task manager and registry editor greyed out


26 replies to this topic

#1 stefanbonnarens

  • Members
  • 14 posts

Posted 21 April 2014 - 03:52 AM

Hi all

 

I was infected by something that greyed out my task manager. Also, starting task manager or registry editor from the command prompt was impossible: an error message popped up saying that these functions were disabled by my administrator.

Scanning with McAfee and BitDefender did not solve the issue. I ran CCleaner but this did not do the trick, and I tried Malwarebytes as well, but (I think) the virus prevented it from running. You can run the Chameleon function of Malwarebytes, but this did not help either.

Luckily, with ComboFix my task manager and registry editor are accessible once again, but Malwarebytes refuses to start, and I also notice that Notepad prevents me from saving files. When I want to do Save As, Notepad crashes and I can do nothing else than close it with task manager.

I ran DDS and this is the log:
 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17041  BrowserJavaVersion: 10.55.2
Run by Stefano.Bonnarens at 10:40:36 on 2014-04-21
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3055.1899 [GMT 2:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Fingerprint Sensor\AtService.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\IDT\WDM\STacSV.exe
C:\Windows\system32\Hpservice.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
C:\Windows\system32\vcsFPService.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Windows\system32\afasrv32.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\QUALCOMM\QDLService2k\QDLService2kHP.exe
C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\RA2HP\HPRAService.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\McAfee\Endpoint Encryption\EpePcMonitor.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\McAfee\Endpoint Encryption for Files and Folders\MfeFfCore.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Users\stefano.bonnarens\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office14\GROOVE.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.be/
uProxyServer = 137.183.234.10:8080
uProxyOverride = *.hpcds.com;*.hpcds.net;*.hpcds.be;*.synstar.net;*.synstar.be;*.hpcds.net;*.autodiscover.hpcds.com;<local>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
uRun: [SkyDrive] "c:\users\stefano.bonnarens\appdata\local\microsoft\skydrive\SkyDrive.exe" /background
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [NUSB3MON] "c:\program files\nec electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [HPRAService] c:\program files\ra2hp\HPRAService.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [EpeFprTrainer] "c:\program files\mcafee\endpoint encryption\EpeFprTrainer.exe"
mRun: [MfeEpePcMonitor] "c:\program files\mcafee\endpoint encryption\EpePcMonitor.exe"
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [MfeFfCore] "c:\program files\mcafee\endpoint encryption for files and folders\MfeFfCore.exe"
StartupFolder: c:\users\stefan~1.bon\appdata\roaming\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office14\GROOVE.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: dontdisplaylastusername = dword:1
mPolicies-System: legalnoticecaption = Hewlett Packard CDS  - *** IMPORTANT NOTICE ***
mPolicies-System: legalnoticetext = This is a private computer system on a private computer network., ALL access can be logged and monitored., UNAUTHORIZED users are not allowed, and any attempt to enter the network , or this system without permissions may lead to personal liability and disciplinary.
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: hp.com
Trusted Zone: vimeo.com
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{07EB2382-465B-46B2-9399-476C8267F97B} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{7A92906E-A9EB-4F75-9FA5-9F471D686A45} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{7A92906E-A9EB-4F75-9FA5-9F471D686A45}\5414F57455543545 : DHCPNameServer = 195.238.2.21 195.238.2.22
TCP: Interfaces\{7A92906E-A9EB-4F75-9FA5-9F471D686A45}\8455147554940274730303D2551303 : DHCPNameServer = 192.168.43.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
AppInit_DLLs= c:\progra~1\citrix\icacli~1\RSHook.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
LSA: Notification Packages =  EpePcNp32 scecli
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\34.0.1847.116\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\stefano.bonnarens\appdata\roaming\mozilla\firefox\profiles\lbn2h2uu.default\
FF - prefs.js: network.proxy.ftp - 10.40.40.180
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - 10.40.40.180
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.40.40.180
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 10.40.40.180
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\citrix\ica client\npicaN.dll
FF - plugin: c:\program files\google\update\1.3.23.9\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: c:\users\stefano.bonnarens\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1205146.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_77.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MfeEEAlg;MfeEEAlg;c:\windows\system32\drivers\MfeEEAlg.sys [2014-1-29 62576]
R0 MfeEpeOpal;MfeEpeOpal;c:\windows\system32\drivers\MfeEpeOpal.sys [2013-4-5 79912]
R0 MfeEpePc;MfeEpePc;c:\windows\system32\drivers\MfeEpePc.sys [2013-4-5 103848]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2011-4-25 65584]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\common files\actividentity\ac.sharedstore.exe [2009-6-3 207400]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2011-2-23 81920]
R2 AfaService;Afa Card Reader Service;c:\windows\system32\afasrv32.exe [2012-12-17 65536]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-6-12 1164536]
R2 DisplayLinkService;DisplayLinkManager;c:\program files\displaylink core software\DisplayLinkManager.exe [2010-9-21 5236072]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2012-6-5 197536]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2011-5-13 26168]
R2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\mcafee\endpoint encryption agent\MfeEpeHost.exe [2013-4-5 1865760]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2013-3-22 130080]
R2 QDLService2kHP;Qualcomm Gobi 2000 Download Service (HP);c:\program files\qualcomm\qdlservice2k\QDLService2kHP.exe [2010-10-21 332096]
R2 TeamViewer8;TeamViewer 8;c:\program files\teamviewer\version8\TeamViewer_Service.exe [2012-12-17 3574624]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2011-1-20 2320920]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-2-18 1664304]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2011-1-20 227896]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2011-5-5 266408]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2009-10-26 125696]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2010-10-18 7122944]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2009-11-20 58880]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2009-11-20 137728]
R3 qcfilterhp2k;HP un2420 Mobile Broadband Module USB Device Filter;c:\windows\system32\drivers\qcfilterhp2k.sys [2010-10-21 5248]
R3 qcombushp;Gobi 2000 USB Composite Device Driver(03F0-251D);c:\windows\system32\drivers\qcombushp.sys [2010-10-21 106184]
R3 qcusbnethp2k;Gobi 2000 USB-NDIS miniport(03F0-251D);c:\windows\system32\drivers\qcusbnethp2k.sys [2010-10-21 374784]
R3 qcusbserhp2k;Gobi 2000 USB Device for Legacy Serial Communication(03F0-251D);c:\windows\system32\drivers\qcusbserhp2k.sys [2010-10-21 190592]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2011-1-20 49152]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [2007-4-6 13647]
S3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [2007-4-6 27008]
S3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [2007-4-6 10161]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 CpqDtct;CpqDtct;c:\windows\system32\drivers\Cpqdtct.sys [2011-2-24 67016]
S3 HPKBCCID;HP Keyboard Smart Card Driver;c:\windows\system32\drivers\HPKBCCID.sys [2012-3-5 48000]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-4-8 108032]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-3-29 107736]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2010-1-13 6755840]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2014-4-8 14848]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2014-4-8 49152]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2014-3-26 95520]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-7-27 1343400]
S3 xhc200w;xhc200w;c:\swsetup\sp48109\32\xhc200w.sys [2010-2-2 25232]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
FileExt: .js: Applications\iexplore.exe="c:\program files\internet explorer\iexplore.exe" %1 [UserChoice]
.
=============== Created Last 30 ================
.
2014-04-20 20:32:28 -------- d-sh--w- C:\$RECYCLE.BIN
2014-04-20 19:51:23 98816 ----a-w- c:\windows\sed.exe
2014-04-20 19:51:23 256000 ----a-w- c:\windows\PEV.exe
2014-04-20 19:51:23 208896 ----a-w- c:\windows\MBR.exe
2014-04-20 19:04:46 -------- d-----w- C:\usb folder
2014-04-20 19:00:43 227328 ------w- C:\test.exe
2014-04-20 06:33:46 -------- d-----w- c:\programdata\BDLogging
2014-04-20 06:33:40 74512 ----a-w- c:\windows\system32\bdsandboxuiskin.dll
2014-04-20 06:33:40 511328 ----a-w- c:\windows\capicom.dll
2014-04-20 06:33:40 27168 ----a-w- c:\windows\system32\bdsandboxuh.dll
2014-04-20 06:30:21 -------- d-----w- c:\programdata\Bitdefender
2014-04-20 06:30:18 -------- d-----w- c:\program files\Bitdefender
2014-04-20 06:30:00 -------- d-----w- c:\program files\common files\Bitdefender
2014-04-20 06:19:25 -------- d-----w- c:\users\stefano.bonnarens\appdata\roaming\QuickScan
2014-04-19 20:56:29 -------- d-----w- c:\windows\pss
2014-04-19 19:08:29 -------- d-----w- c:\users\stefano.bonnarens\appdata\roaming\AVG2014
2014-04-19 19:07:26 -------- d-----w- c:\users\stefano.bonnarens\appdata\roaming\TuneUp Software
2014-04-19 19:05:20 -------- d-----w- c:\programdata\AVG2014
2014-04-19 19:05:20 -------- d-----w- C:\$AVG
2014-04-19 19:04:05 -------- d--h--w- c:\programdata\Common Files
2014-04-19 19:04:05 -------- d-----w- c:\users\stefano.bonnarens\appdata\local\MFAData
2014-04-19 19:04:05 -------- d-----w- c:\users\stefano.bonnarens\appdata\local\Avg2014
2014-04-19 19:04:05 -------- d-----w- c:\programdata\MFAData
2014-04-17 19:16:32 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-04-09 21:50:20 -------- d-sh--w- c:\users\stefano.bonnarens\appdata\local\EmieUserList
2014-04-09 21:50:20 -------- d-sh--w- c:\users\stefano.bonnarens\appdata\local\EmieSiteList
2014-04-08 21:22:53 14848 ----a-w- c:\windows\system32\drivers\rdpvideominiport.sys
2014-04-08 21:22:53 12800 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
2014-04-08 21:22:52 221184 ----a-w- c:\windows\system32\rdpudd.dll
2014-04-08 21:22:52 192000 ----a-w- c:\windows\system32\rdpendp_winip.dll
2014-04-08 21:22:51 2739712 ----a-w- c:\windows\system32\rdpcorets.dll
2014-04-08 21:19:44 32256 ----a-w- c:\windows\system32\TsUsbGDCoInstaller.dll
2014-04-08 21:19:44 12800 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-04-08 21:19:43 855552 ----a-w- c:\windows\system32\rdvidcrl.dll
2014-04-08 21:19:43 76288 ----a-w- c:\windows\system32\TSWbPrxy.exe
2014-04-08 21:19:43 53248 ----a-w- c:\windows\system32\tsgqec.dll
2014-04-08 21:19:43 50176 ----a-w- c:\windows\system32\MsRdpWebAccess.dll
2014-04-08 21:19:43 49152 ----a-w- c:\windows\system32\drivers\TsUsbFlt.sys
2014-04-08 21:19:43 350208 ----a-w- c:\windows\system32\wksprt.exe
2014-04-08 21:19:43 17920 ----a-w- c:\windows\system32\wksprtPS.dll
2014-04-08 21:19:43 14336 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-04-08 21:19:42 5698048 ----a-w- c:\windows\system32\mstscax.dll
2014-04-08 21:19:42 1068544 ----a-w- c:\windows\system32\mstsc.exe
2014-04-08 21:11:59 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-04-08 20:56:12 7969936 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e52f9f9f-5f1a-4130-a344-578ef2c3cf2b}\mpengine.dll
2014-04-08 20:54:41 792576 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-04-08 20:54:33 27072 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2014-04-08 20:54:33 234432 ----a-w- c:\windows\system32\drivers\msiscsi.sys
2014-04-08 20:54:33 2048 ----a-w- c:\windows\system32\iologmsg.dll
2014-04-08 20:54:33 149440 ----a-w- c:\windows\system32\drivers\storport.sys
2014-04-08 20:54:31 514560 ----a-w- c:\windows\system32\qdvd.dll
2014-04-08 20:54:21 96768 ----a-w- c:\windows\system32\drivers\umdf\WUDFUsbccidDriver.dll
2014-04-08 20:54:19 1212352 ----a-w- c:\windows\system32\drivers\ntfs.sys
2014-04-05 17:10:29 1247744 ----a-w- c:\windows\system32\DWrite.dll
2014-04-03 18:57:34 -------- d-----w- c:\program files\McAfeeold2
2014-03-29 20:13:25 380928 ----a-w- c:\windows\system32\aestecap.dll
2014-03-29 20:13:24 86016 ----a-w- c:\windows\system32\AESTCom.dll
2014-03-29 20:13:24 495708 ----a-w- c:\windows\sttray.exe
2014-03-29 20:13:24 1953792 ----a-w- c:\windows\system32\stlang.dll
2014-03-29 20:13:24 12705884 ----a-w- c:\windows\system32\idtcpl.cpl
2014-03-29 20:03:37 140288 ----a-w- c:\windows\system32\aestacap.dll
2014-03-29 18:53:31 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-03-29 18:52:50 -------- d-----w- c:\programdata\Malwarebytes
2014-03-29 18:52:27 -------- d-----w- c:\users\stefano.bonnarens\appdata\local\Programs
2014-03-29 18:15:30 -------- d-----w- c:\program files\CCleaner
2014-03-29 16:46:00 204064 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2014-03-29 16:45:56 104736 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2014-03-29 16:45:52 -------- d-----w- c:\program files\Oracle
2014-03-26 19:23:06 116512 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2014-03-26 19:23:04 95520 ----a-w- c:\windows\system32\drivers\VBoxUSB.sys
2014-03-26 19:23:04 126752 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2014-03-26 19:23:00 174880 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
2014-03-24 21:37:27 -------- d-----w- c:\windows\Migration
2014-03-24 21:29:22 417792 ----a-w- c:\windows\system32\WMPhoto.dll
2014-03-24 21:29:19 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-03-24 21:28:35 3419136 ----a-w- c:\windows\system32\d2d1.dll
2014-03-24 21:28:35 1987584 ----a-w- c:\windows\system32\d3d10warp.dll
.
==================== Find3M  ====================
.
2014-04-17 19:40:29 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-04-17 19:40:29 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-31 07:35:10 231584 ------w- c:\windows\system32\MpSigStub.exe
2014-03-17 20:12:34 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-03-06 08:32:07 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-03-06 08:31:27 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-03-06 08:02:33 455168 ----a-w- c:\windows\system32\vbscript.dll
2014-03-06 08:01:01 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-03-06 07:46:36 4254720 ----a-w- c:\windows\system32\jscript9.dll
2014-03-06 07:38:13 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-03-06 07:38:10 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-03-06 07:36:40 592896 ----a-w- c:\windows\system32\jscript9diag.dll
2014-03-06 07:28:01 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-06 07:13:43 32256 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-03-06 06:40:39 1967104 ----a-w- c:\windows\system32\inetcpl.cpl
2014-03-06 05:41:49 1789440 ----a-w- c:\windows\system32\wininet.dll
2014-02-07 01:07:56 2349056 ----a-w- c:\windows\system32\win32k.sys
2014-02-04 02:04:11 509440 ----a-w- c:\windows\system32\qedit.dll
2014-01-29 02:06:47 381440 ----a-w- c:\windows\system32\wer.dll
2014-01-28 02:07:07 185344 ----a-w- c:\windows\system32\wwansvc.dll
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: >>UNKNOWN [0x83C49000]<< >>UNKNOWN [0x83C12000]<< >>UNKNOWN [0x9940D000]<< >>UNKNOWN [0x870FB000]<< >>UNKNOWN [0x870EA000]<< >>UNKNOWN [0x870AF000]<< >>UNKNOWN [0x843C6000]<< >>UNKNOWN [0x86A22000]<< >>UNKNOWN [0x843E9000]<< >>UNKNOWN [0x8E8AB000]<< >>UNKNOWN [0x9021F000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL;  }
1 ntkrnlpa!IofCallDriver[0x83C7FBBA] -> \Device\Harddisk0\DR0[0x8C2CBAC8]
\Driver\Disk[0x8C2CAF38] -> IRP_MJ_CREATE -> 0x870FF39F
3 [0x870FF59E] -> ntkrnlpa!IofCallDriver[0x83C7FBBA] -> [0x8C2CA150]
\Driver\hpdskflt[0x8C28EA40] -> IRP_MJ_CREATE -> 0x870B0EB2
5 [0x870B0F92] -> ntkrnlpa!IofCallDriver[0x83C7FBBA] -> \Device\Ide\IdeDeviceP0T0L0-0[0x8C17C908]
\Driver\atapi[0x8C1378C8] -> IRP_MJ_CREATE -> 0x843E08CE
kernel: MBR read successfully
_asm { CLI ; JMP 0x26;  }
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 10:41:49.26 ===============
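As an added illustration (not part of the original post, and not code from the DDS tool), the following Python snippet reads the policy and proxy lines in the DDS "Pseudo HJT Report" format shown above and flags the registry policies that produce the "disabled by your administrator" symptom, together with the UAC and proxy values visible in the posted log. The sample lines are constructed from the log; the DisableTaskMgr and DisableRegistryTools lines are assumed examples that do not appear in it.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the DDS "Pseudo HJT Report" in the post above.
# The first five lines are copied from the posted log; the two Disable* lines are
# constructed (they are not in the posted log) to show how the "disabled by your
# administrator" symptom from the first post appears in DDS output.
SAMPLE_LOG = """\
uStart Page = hxxps://www.google.be/
uProxyServer = 137.183.234.10:8080
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
uPolicies-System: DisableTaskMgr = dword:1
uPolicies-System: DisableRegistryTools = dword:1
"""

# DDS prefixes the policy branch with "u" (current-user hive, HKCU) or "m" (machine
# hive, HKLM) and prints the registry value as "dword:<decimal>". String-valued
# policies (legalnoticecaption etc.) do not match this pattern and are skipped.
POLICY_RE = re.compile(r"^([um])Policies-(\w+):\s*(\w+)\s*=\s*dword:(\d+)\s*$")
PROXY_RE = re.compile(r"^uProxyServer\s*=\s*(\S+)\s*$")

# (policy key, value that is a finding, what it means). The decimal value is what DDS
# prints; dword:145 in the post is 0x91, the usual NoDriveTypeAutoRun default, so that
# key is deliberately not on this list.
POLICY_CHECKS: List[Tuple[str, int, str]] = [
    ("DisableTaskMgr", 1, "Task Manager blocked by policy (the symptom described in the post)"),
    ("DisableRegistryTools", 1, "Registry Editor blocked by policy (the symptom described in the post)"),
    ("EnableLUA", 0, "UAC is switched off"),
    ("ConsentPromptBehaviorAdmin", 0, "administrators elevate without any prompt"),
]


def parse_policies(log_text: str) -> Dict[Tuple[str, str, str], int]:
    """Return {(hive, branch, key): value} for every *Policies-* line in a DDS log."""
    policies: Dict[Tuple[str, str, str], int] = {}
    for line in log_text.splitlines():
        match = POLICY_RE.match(line.strip())
        if match:
            hive, branch, key, value = match.groups()
            policies[(hive, branch, key)] = int(value)  # DDS prints decimal, not hex
    return policies


def find_proxy(log_text: str) -> Optional[str]:
    """Return the user-level proxy (host:port) from a uProxyServer line, if any."""
    for line in log_text.splitlines():
        match = PROXY_RE.match(line.strip())
        if match:
            return match.group(1)
    return None


def triage(log_text: str) -> List[str]:
    """Produce one human-readable finding per policy or proxy setting worth a look."""
    findings: List[str] = []
    for (hive, branch, key), value in parse_policies(log_text).items():
        for check_key, bad_value, why in POLICY_CHECKS:
            if key == check_key and value == bad_value:
                hive_name = "HKCU" if hive == "u" else "HKLM"
                findings.append(f"{hive_name}\\...\\Policies\\{branch}\\{key} = {value}: {why}")
    proxy = find_proxy(log_text)
    if proxy is not None:
        # A user-level proxy silently routes all IE traffic; confirm it is the expected one.
        findings.append(f"user proxy set to {proxy}: confirm this is the expected proxy")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Paste the whole Pseudo HJT section of a DDS log into `triage()` to get the same checks over a real log; anything not matching the two patterns is ignored.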


 

#2 HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,549 posts

Posted 26 April 2014 - 03:55 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/531823 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 polskamachina

  • Malware Study Hall Senior
  • 3,834 posts
  • Gender:Male

Posted 26 April 2014 - 08:36 PM

Hi stefanbonnarens  :)

 

My name is polskamachina and I will be assisting you with your malware problems. Please give me some time to review your situation and I will get back to you with further instructions. In the meantime, can you please copy and paste your ComboFix log, located here -> C:\Combofix\combofix.txt, in your next reply to me?

 

Thanks for your patience.

 

polskamachina


Member of the Bleeping Computer A.I.I. early response team!

#4 stefanbonnarens

  • Topic Starter
  • Members
  • 14 posts

Posted 27 April 2014 - 07:03 AM

Hi Polskamachina

 

I found a combofix.txt under C:\ (not under c:\combofix). I hope this is OK for you:

 

ComboFix 14-04-20.01 - Stefano.Bonnarens 20/04/2014  21:53:56.1.4 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3055.2012 [GMT 2:00]
Running from: E:\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\1397975410.bdinstall.bin
c:\programdata\1397981845.bdinstall.bin
c:\programdata\1397981955.bdinstall.bin
c:\programdata\1397984326.bdinstall.bin
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-20 to 2014-04-20  )))))))))))))))))))))))))))))))
.
.
2014-04-20 19:04 . 2014-04-20 19:20 -------- d-----w- C:\usb folder
2014-04-20 19:00 . 2010-11-20 12:17 227328 ------w- C:\test.exe
2014-04-20 09:33 . 2014-04-20 19:46 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-20 09:33 . 2014-04-20 09:33 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-04-20 09:33 . 2014-04-03 07:51 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-20 09:33 . 2014-04-03 07:50 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-20 06:33 . 2014-04-20 06:35 -------- d-----w- c:\programdata\BDLogging
2014-04-20 06:33 . 2013-11-04 13:47 74512 ----a-w- c:\windows\system32\bdsandboxuiskin.dll
2014-04-20 06:33 . 2013-11-04 13:46 27168 ----a-w- c:\windows\system32\bdsandboxuh.dll
2014-04-20 06:33 . 2007-04-11 08:11 511328 ----a-w- c:\windows\capicom.dll
2014-04-20 06:30 . 2014-04-20 08:19 -------- d-----w- c:\programdata\Bitdefender
2014-04-20 06:30 . 2014-04-20 09:27 -------- d-----w- c:\program files\Bitdefender
2014-04-20 06:30 . 2014-04-20 08:19 -------- d-----w- c:\program files\Common Files\Bitdefender
2014-04-20 06:19 . 2014-04-20 06:19 -------- d-----w- c:\users\stefano.bonnarens\AppData\Roaming\QuickScan
2014-04-19 19:08 . 2014-04-19 19:08 -------- d-----w- c:\users\stefano.bonnarens\AppData\Roaming\AVG2014
2014-04-19 19:07 . 2014-04-19 19:07 -------- d-----w- c:\users\stefano.bonnarens\AppData\Roaming\TuneUp Software
2014-04-19 19:05 . 2014-04-20 06:07 -------- d-----w- c:\programdata\AVG2014
2014-04-19 19:05 . 2014-04-19 21:03 -------- d-----w- C:\$AVG
2014-04-19 19:04 . 2014-04-20 06:07 -------- d-----w- c:\programdata\MFAData
2014-04-19 19:04 . 2014-04-20 06:05 -------- d-----w- c:\users\stefano.bonnarens\AppData\Local\Avg2014
2014-04-19 19:04 . 2014-04-19 19:04 -------- d--h--w- c:\programdata\Common Files
2014-04-19 19:04 . 2014-04-19 19:04 -------- d-----w- c:\users\stefano.bonnarens\AppData\Local\MFAData
2014-04-17 19:16 . 2014-04-14 18:13 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-04-09 21:50 . 2014-04-09 21:50 -------- d-sh--w- c:\users\stefano.bonnarens\AppData\Local\EmieUserList
2014-04-09 21:50 . 2014-04-09 21:50 -------- d-sh--w- c:\users\stefano.bonnarens\AppData\Local\EmieSiteList
2014-04-08 21:22 . 2012-08-23 14:44 14848 ----a-w- c:\windows\system32\drivers\rdpvideominiport.sys
2014-04-08 21:22 . 2012-08-23 13:52 12800 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
2014-04-08 21:22 . 2012-08-23 14:48 221184 ----a-w- c:\windows\system32\rdpudd.dll
2014-04-08 21:22 . 2012-08-23 11:12 192000 ----a-w- c:\windows\system32\rdpendp_winip.dll
2014-04-08 21:22 . 2012-08-23 10:08 2739712 ----a-w- c:\windows\system32\rdpcorets.dll
2014-04-08 21:19 . 2013-10-02 00:32 12800 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-04-08 21:19 . 2013-10-01 23:45 32256 ----a-w- c:\windows\system32\TsUsbGDCoInstaller.dll
2014-04-08 21:19 . 2013-10-02 00:42 49152 ----a-w- c:\windows\system32\drivers\TsUsbFlt.sys
2014-04-08 21:19 . 2013-10-02 00:30 14336 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-04-08 21:19 . 2013-10-02 00:14 50176 ----a-w- c:\windows\system32\MsRdpWebAccess.dll
2014-04-08 21:19 . 2013-10-02 00:14 17920 ----a-w- c:\windows\system32\wksprtPS.dll
2014-04-08 21:19 . 2013-10-01 23:58 53248 ----a-w- c:\windows\system32\tsgqec.dll
2014-04-08 21:19 . 2013-10-01 23:08 855552 ----a-w- c:\windows\system32\rdvidcrl.dll
2014-04-08 21:19 . 2013-10-01 23:00 76288 ----a-w- c:\windows\system32\TSWbPrxy.exe
2014-04-08 21:19 . 2013-10-01 22:53 350208 ----a-w- c:\windows\system32\wksprt.exe
2014-04-08 21:19 . 2013-10-01 22:34 1068544 ----a-w- c:\windows\system32\mstsc.exe
2014-04-08 21:19 . 2013-10-01 20:55 5698048 ----a-w- c:\windows\system32\mstscax.dll
2014-04-08 21:11 . 2014-03-06 08:02 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-04-08 20:56 . 2014-03-17 08:16 7969936 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E52F9F9F-5F1A-4130-A344-578EF2C3CF2B}\mpengine.dll
2014-04-08 20:54 . 2013-09-25 01:57 792576 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-04-08 20:54 . 2014-02-04 02:07 149440 ----a-w- c:\windows\system32\drivers\storport.sys
2014-04-08 20:54 . 2014-02-04 02:07 234432 ----a-w- c:\windows\system32\drivers\msiscsi.sys
2014-04-08 20:54 . 2014-02-04 02:07 27072 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2014-04-08 20:54 . 2014-02-04 02:00 2048 ----a-w- c:\windows\system32\iologmsg.dll
2014-04-08 20:54 . 2012-05-04 09:59 514560 ----a-w- c:\windows\system32\qdvd.dll
2014-04-08 20:54 . 2014-01-29 02:07 96768 ----a-w- c:\windows\system32\drivers\UMDF\WUDFUsbccidDriver.dll
2014-04-08 20:54 . 2014-01-24 02:18 1212352 ----a-w- c:\windows\system32\drivers\ntfs.sys
2014-04-05 17:10 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\system32\DWrite.dll
2014-04-03 18:57 . 2014-04-03 18:58 -------- d-----w- c:\program files\McAfeeold2
2014-03-29 20:13 . 2009-10-08 21:45 380928 ----a-w- c:\windows\system32\aestecap.dll
2014-03-29 20:13 . 2010-09-07 23:05 495708 ----a-w- c:\windows\sttray.exe
2014-03-29 20:13 . 2010-09-07 23:05 1953792 ----a-w- c:\windows\system32\stlang.dll
2014-03-29 20:13 . 2010-09-07 23:05 12705884 ----a-w- c:\windows\system32\idtcpl.cpl
2014-03-29 20:13 . 2009-03-01 22:47 86016 ----a-w- c:\windows\system32\AESTCom.dll
2014-03-29 20:03 . 2010-01-25 23:28 140288 ----a-w- c:\windows\system32\aestacap.dll
2014-03-29 18:53 . 2014-04-20 19:28 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-03-29 18:52 . 2014-03-29 18:52 -------- d-----w- c:\programdata\Malwarebytes
2014-03-29 18:52 . 2014-03-29 18:52 -------- d-----w- c:\users\stefano.bonnarens\AppData\Local\Programs
2014-03-29 18:15 . 2014-03-29 18:15 -------- d-----w- c:\program files\CCleaner
2014-03-29 16:46 . 2014-03-26 19:24 204064 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2014-03-29 16:45 . 2014-03-26 19:23 104736 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2014-03-29 16:45 . 2014-03-29 16:45 -------- d-----w- c:\program files\Oracle
2014-03-26 19:23 . 2014-03-26 19:23 116512 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2014-03-26 19:23 . 2014-03-26 19:23 95520 ----a-w- c:\windows\system32\drivers\VBoxUSB.sys
2014-03-26 19:23 . 2014-03-26 19:23 126752 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2014-03-26 19:23 . 2014-03-26 19:23 174880 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
2014-03-24 21:37 . 2014-03-24 21:37 -------- d-----w- c:\windows\Migration
2014-03-24 21:29 . 2013-11-23 18:26 417792 ----a-w- c:\windows\system32\WMPhoto.dll
2014-03-24 21:29 . 2014-02-04 02:04 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-03-24 21:28 . 2013-12-24 23:09 1987584 ----a-w- c:\windows\system32\d3d10warp.dll
2014-03-24 21:28 . 2013-11-26 08:16 3419136 ----a-w- c:\windows\system32\d2d1.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-17 19:40 . 2012-04-01 20:08 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-04-17 19:40 . 2011-07-28 08:32 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-31 07:35 . 2011-01-20 14:07 231584 ------w- c:\windows\system32\MpSigStub.exe
2014-03-17 20:12 . 2014-03-17 20:12 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-03-17 20:12 . 2014-03-17 20:12 906240 ----a-w- c:\windows\system32\FntCache.dll
2014-03-17 20:12 . 2014-03-17 20:12 604160 ----a-w- c:\windows\system32\d3d10level9.dll
2014-03-17 20:12 . 2014-03-17 20:12 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2014-03-17 20:12 . 2014-03-17 20:12 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2014-03-17 20:12 . 2014-03-17 20:12 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2014-03-17 20:12 . 2014-03-17 20:12 364544 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2014-03-17 20:12 . 2014-03-17 20:12 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2014-03-17 20:12 . 2014-03-17 20:12 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2014-03-17 20:12 . 2014-03-17 20:12 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2014-03-17 20:12 . 2014-03-17 20:12 293376 ----a-w- c:\windows\system32\dxgi.dll
2014-03-17 20:12 . 2014-03-17 20:12 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2014-03-17 20:12 . 2014-03-17 20:12 249856 ----a-w- c:\windows\system32\d3d10_1core.dll
2014-03-17 20:12 . 2014-03-17 20:12 2284544 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2014-03-17 20:12 . 2014-03-17 20:12 220160 ----a-w- c:\windows\system32\d3d10core.dll
2014-03-17 20:12 . 2014-03-17 20:12 207872 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2014-03-17 20:12 . 2014-03-17 20:12 187392 ----a-w- c:\windows\system32\UIAnimation.dll
2014-03-17 20:12 . 2014-03-17 20:12 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2014-03-17 20:12 . 2014-03-17 20:12 1158144 ----a-w- c:\windows\system32\XpsPrint.dll
2014-03-17 20:12 . 2014-03-17 20:12 1080832 ----a-w- c:\windows\system32\d3d10.dll
2014-03-17 20:12 . 2014-03-17 20:12 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2014-02-07 01:07 . 2014-03-17 14:20 2349056 ----a-w- c:\windows\system32\win32k.sys
2014-02-04 02:04 . 2014-03-17 14:18 509440 ----a-w- c:\windows\system32\qedit.dll
2014-01-29 02:06 . 2014-03-17 14:17 381440 ----a-w- c:\windows\system32\wer.dll
2014-01-28 02:07 . 2014-03-17 14:18 185344 ----a-w- c:\windows\system32\wwansvc.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-04-05 11:58 223432 ----a-w- c:\users\stefano.bonnarens\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-04-05 11:58 223432 ----a-w- c:\users\stefano.bonnarens\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-04-05 11:58 223432 ----a-w- c:\users\stefano.bonnarens\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\CeDesktopIntegration]
@="{3CEC3E6D-ECF2-4B49-8A41-3B16DF8B9C3F}"
[HKEY_CLASSES_ROOT\CLSID\{3CEC3E6D-ECF2-4B49-8A41-3B16DF8B9C3F}]
2013-05-05 10:09 878624 ----a-w- c:\program files\McAfee\Endpoint Encryption for Files and Folders\MfeFfDesktopIntegration.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2013-04-22 720064]
"SkyDrive"="c:\users\stefano.bonnarens\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" [2014-04-05 257224]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2010-02-25 287800]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2010-03-03 111640]
"NUSB3MON"="c:\program files\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-11-20 106496]
"HPRAService"="c:\program files\RA2HP\HPRAService.exe" [2010-04-01 135168]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2013-04-10 5164712]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2012-07-27 380088]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2013-03-22 337440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"EpeFprTrainer"="c:\program files\McAfee\Endpoint Encryption\EpeFprTrainer.exe" [2013-04-05 2549792]
"MfeEpePcMonitor"="c:\program files\McAfee\Endpoint Encryption\EpePcMonitor.exe" [2013-04-05 272416]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-09-07 495708]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2013-09-05 2586912]
"MfeFfCore"="c:\program files\McAfee\Endpoint Encryption for Files and Folders\MfeFfCore.exe" [2013-05-05 354336]
.
c:\users\stefano.bonnarens\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft SharePoint Workspace.lnk - c:\program files\Microsoft Office\Office14\GROOVE.EXE /TrayOnly [2013-12-19 30814400]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2009-6-3 130600]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-9-4 795936]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2002-10-11 106560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Citrix\ICACLI~1\RSHook.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ   EpePcNp32 scecli
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall C:\Users
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall c:\users\stefano.bonnarens
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall c:\users\stefano.bonnarens\AppData
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall c:\users\stefano.bonnarens\AppData\Local
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall c:\users\stefano.bonnarens\AppData\Local\Microsoft
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall c:\users\stefano.bonnarens\AppData\Local\Microsoft\SkyDrive
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall c:\users\stefano.bonnarens\AppData\Local\Microsoft\SkyDrive\17.0.4029.0217]
rmdir [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rmcna]
2013-09-20 20:34 205473 ----a-w- c:\windows\rmcna\rmcna2.exe
.
R2 AfaService;Afa Card Reader Service;c:\windows\system32\afasrv32.exe [2012-12-17 65536]
R3 AESTAud;IDT AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [x]
R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\DRIVERS\aksbus.sys [2007-04-06 13647]
R3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [2007-04-06 27008]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\DRIVERS\akspcsc.sys [2007-04-06 10161]
R3 CpqDtct;CpqDtct;c:\windows\system32\Drivers\Cpqdtct.sys [2011-02-24 67016]
R3 HPKBCCID;HP Keyboard Smart Card Driver;c:\windows\system32\DRIVERS\HPKBCCID.sys [2012-03-05 48000]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-03-06 108032]
R3 MFE_RR;MFE_RR;c:\users\STEFAN~1.BON\AppData\Local\Temp\mfe_rr.sys [x]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-01-13 6755840]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys [2014-03-26 95520]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-07-27 1343400]
R3 xhc200w;xhc200w;c:\swsetup\SP48109\32\xhc200w.sys [2010-02-02 25232]
S0 MfeEEAlg;MfeEEAlg; [x]
S0 MfeEpeOpal;MfeEpeOpal; [x]
S0 MfeEpePc;MfeEpePc; [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2011-04-24 65584]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2014-03-26 204064]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2014-03-26 104736]
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 207400]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2009-03-01 81920]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-06-12 1164536]
S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2010-09-21 5236072]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2012-06-05 197536]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-13 26168]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-04-03 1809720]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-04-03 857912]
S2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe [2013-04-05 1865760]
S2 QDLService2kHP;Qualcomm Gobi 2000 Download Service (HP);c:\program files\QUALCOMM\QDLService2k\QDLService2kHP.exe [2010-10-21 332096]
S2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [2013-04-23 3574624]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-03 2320920]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-02-18 1664304]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-13 45736]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-02-25 227896]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2011-05-04 266408]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 125696]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-04-03 23256]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-04-20 107736]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-04-03 51416]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2010-10-18 7122944]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2009-11-20 58880]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2009-11-20 137728]
S3 qcfilterhp2k;HP un2420 Mobile Broadband Module USB Device Filter;c:\windows\system32\DRIVERS\qcfilterhp2k.sys [2010-10-21 5248]
S3 qcombushp;Gobi 2000 USB Composite Device Driver(03F0-251D);c:\windows\system32\DRIVERS\qcombushp.sys [2010-10-21 106184]
S3 qcusbnethp2k;Gobi 2000 USB-NDIS miniport(03F0-251D);c:\windows\system32\DRIVERS\qcusbnethp2k.sys [2010-10-21 374784]
S3 qcusbserhp2k;Gobi 2000 USB Device for Legacy Serial Communication(03F0-251D);c:\windows\system32\DRIVERS\qcusbserhp2k.sys [2010-10-21 190592]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismc32.sys [2009-07-20 49152]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2014-03-26 116512]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2014-03-26 126752]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 11:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-04-09 20:14 1077576 ----a-w- c:\program files\Google\Chrome\Application\34.0.1847.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 19:40]
.
2014-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-10 09:52]
.
2014-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-10 09:52]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 137.183.234.10:8080
uInternet Settings,ProxyOverride = *.hpcds.com;*.hpcds.net;*.hpcds.be;*.synstar.net;*.synstar.be;*.hpcds.net;*.autodiscover.hpcds.com;<local>
Trusted Zone: avaaz.org\secure
Trusted Zone: belgium.be\fas.services
Trusted Zone: hp.com
Trusted Zone: vimeo.com
FF - ProfilePath - c:\users\stefano.bonnarens\AppData\Roaming\Mozilla\Firefox\Profiles\lbn2h2uu.default\
FF - prefs.js: network.proxy.ftp - 10.40.40.180
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - 10.40.40.180
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.40.40.180
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 10.40.40.180
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 2
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-InstallerLauncher - c:\program files\Common Files\Bitdefender\SetupInformation\{6F57816A-791A-4159-A75F-CFD0C7EA4FBF}\setuplauncher.exe
HKU-Default-Run-Bitdefender Wallet Agent - c:\program files\Bitdefender\Bitdefender\pmbxag.exe
HKU-Default-Run-Bitdefender Wallet - c:\program files\Bitdefender\Bitdefender\pwdmanui.exe
HKU-Default-Run-Bitdefender Wallet Application Agent - c:\program files\Bitdefender\Bitdefender\bdapppassmgr.exe
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
.
.
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR 
kernel: MBR read successfully
user != kernel MBR !!! 
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(676)
c:\windows\system32\EpePcNp32.DLL
.
Completion time: 2014-04-20  22:32:13
ComboFix-quarantined-files.txt  2014-04-20 20:32
.
Pre-Run: 147,960,635,392 bytes free
Post-Run: 147,826,495,488 bytes free
.
- - End Of File - - 5CC93A7DF2C00301BE358F5B8A644E74
9D92E6F73154BF84DBD874EA21D5F0B3
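As an added example (not part of this thread and not ComboFix's own code), a small Python checker that reads the registry policy blocks from the "Reg Loading Points" section of a ComboFix log like the one above and flags the values a helper looks at first: DisableTaskMgr and DisableRegistryTools (the policies that disable Task Manager and Registry Editor), and EnableLUA / ConsentPromptBehaviorAdmin, which in the posted log show UAC switched off. The log excerpts and the check list are constructed for this example; the user-hive excerpt is hypothetical and not from the posted log.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed excerpt modelled on the ComboFix "Reg Loading Points" layout
# (values copied from the kind of block ComboFix prints; not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
"""

# Hypothetical per-user block: what a log looks like when Task Manager and
# Registry Editor have been disabled "by your administrator" via policy.
SAMPLE_LOG_TASKMGR = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
.
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")          # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')  # "Name"= raw value


def parse_reg_blocks(text: str) -> Dict[str, Dict[str, str]]:
    """Group '"Name"= value' lines under the [key] that precedes them.

    A line consisting of a single '.' (ComboFix's block separator) or a blank
    line ends the current key. Lines that are neither a key nor a quoted value
    (file listings, '@=' defaults) are ignored.
    """
    blocks: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.rstrip()
        if line == "." or not line:
            current = None
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()   # registry paths are case-insensitive
            blocks.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            blocks[current][m.group(1)] = m.group(2)
    return blocks


def dword_value(raw: str) -> Optional[int]:
    """Turn ComboFix's '0 (0x0)' or 'dword:00000001' forms into an int.

    String values (paths, CLSIDs) return None so they are never misread.
    """
    m = re.match(r"(-?\d+)\s*(?:\(0x[0-9a-fA-F]+\))?$", raw.strip())
    if m:
        return int(m.group(1))
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw.strip())
    if m:
        return int(m.group(1), 16)
    return None


# (key suffix, value name, predicate on the DWORD, description)
POLICY_CHECKS: List[tuple] = [
    ("policies\\system", "DisableTaskMgr", lambda v: v == 1, "Task Manager disabled by policy"),
    ("policies\\system", "DisableRegistryTools", lambda v: v == 1, "Registry Editor disabled by policy"),
    ("policies\\system", "EnableLUA", lambda v: v == 0, "UAC disabled"),
    ("policies\\system", "ConsentPromptBehaviorAdmin", lambda v: v == 0, "admins elevate without any prompt"),
    ("policies\\explorer", "HideSCAHealth", lambda v: v == 1, "Action Center security notifications hidden"),
]


def audit_policies(text: str) -> List[str]:
    """Return one finding per weakened policy value found in the log text."""
    findings: List[str] = []
    for key, values in parse_reg_blocks(text).items():
        hive = "HKCU" if key.startswith("hkey_current_user") else "HKLM"
        for suffix, name, is_bad, desc in POLICY_CHECKS:
            if not key.endswith(suffix):
                continue
            raw = values.get(name)
            if raw is None:
                continue
            v = dword_value(raw)
            if v is not None and is_bad(v):
                findings.append(f"{hive}\\...\\{suffix}: {name}={v}: {desc}")
    return findings


if __name__ == "__main__":
    for label, log in (("machine policies", SAMPLE_LOG), ("user policies", SAMPLE_LOG_TASKMGR)):
        print(f"== {label} ==")
        for finding in audit_policies(log) or ["no weakened policy values"]:
            print("  " + finding)
```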
#5 polskamachina

  • Malware Study Hall Senior
  • 3,834 posts
  • Gender:Male

Posted 29 April 2014 - 11:37 AM

Hi stefanbonnarens :)
 
I would like to officially welcome you to Bleeping Computer. What follows below are some ground rules for this forum.

I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know.

I am in California at GMT-7 Hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

Let's get started with the fixing:
 
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Right-click on TDSSKiller.exe and select Run As Administrator to run the tool for known TDSS variants. 
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Let me know if you have any questions.

polskamachina


Member of the Bleeping Computer A.I.I. early response team!
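A TDSSKiller log of the size this procedure produces is hard to check by eye, so here is an added example (not part of the thread and not TDSSKiller's own code) that picks out what a helper reads first: the scan sections, any entry whose status is not "ok", the detected-object counts, and the AV and firewall lines. It assumes the line layout seen in the logs pasted in this thread; the sample log, its "warning" entry and the all-zero hash are constructed.

```python
"""Triage a TDSSKiller text log: added example, not TDSSKiller's own code.

Assumes the line layout seen in the logs pasted in this thread:
    <hh:mm:ss.ffff> <0xTID>  <message>
with "=== Scan <area> ===" section headers, "<name> - <status>" entries and
"Detected object count: N" summaries after "Scan finished".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(0x[0-9A-Fa-f]+)\s*(.*)$")
SECTION_RE = re.compile(r"^=+ Scan (.+?) =+$")
ENTRY_RE = re.compile(r"^(.*?) - (\w+)$")
COUNT_RE = re.compile(r"^((?:Actual )?[Dd]etected object count): (\d+)$")


@dataclass
class Triage:
    scans: int = 0                     # "Scan started" markers seen
    entries: int = 0                   # "<name> - <status>" lines inside a section
    not_ok: List[Tuple[str, str, str]] = field(default_factory=list)  # (section, name, status)
    counts: List[Tuple[str, int]] = field(default_factory=list)       # detected-object counts, in order
    av: Optional[str] = None           # text after "AV detected via ...:"
    firewall: Optional[str] = None     # text after "Win FW state via ...:"
    unparsed: List[str] = field(default_factory=list)  # non-blank lines not in the expected layout


def triage_tdsskiller_log(text: str) -> Triage:
    """Walk the log once and collect what a helper looks at first."""
    t = Triage()
    section = None  # name of the current "Scan <area>" block, if any
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            t.unparsed.append(raw)
            continue
        msg = m.group(3).strip()
        if msg == "Scan started":
            t.scans += 1
            section = None
            continue
        if msg == "Scan finished":
            section = None
            continue
        sm = SECTION_RE.match(msg)
        if sm:
            section = sm.group(1).strip()
            continue
        cm = COUNT_RE.match(msg)
        if cm:
            t.counts.append((cm.group(1), int(cm.group(2))))
            continue
        if msg.startswith("AV detected via"):
            t.av = msg.split(":", 1)[1].strip()
            continue
        if msg.startswith("Win FW state via"):
            t.firewall = msg.split(":", 1)[1].strip()
            continue
        if section is None:
            continue  # banner, separator or SystemInfo line: nothing to grade
        em = ENTRY_RE.match(msg)
        if em:
            t.entries += 1
            name, status = em.group(1), em.group(2)
            if status.lower() != "ok":
                t.not_ok.append((section, name, status))
    return t


def summary_lines(t: Triage) -> List[str]:
    """Human-readable digest; the first line answers 'anything found?'."""
    found = max((n for _, n in t.counts), default=0)
    lines = [f"scans={t.scans} entries={t.entries} objects_detected={found}"]
    for section, name, status in t.not_ok:
        lines.append(f"ATTENTION [{section}] {name}: {status}")
    if t.av:
        lines.append(f"AV: {t.av}")
    if t.firewall:
        lines.append(f"Windows Firewall: {t.firewall}")
    if t.unparsed:
        lines.append(f"{len(t.unparsed)} line(s) not in the expected layout")
    return lines


# Constructed sample in the layout above (not a real scan); the "warning"
# entry, the all-zero hash and the last line are made up to exercise the
# not-ok and unparsed paths.
SAMPLE_LOG = r"""
22:11:52.0833 0x1f60  TDSS rootkit removing tool 3.0.0.34 Apr 29 2014 18:20:10
22:11:56.0039 0x1f60  OS Version: 6.1.7601 ServicePack: 1.0
22:12:04.0205 0x1ff4  ============================================================
22:12:04.0205 0x1ff4  Scan started
22:12:04.0205 0x1ff4  Mode: Manual;
22:12:08.0618 0x1ff4  ================ Scan system memory ========================
22:12:08.0618 0x1ff4  System memory - ok
22:12:08.0619 0x1ff4  ================ Scan services =============================
22:12:08.0803 0x1ff4  1394ohci - ok
22:12:09.0035 0x1ff4  ACPI - ok
22:12:09.0040 0x1ff4  examplesvc - warning
22:12:17.0145 0x1ff4  ================ Scan global ===============================
22:12:17.0249 0x1ff4  [ Global ] - ok
22:12:17.0252 0x1ff4  ================ Scan MBR ==================================
22:12:17.0274 0x1ff4  [ 00000000000000000000000000000000 ] \Device\Harddisk0\DR0
22:12:18.0177 0x1ff4  \Device\Harddisk0\DR0 - ok
22:12:19.0510 0x1ff4  AV detected via SS2: Microsoft Security Essentials, C:\Program Files\Microsoft Security Client\msseces.exe ( 4.5.216.0 ), 0x61000 ( enabled : updated )
22:12:19.0520 0x1ff4  Win FW state via NFP2: enabled
22:12:23.0824 0x1ff4  Scan finished
22:12:23.0838 0x1fec  Detected object count: 1
22:12:23.0838 0x1fec  Actual detected object count: 1
this line is not from TDSSKiller
"""

if __name__ == "__main__":
    print("\n".join(summary_lines(triage_tdsskiller_log(SAMPLE_LOG))))
```

Paste the whole log into a file and feed its text to `triage_tdsskiller_log` to get the same digest for a real scan.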

#6 stefanbonnarens
  • Topic Starter
  • Members
  • 14 posts

Posted 30 April 2014 - 03:14 PM

Hi polskamachina

First of all thank you very much for your help and apologies for the late reply.
This is the log file:

22:11:52.0833 0x1f60  TDSS rootkit removing tool 3.0.0.34 Apr 29 2014 18:20:10
22:11:56.0038 0x1f60  ============================================================
22:11:56.0039 0x1f60  Current date / time: 2014/04/30 22:11:56.0038
22:11:56.0039 0x1f60  SystemInfo:
22:11:56.0039 0x1f60  
22:11:56.0039 0x1f60  OS Version: 6.1.7601 ServicePack: 1.0
22:11:56.0039 0x1f60  Product type: Workstation
22:11:56.0039 0x1f60  ComputerName: CND137H0MY-LT
22:11:56.0040 0x1f60  UserName: Stefano.Bonnarens
22:11:56.0040 0x1f60  Windows directory: C:\Windows
22:11:56.0040 0x1f60  System windows directory: C:\Windows
22:11:56.0040 0x1f60  Processor architecture: Intel x86
22:11:56.0040 0x1f60  Number of processors: 4
22:11:56.0040 0x1f60  Page size: 0x1000
22:11:56.0040 0x1f60  Boot type: Normal boot
22:11:56.0040 0x1f60  ============================================================
22:12:00.0296 0x1f60  KLMD registered as C:\Windows\system32\drivers\09923181.sys
22:12:00.0958 0x1f60  System UUID: {68779BE1-DCF8-2F2D-35B4-6548C2027CC3}
22:12:01.0624 0x1f60  Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
22:12:01.0626 0x1f60  ============================================================
22:12:01.0626 0x1f60  \Device\Harddisk0\DR0:
22:12:01.0627 0x1f60  MBR partitions:
22:12:01.0627 0x1f60  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x2734B
22:12:01.0627 0x1f60  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x2738A, BlocksNum 0x1D19D1F7
22:12:01.0627 0x1f60  ============================================================
22:12:01.0638 0x1f60  Initialize success
22:12:01.0638 0x1f60  ============================================================
22:12:04.0205 0x1ff4  ============================================================
22:12:04.0205 0x1ff4  Scan started
22:12:04.0205 0x1ff4  Mode: Manual; 
22:12:04.0205 0x1ff4  ============================================================
22:12:04.0205 0x1ff4  KSN ping started
22:12:07.0890 0x1ff4  KSN ping finished: true
22:12:08.0618 0x1ff4  ================ Scan system memory ========================
22:12:08.0618 0x1ff4  System memory - ok
22:12:08.0619 0x1ff4  ================ Scan services =============================
22:12:08.0803 0x1ff4  1394ohci - ok
22:12:08.0940 0x1ff4  ac.sharedstore - ok
22:12:09.0024 0x1ff4  Accelerometer - ok
22:12:09.0035 0x1ff4  ACPI - ok
22:12:09.0058 0x1ff4  AcpiPmi - ok
22:12:09.0132 0x1ff4  AdobeARMservice - ok
22:12:09.0158 0x1ff4  AdobeFlashPlayerUpdateSvc - ok
22:12:09.0167 0x1ff4  adp94xx - ok
22:12:09.0171 0x1ff4  adpahci - ok
22:12:09.0175 0x1ff4  adpu320 - ok
22:12:09.0181 0x1ff4  AeLookupSvc - ok
22:12:09.0215 0x1ff4  AESTAud - ok
22:12:09.0233 0x1ff4  AESTFilters - ok
22:12:09.0348 0x1ff4  AfaService - ok
22:12:09.0403 0x1ff4  AFD - ok
22:12:09.0426 0x1ff4  AgereModemAudio - ok
22:12:09.0434 0x1ff4  AgereSoftModem - ok
22:12:09.0439 0x1ff4  agp440 - ok
22:12:09.0442 0x1ff4  aic78xx - ok
22:12:09.0555 0x1ff4  aksbus - ok
22:12:09.0655 0x1ff4  AKSIM - ok
22:12:09.0663 0x1ff4  akspcsc - ok
22:12:09.0672 0x1ff4  ALG - ok
22:12:09.0697 0x1ff4  aliide - ok
22:12:09.0702 0x1ff4  amdagp - ok
22:12:09.0706 0x1ff4  amdide - ok
22:12:09.0710 0x1ff4  AmdK8 - ok
22:12:09.0714 0x1ff4  AmdPPM - ok
22:12:09.0718 0x1ff4  amdsata - ok
22:12:09.0723 0x1ff4  amdsbs - ok
22:12:09.0727 0x1ff4  amdxata - ok
22:12:09.0732 0x1ff4  AppID - ok
22:12:09.0738 0x1ff4  AppIDSvc - ok
22:12:09.0742 0x1ff4  Appinfo - ok
22:12:09.0769 0x1ff4  AppMgmt - ok
22:12:09.0773 0x1ff4  arc - ok
22:12:09.0776 0x1ff4  arcsas - ok
22:12:09.0797 0x1ff4  aspnet_state - ok
22:12:09.0883 0x1ff4  AsyncMac - ok
22:12:09.0890 0x1ff4  atapi - ok
22:12:09.0896 0x1ff4  ATService - ok
22:12:09.0920 0x1ff4  AudioEndpointBuilder - ok
22:12:09.0925 0x1ff4  Audiosrv - ok
22:12:09.0941 0x1ff4  AxInstSV - ok
22:12:09.0944 0x1ff4  b06bdrv - ok
22:12:09.0948 0x1ff4  b57nd60x - ok
22:12:09.0994 0x1ff4  BBSvc - ok
22:12:10.0077 0x1ff4  BBUpdate - ok
22:12:10.0087 0x1ff4  BDESVC - ok
22:12:10.0116 0x1ff4  Beep - ok
22:12:10.0125 0x1ff4  BFE - ok
22:12:10.0171 0x1ff4  BingDesktopUpdate - ok
22:12:10.0429 0x1ff4  BITS - ok
22:12:10.0555 0x1ff4  blbdrive - ok
22:12:10.0588 0x1ff4  bowser - ok
22:12:10.0593 0x1ff4  BrFiltLo - ok
22:12:10.0598 0x1ff4  BrFiltUp - ok
22:12:10.0698 0x1ff4  BridgeMP - ok
22:12:10.0710 0x1ff4  Browser - ok
22:12:10.0718 0x1ff4  Brserid - ok
22:12:10.0727 0x1ff4  BrSerWdm - ok
22:12:10.0732 0x1ff4  BrUsbMdm - ok
22:12:10.0737 0x1ff4  BrUsbSer - ok
22:12:10.0784 0x1ff4  BthEnum - ok
22:12:10.0789 0x1ff4  BTHMODEM - ok
22:12:10.0794 0x1ff4  BthPan - ok
22:12:10.0813 0x1ff4  BTHPORT - ok
22:12:10.0820 0x1ff4  bthserv - ok
22:12:10.0848 0x1ff4  BTHUSB - ok
22:12:10.0882 0x1ff4  btusbflt - ok
22:12:10.0904 0x1ff4  catchme - ok
22:12:10.0924 0x1ff4  cdfs - ok
22:12:10.0929 0x1ff4  cdrom - ok
22:12:10.0936 0x1ff4  CertPropSvc - ok
22:12:10.0941 0x1ff4  circlass - ok
22:12:10.0947 0x1ff4  CLFS - ok
22:12:10.0973 0x1ff4  clr_optimization_v2.0.50727_32 - ok
22:12:11.0047 0x1ff4  clr_optimization_v4.0.30319_32 - ok
22:12:11.0053 0x1ff4  CmBatt - ok
22:12:11.0058 0x1ff4  cmdide - ok
22:12:11.0064 0x1ff4  CNG - ok
22:12:11.0070 0x1ff4  Com4QLBEx - ok
22:12:11.0075 0x1ff4  Compbatt - ok
22:12:11.0097 0x1ff4  CompositeBus - ok
22:12:11.0102 0x1ff4  COMSysApp - ok
22:12:11.0149 0x1ff4  CpqDtct - ok
22:12:11.0157 0x1ff4  crcdisk - ok
22:12:11.0170 0x1ff4  CryptSvc - ok
22:12:11.0199 0x1ff4  CSC - ok
22:12:11.0204 0x1ff4  CscService - ok
22:12:11.0232 0x1ff4  ctxusbm - ok
22:12:11.0284 0x1ff4  CVirtA - ok
22:12:11.0290 0x1ff4  CVPND - ok
22:12:11.0295 0x1ff4  CVPNDRVA - ok
22:12:11.0303 0x1ff4  DcomLaunch - ok
22:12:11.0307 0x1ff4  defragsvc - ok
22:12:11.0312 0x1ff4  DfsC - ok
22:12:11.0318 0x1ff4  Dhcp - ok
22:12:11.0322 0x1ff4  discache - ok
22:12:11.0326 0x1ff4  Disk - ok
22:12:11.0341 0x1ff4  DisplayLinkService - ok
22:12:11.0366 0x1ff4  DNE - ok
22:12:11.0373 0x1ff4  Dnscache - ok
22:12:11.0378 0x1ff4  dot3svc - ok
22:12:11.0383 0x1ff4  DPS - ok
22:12:11.0387 0x1ff4  drmkaud - ok
22:12:11.0392 0x1ff4  DXGKrnl - ok
22:12:11.0402 0x1ff4  e1kexpress - ok
22:12:11.0440 0x1ff4  EapHost - ok
22:12:11.0447 0x1ff4  ebdrv - ok
22:12:11.0454 0x1ff4  EFS - ok
22:12:11.0459 0x1ff4  ehRecvr - ok
22:12:11.0478 0x1ff4  ehSched - ok
22:12:11.0483 0x1ff4  elxstor - ok
22:12:11.0487 0x1ff4  ErrDev - ok
22:12:11.0533 0x1ff4  EventSystem - ok
22:12:11.0538 0x1ff4  exfat - ok
22:12:11.0542 0x1ff4  fastfat - ok
22:12:11.0546 0x1ff4  Fax - ok
22:12:11.0550 0x1ff4  fdc - ok
22:12:11.0556 0x1ff4  fdPHost - ok
22:12:11.0562 0x1ff4  FDResPub - ok
22:12:11.0589 0x1ff4  FileInfo - ok
22:12:11.0594 0x1ff4  Filetrace - ok
22:12:11.0599 0x1ff4  flpydisk - ok
22:12:11.0604 0x1ff4  FltMgr - ok
22:12:11.0609 0x1ff4  FontCache - ok
22:12:11.0613 0x1ff4  FontCache3.0.0.0 - ok
22:12:11.0618 0x1ff4  FsDepends - ok
22:12:11.0622 0x1ff4  Fs_Rec - ok
22:12:11.0634 0x1ff4  fvevol - ok
22:12:11.0638 0x1ff4  gagp30kx - ok
22:12:11.0644 0x1ff4  gpsvc - ok
22:12:11.0701 0x1ff4  gupdate - ok
22:12:11.0736 0x1ff4  gupdatem - ok
22:12:11.0846 0x1ff4  gusvc - ok
22:12:11.0855 0x1ff4  hcw85cir - ok
22:12:11.0864 0x1ff4  HdAudAddService - ok
22:12:11.0883 0x1ff4  HDAudBus - ok
22:12:11.0888 0x1ff4  HECI - ok
22:12:11.0892 0x1ff4  HidBatt - ok
22:12:11.0896 0x1ff4  HidBth - ok
22:12:11.0900 0x1ff4  HidIr - ok
22:12:11.0906 0x1ff4  hidserv - ok
22:12:11.0911 0x1ff4  HidUsb - ok
22:12:11.0916 0x1ff4  hkmsvc - ok
22:12:11.0922 0x1ff4  HomeGroupListener - ok
22:12:11.0927 0x1ff4  HomeGroupProvider - ok
22:12:11.0931 0x1ff4  HPDrvMntSvc.exe - ok
22:12:11.0985 0x1ff4  hpdskflt - ok
22:12:12.0079 0x1ff4  HPKBCCID - ok
22:12:12.0090 0x1ff4  HpqKbFiltr - ok
22:12:12.0100 0x1ff4  hpqwmiex - ok
22:12:12.0109 0x1ff4  HpSAMD - ok
22:12:12.0115 0x1ff4  hpsrv - ok
22:12:12.0121 0x1ff4  HTTP - ok
22:12:12.0127 0x1ff4  hwpolicy - ok
22:12:12.0132 0x1ff4  i8042prt - ok
22:12:12.0138 0x1ff4  iaStorV - ok
22:12:12.0144 0x1ff4  IDriverT - ok
22:12:12.0152 0x1ff4  idsvc - ok
22:12:12.0322 0x1ff4  IEEtwCollectorService - ok
22:12:12.0331 0x1ff4  iirsp - ok
22:12:12.0345 0x1ff4  IKEEXT - ok
22:12:12.0432 0x1ff4  Impcd - ok
22:12:12.0444 0x1ff4  intelide - ok
22:12:12.0453 0x1ff4  intelppm - ok
22:12:12.0464 0x1ff4  IPBusEnum - ok
22:12:12.0471 0x1ff4  IpFilterDriver - ok
22:12:12.0477 0x1ff4  iphlpsvc - ok
22:12:12.0481 0x1ff4  IPMIDRV - ok
22:12:12.0495 0x1ff4  IPNAT - ok
22:12:12.0499 0x1ff4  IRENUM - ok
22:12:12.0503 0x1ff4  isapnp - ok
22:12:12.0507 0x1ff4  iScsiPrt - ok
22:12:12.0540 0x1ff4  kbdclass - ok
22:12:12.0567 0x1ff4  kbdhid - ok
22:12:12.0585 0x1ff4  KeyIso - ok
22:12:12.0594 0x1ff4  KSecDD - ok
22:12:12.0627 0x1ff4  KSecPkg - ok
22:12:12.0638 0x1ff4  KtmRm - ok
22:12:12.0695 0x1ff4  LanmanServer - ok
22:12:12.0708 0x1ff4  LanmanWorkstation - ok
22:12:12.0740 0x1ff4  LightScribeService - ok
22:12:12.0749 0x1ff4  lltdio - ok
22:12:12.0760 0x1ff4  lltdsvc - ok
22:12:12.0769 0x1ff4  lmhosts - ok
22:12:12.0774 0x1ff4  LMS - ok
22:12:12.0780 0x1ff4  LSI_FC - ok
22:12:12.0791 0x1ff4  LSI_SAS - ok
22:12:12.0796 0x1ff4  LSI_SAS2 - ok
22:12:12.0800 0x1ff4  LSI_SCSI - ok
22:12:12.0816 0x1ff4  luafv - ok
22:12:12.0827 0x1ff4  MBAMSwissArmy - ok
22:12:12.0940 0x1ff4  McAfee Endpoint Encryption Agent - ok
22:12:13.0005 0x1ff4  McAfeeFramework - ok
22:12:13.0017 0x1ff4  Mcx2Svc - ok
22:12:13.0027 0x1ff4  megasas - ok
22:12:13.0036 0x1ff4  MegaSR - ok
22:12:13.0057 0x1ff4  MfeEEAlg - ok
22:12:13.0062 0x1ff4  MfeEpeOpal - ok
22:12:13.0081 0x1ff4  MfeEpePc - ok
22:12:13.0128 0x1ff4  MFE_RR - ok
22:12:13.0179 0x1ff4  Microsoft SharePoint Workspace Audit Service - ok
22:12:13.0185 0x1ff4  MMCSS - ok
22:12:13.0190 0x1ff4  Modem - ok
22:12:13.0195 0x1ff4  monitor - ok
22:12:13.0200 0x1ff4  mouclass - ok
22:12:13.0205 0x1ff4  mouhid - ok
22:12:13.0210 0x1ff4  mountmgr - ok
22:12:13.0289 0x1ff4  MozillaMaintenance - ok
22:12:13.0328 0x1ff4  MpFilter - ok
22:12:13.0335 0x1ff4  mpio - ok
22:12:13.0343 0x1ff4  mpsdrv - ok
22:12:13.0352 0x1ff4  MpsSvc - ok
22:12:13.0360 0x1ff4  MRxDAV - ok
22:12:13.0367 0x1ff4  mrxsmb - ok
22:12:13.0374 0x1ff4  mrxsmb10 - ok
22:12:13.0380 0x1ff4  mrxsmb20 - ok
22:12:13.0385 0x1ff4  msahci - ok
22:12:13.0391 0x1ff4  msdsm - ok
22:12:13.0396 0x1ff4  MSDTC - ok
22:12:13.0412 0x1ff4  Msfs - ok
22:12:13.0416 0x1ff4  mshidkmdf - ok
22:12:13.0423 0x1ff4  msisadrv - ok
22:12:13.0428 0x1ff4  MSiSCSI - ok
22:12:13.0432 0x1ff4  msiserver - ok
22:12:13.0437 0x1ff4  MSKSSRV - ok
22:12:13.0486 0x1ff4  MsMpSvc - ok
22:12:13.0495 0x1ff4  MSPCLOCK - ok
22:12:13.0506 0x1ff4  MSPQM - ok
22:12:13.0516 0x1ff4  MsRPC - ok
22:12:13.0526 0x1ff4  mssmbios - ok
22:12:13.0533 0x1ff4  MSTEE - ok
22:12:13.0540 0x1ff4  MTConfig - ok
22:12:13.0548 0x1ff4  Mup - ok
22:12:13.0556 0x1ff4  napagent - ok
22:12:13.0580 0x1ff4  NativeWifiP - ok
22:12:13.0587 0x1ff4  NDIS - ok
22:12:13.0592 0x1ff4  NdisCap - ok
22:12:13.0597 0x1ff4  NdisTapi - ok
22:12:13.0602 0x1ff4  Ndisuio - ok
22:12:13.0607 0x1ff4  NdisWan - ok
22:12:13.0613 0x1ff4  NDProxy - ok
22:12:13.0657 0x1ff4  Net Driver HPZ12 - ok
22:12:13.0663 0x1ff4  NetBIOS - ok
22:12:13.0694 0x1ff4  NetBT - ok
22:12:13.0713 0x1ff4  Netlogon - ok
22:12:13.0728 0x1ff4  Netman - ok
22:12:13.0746 0x1ff4  NetMsmqActivator - ok
22:12:13.0754 0x1ff4  NetPipeActivator - ok
22:12:13.0762 0x1ff4  netprofm - ok
22:12:13.0768 0x1ff4  NetTcpActivator - ok
22:12:13.0776 0x1ff4  NetTcpPortSharing - ok
22:12:13.0793 0x1ff4  NETw5s32 - ok
22:12:13.0814 0x1ff4  NETwNs32 - ok
22:12:13.0819 0x1ff4  nfrd960 - ok
22:12:13.0866 0x1ff4  NisDrv - ok
22:12:13.0872 0x1ff4  NisSrv - ok
22:12:13.0879 0x1ff4  NlaSvc - ok
22:12:13.0918 0x1ff4  Npfs - ok
22:12:13.0929 0x1ff4  nsi - ok
22:12:13.0939 0x1ff4  nsiproxy - ok
22:12:13.0954 0x1ff4  Ntfs - ok
22:12:13.0964 0x1ff4  Null - ok
22:12:14.0004 0x1ff4  nusb3hub - ok
22:12:14.0011 0x1ff4  nusb3xhc - ok
22:12:14.0021 0x1ff4  NVHDA - ok
22:12:14.0029 0x1ff4  nvlddmkm - ok
22:12:14.0037 0x1ff4  nvraid - ok
22:12:14.0043 0x1ff4  nvstor - ok
22:12:14.0092 0x1ff4  nvsvc - ok
22:12:14.0156 0x1ff4  nv_agp - ok
22:12:14.0161 0x1ff4  ohci1394 - ok
22:12:14.0237 0x1ff4  ose - ok
22:12:14.0264 0x1ff4  osppsvc - ok
22:12:14.0272 0x1ff4  p2pimsvc - ok
22:12:14.0277 0x1ff4  p2psvc - ok
22:12:14.0282 0x1ff4  Parport - ok
22:12:14.0288 0x1ff4  partmgr - ok
22:12:14.0293 0x1ff4  Parvdm - ok
22:12:14.0299 0x1ff4  PcaSvc - ok
22:12:14.0303 0x1ff4  pci - ok
22:12:14.0308 0x1ff4  pciide - ok
22:12:14.0312 0x1ff4  pcmcia - ok
22:12:14.0317 0x1ff4  pcw - ok
22:12:14.0322 0x1ff4  PEAUTH - ok
22:12:14.0328 0x1ff4  PeerDistSvc - ok
22:12:14.0345 0x1ff4  pla - ok
22:12:14.0352 0x1ff4  PlugPlay - ok
22:12:14.0398 0x1ff4  Pml Driver HPZ12 - ok
22:12:14.0412 0x1ff4  PNRPAutoReg - ok
22:12:14.0426 0x1ff4  PNRPsvc - ok
22:12:14.0460 0x1ff4  PolicyAgent - ok
22:12:14.0478 0x1ff4  Power - ok
22:12:14.0485 0x1ff4  PptpMiniport - ok
22:12:14.0493 0x1ff4  Processor - ok
22:12:14.0503 0x1ff4  ProfSvc - ok
22:12:14.0510 0x1ff4  ProtectedStorage - ok
22:12:14.0515 0x1ff4  Psched - ok
22:12:14.0542 0x1ff4  PxHelp20 - ok
22:12:14.0549 0x1ff4  qcfilterhp2k - ok
22:12:14.0554 0x1ff4  qcombushp - ok
22:12:14.0588 0x1ff4  qcusbnethp2k - ok
22:12:14.0593 0x1ff4  qcusbserhp2k - ok
22:12:14.0599 0x1ff4  QDLService2kHP - ok
22:12:14.0604 0x1ff4  ql2300 - ok
22:12:14.0609 0x1ff4  ql40xx - ok
22:12:14.0617 0x1ff4  QWAVE - ok
22:12:14.0623 0x1ff4  QWAVEdrv - ok
22:12:14.0629 0x1ff4  RasAcd - ok
22:12:14.0635 0x1ff4  RasAgileVpn - ok
22:12:14.0641 0x1ff4  RasAuto - ok
22:12:14.0650 0x1ff4  Rasl2tp - ok
22:12:14.0662 0x1ff4  RasMan - ok
22:12:14.0667 0x1ff4  RasPppoe - ok
22:12:14.0673 0x1ff4  RasSstp - ok
22:12:14.0679 0x1ff4  rdbss - ok
22:12:14.0684 0x1ff4  rdpbus - ok
22:12:14.0691 0x1ff4  RDPCDD - ok
22:12:14.0699 0x1ff4  RDPDR - ok
22:12:14.0704 0x1ff4  RDPENCDD - ok
22:12:14.0712 0x1ff4  RDPREFMP - ok
22:12:14.0734 0x1ff4  RdpVideoMiniport - ok
22:12:14.0739 0x1ff4  RDPWD - ok
22:12:14.0745 0x1ff4  rdyboost - ok
22:12:14.0751 0x1ff4  RemoteAccess - ok
22:12:14.0758 0x1ff4  RemoteRegistry - ok
22:12:14.0774 0x1ff4  RFCOMM - ok
22:12:14.0818 0x1ff4  rimmptsk - ok
22:12:14.0828 0x1ff4  rimsptsk - ok
22:12:14.0839 0x1ff4  rismc32 - ok
22:12:14.0846 0x1ff4  rismxdp - ok
22:12:14.0862 0x1ff4  RoxMediaDB9 - ok
22:12:14.0872 0x1ff4  RpcEptMapper - ok
22:12:14.0878 0x1ff4  RpcLocator - ok
22:12:14.0885 0x1ff4  RpcSs - ok
22:12:14.0890 0x1ff4  rspndr - ok
22:12:14.0896 0x1ff4  s3cap - ok
22:12:14.0902 0x1ff4  SamSs - ok
22:12:14.0906 0x1ff4  sbp2port - ok
22:12:14.0912 0x1ff4  SCardSvr - ok
22:12:14.0917 0x1ff4  scfilter - ok
22:12:14.0923 0x1ff4  Schedule - ok
22:12:14.0929 0x1ff4  SCPolicySvc - ok
22:12:14.0933 0x1ff4  sdbus - ok
22:12:14.0939 0x1ff4  SDRSVC - ok
22:12:14.0944 0x1ff4  secdrv - ok
22:12:14.0949 0x1ff4  seclogon - ok
22:12:14.0955 0x1ff4  SENS - ok
22:12:14.0961 0x1ff4  SensrSvc - ok
22:12:14.0966 0x1ff4  Serenum - ok
22:12:14.0985 0x1ff4  Serial - ok
22:12:14.0992 0x1ff4  sermouse - ok
22:12:15.0007 0x1ff4  SessionEnv - ok
22:12:15.0012 0x1ff4  sffdisk - ok
22:12:15.0016 0x1ff4  sffp_mmc - ok
22:12:15.0022 0x1ff4  sffp_sd - ok
22:12:15.0027 0x1ff4  sfloppy - ok
22:12:15.0081 0x1ff4  SharedAccess - ok
22:12:15.0097 0x1ff4  ShellHWDetection - ok
22:12:15.0103 0x1ff4  sisagp - ok
22:12:15.0109 0x1ff4  SiSRaid2 - ok
22:12:15.0123 0x1ff4  SiSRaid4 - ok
22:12:15.0128 0x1ff4  Smb - ok
22:12:15.0156 0x1ff4  SNMPTRAP - ok
22:12:15.0162 0x1ff4  SNP2UVC - ok
22:12:15.0167 0x1ff4  spldr - ok
22:12:15.0173 0x1ff4  Spooler - ok
22:12:15.0178 0x1ff4  sppsvc - ok
22:12:15.0191 0x1ff4  sppuinotify - ok
22:12:15.0205 0x1ff4  srv - ok
22:12:15.0212 0x1ff4  srv2 - ok
22:12:15.0217 0x1ff4  srvnet - ok
22:12:15.0242 0x1ff4  SSDPSRV - ok
22:12:15.0283 0x1ff4  SstpSvc - ok
22:12:15.0289 0x1ff4  STacSV - ok
22:12:15.0295 0x1ff4  stexstor - ok
22:12:15.0301 0x1ff4  STHDA - ok
22:12:15.0325 0x1ff4  StiSvc - ok
22:12:15.0332 0x1ff4  stllssvr - ok
22:12:15.0339 0x1ff4  storflt - ok
22:12:15.0345 0x1ff4  StorSvc - ok
22:12:15.0396 0x1ff4  storvsc - ok
22:12:15.0411 0x1ff4  swenum - ok
22:12:15.0421 0x1ff4  swprv - ok
22:12:15.0432 0x1ff4  SynTP - ok
22:12:15.0442 0x1ff4  SysMain - ok
22:12:15.0449 0x1ff4  TabletInputService - ok
22:12:15.0455 0x1ff4  TapiSrv - ok
22:12:15.0461 0x1ff4  TBS - ok
22:12:15.0468 0x1ff4  Tcpip - ok
22:12:15.0473 0x1ff4  TCPIP6 - ok
22:12:15.0518 0x1ff4  tcpipreg - ok
22:12:15.0527 0x1ff4  TDPIPE - ok
22:12:15.0533 0x1ff4  TDTCP - ok
22:12:15.0540 0x1ff4  tdx - ok
22:12:15.0634 0x1ff4  TeamViewer8 - ok
22:12:15.0648 0x1ff4  TermDD - ok
22:12:15.0661 0x1ff4  TermService - ok
22:12:15.0673 0x1ff4  Themes - ok
22:12:15.0686 0x1ff4  THREADORDER - ok
22:12:15.0696 0x1ff4  TPM - ok
22:12:15.0710 0x1ff4  TrkWks - ok
22:12:15.0744 0x1ff4  TrustedInstaller - ok
22:12:15.0752 0x1ff4  tssecsrv - ok
22:12:15.0778 0x1ff4  TsUsbFlt - ok
22:12:15.0797 0x1ff4  tunnel - ok
22:12:15.0804 0x1ff4  uagp35 - ok
22:12:15.0811 0x1ff4  udfs - ok
22:12:15.0822 0x1ff4  UI0Detect - ok
22:12:15.0828 0x1ff4  uliagpkx - ok
22:12:15.0833 0x1ff4  umbus - ok
22:12:15.0857 0x1ff4  UmPass - ok
22:12:15.0873 0x1ff4  UmRdpService - ok
22:12:15.0879 0x1ff4  UNS - ok
22:12:15.0887 0x1ff4  upnphost - ok
22:12:15.0984 0x1ff4  usbaudio - ok
22:12:16.0015 0x1ff4  usbccgp - ok
22:12:16.0026 0x1ff4  usbcir - ok
22:12:16.0056 0x1ff4  usbehci - ok
22:12:16.0064 0x1ff4  usbhub - ok
22:12:16.0099 0x1ff4  usbohci - ok
22:12:16.0117 0x1ff4  usbprint - ok
22:12:16.0126 0x1ff4  USBSTOR - ok
22:12:16.0135 0x1ff4  usbuhci - ok
22:12:16.0146 0x1ff4  usbvideo - ok
22:12:16.0220 0x1ff4  usb_rndisx - ok
22:12:16.0236 0x1ff4  UxSms - ok
22:12:16.0249 0x1ff4  VaultSvc - ok
22:12:16.0262 0x1ff4  VBoxDrv - ok
22:12:16.0332 0x1ff4  VBoxNetAdp - ok
22:12:16.0345 0x1ff4  VBoxNetFlt - ok
22:12:16.0365 0x1ff4  VBoxUSB - ok
22:12:16.0381 0x1ff4  VBoxUSBMon - ok
22:12:16.0405 0x1ff4  vcsFPService - ok
22:12:16.0424 0x1ff4  vdrvroot - ok
22:12:16.0431 0x1ff4  vds - ok
22:12:16.0437 0x1ff4  vga - ok
22:12:16.0443 0x1ff4  VgaSave - ok
22:12:16.0451 0x1ff4  vhdmp - ok
22:12:16.0455 0x1ff4  viaagp - ok
22:12:16.0461 0x1ff4  ViaC7 - ok
22:12:16.0467 0x1ff4  viaide - ok
22:12:16.0474 0x1ff4  vmbus - ok
22:12:16.0495 0x1ff4  VMBusHID - ok
22:12:16.0502 0x1ff4  volmgr - ok
22:12:16.0509 0x1ff4  volmgrx - ok
22:12:16.0515 0x1ff4  volsnap - ok
22:12:16.0522 0x1ff4  vpcbus - ok
22:12:16.0529 0x1ff4  vpcnfltr - ok
22:12:16.0558 0x1ff4  vpcusb - ok
22:12:16.0565 0x1ff4  vpcvmm - ok
22:12:16.0572 0x1ff4  vsmraid - ok
22:12:16.0579 0x1ff4  VSS - ok
22:12:16.0586 0x1ff4  vwifibus - ok
22:12:16.0593 0x1ff4  vwififlt - ok
22:12:16.0600 0x1ff4  vwifimp - ok
22:12:16.0607 0x1ff4  W32Time - ok
22:12:16.0617 0x1ff4  WacomPen - ok
22:12:16.0623 0x1ff4  WANARP - ok
22:12:16.0630 0x1ff4  Wanarpv6 - ok
22:12:16.0637 0x1ff4  WatAdminSvc - ok
22:12:16.0645 0x1ff4  wbengine - ok
22:12:16.0652 0x1ff4  WbioSrvc - ok
22:12:16.0659 0x1ff4  wcncsvc - ok
22:12:16.0665 0x1ff4  WcsPlugInService - ok
22:12:16.0672 0x1ff4  Wd - ok
22:12:16.0678 0x1ff4  Wdf01000 - ok
22:12:16.0684 0x1ff4  WdiServiceHost - ok
22:12:16.0690 0x1ff4  WdiSystemHost - ok
22:12:16.0697 0x1ff4  WebClient - ok
22:12:16.0703 0x1ff4  Wecsvc - ok
22:12:16.0709 0x1ff4  wercplsupport - ok
22:12:16.0715 0x1ff4  WerSvc - ok
22:12:16.0721 0x1ff4  WfpLwf - ok
22:12:16.0727 0x1ff4  WIMMount - ok
22:12:16.0751 0x1ff4  WinDefend - ok
22:12:16.0775 0x1ff4  WinHttpAutoProxySvc - ok
22:12:16.0783 0x1ff4  Winmgmt - ok
22:12:16.0790 0x1ff4  WinRM - ok
22:12:16.0814 0x1ff4  WinUSB - ok
22:12:16.0824 0x1ff4  Wlansvc - ok
22:12:16.0831 0x1ff4  WmiAcpi - ok
22:12:16.0842 0x1ff4  wmiApSrv - ok
22:12:16.0849 0x1ff4  WMPNetworkSvc - ok
22:12:16.0856 0x1ff4  WPCSvc - ok
22:12:16.0863 0x1ff4  WPDBusEnum - ok
22:12:16.0870 0x1ff4  ws2ifsl - ok
22:12:16.0878 0x1ff4  wscsvc - ok
22:12:16.0883 0x1ff4  WSearch - ok
22:12:16.0894 0x1ff4  wuauserv - ok
22:12:16.0922 0x1ff4  WudfPf - ok
22:12:16.0928 0x1ff4  WUDFRd - ok
22:12:16.0951 0x1ff4  wudfsvc - ok
22:12:16.0983 0x1ff4  WwanSvc - ok
22:12:16.0997 0x1ff4  xhc200w - ok
22:12:17.0145 0x1ff4  ================ Scan global ===============================
22:12:17.0249 0x1ff4  [ Global ] - ok
22:12:17.0252 0x1ff4  ================ Scan MBR ==================================
22:12:17.0274 0x1ff4  [ 9D92E6F73154BF84DBD874EA21D5F0B3 ] \Device\Harddisk0\DR0
22:12:18.0177 0x1ff4  \Device\Harddisk0\DR0 - ok
22:12:18.0178 0x1ff4  ================ Scan VBR ==================================
22:12:18.0190 0x1ff4  [ 3D2AE27E8D4F8F06535D0D2FD4E90C29 ] \Device\Harddisk0\DR0\Partition1
22:12:18.0195 0x1ff4  \Device\Harddisk0\DR0\Partition1 - ok
22:12:18.0254 0x1ff4  [ 46228554E293B24B27FF736A43EA6BC8 ] \Device\Harddisk0\DR0\Partition2
22:12:18.0272 0x1ff4  \Device\Harddisk0\DR0\Partition2 - ok
22:12:19.0510 0x1ff4  AV detected via SS2: Microsoft Security Essentials, C:\Program Files\Microsoft Security Client\msseces.exe ( 4.5.216.0 ), 0x61000 ( enabled : updated )
22:12:19.0520 0x1ff4  Win FW state via NFP2: enabled
22:12:23.0824 0x1ff4  ============================================================
22:12:23.0824 0x1ff4  Scan finished
22:12:23.0824 0x1ff4  ============================================================
22:12:23.0838 0x1fec  Detected object count: 0
22:12:23.0838 0x1fec  Actual detected object count: 0
22:12:56.0575 0x0da8  ============================================================
22:12:56.0575 0x0da8  Scan started
22:12:56.0575 0x0da8  Mode: Manual; 
22:12:56.0575 0x0da8  ============================================================
22:12:56.0575 0x0da8  KSN ping started
22:13:01.0083 0x0da8  KSN ping finished: true
22:13:01.0738 0x0da8  ================ Scan system memory ========================
22:13:01.0738 0x0da8  System memory - ok
22:13:01.0738 0x0da8  ================ Scan services =============================
22:13:01.0754 0x0da8  1394ohci - ok
22:13:01.0770 0x0da8  ac.sharedstore - ok
22:13:01.0770 0x0da8  Accelerometer - ok
22:13:01.0770 0x0da8  ACPI - ok
22:13:01.0770 0x0da8  AcpiPmi - ok
22:13:01.0785 0x0da8  AdobeARMservice - ok
22:13:01.0785 0x0da8  AdobeFlashPlayerUpdateSvc - ok
22:13:01.0785 0x0da8  adp94xx - ok
22:13:01.0785 0x0da8  adpahci - ok
22:13:01.0801 0x0da8  adpu320 - ok
22:13:01.0801 0x0da8  AeLookupSvc - ok
22:13:01.0801 0x0da8  AESTAud - ok
22:13:01.0801 0x0da8  AESTFilters - ok
22:13:01.0816 0x0da8  AfaService - ok
22:13:01.0816 0x0da8  AFD - ok
22:13:01.0816 0x0da8  AgereModemAudio - ok
22:13:01.0816 0x0da8  AgereSoftModem - ok
22:13:01.0816 0x0da8  agp440 - ok
22:13:01.0832 0x0da8  aic78xx - ok
22:13:01.0832 0x0da8  aksbus - ok
22:13:01.0832 0x0da8  AKSIM - ok
22:13:01.0832 0x0da8  akspcsc - ok
22:13:01.0848 0x0da8  ALG - ok
22:13:01.0848 0x0da8  aliide - ok
22:13:01.0848 0x0da8  amdagp - ok
22:13:01.0848 0x0da8  amdide - ok
22:13:01.0848 0x0da8  AmdK8 - ok
22:13:01.0863 0x0da8  AmdPPM - ok
22:13:01.0863 0x0da8  amdsata - ok
22:13:01.0863 0x0da8  amdsbs - ok
22:13:01.0863 0x0da8  amdxata - ok
22:13:01.0879 0x0da8  AppID - ok
22:13:01.0879 0x0da8  AppIDSvc - ok
22:13:01.0879 0x0da8  Appinfo - ok
22:13:01.0879 0x0da8  AppMgmt - ok
22:13:01.0879 0x0da8  arc - ok
22:13:01.0894 0x0da8  arcsas - ok
22:13:01.0894 0x0da8  aspnet_state - ok
22:13:01.0894 0x0da8  AsyncMac - ok
22:13:01.0910 0x0da8  atapi - ok
22:13:01.0910 0x0da8  ATService - ok
22:13:01.0910 0x0da8  AudioEndpointBuilder - ok
22:13:01.0926 0x0da8  Audiosrv - ok
22:13:01.0926 0x0da8  AxInstSV - ok
22:13:01.0926 0x0da8  b06bdrv - ok
22:13:01.0926 0x0da8  b57nd60x - ok
22:13:01.0941 0x0da8  BBSvc - ok
22:13:01.0941 0x0da8  BBUpdate - ok
22:13:01.0941 0x0da8  BDESVC - ok
22:13:01.0941 0x0da8  Beep - ok
22:13:01.0957 0x0da8  BFE - ok
22:13:01.0957 0x0da8  BingDesktopUpdate - ok
22:13:01.0957 0x0da8  BITS - ok
22:13:01.0957 0x0da8  blbdrive - ok
22:13:01.0972 0x0da8  bowser - ok
22:13:01.0972 0x0da8  BrFiltLo - ok
22:13:01.0972 0x0da8  BrFiltUp - ok
22:13:01.0988 0x0da8  BridgeMP - ok
22:13:02.0004 0x0da8  Browser - ok
22:13:02.0004 0x0da8  Brserid - ok
22:13:02.0004 0x0da8  BrSerWdm - ok
22:13:02.0019 0x0da8  BrUsbMdm - ok
22:13:02.0019 0x0da8  BrUsbSer - ok
22:13:02.0019 0x0da8  BthEnum - ok
22:13:02.0019 0x0da8  BTHMODEM - ok
22:13:02.0035 0x0da8  BthPan - ok
22:13:02.0035 0x0da8  BTHPORT - ok
22:13:02.0035 0x0da8  bthserv - ok
22:13:02.0035 0x0da8  BTHUSB - ok
22:13:02.0050 0x0da8  btusbflt - ok
22:13:02.0050 0x0da8  catchme - ok
22:13:02.0050 0x0da8  cdfs - ok
22:13:02.0050 0x0da8  cdrom - ok
22:13:02.0066 0x0da8  CertPropSvc - ok
22:13:02.0066 0x0da8  circlass - ok
22:13:02.0066 0x0da8  CLFS - ok
22:13:02.0066 0x0da8  clr_optimization_v2.0.50727_32 - ok
22:13:02.0082 0x0da8  clr_optimization_v4.0.30319_32 - ok
22:13:02.0082 0x0da8  CmBatt - ok
22:13:02.0082 0x0da8  cmdide - ok
22:13:02.0097 0x0da8  CNG - ok
22:13:02.0097 0x0da8  Com4QLBEx - ok
22:13:02.0097 0x0da8  Compbatt - ok
22:13:02.0113 0x0da8  CompositeBus - ok
22:13:02.0113 0x0da8  COMSysApp - ok
22:13:02.0128 0x0da8  CpqDtct - ok
22:13:02.0128 0x0da8  crcdisk - ok
22:13:02.0128 0x0da8  CryptSvc - ok
22:13:02.0144 0x0da8  CSC - ok
22:13:02.0144 0x0da8  CscService - ok
22:13:02.0160 0x0da8  ctxusbm - ok
22:13:02.0160 0x0da8  CVirtA - ok
22:13:02.0160 0x0da8  CVPND - ok
22:13:02.0175 0x0da8  CVPNDRVA - ok
22:13:02.0175 0x0da8  DcomLaunch - ok
22:13:02.0191 0x0da8  defragsvc - ok
22:13:02.0191 0x0da8  DfsC - ok
22:13:02.0191 0x0da8  Dhcp - ok
22:13:02.0191 0x0da8  discache - ok
22:13:02.0206 0x0da8  Disk - ok
22:13:02.0206 0x0da8  DisplayLinkService - ok
22:13:02.0206 0x0da8  DNE - ok
22:13:02.0222 0x0da8  Dnscache - ok
22:13:02.0222 0x0da8  dot3svc - ok
22:13:02.0222 0x0da8  DPS - ok
22:13:02.0238 0x0da8  drmkaud - ok
22:13:02.0238 0x0da8  DXGKrnl - ok
22:13:02.0253 0x0da8  e1kexpress - ok
22:13:02.0253 0x0da8  EapHost - ok
22:13:02.0253 0x0da8  ebdrv - ok
22:13:02.0253 0x0da8  EFS - ok
22:13:02.0269 0x0da8  ehRecvr - ok
22:13:02.0316 0x0da8  ehSched - ok
22:13:02.0362 0x0da8  elxstor - ok
22:13:02.0394 0x0da8  ErrDev - ok
22:13:02.0394 0x0da8  EventSystem - ok
22:13:02.0409 0x0da8  exfat - ok
22:13:02.0409 0x0da8  fastfat - ok
22:13:02.0409 0x0da8  Fax - ok
22:13:02.0409 0x0da8  fdc - ok
22:13:02.0425 0x0da8  fdPHost - ok
22:13:02.0425 0x0da8  FDResPub - ok
22:13:02.0425 0x0da8  FileInfo - ok
22:13:02.0425 0x0da8  Filetrace - ok
22:13:02.0440 0x0da8  flpydisk - ok
22:13:02.0440 0x0da8  FltMgr - ok
22:13:02.0440 0x0da8  FontCache - ok
22:13:02.0440 0x0da8  FontCache3.0.0.0 - ok
22:13:02.0456 0x0da8  FsDepends - ok
22:13:02.0456 0x0da8  Fs_Rec - ok
22:13:02.0456 0x0da8  fvevol - ok
22:13:02.0472 0x0da8  gagp30kx - ok
22:13:02.0472 0x0da8  gpsvc - ok
22:13:02.0472 0x0da8  gupdate - ok
22:13:02.0487 0x0da8  gupdatem - ok
22:13:02.0487 0x0da8  gusvc - ok
22:13:02.0487 0x0da8  hcw85cir - ok
22:13:02.0487 0x0da8  HdAudAddService - ok
22:13:02.0503 0x0da8  HDAudBus - ok
22:13:02.0503 0x0da8  HECI - ok
22:13:02.0503 0x0da8  HidBatt - ok
22:13:02.0503 0x0da8  HidBth - ok
22:13:02.0518 0x0da8  HidIr - ok
22:13:02.0518 0x0da8  hidserv - ok
22:13:02.0518 0x0da8  HidUsb - ok
22:13:02.0534 0x0da8  hkmsvc - ok
22:13:02.0534 0x0da8  HomeGroupListener - ok
22:13:02.0534 0x0da8  HomeGroupProvider - ok
22:13:02.0534 0x0da8  HPDrvMntSvc.exe - ok
22:13:02.0550 0x0da8  hpdskflt - ok
22:13:02.0550 0x0da8  HPKBCCID - ok
22:13:02.0550 0x0da8  HpqKbFiltr - ok
22:13:02.0550 0x0da8  hpqwmiex - ok
22:13:02.0565 0x0da8  HpSAMD - ok
22:13:02.0565 0x0da8  hpsrv - ok
22:13:02.0565 0x0da8  HTTP - ok
22:13:02.0596 0x0da8  hwpolicy - ok
22:13:02.0643 0x0da8  i8042prt - ok
22:13:02.0659 0x0da8  iaStorV - ok
22:13:02.0674 0x0da8  IDriverT - ok
22:13:02.0737 0x0da8  idsvc - ok
22:13:02.0752 0x0da8  IEEtwCollectorService - ok
22:13:02.0752 0x0da8  iirsp - ok
22:13:02.0752 0x0da8  IKEEXT - ok
22:13:02.0752 0x0da8  Impcd - ok
22:13:02.0768 0x0da8  intelide - ok
22:13:02.0768 0x0da8  intelppm - ok
22:13:02.0768 0x0da8  IPBusEnum - ok
22:13:02.0784 0x0da8  IpFilterDriver - ok
22:13:02.0784 0x0da8  iphlpsvc - ok
22:13:02.0784 0x0da8  IPMIDRV - ok
22:13:02.0784 0x0da8  IPNAT - ok
22:13:02.0799 0x0da8  IRENUM - ok
22:13:02.0799 0x0da8  isapnp - ok
22:13:02.0799 0x0da8  iScsiPrt - ok
22:13:02.0799 0x0da8  kbdclass - ok
22:13:02.0815 0x0da8  kbdhid - ok
22:13:02.0815 0x0da8  KeyIso - ok
22:13:02.0815 0x0da8  KSecDD - ok
22:13:02.0830 0x0da8  KSecPkg - ok
22:13:02.0846 0x0da8  KtmRm - ok
22:13:02.0846 0x0da8  LanmanServer - ok
22:13:02.0846 0x0da8  LanmanWorkstation - ok
22:13:02.0862 0x0da8  LightScribeService - ok
22:13:02.0862 0x0da8  lltdio - ok
22:13:02.0862 0x0da8  lltdsvc - ok
22:13:02.0877 0x0da8  lmhosts - ok
22:13:02.0877 0x0da8  LMS - ok
22:13:02.0893 0x0da8  LSI_FC - ok
22:13:02.0893 0x0da8  LSI_SAS - ok
22:13:02.0893 0x0da8  LSI_SAS2 - ok
22:13:02.0893 0x0da8  LSI_SCSI - ok
22:13:02.0908 0x0da8  luafv - ok
22:13:02.0908 0x0da8  MBAMSwissArmy - ok
22:13:02.0908 0x0da8  McAfee Endpoint Encryption Agent - ok
22:13:02.0908 0x0da8  McAfeeFramework - ok
22:13:02.0924 0x0da8  Mcx2Svc - ok
22:13:02.0924 0x0da8  megasas - ok
22:13:02.0924 0x0da8  MegaSR - ok
22:13:02.0924 0x0da8  MfeEEAlg - ok
22:13:02.0940 0x0da8  MfeEpeOpal - ok
22:13:02.0940 0x0da8  MfeEpePc - ok
22:13:02.0940 0x0da8  MFE_RR - ok
22:13:02.0955 0x0da8  Microsoft SharePoint Workspace Audit Service - ok
22:13:02.0955 0x0da8  MMCSS - ok
22:13:02.0955 0x0da8  Modem - ok
22:13:02.0955 0x0da8  monitor - ok
22:13:02.0971 0x0da8  mouclass - ok
22:13:02.0971 0x0da8  mouhid - ok
22:13:02.0971 0x0da8  mountmgr - ok
22:13:02.0986 0x0da8  MozillaMaintenance - ok
22:13:02.0986 0x0da8  MpFilter - ok
22:13:02.0986 0x0da8  mpio - ok
22:13:03.0002 0x0da8  mpsdrv - ok
22:13:03.0002 0x0da8  MpsSvc - ok
22:13:03.0002 0x0da8  MRxDAV - ok
22:13:03.0018 0x0da8  mrxsmb - ok
22:13:03.0018 0x0da8  mrxsmb10 - ok
22:13:03.0018 0x0da8  mrxsmb20 - ok
22:13:03.0018 0x0da8  msahci - ok
22:13:03.0033 0x0da8  msdsm - ok
22:13:03.0033 0x0da8  MSDTC - ok
22:13:03.0033 0x0da8  Msfs - ok
22:13:03.0049 0x0da8  mshidkmdf - ok
22:13:03.0049 0x0da8  msisadrv - ok
22:13:03.0064 0x0da8  MSiSCSI - ok
22:13:03.0064 0x0da8  msiserver - ok
22:13:03.0064 0x0da8  MSKSSRV - ok
22:13:03.0064 0x0da8  MsMpSvc - ok
22:13:03.0080 0x0da8  MSPCLOCK - ok
22:13:03.0080 0x0da8  MSPQM - ok
22:13:03.0080 0x0da8  MsRPC - ok
22:13:03.0096 0x0da8  mssmbios - ok
22:13:03.0096 0x0da8  MSTEE - ok
22:13:03.0096 0x0da8  MTConfig - ok
22:13:03.0111 0x0da8  Mup - ok
22:13:03.0111 0x0da8  napagent - ok
22:13:03.0111 0x0da8  NativeWifiP - ok
22:13:03.0127 0x0da8  NDIS - ok
22:13:03.0127 0x0da8  NdisCap - ok
22:13:03.0127 0x0da8  NdisTapi - ok
22:13:03.0127 0x0da8  Ndisuio - ok
22:13:03.0142 0x0da8  NdisWan - ok
22:13:03.0142 0x0da8  NDProxy - ok
22:13:03.0142 0x0da8  Net Driver HPZ12 - ok
22:13:03.0142 0x0da8  NetBIOS - ok
22:13:03.0158 0x0da8  NetBT - ok
22:13:03.0158 0x0da8  Netlogon - ok
22:13:03.0174 0x0da8  Netman - ok
22:13:03.0174 0x0da8  NetMsmqActivator - ok
22:13:03.0174 0x0da8  NetPipeActivator - ok
22:13:03.0189 0x0da8  netprofm - ok
22:13:03.0189 0x0da8  NetTcpActivator - ok
22:13:03.0189 0x0da8  NetTcpPortSharing - ok
22:13:03.0189 0x0da8  NETw5s32 - ok
22:13:03.0205 0x0da8  NETwNs32 - ok
22:13:03.0205 0x0da8  nfrd960 - ok
22:13:03.0205 0x0da8  NisDrv - ok
22:13:03.0220 0x0da8  NisSrv - ok
22:13:03.0220 0x0da8  NlaSvc - ok
22:13:03.0220 0x0da8  Npfs - ok
22:13:03.0236 0x0da8  nsi - ok
22:13:03.0236 0x0da8  nsiproxy - ok
22:13:03.0236 0x0da8  Ntfs - ok
22:13:03.0252 0x0da8  Null - ok
22:13:03.0252 0x0da8  nusb3hub - ok
22:13:03.0252 0x0da8  nusb3xhc - ok
22:13:03.0267 0x0da8  NVHDA - ok
22:13:03.0267 0x0da8  nvlddmkm - ok
22:13:03.0267 0x0da8  nvraid - ok
22:13:03.0267 0x0da8  nvstor - ok
22:13:03.0283 0x0da8  nvsvc - ok
22:13:03.0283 0x0da8  nv_agp - ok
22:13:03.0283 0x0da8  ohci1394 - ok
22:13:03.0298 0x0da8  ose - ok
22:13:03.0298 0x0da8  osppsvc - ok
22:13:03.0298 0x0da8  p2pimsvc - ok
22:13:03.0314 0x0da8  p2psvc - ok
22:13:03.0314 0x0da8  Parport - ok
22:13:03.0314 0x0da8  partmgr - ok
22:13:03.0314 0x0da8  Parvdm - ok
22:13:03.0330 0x0da8  PcaSvc - ok
22:13:03.0330 0x0da8  pci - ok
22:13:03.0330 0x0da8  pciide - ok
22:13:03.0345 0x0da8  pcmcia - ok
22:13:03.0408 0x0da8  pcw - ok
22:13:03.0486 0x0da8  PEAUTH - ok
22:13:03.0486 0x0da8  PeerDistSvc - ok
22:13:03.0517 0x0da8  pla - ok
22:13:03.0548 0x0da8  PlugPlay - ok
22:13:03.0579 0x0da8  Pml Driver HPZ12 - ok
22:13:03.0595 0x0da8  PNRPAutoReg - ok
22:13:03.0595 0x0da8  PNRPsvc - ok
22:13:03.0595 0x0da8  PolicyAgent - ok
22:13:03.0610 0x0da8  Power - ok
22:13:03.0610 0x0da8  PptpMiniport - ok
22:13:03.0626 0x0da8  Processor - ok
22:13:03.0626 0x0da8  ProfSvc - ok
22:13:03.0626 0x0da8  ProtectedStorage - ok
22:13:03.0642 0x0da8  Psched - ok
22:13:03.0642 0x0da8  PxHelp20 - ok
22:13:03.0642 0x0da8  qcfilterhp2k - ok
22:13:03.0642 0x0da8  qcombushp - ok
22:13:03.0657 0x0da8  qcusbnethp2k - ok
22:13:03.0657 0x0da8  qcusbserhp2k - ok
22:13:03.0657 0x0da8  QDLService2kHP - ok
22:13:03.0673 0x0da8  ql2300 - ok
22:13:03.0673 0x0da8  ql40xx - ok
22:13:03.0673 0x0da8  QWAVE - ok
22:13:03.0688 0x0da8  QWAVEdrv - ok
22:13:03.0688 0x0da8  RasAcd - ok
22:13:03.0688 0x0da8  RasAgileVpn - ok
22:13:03.0688 0x0da8  RasAuto - ok
22:13:03.0704 0x0da8  Rasl2tp - ok
22:13:03.0704 0x0da8  RasMan - ok
22:13:03.0704 0x0da8  RasPppoe - ok
22:13:03.0720 0x0da8  RasSstp - ok
22:13:03.0720 0x0da8  rdbss - ok
22:13:03.0720 0x0da8  rdpbus - ok
22:13:03.0735 0x0da8  RDPCDD - ok
22:13:03.0735 0x0da8  RDPDR - ok
22:13:03.0735 0x0da8  RDPENCDD - ok
22:13:03.0751 0x0da8  RDPREFMP - ok
22:13:03.0766 0x0da8  RdpVideoMiniport - ok
22:13:03.0766 0x0da8  RDPWD - ok
22:13:03.0766 0x0da8  rdyboost - ok
22:13:03.0782 0x0da8  RemoteAccess - ok
22:13:03.0782 0x0da8  RemoteRegistry - ok
22:13:03.0798 0x0da8  RFCOMM - ok
22:13:03.0798 0x0da8  rimmptsk - ok
22:13:03.0813 0x0da8  rimsptsk - ok
22:13:03.0829 0x0da8  rismc32 - ok
22:13:03.0891 0x0da8  rismxdp - ok
22:13:03.0907 0x0da8  RoxMediaDB9 - ok
22:13:03.0907 0x0da8  RpcEptMapper - ok
22:13:03.0907 0x0da8  RpcLocator - ok
22:13:03.0922 0x0da8  RpcSs - ok
22:13:03.0922 0x0da8  rspndr - ok
22:13:03.0922 0x0da8  s3cap - ok
22:13:03.0938 0x0da8  SamSs - ok
22:13:03.0938 0x0da8  sbp2port - ok
22:13:03.0938 0x0da8  SCardSvr - ok
22:13:03.0954 0x0da8  scfilter - ok
22:13:03.0954 0x0da8  Schedule - ok
22:13:03.0954 0x0da8  SCPolicySvc - ok
22:13:03.0954 0x0da8  sdbus - ok
22:13:03.0969 0x0da8  SDRSVC - ok
22:13:03.0969 0x0da8  secdrv - ok
22:13:03.0969 0x0da8  seclogon - ok
22:13:03.0985 0x0da8  SENS - ok
22:13:03.0985 0x0da8  SensrSvc - ok
22:13:03.0985 0x0da8  Serenum - ok
22:13:04.0000 0x0da8  Serial - ok
22:13:04.0016 0x0da8  sermouse - ok
22:13:04.0032 0x0da8  SessionEnv - ok
22:13:04.0032 0x0da8  sffdisk - ok
22:13:04.0032 0x0da8  sffp_mmc - ok
22:13:04.0032 0x0da8  sffp_sd - ok
22:13:04.0047 0x0da8  sfloppy - ok
22:13:04.0047 0x0da8  SharedAccess - ok
22:13:04.0047 0x0da8  ShellHWDetection - ok
22:13:04.0063 0x0da8  sisagp - ok
22:13:04.0063 0x0da8  SiSRaid2 - ok
22:13:04.0063 0x0da8  SiSRaid4 - ok
22:13:04.0078 0x0da8  Smb - ok
22:13:04.0078 0x0da8  SNMPTRAP - ok
22:13:04.0094 0x0da8  SNP2UVC - ok
22:13:04.0094 0x0da8  spldr - ok
22:13:04.0094 0x0da8  Spooler - ok
22:13:04.0110 0x0da8  sppsvc - ok
22:13:04.0110 0x0da8  sppuinotify - ok
22:13:04.0110 0x0da8  srv - ok
22:13:04.0125 0x0da8  srv2 - ok
22:13:04.0125 0x0da8  srvnet - ok
22:13:04.0125 0x0da8  SSDPSRV - ok
22:13:04.0141 0x0da8  SstpSvc - ok
22:13:04.0141 0x0da8  STacSV - ok
22:13:04.0141 0x0da8  stexstor - ok
22:13:04.0156 0x0da8  STHDA - ok
22:13:04.0219 0x0da8  StiSvc - ok
22:13:04.0219 0x0da8  stllssvr - ok
22:13:04.0234 0x0da8  storflt - ok
22:13:04.0250 0x0da8  StorSvc - ok
22:13:04.0250 0x0da8  storvsc - ok
22:13:04.0250 0x0da8  swenum - ok
22:13:04.0266 0x0da8  swprv - ok
22:13:04.0266 0x0da8  SynTP - ok
22:13:04.0266 0x0da8  SysMain - ok
22:13:04.0281 0x0da8  TabletInputService - ok
22:13:04.0281 0x0da8  TapiSrv - ok
22:13:04.0281 0x0da8  TBS - ok
22:13:04.0297 0x0da8  Tcpip - ok
22:13:04.0297 0x0da8  TCPIP6 - ok
22:13:04.0312 0x0da8  tcpipreg - ok
22:13:04.0312 0x0da8  TDPIPE - ok
22:13:04.0328 0x0da8  TDTCP - ok
22:13:04.0328 0x0da8  tdx - ok
22:13:04.0328 0x0da8  TeamViewer8 - ok
22:13:04.0344 0x0da8  TermDD - ok
22:13:04.0344 0x0da8  TermService - ok
22:13:04.0344 0x0da8  Themes - ok
22:13:04.0359 0x0da8  THREADORDER - ok
22:13:04.0359 0x0da8  TPM - ok
22:13:04.0375 0x0da8  TrkWks - ok
22:13:04.0375 0x0da8  TrustedInstaller - ok
22:13:04.0390 0x0da8  tssecsrv - ok
22:13:04.0390 0x0da8  TsUsbFlt - ok
22:13:04.0406 0x0da8  tunnel - ok
22:13:04.0406 0x0da8  uagp35 - ok
22:13:04.0422 0x0da8  udfs - ok
22:13:04.0422 0x0da8  UI0Detect - ok
22:13:04.0437 0x0da8  uliagpkx - ok
22:13:04.0437 0x0da8  umbus - ok
22:13:04.0453 0x0da8  UmPass - ok
22:13:04.0453 0x0da8  UmRdpService - ok
22:13:04.0453 0x0da8  UNS - ok
22:13:04.0468 0x0da8  upnphost - ok
22:13:04.0468 0x0da8  usbaudio - ok
22:13:04.0484 0x0da8  usbccgp - ok
22:13:04.0484 0x0da8  usbcir - ok
22:13:04.0500 0x0da8  usbehci - ok
22:13:04.0500 0x0da8  usbhub - ok
22:13:04.0515 0x0da8  usbohci - ok
22:13:04.0515 0x0da8  usbprint - ok
22:13:04.0515 0x0da8  USBSTOR - ok
22:13:04.0531 0x0da8  usbuhci - ok
22:13:04.0531 0x0da8  usbvideo - ok
22:13:04.0546 0x0da8  usb_rndisx - ok
22:13:04.0546 0x0da8  UxSms - ok
22:13:04.0546 0x0da8  VaultSvc - ok
22:13:04.0562 0x0da8  VBoxDrv - ok
22:13:04.0562 0x0da8  VBoxNetAdp - ok
22:13:04.0562 0x0da8  VBoxNetFlt - ok
22:13:04.0578 0x0da8  VBoxUSB - ok
22:13:04.0578 0x0da8  VBoxUSBMon - ok
22:13:04.0578 0x0da8  vcsFPService - ok
22:13:04.0593 0x0da8  vdrvroot - ok
22:13:04.0593 0x0da8  vds - ok
22:13:04.0593 0x0da8  vga - ok
22:13:04.0609 0x0da8  VgaSave - ok
22:13:04.0609 0x0da8  vhdmp - ok
22:13:04.0609 0x0da8  viaagp - ok
22:13:04.0624 0x0da8  ViaC7 - ok
22:13:04.0624 0x0da8  viaide - ok
22:13:04.0624 0x0da8  vmbus - ok
22:13:04.0640 0x0da8  VMBusHID - ok
22:13:04.0640 0x0da8  volmgr - ok
22:13:04.0656 0x0da8  volmgrx - ok
22:13:04.0656 0x0da8  volsnap - ok
22:13:04.0656 0x0da8  vpcbus - ok
22:13:04.0671 0x0da8  vpcnfltr - ok
22:13:04.0671 0x0da8  vpcusb - ok
22:13:04.0671 0x0da8  vpcvmm - ok
22:13:04.0687 0x0da8  vsmraid - ok
22:13:04.0687 0x0da8  VSS - ok
22:13:04.0687 0x0da8  vwifibus - ok
22:13:04.0702 0x0da8  vwififlt - ok
22:13:04.0702 0x0da8  vwifimp - ok
22:13:04.0718 0x0da8  W32Time - ok
22:13:04.0718 0x0da8  WacomPen - ok
22:13:04.0718 0x0da8  WANARP - ok
22:13:04.0734 0x0da8  Wanarpv6 - ok
22:13:04.0734 0x0da8  WatAdminSvc - ok
22:13:04.0734 0x0da8  wbengine - ok
22:13:04.0749 0x0da8  WbioSrvc - ok
22:13:04.0749 0x0da8  wcncsvc - ok
22:13:04.0765 0x0da8  WcsPlugInService - ok
22:13:04.0780 0x0da8  Wd - ok
22:13:04.0780 0x0da8  Wdf01000 - ok
22:13:04.0796 0x0da8  WdiServiceHost - ok
22:13:04.0812 0x0da8  WdiSystemHost - ok
22:13:04.0812 0x0da8  WebClient - ok
22:13:04.0827 0x0da8  Wecsvc - ok
22:13:04.0827 0x0da8  wercplsupport - ok
22:13:04.0843 0x0da8  WerSvc - ok
22:13:04.0843 0x0da8  WfpLwf - ok
22:13:04.0858 0x0da8  WIMMount - ok
22:13:04.0858 0x0da8  WinDefend - ok
22:13:04.0874 0x0da8  WinHttpAutoProxySvc - ok
22:13:04.0890 0x0da8  Winmgmt - ok
22:13:04.0905 0x0da8  WinRM - ok
22:13:04.0921 0x0da8  WinUSB - ok
22:13:04.0921 0x0da8  Wlansvc - ok
22:13:04.0936 0x0da8  WmiAcpi - ok
22:13:04.0952 0x0da8  wmiApSrv - ok
22:13:04.0952 0x0da8  WMPNetworkSvc - ok
22:13:04.0968 0x0da8  WPCSvc - ok
22:13:04.0968 0x0da8  WPDBusEnum - ok
22:13:04.0983 0x0da8  ws2ifsl - ok
22:13:04.0999 0x0da8  wscsvc - ok
22:13:05.0014 0x0da8  WSearch - ok
22:13:05.0014 0x0da8  wuauserv - ok
22:13:05.0030 0x0da8  WudfPf - ok
22:13:05.0030 0x0da8  WUDFRd - ok
22:13:05.0046 0x0da8  wudfsvc - ok
22:13:05.0046 0x0da8  WwanSvc - ok
22:13:05.0061 0x0da8  xhc200w - ok
22:13:05.0108 0x0da8  ================ Scan global ===============================
22:13:05.0108 0x0da8  [ Global ] - ok
22:13:05.0108 0x0da8  ================ Scan MBR ==================================
22:13:05.0124 0x0da8  [ 9D92E6F73154BF84DBD874EA21D5F0B3 ] \Device\Harddisk0\DR0
22:13:05.0857 0x0da8  \Device\Harddisk0\DR0 - ok
22:13:05.0857 0x0da8  ================ Scan VBR ==================================
22:13:05.0872 0x0da8  [ 3D2AE27E8D4F8F06535D0D2FD4E90C29 ] \Device\Harddisk0\DR0\Partition1
22:13:05.0872 0x0da8  \Device\Harddisk0\DR0\Partition1 - ok
22:13:05.0888 0x0da8  [ 46228554E293B24B27FF736A43EA6BC8 ] \Device\Harddisk0\DR0\Partition2
22:13:05.0888 0x0da8  \Device\Harddisk0\DR0\Partition2 - ok
22:13:05.0904 0x0da8  AV detected via SS2: Microsoft Security Essentials, C:\Program Files\Microsoft Security Client\msseces.exe ( 4.5.216.0 ), 0x61000 ( enabled : updated )
22:13:05.0904 0x0da8  Win FW state via NFP2: enabled
22:13:09.0819 0x0da8  ============================================================
22:13:09.0819 0x0da8  Scan finished
22:13:09.0819 0x0da8  ============================================================
22:13:09.0819 0x13b0  Detected object count: 0
22:13:09.0819 0x13b0  Actual detected object count: 0


#7 polskamachina


Posted 02 May 2014 - 08:24 PM

Hi stefanbonnarens
 
No need for apologies. Your response was timely. :)
 
Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1
  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

 

Let me know if you have any questions.

 

polskamachina


Member of the Bleeping Computer A.I.I. early response team!

#8 stefanbonnarens


Posted 03 May 2014 - 06:58 AM

Hi polskamachina

 

I tried to run GetxPUD on a clean PC but it said it did not install correctly. When I tried to use the recommended installation settings nothing happens (I do not see a GetxPUD folder).

What I did see is that it installed programs like HulaToo, Oxy. Are they related or not?

 

Kind regards

 

Stefan



#9 polskamachina


Posted 04 May 2014 - 01:07 PM

Hi Stefan :)
 
I'm sorry you're having difficulty running the GETxPUD installation. I tried downloading and running the GETxPUD.exe file on my system and thought the same thing happened to me. I got a prompt asking me if it was OK to launch, then I clicked on Ok. Then, just as you said, nothing else seemed to happen. I ran the program again. Same result. But then I took a closer look at my desktop icons and finally found the GETxPUD folder icon. Is it possible you have overlooked it too? If you do locate the folder and open it, you should have three files in there:

  • BurnCDCC.exe
  • get&burn.bat
  • WGET.exe

Let me know if you were successful. Regarding your question about HulaToo and Oxy, are those icons executable files that were installed on your desktop after you ran the GETxPUD.exe file? Those files were not installed on my system.

 

If you're still having trouble with the GETxPUD file, you may download the iso file directly here and then burn it to a CD.
 
polskamachina


Member of the Bleeping Computer A.I.I. early response team!

#10 stefanbonnarens


Posted 04 May 2014 - 04:35 PM

Hi Polskamachina

 

We are getting further. I did find the GetXPUD folder and could download the ISO to a CD.
I started the infected PC with the CD-ROM and saw a screen with XPUD and a list of languages to choose from. I chose English, but instead of seeing menus (File, ...) I got a command-prompt-like window with some info ending in sh-4.0#
In the command-prompt-like window I saw a long list of info (sorry, but screen capturing was not possible).

Assuming this is like a shell to type commands in... which commands should I enter?

 

Kind regards

 

Stefan



#11 polskamachina


Posted 06 May 2014 - 12:32 AM

Hi Stefan :)
 
It sounds like your system bypassed the graphical user interface and went directly to the terminal output. Please reboot your pc with the xPUD boot disk in place. If for some reason you wind up with the same scenario, please type in the following command:

dd if=/dev/sda of=/mnt/sdb1/mbr.bin bs=512 count=1
 
If things do proceed normally, please use these directions when reaching the main menu:

  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter: dd if=/dev/sda of=mbr.bin bs=512 count=1
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.
 

Let me know if you have any questions.

polskamachina


Member of the Bleeping Computer A.I.I. early response team!

#12 stefanbonnarens


Posted 06 May 2014 - 02:53 PM

Hi Polskamachina

 

I typed the command you wrote (dd if=/dev/sda of=/mnt/sdb1/mbr.bin bs=512 count=1),

but the computer says there is no such file (mnt/sdb1/mbr.bin).

 

Kind regards

 

Stefan



#13 polskamachina


Posted 08 May 2014 - 10:10 AM

Hi Stefan :)

Let's try something else instead:

  • On a clean machine, please download Farbar Recovery Scan Tool and save it to the root folder of a flash drive.
  • Next, please copy the single line of text below, exactly as is, and paste it into Notepad:
    SaveMbr: Drive=0
    Then save the file as fixlist.txt in the same location on your flash drive as FRST.exe
  • Remove the flashdrive from the clean computer and plug it into the infected PC.
  • To enter System Recovery Options from the Advanced Boot Options:
    • Restart the infected computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you cannot enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html


    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:

    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    Select Command Prompt
  • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • Notepad will open. Under File menu select Open.
    • Select "Computer" and find your flash drive letter, remember this letter, and then close Notepad.
    • In the command window type e:\frst and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press the Fix button.
    • Two files will be created. One will be fixlog.txt. The other will be mbrdump.txt. They will both be located on the flash drive.
    • Attach the mbrdump.txt file via the Attach Files upload interface at the bottom of your reply window and also please copy and paste the fixlog.txt directly into your next reply to me.

Let me know if you have any questions.

polskamachina


Member of the Bleeping Computer A.I.I. early response team!

#14 stefanbonnarens


Posted 08 May 2014 - 04:17 PM

Hi polskamachina

 

This time more luck:

 

Here is the fixlog.txt file

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-05-2014 02
Ran by SYSTEM at 2014-05-08 23:12:47 Run:1
Running from F:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
SaveMbr: Drive=0
*****************

MBRDUMP.txt is made successfully.

==== End of Fixlog ====

 

Hope this will help you

 

Kind regards

 

Stefan




#15 polskamachina


Posted 10 May 2014 - 10:15 AM

Hi Stefan :)
 
The MBRDUMP report shows that it may have a problem. One explanation for its nonstandard form is that your drive is using McAfee drive encryption software. Are you knowingly using this encryption software?

 
polskamachina


Member of the Bleeping Computer A.I.I. early response team!
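The 512-byte mbr.bin that the dd command in the earlier posts writes (and the MBRDUMP that FRST's SaveMbr produces) can be checked offline for the kind of "nonstandard form" described above. The script below is an added example, not code from the thread or from any of the tools it names: it decodes the partition table, validates the status bytes and 0x55AA signature, and tests whether the bootstrap area still carries the three error strings a stock Microsoft MBR contains. The sample images are constructed here; on a real dump a missing-strings finding means the boot code was replaced, which a pre-boot encryption loader and a bootkit both do, so it is a prompt to investigate rather than a verdict.

```python
"""Inspect a raw 512-byte MBR image such as the mbr.bin that dd writes."""
import struct
from collections import namedtuple

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
# Error strings embedded in the bootstrap area of a stock Microsoft MBR.
STOCK_MS_STRINGS = (b"Invalid partition table",
                    b"Error loading operating system",
                    b"Missing operating system")
# status: 0x80 = active/bootable, 0x00 = inactive; anything else is invalid.
Partition = namedtuple("Partition", "index status type_id lba_start sectors")


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte entries at offset 446 (little-endian fields)."""
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs_a, ptype, _chs_b, lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        parts.append(Partition(i + 1, status, ptype, lba, count))
    return parts


def analyze_mbr(mbr: bytes) -> dict:
    """Return the decoded table plus a list of findings (empty = looks stock)."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(mbr)}")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partition_table(mbr)
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"partition {p.index}: invalid status 0x{p.status:02x}")
    active = [p for p in parts if p.status == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    # Stock Microsoft bootstrap code carries all three error strings. Pre-boot
    # authentication loaders (full-disk encryption) and bootkits both replace
    # that code, so a miss here is a flag to investigate, not a verdict.
    stock = all(s in mbr[:440] for s in STOCK_MS_STRINGS)
    if not stock:
        findings.append("bootstrap code is not stock Microsoft MBR code")
    return {"partitions": parts, "stock_bootstrap": stock, "findings": findings}


def build_sample(stock: bool) -> bytes:
    """Constructed image with a Windows 7 style layout (System Reserved + OS)."""
    code = bytearray(440)
    if stock:
        pos = 0x163  # real code keeps its message text near the end of the area
        for s in STOCK_MS_STRINGS:
            code[pos:pos + len(s)] = s
            pos += len(s) + 1
    else:
        code[:5] = b"\xea\x00\x7c\x00\x00"  # constructed far jump, no MS strings
    disk_sig = struct.pack("<I", 0x1A2B3C4D)  # constructed NT disk signature
    table = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xdf\x13\x0c", 2048, 204800)
    table += struct.pack("<B3sB3sII", 0x00, b"\xdf\x14\x0c", 0x07, b"\xfe\xff\xff", 206848, 500000000)
    table += bytes(32)  # two unused entries
    return bytes(code) + disk_sig + b"\x00\x00" + table + BOOT_SIGNATURE
```

On a real dump, call `analyze_mbr(open("mbr.bin", "rb").read())["findings"]`; an empty list means the signature, status bytes, active-partition count and bootstrap strings all look stock.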



