
100% CPU renders machine useless...I NEED HELP!


This topic is locked. 36 replies to this topic.

#1 ConMe (Members; Orange County, California, USA)

Posted 09 November 2012 - 02:57 PM

Hello, and advance appreciation for your time and guidance. Affected machine is an HP Compaq 6710b Notebook PC with an Intel Core 2 Duo T7250 @ 2.00GHz running Windows 7 Ultimate 32-bit. 4GB RAM, 8000MB+ virtual, 75GB HD w/ 3 partitions (100MB, created automatically during the partitioning phase of installation and thereafter hidden and inaccessible; 26.?GB C: & 48.?GB D:). Running Microsoft Security Essentials, updated and scanned multiple times a day for nearly 2 years without a hiccup. That is, until the end of beginning of September. One day, all of a sudden, no warnings, CPU was at 100% and would not let up.

Knowing just enough about computers to make me dangerous, paired with an "I grew up on MacGyver" sense of solution, I figured I could get that machine going in a day....2 days max! I'm smart, inquisitive, driven, no problem. Yeah, I have a degree from UCLA...in history. I'm a Union Steamfitter and Welder by trade, what the F&%$@! was I thinking. So I go to BestBuy (9/12) and purchase a new laptop to investigate how to fix the old laptop and to finish researching, developing, and packaging a business proposal with a deadline I was slamming together. So here I am, committing every waking hour to multitasking these 2 priorities like a gosh dang Crackhead/Tweaker. Hours, upon hours, upon countless hours of Proposal...Solution...Proposal...Solution.

Then one afternoon, about a week later and 2 days shy of my presentation, I get up from the couch where I've been posted up for the last 72 hours straight to make lunch in the kitchen. So I get everything together and pig out, then go outside to smoke, and head back in to destroy the bathroom! Return to the kitchen to eat more and more, then back outside to smoke again and think HEY, that scan's probably done and can get the n, and both desktops are empty with the exception of the Recycle Bin.

I had crap all over the desktops, and on the new one had put a pic of me holding my victorious 4-year-old son up in the air after a soccer match, GONE! As it ends up, pretty much on both laptops, all my folders were there, but all my files within those folders, GONE. BYE BYE! Maybe they were there hidden somewhere, but I couldn't find them, and trust me, I spent like the next 72 hours straight trying. It was then I discovered a whole other thing going on, and a lot more personal than an old laptop being maxed out and rendered useless. I discovered this whole web that was spun about the new laptop that involved remote connections, Task Scheduler, Backup and Restore, tunneling, my webcam and microphone. Basically any new or changed items and everything along the way was being gathered, compressed, stored, and waiting for the remote connection to pick up the goods. So that was when I began what is now a long chain of clean/custom installs, and as soon as they were done installing and I set up a new account and logged on (trigger), and I still don't know how (BIOS?), BAM! Task Scheduler was already sending out crap (action). So after countless hours, two brand new/then destroyed laptops, the original laptop, a busted ego, and neighbors that fear me....I throw in the towel, turn it over to the experts, and ask for help.
So you're looking at pretty much a clean install of Windows 7 Ultimate 32-bit SP1. And of course, 100% CPU. No other updates have been installed (I've tried automatic Updates and I get about 3 files at a time and it takes literally 6-8 hours to get those).
What I have done though is the following:
-Cleaned the laptop internally and externally, bought canned air from Costco & handled it.
-My web browser has no toolbars, no BHO's and minimal add-ons, maybe two.
-I've run Disk Cleanup
-I've run CCleaner
-I've analyzed the hard drives but didn't defragment, as the drives were 0%, 1%, and 4% fragmented.
-I've run CHKDSK /f
-I've run SFC /SCANNOW
-I've configured Win7 services per Black Viper's "Safe" platform w/ a few of the "tweaked" (which did drop CPU down for a short while, then something else takes over)
-Microsoft Security Essentials is installed, updated, and active.
-no backup, as there is nothing on the laptop I want.
-Crap...... and would love to eventually make sure the following are clean
3TB Seagate Expansion Drive
2TB Western Digital MyBookLive!
1TB Seagate GoFlex Drive
3 x 32GB Corsair Voyager Flash Drives
-I am getting ready to run Defogger, DDS, and Gmer.

Defogger done.

DDS done, see attached log (attach.txt) and copied log as follows:


DDS (Ver_2012-11-05.02) - NTFS_x86
Internet Explorer: 8.0.7601.17514
Run by BROKEN at 1:15:05 on 2012-11-09
#Option MBR scan is disabled.
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3063.2411 [GMT -8:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]
.
=============== Created Last 30 ================
.
2012-11-08 19:30:39 388096 ----a-r- c:\users\broken\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-11-08 19:29:40 -------- d-----w- c:\program files\Trend Micro
2012-11-08 17:35:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-11-08 17:29:52 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-11-08 17:29:48 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-11-08 17:21:25 740784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{9ba55e2f-80c4-424a-a966-61507e9e2a0a}\gapaengine.dll
2012-11-08 17:15:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-11-08 17:03:04 6918632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e29c2d13-ee6d-463f-8e67-8118964096ee}\mpengine.dll
2012-11-08 16:45:17 -------- d-----w- c:\program files\Microsoft Security Client
2012-11-08 14:02:40 -------- d-sh--w- c:\windows\Installer
2012-11-08 13:21:16 -------- d-----w- c:\users\broken\appdata\local\VirtualStore
2012-11-08 13:18:06 -------- d-sh--w- C:\Recovery
2012-11-08 12:09:10 -------- d-----w- c:\windows\Panther
.
==================== Find3M ====================
.
2012-08-31 06:03:50 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-31 06:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
============= FINISH: 1:20:39.69 ===========



Gmer done, see attached log: ark.txt

Thanks again for your involvement, I look forward to your comments.

Edited by ConMe, 09 November 2012 - 03:19 PM.



#2 gringo_pr (Bleepin Gringo; Malware Response Team; Puerto Rico)

Posted 09 November 2012 - 05:22 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 ConMe (Topic Starter)

Posted 09 November 2012 - 11:33 PM

Thanks for getting involved right away, I appreciate your help. I am so looking forward to resolving this situation. Please let me know if there is anything else I can do or contribute from MY SIDE to make this process go smoothly and ultimately successfully. Sorry for the initial delay in immediately responding, my cell phone was somehow on mute and I didn't hear the email notifications going off. FYI...I'm communicating with you on a different computer than the one we're troubleshooting. My process is: read what you have to say, download applications involved with the process, burn to disc (DVD), load into the infected computer and carry out directions exactly as outlined, burn any logs to DVD, load in the non-infected computer and attach to my response. If this is okay, great. If not, let me know what to do.

Attached please find the following logs

1) Security Check: 1 log attached (checkup.txt)

2) AdwCleaner: 1 log attached (AdwCleanerS1.txt)

3) RogueKiller: 2 logs attached (for whatever reason, it produced 2 logs upon restart that were 3 seconds apart): RKreport1_S_11092012_02d1914.txt and RKreport2_D_11092012_02d1917.txt

MY 2cents: steps provided were easy to understand and exactly what were required to carryout outlined goals. Applications were user friendly and simple to use. After last reboot before compiling this response, computer is still running at 100% CPU.

Thanks again and I look forward to the next step.

Chris

#4 gringo_pr (Malware Response Team)

Posted 09 November 2012 - 11:44 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#5 ConMe (Topic Starter)

Posted 10 November 2012 - 01:41 AM

So I downloaded Combofix and burnt it to DVD.

Tried to delete the program and log icons from the last step and it just hangs and hangs at "preparing to recycle" / "Discovering items"; a Windows Explorer window keeps popping up with "not responding, should it restart or wait for the application to respond".

That's when I noticed there was a whole bunch of weird stuff going on....

Suddenly there are a bunch of new icons on my desktop

1) Computer - scared to do anything to it

2) Folder named BROKEN, which is my user name. It is the folder associated with a new library that has been created along with the normal Documents, Pictures, Videos, and Music libraries. It is a library under Computer, not under User. Launched Task Manager > Applications to end task of the file deletion and see an icon "sharing ??????" (???? are not part of the name, I really forget what the rest was named). That ended quickly and properly while the other items are still hung up and cracked out. So I go to the BROKEN library to see who it is sharing with and it says "WWW/BleepingComputer/Gringo/homepc"....Just kidding! The desktop froze up on me and shut down.

.
3) Folder named RK_Quarantine. It has the following 5 items within:

a) Quarantine Report
b) PhysicalDrive0_User.dat
c) NewStartPanel_{20D04FE0-0.......
d) NewStartPanel_{59031a47-0.......
e) EULA



New Icons in start menu: Calculator, Snipping Tool, Sticky Notes, Paint, and Magnifier.

CRAZINESS!

Launching Combofix, Gonna go grab In-N-Out while that runs, I'll be back in 30mins

THANK YOU!

#6 gringo_pr (Malware Response Team)

Posted 10 November 2012 - 01:51 AM

Hello

#2 is normal and was done by ComboFix, but will get cleared when it runs to completion.

#3 is normal, and those icons are normal icons also.

OK, let's try this: I want you to run ComboFix in Safe Mode, but it is very important that when ComboFix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.

after combofix has finished its scan please post the report back here.

Gringo

#7 ConMe (Topic Starter)

Posted 10 November 2012 - 02:49 AM

I started running ComboFix before I left to grab In-n-Out, just got back and it's at Completed Stage_7. All that stuff that was going on was before I had even put the disk with ComboFix into the affected/infected computer. Would RogueKiller, Security Check, or AdwCleaner have created a Library folder, or Computer icon? Yes, the RK_Quarantine folder, but the other two?

ComboFix update....Completed Stage_10.

In the top of the Combofix AutoScan window it says "typically doesn't take longer than 10 minutes However, scan times for infected machines may easily double". This scan has been going for about 55-60 mins and is now at stage 16, with 30+stages to go.... Is that fairly typical?

