Browser Redirect


  • This topic is locked
20 replies to this topic

#1 llama2200

llama2200

  • Members
  • 21 posts
  • OFFLINE
  • Local time:06:12 AM

Posted 26 November 2012 - 06:30 PM

On Windows XP, a browser redirect occurs when performing searches via a search engine. The redirect does not appear to occur when the URL is entered manually (e.g., typing in www.bleepingcomputer.com leads to this website, but attempts to reach the same site from Google are redirected).

"exploit" identified by Malwarebytes and Security Essentials and supposedly removed, but reappears after rebooting. Redirect occurs even after removal, before rebooting. Rkill unable to identify any malicious scripts.

Example of supposed identification and removal:

MBAM log reports the following: C:\Documents and Settings\MGamble\Local Settings\Temp\0.9111886121660088 (Exploit.Drop.9) -> Quarantined and deleted successfully.

Security Essentials identifies "Exploit: Java/CVE-2012-0506.D!ldr" and logs the following:
file:C:\DOCUME~1\MGamble\LOCALS~1\Temp\jar_cache1727138323650903580.tmp->m.class
file:C:\DOCUME~1\MGamble\LOCALS~1\Temp\jar_cache2264749817365393537.tmp->m.class
file:C:\DOCUME~1\MGamble\LOCALS~1\Temp\jar_cache2921567432983782396.tmp->m.class
file:C:\DOCUME~1\MGamble\LOCALS~1\Temp\jar_cache6986208585841274374.tmp->m.class



DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_37
Run by MGamble at 17:24:21 on 2012-11-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1910.573 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\vcsFPService.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\accelerometerST.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe
c:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Citrix\GoToMeeting\880\g2mstart.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Citrix\GoToMeeting\880\g2mcomm.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
C:\Program Files\Citrix\GoToMeeting\880\g2mlauncher.exe
C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\WINDOWS\system32\mqtgsvc.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender_gui.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\Hp.SkyRoom.Windows.RgsPlugin.Authentication.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\Hp.SkyRoom.Windows.RgsPlugin.Lens.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\Hp.SkyRoom.Windows.RgsPlugin.Licensing.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\MICROS~4\Office14\OUTLOOK.EXE
C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe
C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
uSearch Page = hxxp://www.bing.com
mSearchAssistant = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\880\g2mstart.exe" "/Trigger RunAtLogon"
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\accelerometerST.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [HPPowerAssistant] c:\program files\hewlett-packard\hp power assistant\HPPA_Main.exe /hidden
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HPWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWA_Main.exe /hidden
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [AESTFltr] c:\windows\system32\AESTFltr.exe /NoDlg
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [Cpqset] "c:\program files\hewlett-packard\default settings\cpqset.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Synchronization Manager] c:\windows\system32\mobsync.exe /logon
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [PCHealth] rundll32.exe "c:\documents and settings\mgamble\local settings\application data\wmtools downloaded files\pchealth\vcaebxjlk.dll",DllRegisterServerW
StartupFolder: c:\docume~1\mgamble\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\mgamble\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\mgamble\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\netgear prosafe vpn client\SafeCfg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: RunStartupScriptSync = dword:1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\iavlsp.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{D9C7FE4A-C175-4743-ADC9-5696310FD2F3} : DHCPNameServer = 209.18.47.61 209.18.47.62
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mgamble\application data\mozilla\firefox\profiles\k5uifqq9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\mgamble\application data\mozilla\plugins\npatgpc.dll
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2012-11-26 15:33; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: !HIDDEN! 2010-08-28 12:59; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [2010-12-20 138296]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl0b2ca193;MpKsl0b2ca193;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ec0f7d03-e3f7-4229-99de-04a2db1cd4f6}\MpKsl0b2ca193.sys [2012-11-26 29904]
R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [2010-12-20 536634]
R2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\hewlett-packard\hp power assistant\HPPA_Service.exe [2009-11-19 102968]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2009-11-19 102968]
R2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files\hewlett-packard\hp skyroom\Hp.Skyroom.Windows.Service.exe [2009-11-20 124984]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2009-11-12 250936]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 rgsender;Remote Graphics Sender Service;c:\program files\hewlett-packard\hp skyroom\remote graphics sender\rgsendersvc.exe [2010-8-28 379904]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-8-28 2320920]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-10-21 1639728]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-8-28 113664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-1-15 228408]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [2010-12-20 29184]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-1-15 166568]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-23 44800]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-8-28 125696]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-8-28 205824]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2010-1-15 49152]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]
.
=============== File Associations ===============
.
FileExt: .vbe: VBEFile=NOTEPAD.EXE %1
FileExt: .vbs: VBSFile=NOTEPAD.EXE %1
FileExt: .js: JSFile=NOTEPAD.EXE %1
FileExt: .jse: JSEFile=NOTEPAD.EXE %1
FileExt: .wsf: WSFFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2012-11-26 21:33:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-26 21:33:34 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-26 21:19:22 60872 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ec0f7d03-e3f7-4229-99de-04a2db1cd4f6}\offreg.dll
2012-11-26 21:19:22 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ec0f7d03-e3f7-4229-99de-04a2db1cd4f6}\MpKsl0b2ca193.sys
2012-11-26 21:02:36 6812136 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ec0f7d03-e3f7-4229-99de-04a2db1cd4f6}\mpengine.dll
2012-10-29 14:16:00 96224 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe
2012-10-29 14:16:00 91104 ----a-w- c:\program files\mozilla firefox\smime3.dll
2012-10-29 14:16:00 889848 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2012-10-29 14:16:00 270816 ----a-w- c:\program files\mozilla firefox\updater.exe
2012-10-29 14:16:00 19424 ----a-w- c:\program files\mozilla firefox\xpcom.dll
2012-10-29 14:16:00 157272 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe
2012-10-29 14:16:00 155104 ----a-w- c:\program files\mozilla firefox\softokn3.dll
2012-10-29 14:16:00 14676448 ----a-w- c:\program files\mozilla firefox\xul.dll
2012-10-29 14:16:00 145376 ----a-w- c:\program files\mozilla firefox\ssl3.dll
.
==================== Find3M ====================
.
2012-11-26 21:33:09 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-26 21:09:08 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-26 21:09:08 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-25 09:12:26 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-10-25 09:12:26 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-10-09 17:26:06 10220472 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-09-30 01:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 17:25:03.95 ===============

Edited by llama2200, 26 November 2012 - 06:35 PM.



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:12 AM

Posted 26 November 2012 - 09:10 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download RogueKiller (or from here) and SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 llama2200

llama2200
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:06:12 AM

Posted 26 November 2012 - 09:46 PM

Thanks, Gringo!

Security Check report as follows:

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
WinPatrol
SpywareBlaster 4.6
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Java™ 6 Update 37
Java 7 Update 9
Java 2 Runtime Environment, SE v1.4.2_19
Adobe Flash Player 11.5.502.110
Mozilla Firefox 16.0.2 Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials msseces.exe
Windows Defender MSMpEng.exe
WinPatrol winpatrol.exe
Microsoft Security Client Antimalware MsMpEng.exe
BillP Studios WinPatrol winpatrol.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 24% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


AdwCleaner report as follows:

# AdwCleaner v2.009 - Logfile created 11/26/2012 at 20:32:50
# Updated 24/11/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : MGamble - MIPL3
# Boot Mode : Normal
# Running from : C:\Documents and Settings\MGamble\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default
File : C:\Documents and Settings\MGamble\Application Data\Mozilla\Firefox\Profiles\k5uifqq9.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [813 octets] - [26/11/2012 20:32:50]

########## EOF - C:\AdwCleaner[S1].txt - [872 octets] ##########


RKreport[1] as follows:

RogueKiller V8.3.1 [Nov 26 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : MGamble [Admin rights]
Mode : Scan -- Date : 11/26/2012 20:37:06

Bad processes : 0

Registry Entries : 5
[RUN][NOTFOUND] HKUS\.DEFAULT[...]\Run : PCHealth (rundll32.exe "C:\Documents and Settings\MGamble\Local Settings\Application Data\WMTools Downloaded Files\PCHealth\vcaebxjlk.dll",DllRegisterServerW) -> FOUND
[RUN][NOTFOUND] HKUS\S-1-5-19[...]\Run : PCHealth (rundll32.exe "C:\Documents and Settings\MGamble\Local Settings\Application Data\WMTools Downloaded Files\PCHealth\vcaebxjlk.dll",DllRegisterServerW) -> FOUND
[RUN][NOTFOUND] HKUS\S-1-5-20[...]\Run : PCHealth (rundll32.exe "C:\Documents and Settings\MGamble\Local Settings\Application Data\WMTools Downloaded Files\PCHealth\vcaebxjlk.dll",DllRegisterServerW) -> FOUND
[RUN][NOTFOUND] HKUS\S-1-5-18[...]\Run : PCHealth (rundll32.exe "C:\Documents and Settings\MGamble\Local Settings\Application Data\WMTools Downloaded Files\PCHealth\vcaebxjlk.dll",DllRegisterServerW) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver : [LOADED]

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: ST9250410AS +++++
--- User ---
[MBR] f3dd19676955963a7910ea2ba0565005
[BSP] 80eb7ad0ce6ef08723d17a02689905ad : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 236400 Mo
1 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 484166970 | Size: 2055 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_11262012_02d2037.txt >>
RKreport[1]_S_11262012_02d2037.txt

RKreport[2] as follows:

RogueKiller V8.3.1 [Nov 26 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : MGamble [Admin rights]
Mode : Remove -- Date : 11/26/2012 20:37:29

Bad processes : 0

Registry Entries : 4
[RUN][NOTFOUND] HKUS\.DEFAULT[...]\Run : PCHealth (rundll32.exe "C:\Documents and Settings\MGamble\Local Settings\Application Data\WMTools Downloaded Files\PCHealth\vcaebxjlk.dll",DllRegisterServerW) -> DELETED
[RUN][NOTFOUND] HKUS\S-1-5-19[...]\Run : PCHealth (rundll32.exe "C:\Documents and Settings\MGamble\Local Settings\Application Data\WMTools Downloaded Files\PCHealth\vcaebxjlk.dll",DllRegisterServerW) -> DELETED
[RUN][NOTFOUND] HKUS\S-1-5-20[...]\Run : PCHealth (rundll32.exe "C:\Documents and Settings\MGamble\Local Settings\Application Data\WMTools Downloaded Files\PCHealth\vcaebxjlk.dll",DllRegisterServerW) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:

Driver : [LOADED]

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: ST9250410AS +++++
--- User ---
[MBR] f3dd19676955963a7910ea2ba0565005
[BSP] 80eb7ad0ce6ef08723d17a02689905ad : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 236400 Mo
1 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 484166970 | Size: 2055 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_11262012_02d2037.txt >>
RKreport[1]_S_11262012_02d2037.txt ; RKreport[2]_D_11262012_02d2037.txt


Also note that the redirect appears to be limited to accessing a first video link from a search engine result page (e.g., selecting a first video search result redirects, but subsequent selections do not; selecting at least a standard webpage search result does not appear to redirect).
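The two RogueKiller reports above, together with the `dRun: [PCHealth]` line in the DDS log of the first post, show the same persistence entry repeated under `HKUS\.DEFAULT` and the service SIDs `S-1-5-18/19/20`, which is one way an entry survives a per-user cleanup and reboot. Below is an added example (not code from the thread, from BleepingComputer, or from RogueKiller) of the two checks a responder would want to run on such reports: flag `[RUN]` entries that use `rundll32`/`regsvr32` to load a DLL from a user-writable profile path, and confirm that every entry the scan pass marked `FOUND` has a `DELETED` or `REPLACED` counterpart in the removal pass. The report line format is assumed from the quoted lines only, and the sample reports are assembled from the entries quoted above.

```python
"""Cross-check a RogueKiller-style scan report against its removal report.

Added example, not part of the thread or of RogueKiller. The line format
'[KIND][FLAG] key : name (command) -> VERDICT' is assumed from the lines quoted
in the thread; the sample reports are assembled from those same lines.
"""
import re
from dataclasses import dataclass
from typing import List

ENTRY_RE = re.compile(
    r"^\[(?P<kind>[A-Z ]+)\](?:\[[A-Z]+\])?\s+"
    r"(?P<key>\S+)\s+:\s+(?P<name>\S+)\s+\((?P<cmd>.*)\)\s+->\s+(?P<verdict>[A-Z]+)"
)

# Profile locations a legitimate autorun has no reason to load code from.
USER_WRITABLE = ("\\local settings\\", "\\application data\\", "\\temp\\")
# Signed Windows binaries that will load whatever DLL they are pointed at.
LOADERS = ("rundll32.exe", "regsvr32")


@dataclass
class Entry:
    kind: str     # RUN, HJ DESK, ...
    key: str      # registry key as printed in the report
    name: str     # value name
    cmd: str      # command line (or data) inside the parentheses
    verdict: str  # FOUND, DELETED, REPLACED, ...


def parse_entries(report: str) -> List[Entry]:
    """Return every parseable finding line of a report, in order."""
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["key"], m["name"], m["cmd"], m["verdict"]))
    return entries


def suspicious_autoruns(entries: List[Entry]) -> List[Entry]:
    """[RUN] entries where a DLL loader is pointed at a user-writable profile path."""
    flagged = []
    for e in entries:
        cmd = e.cmd.lower()
        if e.kind == "RUN" and cmd.startswith(LOADERS) and any(p in cmd for p in USER_WRITABLE):
            flagged.append(e)
    return flagged


def unresolved_after_removal(scan: List[Entry], removal: List[Entry]) -> List[Entry]:
    """Entries FOUND by the scan pass with no DELETED/REPLACED counterpart in the removal pass."""
    fixed = {(e.key, e.name) for e in removal if e.verdict in ("DELETED", "REPLACED")}
    return [e for e in scan if e.verdict == "FOUND" and (e.key, e.name) not in fixed]


# --- sample input assembled from the reports quoted in the thread -------------
PCHEALTH_CMD = (
    r'rundll32.exe "C:\Documents and Settings\MGamble\Local Settings\Application Data'
    r'\WMTools Downloaded Files\PCHealth\vcaebxjlk.dll",DllRegisterServerW'
)
DESK_LINE = "[HJ DESK] HKLM\\[...]\\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> "


def run_line(hive: str, verdict: str) -> str:
    return f"[RUN][NOTFOUND] HKUS\\{hive}[...]\\Run : PCHealth ({PCHEALTH_CMD}) -> {verdict}"


SCAN_REPORT = "\n".join(
    ["Mode : Scan -- Date : 11/26/2012 20:37:06", "Registry Entries : 5"]
    + [run_line(h, "FOUND") for h in (".DEFAULT", "S-1-5-19", "S-1-5-20", "S-1-5-18")]
    + [DESK_LINE + "FOUND"]
)
REMOVAL_REPORT = "\n".join(
    ["Mode : Remove -- Date : 11/26/2012 20:37:29", "Registry Entries : 4"]
    + [run_line(h, "DELETED") for h in (".DEFAULT", "S-1-5-19", "S-1-5-20")]
    + [DESK_LINE + "REPLACED (0)"]
)

if __name__ == "__main__":
    scan, removal = parse_entries(SCAN_REPORT), parse_entries(REMOVAL_REPORT)
    for e in suspicious_autoruns(scan):
        print(f"suspicious autorun: {e.key} -> {e.cmd}")
    for e in unresolved_after_removal(scan, removal):
        print(f"not covered by removal pass: {e.key} ({e.name})")
```

Run stand-alone, the script lists the four hive-level `PCHealth` autoruns as suspicious and reports the `HKUS\S-1-5-18` entry as the one the removal report does not account for; that is exactly the kind of discrepancy to look for before concluding that an infection has been cleaned, since a Run value under the SYSTEM hive is re-executed at every boot regardless of which user logs on.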

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:12 AM

Posted 27 November 2012 - 07:06 AM

Hello

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 llama2200

  • Topic Starter

  • Members
  • 21 posts

Posted 27 November 2012 - 03:39 PM

The ComboFix report is below. After restarting WinPatrol, it notified me of changes made to HOSTS, a change to .JS, .url, .vbs, .vbe file type associations, using Microsoft Windows Script Host, using Run a DLL as an APP, and others. I assumed that these were changes caused by ComboFix and allowed them.

The redirect problem continues to occur.


ComboFix 12-11-27.01 - MGamble 11/27/2012 14:15:16.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1910.1268 [GMT -6:00]
Running from: c:\documents and settings\MGamble\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\MGamble\g2mdlhlpx.exe
C:\Thumbs.db
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\UNWISE.EXE
F:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-10-27 to 2012-11-27 )))))))))))))))))))))))))))))))
.
.
2012-11-27 02:02 . 2012-11-27 02:02 -------- d-----w- c:\documents and settings\MGamble\Local Settings\Application Data\Sun
2012-11-27 01:50 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1E960CB7-E976-40FF-9735-FC5F20E18722}\mpengine.dll
2012-11-27 01:46 . 2012-11-27 01:45 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-26 21:41 . 2012-11-26 21:41 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2012-11-26 21:41 . 2012-11-26 21:41 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2012-11-26 21:41 . 2012-11-26 21:41 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2012-11-26 21:41 . 2012-11-26 21:41 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2012-11-26 21:41 . 2012-11-26 21:41 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2012-11-26 21:41 . 2012-11-26 21:41 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2012-11-26 21:41 . 2012-11-26 21:41 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2012-11-26 21:41 . 2012-11-26 21:41 -------- d-----w- c:\program files\QuickTime
2012-11-26 21:41 . 2012-11-26 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2012-11-26 21:37 . 2012-11-26 21:37 -------- d-----w- c:\program files\Apple Software Update
2012-11-26 21:33 . 2012-11-27 01:45 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-26 21:33 . 2012-11-26 21:33 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-26 21:30 . 2012-11-26 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-27 01:45 . 2011-01-24 15:30 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-26 21:09 . 2012-04-03 15:19 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-26 21:09 . 2011-05-19 13:50 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-08 18:00 . 2010-09-29 13:29 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-25 09:12 . 2012-10-25 09:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-10-25 09:12 . 2012-10-25 09:12 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-10-09 17:26 . 2012-04-03 15:26 10220472 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-09-30 01:54 . 2011-10-05 18:21 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-29 14:16 . 2012-10-29 14:15 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\MGamble\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\MGamble\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\MGamble\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\MGamble\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 19549320]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\880\g2mstart.exe" [2012-03-06 39816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AccelerometerSysTrayApplet"="c:\windows\System32\accelerometerST.exe" [2009-08-27 70200]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-25 186904]
"HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe" [2009-11-19 1690680]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-10 1578280]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe" [2009-11-19 363064]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-09 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-09 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-09 144920]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2009-11-04 111640]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-04-22 737280]
"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2009-09-18 213040]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2009-09-25 75264]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-07-31 41944]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-07-30 640480]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 995328]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]
.
c:\documents and settings\MGamble\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\MGamble\Application Data\Dropbox\bin\Dropbox.exe [2012-8-26 26924984]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR ProSafe VPN Client.lnk - c:\program files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe [2010-12-20 77876]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\HP.SkyRoom.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\remote graphics receiver\\rgreceiver.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\remote graphics sender\\rgsender.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\remote graphics sender\\rgsender_gui.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\FileMaker\\FileMaker Pro 11\\FileMaker Pro.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Documents and Settings\\MGamble\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\NETGEAR\\NETGEAR ProSafe VPN Client\\IreIKE.exe"=
"c:\program files\NETGEAR\NETGEAR ProSafe VPN Client\ViewLog.exe"= c:\program files\NETGEAR\NETGEAR ProSafe VPN Client\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\NETGEAR\NETGEAR ProSafe VPN Client\CmonApp.exe"= c:\program files\NETGEAR\NETGEAR ProSafe VPN Client\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\NETGEAR\NETGEAR ProSafe VPN Client\vpn.exe"= c:\program files\NETGEAR\NETGEAR ProSafe VPN Client\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager
.
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [12/20/2010 1:45 PM 138296]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 4:33 PM 249648]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [12/20/2010 1:45 PM 536634]
R2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [11/19/2009 5:14 PM 102968]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [11/19/2009 5:11 PM 102968]
R2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [11/20/2009 1:10 PM 124984]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [11/12/2009 7:32 AM 250936]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 7:09 PM 11032]
R2 rgsender;Remote Graphics Sender Service;c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [8/28/2010 7:22 PM 379904]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [8/28/2010 7:17 PM 2320920]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [10/21/2009 4:30 PM 1639728]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/28/2010 7:17 PM 113664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [1/15/2010 12:52 PM 228408]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [12/20/2010 1:44 PM 29184]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [1/15/2010 12:53 PM 166568]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/23/2008 1:31 PM 44800]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [8/28/2010 7:12 PM 125696]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [8/28/2010 7:12 PM 205824]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [1/15/2010 12:57 PM 49152]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 6:31 PM 195336]
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 21:09]
.
2012-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-11-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
LSP: c:\windows\system32\iavlsp.dll
Trusted Zone: server
Trusted Zone: uspto.gov
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\MGamble\Application Data\Mozilla\Firefox\Profiles\k5uifqq9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-11-26 15:33; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: !HIDDEN! 2010-08-28 12:59; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Abacus Accounting - S:\uninst.exe
AddRemove-AbacusLaw Accounting Workstation - c:\windows\UNWISE.EXE
AddRemove-AbacusLaw Workstation - c:\windows\UNWISE.EXE
AddRemove-{007811BF-E310-4285-BFC6-55DB29B3EDDE} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\{00781~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-27 14:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = "c:\program files\Hewlett-Packard\Default Settings\cpqset.exe"?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1420)
c:\windows\system32\iavlsp.dll
.
Completion time: 2012-11-27 14:20:49
ComboFix-quarantined-files.txt 2012-11-27 20:20
.
Pre-Run: 200,616,202,240 bytes free
Post-Run: 201,100,455,936 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 4FBF843266FE1A2D610143ED5580BEB0

#6 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location: Puerto Rico

Posted 27 November 2012 - 08:52 PM

Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#7 llama2200

  • Topic Starter

  • Members
  • 21 posts

Posted 28 November 2012 - 01:16 PM

TDSSKiller report as follows:

11:39:52.0546 3108 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
11:39:53.0125 3108 ============================================================
11:39:53.0125 3108 Current date / time: 2012/11/28 11:39:53.0125
11:39:53.0125 3108 SystemInfo:
11:39:53.0125 3108
11:39:53.0125 3108 OS Version: 5.1.2600 ServicePack: 3.0
11:39:53.0125 3108 Product type: Workstation
11:39:53.0125 3108 ComputerName: MIPL3
11:39:53.0125 3108 UserName: MGamble
11:39:53.0125 3108 Windows directory: C:\WINDOWS
11:39:53.0125 3108 System windows directory: C:\WINDOWS
11:39:53.0125 3108 Processor architecture: Intel x86
11:39:53.0125 3108 Number of processors: 4
11:39:53.0125 3108 Page size: 0x1000
11:39:53.0125 3108 Boot type: Normal boot
11:39:53.0125 3108 ============================================================
11:39:55.0140 3108 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
11:40:01.0156 3108 Drive \Device\Harddisk1\DR3 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
11:40:01.0156 3108 Drive \Device\Harddisk1\DR3 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
11:40:01.0156 3108 ============================================================
11:40:01.0156 3108 \Device\Harddisk0\DR0:
11:40:01.0171 3108 MBR partitions:
11:40:01.0171 3108 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x1CDB8679
11:40:01.0171 3108 \Device\Harddisk0\DR0\Partition2: MBR, Type 0xC, StartLBA 0x1CDBCD3A, BlocksNum 0x403986
11:40:01.0171 3108 \Device\Harddisk1\DR3:
11:40:01.0171 3108 MBR partitions:
11:40:01.0171 3108 \Device\Harddisk1\DR3\Partition1: MBR, Type 0xC, StartLBA 0x3F, BlocksNum 0x1D1C4542
11:40:01.0171 3108 \Device\Harddisk1\DR3:
11:40:01.0171 3108 MBR partitions:
11:40:01.0171 3108 \Device\Harddisk1\DR3\Partition1: MBR, Type 0xC, StartLBA 0x3F, BlocksNum 0x1D1C4542
11:40:01.0171 3108 ============================================================
11:40:01.0250 3108 C: <-> \Device\Harddisk0\DR0\Partition1
11:40:01.0265 3108 D: <-> \Device\Harddisk0\DR0\Partition2
11:40:01.0265 3108 F: <-> \Device\Harddisk1\DR3\Partition1
11:40:01.0265 3108 ============================================================
11:40:01.0265 3108 Initialize success
11:40:01.0265 3108 ============================================================
11:40:05.0859 0512 ============================================================
11:40:05.0859 0512 Scan started
11:40:05.0859 0512 Mode: Manual;
11:40:05.0859 0512 ============================================================
11:40:06.0046 0512 ================ Scan system memory ========================
11:40:06.0046 0512 System memory - ok
11:40:06.0046 0512 ================ Scan services =============================
11:40:06.0250 0512 Abiosdsk - ok
11:40:06.0250 0512 abp480n5 - ok
11:40:06.0265 0512 [ A0BAABB7D3549460E3F8C5AD6F778683 ] Accelerometer C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
11:40:06.0281 0512 Accelerometer - ok
11:40:06.0312 0512 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:40:06.0359 0512 ACPI - ok
11:40:06.0375 0512 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
11:40:06.0390 0512 ACPIEC - ok
11:40:06.0453 0512 [ 0CB0AA071C7B86A64F361DCFDF357329 ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
11:40:06.0453 0512 AdobeFlashPlayerUpdateSvc - ok
11:40:06.0453 0512 adpu160m - ok
11:40:06.0484 0512 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
11:40:06.0484 0512 aec - ok
11:40:06.0515 0512 [ 822D53766D57C90C437536232ECE9023 ] AESTAud C:\WINDOWS\system32\drivers\AESTAud.sys
11:40:06.0531 0512 AESTAud - ok
11:40:06.0562 0512 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
11:40:06.0562 0512 AFD - ok
11:40:06.0578 0512 Aha154x - ok
11:40:06.0578 0512 aic78u2 - ok
11:40:06.0593 0512 aic78xx - ok
11:40:06.0625 0512 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
11:40:06.0640 0512 Alerter - ok
11:40:06.0671 0512 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
11:40:06.0671 0512 ALG - ok
11:40:06.0671 0512 [ 1140AB9938809700B46BB88E46D72A96 ] AliIde C:\WINDOWS\system32\DRIVERS\aliide.sys
11:40:06.0687 0512 AliIde - ok
11:40:06.0687 0512 amsint - ok
11:40:06.0734 0512 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
11:40:06.0734 0512 AppMgmt - ok
11:40:06.0750 0512 [ B5B8A80875C1DEDEDA8B02765642C32F ] Arp1394 C:\WINDOWS\system32\DRIVERS\arp1394.sys
11:40:06.0750 0512 Arp1394 - ok
11:40:06.0750 0512 asc - ok
11:40:06.0765 0512 asc3350p - ok
11:40:06.0765 0512 asc3550 - ok
11:40:06.0859 0512 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
11:40:06.0859 0512 aspnet_state - ok
11:40:06.0875 0512 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:40:06.0875 0512 AsyncMac - ok
11:40:06.0875 0512 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
11:40:06.0953 0512 atapi - ok
11:40:06.0953 0512 Atdisk - ok
11:40:06.0984 0512 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:40:07.0031 0512 Atmarpc - ok
11:40:07.0062 0512 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
11:40:07.0078 0512 AudioSrv - ok
11:40:07.0078 0512 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
11:40:07.0078 0512 audstub - ok
11:40:07.0187 0512 [ 2ED050291BC1D7F9E322E328DB3AAECF ] BBSvc C:\Program Files\Microsoft\BingBar\BBSvc.EXE
11:40:07.0203 0512 BBSvc - ok
11:40:07.0234 0512 [ 785DE7ABDA13309D6065305542829E76 ] BBUpdate C:\Program Files\Microsoft\BingBar\SeaPort.EXE
11:40:07.0234 0512 BBUpdate - ok
11:40:07.0250 0512 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
11:40:07.0250 0512 Beep - ok
11:40:07.0296 0512 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
11:40:07.0343 0512 BITS - ok
11:40:07.0390 0512 [ 3F56903E124E820AEECE6D471583C6C1 ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
11:40:07.0390 0512 Bonjour Service - ok
11:40:07.0406 0512 [ A06CE3399D16DB864F55FAEB1F1927A9 ] Browser C:\WINDOWS\System32\browser.dll
11:40:07.0406 0512 Browser - ok
11:40:07.0484 0512 catchme - ok
11:40:07.0515 0512 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
11:40:07.0546 0512 cbidf2k - ok
11:40:07.0578 0512 [ 0BE5AEF125BE881C4F854C554F2B025C ] CCDECODE C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
11:40:07.0609 0512 CCDECODE - ok
11:40:07.0609 0512 cd20xrnt - ok
11:40:07.0640 0512 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
11:40:07.0640 0512 Cdaudio - ok
11:40:07.0671 0512 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
11:40:07.0671 0512 Cdfs - ok
11:40:07.0687 0512 [ 4B0A100EAF5C49EF3CCA8C641431EACC ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:40:07.0687 0512 Cdrom - ok
11:40:07.0703 0512 Changer - ok
11:40:07.0703 0512 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
11:40:07.0703 0512 CiSvc - ok
11:40:07.0718 0512 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
11:40:07.0734 0512 ClipSrv - ok
11:40:07.0781 0512 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
11:40:07.0781 0512 clr_optimization_v2.0.50727_32 - ok
11:40:07.0812 0512 [ 0F6C187D38D98F8DF904589A5F94D411 ] CmBatt C:\WINDOWS\system32\DRIVERS\CmBatt.sys
11:40:07.0812 0512 CmBatt - ok
11:40:07.0812 0512 CmdIde - ok
11:40:07.0859 0512 [ F9A79C5B27037821112C50A9C8FB367A ] Com4QLBEx C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
11:40:07.0875 0512 Com4QLBEx - ok
11:40:07.0875 0512 [ 6E4C9F21F0FAE8940661144F41B13203 ] Compbatt C:\WINDOWS\system32\DRIVERS\compbatt.sys
11:40:07.0890 0512 Compbatt - ok
11:40:07.0906 0512 COMSysApp - ok
11:40:07.0921 0512 Cpqarray - ok
11:40:07.0968 0512 [ FF47F8C027394814DB9C1361FCC36B85 ] Crypto C:\WINDOWS\system32\Drivers\Crypto.sys
11:40:08.0031 0512 Crypto - ok
11:40:08.0046 0512 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
11:40:08.0046 0512 CryptSvc - ok
11:40:08.0046 0512 dac2w2k - ok
11:40:08.0062 0512 dac960nt - ok
11:40:08.0093 0512 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
11:40:08.0109 0512 DcomLaunch - ok
11:40:08.0109 0512 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
11:40:08.0125 0512 Dhcp - ok
11:40:08.0125 0512 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
11:40:08.0156 0512 Disk - ok
11:40:08.0156 0512 dmadmin - ok
11:40:08.0203 0512 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
11:40:08.0312 0512 dmboot - ok
11:40:08.0343 0512 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
11:40:08.0375 0512 dmio - ok
11:40:08.0390 0512 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
11:40:08.0406 0512 dmload - ok
11:40:08.0421 0512 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
11:40:08.0421 0512 dmserver - ok
11:40:08.0453 0512 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
11:40:08.0453 0512 DMusic - ok
11:40:08.0484 0512 [ 812F9714B6D2D93078BF4D126167C5BA ] DNE C:\WINDOWS\system32\DRIVERS\dne2000.sys
11:40:08.0484 0512 DNE - ok
11:40:08.0500 0512 [ DEA17133E5F64A70C21F1A9E9692F8C3 ] DniVap C:\WINDOWS\system32\DRIVERS\vap.sys
11:40:08.0515 0512 DniVap - ok
11:40:08.0531 0512 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
11:40:08.0531 0512 Dnscache - ok
11:40:08.0562 0512 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
11:40:08.0562 0512 Dot3svc - ok
11:40:08.0562 0512 dpti2o - ok
11:40:08.0593 0512 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
11:40:08.0593 0512 drmkaud - ok
11:40:08.0640 0512 [ C08A912BC3257859516D2B71F5E29802 ] e1kexpress C:\WINDOWS\system32\DRIVERS\e1k5132.sys
11:40:08.0640 0512 e1kexpress - ok
11:40:08.0656 0512 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
11:40:08.0671 0512 EapHost - ok
11:40:08.0671 0512 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
11:40:08.0671 0512 ERSvc - ok
11:40:08.0703 0512 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
11:40:08.0703 0512 Eventlog - ok
11:40:08.0734 0512 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
11:40:08.0765 0512 EventSystem - ok
11:40:08.0781 0512 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
11:40:08.0781 0512 Fastfat - ok
11:40:08.0812 0512 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
11:40:08.0812 0512 FastUserSwitchingCompatibility - ok
11:40:08.0828 0512 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
11:40:08.0859 0512 Fdc - ok
11:40:08.0875 0512 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
11:40:08.0875 0512 Fips - ok
11:40:08.0968 0512 [ F76D04F7413B07DAA029F6520B64B4E8 ] FLEXnet Licensing Service C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
11:40:08.0984 0512 FLEXnet Licensing Service - ok
11:40:09.0000 0512 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys
11:40:09.0015 0512 Flpydisk - ok
11:40:09.0031 0512 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
11:40:09.0078 0512 FltMgr - ok
11:40:09.0125 0512 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
11:40:09.0125 0512 FontCache3.0.0.0 - ok
11:40:09.0140 0512 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:40:09.0156 0512 Fs_Rec - ok
11:40:09.0156 0512 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:40:09.0187 0512 Ftdisk - ok
11:40:09.0203 0512 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:40:09.0203 0512 Gpc - ok
11:40:09.0218 0512 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
11:40:09.0234 0512 HDAudBus - ok
11:40:09.0265 0512 [ A88485DC6A7136C10D9A6C7E38FDFE3C ] HECI C:\WINDOWS\system32\DRIVERS\HECI.sys
11:40:09.0265 0512 HECI - ok
11:40:09.0296 0512 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
11:40:09.0296 0512 helpsvc - ok
11:40:09.0296 0512 HidServ - ok
11:40:09.0312 0512 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:40:09.0312 0512 HidUsb - ok
11:40:09.0343 0512 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
11:40:09.0343 0512 hkmsvc - ok
11:40:09.0375 0512 [ 96D214228969DDB213EF81951E89F699 ] HP Power Assistant Service C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe
11:40:09.0390 0512 HP Power Assistant Service - ok
11:40:09.0421 0512 [ 45C20CEAA37A497AE187D94AFE94DEB8 ] HP Wireless Assistant Service C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
11:40:09.0421 0512 HP Wireless Assistant Service - ok
11:40:09.0468 0512 [ A1731B1204CD7EB9C244B0A6F89264DF ] Hp.Skyroom.Windows.Service C:\Program Files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe
11:40:09.0468 0512 Hp.Skyroom.Windows.Service - ok
11:40:09.0515 0512 [ CD6525B7E42188E6A7489829D11BB8B4 ] HPDrvMntSvc.exe c:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
11:40:09.0515 0512 HPDrvMntSvc.exe - ok
11:40:09.0546 0512 [ 9F620E11B80B74F4DAB50A81A5DF357F ] hpdskflt C:\WINDOWS\system32\DRIVERS\hpdskflt.sys
11:40:09.0562 0512 hpdskflt - ok
11:40:09.0562 0512 hpn - ok
11:40:09.0593 0512 [ 35956140E686D53BF676CF0C778880FC ] HpqKbFiltr C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys
11:40:09.0593 0512 HpqKbFiltr - ok
11:40:09.0625 0512 [ FDF273A845F1FFCCEADF363AAF47582F ] hpqwmiex C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
11:40:09.0640 0512 hpqwmiex - ok
11:40:09.0703 0512 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
11:40:09.0718 0512 HTTP - ok
11:40:09.0765 0512 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
11:40:09.0765 0512 HTTPFilter - ok
11:40:09.0781 0512 i2omgmt - ok
11:40:09.0781 0512 i2omp - ok
11:40:09.0812 0512 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:40:09.0812 0512 i8042prt - ok
11:40:09.0875 0512 [ F54B3DB096ABD6E9BBBD052FD3878A48 ] IAANTMON C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
11:40:09.0890 0512 IAANTMON - ok
11:40:09.0953 0512 [ ED3D980E2D3E15FE179269699D65F5A7 ] ialm C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
11:40:10.0031 0512 ialm - ok
11:40:10.0078 0512 [ 01446278D4563B3013C92830AE6CBB26 ] iaStor C:\WINDOWS\system32\DRIVERS\iaStor.sys
11:40:10.0078 0512 iaStor - ok
11:40:10.0156 0512 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
11:40:10.0171 0512 idsvc - ok
11:40:10.0203 0512 [ 91C5E9F49F32110CED27E2F902FAD607 ] IFXTPM C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
11:40:10.0203 0512 IFXTPM - ok
11:40:10.0234 0512 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
11:40:10.0234 0512 Imapi - ok
11:40:10.0296 0512 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
11:40:10.0296 0512 ImapiService - ok
11:40:10.0343 0512 [ 2DB41BA61D5E44D0667CF126D35DCF34 ] Impcd C:\WINDOWS\system32\DRIVERS\Impcd.sys
11:40:10.0343 0512 Impcd - ok
11:40:10.0343 0512 ini910u - ok
11:40:10.0390 0512 [ F2BFC65DFBCA35734ACCD03C10105F9E ] IntcDAud C:\WINDOWS\system32\DRIVERS\IntcDAud.sys
11:40:10.0406 0512 IntcDAud - ok
11:40:10.0406 0512 [ B5466A9250342A7AA0CD1FBA13420678 ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
11:40:10.0421 0512 IntelIde - ok
11:40:10.0437 0512 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:40:10.0437 0512 intelppm - ok
11:40:10.0453 0512 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
11:40:10.0500 0512 Ip6Fw - ok
11:40:10.0515 0512 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:40:10.0546 0512 IpFilterDriver - ok
11:40:10.0562 0512 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:40:10.0609 0512 IpInIp - ok
11:40:10.0625 0512 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:40:10.0640 0512 IpNat - ok
11:40:10.0640 0512 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:40:10.0640 0512 IPSec - ok
11:40:10.0671 0512 [ 0DAE09EA43F5AFB0A06FBABC4DCCCC34 ] IPSECDRV C:\WINDOWS\system32\Drivers\IPSECDRV.sys
11:40:10.0703 0512 IPSECDRV - ok
11:40:10.0765 0512 [ A3A0B3B8BB724627BC481D36EE32A15E ] IPSECMON C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
11:40:10.0765 0512 IPSECMON - ok
11:40:10.0796 0512 [ E52A6E223CF6F9FF0014CF6D91DFF1CD ] IreIKE C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
11:40:10.0812 0512 IreIKE - ok
11:40:10.0812 0512 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
11:40:10.0843 0512 IRENUM - ok
11:40:10.0859 0512 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:40:10.0906 0512 isapnp - ok
11:40:10.0937 0512 [ 4AC11B2250106774F694DF2DB4FFED61 ] Iviaspi C:\WINDOWS\system32\drivers\iviaspi.sys
11:40:10.0953 0512 Iviaspi - ok
11:40:10.0984 0512 [ 213822072085B5BBAD9AF30AB577D817 ] IviRegMgr C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
11:40:11.0000 0512 IviRegMgr - ok
11:40:11.0125 0512 [ B591E761161D1EF547D76EF236EAA6A5 ] JavaQuickStarterService C:\Program Files\Java\jre7\bin\jqs.exe
11:40:11.0125 0512 JavaQuickStarterService - ok
11:40:11.0171 0512 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:40:11.0171 0512 Kbdclass - ok
11:40:11.0203 0512 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
11:40:11.0203 0512 kbdhid - ok
11:40:11.0218 0512 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
11:40:11.0218 0512 kmixer - ok
11:40:11.0234 0512 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
11:40:11.0312 0512 KSecDD - ok
11:40:11.0359 0512 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
11:40:11.0359 0512 lanmanserver - ok
11:40:11.0406 0512 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
11:40:11.0421 0512 lanmanworkstation - ok
11:40:11.0421 0512 lbrtfdc - ok
11:40:11.0468 0512 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
11:40:11.0468 0512 LmHosts - ok
11:40:11.0546 0512 [ 17A9C5FFA241AAAB275EE5CACEF77686 ] LMS C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
11:40:11.0562 0512 LMS - ok
11:40:11.0578 0512 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
11:40:11.0578 0512 Messenger - ok
11:40:11.0609 0512 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
11:40:11.0609 0512 mnmdd - ok
11:40:11.0640 0512 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
11:40:11.0640 0512 mnmsrvc - ok
11:40:11.0656 0512 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
11:40:11.0687 0512 Modem - ok
11:40:11.0703 0512 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:40:11.0703 0512 Mouclass - ok
11:40:11.0718 0512 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:40:11.0718 0512 mouhid - ok
11:40:11.0734 0512 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
11:40:11.0765 0512 MountMgr - ok
11:40:11.0828 0512 [ 8BE15F71DE6FF33FC56DCDE7B2B9EFE8 ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
11:40:11.0828 0512 MozillaMaintenance - ok
11:40:11.0859 0512 [ 7E34BFA1A7B60BBA1DA03D677F16CD63 ] MpFilter C:\WINDOWS\system32\DRIVERS\MpFilter.sys
11:40:11.0859 0512 MpFilter - ok
11:40:11.0937 0512 [ A69630D039C38018689190234F866D77 ] MpKsl6f430275 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6CAEE114-02B2-4FCA-9B68-5CC9AE484C1E}\MpKsl6f430275.sys
11:40:11.0937 0512 MpKsl6f430275 - ok
11:40:11.0968 0512 [ 70C14F5CCA5CF73F8A645C73A01D8726 ] MQAC C:\WINDOWS\system32\drivers\mqac.sys
11:40:11.0984 0512 MQAC - ok
11:40:11.0984 0512 mraid35x - ok
11:40:11.0984 0512 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:40:12.0000 0512 MRxDAV - ok
11:40:12.0046 0512 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:40:12.0062 0512 MRxSmb - ok
11:40:12.0078 0512 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
11:40:12.0078 0512 MSDTC - ok
11:40:12.0093 0512 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
11:40:12.0093 0512 Msfs - ok
11:40:12.0093 0512 MSIServer - ok
11:40:12.0125 0512 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:40:12.0156 0512 MSKSSRV - ok
11:40:12.0203 0512 [ 90DC23D940551DB35367FB1E40575B25 ] MsMpSvc c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
11:40:12.0203 0512 MsMpSvc - ok
11:40:12.0218 0512 [ AFB909B537AAE1BEAE7BBDB6A36D40B0 ] MSMQ C:\WINDOWS\system32\mqsvc.exe
11:40:12.0218 0512 MSMQ - ok
11:40:12.0234 0512 [ 7F955FF3B1BB93376EBE75D5ACCDC6DB ] MSMQTriggers C:\WINDOWS\system32\mqtgsvc.exe
11:40:12.0234 0512 MSMQTriggers - ok
11:40:12.0265 0512 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:40:12.0281 0512 MSPCLOCK - ok
11:40:12.0281 0512 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
11:40:12.0312 0512 MSPQM - ok
11:40:12.0328 0512 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:40:12.0328 0512 mssmbios - ok
11:40:12.0343 0512 [ E53736A9E30C45FA9E7B5EAC55056D1D ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
11:40:12.0375 0512 MSTEE - ok
11:40:12.0390 0512 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
11:40:12.0390 0512 Mup - ok
11:40:12.0406 0512 [ 5B50F1B2A2ED47D560577B221DA734DB ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
11:40:12.0453 0512 NABTSFEC - ok
11:40:12.0484 0512 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
11:40:12.0500 0512 napagent - ok
11:40:12.0515 0512 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
11:40:12.0578 0512 NDIS - ok
11:40:12.0578 0512 [ 7FF1F1FD8609C149AA432F95A8163D97 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
11:40:12.0609 0512 NdisIP - ok
11:40:12.0640 0512 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:40:12.0640 0512 NdisTapi - ok
11:40:12.0687 0512 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:40:12.0687 0512 Ndisuio - ok
11:40:12.0687 0512 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:40:12.0687 0512 NdisWan - ok
11:40:12.0703 0512 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
11:40:12.0703 0512 NDProxy - ok
11:40:12.0718 0512 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
11:40:12.0718 0512 NetBIOS - ok
11:40:12.0734 0512 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
11:40:12.0750 0512 NetBT - ok
11:40:12.0781 0512 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
11:40:12.0796 0512 NetDDE - ok
11:40:12.0796 0512 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
11:40:12.0796 0512 NetDDEdsdm - ok
11:40:12.0812 0512 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
11:40:12.0812 0512 Netlogon - ok
11:40:12.0843 0512 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
11:40:12.0843 0512 Netman - ok
11:40:12.0875 0512 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
11:40:12.0875 0512 NetTcpPortSharing - ok
11:40:13.0031 0512 [ 580207A7C9BDE8BA65401F51F9BA9741 ] NETw5x32 C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
11:40:13.0156 0512 NETw5x32 - ok
11:40:13.0171 0512 [ E9E47CFB2D461FA0FC75B7A74C6383EA ] NIC1394 C:\WINDOWS\system32\DRIVERS\nic1394.sys
11:40:13.0171 0512 NIC1394 - ok
11:40:13.0187 0512 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
11:40:13.0203 0512 Nla - ok
11:40:13.0203 0512 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
11:40:13.0203 0512 Npfs - ok
11:40:13.0218 0512 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
11:40:13.0281 0512 Ntfs - ok
11:40:13.0281 0512 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
11:40:13.0281 0512 NtLmSsp - ok
11:40:13.0328 0512 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
11:40:13.0343 0512 NtmsSvc - ok
11:40:13.0359 0512 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
11:40:13.0359 0512 Null - ok
11:40:13.0375 0512 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:40:13.0406 0512 NwlnkFlt - ok
11:40:13.0406 0512 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:40:13.0437 0512 NwlnkFwd - ok
11:40:13.0531 0512 [ 785F487A64950F3CB8E9F16253BA3B7B ] odserv C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
11:40:13.0546 0512 odserv - ok
11:40:13.0546 0512 [ CA33832DF41AFB202EE7AEB05145922F ] ohci1394 C:\WINDOWS\system32\DRIVERS\ohci1394.sys
11:40:13.0593 0512 ohci1394 - ok
11:40:13.0640 0512 [ 9D10F99A6712E28F8ACD5641E3A7EA6B ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
11:40:13.0640 0512 ose - ok
11:40:13.0812 0512 [ 358A9CCA612C68EB2F07DDAD4CE1D8D7 ] osppsvc C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
11:40:13.0906 0512 osppsvc - ok
11:40:13.0937 0512 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
11:40:13.0937 0512 Parport - ok
11:40:13.0937 0512 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
11:40:13.0968 0512 PartMgr - ok
11:40:14.0000 0512 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
11:40:14.0015 0512 ParVdm - ok
11:40:14.0031 0512 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
11:40:14.0078 0512 PCI - ok
11:40:14.0078 0512 PCIDump - ok
11:40:14.0093 0512 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
11:40:14.0109 0512 PCIIde - ok
11:40:14.0125 0512 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\DRIVERS\pcmcia.sys
11:40:14.0156 0512 Pcmcia - ok
11:40:14.0156 0512 PDCOMP - ok
11:40:14.0171 0512 PDFRAME - ok
11:40:14.0171 0512 PDRELI - ok
11:40:14.0187 0512 PDRFRAME - ok
11:40:14.0187 0512 perc2 - ok
11:40:14.0187 0512 perc2hib - ok
11:40:14.0218 0512 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
11:40:14.0218 0512 PlugPlay - ok
11:40:14.0234 0512 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
11:40:14.0234 0512 PolicyAgent - ok
11:40:14.0234 0512 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:40:14.0234 0512 PptpMiniport - ok
11:40:14.0250 0512 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
11:40:14.0250 0512 ProtectedStorage - ok
11:40:14.0265 0512 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
11:40:14.0265 0512 PSched - ok
11:40:14.0296 0512 [ A6A7AD767BF5141665F5C675F671B3E1 ] PSI_SVC_2 C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
11:40:14.0296 0512 PSI_SVC_2 - ok
11:40:14.0312 0512 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:40:14.0312 0512 Ptilink - ok
11:40:14.0312 0512 ql1080 - ok
11:40:14.0328 0512 Ql10wnt - ok
11:40:14.0328 0512 ql12160 - ok
11:40:14.0343 0512 ql1240 - ok
11:40:14.0343 0512 ql1280 - ok
11:40:14.0359 0512 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:40:14.0359 0512 RasAcd - ok
11:40:14.0390 0512 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
11:40:14.0390 0512 RasAuto - ok
11:40:14.0406 0512 [ 0207D26DDF796A193CCD9F83047BB5FC ] Rasirda C:\WINDOWS\system32\DRIVERS\rasirda.sys
11:40:14.0421 0512 Rasirda - ok
11:40:14.0437 0512 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:40:14.0437 0512 Rasl2tp - ok
11:40:14.0484 0512 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
11:40:14.0500 0512 RasMan - ok
11:40:14.0500 0512 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:40:14.0500 0512 RasPppoe - ok
11:40:14.0500 0512 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
11:40:14.0500 0512 Raspti - ok
11:40:14.0531 0512 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:40:14.0531 0512 Rdbss - ok
11:40:14.0546 0512 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:40:14.0546 0512 RDPCDD - ok
11:40:14.0562 0512 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:40:14.0562 0512 rdpdr - ok
11:40:14.0609 0512 [ FC105DD312ED64EB66BFF111E8EC6EAC ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
11:40:14.0609 0512 RDPWD - ok
11:40:14.0625 0512 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
11:40:14.0640 0512 RDSessMgr - ok
11:40:14.0656 0512 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
11:40:14.0656 0512 redbook - ok
11:40:14.0671 0512 [ 001B4278407F4303EFC902A2B16F2453 ] regi C:\WINDOWS\system32\drivers\regi.sys
11:40:14.0671 0512 regi - ok
11:40:14.0703 0512 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
11:40:14.0703 0512 RemoteAccess - ok
11:40:14.0718 0512 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
11:40:14.0718 0512 RemoteRegistry - ok
11:40:14.0765 0512 [ 559A9654F993B2FAFE900043242874C2 ] rgsender c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe
11:40:14.0781 0512 rgsender - ok
11:40:14.0812 0512 [ DF672613FBBCD58C38BB0BC2694BCFB0 ] rimmptsk C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
11:40:14.0828 0512 rimmptsk - ok
11:40:14.0843 0512 [ 470FC46E2989F6606043C1C5365B15FD ] rismc32 C:\WINDOWS\system32\DRIVERS\rismc32.sys
11:40:14.0843 0512 rismc32 - ok
11:40:14.0875 0512 [ 96F7A9A7BF0C9C0440A967440065D33C ] RMCAST C:\WINDOWS\system32\drivers\RMCast.sys
11:40:14.0875 0512 RMCAST - ok
11:40:14.0906 0512 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
11:40:14.0906 0512 RpcLocator - ok
11:40:14.0921 0512 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
11:40:14.0937 0512 RpcSs - ok
11:40:14.0953 0512 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
11:40:14.0968 0512 RSVP - ok
11:40:14.0984 0512 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
11:40:14.0984 0512 SamSs - ok
11:40:15.0000 0512 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
11:40:15.0000 0512 SCardSvr - ok
11:40:15.0015 0512 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
11:40:15.0015 0512 Schedule - ok
11:40:15.0031 0512 [ 8D04819A3CE51B9EB47E5689B44D43C4 ] sdbus C:\WINDOWS\system32\DRIVERS\sdbus.sys
11:40:15.0031 0512 sdbus - ok
11:40:15.0046 0512 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:40:15.0078 0512 Secdrv - ok
11:40:15.0093 0512 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
11:40:15.0093 0512 seclogon - ok
11:40:15.0093 0512 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
11:40:15.0109 0512 SENS - ok
11:40:15.0125 0512 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
11:40:15.0125 0512 serenum - ok
11:40:15.0140 0512 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
11:40:15.0140 0512 Serial - ok
11:40:15.0171 0512 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
11:40:15.0171 0512 Sfloppy - ok
11:40:15.0187 0512 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
11:40:15.0203 0512 SharedAccess - ok
11:40:15.0218 0512 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
11:40:15.0218 0512 ShellHWDetection - ok
11:40:15.0218 0512 Simbad - ok
11:40:15.0234 0512 [ 866D538EBE33709A5C9F5C62B73B7D14 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
11:40:15.0265 0512 SLIP - ok
11:40:15.0281 0512 [ 707647A1AA0EDB6CBEF61B0C75C28ED3 ] SMCIRDA C:\WINDOWS\system32\DRIVERS\smcirda.sys
11:40:15.0328 0512 SMCIRDA - ok
11:40:15.0390 0512 [ 4D8A49526AA035B1A8FF3FE6807783F5 ] SNP2UVC C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
11:40:15.0437 0512 SNP2UVC - ok
11:40:15.0437 0512 Sparrow - ok
11:40:15.0468 0512 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
11:40:15.0484 0512 splitter - ok
11:40:15.0500 0512 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
11:40:15.0500 0512 Spooler - ok
11:40:15.0515 0512 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
11:40:15.0578 0512 sr - ok
11:40:15.0578 0512 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
11:40:15.0593 0512 srservice - ok
11:40:15.0625 0512 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
11:40:15.0640 0512 Srv - ok
11:40:15.0656 0512 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
11:40:15.0656 0512 SSDPSRV - ok
11:40:15.0718 0512 [ 9AF3F5F93041DCEF4DC9E1B07F0CC609 ] STacSV c:\program files\idt\wdm\STacSV.exe
11:40:15.0734 0512 STacSV - ok
11:40:15.0781 0512 [ C2BF767970F54814E6A26650ECE2BD76 ] STHDA C:\WINDOWS\system32\drivers\sthda.sys
11:40:15.0828 0512 STHDA - ok
11:40:15.0859 0512 [ A9573045BAA16EAB9B1085205B82F1ED ] StillCam C:\WINDOWS\system32\DRIVERS\serscan.sys
11:40:15.0859 0512 StillCam - ok
11:40:15.0953 0512 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
11:40:15.0968 0512 stisvc - ok
11:40:16.0000 0512 [ 77813007BA6265C4B6098187E6ED79D2 ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
11:40:16.0031 0512 streamip - ok
11:40:16.0046 0512 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
11:40:16.0046 0512 swenum - ok
11:40:16.0093 0512 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
11:40:16.0093 0512 swmidi - ok
11:40:16.0093 0512 SwPrv - ok
11:40:16.0109 0512 symc810 - ok
11:40:16.0109 0512 symc8xx - ok
11:40:16.0125 0512 sym_hi - ok
11:40:16.0125 0512 sym_u3 - ok
11:40:16.0156 0512 [ 215A45246C6E2D0A9C263CE1786C8D8A ] SynTP C:\WINDOWS\system32\DRIVERS\SynTP.sys
11:40:16.0156 0512 SynTP - ok
11:40:16.0187 0512 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
11:40:16.0203 0512 sysaudio - ok
11:40:16.0218 0512 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
11:40:16.0218 0512 SysmonLog - ok
11:40:16.0250 0512 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
11:40:16.0265 0512 TapiSrv - ok
11:40:16.0281 0512 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:40:16.0281 0512 Tcpip - ok
11:40:16.0312 0512 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
11:40:16.0312 0512 TDPIPE - ok
11:40:16.0328 0512 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
11:40:16.0328 0512 TDTCP - ok
11:40:16.0343 0512 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
11:40:16.0343 0512 TermDD - ok
11:40:16.0390 0512 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
11:40:16.0390 0512 TermService - ok
11:40:16.0406 0512 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
11:40:16.0406 0512 Themes - ok
11:40:16.0437 0512 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
11:40:16.0437 0512 TlntSvr - ok
11:40:16.0437 0512 TosIde - ok
11:40:16.0453 0512 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
11:40:16.0453 0512 TrkWks - ok
11:40:16.0468 0512 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
11:40:16.0515 0512 Udfs - ok
11:40:16.0531 0512 ultra - ok
11:40:16.0609 0512 [ 7953D636309B7F505C70667A7A2437CF ] UNS C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
11:40:16.0656 0512 UNS - ok
11:40:16.0703 0512 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
11:40:16.0718 0512 Update - ok
11:40:16.0750 0512 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
11:40:16.0750 0512 upnphost - ok
11:40:16.0765 0512 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
11:40:16.0765 0512 UPS - ok
11:40:16.0781 0512 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:40:16.0828 0512 usbccgp - ok
11:40:16.0875 0512 [ 52674B5DBEE499342A599C7771ABECAA ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:40:16.0875 0512 usbehci - ok
11:40:16.0875 0512 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:40:16.0875 0512 usbhub - ok
11:40:16.0921 0512 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
11:40:16.0953 0512 usbscan - ok
11:40:16.0984 0512 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:40:17.0000 0512 USBSTOR - ok
11:40:17.0031 0512 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:40:17.0062 0512 usbuhci - ok
11:40:17.0062 0512 [ 63BBFCA7F390F4C49ED4B96BFB1633E0 ] usbvideo C:\WINDOWS\system32\Drivers\usbvideo.sys
11:40:17.0093 0512 usbvideo - ok
11:40:17.0171 0512 [ D1EC95E67402EC65953937101338CBBF ] vcsFPService C:\WINDOWS\system32\vcsFPService.exe
11:40:17.0234 0512 vcsFPService - ok
11:40:17.0250 0512 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
11:40:17.0265 0512 VgaSave - ok
11:40:17.0265 0512 [ 3B3EFCDA263B8AC14FDF9CBDD0791B2E ] ViaIde C:\WINDOWS\system32\DRIVERS\viaide.sys
11:40:17.0281 0512 ViaIde - ok
11:40:17.0296 0512 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
11:40:17.0328 0512 VolSnap - ok
11:40:17.0359 0512 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
11:40:17.0375 0512 VSS - ok
11:40:17.0406 0512 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
11:40:17.0406 0512 W32Time - ok
11:40:17.0437 0512 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:40:17.0453 0512 Wanarp - ok
11:40:17.0484 0512 [ D918617B46457B9AC28027722E30F647 ] Wdf01000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
11:40:17.0500 0512 Wdf01000 - ok
11:40:17.0500 0512 WDICA - ok
11:40:17.0531 0512 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
11:40:17.0546 0512 wdmaud - ok
11:40:17.0593 0512 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
11:40:17.0593 0512 WebClient - ok
11:40:17.0687 0512 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
11:40:17.0687 0512 winmgmt - ok
11:40:17.0750 0512 [ FD600B032E741EB6AAB509FC630F7C42 ] WinUSB C:\WINDOWS\system32\DRIVERS\WinUSB.sys
11:40:17.0750 0512 WinUSB - ok
11:40:17.0765 0512 [ C7E39EA41233E9F5B86C8DA3A9F1E4A8 ] WmdmPmSN C:\WINDOWS\system32\mspmsnsv.dll
11:40:17.0781 0512 WmdmPmSN - ok
11:40:17.0812 0512 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
11:40:17.0828 0512 Wmi - ok
11:40:17.0859 0512 [ C42584FD66CE9E17403AEBCA199F7BDB ] WmiAcpi C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
11:40:17.0859 0512 WmiAcpi - ok
11:40:17.0890 0512 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
11:40:17.0890 0512 WmiApSrv - ok
11:40:17.0890 0512 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
11:40:17.0906 0512 WS2IFSL - ok
11:40:17.0921 0512 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
11:40:17.0937 0512 wscsvc - ok
11:40:17.0937 0512 WSearch - ok
11:40:17.0968 0512 [ C98B39829C2BBD34E454150633C62C78 ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
11:40:18.0000 0512 WSTCODEC - ok
11:40:18.0031 0512 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
11:40:18.0062 0512 wuauserv - ok
11:40:18.0093 0512 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
11:40:18.0109 0512 WZCSVC - ok
11:40:18.0140 0512 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
11:40:18.0156 0512 xmlprov - ok
11:40:18.0171 0512 ================ Scan global ===============================
11:40:18.0187 0512 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
11:40:18.0281 0512 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
11:40:18.0312 0512 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
11:40:18.0343 0512 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
11:40:18.0343 0512 [Global] - ok
11:40:18.0343 0512 ================ Scan MBR ==================================
11:40:18.0375 0512 [ 5C616939100B85E558DA92B899A0FC36 ] \Device\Harddisk0\DR0
11:40:18.0875 0512 \Device\Harddisk0\DR0 - ok
11:40:18.0890 0512 [ BBB0A0725AD66F38B1A32135F3CB55D6 ] \Device\Harddisk1\DR3
11:40:18.0890 0512 \Device\Harddisk1\DR3 - ok
11:40:18.0906 0512 [ BBB0A0725AD66F38B1A32135F3CB55D6 ] \Device\Harddisk1\DR3
11:40:18.0906 0512 \Device\Harddisk1\DR3 - ok
11:40:18.0906 0512 ================ Scan VBR ==================================
11:40:18.0906 0512 [ 80532A675F084E1DD235BC252C8A58C9 ] \Device\Harddisk0\DR0\Partition1
11:40:18.0906 0512 \Device\Harddisk0\DR0\Partition1 - ok
11:40:18.0937 0512 [ CA7D5438926DBEFDA21DC3EB62781FA9 ] \Device\Harddisk0\DR0\Partition2
11:40:18.0937 0512 \Device\Harddisk0\DR0\Partition2 - ok
11:40:18.0953 0512 [ DA1976590726DFE2A97958BB4B081903 ] \Device\Harddisk1\DR3\Partition1
11:40:18.0953 0512 \Device\Harddisk1\DR3\Partition1 - ok
11:40:18.0953 0512 [ DA1976590726DFE2A97958BB4B081903 ] \Device\Harddisk1\DR3\Partition1
11:40:18.0953 0512 \Device\Harddisk1\DR3\Partition1 - ok
11:40:18.0953 0512 ============================================================
11:40:18.0953 0512 Scan finished
11:40:18.0953 0512 ============================================================
11:40:18.0968 6652 Detected object count: 0
11:40:18.0968 6652 Actual detected object count: 0

ASWMBR report as follows:

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-28 11:41:44
-----------------------------
11:41:44.562 OS Version: Windows 5.1.2600 Service Pack 3
11:41:44.562 Number of processors: 4 586 0x2505
11:41:44.562 ComputerName: MIPL3 UserName:
11:41:45.375 Initialize success
11:43:22.875 AVAST engine defs: 12112800
11:43:34.843 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
11:43:34.859 Disk 0 Vendor: ST925041 0006 Size: 238475MB BusType: 3
11:43:34.890 Disk 0 MBR read successfully
11:43:34.906 Disk 0 MBR scan
11:43:34.968 Disk 0 Windows VISTA default MBR code
11:43:34.984 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 236400 MB offset 2048
11:43:35.062 Disk 0 Partition 2 00 0C FAT32 LBA MSDOS5.0 2055 MB offset 484166970
11:43:35.250 Disk 0 scanning sectors +488376000
11:43:35.375 Disk 0 scanning C:\WINDOWS\system32\drivers
11:43:56.171 Service scanning
11:44:07.812 Service MpKsl6f430275 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6CAEE114-02B2-4FCA-9B68-5CC9AE484C1E}\MpKsl6f430275.sys **LOCKED** 32
11:44:22.406 Modules scanning
11:44:29.250 Disk 0 trace - called modules:
11:44:29.296 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys iaStor.sys
11:44:29.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8989fab8]
11:44:29.375 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> [0x8a24a680]
11:44:29.406 5 hpdskflt.sys[ba3394e6] -> nt!IofCallDriver -> \Device\00000094[0x8a24f8d8]
11:44:29.453 7 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a24b028]
11:44:35.906 AVAST engine scan C:\WINDOWS
11:44:48.609 AVAST engine scan C:\WINDOWS\system32
11:50:51.656 AVAST engine scan C:\WINDOWS\system32\drivers
11:51:26.734 AVAST engine scan C:\Documents and Settings\MGamble
12:09:42.921 AVAST engine scan C:\Documents and Settings\All Users
12:12:00.031 Scan finished successfully
12:13:20.187 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\MGamble\Desktop\MBR.dat"
12:13:20.234 The log file has been saved successfully to "C:\Documents and Settings\MGamble\Desktop\aswMBR.txt"

#8 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:12 AM

Posted 28 November 2012 - 09:03 PM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
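To make the "deeper look" at the requested OTL.txt systematic, here is an added triage script that is not part of this thread, of OTL, or of any tool the responder uses: it parses OTL-format lines and flags the entries a responder reads first (nameless Firefox add-on files that prefs.js has enabled, HOSTS overrides, empty publisher fields, registrations whose file is gone). The sample lines are copied from the OTL log posted in this thread, except the `update.example.test` HOSTS line, which is constructed to exercise that rule.

```python
"""Triage an OTL.txt log: pull out the lines a malware responder reads first.

Heuristics only: a hit needs a human look, and a clean result proves nothing.
Added example for this thread; it is not part of OTL or any BleepingComputer tool.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium", "low" or "info"
    rule: str
    line: str


# SRV/DRV registration whose file is gone (leftover of a removed tool or of malware).
MISSING_FILE_RE = re.compile(r"^(?:SRV|DRV) - \([^)]+\) -- .*File not found$")
# Process, module, driver or autorun entry whose publisher field is empty: "()" or "( )".
NO_COMPANY_RE = re.compile(r"^(?:PRC|MOD|DRV|O4) - .*\(\s*\)$")
# Add-on switched on in prefs.js, written as "<id>:<version>".
FF_ADDON_RE = re.compile(r"^FF - prefs\.js\.\.extensions\.enabledAddons: (?P<addon_id>.+):(?P<ver>[^:]+)$")
# Extension listing: "[date time | size | attrs | M] (company)? (name) -- path".
EXT_ENTRY_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) [^|]*\| [^|]*\| (?P<attrs>\S+) \| [^\]]*\] "
    r"(?:\((?P<company>[^)]*)\) )?\((?P<name>[^)]*)\) -- (?P<path>.*)$"
)
# HOSTS entries; on a clean box only the loopback -> localhost mapping is expected.
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")


def triage(otl_text: str) -> list:
    """Return one Finding per suspicious OTL line, in log order."""
    lines = [ln.strip() for ln in otl_text.splitlines() if ln.strip()]
    # Add-on ids that prefs.js says are enabled; used to rank on-disk add-on files.
    enabled = {m.group("addon_id") for ln in lines if (m := FF_ADDON_RE.match(ln))}
    findings = []
    for ln in lines:
        if MISSING_FILE_RE.match(ln):
            findings.append(Finding("info", "missing-file", ln))
        elif NO_COMPANY_RE.match(ln):
            findings.append(Finding("low", "no-publisher", ln))
        elif (m := EXT_ENTRY_RE.match(ln)) and m.group("name") == "No name found":
            if "D" in m.group("attrs"):
                continue  # a directory entry, not an installed add-on file
            base = m.group("path").rsplit("\\", 1)[-1]
            addon_id = base[:-4] if base.lower().endswith(".xpi") else base
            # Nameless add-on file that prefs.js also has enabled: first thing to look at.
            sev = "high" if addon_id in enabled else "medium"
            findings.append(Finding(sev, "unnamed-extension", ln))
        elif (m := HOSTS_RE.match(ln)):
            if m.group("ip") in ("127.0.0.1", "::1") and m.group("host") == "localhost":
                continue  # the one mapping a stock hosts file carries
            findings.append(Finding("medium", "hosts-override", ln))
    return findings


def severity_counts(findings) -> dict:
    """Count findings per severity, e.g. {"high": 1, "low": 3}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample: lines copied from the OTL.txt posted in this thread, plus one
# made-up HOSTS override (update.example.test) so that rule is exercised too.
SAMPLE_OTL = r"""
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
MOD - C:\WINDOWS\system32\msdmo.dll ()
SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
DRV - (catchme) -- C:\DOCUME~1\MGamble\LOCALS~1\Temp\catchme.sys File not found
DRV - (SNP2UVC) -- C:\WINDOWS\system32\drivers\snp2uvc.sys ()
FF - prefs.js..extensions.enabledAddons: bgdndijoxi@bgdndijoxi.org:2.5
FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}:6.0.37
[2012/11/26 13:31:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\MGamble\Application Data\Mozilla\Firefox\Profiles\k5uifqq9.default\extensions
[2004/08/04 10:00:00 | 000,004,816 | ---- | M] () (No name found) -- C:\Documents and Settings\MGamble\Application Data\Mozilla\Firefox\Profiles\k5uifqq9.default\extensions\bgdndijoxi@bgdndijoxi.org.xpi
[2012/11/26 15:33:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 0.0.0.0 update.example.test
O4 - HKLM..\Run: [snp2uvc] C:\WINDOWS\System32\csnp2uvc.dll ( )
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f"{f.severity:6} {f.rule:18} {f.line}")
```

Feed it the whole OTL.txt and read the "high" lines first; the rest is context for the responder, not a verdict.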

#9 llama2200

llama2200
  • Topic Starter

  • Members
  • 21 posts
  • Local time:06:12 AM

Posted 28 November 2012 - 09:15 PM

OTL report follows. For the record, the redirect continues to occur.

OTL logfile created on: 11/28/2012 8:04:57 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\MGamble\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.86 Gb Total Physical Memory | 0.95 Gb Available Physical Memory | 50.79% Memory free
3.71 Gb Paging File | 2.82 Gb Available in Paging File | 75.83% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 230.86 Gb Total Space | 187.01 Gb Free Space | 81.01% Space Free | Partition Type: NTFS
Drive D: | 2.00 Gb Total Space | 1.50 Gb Free Space | 74.91% Space Free | Partition Type: FAT32

Computer Name: MIPL3 | User Name: MGamble | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\MGamble\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe (Adobe Systems Inc.)
PRC - C:\Program Files\Citrix\GoToMeeting\880\g2mstart.exe (Citrix Online, a division of Citrix Systems, Inc.)
PRC - C:\Program Files\Citrix\GoToMeeting\880\g2mlauncher.exe (Citrix Online, a division of Citrix Systems, Inc.)
PRC - C:\Program Files\Citrix\GoToMeeting\880\g2mcomm.exe (Citrix Online, a division of Citrix Systems, Inc.)
PRC - C:\Program Files\Microsoft\BingBar\SeaPort.EXE (Microsoft Corporation)
PRC - C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe (BillP Studios)
PRC - C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
PRC - C:\Program Files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe (Hewlett-Packard)
PRC - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\Hp.SkyRoom.Windows.RgsPlugin.Licensing.exe (Hewlett-Packard)
PRC - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\Hp.SkyRoom.Windows.RgsPlugin.Lens.exe (Hewlett-Packard)
PRC - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\Hp.SkyRoom.Windows.RgsPlugin.Authentication.exe (Hewlett-Packard)
PRC - C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe (Hewlett-Packard)
PRC - C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe (Hewlett-Packard)
PRC - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe (Hewlett-Packard)
PRC - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe (Hewlett-Packard)
PRC - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender.exe (Hewlett-Packard)
PRC - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe (Hewlett-Packard, Inc.)
PRC - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender_gui.exe (Hewlett-Packard)
PRC - c:\Program Files\IDT\WDM\stacsv.exe (IDT, Inc.)
PRC - c:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe (Intel Corporation)
PRC - C:\WINDOWS\system32\vcsFPService.exe (Validity Sensors, Inc.)
PRC - C:\WINDOWS\system32\accelerometerST.exe (Hewlett-Packard Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\WINDOWS\system32\AESTFltr.exe (Andrea Electronics Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe (SafeNet)
PRC - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe (SafeNet)
PRC - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe (SafeNet)
PRC - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)
PRC - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)
PRC - C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\62e34cfb5a8b233667c7c5a47a32ad93\System.Web.ni.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abef85f2fb8ba830eda73e2d12e8d41e\System.ServiceProcess.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\90b90e700e59d73d6d692cf74e1ba16e\System.Management.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\bce0720436dc6cb76006377f295ea365\System.Configuration.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\70cacc44f0b4257f6037eda7a59a0aeb\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\71a2ae9ad561a62181cbd9fb11e9de7a\System.Windows.Forms.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c10bea3c4bb7ef654651141bf9419090\System.Drawing.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Core\d507b9e0e50e453793ee5e01c07a5485\System.Core.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\c2ebcc8d60422f224b4088f3d7a2ac1f\PresentationFramework.Luna.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\054488924fcc579cce9fa0209dafe28b\PresentationFramework.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCore\b2f0318713eca304eaa9d86fc17edb96\PresentationCore.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WindowsBase\1adc4ae51a5ac63e896a1402749ca495\WindowsBase.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll ()
MOD - C:\Program Files\BillP Studios\WinPatrol\sqlite3.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\hpCASLLibrary\3.0.1.1__67b8d1b5179ba5f8\hpCASLLibrary.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Interop.HPQWMIEXLib\1.0.0.0__67b8d1b5179ba5f8\Interop.HPQWMIEXLib.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Power Assistant\Graphs.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Power Assistant\HardwareAccess.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HardwareAccess.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_LogicLayer.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\QtGui4.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\QtCore4.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\icessl32.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\icessl32.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\icessl32.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP SkyRoom\icessl32.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\iceutil32.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\iceutil32.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\iceutil32.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP SkyRoom\iceutil32.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\bzip2.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\bzip2.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\bzip2.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP SkyRoom\bzip2.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\ice32.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\ice32.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\ice32.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP SkyRoom\ice32.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\iceutil32.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\icessl32.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\ice32.dll ()
MOD - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\bzip2.dll ()
MOD - C:\WINDOWS\system32\BrMuSNMP.dll ()
MOD - C:\WINDOWS\system32\nsldap32v50.dll ()


========== Services (SafeList) ==========

SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (BBSvc) -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE (Microsoft Corporation.)
SRV - (BBUpdate) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE (Microsoft Corporation)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (Hp.Skyroom.Windows.Service) -- C:\Program Files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe (Hewlett-Packard)
SRV - (HP Power Assistant Service) -- C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe (Hewlett-Packard)
SRV - (HP Wireless Assistant Service) -- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe (Hewlett-Packard)
SRV - (rgsender) -- c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe (Hewlett-Packard, Inc.)
SRV - (STacSV) -- c:\Program Files\IDT\WDM\stacsv.exe (IDT, Inc.)
SRV - (HPDrvMntSvc.exe) -- c:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe (Hewlett-Packard Company)
SRV - (UNS) -- C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (vcsFPService) -- C:\WINDOWS\system32\vcsFPService.exe (Validity Sensors, Inc.)
SRV - (IAANTMON) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (IreIKE) -- C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe (SafeNet)
SRV - (IPSECMON) -- C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe (SafeNet)
SRV - (PSI_SVC_2) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)
SRV - (IviRegMgr) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\MGamble\LOCALS~1\Temp\catchme.sys File not found
DRV - (aswMBR) -- C:\DOCUME~1\MGamble\LOCALS~1\Temp\aswMBR.sys File not found
DRV - (MpKsl6f430275) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6CAEE114-02B2-4FCA-9B68-5CC9AE484C1E}\MpKsl6f430275.sys (Microsoft Corporation)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (e1kexpress) -- C:\WINDOWS\system32\drivers\e1k5132.sys (Intel Corporation)
DRV - (Impcd) -- C:\WINDOWS\system32\drivers\Impcd.sys (Intel Corporation)
DRV - (IntcDAud) -- C:\WINDOWS\system32\drivers\IntcDAud.sys (Intel® Corporation)
DRV - (NETw5x32) -- C:\WINDOWS\system32\drivers\NETw5x32.sys (Intel Corporation)
DRV - (SNP2UVC) -- C:\WINDOWS\system32\drivers\snp2uvc.sys ()
DRV - (HECI) -- C:\WINDOWS\system32\drivers\HECI.sys (Intel Corporation)
DRV - (rismc32) -- C:\WINDOWS\system32\drivers\rismc32.sys (RICOH Company, Ltd.)
DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)
DRV - (AESTAud) -- C:\WINDOWS\system32\drivers\AESTAud.sys (Andrea Electronics Corporation)
DRV - (IFXTPM) -- C:\WINDOWS\system32\drivers\ifxtpm.sys (Infineon Technologies AG)
DRV - (hpdskflt) -- C:\WINDOWS\system32\drivers\hpdskflt.sys (Hewlett-Packard Corporation)
DRV - (Accelerometer) -- C:\WINDOWS\system32\drivers\Accelerometer.sys (Hewlett-Packard Corporation)
DRV - (RMCAST) -- C:\WINDOWS\system32\drivers\rmcast.sys (Microsoft Corporation)
DRV - (MQAC) -- C:\WINDOWS\system32\drivers\mqac.sys (Microsoft Corporation)
DRV - (IPSECDRV) -- C:\WINDOWS\system32\drivers\IpSecDrv.sys (SafeNet)
DRV - (Crypto) -- C:\WINDOWS\system32\drivers\Crypto.sys (SafeNet)
DRV - (DniVap) -- C:\WINDOWS\system32\drivers\vap.sys (Deterministic Networks Inc.)
DRV - (DNE) -- C:\WINDOWS\system32\drivers\dne2000.sys (Deterministic Networks, Inc.)
DRV - (HpqKbFiltr) -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (regi) -- C:\WINDOWS\system32\drivers\regi.sys (InterVideo)
DRV - (WinUSB) -- C:\WINDOWS\system32\drivers\winusb.sys (Microsoft Corporation)
DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6B2A4A5B-6C59-4F5C-AEF7-D8DEE6879B33}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CMNTDF&pc=CMNTDF&src=IE-SearchBox


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.bing.com
IE - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 12 B1 DE 5F 69 7C CB 01 [binary data]
IE - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\..\SearchScopes\{F1624F55-D415-4C83-8492-4470A9C2AD2B}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledAddons: bgdndijoxi@bgdndijoxi.org:2.5
FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}:6.0.37
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_110.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/11/26 15:41:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/11/27 12:35:44 | 000,000,000 | ---D | M]

[2011/02/24 08:57:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\MGamble\Application Data\Mozilla\Extensions
[2012/11/26 13:31:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\MGamble\Application Data\Mozilla\Firefox\Profiles\k5uifqq9.default\extensions
[2011/03/04 08:56:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\MGamble\Application Data\Mozilla\Firefox\Profiles\k5uifqq9.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2004/08/04 10:00:00 | 000,004,816 | ---- | M] () (No name found) -- C:\Documents and Settings\MGamble\Application Data\Mozilla\Firefox\Profiles\k5uifqq9.default\extensions\bgdndijoxi@bgdndijoxi.org.xpi
[2012/11/26 15:33:35 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/11/26 15:33:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
[2012/10/29 08:16:34 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/08/28 21:25:04 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/19 15:56:43 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/11/27 14:19:21 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\accelerometerST.exe (Hewlett-Packard Corporation)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe ()
O4 - HKLM..\Run: [HPPowerAssistant] C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe (Hewlett-Packard)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IMSS] C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe ()
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [snp2uvc] C:\WINDOWS\System32\csnp2uvc.dll ( )
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\880\g2mstart.exe (Citrix Online, a division of Citrix Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR ProSafe VPN Client.lnk = C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe (SafeNet)
O4 - Startup: C:\Documents and Settings\MGamble\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\MGamble\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Documents and Settings\MGamble\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\System32\iavlsp.dll (iolo technologies, LLC)
O15 - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\..Trusted Domains: server ([]file in Trusted sites)
O15 - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\..Trusted Domains: uspto.gov ([]* in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.4.2/jinstall-1_4_2_19-windows-i586.cab (Java Plug-in 1.4.2_19)
O16 - DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab (Java Plug-in 1.6.0_37)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marshalliplaw.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D9C7FE4A-C175-4743-ADC9-5696310FD2F3}: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\HP Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\HP Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/11/28 20:04:01 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\MGamble\Desktop\OTL.exe
[2012/11/28 11:37:55 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\MGamble\Desktop\aswMBR.exe
[2012/11/28 11:37:39 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\MGamble\Desktop\tdsskiller.exe
[2012/11/27 15:01:13 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/11/27 14:12:27 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/11/27 14:10:58 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/11/27 14:10:58 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/11/27 14:10:58 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/11/27 14:10:58 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/11/27 14:10:47 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/11/27 14:10:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2012/11/27 13:59:38 | 005,007,302 | R--- | C] (Swearware) -- C:\Documents and Settings\MGamble\Desktop\ComboFix.exe
[2012/11/26 20:36:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MGamble\Desktop\RK_Quarantine
[2012/11/26 20:02:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MGamble\Local Settings\Application Data\Sun
[2012/11/26 19:46:06 | 000,246,760 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/11/26 19:46:01 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/11/26 19:46:01 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/11/26 19:46:01 | 000,093,672 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2012/11/26 17:24:21 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MGamble\Start Menu\Programs\Administrative Tools
[2012/11/26 17:22:43 | 000,688,992 | R--- | C] (Swearware) -- C:\Documents and Settings\MGamble\Desktop\dds.com
[2012/11/26 15:47:08 | 001,754,528 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\MGamble\My Documents\rkill.exe
[2012/11/26 15:41:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2012/11/26 15:41:22 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2012/11/26 15:41:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2012/11/26 15:37:58 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2012/11/26 15:33:34 | 000,477,168 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\npdeployJava1.dll
[2012/11/26 15:33:34 | 000,143,872 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/11/26 15:30:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/11/28 20:04:06 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MGamble\Desktop\OTL.exe
[2012/11/28 19:26:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/11/28 12:15:05 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/11/28 12:13:20 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\MGamble\Desktop\MBR.dat
[2012/11/28 11:38:34 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\MGamble\Desktop\aswMBR.exe
[2012/11/28 11:37:49 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\MGamble\Desktop\tdsskiller.exe
[2012/11/28 08:41:11 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/11/28 08:40:49 | 000,476,808 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/11/28 08:40:49 | 000,082,766 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/11/28 08:36:41 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/11/28 08:35:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/11/28 08:35:54 | 2002,542,592 | -HS- | M] () -- C:\hiberfil.sys
[2012/11/27 14:19:21 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/11/27 14:12:35 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/11/27 14:00:26 | 005,007,302 | R--- | M] (Swearware) -- C:\Documents and Settings\MGamble\Desktop\ComboFix.exe
[2012/11/26 20:32:01 | 000,480,125 | ---- | M] () -- C:\Documents and Settings\MGamble\Desktop\adwcleaner.exe
[2012/11/26 20:31:46 | 000,752,128 | ---- | M] () -- C:\Documents and Settings\MGamble\Desktop\RogueKiller.exe
[2012/11/26 20:28:12 | 000,856,731 | ---- | M] () -- C:\Documents and Settings\MGamble\Desktop\SecurityCheck.exe
[2012/11/26 19:45:47 | 000,093,672 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2012/11/26 19:45:38 | 000,246,760 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/11/26 19:45:38 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/11/26 19:45:38 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/11/26 19:45:38 | 000,143,872 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/11/26 19:45:37 | 000,746,984 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2012/11/26 17:21:31 | 000,688,992 | R--- | M] (Swearware) -- C:\Documents and Settings\MGamble\Desktop\dds.com
[2012/11/26 15:46:32 | 001,754,528 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\MGamble\My Documents\rkill.exe
[2012/11/26 15:41:47 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2012/11/26 15:38:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/11/26 15:33:09 | 000,477,168 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\npdeployJava1.dll
[2012/11/26 15:09:08 | 000,697,272 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/11/26 15:09:08 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/11/26 13:33:51 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/11/13 16:10:01 | 000,017,443 | ---- | M] () -- C:\Documents and Settings\MGamble\Desktop\DigitalCert.epf
[2012/11/07 08:44:56 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/11/28 12:13:20 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\MGamble\Desktop\MBR.dat
[2012/11/27 14:12:35 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/11/27 14:12:28 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/11/27 14:10:58 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/11/27 14:10:58 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/11/27 14:10:58 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/11/27 14:10:58 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/11/27 14:10:58 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/11/26 20:31:46 | 000,480,125 | ---- | C] () -- C:\Documents and Settings\MGamble\Desktop\adwcleaner.exe
[2012/11/26 20:31:26 | 000,752,128 | ---- | C] () -- C:\Documents and Settings\MGamble\Desktop\RogueKiller.exe
[2012/11/26 20:28:33 | 000,856,731 | ---- | C] () -- C:\Documents and Settings\MGamble\Desktop\SecurityCheck.exe
[2012/11/26 15:41:47 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2012/07/13 14:42:27 | 000,711,240 | ---- | C] () -- C:\WINDOWS\is-IALU2.exe
[2011/10/19 14:11:52 | 000,000,871 | ---- | C] () -- C:\Documents and Settings\MGamble\cert.cer
[2011/02/24 08:57:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/12/20 13:44:59 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll
[2010/11/20 23:06:29 | 000,014,482 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/09/01 20:05:21 | 000,000,024 | ---- | C] () -- C:\Documents and Settings\MGamble\lawsys.ini
[2010/08/28 16:32:20 | 001,343,904 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

========== ZeroAccess Check ==========

[2004/08/07 15:09:18 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2010/06/24 06:10:44 | 001,509,888 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 06:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 07:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 November 2012 - 09:50 PM

Hello

Run this custom script and when it is complete I need to know how the computer is doing

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and paste the following code into the textbox. Do not include the word Code
    :OTL
    FF - user.js - File not found
    O3 - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    FF - prefs.js..extensions.enabledAddons: bgdndijoxi@bgdndijoxi.org:2.5
    [2004/08/04 10:00:00 | 000,004,816 | ---- | M] () (No name found) -- C:\Documents and Settings\MGamble\Application Data\Mozilla\Firefox\Profiles\k5uifqq9.default\extensions\bgdndijoxi@bgdndijoxi.org.xpi
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    
  • Then click the Run Fix button at the top.
  • Click OK when prompted.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Let me know how things are doing

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
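As a worked example of the triage these OTL lines support (an added example for this thread, not code from OTL, BleepingComputer or either poster): a short Python script that scans OTL-format log lines and flags the patterns the fix above targets, a loading-point entry with an empty publisher field, a toolbar CLSID with no registered object, a loading point whose file is gone, and an enabled Firefox add-on that is not on an allowlist. The sample lines are copied from the log above, except the last O4 line, which is constructed to exercise the missing-file check. The allowlist and the self-referential-ID rule are assumptions, and an empty publisher field is only a hint (the binary simply carries no company string in its version info) to be verified by path and hash before anything is removed.

```python
"""Triage heuristics for OTL-style log lines.

Added example; not OTL's own code and not part of the original thread.
"""
import re
from typing import List, Tuple

# Sample input: lines copied from the OTL log posted in the thread. The last
# O4 line is constructed (not from the thread) to exercise the missing-file check.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [snp2uvc] C:\WINDOWS\System32\csnp2uvc.dll ( )
O3 - HKU\S-1-5-21-2537623308-1057917524-3779015933-1006..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
FF - prefs.js..extensions.enabledAddons: bgdndijoxi@bgdndijoxi.org:2.5
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O4 - HKCU..\Run: [updater] C:\Documents and Settings\MGamble\Application Data\updater.exe File not found
"""

# Assumption: an allowlist of Firefox add-on IDs the administrator has approved.
# Any enabled add-on not listed here is reported for manual review.
KNOWN_ADDONS = {
    "{972ce4c6-7e08-4474-a285-3208198ce6fd}",  # Firefox default theme
}

PUBLISHER = re.compile(r"\(([^()]*)\)\s*$")  # trailing "(Company)" field on O-lines
FF_ADDON = re.compile(r"^FF - prefs\.js\.\.extensions\.enabledAddons:\s*([^:\s]+):(\S+)$")
ADDON_ID = re.compile(r"^([^@]+)@([^@]+)$")  # email-style add-on ID "label@domain"


def check_loading_point(line: str) -> List[str]:
    """Heuristics for O2/O3/O4/O20-style loading-point lines."""
    reasons = []
    if "No CLSID value found" in line:
        reasons.append("orphaned toolbar/BHO reference: CLSID has no registered object")
    if "File not found" in line:
        reasons.append("loading point targets a missing file")
    m = PUBLISHER.search(line)
    if m and not m.group(1).strip():
        # No company string in version info. A hint, not a verdict: confirm
        # by path and hash lookup before acting on it.
        reasons.append("no publisher in version info")
    return reasons


def check_firefox_addon(addon_id: str) -> List[str]:
    """Report enabled add-ons that are not allowlisted, with a note on odd IDs."""
    if addon_id in KNOWN_ADDONS:
        return []
    reasons = ["enabled add-on not in allowlist"]
    m = ADDON_ID.match(addon_id)
    if m:
        label, domain = m.group(1).lower(), m.group(2).lower()
        if label == domain.split(".")[0]:
            # Assumption: IDs of the form x@x.tld, like the one removed in this
            # thread, are worth a second look; legitimate add-ons rarely use them.
            reasons.append("self-referential ID (label repeated as domain)")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for lines that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("O"):
            findings.extend((line, r) for r in check_loading_point(line))
        else:
            m = FF_ADDON.match(line)
            if m:
                findings.extend((line, r) for r in check_firefox_addon(m.group(1)))
    return findings


def main() -> None:
    for line, reason in triage(SAMPLE_LOG):
        print(f"[{reason}] {line[:90]}")


if __name__ == "__main__":
    main()
```

Run it on a saved OTL.txt by replacing SAMPLE_LOG with the file's contents; treat the output as a review list, not a removal list, and confirm each hit the way the helper did here (registry lookup, file check, hash) before writing a fix script.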

#11 llama2200

llama2200
  • Topic Starter

  • Members
  • 21 posts

Posted 28 November 2012 - 10:02 PM

Report as follows below. At the present time, I am unable to replicate the browser redirect, so the last fix may have done the trick. I will continue monitoring, as well as performing any further actions you think are necessary.

========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-2537623308-1057917524-3779015933-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Prefs.js: bgdndijoxi@bgdndijoxi.org:2.5 removed from extensions.enabledAddons
C:\Documents and Settings\MGamble\Application Data\Mozilla\Firefox\Profiles\k5uifqq9.default\extensions\bgdndijoxi@bgdndijoxi.org.xpi moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\MGamble\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\MGamble\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: Edward Marshall

User: LocalService

User: MGamble
->Java cache emptied: 3380727 bytes

User: MGamble.MARSHALLIPLAW

User: NetworkService

Total Java Files Cleaned = 3.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: Edward Marshall

User: LocalService

User: MGamble
->Flash cache emptied: 108490 bytes

User: MGamble.MARSHALLIPLAW

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 11282012_205613

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 November 2012 - 10:11 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture, drag CFScript.txt onto ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#13 llama2200

llama2200
  • Topic Starter

  • Members
  • 21 posts

Posted 28 November 2012 - 10:46 PM

Combofix report below. During operation, Combofix reported an update, which was accepted. It was not immediately clear whether the CFscript was utilized as planned after that, as Combofix appeared to simply scan as before, although I could easily be mistaken. After Combofix ran, Windows reported a change of IE homepage, which was declined, resetting the homepage to bing.com. The redirect has still not reoccurred.

ComboFix 12-11-28.02 - MGamble 11/28/2012 21:33:54.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1910.1054 [GMT -6:00]
Running from: c:\documents and settings\MGamble\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\MGamble\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-28 to 2012-11-29 )))))))))))))))))))))))))))))))
.
.
2012-11-29 02:56 . 2012-11-29 02:56 -------- d-----w- C:\_OTL
2012-11-28 17:39 . 2012-11-28 17:39 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6CAEE114-02B2-4FCA-9B68-5CC9AE484C1E}\MpKsl6f430275.sys
2012-11-28 14:47 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6CAEE114-02B2-4FCA-9B68-5CC9AE484C1E}\mpengine.dll
2012-11-27 18:35 . 2012-07-30 20:52 103904 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-11-27 02:02 . 2012-11-27 02:02 -------- d-----w- c:\documents and settings\MGamble\Local Settings\Application Data\Sun
2012-11-27 01:46 . 2012-11-27 01:45 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-26 21:37 . 2012-11-26 21:37 -------- d-----w- c:\program files\Apple Software Update
2012-11-26 21:33 . 2012-11-27 01:45 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-26 21:33 . 2012-11-26 21:33 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-26 21:30 . 2012-11-26 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-27 01:45 . 2011-01-24 15:30 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-26 21:09 . 2012-04-03 15:19 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-26 21:09 . 2011-05-19 13:50 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-08 18:00 . 2010-09-29 13:29 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-25 09:12 . 2012-10-25 09:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-10-25 09:12 . 2012-10-25 09:12 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-10-09 17:26 . 2012-04-03 15:26 10220472 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-09-30 01:54 . 2011-10-05 18:21 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-29 14:16 . 2012-10-29 14:15 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\MGamble\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\MGamble\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\MGamble\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\MGamble\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 19549320]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\880\g2mstart.exe" [2012-03-06 39816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AccelerometerSysTrayApplet"="c:\windows\System32\accelerometerST.exe" [2009-08-27 70200]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-25 186904]
"HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe" [2009-11-19 1690680]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-10 1578280]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe" [2009-11-19 363064]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-09 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-09 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-09 144920]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2009-11-04 111640]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-04-22 737280]
"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2009-09-18 213040]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2009-09-25 75264]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-07-31 41944]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-07-30 640480]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 995328]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-12-21 519584]
.
c:\documents and settings\MGamble\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\MGamble\Application Data\Dropbox\bin\Dropbox.exe [2012-8-26 26924984]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR ProSafe VPN Client.lnk - c:\program files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe [2010-12-20 77876]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\HP.SkyRoom.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\remote graphics receiver\\rgreceiver.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\remote graphics sender\\rgsender.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\remote graphics sender\\rgsender_gui.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\FileMaker\\FileMaker Pro 11\\FileMaker Pro.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Documents and Settings\\MGamble\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\NETGEAR\\NETGEAR ProSafe VPN Client\\IreIKE.exe"=
"c:\program files\NETGEAR\NETGEAR ProSafe VPN Client\ViewLog.exe"= c:\program files\NETGEAR\NETGEAR ProSafe VPN Client\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\NETGEAR\NETGEAR ProSafe VPN Client\CmonApp.exe"= c:\program files\NETGEAR\NETGEAR ProSafe VPN Client\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\NETGEAR\NETGEAR ProSafe VPN Client\vpn.exe"= c:\program files\NETGEAR\NETGEAR ProSafe VPN Client\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager
.
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [12/20/2010 1:45 PM 138296]
R1 MpKsl6f430275;MpKsl6f430275;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6CAEE114-02B2-4FCA-9B68-5CC9AE484C1E}\MpKsl6f430275.sys [11/28/2012 11:39 AM 29904]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 4:33 PM 249648]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [12/20/2010 1:45 PM 536634]
R2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [11/19/2009 5:14 PM 102968]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [11/19/2009 5:11 PM 102968]
R2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [11/20/2009 1:10 PM 124984]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [11/12/2009 7:32 AM 250936]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 7:09 PM 11032]
R2 rgsender;Remote Graphics Sender Service;c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [8/28/2010 7:22 PM 379904]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [8/28/2010 7:17 PM 2320920]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [10/21/2009 4:30 PM 1639728]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/28/2010 7:17 PM 113664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [1/15/2010 12:52 PM 228408]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [12/20/2010 1:44 PM 29184]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [1/15/2010 12:53 PM 166568]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/23/2008 1:31 PM 44800]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [8/28/2010 7:12 PM 125696]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [8/28/2010 7:12 PM 205824]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [1/15/2010 12:57 PM 49152]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 6:31 PM 195336]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 29091182
*NewlyCreated* - ASWMBR
*NewlyCreated* - MPKSL6F430275
*Deregistered* - 29091182
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 21:09]
.
2012-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-11-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
LSP: c:\windows\system32\iavlsp.dll
Trusted Zone: server
Trusted Zone: uspto.gov
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\MGamble\Application Data\Mozilla\Firefox\Profiles\k5uifqq9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - ExtSQL: 2012-11-26 15:33; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: !HIDDEN! 2010-08-28 12:59; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-28 21:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = "c:\program files\Hewlett-Packard\Default Settings\cpqset.exe"?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1404)
c:\windows\system32\iavlsp.dll
.
- - - - - - - > 'explorer.exe'(7376)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\documents and settings\MGamble\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-11-28 21:39:59
ComboFix-quarantined-files.txt 2012-11-29 03:39
ComboFix2.txt 2012-11-27 20:20
.
Pre-Run: 200,791,285,760 bytes free
Post-Run: 200,924,758,016 bytes free
.
- - End Of File - - 34D04F836CBBACE16C4933EC07801940

#14 gringo_pr

Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 28 November 2012 - 10:53 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

  • Bing Bar
  • Java 2 Runtime Environment, SE v1.4.2_19
  • Java™ 6 Update 37


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes, then Next.
  • Once done, click Finish.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • You may want to keep this small application and use it once a week to keep the computer clean.

    Download CCleaner from here: http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...).

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University

#15 llama2200

  • Topic Starter
  • Members
  • 21 posts

Posted 28 November 2012 - 11:35 PM

No noted changes to operation; redirect has not reoccurred. MBAM report follows:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.29.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
MGamble :: MIPL3 [administrator]

11/28/2012 10:22:16 PM
mbam-log-2012-11-28 (22-22-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 263952
Time elapsed: 8 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

HijackThis report follows:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:31:58 PM, on 11/28/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\vcsFPService.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe
c:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\mqsvc.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender_gui.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\Hp.SkyRoom.Windows.RgsPlugin.Authentication.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\Hp.SkyRoom.Windows.RgsPlugin.Lens.exe
c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\Hp.SkyRoom.Windows.RgsPlugin.Licensing.exe
C:\WINDOWS\System32\accelerometerST.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Citrix\GoToMeeting\880\g2mstart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\GoToMeeting\880\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\880\g2mlauncher.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\MGamble\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bing.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\System32\accelerometerST.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HPPowerAssistant] C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe /hidden
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMSS] "C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [snp2uvc] rundll32.exe C:\WINDOWS\system32\csnp2uvc.dll,ResetCIDS
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [GoToMeeting] "C:\Program Files\Citrix\GoToMeeting\880\g2mstart.exe" "/Trigger RunAtLogon"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\MGamble\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
O4 - Global Startup: NETGEAR ProSafe VPN Client.lnk = C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O15 - Trusted Zone: *.uspto.gov
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marshalliplaw.local
O17 - HKLM\Software\..\Telephony: DomainName = marshalliplaw.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = marshalliplaw.local
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Power Assistant Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe
O23 - Service: HP Wireless Assistant Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
O23 - Service: HP SkyRoom (Hp.Skyroom.Windows.Service) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe
O23 - Service: HP Quick Synchronization Service (HPDrvMntSvc.exe) - Hewlett-Packard Company - c:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Remote Graphics Sender Service (rgsender) - Hewlett-Packard, Inc. - c:\Program Files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\wdm\STacSV.exe
O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: Validity VCS Fingerprint Service (vcsFPService) - Validity Sensors, Inc. - C:\WINDOWS\system32\vcsFPService.exe

--
End of file - 14785 bytes
