
ZeroAccess rootkit infection


This topic is locked.
18 replies to this topic

#1 CRussum

  • Members
  • 22 posts

Posted 29 November 2012 - 11:14 PM

I have run into a mysterious issue I can't seem to get any traction on. Microsoft Security Essentials alerts me about every 5 minutes that it has quarantined a problem, Trojan:JS/Medfos.b.

I have run multiple scans from various anti-malware products and they pick up nothing.

I have scanned with the latest versions of:

Microsoft Security Essentials
Malwarebytes Anti-Malware
Microsoft Safety Scanner

None of them detect anything wrong, so I am at a loss on where to begin to get rid of this.

Machine specifics:
Desktop running Windows Vista 32-bit

After posting in the "Am I infected" forum, Broni walked me through a couple of steps and logs. Here is that link:
http://www.bleepingcomputer.com/forums/topic476878.html/page__gopid__2909038#entry2909038

I have been referred here, and here is my DDS.txt log and attached Attach.txt log.

And thank you in advance for the help,
Chris

DDS.txt log:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16455
Run by Deathstar at 20:22:53 on 2012-11-29
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.1853 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\Ctxfihlp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Dokan\DokanLibrary\mounter.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\HPSIsvc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k LPDService
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [acincr] "c:\windows\system32\rundll32.exe" "c:\users\deathstar\appdata\roaming\acincr.dll",Long_FromVoidPtr
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [Z1] c:\users\deathstar\desktop\mbar-1.01.0.1009\mbar\mbar.exe /cleanup /s
uPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{1DBA9EA4-48AE-4C25-89D3-DFDFE93F1846} : DHCPNameServer = 192.168.0.1
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R1 MpKsl8c260bf9;MpKsl8c260bf9;c:\programdata\microsoft\microsoft antimalware\definition updates\{64275b5f-dcad-4906-b27b-aa763e6b4e8e}\MpKsl8c260bf9.sys [2012-11-29 29904]
R2 Dokan;Dokan;c:\windows\system32\drivers\dokan.sys [2011-1-10 95744]
R2 DokanMounter;DokanMounter;c:\program files\dokan\dokanlibrary\mounter.exe [2011-1-10 14848]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2011-11-6 21504]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-10-2 382824]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
R3 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2011-11-26 99896]
R3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [2011-11-26 17408]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2011-11-5 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-8-30 99272]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-9-12 287824]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-11-30 02:39:23 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{64275b5f-dcad-4906-b27b-aa763e6b4e8e}\MpKsl8c260bf9.sys
2012-11-30 02:13:30 60872 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{64275b5f-dcad-4906-b27b-aa763e6b4e8e}\offreg.dll
2012-11-30 02:07:51 6812136 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{64275b5f-dcad-4906-b27b-aa763e6b4e8e}\mpengine.dll
2012-11-30 02:07:17 6812136 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-11-19 07:27:05 2557288 ----a-w- c:\windows\system32\nvsvcr.dll
2012-11-19 07:19:01 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-11-19 07:19:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-11-19 07:19:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-11-19 07:18:57 75776 ----a-w- c:\windows\system32\synceng.dll
2012-11-19 07:18:43 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-19 07:18:40 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-11-19 07:18:16 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-11-19 07:18:15 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-11-19 07:18:15 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-11-19 07:10:44 -------- d-----w- c:\users\deathstar\appdata\local\ElevatedDiagnostics
2012-11-19 03:26:37 -------- d-----w- c:\program files\Microsoft Security Client
2012-11-17 23:25:53 535040 ----a-w- c:\users\deathstar\appdata\roaming\acincr.dll
2012-11-17 23:25:07 -------- d-----w- c:\users\deathstar\appdata\local\QuickSet
2012-11-16 08:45:38 6918632 ------w- c:\programdata\microsoft\windows defender\definition updates\{44dc8e87-fe0d-471d-8a3b-027e87d9b217}\mpengine.dll
.
==================== Find3M ====================
.
2012-11-19 17:29:06 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-19 17:29:05 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-11 04:15:04 1867112 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-10-11 04:15:00 2574696 ----a-w- c:\windows\system32\nvcuvid.dll
2012-10-11 04:14:50 888168 ----a-w- c:\windows\system32\nvdispgenco32.dll
2012-10-11 04:14:50 12501352 ----a-w- c:\windows\system32\nvwgf2um.dll
2012-10-11 04:14:46 17559912 ----a-w- c:\windows\system32\nvcompiler.dll
2012-10-11 04:14:44 2428776 ----a-w- c:\windows\system32\nvapi.dll
2012-10-11 04:14:42 7697768 ----a-w- c:\windows\system32\nvcuda.dll
2012-10-11 04:14:28 10837352 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-10-11 04:14:22 19906920 ----a-w- c:\windows\system32\nvoglv32.dll
2012-10-11 04:14:22 1009512 ----a-w- c:\windows\system32\nvdispco32.dll
2012-10-11 04:14:16 6127464 ----a-w- c:\windows\system32\nvopencl.dll
2012-10-11 04:14:16 15309160 ----a-w- c:\windows\system32\nvd3dum.dll
2012-10-08 07:56:24 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-10-08 07:48:03 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-10-08 07:47:44 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-10-08 07:44:05 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-10-08 07:43:21 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-10-08 07:40:56 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-10-02 20:15:52 430952 ----a-w- c:\windows\system32\nvStreaming.exe
2012-10-02 19:29:42 645992 ----a-w- c:\windows\system32\nvvsvc.exe
2012-10-02 19:29:41 62312 ----a-w- c:\windows\system32\nvshext.dll
2012-10-02 19:29:41 108392 ----a-w- c:\windows\system32\nvmctray.dll
2012-10-02 19:29:22 2853224 ----a-w- c:\windows\system32\nvsvc.dll
2012-10-02 19:28:53 3965288 ----a-w- c:\windows\system32\nvcpl.dll
2012-09-30 02:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 20:24:19.28 ===============

Attached Files
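The DDS log above pairs an autostart list with a list of files created in the last 30 days, and the two are worth reading together: an autorun that launches a DLL through rundll32 from a user's AppData folder, especially one created in the previous few days, is the kind of entry a responder reviews first. The script below is an added example written for this thread, not code from the poster, from Broni or from the DDS tool itself. It parses a constructed sample in the same format (the `mRun:`, `mPolicies-System:` and `Created Last 30` lines), cross-references autorun targets with the created-file list, and reports the EnableLUA = 0 policy that Security Check and RogueKiller also flag later in the thread. The function and dataclass names are my own. A hit means "look at this", not "this is malware".

```python
"""Triage helper for DDS-style logs (added example, not part of the thread).

Cross-references autostart entries with the 'Created Last 30' file list and
flags entries that (a) load a DLL through rundll32 from a user-profile
directory and/or (b) point at a file created recently. Also reports the
EnableLUA = 0 policy. Heuristic only: a finding is a review prompt.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the format of the DDS log posted above.
SAMPLE_DDS = r"""
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [acincr] "c:\windows\system32\rundll32.exe" "c:\users\deathstar\appdata\roaming\acincr.dll",Long_FromVoidPtr
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-System: EnableLUA = dword:0
.
=============== Created Last 30 ================
.
2012-11-19 07:19:01 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-11-17 23:25:53 535040 ----a-w- c:\users\deathstar\appdata\roaming\acincr.dll
"""


@dataclass
class Finding:
    entry: str   # autorun name or policy value name
    reason: str  # why it was flagged
    detail: str  # path or value involved


# uRun/mRun (and RunOnce) lines: "mRun: [name] command line"
AUTORUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# "Created Last 30" lines: date time size attributes path
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \S+ \S+ (?P<path>.+)$")
# "mPolicies-System: Name = dword:N"
POLICY_RE = re.compile(r"^[um]Policies-System: (?P<name>\w+) = dword:(?P<val>\d+)$")

# Substrings that place a path inside a user profile (assumed list, extend as needed).
PROFILE_MARKERS = ("\\users\\", "\\documents and settings\\", "\\appdata\\")


def _paths_in(cmd: str) -> List[str]:
    """Return the quoted paths of a command line, or its first token if nothing is quoted."""
    quoted = re.findall(r'"([^"]+)"', cmd)
    if quoted:
        return [p.lower() for p in quoted]
    return [cmd.split()[0].lower()]


def triage(log_text: str) -> List[Finding]:
    """Parse a DDS-style log and return the entries worth a closer look."""
    autoruns: List[tuple] = []
    created: Dict[str, str] = {}   # lower-cased path -> creation date
    policies: Dict[str, int] = {}
    for line in log_text.splitlines():
        line = line.strip()
        if m := AUTORUN_RE.match(line):
            autoruns.append((m["name"], m["cmd"]))
        elif m := CREATED_RE.match(line):
            created[m["path"].lower()] = m["date"]
        elif m := POLICY_RE.match(line):
            policies[m["name"]] = int(m["val"])

    findings: List[Finding] = []
    for name, cmd in autoruns:
        paths = _paths_in(cmd)
        launcher = paths[0].rsplit("\\", 1)[-1]
        for p in paths:
            # rundll32 pointed at a DLL living under a user profile
            if launcher == "rundll32.exe" and p.endswith(".dll") and any(mk in p for mk in PROFILE_MARKERS):
                findings.append(Finding(name, "rundll32 loads a DLL from a user profile directory", p))
            # autorun target appears in the recently-created list
            if p in created:
                findings.append(Finding(name, f"autorun target was created recently ({created[p]})", p))
    if policies.get("EnableLUA") == 0:
        findings.append(Finding("EnableLUA", "UAC disabled by policy (EnableLUA = 0)", "dword:0"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.entry}] {f.reason}: {f.detail}")
```

Run it as a script to print the findings for the sample, or call `triage()` on the text of a real DDS.txt. The heuristics are deliberately narrow (rundll32 plus a profile-directory DLL, and overlap with the created-file list) so that a clean machine produces few hits; the CTxfiHlp and MSC entries in the sample, which are the sound card helper and Security Essentials, are not reported.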




#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 November 2012 - 07:27 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next; if you have any problems with one of these, just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 CRussum (Topic Starter)

  • Members
  • 22 posts

Posted 30 November 2012 - 10:16 AM

Gringo,
Thanks for the help! Here are the log files:

Checkup.txt:
Results of screen317's Security Check version 0.99.56
Windows Vista Service Pack 2 x86 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Java™ 6 Update 31
Java 2 Runtime Environment, SE v1.4.2_06
Java version out of Date!
Adobe Reader 10.1.1 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````


AdwCleaner[S1].txt:
# AdwCleaner v2.010 - Logfile created 11/30/2012 at 07:49:10
# Updated 29/11/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Deathstar - DEATHSTAR-PC
# Boot Mode : Normal
# Running from : C:\Users\Deathstar\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [536 octets] - [30/11/2012 07:49:10]

########## EOF - C:\AdwCleaner[S1].txt - [595 octets] ##########


RKreport[1].txt:
RogueKiller V8.3.1 [Nov 29 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Deathstar [Admin rights]
Mode : Scan -- Date : 11/30/2012 08:11:32

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: NVIDIA JBOD 465.76G +++++
--- User ---
[MBR] 196c4efb12ad7cf2f294be92d4f8f89c
[BSP] 598cc5fb1d5007e269b7c689c62e64a3 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476938 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_11302012_02d0811.txt >>
RKreport[1]_S_11302012_02d0811.txt



Thanks,
Chris

#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts

Posted 30 November 2012 - 10:29 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


#5 CRussum (Topic Starter)

  • Members
  • 22 posts

Posted 30 November 2012 - 10:54 PM

Combofix seemed to run through its steps without any problems. I did get the "illegal operation attempted...." and restarted. Computer boots up fine with a few changes to UAC, etc. But now when I start IE9, it just locks up and won't allow me to do anything. I will close IE9, "end process" in Task Manager and when I restart IE9, it won't bring up any websites. Restarting the computer doesn't fix anything.

So at this time I am unable to post any logs to this site or move forward on a solution. I am posting here now via my laptop.

Thanks,
Chris

#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts

Posted 30 November 2012 - 11:14 PM

Greetings,

First I would like you to go here and click on the Fix it button: http://support.microsoft.com/kb/923737


Then I want you to do the following

  • Start Internet Explorer.
  • click on "safety"
  • click on "Delete Browsing History"
  • make sure all boxes are checked
  • click on "Delete"
  • click on "Tools",
  • click "Internet Options".
  • On the "Advanced" tab, click "Reset"
  • put a check mark next to "Delete Personal Settings"
  • click "Reset" to confirm
  • when complete click the "Close" button
  • restart IE



#7 CRussum (Topic Starter)

  • Members
  • 22 posts

Posted 30 November 2012 - 11:59 PM

Had some success with disabling most of the IE9 add-ons.

Here is my ComboFix.txt log:
ComboFix 12-12-01.01 - Deathstar 11/30/2012 20:08:28.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.2200 [GMT -7:00]
Running from: c:\users\Deathstar\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Deathstar\g2mdlhlpx.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-11-01 to 2012-12-01 )))))))))))))))))))))))))))))))
.
.
2012-11-30 14:51 . 2012-11-30 14:51 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A0D4D335-715A-466B-8DA0-A23354B6B940}\MpKslc7be3212.sys
2012-11-30 06:36 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A0D4D335-715A-466B-8DA0-A23354B6B940}\mpengine.dll
2012-11-30 02:07 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-19 07:27 . 2012-10-02 19:29 2557288 ----a-w- c:\windows\system32\nvsvcr.dll
2012-11-19 07:19 . 2012-06-02 00:02 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-11-19 07:19 . 2012-06-02 00:02 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-11-19 07:19 . 2012-06-02 00:02 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-11-19 07:18 . 2012-09-25 16:19 75776 ----a-w- c:\windows\system32\synceng.dll
2012-11-19 07:18 . 2012-09-13 13:28 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-19 07:18 . 2012-08-24 15:53 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-11-19 07:18 . 2012-10-12 14:29 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-11-19 07:18 . 2012-08-29 11:27 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-11-19 07:18 . 2012-08-29 11:27 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-11-19 07:10 . 2012-11-25 02:17 -------- d-----w- c:\users\Deathstar\AppData\Local\ElevatedDiagnostics
2012-11-19 03:26 . 2012-11-19 03:26 -------- d-----w- c:\program files\Microsoft Security Client
2012-11-17 23:25 . 2012-11-17 23:25 -------- d-----w- c:\users\Deathstar\AppData\Local\QuickSet
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-19 17:29 . 2012-04-10 17:45 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-19 17:29 . 2011-11-06 17:03 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-12 05:56 . 2012-11-16 08:45 6918632 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{44DC8E87-FE0D-471D-8A3B-027E87D9B217}\mpengine.dll
2012-10-11 04:15 . 2012-10-11 04:15 1867112 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-10-11 04:15 . 2012-10-11 04:15 2574696 ----a-w- c:\windows\system32\nvcuvid.dll
2012-10-11 04:14 . 2012-10-11 04:14 888168 ----a-w- c:\windows\system32\nvdispgenco32.dll
2012-10-11 04:14 . 2012-10-11 04:14 12501352 ----a-w- c:\windows\system32\nvwgf2um.dll
2012-10-11 04:14 . 2012-10-11 04:14 17559912 ----a-w- c:\windows\system32\nvcompiler.dll
2012-10-11 04:14 . 2011-11-06 02:16 2428776 ----a-w- c:\windows\system32\nvapi.dll
2012-10-11 04:14 . 2012-10-11 04:14 7697768 ----a-w- c:\windows\system32\nvcuda.dll
2012-10-11 04:14 . 2012-10-11 04:14 10837352 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-10-11 04:14 . 2012-10-11 04:14 19906920 ----a-w- c:\windows\system32\nvoglv32.dll
2012-10-11 04:14 . 2011-11-06 02:16 1009512 ----a-w- c:\windows\system32\nvdispco32.dll
2012-10-11 04:14 . 2012-10-11 04:14 6127464 ----a-w- c:\windows\system32\nvopencl.dll
2012-10-11 04:14 . 2012-10-11 04:14 15309160 ----a-w- c:\windows\system32\nvd3dum.dll
2012-10-02 20:15 . 2012-10-02 20:15 430952 ----a-w- c:\windows\system32\nvStreaming.exe
2012-10-02 19:29 . 2011-11-06 02:18 645992 ----a-w- c:\windows\system32\nvvsvc.exe
2012-10-02 19:29 . 2011-11-06 02:18 62312 ----a-w- c:\windows\system32\nvshext.dll
2012-10-02 19:29 . 2011-11-06 02:17 108392 ----a-w- c:\windows\system32\nvmctray.dll
2012-10-02 19:29 . 2011-11-06 02:17 2853224 ----a-w- c:\windows\system32\nvsvc.dll
2012-10-02 19:28 . 2011-11-06 02:17 3965288 ----a-w- c:\windows\system32\nvcpl.dll
2012-09-30 02:54 . 2012-07-09 21:47 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTxfiHlp"="CTXFIHLP.EXE" [2010-05-06 25600]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 21:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLC7BE3212
*NewlyCreated* - TRUESIGHT
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
LPDService REG_MULTI_SZ LPDSVC
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-EPSON Stylus Photo R280 Series - c:\windows\system32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-30 20:12
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2012-11-30 20:14:43
ComboFix-quarantined-files.txt 2012-12-01 03:14
.
Pre-Run: 370,813,337,600 bytes free
Post-Run: 371,530,362,880 bytes free
.
- - End Of File - - 7A431A19A66754063C672ADA7529D8A4

#8 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts

Posted 01 December 2012 - 12:03 AM

Greetings

I want you to run these next,

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
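As an added example (not code from this thread, from BleepingComputer or from Kaspersky), a small Python script that picks out TDSSKiller report files by the file-name pattern given in the instructions above and parses a report's scan section, listing every driver or service whose verdict line ends in anything other than "ok", so the poster or the helper can see at a glance what needs attention. It assumes the report layout seen later in this thread (a line with the file's MD5 and path, followed by a verdict line per service); the embedded sample report and its non-ok verdict strings are constructed for the demonstration.

```python
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Report file name pattern from the instructions: TDSSKiller.[Version]_[Date]_[Time]_log.txt
# (e.g. TDSSKiller.2.8.15.0_30.11.2012_22.15.42_log.txt, a constructed name).
LOG_NAME_RE = re.compile(r"^TDSSKiller\.[\d.]+_[\d.]+_[\d.]+_log\.txt$")

# First line for a scanned object: "<time> <pid> [ <MD5> ] <name> <drive>:\<path>"
# Service names may contain spaces, so the path is anchored on its drive letter.
ENTRY_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+"
    r"\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<name>.+?) (?P<path>[A-Za-z]:\\.+)$"
)
# Verdict line: "<time> <pid> <name> [( <detection> )] - <status>"
RESULT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<name>.+?)"
    r"(?: \((?P<detection>[^)]*)\))? - (?P<status>.+)$"
)


@dataclass
class Finding:
    name: str
    status: str
    detection: Optional[str]
    md5: Optional[str]
    path: Optional[str]


def is_tdsskiller_log(filename: str) -> bool:
    """True for file names in the TDSSKiller report naming scheme."""
    return bool(LOG_NAME_RE.match(filename))


def find_reports(root: str) -> List[Path]:
    """All TDSSKiller reports directly under root (the instructions say C:\\)."""
    return sorted(p for p in Path(root).iterdir() if is_tdsskiller_log(p.name))


def parse_report(text: str) -> List[Finding]:
    """One Finding per verdict line, joined to the MD5/path line that precedes it.

    Only lines after the 'Scan started' marker are considered, so the header
    (drive geometry, MBR partitions) cannot be mistaken for verdicts.
    """
    pending = {}  # name -> (md5, path) seen on an entry line, verdict not yet read
    findings: List[Finding] = []
    started = False
    for line in text.splitlines():
        if "Scan started" in line:
            started = True
            continue
        if not started:
            continue
        m = ENTRY_RE.match(line)
        if m:
            pending[m["name"]] = (m["md5"].upper(), m["path"].strip())
            continue
        m = RESULT_RE.match(line)
        if m:
            md5, path = pending.pop(m["name"], (None, None))
            detection = m["detection"].strip() if m["detection"] else None
            findings.append(Finding(m["name"], m["status"].strip(), detection, md5, path))
    return findings


def suspicious_entries(text: str) -> List[Finding]:
    """Everything the scanner did not mark plain 'ok': the lines worth looking at first."""
    return [f for f in parse_report(text) if f.status != "ok"]


# Constructed sample in the report layout; the two non-ok verdicts are made up for the demo.
SAMPLE_REPORT = """\
22:15:46.0402 2964 Drive \\Device\\Harddisk0\\DR0 - Size: 0x7470C00000 (465.76 Gb), SectorSize: 0x200
22:16:00.0988 1472 Scan started
22:16:00.0988 1472 Mode: Manual;
22:16:01.0394 1472 [ 82B296AE1892FE3DBEE00C9CF92F8AC7 ] ACPI C:\\Windows\\system32\\drivers\\acpi.sys
22:16:01.0394 1472 ACPI - ok
22:16:02.0486 1472 blbdrive - ok
22:16:03.0640 1472 [ C0EAD9F8AB83D41FF07303C75589C2B8 ] Creative Audio Engine Licensing Service C:\\Program Files\\Common Files\\Creative Labs Shared\\Service\\CTAELicensing.exe
22:16:03.0640 1472 Creative Audio Engine Licensing Service - ok
22:16:09.0584 1472 [ 0123456789ABCDEF0123456789ABCDEF ] examplesvc C:\\Users\\Public\\examplesvc.sys
22:16:09.0584 1472 examplesvc ( LockedFile.Multi.Generic ) - warning
22:16:10.0000 1472 [ FEDCBA9876543210FEDCBA9876543210 ] badsvc C:\\Windows\\system32\\drivers\\badsvc.sys
22:16:10.0000 1472 badsvc - skipped by user
"""


def main(argv: List[str]) -> None:
    # With no arguments the constructed sample is parsed; otherwise each argument is a report path.
    reports = [Path(a) for a in argv] if argv else []
    texts = [p.read_text(errors="replace") for p in reports] or [SAMPLE_REPORT]
    for text in texts:
        for f in suspicious_entries(text):
            print(f"{f.name}: {f.status}  detection={f.detection}  md5={f.md5}  path={f.path}")


if __name__ == "__main__":
    main(sys.argv[1:])
```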

#9 CRussum (Topic Starter)

Posted 01 December 2012 - 12:43 AM

TDSSKiller report:
22:15:42.0814 2964 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
22:15:43.0267 2964 ============================================================
22:15:43.0267 2964 Current date / time: 2012/11/30 22:15:43.0267
22:15:43.0267 2964 SystemInfo:
22:15:43.0267 2964
22:15:43.0267 2964 OS Version: 6.0.6002 ServicePack: 2.0
22:15:43.0267 2964 Product type: Workstation
22:15:43.0267 2964 ComputerName: DEATHSTAR-PC
22:15:43.0267 2964 UserName: Deathstar
22:15:43.0267 2964 Windows directory: C:\Windows
22:15:43.0267 2964 System windows directory: C:\Windows
22:15:43.0267 2964 Processor architecture: Intel x86
22:15:43.0267 2964 Number of processors: 2
22:15:43.0267 2964 Page size: 0x1000
22:15:43.0267 2964 Boot type: Normal boot
22:15:43.0267 2964 ============================================================
22:15:46.0402 2964 Drive \Device\Harddisk0\DR0 - Size: 0x7470C00000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
22:15:46.0449 2964 ============================================================
22:15:46.0449 2964 \Device\Harddisk0\DR0:
22:15:46.0449 2964 MBR partitions:
22:15:46.0449 2964 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x3A385000
22:15:46.0449 2964 ============================================================
22:15:46.0465 2964 C: <-> \Device\Harddisk0\DR0\Partition1
22:15:46.0465 2964 ============================================================
22:15:46.0465 2964 Initialize success
22:15:46.0465 2964 ============================================================
22:16:00.0988 1472 ============================================================
22:16:00.0988 1472 Scan started
22:16:00.0988 1472 Mode: Manual;
22:16:00.0988 1472 ============================================================
22:16:01.0160 1472 ================ Scan system memory ========================
22:16:01.0160 1472 System memory - ok
22:16:01.0160 1472 ================ Scan services =============================
22:16:13.0921 1472 pla - ok
22:16:13.0983 1472 [ C5E7F8A996EC0A82D508FD9064A5569E ] PlugPlay C:\Windows\system32\umpnpmgr.dll
22:16:13.0983 1472 PlugPlay - ok
22:16:14.0045 1472 [ 0C8E8E61AD1EB0B250B846712C917506 ] PNRPAutoReg C:\Windows\system32\p2psvc.dll
22:16:14.0045 1472 PNRPAutoReg - ok
22:16:14.0061 1472 [ 0C8E8E61AD1EB0B250B846712C917506 ] PNRPsvc C:\Windows\system32\p2psvc.dll
22:16:14.0061 1472 PNRPsvc - ok
22:16:14.0155 1472 [ D0494460421A03CD5225CCA0059AA146 ] PolicyAgent C:\Windows\System32\ipsecsvc.dll
22:16:14.0155 1472 PolicyAgent - ok
22:16:14.0233 1472 [ ECFFFAEC0C1ECD8DBC77F39070EA1DB1 ] PptpMiniport C:\Windows\system32\DRIVERS\raspptp.sys
22:16:14.0233 1472 PptpMiniport - ok
22:16:14.0279 1472 [ 0E3CEF5D28B40CF273281D620C50700A ] Processor C:\Windows\system32\drivers\processr.sys
22:16:14.0279 1472 Processor - ok
22:16:14.0342 1472 [ 0508FAA222D28835310B7BFCA7A77346 ] ProfSvc C:\Windows\system32\profsvc.dll
22:16:14.0342 1472 ProfSvc - ok
22:16:14.0357 1472 [ A3E186B4B935905B829219502557314E ] ProtectedStorage C:\Windows\system32\lsass.exe
22:16:14.0357 1472 ProtectedStorage - ok
22:16:14.0420 1472 [ 99514FAA8DF93D34B5589187DB3AA0BA ] PSched C:\Windows\system32\DRIVERS\pacer.sys
22:16:14.0420 1472 PSched - ok
22:16:14.0498 1472 [ CCDAC889326317792480C0A67156A1EC ] ql2300 C:\Windows\system32\drivers\ql2300.sys
22:16:14.0498 1472 ql2300 - ok
22:16:14.0560 1472 [ 81A7E5C076E59995D54BC1ED3A16E60B ] ql40xx C:\Windows\system32\drivers\ql40xx.sys
22:16:14.0560 1472 ql40xx - ok
22:16:14.0623 1472 [ E9ECAE663F47E6CB43962D18AB18890F ] QWAVE C:\Windows\system32\qwave.dll
22:16:14.0638 1472 QWAVE - ok
22:16:14.0685 1472 [ 9F5E0E1926014D17486901C88ECA2DB7 ] QWAVEdrv C:\Windows\system32\drivers\qwavedrv.sys
22:16:14.0685 1472 QWAVEdrv - ok
22:16:14.0747 1472 [ 147D7F9C556D259924351FEB0DE606C3 ] RasAcd C:\Windows\system32\DRIVERS\rasacd.sys
22:16:14.0747 1472 RasAcd - ok
22:16:14.0763 1472 [ F6A452EB4CEADBB51C9E0EE6B3ECEF0F ] RasAuto C:\Windows\System32\rasauto.dll
22:16:14.0763 1472 RasAuto - ok
22:16:14.0810 1472 [ A214ADBAF4CB47DD2728859EF31F26B0 ] Rasl2tp C:\Windows\system32\DRIVERS\rasl2tp.sys
22:16:14.0810 1472 Rasl2tp - ok
22:16:14.0825 1472 [ 75D47445D70CA6F9F894B032FBC64FCF ] RasMan C:\Windows\System32\rasmans.dll
22:16:14.0825 1472 RasMan - ok
22:16:14.0903 1472 [ 509A98DD18AF4375E1FC40BC175F1DEF ] RasPppoe C:\Windows\system32\DRIVERS\raspppoe.sys
22:16:14.0903 1472 RasPppoe - ok
22:16:14.0919 1472 [ 2005F4A1E05FA09389AC85840F0A9E4D ] RasSstp C:\Windows\system32\DRIVERS\rassstp.sys
22:16:14.0919 1472 RasSstp - ok
22:16:14.0935 1472 [ B14C9D5B9ADD2F84F70570BBBFAA7935 ] rdbss C:\Windows\system32\DRIVERS\rdbss.sys
22:16:14.0935 1472 rdbss - ok
22:16:14.0950 1472 [ 89E59BE9A564262A3FB6C4F4F1CD9899 ] RDPCDD C:\Windows\system32\DRIVERS\RDPCDD.sys
22:16:14.0950 1472 RDPCDD - ok
22:16:15.0013 1472 [ E8BD98D46F2ED77132BA927FCCB47D8B ] rdpdr C:\Windows\system32\drivers\rdpdr.sys
22:16:15.0013 1472 rdpdr - ok
22:16:15.0044 1472 [ 9D91FE5286F748862ECFFA05F8A0710C ] RDPENCDD C:\Windows\system32\drivers\rdpencdd.sys
22:16:15.0059 1472 RDPENCDD - ok
22:16:15.0106 1472 [ C127EBD5AFAB31524662C48DFCEB773A ] RDPWD C:\Windows\system32\drivers\RDPWD.sys
22:16:15.0122 1472 RDPWD - ok
22:16:15.0184 1472 [ BCDD6B4804D06B1F7EBF29E53A57ECE9 ] RemoteAccess C:\Windows\System32\mprdim.dll
22:16:15.0184 1472 RemoteAccess - ok
22:16:15.0247 1472 [ 9E6894EA18DAFF37B63E1005F83AE4AB ] RemoteRegistry C:\Windows\system32\regsvc.dll
22:16:15.0247 1472 RemoteRegistry - ok
22:16:15.0325 1472 [ 5123F83CBC4349D065534EEB6BBDC42B ] RpcLocator C:\Windows\system32\locator.exe
22:16:15.0325 1472 RpcLocator - ok
22:16:15.0356 1472 [ 3B5B4D53FEC14F7476CA29A20CC31AC9 ] RpcSs C:\Windows\system32\rpcss.dll
22:16:15.0356 1472 RpcSs - ok
22:16:15.0418 1472 [ 9C508F4074A39E8B4B31D27198146FAD ] rspndr C:\Windows\system32\DRIVERS\rspndr.sys
22:16:15.0418 1472 rspndr - ok
22:16:15.0434 1472 [ A3E186B4B935905B829219502557314E ] SamSs C:\Windows\system32\lsass.exe
22:16:15.0434 1472 SamSs - ok
22:16:15.0496 1472 [ 3CE8F073A557E172B330109436984E30 ] sbp2port C:\Windows\system32\drivers\sbp2port.sys
22:16:15.0496 1472 sbp2port - ok
22:16:15.0559 1472 [ 77B7A11A0C3D78D3386398FBBEA1B632 ] SCardSvr C:\Windows\System32\SCardSvr.dll
22:16:15.0559 1472 SCardSvr - ok
22:16:15.0637 1472 [ 1A58069DB21D05EB2AB58EE5753EBE8D ] Schedule C:\Windows\system32\schedsvc.dll
22:16:15.0652 1472 Schedule - ok
22:16:15.0699 1472 [ 312EC3E37A0A1F2006534913E37B4423 ] SCPolicySvc C:\Windows\System32\certprop.dll
22:16:15.0699 1472 SCPolicySvc - ok
22:16:15.0761 1472 [ 716313D9F6B0529D03F726D5AAF6F191 ] SDRSVC C:\Windows\System32\SDRSVC.dll
22:16:15.0777 1472 SDRSVC - ok
22:16:15.0793 1472 [ 90A3935D05B494A5A39D37E71F09A677 ] secdrv C:\Windows\system32\drivers\secdrv.sys
22:16:15.0793 1472 secdrv - ok
22:16:15.0808 1472 [ FD5199D4D8A521005E4B5EE7FE00FA9B ] seclogon C:\Windows\system32\seclogon.dll
22:16:15.0808 1472 seclogon - ok
22:16:15.0855 1472 [ A9BBAB5759771E523F55563D6CBE140F ] SENS C:\Windows\system32\sens.dll
22:16:15.0871 1472 SENS - ok
22:16:15.0933 1472 [ 68E44E331D46F0FB38F0863A84CD1A31 ] Serenum C:\Windows\system32\drivers\serenum.sys
22:16:15.0949 1472 Serenum - ok
22:16:15.0964 1472 [ C70D69A918B178D3C3B06339B40C2E1B ] Serial C:\Windows\system32\drivers\serial.sys
22:16:15.0964 1472 Serial - ok
22:16:16.0027 1472 [ 8AF3D28A879BF75DB53A0EE7A4289624 ] sermouse C:\Windows\system32\drivers\sermouse.sys
22:16:16.0027 1472 sermouse - ok
22:16:16.0073 1472 [ D2193326F729B163125610DBF3E17D57 ] SessionEnv C:\Windows\system32\sessenv.dll
22:16:16.0105 1472 SessionEnv - ok
22:16:16.0151 1472 [ 103B79418DA647736EE95645F305F68A ] sffdisk C:\Windows\system32\drivers\sffdisk.sys
22:16:16.0151 1472 sffdisk - ok
22:16:16.0151 1472 [ 8FD08A310645FE872EEEC6E08C6BF3EE ] sffp_mmc C:\Windows\system32\drivers\sffp_mmc.sys
22:16:16.0151 1472 sffp_mmc - ok
22:16:16.0167 1472 [ 9CFA05FCFCB7124E69CFC812B72F9614 ] sffp_sd C:\Windows\system32\drivers\sffp_sd.sys
22:16:16.0167 1472 sffp_sd - ok
22:16:16.0229 1472 [ 46ED8E91793B2E6F848015445A0AC188 ] sfloppy C:\Windows\system32\drivers\sfloppy.sys
22:16:16.0229 1472 sfloppy - ok
22:16:16.0307 1472 [ E1499BD0FF76B1B2FBBF1AF339D91165 ] SharedAccess C:\Windows\System32\ipnathlp.dll
22:16:16.0307 1472 SharedAccess - ok
22:16:16.0370 1472 [ C7230FBEE14437716701C15BE02C27B8 ] ShellHWDetection C:\Windows\System32\shsvcs.dll
22:16:16.0370 1472 ShellHWDetection - ok
22:16:16.0432 1472 [ D2A595D6EEBEEAF4334F8E50EFBC9931 ] sisagp C:\Windows\system32\drivers\sisagp.sys
22:16:16.0432 1472 sisagp - ok
22:16:16.0495 1472 [ CEDD6F4E7D84E9F98B34B3FE988373AA ] SiSRaid2 C:\Windows\system32\drivers\sisraid2.sys
22:16:16.0495 1472 SiSRaid2 - ok
22:16:16.0510 1472 [ DF843C528C4F69D12CE41CE462E973A7 ] SiSRaid4 C:\Windows\system32\drivers\sisraid4.sys
22:16:16.0510 1472 SiSRaid4 - ok
22:16:16.0635 1472 [ 862BB4CBC05D80C5B45BE430E5EF872F ] slsvc C:\Windows\system32\SLsvc.exe
22:16:16.0651 1472 slsvc - ok
22:16:16.0682 1472 [ 6EDC422215CD78AA8A9CDE6B30ABBD35 ] SLUINotify C:\Windows\system32\SLUINotify.dll
22:16:16.0682 1472 SLUINotify - ok
22:16:16.0744 1472 [ 7B75299A4D201D6A6533603D6914AB04 ] Smb C:\Windows\system32\DRIVERS\smb.sys
22:16:16.0744 1472 Smb - ok
22:16:16.0807 1472 [ 2A146A055B4401C16EE62D18B8E2A032 ] SNMPTRAP C:\Windows\System32\snmptrap.exe
22:16:16.0807 1472 SNMPTRAP - ok
22:16:16.0885 1472 [ 7AEBDEEF071FE28B0EEF2CDD69102BFF ] spldr C:\Windows\system32\drivers\spldr.sys
22:16:16.0885 1472 spldr - ok
22:16:16.0900 1472 [ 8554097E5136C3BF9F69FE578A1B35F4 ] Spooler C:\Windows\System32\spoolsv.exe
22:16:16.0900 1472 Spooler - ok
22:16:16.0963 1472 [ 41987F9FC0E61ADF54F581E15029AD91 ] srv C:\Windows\system32\DRIVERS\srv.sys
22:16:16.0963 1472 srv - ok
22:16:17.0025 1472 [ FF33AFF99564B1AA534F58868CBE41EF ] srv2 C:\Windows\system32\DRIVERS\srv2.sys
22:16:17.0041 1472 srv2 - ok
22:16:17.0087 1472 [ 7605C0E1D01A08F3ECD743F38B834A44 ] srvnet C:\Windows\system32\DRIVERS\srvnet.sys
22:16:17.0087 1472 srvnet - ok
22:16:17.0165 1472 [ 03D50B37234967433A5EA5BA72BC0B62 ] SSDPSRV C:\Windows\System32\ssdpsrv.dll
22:16:17.0165 1472 SSDPSRV - ok
22:16:17.0197 1472 [ 6F1A32E7B7B30F004D9A20AFADB14944 ] SstpSvc C:\Windows\system32\sstpsvc.dll
22:16:17.0197 1472 SstpSvc - ok
22:16:17.0243 1472 [ F0359F7CE712D69ACEF0886BDB4792ED ] Stereo Service C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
22:16:17.0243 1472 Stereo Service - ok
22:16:17.0337 1472 [ 5DE7D67E49B88F5F07F3E53C4B92A352 ] stisvc C:\Windows\System32\wiaservc.dll
22:16:17.0337 1472 stisvc - ok
22:16:17.0384 1472 [ 7BA58ECF0C0A9A69D44B3DCA62BECF56 ] swenum C:\Windows\system32\DRIVERS\swenum.sys
22:16:17.0384 1472 swenum - ok
22:16:17.0446 1472 [ F21FD248040681CCA1FB6C9A03AAA93D ] swprv C:\Windows\System32\swprv.dll
22:16:17.0446 1472 swprv - ok
22:16:17.0524 1472 [ 192AA3AC01DF071B541094F251DEED10 ] Symc8xx C:\Windows\system32\drivers\symc8xx.sys
22:16:17.0524 1472 Symc8xx - ok
22:16:17.0540 1472 [ 8C8EB8C76736EBAF3B13B633B2E64125 ] Sym_hi C:\Windows\system32\drivers\sym_hi.sys
22:16:17.0540 1472 Sym_hi - ok
22:16:17.0555 1472 [ 8072AF52B5FD103BBBA387A1E49F62CB ] Sym_u3 C:\Windows\system32\drivers\sym_u3.sys
22:16:17.0555 1472 Sym_u3 - ok
22:16:17.0571 1472 [ 9A51B04E9886AA4EE90093586B0BA88D ] SysMain C:\Windows\system32\sysmain.dll
22:16:17.0587 1472 SysMain - ok
22:16:17.0649 1472 [ 2DCA225EAE15F42C0933E998EE0231C3 ] TabletInputService C:\Windows\System32\TabSvc.dll
22:16:17.0649 1472 TabletInputService - ok
22:16:17.0727 1472 [ D7673E4B38CE21EE54C59EEEB65E2483 ] TapiSrv C:\Windows\System32\tapisrv.dll
22:16:17.0743 1472 TapiSrv - ok
22:16:17.0805 1472 [ CB05822CD9CC6C688168E113C603DBE7 ] TBS C:\Windows\System32\tbssvc.dll
22:16:17.0805 1472 TBS - ok
22:16:17.0883 1472 [ 27D470DABC77BC60D0A3B0E4DEB6CB91 ] Tcpip C:\Windows\system32\drivers\tcpip.sys
22:16:17.0883 1472 Tcpip - ok
22:16:17.0899 1472 [ 27D470DABC77BC60D0A3B0E4DEB6CB91 ] Tcpip6 C:\Windows\system32\DRIVERS\tcpip.sys
22:16:17.0914 1472 Tcpip6 - ok
22:16:17.0977 1472 [ 608C345A255D82A6289C2D468EB41FD7 ] tcpipreg C:\Windows\system32\drivers\tcpipreg.sys
22:16:17.0977 1472 tcpipreg - ok
22:16:17.0992 1472 [ 5DCF5E267BE67A1AE926F2DF77FBCC56 ] TDPIPE C:\Windows\system32\drivers\tdpipe.sys
22:16:17.0992 1472 TDPIPE - ok
22:16:18.0008 1472 [ 389C63E32B3CEFED425B61ED92D3F021 ] TDTCP C:\Windows\system32\drivers\tdtcp.sys
22:16:18.0008 1472 TDTCP - ok
22:16:18.0008 1472 [ 76B06EB8A01FC8624D699E7045303E54 ] tdx C:\Windows\system32\DRIVERS\tdx.sys
22:16:18.0008 1472 tdx - ok
22:16:18.0086 1472 [ 3CAD38910468EAB9A6479E2F01DB43C7 ] TermDD C:\Windows\system32\DRIVERS\termdd.sys
22:16:18.0086 1472 TermDD - ok
22:16:18.0179 1472 [ BB95DA09BEF6E7A131BFF3BA5032090D ] TermService C:\Windows\System32\termsrv.dll
22:16:18.0179 1472 TermService - ok
22:16:18.0226 1472 [ C7230FBEE14437716701C15BE02C27B8 ] Themes C:\Windows\system32\shsvcs.dll
22:16:18.0242 1472 Themes - ok
22:16:18.0257 1472 [ 1076FFCFFAAE8385FD62DFCB25AC4708 ] THREADORDER C:\Windows\system32\mmcss.dll
22:16:18.0257 1472 THREADORDER - ok
22:16:18.0320 1472 [ EC74E77D0EB004BD3A809B5F8FB8C2CE ] TrkWks C:\Windows\System32\trkwks.dll
22:16:18.0335 1472 TrkWks - ok
22:16:18.0351 1472 [ 97D9D6A04E3AD9B6C626B9931DB78DBA ] TrustedInstaller C:\Windows\servicing\TrustedInstaller.exe
22:16:18.0351 1472 TrustedInstaller - ok
22:16:18.0413 1472 [ DCF0F056A2E4F52287264F5AB29CF206 ] tssecsrv C:\Windows\system32\DRIVERS\tssecsrv.sys
22:16:18.0413 1472 tssecsrv - ok
22:16:18.0476 1472 [ CAECC0120AC49E3D2F758B9169872D38 ] tunmp C:\Windows\system32\DRIVERS\tunmp.sys
22:16:18.0476 1472 tunmp - ok
22:16:18.0491 1472 [ 300DB877AC094FEAB0BE7688C3454A9C ] tunnel C:\Windows\system32\DRIVERS\tunnel.sys
22:16:18.0491 1472 tunnel - ok
22:16:18.0554 1472 [ C3ADE15414120033A36C0F293D4A4121 ] uagp35 C:\Windows\system32\drivers\uagp35.sys
22:16:18.0554 1472 uagp35 - ok
22:16:18.0632 1472 [ D9728AF68C4C7693CB100B8441CBDEC6 ] udfs C:\Windows\system32\DRIVERS\udfs.sys
22:16:18.0632 1472 udfs - ok
22:16:18.0694 1472 [ ECEF404F62863755951E09C802C94AD5 ] UI0Detect C:\Windows\system32\UI0Detect.exe
22:16:18.0694 1472 UI0Detect - ok
22:16:18.0741 1472 [ 75E6890EBFCE0841D3291B02E7A8BDB0 ] uliagpkx C:\Windows\system32\drivers\uliagpkx.sys
22:16:18.0741 1472 uliagpkx - ok
22:16:18.0803 1472 [ 3CD4EA35A6221B85DCC25DAA46313F8D ] uliahci C:\Windows\system32\drivers\uliahci.sys
22:16:18.0803 1472 uliahci - ok
22:16:18.0819 1472 [ 8514D0E5CD0534467C5FC61BE94A569F ] UlSata C:\Windows\system32\drivers\ulsata.sys
22:16:18.0819 1472 UlSata - ok
22:16:18.0835 1472 [ 38C3C6E62B157A6BC46594FADA45C62B ] ulsata2 C:\Windows\system32\drivers\ulsata2.sys
22:16:18.0835 1472 ulsata2 - ok
22:16:18.0897 1472 [ 32CFF9F809AE9AED85464492BF3E32D2 ] umbus C:\Windows\system32\DRIVERS\umbus.sys
22:16:18.0897 1472 umbus - ok
22:16:18.0959 1472 [ 68308183F4AE0BE7BF8ECD07CB297999 ] upnphost C:\Windows\System32\upnphost.dll
22:16:18.0975 1472 upnphost - ok
22:16:19.0053 1472 [ 32DB9517628FF0D070682AAB61E688F0 ] usbaudio C:\Windows\system32\drivers\usbaudio.sys
22:16:19.0053 1472 usbaudio - ok
22:16:19.0115 1472 [ CAF811AE4C147FFCD5B51750C7F09142 ] usbccgp C:\Windows\system32\DRIVERS\usbccgp.sys
22:16:19.0115 1472 usbccgp - ok
22:16:19.0178 1472 [ E9476E6C486E76BC4898074768FB7131 ] usbcir C:\Windows\system32\drivers\usbcir.sys
22:16:19.0178 1472 usbcir - ok
22:16:19.0256 1472 [ 79E96C23A97CE7B8F14D310DA2DB0C9B ] usbehci C:\Windows\system32\DRIVERS\usbehci.sys
22:16:19.0256 1472 usbehci - ok
22:16:19.0271 1472 [ 4673BBCB006AF60E7ABDDBE7A130BA42 ] usbhub C:\Windows\system32\DRIVERS\usbhub.sys
22:16:19.0271 1472 usbhub - ok
22:16:19.0318 1472 [ CE697FEE0D479290D89BEC80DFE793B7 ] usbohci C:\Windows\system32\DRIVERS\usbohci.sys
22:16:19.0318 1472 usbohci - ok
22:16:19.0396 1472 [ E75C4B5269091D15A2E7DC0B6D35F2F5 ] usbprint C:\Windows\system32\DRIVERS\usbprint.sys
22:16:19.0396 1472 usbprint - ok
22:16:19.0412 1472 [ BE3DA31C191BC222D9AD503C5224F2AD ] USBSTOR C:\Windows\system32\DRIVERS\USBSTOR.SYS
22:16:19.0412 1472 USBSTOR - ok
22:16:19.0459 1472 [ 325DBBACB8A36AF9988CCF40EAC228CC ] usbuhci C:\Windows\system32\DRIVERS\usbuhci.sys
22:16:19.0459 1472 usbuhci - ok
22:16:19.0552 1472 [ 1509E705F3AC1D474C92454A5C2DD81F ] UxSms C:\Windows\System32\uxsms.dll
22:16:19.0552 1472 UxSms - ok
22:16:19.0630 1472 [ CD88D1B7776DC17A119049742EC07EB4 ] vds C:\Windows\System32\vds.exe
22:16:19.0646 1472 vds - ok
22:16:19.0771 1472 [ 7D92BE0028ECDEDEC74617009084B5EF ] vga C:\Windows\system32\DRIVERS\vgapnp.sys
22:16:19.0771 1472 vga - ok
22:16:19.0817 1472 [ 2E93AC0A1D8C79D019DB6C51F036636C ] VgaSave C:\Windows\System32\drivers\vga.sys
22:16:19.0817 1472 VgaSave - ok
22:16:19.0833 1472 [ 045D9961E591CF0674A920B6BA3BA5CB ] viaagp C:\Windows\system32\drivers\viaagp.sys
22:16:19.0833 1472 viaagp - ok
22:16:19.0880 1472 [ 56A4DE5F02F2E88182B0981119B4DD98 ] ViaC7 C:\Windows\system32\drivers\viac7.sys
22:16:19.0880 1472 ViaC7 - ok
22:16:19.0895 1472 [ FD2E3175FCADA350C7AB4521DCA187EC ] viaide C:\Windows\system32\drivers\viaide.sys
22:16:19.0895 1472 viaide - ok
22:16:19.0895 1472 [ 69503668AC66C77C6CD7AF86FBDF8C43 ] volmgr C:\Windows\system32\drivers\volmgr.sys
22:16:19.0895 1472 volmgr - ok
22:16:19.0958 1472 [ 23E41B834759917BFD6B9A0D625D0C28 ] volmgrx C:\Windows\system32\drivers\volmgrx.sys
22:16:19.0958 1472 volmgrx - ok
22:16:20.0036 1472 [ 147281C01FCB1DF9252DE2A10D5E7093 ] volsnap C:\Windows\system32\drivers\volsnap.sys
22:16:20.0051 1472 volsnap - ok
22:16:20.0098 1472 [ D984439746D42B30FC65A4C3546C6829 ] vsmraid C:\Windows\system32\drivers\vsmraid.sys
22:16:20.0098 1472 vsmraid - ok
22:16:20.0161 1472 [ DB3D19F850C6EB32BDCB9BC0836ACDDB ] VSS C:\Windows\system32\vssvc.exe
22:16:20.0176 1472 VSS - ok
22:16:20.0207 1472 [ 96EA68B9EB310A69C25EBB0282B2B9DE ] W32Time C:\Windows\system32\w32time.dll
22:16:20.0223 1472 W32Time - ok
22:16:20.0254 1472 [ 48DFEE8F1AF7C8235D4E626F0C4FE031 ] WacomPen C:\Windows\system32\drivers\wacompen.sys
22:16:20.0254 1472 WacomPen - ok
22:16:20.0285 1472 [ 55201897378CCA7AF8B5EFD874374A26 ] Wanarp C:\Windows\system32\DRIVERS\wanarp.sys
22:16:20.0301 1472 Wanarp - ok
22:16:20.0301 1472 [ 55201897378CCA7AF8B5EFD874374A26 ] Wanarpv6 C:\Windows\system32\DRIVERS\wanarp.sys
22:16:20.0301 1472 Wanarpv6 - ok
22:16:20.0317 1472 [ A3CD60FD826381B49F03832590E069AF ] wcncsvc C:\Windows\System32\wcncsvc.dll
22:16:20.0317 1472 wcncsvc - ok
22:16:20.0379 1472 [ 11BCB7AFCDD7AADACB5746F544D3A9C7 ] WcsPlugInService C:\Windows\System32\WcsPlugInService.dll
22:16:20.0395 1472 WcsPlugInService - ok
22:16:20.0410 1472 [ AFC5AD65B991C1E205CF25CFDBF7A6F4 ] Wd C:\Windows\system32\drivers\wd.sys
22:16:20.0410 1472 Wd - ok
22:16:20.0426 1472 [ B6F0A7AD6D4BD325FBCD8BAC96CD8D96 ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
22:16:20.0426 1472 Wdf01000 - ok
22:16:20.0488 1472 [ ABFC76B48BB6C96E3338D8943C5D93B5 ] WdiServiceHost C:\Windows\system32\wdi.dll
22:16:20.0488 1472 WdiServiceHost - ok
22:16:20.0488 1472 [ ABFC76B48BB6C96E3338D8943C5D93B5 ] WdiSystemHost C:\Windows\system32\wdi.dll
22:16:20.0488 1472 WdiSystemHost - ok
22:16:20.0566 1472 [ 04C37D8107320312FBAE09926103D5E2 ] WebClient C:\Windows\System32\webclnt.dll
22:16:20.0566 1472 WebClient - ok
22:16:20.0675 1472 [ 905214925A88311FCE52F66153DE7610 ] Wecsvc C:\Windows\system32\wecsvc.dll
22:16:20.0675 1472 Wecsvc - ok
22:16:20.0675 1472 [ 670FF720071ED741206D69BD995EA453 ] wercplsupport C:\Windows\System32\wercplsupport.dll
22:16:20.0691 1472 wercplsupport - ok
22:16:20.0753 1472 [ 32B88481D3B326DA6DEB07B1D03481E7 ] WerSvc C:\Windows\System32\WerSvc.dll
22:16:20.0769 1472 WerSvc - ok
22:16:20.0894 1472 [ 4575AA12561C5648483403541D0D7F2B ] WinDefend C:\Program Files\Windows Defender\mpsvc.dll
22:16:20.0894 1472 WinDefend - ok
22:16:20.0894 1472 WinHttpAutoProxySvc - ok
22:16:21.0081 1472 [ 6B2A1D0E80110E3D04E6863C6E62FD8A ] Winmgmt C:\Windows\system32\wbem\WMIsvc.dll
22:16:21.0081 1472 Winmgmt - ok
22:16:21.0190 1472 [ 01874D4689C212460FBABF0ECD7CB7F7 ] WinRM C:\Windows\system32\WsmSvc.dll
22:16:21.0190 1472 WinRM - ok
22:16:21.0268 1472 [ C008405E4FEEB069E30DA1D823910234 ] Wlansvc C:\Windows\System32\wlansvc.dll
22:16:21.0284 1472 Wlansvc - ok
22:16:21.0346 1472 [ 701A9F884A294327E9141D73746EE279 ] WmiAcpi C:\Windows\system32\drivers\wmiacpi.sys
22:16:21.0362 1472 WmiAcpi - ok
22:16:21.0377 1472 [ 43BE3875207DCB62A85C8C49970B66CC ] wmiApSrv C:\Windows\system32\wbem\WmiApSrv.exe
22:16:21.0377 1472 wmiApSrv - ok
22:16:21.0487 1472 [ 3978704576A121A9204F8CC49A301A9B ] WMPNetworkSvc C:\Program Files\Windows Media Player\wmpnetwk.exe
22:16:21.0502 1472 WMPNetworkSvc - ok
22:16:21.0549 1472 [ CFC5A04558F5070CEE3E3A7809F3FF52 ] WPCSvc C:\Windows\System32\wpcsvc.dll
22:16:21.0565 1472 WPCSvc - ok
22:16:21.0580 1472 [ 801FBDB89D472B3C467EB112A0FC9246 ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
22:16:21.0580 1472 WPDBusEnum - ok
22:16:21.0611 1472 [ DE9D36F91A4DF3D911626643DEBF11EA ] WpdUsb C:\Windows\system32\DRIVERS\wpdusb.sys
22:16:21.0611 1472 WpdUsb - ok
22:16:21.0705 1472 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
22:16:21.0705 1472 WPFFontCache_v0400 - ok
22:16:21.0767 1472 [ E3A3CB253C0EC2494D4A61F5E43A389C ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
22:16:21.0783 1472 ws2ifsl - ok
22:16:21.0845 1472 [ 1CA6C40261DDC0425987980D0CD2AAAB ] wscsvc C:\Windows\system32\wscsvc.dll
22:16:21.0845 1472 wscsvc - ok
22:16:21.0845 1472 WSearch - ok
22:16:21.0939 1472 [ FC3EC24FCE372C89423E015A2AC1A31E ] wuauserv C:\Windows\system32\wuaueng.dll
22:16:21.0986 1472 wuauserv - ok
22:16:22.0048 1472 [ AC13CB789D93412106B0FB6C7EB2BCB6 ] WUDFRd C:\Windows\system32\DRIVERS\WUDFRd.sys
22:16:22.0048 1472 WUDFRd - ok
22:16:22.0111 1472 [ 575A4190D989F64732119E4114045A4F ] wudfsvc C:\Windows\System32\WUDFSvc.dll
22:16:22.0126 1472 wudfsvc - ok
22:16:22.0126 1472 ================ Scan global ===============================
22:16:22.0251 1472 [ F31EEBC1A1C81FD04005489CC3DCDFE7 ] C:\Windows\system32\basesrv.dll
22:16:22.0282 1472 [ D2293B069E4B63DC17B2F08D45E71124 ] C:\Windows\system32\winsrv.dll
22:16:22.0282 1472 [ D2293B069E4B63DC17B2F08D45E71124 ] C:\Windows\system32\winsrv.dll
22:16:22.0376 1472 [ D4E6D91C1349B7BFB3599A6ADA56851B ] C:\Windows\system32\services.exe
22:16:22.0376 1472 [Global] - ok
22:16:22.0376 1472 ================ Scan MBR ==================================
22:16:22.0438 1472 [ 5C616939100B85E558DA92B899A0FC36 ] \Device\Harddisk0\DR0
22:16:22.0891 1472 \Device\Harddisk0\DR0 - ok
22:16:22.0891 1472 ================ Scan VBR ==================================
22:16:22.0891 1472 [ 2A5306846F8ED44745747B49D4957F15 ] \Device\Harddisk0\DR0\Partition1
22:16:22.0891 1472 \Device\Harddisk0\DR0\Partition1 - ok
22:16:22.0891 1472 ============================================================
22:16:22.0891 1472 Scan finished
22:16:22.0891 1472 ============================================================
22:16:22.0891 0616 Detected object count: 0
22:16:22.0891 0616 Actual detected object count: 0


aswMBR log:

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-30 22:17:53
-----------------------------
22:17:53.899 OS Version: Windows 6.0.6002 Service Pack 2
22:17:53.899 Number of processors: 2 586 0xF0B
22:17:53.899 ComputerName: DEATHSTAR-PC UserName: Deathstar
22:18:23.007 Initialize success
22:20:39.403 AVAST engine defs: 12113001
22:21:02.085 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005b
22:21:02.085 Disk 0 Vendor: NVIDIA__ Size: 476940MB BusType: 8
22:21:02.101 Disk 0 MBR read successfully
22:21:02.101 Disk 0 MBR scan
22:21:02.101 Disk 0 Windows VISTA default MBR code
22:21:02.117 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476938 MB offset 2048
22:21:02.132 Disk 0 scanning sectors +976771072
22:21:02.226 Disk 0 scanning C:\Windows\system32\drivers
22:21:19.277 Service scanning
22:21:33.597 Service MpKslc4aa6162 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B38C00E1-0C0A-485D-AFC9-90BE587913CE}\MpKslc4aa6162.sys **LOCKED** 32
22:21:57.684 Modules scanning
22:22:06.373 Disk 0 trace - called modules:
22:22:06.404 ntoskrnl.exe CLASSPNP.SYS disk.sys nvrd32.sys hal.dll acpi.sys storport.sys nvstor32.sys tcpip.sys NETIO.SYS
22:22:06.420 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86227ac8]
22:22:06.420 3 CLASSPNP.SYS[827458b3] -> nt!IofCallDriver -> \Device\0000005b[0x8561b030]
22:22:06.420 5 nvrd32.sys[827776a8] -> nt!IofCallDriver -> [0x851bea10]
22:22:06.435 7 acpi.sys[826486bc] -> nt!IofCallDriver -> \Device\00000058[0x851fbae0]
22:22:07.668 AVAST engine scan C:\Windows
22:22:13.284 AVAST engine scan C:\Windows\system32
22:26:19.296 AVAST engine scan C:\Windows\system32\drivers
22:26:54.053 AVAST engine scan C:\Users\Deathstar
22:30:01.393 AVAST engine scan C:\ProgramData
22:35:22.800 Scan finished successfully
22:42:49.834 Disk 0 MBR has been saved successfully to "C:\Users\Deathstar\Desktop\MBR.dat"
22:42:49.850 The log file has been saved successfully to "C:\Users\Deathstar\Desktop\aswMBR2.txt"

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:50 AM

Posted 01 December 2012 - 01:20 AM

Greetings

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from ComboFix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#11 CRussum

CRussum
  • Topic Starter

  • Members
  • 22 posts
  • Local time:03:50 AM

Posted 01 December 2012 - 02:04 AM

No problems when running ComboFix. Here is the log:

ComboFix 12-12-01.01 - Deathstar 11/30/2012 23:32:55.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.2278 [GMT -7:00]
Running from: c:\users\Deathstar\Desktop\ComboFix.exe
Command switches used :: c:\users\Deathstar\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-11-01 to 2012-12-01 )))))))))))))))))))))))))))))))
.
.
2012-12-01 06:36 . 2012-12-01 06:36 -------- d-----w- c:\users\Deathstar\AppData\Local\temp
2012-12-01 06:36 . 2012-12-01 06:36 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-12-01 06:36 . 2012-12-01 06:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-01 04:53 . 2012-12-01 04:53 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B38C00E1-0C0A-485D-AFC9-90BE587913CE}\MpKslc4aa6162.sys
2012-12-01 03:19 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B38C00E1-0C0A-485D-AFC9-90BE587913CE}\mpengine.dll
2012-11-30 02:07 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-19 07:27 . 2012-10-02 19:29 2557288 ----a-w- c:\windows\system32\nvsvcr.dll
2012-11-19 07:19 . 2012-06-02 00:02 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-11-19 07:19 . 2012-06-02 00:02 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-11-19 07:19 . 2012-06-02 00:02 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-11-19 07:18 . 2012-09-25 16:19 75776 ----a-w- c:\windows\system32\synceng.dll
2012-11-19 07:18 . 2012-09-13 13:28 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-19 07:18 . 2012-08-24 15:53 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-11-19 07:18 . 2012-10-12 14:29 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-11-19 07:18 . 2012-08-29 11:27 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-11-19 07:18 . 2012-08-29 11:27 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-11-19 07:10 . 2012-11-25 02:17 -------- d-----w- c:\users\Deathstar\AppData\Local\ElevatedDiagnostics
2012-11-19 03:26 . 2012-11-19 03:26 -------- d-----w- c:\program files\Microsoft Security Client
2012-11-17 23:25 . 2012-11-17 23:25 -------- d-----w- c:\users\Deathstar\AppData\Local\QuickSet
2012-11-16 08:45 . 2012-10-12 05:56 6918632 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{44DC8E87-FE0D-471D-8A3B-027E87D9B217}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-19 17:29 . 2012-04-10 17:45 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-19 17:29 . 2011-11-06 17:03 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-11 04:15 . 2012-10-11 04:15 1867112 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-10-11 04:15 . 2012-10-11 04:15 2574696 ----a-w- c:\windows\system32\nvcuvid.dll
2012-10-11 04:14 . 2012-10-11 04:14 888168 ----a-w- c:\windows\system32\nvdispgenco32.dll
2012-10-11 04:14 . 2012-10-11 04:14 12501352 ----a-w- c:\windows\system32\nvwgf2um.dll
2012-10-11 04:14 . 2012-10-11 04:14 17559912 ----a-w- c:\windows\system32\nvcompiler.dll
2012-10-11 04:14 . 2011-11-06 02:16 2428776 ----a-w- c:\windows\system32\nvapi.dll
2012-10-11 04:14 . 2012-10-11 04:14 7697768 ----a-w- c:\windows\system32\nvcuda.dll
2012-10-11 04:14 . 2012-10-11 04:14 10837352 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-10-11 04:14 . 2012-10-11 04:14 19906920 ----a-w- c:\windows\system32\nvoglv32.dll
2012-10-11 04:14 . 2011-11-06 02:16 1009512 ----a-w- c:\windows\system32\nvdispco32.dll
2012-10-11 04:14 . 2012-10-11 04:14 6127464 ----a-w- c:\windows\system32\nvopencl.dll
2012-10-11 04:14 . 2012-10-11 04:14 15309160 ----a-w- c:\windows\system32\nvd3dum.dll
2012-10-02 20:15 . 2012-10-02 20:15 430952 ----a-w- c:\windows\system32\nvStreaming.exe
2012-10-02 19:29 . 2011-11-06 02:18 645992 ----a-w- c:\windows\system32\nvvsvc.exe
2012-10-02 19:29 . 2011-11-06 02:18 62312 ----a-w- c:\windows\system32\nvshext.dll
2012-10-02 19:29 . 2011-11-06 02:17 108392 ----a-w- c:\windows\system32\nvmctray.dll
2012-10-02 19:29 . 2011-11-06 02:17 2853224 ----a-w- c:\windows\system32\nvsvc.dll
2012-10-02 19:28 . 2011-11-06 02:17 3965288 ----a-w- c:\windows\system32\nvcpl.dll
2012-09-30 02:54 . 2012-07-09 21:47 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTxfiHlp"="CTXFIHLP.EXE" [2010-05-06 25600]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 21:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 59337558
*NewlyCreated* - MPKSLC4AA6162
*Deregistered* - 59337558
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
LPDService REG_MULTI_SZ LPDSVC
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hotmail.com/
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-30 23:36
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2012-11-30 23:38:23
ComboFix-quarantined-files.txt 2012-12-01 06:38
ComboFix2.txt 2012-12-01 03:14
.
Pre-Run: 368,171,675,648 bytes free
Post-Run: 368,342,220,800 bytes free
.
- - End Of File - - E4925BF56892E97D55F3104A74D48D3C

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:50 AM

Posted 01 December 2012 - 02:15 AM

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

  • Java 2 Runtime Environment, SE v1.4.2_06
  • Java™ 6 Update 31


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on the program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again click Yes
  • When the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • When prompted click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete
  • When prompted select Yes then Next
  • Once done click Finish.



Install Java:

Please go here to install Java

  • Click on the Free Java Download button
  • Click on Agree and start Free download
  • Click on Run
  • Click on Run again
  • Click on Install
  • When install is complete click on Close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.
  • Download CCleaner from here: http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

Malwarebytes' Anti-Malware

  • I would like you to rerun MBAM
  • Double-click the MBAM icon
  • Go to the Update tab at the top
  • Click on Check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis see NOTE** below (Hosts file not read, blank Notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7: right-click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch HijackThis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in Notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select to run as administrator

Information and logs

In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 CRussum

  • Topic Starter
  • Members
  • 22 posts
  • Local time:03:50 AM

Posted 01 December 2012 - 02:48 AM

No problems running any program.


MBAM log:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.01.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Deathstar :: DEATHSTAR-PC [administrator]

12/1/2012 12:37:44 AM
mbam-log-2012-12-01 (00-37-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 210870
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:46:55 AM, on 12/1/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16455)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\Ctxfihlp.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\System32\mobsync.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Deathstar\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-21-1720979704-1297754616-1217966847-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-1720979704-1297754616-1217966847-1001\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'UpdatusUser')
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: *.soe.com
O15 - Trusted Zone: *.sony.com
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: DokanMounter - Unknown owner - C:\Program Files\Dokan\DokanLibrary\mounter.exe
O23 - Service: HP SI Service (HPSIService) - HP - C:\Windows\system32\HPSIsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 3904 bytes

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:50 AM

Posted 01 December 2012 - 02:52 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

Remove unneeded start-up entries

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to. Any of these programs you can start by clicking on their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis see NOTE** below (Hosts file not read, blank Notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKUS\S-1-5-21-1720979704-1297754616-1217966847-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
    O4 - HKUS\S-1-5-21-1720979704-1297754616-1217966847-1001\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'UpdatusUser')

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space:
    O4 - HKLM\..\Run: [IntelliPoint]

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right-click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete:

If no threats were found
  • Put a checkmark in "Uninstall application on close"
  • Close program
  • Report to me that nothing was found

If threats were found
  • Click on "list of threats found"
  • Click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on Back
  • Put a checkmark in "Uninstall application on close"
  • Click on Finish
  • Close program
  • Copy and paste the report here


Gringo

Edited by gringo_pr, 01 December 2012 - 02:52 AM.

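The O4 lines Gringo asks to have checked above are picked out of the HijackThis log by eye; as an added example (not code from the thread, from HijackThis or from BleepingComputer), the parser below reads the O4, O15 and O23 lines of a log laid out like the one in post #13 and returns the O4 entries whose [name] is on a given list, so the "Fix Checked" selection can be verified against the log mechanically. The sample log is constructed and the SID in it is made up.

```python
# Added example: a small parser for HijackThis-style log lines. Not part of the
# thread; the sample log below is constructed to mirror the layout posted above.
import re
from dataclasses import dataclass
from typing import List, Optional

# O4 - <hive>\..\<key>: [<name>] <command>  [ (User '<user>') ]
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] ?"
                   r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
# O15 - Trusted Zone: <zone>
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>\S+)$")
# O23 - Service: <display name> [(<short name>)] - <owner> - <path>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^)]*)\))?"
                    r" - (?P<owner>.+?) - (?P<path>.+)$")

@dataclass
class Entry:
    kind: str                    # "O4", "O15" or "O23"
    name: str                    # run-key value name, zone, or service display name
    target: str                  # command line, zone, or service binary path
    hive: str = ""               # O4 only: HKLM, HKCU or HKUS\<SID>
    user: Optional[str] = None   # O4 only: the "(User '...')" suffix, if any
    short: Optional[str] = None  # O23 only: the (ShortName) part
    owner: Optional[str] = None  # O23 only: vendor string, or "Unknown owner"

def parse_hjt(text: str) -> List[Entry]:
    """Return the O4, O15 and O23 entries of a HijackThis log; other lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], m["cmd"], m["hive"], m["user"]))
        elif m := O15_RE.match(line):
            entries.append(Entry("O15", m["zone"], m["zone"]))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["name"], m["path"], short=m["short"], owner=m["owner"]))
    return entries

def select_run_entries(entries: List[Entry], names) -> List[Entry]:
    """O4 entries whose [name] is in `names` (case-insensitive), as in a helper's fix list."""
    wanted = {n.lower() for n in names}
    return [e for e in entries if e.kind == "O4" and e.name.lower() in wanted]

# Constructed sample log (made-up SID), modelled on the layout of the log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\Windows\Explorer.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-21-111-222-333-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
O15 - Trusted Zone: *.soe.com
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
"""

if __name__ == "__main__":
    for e in select_run_entries(parse_hjt(SAMPLE_LOG), ["CTxfiHlp", "Sidebar"]):
        print(e.kind, e.hive, e.name, "->", e.target, e.user or "")
```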

#15 CRussum

  • Topic Starter
  • Members
  • 22 posts
  • Local time:03:50 AM

Posted 01 December 2012 - 03:07 AM

Nothing was found by the Eset Online Scanner.