Thanks again! Would have grabbed you In-n-Out if you were local, but it would have got cold by the time I got it to you in Puerto Rico...or even have gone Bad!!!

#8 ConMe (Topic Starter)

Posted 10 November 2012 - 05:57 AM

Hello there.

Combofix just finished. It took over 3 hrs in Normal Mode. Yikes!

Here's the log

ComboFix 12-11-09.02 - BROKEN 11/09/2012 23:06:06.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3063.2429 [GMT -8:00]
Running from: c:\users\BROKEN\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-10 to 2012-11-10 )))))))))))))))))))))))))))))))
.
.
2012-11-10 08:37 . 2012-11-10 08:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-10 04:39 . 2012-08-08 00:18 740784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-11-10 04:38 . 2012-08-08 00:18 740784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FEA9286C-05A3-421A-8118-5C5AFEA99330}\gapaengine.dll
2012-11-10 04:28 . 2012-10-17 09:32 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BB886A10-911B-4E1C-8225-CC756CCC0FF7}\mpengine.dll
2012-11-10 04:20 . 2012-10-17 09:32 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-09 23:42 . 2012-11-09 23:43 -------- d-----w- c:\windows\system32\Wat
2012-11-08 17:35 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-11-08 17:35 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-11-08 17:35 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-11-08 17:35 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-11-08 17:31 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-11-08 17:31 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-11-08 17:31 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-11-08 17:29 . 2012-06-02 23:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-11-08 17:29 . 2012-06-02 23:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-11-08 17:15 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-11-08 16:45 . 2012-11-08 16:52 -------- d-----w- c:\program files\Microsoft Security Client
2012-11-08 14:02 . 2012-11-10 01:39 -------- d-sh--w- c:\windows\Installer
2012-11-08 13:20 . 2012-11-10 00:53 -------- d-----w- c:\users\BROKEN
2012-11-08 13:18 . 2012-11-08 13:18 -------- d-----w- C:\Recovery
2012-11-08 12:09 . 2012-11-08 13:18 -------- d-----w- c:\windows\Panther
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-31 06:03 . 2012-08-31 06:03 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-31 06:03 . 2012-08-31 06:03 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2012-11-10 01:14:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-10 09:13
.
Pre-Run: 14,678,138,880 bytes free
Post-Run: 14,644,686,848 bytes free
.
- - End Of File - - 14F5E1772132A99F665614F39C0967FE


Thanks so much for taking a look at this log and figuring out what we do next.

I eagerly await your direction.

Chris

Edited by ConMe, 10 November 2012 - 06:25 AM.


#9 gringo_pr (Malware Response Team)

Posted 10 November 2012 - 06:06 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

#10 ConMe (Topic Starter)

Posted 10 November 2012 - 09:31 AM

Hello and Thank You Gringo for your valuable time and wisdom.

I ran both the outlined programs without issue.

