylon.com/?babsrc=NT_bb");
Deleted : user_pref("extensions.BabylonToolbar.noFFXTlbr", false);
Deleted : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar.propectorlck", 79062296);
Deleted : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar.ptch_0717", true);
Deleted : user_pref("extensions.BabylonToolbar.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar.tlbrId", "tb9");
Deleted : user_pref("extensions.BabylonToolbar.vrsn", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar.vrsnTs", "1.5.3.1720:32:10");
Deleted : user_pref("extensions.BabylonToolbar.vrsni", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=109935&tt=060612_5_");
Deleted : user_pref("extensions.BabylonToolbar_i.hardId", "d28879440000000000000013461cfe9b");
Deleted : user_pref("extensions.BabylonToolbar_i.id", "d28879440000000000000013461cfe9b");
Deleted : user_pref("extensions.BabylonToolbar_i.instlDay", "15514");
Deleted : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar_i.newTab", false);
Deleted : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar_i.tlbrId", "tb9");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1720:32:10");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
Deleted : user_pref("extensions.crossriderapp4479.4479.InstallationThankYouPage", true);
Deleted : user_pref("extensions.crossriderapp4479.4479.InstallationTime", 1340415091);
Deleted : user_pref("extensions.crossriderapp4479.4479.InstallationUserSettings.searchUserConifrmation", false[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.InstallationUserSettings.setHomepage", false);
Deleted : user_pref("extensions.crossriderapp4479.4479.InstallationUserSettings.setNewTab", false);
Deleted : user_pref("extensions.crossriderapp4479.4479.InstallationUserSettings.setSearch", false);
Deleted : user_pref("extensions.crossriderapp4479.4479.active", true);
Deleted : user_pref("extensions.crossriderapp4479.4479.addressbar", "");
Deleted : user_pref("extensions.crossriderapp4479.4479.affid", "0");
Deleted : user_pref("extensions.crossriderapp4479.4479.backgroundjs", "\n\n/**********************************[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.backgroundver", 2);
Deleted : user_pref("extensions.crossriderapp4479.4479.can_run_bg_code", true);
Deleted : user_pref("extensions.crossriderapp4479.4479.certdomaininstaller", "");
Deleted : user_pref("extensions.crossriderapp4479.4479.changeprevious", false);
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie.InstallationTime.value", "1340415091");
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie.InstallerParams.expiration", "Fri Feb 01 2030 00[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_aoi.expiration", "Fri Feb 01 2030 00:00:00 [...]
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_aoi.value", "1340415091");
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_geo.expiration", "Fri Jun 29 2012 20:34:11 [...]
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_geo.value", "%7B%22geoplugin_request%22%3A%[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_hotfix20111102645.expiration", "Fri Feb 01 [...]
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_hotfix20111102645.value", "%221%22");
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_installer_params.expiration", "Fri Feb 01 2[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_installer_params.value", "%7B%22source_id%2[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_parent_zoneid.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_parent_zoneid.value", "%2242870%22");
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_product_id.expiration", "Fri Feb 01 2030 00[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_product_id.value", "%221242%22");
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_zoneid.expiration", "Fri Feb 01 2030 00:00:[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.cookie._GPL_zoneid.value", "%2248072%22");
Deleted : user_pref("extensions.crossriderapp4479.4479.description", "Save big with Giant Savings! Coupons dis[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.domain", "");
Deleted : user_pref("extensions.crossriderapp4479.4479.emailsig", "");
Deleted : user_pref("extensions.crossriderapp4479.4479.enablesearch", false);
Deleted : user_pref("extensions.crossriderapp4479.4479.exposesites", "");
Deleted : user_pref("extensions.crossriderapp4479.4479.fbremoteurl", "");
Deleted : user_pref("extensions.crossriderapp4479.4479.group", 0);
Deleted : user_pref("extensions.crossriderapp4479.4479.homepage", "");
Deleted : user_pref("extensions.crossriderapp4479.4479.iframe", false);
Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.InstallerIdentifiers.expiration", "Fri Feb 0[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.InstallerIdentifiers.value", "%7B%22installe[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_appVer.expiration", "Fri Feb 01 20[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_appVer.value", "13");
Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_lastVersion.expiration", "Fri Feb [...]
Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_lastVersion.value", "0");
Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_meta.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_meta.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_nextCheck.expiration", "Sun Jun 24[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_nextCheck.value", "true");
Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_queue.expiration", "Fri Feb 01 203[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_queue.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_remote_resources.expiration", "Fri[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.internaldb.Resources_remote_resources.value", "%7B%22re[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.js", "\n\nvar _GPL_PID=1171;\nArray.prototype.indexOf||[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.manifesturl", "");
Deleted : user_pref("extensions.crossriderapp4479.4479.name", "Giant Savings");
Deleted : user_pref("extensions.crossriderapp4479.4479.newtab", "");
Deleted : user_pref("extensions.crossriderapp4479.4479.opensearch", "");
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_1.code", "appAPI._cr_config={appID:funct[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_1.name", "base");
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_1.ver", 2);
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_13.code", "(function(a){a.selectedText=f[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_13.name", "CrossriderAppUtils");
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_13.ver", 1);
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_14.code", "if(typeof(appAPI)===\"undefin[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_14.name", "CrossriderUtils");
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_14.ver", 1);
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_15.code", "(function(f){var u={};var e=M[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_15.name", "FacebookFFIE");
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_15.ver", 1);
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_16.code", "(function(b,a){function h(){v[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_16.name", "FFAppAPIWrapper");
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_16.ver", 3);
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_17.code", "/*!\n * jQuery JavaScript Lib[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_17.name", "jQuery");
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_17.ver", 1);
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_21.code", "var CrossriderDebugManager=(f[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_21.name", "debug");
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_21.ver", 1);
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_22.code", "(function(a){appAPI.queueMana[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_22.name", "resources");
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_22.ver", 1);
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_28.code", "var CrossriderInitializerPlug[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_28.name", "initializer");
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_28.ver", 1);
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_4.code", "/*! jQuery v1.7.1 jquery.com |[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_4.name", "jquery_1_7_1");
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins.plugin_4.ver", 2);
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins_lists.plugins_0", "17,14,16");
Deleted : user_pref("extensions.crossriderapp4479.4479.plugins_lists.plugins_1", "17,14,13,16,15,4,1,21,22,28"[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.pluginsurl", "hxxp://app-static.crossrider.com/plugin/a[...]
Deleted : user_pref("extensions.crossriderapp4479.4479.pluginsversion", 4);
Deleted : user_pref("extensions.crossriderapp4479.4479.premium", true);
Deleted : user_pref("extensions.crossriderapp4479.4479.publisher", "215 Apps");
Deleted : user_pref("extensions.crossriderapp4479.4479.searchstatus", 0);
Deleted : user_pref("extensions.crossriderapp4479.4479.setnewtab", false);
Deleted : user_pref("extensions.crossriderapp4479.4479.settingsurl", "");
Deleted : user_pref("extensions.crossriderapp4479.4479.thankyou", "hxxp://crossrider.com/thank_you/4479");
Deleted : user_pref("extensions.crossriderapp4479.4479.updateinterval", 360);
Deleted : user_pref("extensions.crossriderapp4479.4479.ver", 13);
Deleted : user_pref("extensions.crossriderapp4479.adsOldValue", -1);
Deleted : user_pref("extensions.crossriderapp4479.apps", "4479");
Deleted : user_pref("extensions.crossriderapp4479.bic", "13816f95c4a5bd68eb88276274588278");
Deleted : user_pref("extensions.crossriderapp4479.cid", 4479);
Deleted : user_pref("extensions.crossriderapp4479.firstrun", false);
Deleted : user_pref("extensions.crossriderapp4479.hadappinstalled", true);
Deleted : user_pref("extensions.crossriderapp4479.installationdate", 1340415237);
Deleted : user_pref("extensions.crossriderapp4479.lastcheck", 22341684);
Deleted : user_pref("extensions.crossriderapp4479.lastcheckitem", 22341705);
Deleted : user_pref("extensions.crossriderapp4479.misc.lastBgWorkerTimer", "1340502356525");
Deleted : user_pref("extensions.crossriderapp4479.misc.lastDomWorkerTimer", "1340502356497");
Deleted : user_pref("extensions.crossriderapp4479.modetype", "production");
Deleted : user_pref("extensions.enabledAddons", "crossriderapp4479@crossrider.com:0.81.13,ffxtlbr@babylon.com:[...]

-\\ Google Chrome v [Unable to get version]

File : C:\Users\BRENT\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [18322 octets] - [05/11/2012 22:40:09]

########## EOF - C:\AdwCleaner[S1].txt - [18383 octets] ##########


*******************

RogueKiller V8.2.2 [11/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : BRENT [Admin rights]
Mode : Scan -- Date : 11/05/2012 22:57:34

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 11 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Download ("C:\Users\BRENT\AppData\Local\SupportSoft\ddoctorv2\BRENT\SSGet.exe" 120 "hxxp://pcmctbc.cmc.motive.com/motivedocs/EasySolveInstaller.exe" "EasySolveInstaller.exe") -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : svñhîst (%USERPROFILE%\AppData\Local\Temp\irb700.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-260766890-2757051275-3415710467-1000[...]\Run : Download ("C:\Users\BRENT\AppData\Local\SupportSoft\ddoctorv2\BRENT\SSGet.exe" 120 "hxxp://pcmctbc.cmc.motive.com/motivedocs/EasySolveInstaller.exe" "EasySolveInstaller.exe") -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-260766890-2757051275-3415710467-1000[...]\Run : svñhîst (%USERPROFILE%\AppData\Local\Temp\irb700.exe) -> FOUND
[TASK][SUSP PATH] {60DDF705-3E86-439C-862F-40AEF3C5EE65} : C:\Windows\System32\pcalua.exe -a "C:\Users\BRENT\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MHR9ESOP\OOo_2.4.1_Win32Intel_install_wJRE_en-US[1].exe" -d C:\Windows\system32 -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST325082 0AS SCSI Disk Device +++++
--- User ---
[MBR] 7c34d934e110827326da1558a03ef22b
[BSP] 2552b2d2227b2ea2b3c92a526a1a6f5d : HP tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 231554 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 474223680 | Size: 6917 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_11052012_02d2257.txt >>
RKreport[1]_S_11052012_02d2257.txt

****************

RogueKiller V8.2.2 [11/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : BRENT [Admin rights]
Mode : Remove -- Date : 11/05/2012 22:59:00

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Download ("C:\Users\BRENT\AppData\Local\SupportSoft\ddoctorv2\BRENT\SSGet.exe" 120 "hxxp://pcmctbc.cmc.motive.com/motivedocs/EasySolveInstaller.exe" "EasySolveInstaller.exe") -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : svñhîst (%USERPROFILE%\AppData\Local\Temp\irb700.exe) -> DELETED
[TASK][SUSP PATH] {60DDF705-3E86-439C-862F-40AEF3C5EE65} : C:\Windows\System32\pcalua.exe -a "C:\Users\BRENT\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MHR9ESOP\OOo_2.4.1_Win32Intel_install_wJRE_en-US[1].exe" -d C:\Windows\system32 -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST325082 0AS SCSI Disk Device +++++
--- User ---
[MBR] 7c34d934e110827326da1558a03ef22b
[BSP] 2552b2d2227b2ea2b3c92a526a1a6f5d : HP tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 231554 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 474223680 | Size: 6917 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_11052012_02d2259.txt >>
RKreport[1]_S_11052012_02d2257.txt ; RKreport[2]_D_11052012_02d2259.txt
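The RogueKiller report above lists each autorun it flagged but gives no reason beyond "[SUSP PATH]". As an added example (not code from this thread or from RogueKiller), the Python below parses lines in that report's "Registry Entries" format and applies a few defender-side heuristics of my own: a program launched from a temporary directory, a value name with non-ASCII characters posing as a system name, an indirect launch through pcalua.exe, and a command line that references a remote URL. The sample lines are constructed copies of entries shown above, plus a header line and one benign-shaped Run entry (Sidebar) that the heuristics leave alone.

```python
"""Triage helper for the "Registry Entries" section of a RogueKiller report.

Added example; not code from this thread or from RogueKiller. The line shape
is the one visible in the report above:  [CATEGORY][FLAG] key : data -> STATUS
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# [CAT][FLAG] key : rest -> STATUS   ([FLAG] is optional, e.g. the HJ DESK lines)
LINE_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\](?:\[(?P<flag>[^\]]+)\])?\s+"
    r"(?P<key>.+?)\s+:\s+(?P<rest>.+?)\s+->\s+(?P<status>.+)$"
)
# RUN entries print their data as:  <value name> (<command line>)
RUN_RE = re.compile(r"^(?P<name>.+?)\s+\((?P<cmd>.*)\)$")

# Constructed sample: copies of lines shown in the report above, plus a header
# line and one benign-shaped Run entry (Sidebar) to show that it is not flagged.
SAMPLE_LINES = [
    r'¤¤¤ Registry Entries : 11 ¤¤¤',
    r'[RUN][SUSP PATH] HKCU\[...]\Run : Download ("C:\Users\BRENT\AppData\Local\SupportSoft\ddoctorv2\BRENT\SSGet.exe" 120 "hxxp://pcmctbc.cmc.motive.com/motivedocs/EasySolveInstaller.exe" "EasySolveInstaller.exe") -> FOUND',
    r'[RUN][SUSP PATH] HKCU\[...]\Run : svñhîst (%USERPROFILE%\AppData\Local\Temp\irb700.exe) -> FOUND',
    r'[TASK][SUSP PATH] {60DDF705-3E86-439C-862F-40AEF3C5EE65} : C:\Windows\System32\pcalua.exe -a "C:\Users\BRENT\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MHR9ESOP\OOo_2.4.1_Win32Intel_install_wJRE_en-US[1].exe" -d C:\Windows\system32 -> FOUND',
    r'[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND',
    r'[RUN] HKCU\[...]\Run : Sidebar (c:\program files\Windows Sidebar\sidebar.exe) -> FOUND',
]

# Directory fragments (lower-cased, backslash-delimited) that legitimate
# autoruns almost never point into.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


@dataclass
class Entry:
    category: str            # RUN, TASK, HJ DESK, ...
    flag: Optional[str]      # e.g. "SUSP PATH", or None when absent
    key: str                 # registry key or scheduled-task id as printed
    name: Optional[str]      # value name (RUN entries only)
    command: str             # command line / data part of the line
    status: str              # FOUND, DELETED, REPLACED (0), ...
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one report line; returns None for headers, blanks and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    cat, flag, key, rest, status = m.group("cat", "flag", "key", "rest", "status")
    name, cmd = None, rest
    if cat == "RUN":
        r = RUN_RE.match(rest)
        if r:
            name, cmd = r.group("name"), r.group("cmd")
    return Entry(cat, flag, key, name, cmd, status)


def triage(entry: Entry) -> List[str]:
    """Attach human-readable reasons to an entry; an empty list means nothing noted."""
    reasons: List[str] = []
    cmd_l = entry.command.lower()
    if entry.category in ("RUN", "TASK"):
        if any(marker in cmd_l for marker in TEMP_MARKERS):
            reasons.append("launches a program stored in a temporary directory")
        if "pcalua.exe" in cmd_l and " -a " in cmd_l:
            reasons.append("starts another program indirectly through pcalua.exe")
        if "hxxp://" in cmd_l or "http://" in cmd_l:
            reasons.append("command line references a remote URL")
        if entry.name and not entry.name.isascii():
            reasons.append("value name contains non-ASCII characters (lookalike of a system name)")
    elif entry.category == "HJ DESK" and entry.command.endswith("(1)"):
        # ClassicStartMenu / NewStartPanel live under HideDesktopIcons; 1 = hidden
        reasons.append("desktop icon hidden via HideDesktopIcons (value set to 1)")
    entry.reasons = reasons
    return reasons


def triage_log(lines: List[str]) -> List[Entry]:
    """Parse every recognisable line and keep only entries with at least one reason."""
    flagged = []
    for line in lines:
        entry = parse_entry(line)
        if entry and triage(entry):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LINES):
        label = e.name or e.key
        print(f"[{e.category}] {label} -> {e.status}")
        for why in e.reasons:
            print(f"    - {why}")
```

Reading the output against the thread: the `svñhîst` entry is the one most worth attention (a Temp-directory executable under a name mimicking svchost), while the `Download` entry only references a vendor support URL and deserves a look rather than an automatic verdict. The heuristics are deliberately simple string checks so they can be extended with whatever a particular report shows.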

#6 gringo_pr


Posted 06 November 2012 - 12:20 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#7 mn_sailor


Posted 06 November 2012 - 01:27 AM

ComboFix log:

******************

ComboFix 12-11-05.03 - BRENT 11/05/2012 23:57:45.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.894.311 [GMT -6:00]
Running from: c:\users\BRENT\Desktop\ComboFix.exe
AV: Panda Cloud Antivirus *Disabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: Panda Cloud Antivirus *Disabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\SETBFFA.tmp
c:\windows\system32\spool\prtprocs\w32x86\LXARPP.DLL
.
.
((((((((((((((((((((((((( Files Created from 2012-10-06 to 2012-11-06 )))))))))))))))))))))))))))))))
.
.
2012-11-06 06:13 . 2012-11-06 06:14 -------- d-----w- c:\users\BRENT\AppData\Local\temp
2012-11-06 06:13 . 2012-11-06 06:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-04 23:08 . 2012-09-30 01:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-04 22:51 . 2012-10-17 07:32 6918632 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B4656132-EDD6-4582-88F1-670ED1CA333C}\mpengine.dll
2012-11-04 16:15 . 2012-11-04 16:16 269746176 ----a-w- C:\bst5.tmp
2012-10-10 13:32 . 2012-06-02 00:02 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 13:32 . 2012-06-02 00:02 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 13:32 . 2012-06-02 00:02 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 13:32 . 2012-08-24 15:53 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-10-10 13:31 . 2012-09-13 13:28 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-10 13:31 . 2012-08-29 11:27 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 13:31 . 2012-08-29 11:27 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-24 06:59 . 2012-09-23 17:59 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-09-23 17:59 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-09-23 17:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-09-23 17:59 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-09-23 17:59 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-09-23 17:59 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"OurPictures"="c:\program files\RitzPix E-Z Print & Share\OurPictures.exe" [2005-10-06 4370432]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-17 98304]
"DPService"="c:\program files\HP\DVDPlay\DPService.exe" [2007-12-18 90112]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-07 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-07 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-02 44168]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
D-Link REG Utility.lnk - c:\program files\DWL-G520M Wireless 108G MIMO PCI Adapter\Reg.exe [2009-6-28 28672]
DWL-G520M Wireless 108G MIMO PCI Adapter Utility.lnk - c:\program files\DWL-G520M Wireless 108G MIMO PCI Adapter\AIRPLUS.exe [2009-6-28 659456]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - TRUESIGHT
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 10.10.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-chromium - c:\users\BRENT\AppData\Local\Google\Chrome\Application\chrome.exe
AddRemove-Picasa 3 - c:\users\BRENT\Desktop\Picasa3\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-06 00:14
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-11-06 00:21:28
ComboFix-quarantined-files.txt 2012-11-06 06:21
.
Pre-Run: 168,106,594,304 bytes free
Post-Run: 168,380,895,232 bytes free
.
- - End Of File - - 9186F03C7201D17D13420FCD453CC1AD

#8 gringo_pr


Posted 06 November 2012 - 01:32 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.

My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
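TDSSKiller's log (posted in the next reply) reports the disk's MBR partition table as StartLBA/BlocksNum pairs; the check a responder wants beside such a log is whether that table is internally consistent and how much of the disk lies outside any partition, since MBR bootkits keep their data in unpartitioned space. The parser below is an added example, not code from this thread or from TDSSKiller: the sector it reads is constructed from the partition values and disk size reported in the log, the boot-code area is zero-filled, and marking the first entry active is an assumption.

```python
"""Parse a raw MBR sector and sanity-check its partition layout.

Added example for this thread; it is not code from TDSSKiller, ComboFix or
the posters. The sector it examines is CONSTRUCTED from the values TDSSKiller
printed in this thread (Partition1/Partition2 StartLBA and BlocksNum, sector
size 0x200, disk size 0x3A38B2E000 bytes); the boot-code area is zero-filled,
so no real boot sector is reproduced.
"""
import struct

SECTOR_SIZE = 0x200
DISK_SIZE_BYTES = 0x3A38B2E000          # "Size: 0x3A38B2E000" in the log header
PART_TABLE_OFFSET = 446                  # four 16-byte entries follow the boot code
BOOT_SIGNATURE = 0xAA55                  # bytes 55 AA at offset 510
ENTRY_FMT = "<B3sB3sII"                  # status, CHS start, type, CHS end, LBA start, LBA count

# (partition type, StartLBA, BlocksNum) as reported by TDSSKiller in this thread
PAGE_PARTITIONS = [
    (0x07, 0x3F, 0x1C441401),            # C:  NTFS, starts at sector 63
    (0x07, 0x1C441440, 0xD82D90),        # D:  NTFS
]


def build_mbr(partitions, signature=BOOT_SIGNATURE):
    """Construct a 512-byte MBR holding up to four (type, start, count) entries."""
    sector = bytearray(SECTOR_SIZE)
    for i, (ptype, start, count) in enumerate(partitions[:4]):
        status = 0x80 if i == 0 else 0x00   # first entry marked active (assumption)
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", start, count)
    struct.pack_into("<H", sector, 510, signature)
    return bytes(sector)


def parse_mbr(sector):
    """Return the boot-signature check and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    signature = struct.unpack_from("<H", sector, 510)[0]
    partitions = []
    for i in range(4):
        status, _chs_a, ptype, _chs_b, start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue                       # unused slot
        partitions.append({"index": i + 1, "active": status == 0x80,
                           "type": ptype, "start_lba": start, "blocks": count})
    return {"signature_ok": signature == BOOT_SIGNATURE, "partitions": partitions}


def unallocated_tail_sectors(parsed, disk_size_bytes, sector_size=SECTOR_SIZE):
    """Sectors between the end of the last partition and the end of the disk.

    A small remainder is normal (cylinder alignment); a large or changed one
    deserves a closer look because MBR bootkits keep data outside any partition.
    """
    total = disk_size_bytes // sector_size
    if not parsed["partitions"]:
        return total
    last_end = max(p["start_lba"] + p["blocks"] for p in parsed["partitions"])
    return total - last_end


def layout_findings(parsed, disk_size_bytes, sector_size=SECTOR_SIZE):
    """Consistency checks a responder would run before trusting the table."""
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing or corrupted")
    total = disk_size_bytes // sector_size
    parts = sorted(parsed["partitions"], key=lambda p: p["start_lba"])
    for a, b in zip(parts, parts[1:]):
        if a["start_lba"] + a["blocks"] > b["start_lba"]:
            findings.append(f"partition {a['index']} overlaps partition {b['index']}")
    for p in parts:
        if p["start_lba"] + p["blocks"] > total:
            findings.append(f"partition {p['index']} extends past the end of the disk")
    if sum(p["active"] for p in parts) > 1:
        findings.append("more than one partition is marked active")
    tail = unallocated_tail_sectors(parsed, disk_size_bytes, sector_size)
    if tail > 0:
        findings.append(f"{tail} unallocated sectors after the last partition")
    return findings


if __name__ == "__main__":
    mbr = build_mbr(PAGE_PARTITIONS)     # constructed from the thread's log values
    parsed = parse_mbr(mbr)
    for p in parsed["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02X}, "
              f"LBA {p['start_lba']}..{p['start_lba'] + p['blocks'] - 1}")
    for finding in layout_findings(parsed, DISK_SIZE_BYTES):
        print("finding:", finding)
```

On the constructed sector the only finding is 6048 unallocated sectors (about 3 MB) after D:, which is less than one cylinder (0x3F x 0xF0 sectors in the log's geometry) and so within normal alignment slack; the point is the method, not a verdict on this machine.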

#9 mn_sailor

mn_sailor
  • Topic Starter

  • Members
  • 67 posts
  • Gender:Male
  • Location:Ham Lake, MN

Posted 06 November 2012 - 02:08 AM

TDSSKiller and aswMBR logs:

**********************

00:44:17.0907 2380 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
00:44:18.0282 2380 ============================================================
00:44:18.0282 2380 Current date / time: 2012/11/06 00:44:18.0282
00:44:18.0282 2380 SystemInfo:
00:44:18.0282 2380
00:44:18.0282 2380 OS Version: 6.0.6002 ServicePack: 2.0
00:44:18.0282 2380 Product type: Workstation
00:44:18.0282 2380 ComputerName: BRENT-PC
00:44:18.0282 2380 UserName: BRENT
00:44:18.0282 2380 Windows directory: C:\Windows
00:44:18.0282 2380 System windows directory: C:\Windows
00:44:18.0282 2380 Processor architecture: Intel x86
00:44:18.0282 2380 Number of processors: 1
00:44:18.0282 2380 Page size: 0x1000
00:44:18.0282 2380 Boot type: Normal boot
00:44:18.0282 2380 ============================================================
00:44:18.0968 2380 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x7E2D, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
00:44:18.0984 2380 ============================================================
00:44:18.0984 2380 \Device\Harddisk0\DR0:
00:44:18.0984 2380 MBR partitions:
00:44:18.0984 2380 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1C441401
00:44:18.0984 2380 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1C441440, BlocksNum 0xD82D90
00:44:18.0984 2380 ============================================================
00:44:18.0999 2380 C: <-> \Device\Harddisk0\DR0\Partition1
00:44:19.0046 2380 D: <-> \Device\Harddisk0\DR0\Partition2
00:44:19.0062 2380 ============================================================
00:44:19.0062 2380 Initialize success
00:44:19.0062 2380 ============================================================
00:44:21.0932 4040 ============================================================
00:44:21.0932 4040 Scan started
00:44:21.0932 4040 Mode: Manual;
00:44:21.0932 4040 ============================================================
00:44:23.0352 4040 ================ Scan system memory ========================
00:44:23.0352 4040 System memory - ok
00:44:23.0352 4040 ================ Scan services =============================
00:44:36.0939 4040 ql2300 - ok
00:44:36.0986 4040 [ 81A7E5C076E59995D54BC1ED3A16E60B ] ql40xx C:\Windows\system32\drivers\ql40xx.sys
00:44:37.0002 4040 ql40xx - ok
00:44:37.0049 4040 [ E9ECAE663F47E6CB43962D18AB18890F ] QWAVE C:\Windows\system32\qwave.dll
00:44:37.0064 4040 QWAVE - ok
00:44:37.0111 4040 [ 9F5E0E1926014D17486901C88ECA2DB7 ] QWAVEdrv C:\Windows\system32\drivers\qwavedrv.sys
00:44:37.0127 4040 QWAVEdrv - ok
00:44:37.0158 4040 [ 147D7F9C556D259924351FEB0DE606C3 ] RasAcd C:\Windows\system32\DRIVERS\rasacd.sys
00:44:37.0158 4040 RasAcd - ok
00:44:37.0205 4040 [ F6A452EB4CEADBB51C9E0EE6B3ECEF0F ] RasAuto C:\Windows\System32\rasauto.dll
00:44:37.0220 4040 RasAuto - ok
00:44:37.0251 4040 [ A214ADBAF4CB47DD2728859EF31F26B0 ] Rasl2tp C:\Windows\system32\DRIVERS\rasl2tp.sys
00:44:37.0267 4040 Rasl2tp - ok
00:44:37.0314 4040 [ 75D47445D70CA6F9F894B032FBC64FCF ] RasMan C:\Windows\System32\rasmans.dll
00:44:37.0329 4040 RasMan - ok
00:44:37.0376 4040 [ 509A98DD18AF4375E1FC40BC175F1DEF ] RasPppoe C:\Windows\system32\DRIVERS\raspppoe.sys
00:44:37.0376 4040 RasPppoe - ok
00:44:37.0423 4040 [ 2005F4A1E05FA09389AC85840F0A9E4D ] RasSstp C:\Windows\system32\DRIVERS\rassstp.sys
00:44:37.0423 4040 RasSstp - ok
00:44:37.0470 4040 [ B14C9D5B9ADD2F84F70570BBBFAA7935 ] rdbss C:\Windows\system32\DRIVERS\rdbss.sys
00:44:37.0485 4040 rdbss - ok
00:44:37.0517 4040 [ 89E59BE9A564262A3FB6C4F4F1CD9899 ] RDPCDD C:\Windows\system32\DRIVERS\RDPCDD.sys
00:44:37.0517 4040 RDPCDD - ok
00:44:37.0595 4040 [ E8BD98D46F2ED77132BA927FCCB47D8B ] rdpdr C:\Windows\system32\drivers\rdpdr.sys
00:44:37.0595 4040 rdpdr - ok
00:44:37.0626 4040 [ 9D91FE5286F748862ECFFA05F8A0710C ] RDPENCDD C:\Windows\system32\drivers\rdpencdd.sys
00:44:37.0626 4040 RDPENCDD - ok
00:44:37.0688 4040 [ C127EBD5AFAB31524662C48DFCEB773A ] RDPWD C:\Windows\system32\drivers\RDPWD.sys
00:44:37.0688 4040 RDPWD - ok
00:44:37.0751 4040 [ BCDD6B4804D06B1F7EBF29E53A57ECE9 ] RemoteAccess C:\Windows\System32\mprdim.dll
00:44:37.0751 4040 RemoteAccess - ok
00:44:37.0782 4040 [ 9E6894EA18DAFF37B63E1005F83AE4AB ] RemoteRegistry C:\Windows\system32\regsvc.dll
00:44:37.0797 4040 RemoteRegistry - ok
00:44:37.0844 4040 [ F17713D108ACA124A139FDE877EEF68A ] RimUsb C:\Windows\system32\Drivers\RimUsb.sys
00:44:37.0844 4040 RimUsb - ok
00:44:37.0891 4040 [ 5123F83CBC4349D065534EEB6BBDC42B ] RpcLocator C:\Windows\system32\locator.exe
00:44:37.0891 4040 RpcLocator - ok
00:44:37.0938 4040 [ 3B5B4D53FEC14F7476CA29A20CC31AC9 ] RpcSs C:\Windows\system32\rpcss.dll
00:44:37.0953 4040 RpcSs - ok
00:44:37.0985 4040 [ 9C508F4074A39E8B4B31D27198146FAD ] rspndr C:\Windows\system32\DRIVERS\rspndr.sys
00:44:37.0985 4040 rspndr - ok
00:44:38.0016 4040 [ A3E186B4B935905B829219502557314E ] SamSs C:\Windows\system32\lsass.exe
00:44:38.0031 4040 SamSs - ok
00:44:38.0078 4040 [ 3CE8F073A557E172B330109436984E30 ] sbp2port C:\Windows\system32\drivers\sbp2port.sys
00:44:38.0078 4040 sbp2port - ok
00:44:38.0125 4040 [ 77B7A11A0C3D78D3386398FBBEA1B632 ] SCardSvr C:\Windows\System32\SCardSvr.dll
00:44:38.0141 4040 SCardSvr - ok
00:44:38.0203 4040 [ 1A58069DB21D05EB2AB58EE5753EBE8D ] Schedule C:\Windows\system32\schedsvc.dll
00:44:38.0234 4040 Schedule - ok
00:44:38.0265 4040 [ 312EC3E37A0A1F2006534913E37B4423 ] SCPolicySvc C:\Windows\System32\certprop.dll
00:44:38.0265 4040 SCPolicySvc - ok
00:44:38.0297 4040 [ 716313D9F6B0529D03F726D5AAF6F191 ] SDRSVC C:\Windows\System32\SDRSVC.dll
00:44:38.0297 4040 SDRSVC - ok
00:44:38.0343 4040 [ 90A3935D05B494A5A39D37E71F09A677 ] secdrv C:\Windows\system32\drivers\secdrv.sys
00:44:38.0343 4040 secdrv - ok
00:44:38.0406 4040 [ FD5199D4D8A521005E4B5EE7FE00FA9B ] seclogon C:\Windows\system32\seclogon.dll
00:44:38.0406 4040 seclogon - ok
00:44:38.0437 4040 [ A9BBAB5759771E523F55563D6CBE140F ] SENS C:\Windows\system32\sens.dll
00:44:38.0453 4040 SENS - ok
00:44:38.0484 4040 [ CE9EC966638EF0B10B864DDEDF62A099 ] Serenum C:\Windows\system32\DRIVERS\serenum.sys
00:44:38.0484 4040 Serenum - ok
00:44:38.0531 4040 [ C70D69A918B178D3C3B06339B40C2E1B ] Serial C:\Windows\system32\drivers\serial.sys
00:44:38.0531 4040 Serial - ok
00:44:38.0577 4040 [ 8AF3D28A879BF75DB53A0EE7A4289624 ] sermouse C:\Windows\system32\drivers\sermouse.sys
00:44:38.0577 4040 sermouse - ok
00:44:38.0671 4040 [ D2193326F729B163125610DBF3E17D57 ] SessionEnv C:\Windows\system32\sessenv.dll
00:44:38.0671 4040 SessionEnv - ok
00:44:38.0718 4040 [ 103B79418DA647736EE95645F305F68A ] sffdisk C:\Windows\system32\drivers\sffdisk.sys
00:44:38.0718 4040 sffdisk - ok
00:44:38.0765 4040 [ 8FD08A310645FE872EEEC6E08C6BF3EE ] sffp_mmc C:\Windows\system32\drivers\sffp_mmc.sys
00:44:38.0765 4040 sffp_mmc - ok
00:44:38.0796 4040 [ 9CFA05FCFCB7124E69CFC812B72F9614 ] sffp_sd C:\Windows\system32\drivers\sffp_sd.sys
00:44:38.0796 4040 sffp_sd - ok
00:44:38.0827 4040 [ 46ED8E91793B2E6F848015445A0AC188 ] sfloppy C:\Windows\system32\drivers\sfloppy.sys
00:44:38.0843 4040 sfloppy - ok
00:44:38.0889 4040 [ E1499BD0FF76B1B2FBBF1AF339D91165 ] SharedAccess C:\Windows\System32\ipnathlp.dll
00:44:38.0889 4040 SharedAccess - ok
00:44:38.0952 4040 [ C7230FBEE14437716701C15BE02C27B8 ] ShellHWDetection C:\Windows\System32\shsvcs.dll
00:44:38.0967 4040 ShellHWDetection - ok
00:44:38.0999 4040 [ D2A595D6EEBEEAF4334F8E50EFBC9931 ] sisagp C:\Windows\system32\drivers\sisagp.sys
00:44:38.0999 4040 sisagp - ok
00:44:39.0045 4040 [ CEDD6F4E7D84E9F98B34B3FE988373AA ] SiSRaid2 C:\Windows\system32\drivers\sisraid2.sys
00:44:39.0045 4040 SiSRaid2 - ok
00:44:39.0077 4040 [ DF843C528C4F69D12CE41CE462E973A7 ] SiSRaid4 C:\Windows\system32\drivers\sisraid4.sys
00:44:39.0092 4040 SiSRaid4 - ok
00:44:39.0248 4040 [ 862BB4CBC05D80C5B45BE430E5EF872F ] slsvc C:\Windows\system32\SLsvc.exe
00:44:39.0342 4040 slsvc - ok
00:44:39.0389 4040 [ 6EDC422215CD78AA8A9CDE6B30ABBD35 ] SLUINotify C:\Windows\system32\SLUINotify.dll
00:44:39.0389 4040 SLUINotify - ok
00:44:39.0435 4040 [ 7B75299A4D201D6A6533603D6914AB04 ] Smb C:\Windows\system32\DRIVERS\smb.sys
00:44:39.0451 4040 Smb - ok
00:44:39.0498 4040 [ 2A146A055B4401C16EE62D18B8E2A032 ] SNMPTRAP C:\Windows\System32\snmptrap.exe
00:44:39.0498 4040 SNMPTRAP - ok
00:44:39.0560 4040 [ 7AEBDEEF071FE28B0EEF2CDD69102BFF ] spldr C:\Windows\system32\drivers\spldr.sys
00:44:39.0560 4040 spldr - ok
00:44:39.0607 4040 [ 8554097E5136C3BF9F69FE578A1B35F4 ] Spooler C:\Windows\System32\spoolsv.exe
00:44:39.0607 4040 Spooler - ok
00:44:39.0669 4040 [ 41987F9FC0E61ADF54F581E15029AD91 ] srv C:\Windows\system32\DRIVERS\srv.sys
00:44:39.0685 4040 srv - ok
00:44:39.0732 4040 [ FF33AFF99564B1AA534F58868CBE41EF ] srv2 C:\Windows\system32\DRIVERS\srv2.sys
00:44:39.0732 4040 srv2 - ok
00:44:39.0779 4040 [ 7605C0E1D01A08F3ECD743F38B834A44 ] srvnet C:\Windows\system32\DRIVERS\srvnet.sys
00:44:39.0779 4040 srvnet - ok
00:44:39.0825 4040 [ 03D50B37234967433A5EA5BA72BC0B62 ] SSDPSRV C:\Windows\System32\ssdpsrv.dll
00:44:39.0825 4040 SSDPSRV - ok
00:44:39.0903 4040 [ 6F1A32E7B7B30F004D9A20AFADB14944 ] SstpSvc C:\Windows\system32\sstpsvc.dll
00:44:39.0903 4040 SstpSvc - ok
00:44:39.0966 4040 [ 5DE7D67E49B88F5F07F3E53C4B92A352 ] stisvc C:\Windows\System32\wiaservc.dll
00:44:39.0997 4040 stisvc - ok
00:44:40.0028 4040 [ 7BA58ECF0C0A9A69D44B3DCA62BECF56 ] swenum C:\Windows\system32\DRIVERS\swenum.sys
00:44:40.0028 4040 swenum - ok
00:44:40.0075 4040 [ F21FD248040681CCA1FB6C9A03AAA93D ] swprv C:\Windows\System32\swprv.dll
00:44:40.0106 4040 swprv - ok
00:44:40.0153 4040 [ 192AA3AC01DF071B541094F251DEED10 ] Symc8xx C:\Windows\system32\drivers\symc8xx.sys
00:44:40.0153 4040 Symc8xx - ok
00:44:40.0184 4040 [ 8C8EB8C76736EBAF3B13B633B2E64125 ] Sym_hi C:\Windows\system32\drivers\sym_hi.sys
00:44:40.0200 4040 Sym_hi - ok
00:44:40.0231 4040 [ 8072AF52B5FD103BBBA387A1E49F62CB ] Sym_u3 C:\Windows\system32\drivers\sym_u3.sys
00:44:40.0231 4040 Sym_u3 - ok
00:44:40.0293 4040 [ 9A51B04E9886AA4EE90093586B0BA88D ] SysMain C:\Windows\system32\sysmain.dll
00:44:40.0309 4040 SysMain - ok
00:44:40.0356 4040 [ 2DCA225EAE15F42C0933E998EE0231C3 ] TabletInputService C:\Windows\System32\TabSvc.dll
00:44:40.0356 4040 TabletInputService - ok
00:44:40.0418 4040 [ D7673E4B38CE21EE54C59EEEB65E2483 ] TapiSrv C:\Windows\System32\tapisrv.dll
00:44:40.0434 4040 TapiSrv - ok
00:44:40.0481 4040 [ CB05822CD9CC6C688168E113C603DBE7 ] TBS C:\Windows\System32\tbssvc.dll
00:44:40.0481 4040 TBS - ok
00:44:40.0543 4040 [ 27D470DABC77BC60D0A3B0E4DEB6CB91 ] Tcpip C:\Windows\system32\drivers\tcpip.sys
00:44:40.0590 4040 Tcpip - ok
00:44:40.0652 4040 [ 27D470DABC77BC60D0A3B0E4DEB6CB91 ] Tcpip6 C:\Windows\system32\DRIVERS\tcpip.sys
00:44:40.0652 4040 Tcpip6 - ok
00:44:40.0699 4040 [ 608C345A255D82A6289C2D468EB41FD7 ] tcpipreg C:\Windows\system32\drivers\tcpipreg.sys
00:44:40.0699 4040 tcpipreg - ok
00:44:40.0746 4040 [ 5DCF5E267BE67A1AE926F2DF77FBCC56 ] TDPIPE C:\Windows\system32\drivers\tdpipe.sys
00:44:40.0761 4040 TDPIPE - ok
00:44:40.0793 4040 [ 389C63E32B3CEFED425B61ED92D3F021 ] TDTCP C:\Windows\system32\drivers\tdtcp.sys
00:44:40.0808 4040 TDTCP - ok
00:44:40.0855 4040 [ 76B06EB8A01FC8624D699E7045303E54 ] tdx C:\Windows\system32\DRIVERS\tdx.sys
00:44:40.0855 4040 tdx - ok
00:44:40.0902 4040 [ 3CAD38910468EAB9A6479E2F01DB43C7 ] TermDD C:\Windows\system32\DRIVERS\termdd.sys
00:44:40.0902 4040 TermDD - ok
00:44:40.0949 4040 [ BB95DA09BEF6E7A131BFF3BA5032090D ] TermService C:\Windows\System32\termsrv.dll
00:44:40.0964 4040 TermService - ok
00:44:40.0995 4040 [ C7230FBEE14437716701C15BE02C27B8 ] Themes C:\Windows\system32\shsvcs.dll
00:44:41.0011 4040 Themes - ok
00:44:41.0042 4040 [ 1076FFCFFAAE8385FD62DFCB25AC4708 ] THREADORDER C:\Windows\system32\mmcss.dll
00:44:41.0042 4040 THREADORDER - ok
00:44:41.0089 4040 [ EC74E77D0EB004BD3A809B5F8FB8C2CE ] TrkWks C:\Windows\System32\trkwks.dll
00:44:41.0105 4040 TrkWks - ok
00:44:41.0151 4040 [ 97D9D6A04E3AD9B6C626B9931DB78DBA ] TrustedInstaller C:\Windows\servicing\TrustedInstaller.exe
00:44:41.0151 4040 TrustedInstaller - ok
00:44:41.0214 4040 [ DCF0F056A2E4F52287264F5AB29CF206 ] tssecsrv C:\Windows\system32\DRIVERS\tssecsrv.sys
00:44:41.0214 4040 tssecsrv - ok
00:44:41.0261 4040 [ CAECC0120AC49E3D2F758B9169872D38 ] tunmp C:\Windows\system32\DRIVERS\tunmp.sys
00:44:41.0261 4040 tunmp - ok
00:44:41.0307 4040 [ 300DB877AC094FEAB0BE7688C3454A9C ] tunnel C:\Windows\system32\DRIVERS\tunnel.sys
00:44:41.0307 4040 tunnel - ok
00:44:41.0370 4040 [ C3ADE15414120033A36C0F293D4A4121 ] uagp35 C:\Windows\system32\drivers\uagp35.sys
00:44:41.0370 4040 uagp35 - ok
00:44:41.0417 4040 [ D9728AF68C4C7693CB100B8441CBDEC6 ] udfs C:\Windows\system32\DRIVERS\udfs.sys
00:44:41.0432 4040 udfs - ok
00:44:41.0495 4040 [ ECEF404F62863755951E09C802C94AD5 ] UI0Detect C:\Windows\system32\UI0Detect.exe
00:44:41.0510 4040 UI0Detect - ok
00:44:41.0541 4040 [ 75E6890EBFCE0841D3291B02E7A8BDB0 ] uliagpkx C:\Windows\system32\drivers\uliagpkx.sys
00:44:41.0557 4040 uliagpkx - ok
00:44:41.0604 4040 [ 3CD4EA35A6221B85DCC25DAA46313F8D ] uliahci C:\Windows\system32\drivers\uliahci.sys
00:44:41.0619 4040 uliahci - ok
00:44:41.0651 4040 [ 8514D0E5CD0534467C5FC61BE94A569F ] UlSata C:\Windows\system32\drivers\ulsata.sys
00:44:41.0666 4040 UlSata - ok
00:44:41.0697 4040 [ 38C3C6E62B157A6BC46594FADA45C62B ] ulsata2 C:\Windows\system32\drivers\ulsata2.sys
00:44:41.0713 4040 ulsata2 - ok
00:44:41.0760 4040 [ 32CFF9F809AE9AED85464492BF3E32D2 ] umbus C:\Windows\system32\DRIVERS\umbus.sys
00:44:41.0760 4040 umbus - ok
00:44:41.0822 4040 [ 67A95B9D129ED5399E7965CD09CF30E7 ] UMVPFSrv C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
00:44:41.0838 4040 UMVPFSrv - ok
00:44:41.0900 4040 [ 68308183F4AE0BE7BF8ECD07CB297999 ] upnphost C:\Windows\System32\upnphost.dll
00:44:41.0916 4040 upnphost - ok
00:44:41.0963 4040 [ 32DB9517628FF0D070682AAB61E688F0 ] usbaudio C:\Windows\system32\drivers\usbaudio.sys
00:44:41.0978 4040 usbaudio - ok
00:44:42.0009 4040 [ CAF811AE4C147FFCD5B51750C7F09142 ] usbccgp C:\Windows\system32\DRIVERS\usbccgp.sys
00:44:42.0009 4040 usbccgp - ok
00:44:42.0056 4040 [ E9476E6C486E76BC4898074768FB7131 ] usbcir C:\Windows\system32\drivers\usbcir.sys
00:44:42.0056 4040 usbcir - ok
00:44:42.0119 4040 [ D21CDE1C635BCC5053463579EEE453CF ] USBCM C:\Windows\system32\DRIVERS\Sacm2A.sys
00:44:42.0119 4040 USBCM - ok
00:44:42.0181 4040 [ 79E96C23A97CE7B8F14D310DA2DB0C9B ] usbehci C:\Windows\system32\DRIVERS\usbehci.sys
00:44:42.0181 4040 usbehci - ok
00:44:42.0228 4040 [ 4673BBCB006AF60E7ABDDBE7A130BA42 ] usbhub C:\Windows\system32\DRIVERS\usbhub.sys
00:44:42.0243 4040 usbhub - ok
00:44:42.0275 4040 [ CE697FEE0D479290D89BEC80DFE793B7 ] usbohci C:\Windows\system32\DRIVERS\usbohci.sys
00:44:42.0290 4040 usbohci - ok
00:44:42.0321 4040 [ E75C4B5269091D15A2E7DC0B6D35F2F5 ] usbprint C:\Windows\system32\DRIVERS\usbprint.sys
00:44:42.0321 4040 usbprint - ok
00:44:42.0368 4040 [ A508C9BD8724980512136B039BBA65E9 ] usbscan C:\Windows\system32\DRIVERS\usbscan.sys
00:44:42.0368 4040 usbscan - ok
00:44:42.0431 4040 [ BE3DA31C191BC222D9AD503C5224F2AD ] USBSTOR C:\Windows\system32\DRIVERS\USBSTOR.SYS
00:44:42.0431 4040 USBSTOR - ok
00:44:42.0477 4040 [ 325DBBACB8A36AF9988CCF40EAC228CC ] usbuhci C:\Windows\system32\DRIVERS\usbuhci.sys
00:44:42.0477 4040 usbuhci - ok
00:44:42.0540 4040 [ E67998E8F14CB0627A769F6530BCB352 ] usbvideo C:\Windows\system32\Drivers\usbvideo.sys
00:44:42.0540 4040 usbvideo - ok
00:44:42.0587 4040 [ 1509E705F3AC1D474C92454A5C2DD81F ] UxSms C:\Windows\System32\uxsms.dll
00:44:42.0602 4040 UxSms - ok
00:44:42.0649 4040 [ CD88D1B7776DC17A119049742EC07EB4 ] vds C:\Windows\System32\vds.exe
00:44:42.0665 4040 vds - ok
00:44:42.0727 4040 [ 7D92BE0028ECDEDEC74617009084B5EF ] vga C:\Windows\system32\DRIVERS\vgapnp.sys
00:44:42.0727 4040 vga - ok
00:44:42.0774 4040 [ 2E93AC0A1D8C79D019DB6C51F036636C ] VgaSave C:\Windows\System32\drivers\vga.sys
00:44:42.0774 4040 VgaSave - ok
00:44:42.0805 4040 [ 045D9961E591CF0674A920B6BA3BA5CB ] viaagp C:\Windows\system32\drivers\viaagp.sys
00:44:42.0805 4040 viaagp - ok
00:44:42.0836 4040 [ 56A4DE5F02F2E88182B0981119B4DD98 ] ViaC7 C:\Windows\system32\drivers\viac7.sys
00:44:42.0852 4040 ViaC7 - ok
00:44:42.0883 4040 [ FD2E3175FCADA350C7AB4521DCA187EC ] viaide C:\Windows\system32\drivers\viaide.sys
00:44:42.0883 4040 viaide - ok
00:44:42.0914 4040 [ 69503668AC66C77C6CD7AF86FBDF8C43 ] volmgr C:\Windows\system32\drivers\volmgr.sys
00:44:42.0914 4040 volmgr - ok
00:44:42.0977 4040 [ 23E41B834759917BFD6B9A0D625D0C28 ] volmgrx C:\Windows\system32\drivers\volmgrx.sys
00:44:42.0992 4040 volmgrx - ok
00:44:43.0039 4040 [ 147281C01FCB1DF9252DE2A10D5E7093 ] volsnap C:\Windows\system32\drivers\volsnap.sys
00:44:43.0039 4040 volsnap - ok
00:44:43.0086 4040 [ D984439746D42B30FC65A4C3546C6829 ] vsmraid C:\Windows\system32\drivers\vsmraid.sys
00:44:43.0086 4040 vsmraid - ok
00:44:43.0164 4040 [ DB3D19F850C6EB32BDCB9BC0836ACDDB ] VSS C:\Windows\system32\vssvc.exe
00:44:43.0226 4040 VSS - ok
00:44:43.0289 4040 [ 96EA68B9EB310A69C25EBB0282B2B9DE ] W32Time C:\Windows\system32\w32time.dll
00:44:43.0289 4040 W32Time - ok
00:44:43.0335 4040 [ 48DFEE8F1AF7C8235D4E626F0C4FE031 ] WacomPen C:\Windows\system32\drivers\wacompen.sys
00:44:43.0351 4040 WacomPen - ok
00:44:43.0398 4040 [ 55201897378CCA7AF8B5EFD874374A26 ] Wanarp C:\Windows\system32\DRIVERS\wanarp.sys
00:44:43.0398 4040 Wanarp - ok
00:44:43.0413 4040 [ 55201897378CCA7AF8B5EFD874374A26 ] Wanarpv6 C:\Windows\system32\DRIVERS\wanarp.sys
00:44:43.0413 4040 Wanarpv6 - ok
00:44:43.0476 4040 [ A3CD60FD826381B49F03832590E069AF ] wcncsvc C:\Windows\System32\wcncsvc.dll
00:44:43.0491 4040 wcncsvc - ok
00:44:43.0538 4040 [ 11BCB7AFCDD7AADACB5746F544D3A9C7 ] WcsPlugInService C:\Windows\System32\WcsPlugInService.dll
00:44:43.0554 4040 WcsPlugInService - ok
00:44:43.0585 4040 [ AFC5AD65B991C1E205CF25CFDBF7A6F4 ] Wd C:\Windows\system32\drivers\wd.sys
00:44:43.0585 4040 Wd - ok
00:44:43.0647 4040 [ B6F0A7AD6D4BD325FBCD8BAC96CD8D96 ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
00:44:43.0679 4040 Wdf01000 - ok
00:44:43.0725 4040 [ ABFC76B48BB6C96E3338D8943C5D93B5 ] WdiServiceHost C:\Windows\system32\wdi.dll
00:44:43.0725 4040 WdiServiceHost - ok
00:44:43.0757 4040 [ ABFC76B48BB6C96E3338D8943C5D93B5 ] WdiSystemHost C:\Windows\system32\wdi.dll
00:44:43.0757 4040 WdiSystemHost - ok
00:44:43.0819 4040 [ 04C37D8107320312FBAE09926103D5E2 ] WebClient C:\Windows\System32\webclnt.dll
00:44:43.0835 4040 WebClient - ok
00:44:43.0881 4040 [ AE3736E7E8892241C23E4EBBB7453B60 ] Wecsvc C:\Windows\system32\wecsvc.dll
00:44:43.0881 4040 Wecsvc - ok
00:44:43.0944 4040 [ 670FF720071ED741206D69BD995EA453 ] wercplsupport C:\Windows\System32\wercplsupport.dll
00:44:43.0944 4040 wercplsupport - ok
00:44:43.0975 4040 [ 32B88481D3B326DA6DEB07B1D03481E7 ] WerSvc C:\Windows\System32\WerSvc.dll
00:44:43.0991 4040 WerSvc - ok
00:44:44.0069 4040 [ 4575AA12561C5648483403541D0D7F2B ] WinDefend C:\Program Files\Windows Defender\mpsvc.dll
00:44:44.0084 4040 WinDefend - ok
00:44:44.0162 4040 [ 097A8291DF541F9B9AF2C500797CDCAA ] WinDriver6 C:\Windows\system32\drivers\windrvr6.sys
00:44:44.0178 4040 WinDriver6 - ok
00:44:44.0193 4040 WinHttpAutoProxySvc - ok
00:44:44.0240 4040 [ 6B2A1D0E80110E3D04E6863C6E62FD8A ] Winmgmt C:\Windows\system32\wbem\WMIsvc.dll
00:44:44.0256 4040 Winmgmt - ok
00:44:44.0334 4040 [ 7CFE68BDC065E55AA5E8421607037511 ] WinRM C:\Windows\system32\WsmSvc.dll
00:44:44.0396 4040 WinRM - ok
00:44:44.0474 4040 [ C008405E4FEEB069E30DA1D823910234 ] Wlansvc C:\Windows\System32\wlansvc.dll
00:44:44.0505 4040 Wlansvc - ok
00:44:44.0552 4040 [ 701A9F884A294327E9141D73746EE279 ] WmiAcpi C:\Windows\system32\drivers\wmiacpi.sys
00:44:44.0552 4040 WmiAcpi - ok
00:44:44.0615 4040 [ 43BE3875207DCB62A85C8C49970B66CC ] wmiApSrv C:\Windows\system32\wbem\WmiApSrv.exe
00:44:44.0646 4040 wmiApSrv - ok
00:44:44.0708 4040 [ 3978704576A121A9204F8CC49A301A9B ] WMPNetworkSvc C:\Program Files\Windows Media Player\wmpnetwk.exe
00:44:44.0739 4040 WMPNetworkSvc - ok
00:44:44.0771 4040 [ CFC5A04558F5070CEE3E3A7809F3FF52 ] WPCSvc C:\Windows\System32\wpcsvc.dll
00:44:44.0786 4040 WPCSvc - ok
00:44:44.0833 4040 [ 801FBDB89D472B3C467EB112A0FC9246 ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
00:44:44.0833 4040 WPDBusEnum - ok
00:44:44.0895 4040 [ DE9D36F91A4DF3D911626643DEBF11EA ] WpdUsb C:\Windows\system32\DRIVERS\wpdusb.sys
00:44:44.0895 4040 WpdUsb - ok
00:44:45.0036 4040 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
00:44:45.0067 4040 WPFFontCache_v0400 - ok
00:44:45.0114 4040 [ E3A3CB253C0EC2494D4A61F5E43A389C ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
00:44:45.0114 4040 ws2ifsl - ok
00:44:45.0161 4040 [ 1CA6C40261DDC0425987980D0CD2AAAB ] wscsvc C:\Windows\system32\wscsvc.dll
00:44:45.0176 4040 wscsvc - ok
00:44:45.0192 4040 WSearch - ok
00:44:45.0301 4040 [ FC3EC24FCE372C89423E015A2AC1A31E ] wuauserv C:\Windows\system32\wuaueng.dll
00:44:45.0379 4040 wuauserv - ok
00:44:45.0441 4040 [ AC13CB789D93412106B0FB6C7EB2BCB6 ] WUDFRd C:\Windows\system32\DRIVERS\WUDFRd.sys
00:44:45.0441 4040 WUDFRd - ok
00:44:45.0488 4040 [ 575A4190D989F64732119E4114045A4F ] wudfsvc C:\Windows\System32\WUDFSvc.dll
00:44:45.0488 4040 wudfsvc - ok
00:44:45.0551 4040 ================ Scan global ===============================
00:44:45.0566 4040 [ F31EEBC1A1C81FD04005489CC3DCDFE7 ] C:\Windows\system32\basesrv.dll
00:44:45.0644 4040 [ D2293B069E4B63DC17B2F08D45E71124 ] C:\Windows\system32\winsrv.dll
00:44:45.0691 4040 [ D2293B069E4B63DC17B2F08D45E71124 ] C:\Windows\system32\winsrv.dll
00:44:45.0738 4040 [ D4E6D91C1349B7BFB3599A6ADA56851B ] C:\Windows\system32\services.exe
00:44:45.0753 4040 [Global] - ok
00:44:45.0753 4040 ================ Scan MBR ==================================
00:44:45.0769 4040 [ 8913823FF508CCF109DB74B636C301DA ] \Device\Harddisk0\DR0
00:44:46.0393 4040 \Device\Harddisk0\DR0 - ok
00:44:46.0393 4040 ================ Scan VBR ==================================
00:44:46.0409 4040 [ AB6FE4AC23BAEB34E098BFE484207C6C ] \Device\Harddisk0\DR0\Partition1
00:44:46.0409 4040 \Device\Harddisk0\DR0\Partition1 - ok
00:44:46.0424 4040 [ D88968449CBE294910EBD2F1B500EA83 ] \Device\Harddisk0\DR0\Partition2
00:44:46.0424 4040 \Device\Harddisk0\DR0\Partition2 - ok
00:44:46.0440 4040 ============================================================
00:44:46.0440 4040 Scan finished
00:44:46.0440 4040 ============================================================
00:44:46.0471 2104 Detected object count: 0
00:44:46.0487 2104 Actual detected object count: 0

************************


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-11-06 00:46:30
-----------------------------
00:46:30.568 OS Version: Windows 6.0.6002 Service Pack 2
00:46:30.568 Number of processors: 1 586 0x5F02
00:46:30.584 ComputerName: BRENT-PC UserName: BRENT
00:47:11.830 Initialize success
00:48:37.747 AVAST engine defs: 12110600
00:49:06.529 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000052
00:49:06.560 Disk 0 Vendor: ST325082 3.AH Size: 238475MB BusType: 6
00:49:06.576 Disk 0 MBR read successfully
00:49:06.591 Disk 0 MBR scan
00:49:06.622 Disk 0 unknown MBR code
00:49:06.638 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 231554 MB offset 63
00:49:06.669 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 6917 MB offset 474223680
00:49:06.716 Disk 0 scanning sectors +488391120
00:49:06.841 Disk 0 scanning C:\Windows\system32\drivers
00:49:21.146 Service scanning
00:49:53.968 Modules scanning
00:50:07.041 Disk 0 trace - called modules:
00:50:07.088 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
00:50:07.135 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x852105e0]
00:50:07.150 3 CLASSPNP.SYS[863a18b3] -> nt!IofCallDriver -> [0x83a90f08]
00:50:07.150 5 acpi.sys[806146bc] -> nt!IofCallDriver -> \Device\00000052[0x843eba58]
00:50:08.461 AVAST engine scan C:\Windows
00:50:15.574 AVAST engine scan C:\Windows\system32
00:55:09.993 AVAST engine scan C:\Windows\system32\drivers
00:55:43.143 AVAST engine scan C:\Users\BRENT
01:02:53.823 Disk 0 MBR has been saved successfully to "C:\Users\BRENT\Desktop\MBR.dat"
01:02:53.870 The log file has been saved successfully to "C:\Users\BRENT\Desktop\aswMBR.txt"
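As an added example (not part of this thread, nor code from aswMBR or TDSSKiller), a small Python parser for a 512-byte MBR image such as the MBR.dat that aswMBR saved above: it checks the 0x55AA boot signature, decodes the partition table, compares it with the partition lines aswMBR printed (type 07, 231554 MB at offset 63; type 07, 6917 MB at offset 474223680) and computes the sector's MD5 in the bracketed format TDSSKiller uses for its MBR line. The sample sector is constructed inline from those log values with the boot-code area zeroed, so the hash it prints is not the one in the log; whether TDSSKiller's hash covers exactly the same 512 bytes is an assumption, not something the thread states.

```python
"""Added example: parse an MBR sector the way a responder would when checking
the MBR.dat that aswMBR saved, and compare it with the aswMBR log lines.
The sample data below is constructed from values in the log, not read from
the poster's disk."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
TABLE_OFFSET = 446            # partition table: 4 entries of 16 bytes
ENTRY_FORMAT = "<BBBBBBBBII"  # status, CHS start(3), type, CHS end(3), LBA start, sector count

# Transcribed from the aswMBR log above: (type id, size in MB, LBA offset).
ASWMBR_EXPECTED: List[Tuple[int, int, int]] = [
    (0x07, 231554, 63),
    (0x07, 6917, 474223680),
]


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def size_mb(self) -> int:
        # aswMBR prints whole megabytes; 2048 sectors of 512 bytes make one MB.
        return self.sectors // 2048


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Validate the boot signature and decode the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected a {SECTOR}-byte sector, got {len(mbr)} bytes")
    # Bytes 510-511 must be 0x55 0xAA, which reads as little-endian 0xAA55.
    if struct.unpack_from("<H", mbr, 510)[0] != 0xAA55:
        raise ValueError("boot signature 0x55AA missing")
    parts = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY_FORMAT, mbr, TABLE_OFFSET + 16 * i)
        status, ptype, start, count = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0:  # empty slot
            continue
        parts.append(Partition(i + 1, status == 0x80, ptype, start, count))
    return parts


def mbr_md5(mbr: bytes) -> str:
    """Uppercase MD5 of the whole sector, the bracketed format TDSSKiller prints."""
    return hashlib.md5(mbr).hexdigest().upper()


def compare_with_log(parts: List[Partition], expected=ASWMBR_EXPECTED) -> List[str]:
    """Return the discrepancies between the parsed table and the values in the log."""
    problems = []
    if len(parts) != len(expected):
        problems.append(f"log lists {len(expected)} partitions, table has {len(parts)}")
    for p, (etype, esize, eoff) in zip(parts, expected):
        if p.type_id != etype:
            problems.append(f"partition {p.index}: type {p.type_id:02X} != log {etype:02X}")
        if p.start_lba != eoff:
            problems.append(f"partition {p.index}: offset {p.start_lba} != log {eoff}")
        if abs(p.size_mb - esize) > 1:  # allow one MB of rounding slack
            problems.append(f"partition {p.index}: size {p.size_mb} MB != log {esize} MB")
    return problems


def build_sample_mbr() -> bytes:
    """Constructed sample: two NTFS entries matching the log; boot code left zeroed."""
    mbr = bytearray(SECTOR)
    entries = [
        (0x80, 0x07, 63, 474223680 - 63),     # bootable; ends where partition 2 starts
        (0x00, 0x07, 474223680, 6917 * 2048),  # second partition, 6917 MB
    ]
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, mbr, TABLE_OFFSET + 16 * i,
                         status, 0, 0, 0, ptype, 0, 0, 0, start, count)
    struct.pack_into("<H", mbr, 510, 0xAA55)
    return bytes(mbr)


def check_mbr_file(path: str) -> List[str]:
    """Run the same comparison on a saved sector, e.g. the MBR.dat named in the log."""
    with open(path, "rb") as fh:
        return compare_with_log(parse_mbr(fh.read(SECTOR)))


if __name__ == "__main__":
    sample = build_sample_mbr()
    for part in parse_mbr(sample):
        flag = "80 (A)" if part.bootable else "00"
        print(f"Partition {part.index} {flag} {part.type_id:02X} "
              f"{part.size_mb} MB offset {part.start_lba}")
    print("MD5:", mbr_md5(sample))
    print("discrepancies:", compare_with_log(parse_mbr(sample)) or "none")
```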

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:16 AM

Posted 06 November 2012 - 02:18 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 mn_sailor

mn_sailor
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Gender:Male
  • Location:Ham Lake, MN
  • Local time:02:16 AM

Posted 06 November 2012 - 09:14 AM

Hi Gringo,

The computer seems fine. I think it is much more responsive than it was before it crashed. And the data all seems to be OK.

mn_sailor

ComboFix from script:

***************************

ComboFix 12-11-05.03 - BRENT 11/06/2012 2:58.2.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.894.332 [GMT -6:00]
Running from: c:\users\BRENT\Desktop\ComboFix.exe
Command switches used :: c:\users\BRENT\Desktop\CFScript.txt
AV: Panda Cloud Antivirus *Disabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: Panda Cloud Antivirus *Disabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-06 to 2012-11-06 )))))))))))))))))))))))))))))))
.
.
2012-11-06 09:15 . 2012-11-06 09:15 -------- d-----w- c:\users\BRENT\AppData\Local\temp
2012-11-06 09:15 . 2012-11-06 09:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-04 23:08 . 2012-09-30 01:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-04 22:51 . 2012-10-17 07:32 6918632 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B4656132-EDD6-4582-88F1-670ED1CA333C}\mpengine.dll
2012-11-04 16:15 . 2012-11-04 16:16 269746176 ----a-w- C:\bst5.tmp
2012-10-10 13:32 . 2012-06-02 00:02 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 13:32 . 2012-06-02 00:02 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 13:32 . 2012-06-02 00:02 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 13:32 . 2012-08-24 15:53 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-10-10 13:31 . 2012-09-13 13:28 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-10 13:31 . 2012-08-29 11:27 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 13:31 . 2012-08-29 11:27 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-24 06:59 . 2012-09-23 17:59 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-09-23 17:59 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-09-23 17:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-09-23 17:59 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-09-23 17:59 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-09-23 17:59 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"OurPictures"="c:\program files\RitzPix E-Z Print & Share\OurPictures.exe" [2005-10-06 4370432]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-17 98304]
"DPService"="c:\program files\HP\DVDPlay\DPService.exe" [2007-12-18 90112]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-07 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-07 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-02 44168]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
D-Link REG Utility.lnk - c:\program files\DWL-G520M Wireless 108G MIMO PCI Adapter\Reg.exe [2009-6-28 28672]
DWL-G520M Wireless 108G MIMO PCI Adapter Utility.lnk - c:\program files\DWL-G520M Wireless 108G MIMO PCI Adapter\AIRPLUS.exe [2009-6-28 659456]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 95812194
*NewlyCreated* - ASWMBR
*Deregistered* - 95812194
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 10.10.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-06 03:15
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1716)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
Completion time: 2012-11-06 03:19:49
ComboFix-quarantined-files.txt 2012-11-06 09:19
ComboFix2.txt 2012-11-06 06:21
.
Pre-Run: 168,046,313,472 bytes free
Post-Run: 168,181,432,320 bytes free
.
- - End Of File - - 53E02EDD0F50D68423976B533FE2E258

#12 gringo_pr (Bleepin Gringo; Malware Response Team; 136,772 posts; Puerto Rico)

Posted 06 November 2012 - 11:31 AM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using Add/Remove or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

Adobe Reader 8.1.3
Giant Savings
J2SE Runtime Environment 5.0 Update 11
Java™ 6 Update 22
Java™ 6 Update 26
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot fewer resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select "Run as administrator".

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 mn_sailor (Topic Starter; Members; 67 posts; Ham Lake, MN)

Posted 06 November 2012 - 01:10 PM

Thanks Gringo.

I'm at work now, but I will do these next steps when I return home tonight.

mn_sailor

#14 gringo_pr (Bleepin Gringo; Malware Response Team; 136,772 posts; Puerto Rico)

Posted 06 November 2012 - 01:37 PM

see you then


gringo

#15 mn_sailor (Topic Starter; Members; 67 posts; Ham Lake, MN)

Posted 07 November 2012 - 01:15 AM

Hi Gringo,

It took a little while (with breaks to watch election coverage), but I removed the programs you suggested, installed the latest Adobe Reader and Java software, cleaned the system with CCleaner, re-ran MBAM, and created a HijackThis log.

The logs are below. The computer seems to be working fine.

mn_sailor

******************

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.07.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
BRENT :: BRENT-PC [administrator]

11/6/2012 11:33:14 PM
mbam-log-2012-11-06 (23-33-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 194705
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

****************

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:05:32 AM, on 11/7/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16450)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DWL-G520M Wireless 108G MIMO PCI Adapter\AIRPLUS.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\BRENT\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DPService] "C:\Program Files\HP\DVDPlay\DPService.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PSUNMain] "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: D-Link REG Utility.lnk = C:\Program Files\DWL-G520M Wireless 108G MIMO PCI Adapter\Reg.exe
O4 - Global Startup: DWL-G520M Wireless 108G MIMO PCI Adapter Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\Windows\system32\acs.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: Panda Cloud Antivirus Service (NanoServiceMain) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

--
End of file - 5275 bytes
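As a worked example that is not part of the original thread (the code below is an added illustration, not HijackThis's own logic and not anything Gringo or mn_sailor posted): a small Python triage pass over a HijackThis log of the kind posted in #15, applying the checks that Gringo's instructions in #12 imply. It flags autostart entries that run from user-writable or unusual locations, entries that still point into the Adobe Reader 8 and Java 5/6 directories the poster was told to uninstall, services that report no publisher, and IE start/search pages pointing at a host other than the ones the posted log shows. The sample log is a constructed excerpt: most lines are copied from the posted log, while the `Temp\svhost.exe` Run entry, the `.invalid` search page and the Reader 8.0 Run entry (rebuilt in HijackThis form from the ComboFix output above) are made up so that every rule fires. The trusted roots, known hosts and stale-directory lists are this example's assumptions for this particular HP machine, not general truths.

```python
"""Triage a HijackThis log: flag the autostart, BHO, service and IE-URL entries
an analyst would look at first.  Added example; the rules are this example's
own heuristics, not HijackThis logic, and the lists below are assumptions."""
import re
from urllib.parse import urlparse

# Assumption: an installed program lives under one of these roots
# (c:\hp is the OEM support directory on the Pavilion in the thread).
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows", "c:\\hp")
# Directories any user can write to; malware favours them for persistence.
WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\users\\", "\\programdata\\")
# Runtime directories the thread has the poster uninstall (Reader 8, Java 5/6).
STALE_RUNTIME_DIRS = ("\\adobe\\reader 8.0\\", "\\java\\jre6\\", "\\java\\jre1.5")
# Hosts the posted log shows for an untouched IE on this HP machine.
KNOWN_URL_HOSTS = ("go.microsoft.com", "ie.redirect.hp.com", "www.google.com")

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^=]+) = ?(?P<url>\S*)$")
# First token that ends in an executable extension (handles unquoted paths with spaces).
EXE_EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|cpl|bat|cmd|vbs|js))\b", re.I)


def target_path(cmd):
    """File an O4 command really executes: the quoted or first executable
    token, or the DLL argument when the launcher is rundll32."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, rest = cmd[1:].split('"', 1)
    else:
        m = EXE_EXT_RE.match(cmd)
        exe, rest = (m.group(1), cmd[m.end():]) if m else (cmd, "")
    if exe.lower().endswith("rundll32.exe"):
        return rest.strip().split(",")[0].strip('" ')
    return exe


def path_flag(path):
    """Reason to review a binary path, or None if it looks ordinary."""
    p = path.strip().lower().replace("%windir%", "c:\\windows")
    if p in ("", "?"):
        return "shortcut target could not be resolved"
    if any(d in p for d in STALE_RUNTIME_DIRS):
        return "belongs to a runtime version that should have been removed"
    if any(h in p for h in WRITABLE_HINTS):
        return "runs from a user-writable location"
    if "\\" not in p:
        return "bare filename, resolved through the search path at logon"
    if not p.startswith(TRUSTED_ROOTS):
        return "outside the usual program directories"
    return None


def triage(log_text):
    """Return [(line, reason)] for every entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = None
        if m := O4_RE.match(line):
            cmd = m.group("cmd")
            if m.group("where") == "Global Startup":      # "name.lnk = target"
                target = cmd.split(" = ", 1)[1] if " = " in cmd else cmd
            else:
                target = target_path(cmd)
            reason = path_flag(target)
        elif m := O23_RE.match(line):
            reason = ("service binary carries no publisher information"
                      if m.group("owner") == "Unknown owner"
                      else path_flag(m.group("path")))
        elif m := O2_RE.match(line):
            reason = path_flag(m.group("path"))
        elif m := R_RE.match(line):
            host = urlparse(m.group("url")).hostname if m.group("url") else None
            if host and host not in KNOWN_URL_HOSTS:
                reason = "start/search page points at an unexpected host"
        if reason:
            findings.append((line, reason))
    return findings


# Constructed excerpt: mostly lines from the posted log, plus the Reader 8.0
# entry, the Temp\svhost.exe entry and the .invalid search page, which are
# made up so that every rule above fires.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hijack-example.invalid/?q=
O2 - BHO: Java(TM) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [PSUNMain] "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [svhost] "C:\Users\BRENT\AppData\Local\Temp\svhost.exe" /s
O4 - Global Startup: D-Link REG Utility.lnk = C:\Program Files\DWL-G520M Wireless 108G MIMO PCI Adapter\Reg.exe
O4 - Global Startup: DWL-G520M Wireless 108G MIMO PCI Adapter Utility.lnk = ?
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\Windows\system32\acs.exe
O23 - Service: Panda Cloud Antivirus Service (NanoServiceMain) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"[{why}]\n    {entry}")
```

A flag is a prompt to go and verify the file (publisher, hash, on-disk location), not a verdict; Gringo's warning about the Analyze This button applies just as much to a script like this, and the thread itself shows that an entry with an unknown owner or a bare filename can be an ordinary vendor component.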