Here is the TDSSKiller log

04:34:20.0589 1648 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
04:34:21.0213 1648 ============================================================
04:34:21.0213 1648 Current date / time: 2012/11/10 04:34:21.0213
04:34:21.0213 1648 SystemInfo:
04:34:21.0213 1648
04:34:21.0213 1648 OS Version: 6.1.7601 ServicePack: 1.0
04:34:21.0213 1648 Product type: Workstation
04:34:21.0229 1648 ComputerName: BROKEN-PC
04:34:21.0244 1648 UserName: BROKEN
04:34:21.0244 1648 Windows directory: C:\Windows
04:34:21.0244 1648 System windows directory: C:\Windows
04:34:21.0244 1648 Processor architecture: Intel x86
04:34:21.0244 1648 Number of processors: 2
04:34:21.0244 1648 Page size: 0x1000
04:34:21.0244 1648 Boot type: Normal boot
04:34:21.0244 1648 ============================================================
04:34:34.0364 1648 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
04:34:34.0426 1648 ============================================================
04:34:34.0426 1648 \Device\Harddisk0\DR0:
04:34:34.0426 1648 MBR partitions:
04:34:34.0426 1648 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
04:34:34.0426 1648 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x348A000
04:34:34.0442 1648 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x34BC800, BlocksNum 0x6052800
04:34:34.0442 1648 ============================================================
04:34:34.0473 1648 C: <-> \Device\Harddisk0\DR0\Partition2
04:34:34.0535 1648 D: <-> \Device\Harddisk0\DR0\Partition3
04:34:34.0551 1648 ============================================================
04:34:34.0551 1648 Initialize success
04:34:34.0551 1648 ============================================================
04:34:44.0348 1788 ============================================================
04:34:44.0348 1788 Scan started
04:34:44.0379 1788 Mode: Manual;
04:34:44.0395 1788 ============================================================
04:34:45.0767 1788 ================ Scan system memory ========================
04:34:45.0783 1788 System memory - ok
04:34:45.0783 1788 ================ Scan services =============================
04:34:46.0828 1788 [ 1B133875B8AA8AC48969BD3458AFE9F5 ] 1394ohci C:\Windows\system32\drivers\1394ohci.sys
04:34:46.0891 1788 1394ohci - ok
04:34:47.0125 1788 [ CEA80C80BED809AA0DA6FEBC04733349 ] ACPI C:\Windows\system32\drivers\ACPI.sys
04:34:47.0203 1788 ACPI - ok
04:34:47.0390 1788 [ 1EFBC664ABFF416D1D07DB115DCB264F ] AcpiPmi C:\Windows\system32\drivers\acpipmi.sys
04:34:47.0421 1788 AcpiPmi - ok
04:34:47.0717 1788 [ 21E785EBD7DC90A06391141AAC7892FB ] adp94xx C:\Windows\system32\drivers\adp94xx.sys
04:34:47.0905 1788 adp94xx - ok
04:34:48.0170 1788 [ 0C676BC278D5B59FF5ABD57BBE9123F2 ] adpahci C:\Windows\system32\drivers\adpahci.sys
04:34:48.0263 1788 adpahci - ok
04:34:48.0513 1788 [ 7C7B5EE4B7B822EC85321FE23A27DB33 ] adpu320 C:\Windows\system32\drivers\adpu320.sys
04:34:48.0575 1788 adpu320 - ok
04:34:48.0950 1788 [ 8B5EEFEEC1E6D1A72A06C526628AD161 ] AeLookupSvc C:\Windows\System32\aelupsvc.dll
04:34:48.0981 1788 AeLookupSvc - ok
04:34:49.0231 1788 [ 1151FD4FB0216CFED887BFDE29EBD516 ] AFD C:\Windows\system32\drivers\afd.sys
04:34:49.0371 1788 AFD - ok
04:34:49.0964 1788 [ 7E10E3BB9B258AD8A9300F91214D67B9 ] AgereSoftModem C:\Windows\system32\DRIVERS\AGRSM.sys
04:34:50.0229 1788 AgereSoftModem - ok
04:34:50.0463 1788 [ 507812C3054C21CEF746B6EE3D04DD6E ] agp440 C:\Windows\system32\drivers\agp440.sys
04:34:50.0525 1788 agp440 - ok
04:34:50.0806 1788 [ 8B30250D573A8F6B4BD23195160D8707 ] aic78xx C:\Windows\system32\drivers\djsvs.sys
04:34:50.0853 1788 aic78xx - ok
04:34:51.0212 1788 [ 18A54E132947CD98FEA9ACCC57F98F13 ] ALG C:\Windows\System32\alg.exe
04:34:51.0290 1788 ALG - ok
04:34:51.0524 1788 [ 0D40BCF52EA90FC7DF2AEAB6503DEA44 ] aliide C:\Windows\system32\drivers\aliide.sys
04:34:51.0555 1788 aliide - ok
04:34:51.0773 1788 [ 3C6600A0696E90A463771C7422E23AB5 ] amdagp C:\Windows\system32\drivers\amdagp.sys
04:34:51.0820 1788 amdagp - ok
04:34:52.0023 1788 [ CD5914170297126B6266860198D1D4F0 ] amdide C:\Windows\system32\drivers\amdide.sys
04:34:52.0054 1788 amdide - ok
04:34:52.0366 1788 [ 00DDA200D71BAC534BF56A9DB5DFD666 ] AmdK8 C:\Windows\system32\drivers\amdk8.sys
04:34:52.0397 1788 AmdK8 - ok
04:34:52.0850 1788 [ 3CBF30F5370FDA40DD3E87DF38EA53B6 ] AmdPPM C:\Windows\system32\drivers\amdppm.sys
04:34:52.0881 1788 AmdPPM - ok
04:34:53.0224 1788 [ E7F4D42D8076EC60E21715CD11743A0D ] amdsata C:\Windows\system32\drivers\amdsata.sys
04:34:53.0271 1788 amdsata - ok
04:34:53.0614 1788 [ EA43AF0C423FF267355F74E7A53BDABA ] amdsbs C:\Windows\system32\drivers\amdsbs.sys
04:34:53.0661 1788 amdsbs - ok
04:34:53.0989 1788 [ 146459D2B08BFDCBFA856D9947043C81 ] amdxata C:\Windows\system32\drivers\amdxata.sys
04:34:54.0004 1788 amdxata - ok
04:34:54.0332 1788 [ AEA177F783E20150ACE5383EE368DA19 ] AppID C:\Windows\system32\drivers\appid.sys
04:34:54.0363 1788 AppID - ok
04:34:54.0659 1788 [ 62A9C86CB6085E20DB4823E4E97826F5 ] AppIDSvc C:\Windows\System32\appidsvc.dll
04:34:54.0691 1788 AppIDSvc - ok
04:34:55.0034 1788 [ FB1959012294D6AD43E5304DF65E3C26 ] Appinfo C:\Windows\System32\appinfo.dll
04:34:55.0065 1788 Appinfo - ok
04:34:55.0393 1788 [ A45D184DF6A8803DA13A0B329517A64A ] AppMgmt C:\Windows\System32\appmgmts.dll
04:34:55.0455 1788 AppMgmt - ok
04:34:55.0767 1788 [ 2932004F49677BD84DBC72EDB754FFB3 ] arc C:\Windows\system32\drivers\arc.sys
04:34:55.0798 1788 arc - ok
04:34:56.0266 1788 [ 5D6F36C46FD283AE1B57BD2E9FEB0BC7 ] arcsas C:\Windows\system32\drivers\arcsas.sys
04:34:56.0329 1788 arcsas - ok
04:34:56.0547 1788 [ ADD2ADE1C2B285AB8378D2DAAF991481 ] AsyncMac C:\Windows\system32\DRIVERS\asyncmac.sys
04:34:56.0578 1788 AsyncMac - ok
04:34:56.0781 1788 [ 338C86357871C167A96AB976519BF59E ] atapi C:\Windows\system32\drivers\atapi.sys
04:34:56.0812 1788 atapi - ok
04:34:57.0155 1788 [ CE3B4E731638D2EF62FCB419BE0D39F0 ] AudioEndpointBuilder C:\Windows\System32\Audiosrv.dll
04:34:57.0296 1788 AudioEndpointBuilder - ok
04:34:57.0592 1788 [ CE3B4E731638D2EF62FCB419BE0D39F0 ] Audiosrv C:\Windows\System32\Audiosrv.dll
04:34:57.0733 1788 Audiosrv - ok
04:34:57.0951 1788 [ 6E30D02AAC9CAC84F421622E3A2F6178 ] AxInstSV C:\Windows\System32\AxInstSV.dll
04:34:58.0013 1788 AxInstSV - ok
04:34:58.0294 1788 [ 1A231ABEC60FD316EC54C66715543CEC ] b06bdrv C:\Windows\system32\drivers\bxvbdx.sys
04:34:58.0435 1788 b06bdrv - ok
04:34:58.0747 1788 [ BD8869EB9CDE6BBE4508D869929869EE ] b57nd60x C:\Windows\system32\DRIVERS\b57nd60x.sys
04:34:58.0825 1788 b57nd60x - ok
04:34:59.0230 1788 [ EE1E9C3BB8228AE423DD38DB69128E71 ] BDESVC C:\Windows\System32\bdesvc.dll
04:34:59.0277 1788 BDESVC - ok
04:34:59.0527 1788 [ 505506526A9D467307B3C393DEDAF858 ] Beep C:\Windows\system32\drivers\Beep.sys
04:34:59.0542 1788 Beep - ok
04:34:59.0854 1788 [ 1E2BAC209D184BB851E1A187D8A29136 ] BFE C:\Windows\System32\bfe.dll
04:35:00.0010 1788 BFE - ok
04:35:00.0463 1788 [ E585445D5021971FAE10393F0F1C3961 ] BITS C:\Windows\system32\qmgr.dll
04:35:00.0697 1788 BITS - ok
04:35:00.0915 1788 [ 2287078ED48FCFC477B05B20CF38F36F ] blbdrive C:\Windows\system32\DRIVERS\blbdrive.sys
04:35:00.0993 1788 blbdrive - ok
04:35:01.0180 1788 [ FCAFAEF6798D7B51FF029F99A9898961 ] bowser C:\Windows\system32\DRIVERS\bowser.sys
04:35:01.0227 1788 bowser - ok
04:35:01.0445 1788 [ 9F9ACC7F7CCDE8A15C282D3F88B43309 ] BrFiltLo C:\Windows\system32\drivers\BrFiltLo.sys
04:35:01.0477 1788 BrFiltLo - ok
04:35:01.0726 1788 [ 56801AD62213A41F6497F96DEE83755A ] BrFiltUp C:\Windows\system32\drivers\BrFiltUp.sys
04:35:01.0757 1788 BrFiltUp - ok
04:35:01.0945 1788 [ 77361D72A04F18809D0EFB6CCEB74D4B ] BridgeMP C:\Windows\system32\DRIVERS\bridge.sys
04:35:02.0023 1788 BridgeMP - ok
04:35:02.0272 1788 [ 6E11F33D14D020F58D5E02E4D67DFA19 ] Browser C:\Windows\System32\browser.dll
04:35:02.0319 1788 Browser - ok
04:35:02.0662 1788 [ 845B8CE732E67F3B4133164868C666EA ] Brserid C:\Windows\System32\Drivers\Brserid.sys
04:35:02.0772 1788 Brserid - ok
04:35:02.0974 1788 [ 203F0B1E73ADADBBB7B7B1FABD901F6B ] BrSerWdm C:\Windows\System32\Drivers\BrSerWdm.sys
04:35:03.0021 1788 BrSerWdm - ok
04:35:03.0177 1788 [ BD456606156BA17E60A04E18016AE54B ] BrUsbMdm C:\Windows\System32\Drivers\BrUsbMdm.sys
04:35:03.0208 1788 BrUsbMdm - ok
04:35:03.0458 1788 [ AF72ED54503F717A43268B3CC5FAEC2E ] BrUsbSer C:\Windows\System32\Drivers\BrUsbSer.sys
04:35:03.0489 1788 BrUsbSer - ok
04:35:03.0598 1788 [ ED3DF7C56CE0084EB2034432FC56565A ] BTHMODEM C:\Windows\system32\drivers\bthmodem.sys
04:35:03.0630 1788 BTHMODEM - ok
04:35:03.0926 1788 [ 1DF19C96EEF6C29D1C3E1A8678E07190 ] bthserv C:\Windows\system32\bthserv.dll
04:35:03.0973 1788 bthserv - ok
04:35:04.0129 1788 catchme - ok
04:35:04.0472 1788 [ 77EA11B065E0A8AB902D78145CA51E10 ] cdfs C:\Windows\system32\DRIVERS\cdfs.sys
04:35:04.0503 1788 cdfs - ok
04:35:04.0784 1788 [ BE167ED0FDB9C1FA1133953C18D5A6C9 ] cdrom C:\Windows\system32\DRIVERS\cdrom.sys
04:35:04.0846 1788 cdrom - ok
04:35:05.0065 1788 [ 319C6B309773D063541D01DF8AC6F55F ] CertPropSvc C:\Windows\System32\certprop.dll
04:35:05.0127 1788 CertPropSvc - ok
04:35:05.0361 1788 [ 3FE3FE94A34DF6FB06E6418D0F6A0060 ] circlass C:\Windows\system32\drivers\circlass.sys
04:35:05.0408 1788 circlass - ok
04:35:05.0673 1788 [ 635181E0E9BBF16871BF5380D71DB02D ] CLFS C:\Windows\system32\CLFS.sys
04:35:05.0767 1788 CLFS - ok
04:35:06.0063 1788 [ D88040F816FDA31C3B466F0FA0918F29 ] clr_optimization_v2.0.50727_32 C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
04:35:06.0126 1788 clr_optimization_v2.0.50727_32 - ok
04:35:06.0360 1788 [ DEA805815E587DAD1DD2C502220B5616 ] CmBatt C:\Windows\system32\DRIVERS\CmBatt.sys
04:35:06.0391 1788 CmBatt - ok
04:35:06.0656 1788 [ C537B1DB64D495B9B4717B4D6D9EDBF2 ] cmdide C:\Windows\system32\drivers\cmdide.sys
04:35:06.0765 1788 cmdide - ok
04:35:07.0108 1788 [ 1B675691ED940766149C93E8F4488D68 ] CNG C:\Windows\system32\Drivers\cng.sys
04:35:07.0249 1788 CNG - ok
04:35:07.0467 1788 [ A6023D3823C37043986713F118A89BEE ] Compbatt C:\Windows\system32\DRIVERS\compbatt.sys
04:35:07.0498 1788 Compbatt - ok
04:35:07.0732 1788 [ CBE8C58A8579CFE5FCCF809E6F114E89 ] CompositeBus C:\Windows\system32\DRIVERS\CompositeBus.sys
04:35:07.0764 1788 CompositeBus - ok
04:35:07.0998 1788 COMSysApp - ok
04:35:08.0356 1788 [ 2C4EBCFC84A9B44F209DFF6C6E6C61D1 ] crcdisk C:\Windows\system32\drivers\crcdisk.sys
04:35:08.0388 1788 crcdisk - ok
04:35:08.0778 1788 [ A585BEBF7D054BD9618EDA0922D5484A ] CryptSvc C:\Windows\system32\cryptsvc.dll
04:35:08.0871 1788 CryptSvc - ok
04:35:09.0183 1788 [ 3C2177A897B4CA2788C6FB0C3FD81D4B ] CSC C:\Windows\system32\drivers\csc.sys
04:35:09.0324 1788 CSC - ok
04:35:09.0885 1788 [ 15F93B37F6801943360D9EB42485D5D3 ] CscService C:\Windows\System32\cscsvc.dll
04:35:10.0088 1788 CscService - ok
04:35:10.0540 1788 [ 7660F01D3B38ACA1747E397D21D790AF ] DcomLaunch C:\Windows\system32\rpcss.dll
04:35:10.0728 1788 DcomLaunch - ok
04:35:11.0024 1788 [ 8D6E10A2D9A5EED59562D9B82CF804E1 ] defragsvc C:\Windows\System32\defragsvc.dll
04:35:11.0149 1788 defragsvc - ok
04:35:11.0352 1788 [ F024449C97EC1E464AAFFDA18593DB88 ] DfsC C:\Windows\system32\Drivers\dfsc.sys
04:35:11.0398 1788 DfsC - ok
04:35:11.0695 1788 [ E9E01EB683C132F7FA27CD607B8A2B63 ] Dhcp C:\Windows\system32\dhcpcore.dll
04:35:11.0882 1788 Dhcp - ok
04:35:12.0116 1788 [ 1A050B0274BFB3890703D490F330C0DA ] discache C:\Windows\system32\drivers\discache.sys
04:35:12.0147 1788 discache - ok
04:35:12.0350 1788 [ 565003F326F99802E68CA78F2A68E9FF ] Disk C:\Windows\system32\drivers\disk.sys
04:35:12.0366 1788 Disk - ok
04:35:12.0631 1788 [ 2A958EF85DB1B61FFCA65044FA4BCE9E ] dmvsc C:\Windows\system32\drivers\dmvsc.sys
04:35:12.0693 1788 dmvsc - ok
04:35:12.0958 1788 [ 2FE30D71919C51131405797620E0A714 ] Dnscache C:\Windows\System32\dnsrslvr.dll
04:35:13.0068 1788 Dnscache - ok
04:35:13.0302 1788 [ 366BA8FB4B7BB7435E3B9EACB3843F67 ] dot3svc C:\Windows\System32\dot3svc.dll
04:35:13.0411 1788 dot3svc - ok
04:35:13.0645 1788 [ 8EC04CA86F1D68DA9E11952EB85973D6 ] DPS C:\Windows\system32\dps.dll
04:35:13.0770 1788 DPS - ok
04:35:13.0957 1788 [ B918E7C5F9BF77202F89E1A9539F2EB4 ] drmkaud C:\Windows\system32\drivers\drmkaud.sys
04:35:13.0972 1788 drmkaud - ok
04:35:14.0378 1788 [ 23F5D28378A160352BA8F817BD8C71CB ] DXGKrnl C:\Windows\System32\drivers\dxgkrnl.sys
04:35:14.0565 1788 DXGKrnl - ok
04:35:14.0877 1788 [ 8600142FA91C1B96367D3300AD0F3F3A ] EapHost C:\Windows\System32\eapsvc.dll
04:35:14.0955 1788 EapHost - ok
04:35:16.0359 1788 [ 024E1B5CAC09731E4D868E64DBFB4AB0 ] ebdrv C:\Windows\system32\drivers\evbdx.sys
04:35:18.0184 1788 ebdrv - ok
04:35:18.0621 1788 [ F42309C4191C506B71DB5D1126D26318 ] EFS C:\Windows\System32\lsass.exe
04:35:18.0762 1788 EFS - ok
04:35:19.0542 1788 [ 0ED67910C8C326796FAA00B2BF6D9D3C ] elxstor C:\Windows\system32\drivers\elxstor.sys
04:35:19.0807 1788 elxstor - ok
04:35:20.0134 1788 [ 8FC3208352DD3912C94367A206AB3F11 ] ErrDev C:\Windows\system32\drivers\errdev.sys
04:35:20.0166 1788 ErrDev - ok
04:35:20.0743 1788 [ F6916EFC29D9953D5D0DF06882AE8E16 ] EventSystem C:\Windows\system32\es.dll
04:35:20.0914 1788 EventSystem - ok
04:35:21.0211 1788 [ 2DC9108D74081149CC8B651D3A26207F ] exfat C:\Windows\system32\drivers\exfat.sys
04:35:21.0336 1788 exfat - ok
04:35:21.0679 1788 [ 7E0AB74553476622FB6AE36F73D97D35 ] fastfat C:\Windows\system32\drivers\fastfat.sys
04:35:21.0788 1788 fastfat - ok
04:35:22.0209 1788 [ E817A017F82DF2A1F8CFDBDA29388B29 ] fdc C:\Windows\system32\drivers\fdc.sys
04:35:22.0240 1788 fdc - ok
04:35:22.0584 1788 [ F3222C893BD2F5821A0179E5C71E88FB ] fdPHost C:\Windows\system32\fdPHost.dll
04:35:22.0630 1788 fdPHost - ok
04:35:23.0005 1788 [ 7DBE8CBFE79EFBDEB98C9FB08D3A9A5B ] FDResPub C:\Windows\system32\fdrespub.dll
04:35:23.0052 1788 FDResPub - ok
04:35:23.0348 1788 [ 6CF00369C97F3CF563BE99BE983D13D8 ] FileInfo C:\Windows\system32\drivers\fileinfo.sys
04:35:23.0379 1788 FileInfo - ok
04:35:23.0910 1788 [ 42C51DC94C91DA21CB9196EB64C45DB9 ] Filetrace C:\Windows\system32\drivers\filetrace.sys
04:35:23.0941 1788 Filetrace - ok
04:35:24.0190 1788 [ 87907AA70CB3C56600F1C2FB8841579B ] flpydisk C:\Windows\system32\drivers\flpydisk.sys
04:35:24.0222 1788 flpydisk - ok
04:35:24.0471 1788 [ 7520EC808E0C35E0EE6F841294316653 ] FltMgr C:\Windows\system32\drivers\fltmgr.sys
04:35:24.0658 1788 FltMgr - ok
04:35:25.0532 1788 [ FA6C66E4364D7DA57AADE5DCC03BB999 ] FontCache C:\Windows\system32\FntCache.dll
04:35:25.0891 1788 FontCache - ok
04:35:26.0421 1788 [ E56F39F6B7FDA0AC77A79B0FD3DE1A2F ] FontCache3.0.0.0 C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
04:35:26.0499 1788 FontCache3.0.0.0 - ok
04:35:26.0874 1788 [ 1A16B57943853E598CFF37FE2B8CBF1D ] FsDepends C:\Windows\system32\drivers\FsDepends.sys
04:35:26.0905 1788 FsDepends - ok
04:35:27.0201 1788 [ A574B4360E438977038AAE4BF60D79A2 ] Fs_Rec C:\Windows\system32\drivers\Fs_Rec.sys
04:35:27.0232 1788 Fs_Rec - ok
04:35:27.0607 1788 [ 8A73E79089B282100B9393B644CB853B ] fvevol C:\Windows\system32\DRIVERS\fvevol.sys
04:35:27.0669 1788 fvevol - ok
04:35:28.0153 1788 [ 65EE0C7A58B65E74AE05637418153938 ] gagp30kx C:\Windows\system32\drivers\gagp30kx.sys
04:35:28.0184 1788 gagp30kx - ok
04:35:28.0683 1788 [ E897EAF5ED6BA41E081060C9B447A673 ] gpsvc C:\Windows\System32\gpsvc.dll
04:35:28.0886 1788 gpsvc - ok
04:35:29.0182 1788 [ C44E3C2BAB6837DB337DDEE7544736DB ] hcw85cir C:\Windows\system32\drivers\hcw85cir.sys
04:35:29.0229 1788 hcw85cir - ok
04:35:29.0666 1788 [ A5EF29D5315111C80A5C1ABAD14C8972 ] HdAudAddService C:\Windows\system32\drivers\HdAudio.sys
04:35:29.0806 1788 HdAudAddService - ok
04:35:30.0103 1788 [ 9036377B8A6C15DC2EEC53E489D159B5 ] HDAudBus C:\Windows\system32\DRIVERS\HDAudBus.sys
04:35:30.0212 1788 HDAudBus - ok
04:35:30.0462 1788 [ 1D58A7F3E11A9731D0EAAAA8405ACC36 ] HidBatt C:\Windows\system32\drivers\HidBatt.sys
04:35:30.0508 1788 HidBatt - ok
04:35:30.0758 1788 [ 89448F40E6DF260C206A193A4683BA78 ] HidBth C:\Windows\system32\drivers\hidbth.sys
04:35:30.0820 1788 HidBth - ok
04:35:31.0054 1788 [ CF50B4CF4A4F229B9F3C08351F99CA5E ] HidIr C:\Windows\system32\drivers\hidir.sys
04:35:31.0117 1788 HidIr - ok
04:35:31.0382 1788 [ 2BC6F6A1992B3A77F5F41432CA6B3B6B ] hidserv C:\Windows\System32\hidserv.dll
04:35:31.0460 1788 hidserv - ok
04:35:31.0710 1788 [ 10C19F8290891AF023EAEC0832E1EB4D ] HidUsb C:\Windows\system32\drivers\hidusb.sys
04:35:31.0741 1788 HidUsb - ok
04:35:32.0022 1788 [ 196B4E3F4CCCC24AF836CE58FACBB699 ] hkmsvc C:\Windows\system32\kmsvc.dll
04:35:32.0115 1788 hkmsvc - ok
04:35:32.0396 1788 [ 6658F4404DE03D75FE3BA09F7ABA6A30 ] HomeGroupListener C:\Windows\system32\ListSvc.dll
04:35:32.0536 1788 HomeGroupListener - ok
04:35:32.0895 1788 [ DBC02D918FFF1CAD628ACBE0C0EAA8E8 ] HomeGroupProvider C:\Windows\system32\provsvc.dll
04:35:33.0036 1788 HomeGroupProvider - ok
04:35:33.0223 1788 [ 295FDC419039090EB8B49FFDBB374549 ] HpSAMD C:\Windows\system32\drivers\HpSAMD.sys
04:35:33.0301 1788 HpSAMD - ok
04:35:33.0644 1788 [ 871917B07A141BFF43D76D8844D48106 ] HTTP C:\Windows\system32\drivers\HTTP.sys
04:35:33.0816 1788 HTTP - ok
04:35:34.0018 1788 [ 0C4E035C7F105F1299258C90886C64C5 ] hwpolicy C:\Windows\system32\drivers\hwpolicy.sys
04:35:34.0050 1788 hwpolicy - ok
04:35:34.0268 1788 [ F151F0BDC47F4A28B1B20A0818EA36D6 ] i8042prt C:\Windows\system32\DRIVERS\i8042prt.sys
04:35:34.0299 1788 i8042prt - ok
04:35:34.0705 1788 [ A3CAE5D281DB4CFF7CFF8233507EE5AD ] iaStorV C:\Windows\system32\drivers\iaStorV.sys
04:35:34.0876 1788 iaStorV - ok
04:35:35.0282 1788 [ C521D7EB6497BB1AF6AFA89E322FB43C ] idsvc C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
04:35:35.0547 1788 idsvc - ok
04:35:37.0622 1788 [ AD626F6964F4D364D226C39E06872DD3 ] igfx C:\Windows\system32\DRIVERS\igdkmd32.sys
04:35:38.0854 1788 igfx - ok
04:35:39.0166 1788 [ 4173FF5708F3236CF25195FECD742915 ] iirsp C:\Windows\system32\drivers\iirsp.sys
04:35:39.0198 1788 iirsp - ok
04:35:39.0822 1788 [ F95622F161474511B8D80D6B093AA610 ] IKEEXT C:\Windows\System32\ikeext.dll
04:35:40.0040 1788 IKEEXT - ok
04:35:40.0602 1788 [ A0F12F2C9BA6C72F3987CE780E77C130 ] intelide C:\Windows\system32\drivers\intelide.sys
04:35:40.0617 1788 intelide - ok
04:35:40.0882 1788 [ 3B514D27BFC4ACCB4037BC6685F766E0 ] intelppm C:\Windows\system32\DRIVERS\intelppm.sys
04:35:40.0914 1788 intelppm - ok
04:35:41.0148 1788 [ ACB364B9075A45C0736E5C47BE5CAE19 ] IPBusEnum C:\Windows\system32\ipbusenum.dll
04:35:41.0226 1788 IPBusEnum - ok
04:35:41.0506 1788 [ 709D1761D3B19A932FF0238EA6D50200 ] IpFilterDriver C:\Windows\system32\DRIVERS\ipfltdrv.sys
04:35:41.0584 1788 IpFilterDriver - ok
04:35:42.0068 1788 [ 4D65A07B795D6674312F879D09AA7663 ] iphlpsvc C:\Windows\System32\iphlpsvc.dll
04:35:42.0240 1788 iphlpsvc - ok
04:35:42.0458 1788 [ 4BD7134618C1D2A27466A099062547BF ] IPMIDRV C:\Windows\system32\drivers\IPMIDrv.sys
04:35:42.0536 1788 IPMIDRV - ok
04:35:42.0754 1788 [ A5FA468D67ABCDAA36264E463A7BB0CD ] IPNAT C:\Windows\system32\drivers\ipnat.sys
04:35:42.0832 1788 IPNAT - ok
04:35:43.0098 1788 [ 42996CFF20A3084A56017B7902307E9F ] IRENUM C:\Windows\system32\drivers\irenum.sys
04:35:43.0129 1788 IRENUM - ok
04:35:43.0363 1788 [ 1F32BB6B38F62F7DF1A7AB7292638A35 ] isapnp C:\Windows\system32\drivers\isapnp.sys
04:35:43.0503 1788 isapnp - ok
04:35:43.0800 1788 [ CB7A9ABB12B8415BCE5D74994C7BA3AE ] iScsiPrt C:\Windows\system32\drivers\msiscsi.sys
04:35:43.0909 1788 iScsiPrt - ok
04:35:44.0096 1788 [ ADEF52CA1AEAE82B50DF86B56413107E ] kbdclass C:\Windows\system32\DRIVERS\kbdclass.sys
04:35:44.0127 1788 kbdclass - ok
04:35:44.0346 1788 [ 9E3CED91863E6EE98C24794D05E27A71 ] kbdhid C:\Windows\system32\drivers\kbdhid.sys
04:35:44.0377 1788 kbdhid - ok
04:35:44.0658 1788 [ F42309C4191C506B71DB5D1126D26318 ] KeyIso C:\Windows\system32\lsass.exe
04:35:44.0751 1788 KeyIso - ok
04:35:45.0001 1788 [ 412CEA1AA78CC02A447F5C9E62B32FF1 ] KSecDD C:\Windows\system32\Drivers\ksecdd.sys
04:35:45.0048 1788 KSecDD - ok
04:35:45.0328 1788 [ 26C046977E85B95036453D7B88BA1820 ] KSecPkg C:\Windows\system32\Drivers\ksecpkg.sys
04:35:45.0375 1788 KSecPkg - ok
04:35:45.0750 1788 [ 89A7B9CC98D0D80C6F31B91C0A310FCD ] KtmRm C:\Windows\system32\msdtckrm.dll
04:35:45.0906 1788 KtmRm - ok
04:35:46.0218 1788 [ D64AF876D53ECA3668BB97B51B4E70AB ] LanmanServer C:\Windows\System32\srvsvc.dll
04:35:46.0327 1788 LanmanServer - ok
04:35:46.0748 1788 [ 58405E4F68BA8E4057C6E914F326ABA2 ] LanmanWorkstation C:\Windows\System32\wkssvc.dll
04:35:46.0888 1788 LanmanWorkstation - ok
04:35:47.0185 1788 [ F7611EC07349979DA9B0AE1F18CCC7A6 ] lltdio C:\Windows\system32\DRIVERS\lltdio.sys
04:35:47.0216 1788 lltdio - ok
04:35:47.0544 1788 [ 5700673E13A2117FA3B9020C852C01E2 ] lltdsvc C:\Windows\System32\lltdsvc.dll
04:35:47.0653 1788 lltdsvc - ok
04:35:47.0965 1788 [ 55CA01BA19D0006C8F2639B6C045E08B ] lmhosts C:\Windows\System32\lmhsvc.dll
04:35:48.0027 1788 lmhosts - ok
04:35:48.0417 1788 [ EB119A53CCF2ACC000AC71B065B78FEF ] LSI_FC C:\Windows\system32\drivers\lsi_fc.sys
04:35:48.0495 1788 LSI_FC - ok
04:35:48.0854 1788 [ 8ADE1C877256A22E49B75D1CC9161F9C ] LSI_SAS C:\Windows\system32\drivers\lsi_sas.sys
04:35:48.0901 1788 LSI_SAS - ok
04:35:49.0104 1788 [ DC9DC3D3DAA0E276FD2EC262E38B11E9 ] LSI_SAS2 C:\Windows\system32\drivers\lsi_sas2.sys
04:35:49.0150 1788 LSI_SAS2 - ok
04:35:49.0369 1788 [ 0A036C7D7CAB643A7F07135AC47E0524 ] LSI_SCSI C:\Windows\system32\drivers\lsi_scsi.sys
04:35:49.0416 1788 LSI_SCSI - ok
04:35:49.0696 1788 [ 6703E366CC18D3B6E534F5CF7DF39CEE ] luafv C:\Windows\system32\drivers\luafv.sys
04:35:49.0759 1788 luafv - ok
04:35:49.0946 1788 [ 0FFF5B045293002AB38EB1FD1FC2FB74 ] megasas C:\Windows\system32\drivers\megasas.sys
04:35:49.0993 1788 megasas - ok
04:35:50.0305 1788 [ DCBAB2920C75F390CAF1D29F675D03D6 ] MegaSR C:\Windows\system32\drivers\MegaSR.sys
04:35:50.0398 1788 MegaSR - ok
04:35:50.0617 1788 [ 146B6F43A673379A3C670E86D89BE5EA ] MMCSS C:\Windows\system32\mmcss.dll
04:35:50.0773 1788 MMCSS - ok
04:35:50.0991 1788 [ F001861E5700EE84E2D4E52C712F4964 ] Modem C:\Windows\system32\drivers\modem.sys
04:35:51.0022 1788 Modem - ok
04:35:51.0225 1788 [ 79D10964DE86B292320E9DFE02282A23 ] monitor C:\Windows\system32\DRIVERS\monitor.sys
04:35:51.0256 1788 monitor - ok
04:35:51.0506 1788 [ FB18CC1D4C2E716B6B903B0AC0CC0609 ] mouclass C:\Windows\system32\DRIVERS\mouclass.sys
04:35:51.0537 1788 mouclass - ok
04:35:51.0756 1788 [ 2C388D2CD01C9042596CF3C8F3C7B24D ] mouhid C:\Windows\system32\drivers\mouhid.sys
04:35:51.0787 1788 mouhid - ok
04:35:52.0099 1788 [ FC8771F45ECCCFD89684E38842539B9B ] mountmgr C:\Windows\system32\drivers\mountmgr.sys
04:35:52.0161 1788 mountmgr - ok
04:35:52.0551 1788 [ EE728AF83850DDAD9A3FCAC0AAB3AD97 ] MpFilter C:\Windows\system32\DRIVERS\MpFilter.sys
04:35:52.0754 1788 MpFilter - ok
04:35:53.0050 1788 [ 2D699FB6E89CE0D8DA14ECC03B3EDFE0 ] mpio C:\Windows\system32\drivers\mpio.sys
04:35:53.0113 1788 mpio - ok
04:35:53.0300 1788 [ AD2723A7B53DD1AACAE6AD8C0BFBF4D0 ] mpsdrv C:\Windows\system32\drivers\mpsdrv.sys
04:35:53.0378 1788 mpsdrv - ok
04:35:53.0784 1788 [ 9835584E999D25004E1EE8E5F3E3B881 ] MpsSvc C:\Windows\system32\mpssvc.dll
04:35:54.0033 1788 MpsSvc - ok
04:35:54.0283 1788 [ CEB46AB7C01C9F825F8CC6BABC18166A ] MRxDAV C:\Windows\system32\drivers\mrxdav.sys
04:35:54.0330 1788 MRxDAV - ok
04:35:54.0579 1788 [ B272B4C3E085EA860C12F2E4FAF2FFA2 ] mrxsmb C:\Windows\system32\DRIVERS\mrxsmb.sys
04:35:54.0657 1788 mrxsmb - ok
04:35:54.0985 1788 [ 9AC33EF26C8A3AD0F117D00EB7301D03 ] mrxsmb10 C:\Windows\system32\DRIVERS\mrxsmb10.sys
04:35:55.0125 1788 mrxsmb10 - ok
04:35:55.0375 1788 [ E0ABDB5ED7E199E242A7D028E76C1D3A ] mrxsmb20 C:\Windows\system32\DRIVERS\mrxsmb20.sys
04:35:55.0453 1788 mrxsmb20 - ok
04:35:55.0656 1788 [ 012C5F4E9349E711E11E0F19A8589F0A ] msahci C:\Windows\system32\drivers\msahci.sys
04:35:55.0687 1788 msahci - ok
04:35:56.0030 1788 [ 55055F8AD8BE27A64C831322A780A228 ] msdsm C:\Windows\system32\drivers\msdsm.sys
04:35:56.0139 1788 msdsm - ok
04:35:56.0358 1788 [ E1BCE74A3BD9902B72599C0192A07E27 ] MSDTC C:\Windows\System32\msdtc.exe
04:35:56.0545 1788 MSDTC - ok
04:35:56.0872 1788 [ DAEFB28E3AF5A76ABCC2C3078C07327F ] Msfs C:\Windows\system32\drivers\Msfs.sys
04:35:56.0919 1788 Msfs - ok
04:35:57.0153 1788 [ 3E1E5767043C5AF9367F0056295E9F84 ] mshidkmdf C:\Windows\System32\drivers\mshidkmdf.sys
04:35:57.0169 1788 mshidkmdf - ok
04:35:57.0418 1788 [ 0A4E5757AE09FA9622E3158CC1AEF114 ] msisadrv C:\Windows\system32\drivers\msisadrv.sys
04:35:57.0434 1788 msisadrv - ok
04:35:57.0808 1788 [ 90F7D9E6B6F27E1A707D4A297F077828 ] MSiSCSI C:\Windows\system32\iscsiexe.dll
04:35:57.0886 1788 MSiSCSI - ok
04:35:58.0058 1788 msiserver - ok
04:35:58.0292 1788 [ 8C0860D6366AAFFB6C5BB9DF9448E631 ] MSKSSRV C:\Windows\system32\drivers\MSKSSRV.sys
04:35:58.0323 1788 MSKSSRV - ok
04:35:58.0744 1788 [ E077FCA2A7E79FB9BF67D3E30B5CE593 ] MsMpSvc C:\Program Files\Microsoft Security Client\MsMpEng.exe
04:35:58.0760 1788 MsMpSvc - ok
04:35:58.0963 1788 [ 3EA8B949F963562CEDBB549EAC0C11CE ] MSPCLOCK C:\Windows\system32\drivers\MSPCLOCK.sys
04:35:58.0994 1788 MSPCLOCK - ok
04:35:59.0275 1788 [ F456E973590D663B1073E9C463B40932 ] MSPQM C:\Windows\system32\drivers\MSPQM.sys
04:35:59.0306 1788 MSPQM - ok
04:35:59.0758 1788 [ 0E008FC4819D238C51D7C93E7B41E560 ] MsRPC C:\Windows\system32\drivers\MsRPC.sys
04:35:59.0805 1788 MsRPC - ok
04:36:00.0133 1788 [ FC6B9FF600CC585EA38B12589BD4E246 ] mssmbios C:\Windows\system32\DRIVERS\mssmbios.sys
04:36:00.0164 1788 mssmbios - ok
04:36:00.0398 1788 [ B42C6B921F61A6E55159B8BE6CD54A36 ] MSTEE C:\Windows\system32\drivers\MSTEE.sys
04:36:00.0460 1788 MSTEE - ok
04:36:00.0648 1788 [ 33599130F44E1F34631CEA241DE8AC84 ] MTConfig C:\Windows\system32\drivers\MTConfig.sys
04:36:00.0679 1788 MTConfig - ok
04:36:00.0944 1788 [ 159FAD02F64E6381758C990F753BCC80 ] Mup C:\Windows\system32\Drivers\mup.sys
04:36:01.0006 1788 Mup - ok
04:36:01.0303 1788 [ 61D57A5D7C6D9AFE10E77DAE6E1B445E ] napagent C:\Windows\system32\qagentRT.dll
04:36:01.0443 1788 napagent - ok
04:36:01.0724 1788 [ 26384429FCD85D83746F63E798AB1480 ] NativeWifiP C:\Windows\system32\DRIVERS\nwifi.sys
04:36:01.0880 1788 NativeWifiP - ok
04:36:02.0286 1788 [ E7C54812A2AAF43316EB6930C1FFA108 ] NDIS C:\Windows\system32\drivers\ndis.sys
04:36:02.0473 1788 NDIS - ok
04:36:02.0707 1788 [ 0E1787AA6C9191D3D319E8BAFE86F80C ] NdisCap C:\Windows\system32\DRIVERS\ndiscap.sys
04:36:02.0754 1788 NdisCap - ok
04:36:02.0988 1788 [ E4A8AEC125A2E43A9E32AFEEA7C9C888 ] NdisTapi C:\Windows\system32\DRIVERS\ndistapi.sys
04:36:03.0019 1788 NdisTapi - ok
04:36:03.0190 1788 [ D8A65DAFB3EB41CBB622745676FCD072 ] Ndisuio C:\Windows\system32\DRIVERS\ndisuio.sys
04:36:03.0237 1788 Ndisuio - ok
04:36:03.0440 1788 [ 38FBE267E7E6983311179230FACB1017 ] NdisWan C:\Windows\system32\DRIVERS\ndiswan.sys
04:36:03.0518 1788 NdisWan - ok
04:36:03.0736 1788 [ A4BDC541E69674FBFF1A8FF00BE913F2 ] NDProxy C:\Windows\system32\drivers\NDProxy.sys
04:36:03.0814 1788 NDProxy - ok
04:36:04.0080 1788 [ 80B275B1CE3B0E79909DB7B39AF74D51 ] NetBIOS C:\Windows\system32\DRIVERS\netbios.sys
04:36:04.0111 1788 NetBIOS - ok
04:36:04.0360 1788 [ 280122DDCF04B378EDD1AD54D71C1E54 ] NetBT C:\Windows\system32\DRIVERS\netbt.sys
04:36:04.0438 1788 NetBT - ok
04:36:04.0657 1788 [ F42309C4191C506B71DB5D1126D26318 ] Netlogon C:\Windows\system32\lsass.exe
04:36:04.0704 1788 Netlogon - ok
04:36:05.0094 1788 [ 7CCCFCA7510684768DA22092D1FA4DB2 ] Netman C:\Windows\System32\netman.dll
04:36:05.0250 1788 Netman - ok
04:36:05.0577 1788 [ 8C338238C16777A802D6A9211EB2BA50 ] netprofm C:\Windows\System32\netprofm.dll
04:36:05.0718 1788 netprofm - ok
04:36:05.0952 1788 [ F476EC40033CDB91EFBE73EB99B8362D ] NetTcpPortSharing C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
04:36:06.0030 1788 NetTcpPortSharing - ok
04:36:07.0293 1788 [ 58218EC6B61B1169CF54AAB0D00F5FE2 ] netw5v32 C:\Windows\system32\DRIVERS\netw5v32.sys
04:36:08.0354 1788 netw5v32 - ok
04:36:08.0728 1788 [ 1D85C4B390B0EE09C7A46B91EFB2C097 ] nfrd960 C:\Windows\system32\drivers\nfrd960.sys
04:36:08.0760 1788 nfrd960 - ok
04:36:08.0994 1788 [ 2CD24A6AF497D0E9B9BF3DA924ED05E6 ] NisDrv C:\Windows\system32\DRIVERS\NisDrvWFP.sys
04:36:09.0087 1788 NisDrv - ok
04:36:09.0321 1788 [ 3B846434055F80D9E89D0742F3ADAD34 ] NisSrv C:\Program Files\Microsoft Security Client\NisSrv.exe
04:36:09.0399 1788 NisSrv - ok
04:36:09.0742 1788 [ 912084381D30D8B89EC4E293053F4710 ] NlaSvc C:\Windows\System32\nlasvc.dll
04:36:09.0852 1788 NlaSvc - ok
04:36:10.0070 1788 [ 1DB262A9F8C087E8153D89BEF3D2235F ] Npfs C:\Windows\system32\drivers\Npfs.sys
04:36:10.0101 1788 Npfs - ok
04:36:10.0444 1788 [ BA387E955E890C8A88306D9B8D06BF17 ] nsi C:\Windows\system32\nsisvc.dll
04:36:10.0538 1788 nsi - ok
04:36:10.0694 1788 [ E9A0A4D07E53D8FEA2BB8387A3293C58 ] nsiproxy C:\Windows\system32\drivers\nsiproxy.sys
04:36:10.0741 1788 nsiproxy - ok
04:36:11.0427 1788 [ 33C3093D09017CFE2E219F2472BFF6EB ] Ntfs C:\Windows\system32\drivers\Ntfs.sys
04:36:11.0770 1788 Ntfs - ok
04:36:11.0973 1788 [ F9756A98D69098DCA8945D62858A812C ] Null C:\Windows\system32\drivers\Null.sys
04:36:12.0004 1788 Null - ok
04:36:12.0332 1788 [ AF2EEC9580C1D32FB7EAF105D9784061 ] nvraid C:\Windows\system32\drivers\nvraid.sys
04:36:12.0426 1788 nvraid - ok
04:36:12.0613 1788 [ 9283C58EBAA2618F93482EB5DABCEC82 ] nvstor C:\Windows\system32\drivers\nvstor.sys
04:36:12.0706 1788 nvstor - ok
04:36:12.0909 1788 [ 5A0983915F02BAE73267CC2A041F717D ] nv_agp C:\Windows\system32\drivers\nv_agp.sys
04:36:12.0987 1788 nv_agp - ok
04:36:13.0221 1788 [ 08A70A1F2CDDE9BB49B885CB817A66EB ] ohci1394 C:\Windows\system32\drivers\ohci1394.sys
04:36:13.0284 1788 ohci1394 - ok
04:36:13.0580 1788 [ 82A8521DDC60710C3D3D3E7325209BEC ] p2pimsvc C:\Windows\system32\pnrpsvc.dll
04:36:13.0798 1788 p2pimsvc - ok
04:36:14.0095 1788 [ 59C3DDD501E39E006DAC31BF55150D91 ] p2psvc C:\Windows\system32\p2psvc.dll
04:36:14.0266 1788 p2psvc - ok
04:36:14.0485 1788 [ 2EA877ED5DD9713C5AC74E8EA7348D14 ] Parport C:\Windows\system32\DRIVERS\parport.sys
04:36:14.0547 1788 Parport - ok
04:36:14.0766 1788 [ BF8F6AF06DA75B336F07E23AEF97D93B ] partmgr C:\Windows\system32\drivers\partmgr.sys
04:36:14.0797 1788 partmgr - ok
04:36:15.0062 1788 [ EB0A59F29C19B86479D36B35983DAADC ] Parvdm C:\Windows\system32\DRIVERS\parvdm.sys
04:36:15.0093 1788 Parvdm - ok
04:36:15.0390 1788 [ 358AB7956D3160000726574083DFC8A6 ] PcaSvc C:\Windows\System32\pcasvc.dll
04:36:15.0546 1788 PcaSvc - ok
04:36:15.0748 1788 [ 673E55C3498EB970088E812EA820AA8F ] pci C:\Windows\system32\drivers\pci.sys
04:36:15.0795 1788 pci - ok
04:36:15.0998 1788 [ AFE86F419014DB4E5593F69FFE26CE0A ] pciide C:\Windows\system32\drivers\pciide.sys
04:36:16.0029 1788 pciide - ok
04:36:16.0294 1788 [ F396431B31693E71E8A80687EF523506 ] pcmcia C:\Windows\system32\DRIVERS\pcmcia.sys
04:36:16.0357 1788 pcmcia - ok
04:36:16.0606 1788 [ 250F6B43D2B613172035C6747AEEB19F ] pcw C:\Windows\system32\drivers\pcw.sys
04:36:16.0638 1788 pcw - ok
04:36:17.0074 1788 [ 9E0104BA49F4E6973749A02BF41344ED ] PEAUTH C:\Windows\system32\drivers\peauth.sys
04:36:17.0293 1788 PEAUTH - ok
04:36:17.0808 1788 [ AF4D64D2A57B9772CF3801950B8058A6 ] PeerDistSvc C:\Windows\system32\peerdistsvc.dll
04:36:18.0135 1788 PeerDistSvc - ok
04:36:19.0165 1788 [ 414BBA67A3DED1D28437EB66AEB8A720 ] pla C:\Windows\system32\pla.dll
04:36:19.0633 1788 pla - ok
04:36:20.0023 1788 [ 92DC6E68D2C856C5C2F21AE9E22112B8 ] PlugPlay C:\Windows\system32\umpnpmgr.dll


and the AswMember log

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-10 04:42:58
-----------------------------
04:42:58.546 OS Version: Windows 6.1.7601 Service Pack 1
04:42:58.546 Number of processors: 2 586 0xF0D
04:42:58.608 ComputerName: BROKEN-PC UserName: BROKEN
04:43:02.383 Initialize success
04:58:35.721 AVAST engine defs: 12111001
04:59:26.670 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2
04:59:26.764 Disk 0 Vendor: FUJITSU_MHY2080BH 890B Size: 76319MB BusType: 11
04:59:26.951 Disk 0 MBR read successfully
04:59:27.060 Disk 0 MBR scan
04:59:27.232 Disk 0 Windows 7 default MBR code
04:59:27.388 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
04:59:27.606 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 26900 MB offset 206848
04:59:27.825 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 49317 MB offset 55298048
04:59:28.074 Disk 0 scanning sectors +156299264
04:59:28.433 Disk 0 scanning C:\Windows\system32\drivers
05:01:43.280 Service scanning
05:06:19.588 Modules scanning
05:08:03.234 Disk 0 trace - called modules:
05:08:03.811
05:08:06.339 AVAST engine scan C:\Windows
05:08:28.803 AVAST engine scan C:\Windows\system32
05:42:12.423 AVAST engine scan C:\Windows\system32\drivers
05:45:00.544 AVAST engine scan C:\Users\BROKEN
05:45:37.594 AVAST engine scan C:\ProgramData
05:46:07.546 Scan finished successfully
06:04:55.678 Disk 0 MBR has been saved successfully to "C:\Users\BROKEN\Desktop\MBR.dat"
06:04:55.943 The log file has been saved successfully to "C:\Users\BROKEN\Desktop\aswMBR.txt"


One question, what is that blank space on the AswMBR log at 5:08? Is that typical?


AswMember also created a MBR.DAT file, but you didn't mention that, so I'm not sending it, but maintain it if you need it.


Also, just a reminder that I will continue to turn off Microsoft Security Essentials, Firewall and Windows Update before every new set of guidelines and turn on the same after completion of suggested tasks.

I again appreciate your attention to my struggle and look forward to your next suggestions.

I look forward to your reply.

My Best,
Chris

Edited by ConMe, 10 November 2012 - 09:35 AM.


#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:30 PM

Posted 10 November 2012 - 12:25 PM

Hello

One question, what is that blank space on the AswMBR log at 5:08? Is that typical? - I have not noticed it before but at this time I will not worry about it

AswMember also created a MBR.DAT file, but you didn't mention that, so I'm not sending it, but maintain it if you need it. Perfect, If we need it I will let you know what you need to do

Also, Just a reminder that I will continue to Turn Off Microsoft Security Essentials, Firewall and Windows Update before every new set of guideline and Turn On the same after completion of suggested tasks. - that is exactly what you need to do

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#12 ConMe

ConMe
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Gender:Male
  • Location:Orange County, California, USA
  • Local time:01:30 PM

Posted 10 November 2012 - 01:46 PM

Darn it, I just tried to post, but it lost it somehow...

Anyways wanted to let you know that I got that script cooking in CF with no issues. If it's anything like the last one, it's going to be a few.....

Wanted to give you two things to think about:

1) Because of the multiple clean/custom installs I have done, and because this thing always seems to start back right where it left off, is it possible that I have something malicious in either:

a) My BIOS

b) my HD has 3 partitions, the first being created by force and has to always be a minimum of 100MB. After formatting, it always ends up saying 86MB free. It's the only partition I lose space on after partitioning. I forget, either Intel, HP, or Compaq said somewhere that that is saved for Recovery files.....blah...blah,...blah. The thing I've noticed in a few of these logs is that the first partition is always offset by I believe 2048kb. Is it possible that something is "up in there"?

c) my motherboard has this super-secret "pre-boot" hiding spot on it that has to be accessed at a very specific time in the start-up and that window of time can be adjusted in the BIOS. I believe it is related to some sort of pre-boot logon for a network adapter????maybe??? But I believe there is a limited amount of space there also to potentially store something malicious, unpleasant, and crafty!

2) and secondly, whatever this thing is....it's putting these desktop.ini files everywhere. I'd say about 50% of the folders I open have one just sitting there, or after a reboot there will be 1 or 2 just sitting on my desktop. I have been trashing them but it does no good....

CF update......Completed update_18.

Oh and I almost forgot.....THANK YOU GRINGO!!!!!!

#13 ConMe

ConMe
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Gender:Male
  • Location:Orange County, California, USA
  • Local time:01:30 PM

Posted 10 November 2012 - 03:37 PM

So the CFScript-specific scan in ComboFix just finished. Machine still remains the same. Turning on Windows Firewall, Windows Updates and MSE is a chore with all the laggy, choppy stuttering going on. Here is the cfscriptLOG.txt:

@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-10 12:00:24
ComboFix-quarantined-files.txt 2012-11-10 20:00
ComboFix2.txt 2012-11-10 09:14
.
Pre-Run: 11,641,184,256 bytes free
Post-Run: 11,733,999,616 bytes free
.
- - End Of File - - 7705619FAEFDFAF66576D7FA873133C4


Looks to me like the only addition to the new log is the C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll file.

And the only things missing are the other running processes I actually forgot to, or just didn't get, shut down last time, i.e. MSMpEng, taskhost, conhost, and sppsvc.

Also, I have got the same warning/error when trying to open up three different files. The first 2 I closed the error message and tried to reopen the attempted files, and they opened the second time. I just tried opening the Windows Program Compatibility troubleshooter and it will not open and continues to display the error: C:\Windows\System32\msdt.exe Illegal operation attempted on a registry key that has been marked for deletion.

Sorry this is such a pain in the Nalgas, but I do appreciate your involvement and input!

I look forward to hearing from you soon as I'm eager to find a solution to this mess. You got this Gringo, YOU GOT THIS!

Best Regards,

Chris

Edited by ConMe, 10 November 2012 - 04:19 PM.


#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:30 PM

Posted 10 November 2012 - 05:56 PM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 ConMe

ConMe
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Location:Orange County, California, USA
  • Local time:01:30 PM

Posted 11 November 2012 - 12:57 AM

Hey Gringo,

Here's that Log from the OTL scan, gotta run out quick to the store before they close. Be back in 30 mins. Hopefully you're working all night baby! This thing is definitely in my BIOS, if you could look into that, I would greatly appreciate it. I figured some stuff out, I'll tell you all about it when I get back.

My ,

Chris

OTL logfile created on: 11/10/2012 7:08:46 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\BROKEN\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 2.36 Gb Available Physical Memory | 78.80% Memory free
9.34 Gb Paging File | 8.69 Gb Available in Paging File | 93.12% Paging File free
Paging file location(s): c:\pagefile.sys 6500 8000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 26.27 Gb Total Space | 10.79 Gb Free Space | 41.06% Space Free | Partition Type: NTFS
Drive D: | 48.16 Gb Total Space | 48.07 Gb Free Space | 99.81% Space Free | Partition Type: NTFS
Drive E: | 4.38 Gb Total Space | 4.06 Gb Free Space | 92.70% Space Free | Partition Type: UDF

Computer Name: BROKEN-PC | User Name: BROKEN | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\BROKEN\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (NisSrv) -- C:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV - (MsMpSvc) -- C:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (VGPU) -- System32\drivers\rdvgkmd.sys File not found
DRV - (catchme) -- C:\Users\BROKEN\AppData\Local\Temp\catchme.sys File not found
DRV - (NisDrv) -- C:\Windows\System32\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV - (RdpVideoMiniport) -- C:\Windows\System32\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (tsusbhub) -- C:\Windows\System32\drivers\tsusbhub.sys (Microsoft Corporation)
DRV - (Synth3dVsc) -- C:\Windows\System32\drivers\Synth3dVsc.sys (Microsoft Corporation)
DRV - (dmvsc) -- C:\Windows\System32\drivers\dmvsc.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (TsUsbGD) -- C:\Windows\System32\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV - (terminpt) -- C:\Windows\System32\drivers\terminpt.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (Serial) -- C:\Windows\System32\drivers\serial.sys (Brother Industries Ltd.)
DRV - (TPM) -- C:\Windows\System32\drivers\tpm.sys (Microsoft Corporation)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (LSI Corp)
DRV - (netw5v32) -- C:\Windows\System32\drivers\netw5v32.sys (Intel Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC




IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-3749330893-3777264295-742365940-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-3749330893-3777264295-742365940-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3749330893-3777264295-742365940-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3749330893-3777264295-742365940-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found



O1 HOSTS File: ([2012/11/10 00:46:28 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3749330893-3777264295-742365940-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3749330893-3777264295-742365940-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3749330893-3777264295-742365940-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-3749330893-3777264295-742365940-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-3749330893-3777264295-742365940-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.15.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1F7E4FA0-C3D4-4BC0-8FB6-4709CF339839}: DhcpNameServer = 192.168.15.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 13:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/11/10 19:02:38 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\BROKEN\Desktop\OTL.exe
[2012/11/10 12:00:44 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/11/10 12:00:44 | 000,000,000 | ---D | C] -- C:\Users\BROKEN\AppData\Local\temp
[2012/11/10 11:51:08 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/11/10 04:07:28 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Users\BROKEN\Desktop\aswMBR.exe
[2012/11/10 04:07:08 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\BROKEN\Desktop\tdsskiller.exe
[2012/11/09 22:47:12 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/11/09 22:47:12 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/11/09 22:47:11 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/11/09 22:43:58 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/11/09 22:41:46 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/11/09 22:37:01 | 004,998,937 | R--- | C] (Swearware) -- C:\Users\BROKEN\Desktop\ComboFix.exe
[2012/11/09 15:42:48 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
[2012/11/08 23:49:47 | 000,000,000 | ---D | C] -- C:\Users\BROKEN\Desktop\Defogger
[2012/11/08 09:35:43 | 000,045,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups2.dll
[2012/11/08 09:35:32 | 002,422,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wucltux.dll
[2012/11/08 09:31:47 | 000,035,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups.dll
[2012/11/08 09:31:45 | 000,088,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wudriver.dll
[2012/11/08 09:31:38 | 000,577,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapi.dll
[2012/11/08 09:29:52 | 000,171,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuwebv.dll
[2012/11/08 09:29:48 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapp.exe
[2012/11/08 09:15:05 | 000,237,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2012/11/08 08:45:17 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/11/08 08:37:51 | 000,000,000 | ---D | C] -- C:\Users\BROKEN\Desktop\Drivers HP Intel
[2012/11/08 06:02:40 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2012/11/08 05:24:46 | 000,000,000 | R--D | C] -- C:\Users\BROKEN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2012/11/08 05:24:46 | 000,000,000 | R--D | C] -- C:\Users\BROKEN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2012/11/08 05:24:44 | 000,000,000 | R--D | C] -- C:\Users\BROKEN\Searches
[2012/11/08 05:24:42 | 000,000,000 | -H-D | C] -- C:\Users\BROKEN\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2012/11/08 05:24:08 | 000,000,000 | ---D | C] -- C:\Users\BROKEN\AppData\Roaming\Identities
[2012/11/08 05:23:43 | 000,000,000 | R--D | C] -- C:\Users\BROKEN\Contacts
[2012/11/08 05:21:16 | 000,000,000 | ---D | C] -- C:\Users\BROKEN\AppData\Local\VirtualStore
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\AppData\Local\Temporary Internet Files
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\Templates
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\Start Menu
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\SendTo
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\Recent
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\PrintHood
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\NetHood
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\Documents\My Videos
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\Documents\My Pictures
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\Documents\My Music
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\My Documents
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\Local Settings
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\AppData\Local\History
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\Cookies
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\Application Data
[2012/11/08 05:20:50 | 000,000,000 | -HSD | C] -- C:\Users\BROKEN\AppData\Local\Application Data
[2012/11/08 05:20:44 | 000,000,000 | ---D | C] -- C:\Users\BROKEN\AppData\Local\Microsoft
[2012/11/08 05:20:44 | 000,000,000 | ---D | C] -- C:\Users\BROKEN\AppData\Roaming\Media Center Programs
[2012/11/08 05:20:43 | 000,000,000 | --SD | C] -- C:\Users\BROKEN\AppData\Roaming\Microsoft
[2012/11/08 05:20:43 | 000,000,000 | R--D | C] -- C:\Users\BROKEN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2012/11/08 05:20:43 | 000,000,000 | R--D | C] -- C:\Users\BROKEN\Desktop
[2012/11/08 05:20:43 | 000,000,000 | R--D | C] -- C:\Users\BROKEN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2012/11/08 05:20:43 | 000,000,000 | -H-D | C] -- C:\Users\BROKEN\AppData
[2012/11/08 05:20:42 | 000,000,000 | R--D | C] -- C:\Users\BROKEN\Videos
[2012/11/08 05:20:42 | 000,000,000 | R--D | C] -- C:\Users\BROKEN\Saved Games
[2012/11/08 05:20:42 | 000,000,000 | R--D | C] -- C:\Users\BROKEN\Pictures
[2012/11/08 05:20:42 | 000,000,000 | R--D | C] -- C:\Users\BROKEN\Music
[2012/11/08 05:20:42 | 000,000,000 | R--D | C] -- C:\Users\BROKEN\Links
[2012/11/08 05:20:42 | 000,000,000 | R--D | C] -- C:\Users\BROKEN\Favorites
[2012/11/08 05:20:42 | 000,000,000 | R--D | C] -- C:\Users\BROKEN\Downloads
[2012/11/08 05:20:42 | 000,000,000 | R--D | C] -- C:\Users\BROKEN\Documents
[2012/11/08 05:18:06 | 000,000,000 | ---D | C] -- C:\Recovery
[2012/11/08 04:23:34 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2012/11/08 04:20:16 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2012/11/08 04:14:04 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2012/11/08 04:09:10 | 000,000,000 | ---D | C] -- C:\Windows\Panther

========== Files - Modified Within 30 Days ==========

[2012/11/10 18:34:26 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\BROKEN\Desktop\OTL.exe
[2012/11/10 18:33:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/11/10 18:33:07 | 2409,078,784 | -HS- | M] () -- C:\hiberfil.sys
[2012/11/10 14:34:33 | 000,016,640 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/11/10 14:34:32 | 000,016,640 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/11/10 03:27:25 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Users\BROKEN\Desktop\aswMBR.exe
[2012/11/10 03:26:36 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\BROKEN\Desktop\tdsskiller.exe
[2012/11/10 00:46:28 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/11/09 21:01:29 | 004,998,937 | R--- | M] (Swearware) -- C:\Users\BROKEN\Desktop\ComboFix.exe
[2012/11/09 16:53:32 | 000,000,632 | RHS- | M] () -- C:\Users\BROKEN\ntuser.pol
[2012/11/09 04:50:46 | 000,594,316 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/11/09 04:50:46 | 000,096,648 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/11/09 04:50:23 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2012/11/08 11:04:15 | 000,000,000 | ---- | M] () -- C:\Users\BROKEN\defogger_reenable
[2012/11/08 08:53:05 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/11/08 08:02:23 | 000,000,057 | ---- | M] () -- C:\Windows\System32\mapisvc.inf
[2012/11/08 05:49:56 | 000,001,407 | ---- | M] () -- C:\Users\BROKEN\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/11/08 04:58:50 | 000,266,808 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/11/08 04:52:22 | 000,116,385 | ---- | M] () -- C:\Windows\System32\license.rtf

========== Files Created - No Company Name ==========

[2012/11/09 22:47:12 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/11/09 22:47:12 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/11/09 22:47:12 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/11/09 22:47:11 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/11/09 22:47:11 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/11/09 16:24:11 | 000,000,632 | RHS- | C] () -- C:\Users\BROKEN\ntuser.pol
[2012/11/09 04:50:23 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2012/11/08 11:04:15 | 000,000,000 | ---- | C] () -- C:\Users\BROKEN\defogger_reenable
[2012/11/08 08:53:05 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
[2012/11/08 08:51:09 | 000,002,117 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/11/08 05:49:55 | 000,001,407 | ---- | C] () -- C:\Users\BROKEN\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/11/08 05:25:19 | 000,001,413 | ---- | C] () -- C:\Users\BROKEN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2012/11/08 05:20:46 | 000,000,290 | ---- | C] () -- C:\Users\BROKEN\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2012/11/08 05:20:46 | 000,000,272 | ---- | C] () -- C:\Users\BROKEN\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2012/11/08 04:14:04 | 2409,078,784 | -HS- | C] () -- C:\hiberfil.sys
[2010/11/20 13:29:34 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2010/11/20 13:29:26 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe

========== ZeroAccess Check ==========

[2009/07/13 20:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2010/11/20 13:29:11 | 012,872,192 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 13:29:20 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 17:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >


PS Here's a hint: SQL