suchek
Posts posted by suchek
Maurice, I'll work on burning the CD. I can do this from a separate, non-infected machine.
A few questions:
1) Since I've already reformatted the C-drive and reinstalled the OS, there's no data that I'm trying to retain. This is probably a dumb question, but could the suspicious 4th partition be deleted or reformatted?
2) Should I reformat the Recovery D-drive?
3) "IF you have an attached external HDD drive, please disconnect it now." — Is there an infection risk to external and flash drives?
I don't currently have an external HDD attached, but I did use an external HDD to back up my data before reformatting. And I was using a USB flash drive last night to install all the instructed scanning programs. Since the infected machine is compromised, I've taken it offline altogether. I come to this forum from a separate machine, download the scanning programs to a USB drive, and then transfer them via USB to the infected machine. Then I use the USB to transfer the results logs from the infected machine to my clean machine for posting.
Do I need to be worried about the flash drive or the external HDD harboring an infection? I did vaccinate both with the Panda USB vaccine. But they had been connected to the infected machine a couple times, prior to reformatting, before I was able to apply the vaccine.
-
Hi, Maurice. Thank you very much for your help. I was able to run all the scans you instructed, and the logs are pasted below.
As a side note: I had shut down the infected machine after posting my initial help request yesterday. When I rebooted today to run the scans, the "Malicious software was removed" notification was no longer popping up from the task bar. The popup hasn't recurred yet during this session.
However, I'm still not using the machine other than to follow your instructions. I also disconnected it from the internet and disabled the wireless adapter.
Scan notes:
• RogueKiller, in addition to the RKReport.txt file, also produced a folder, "RK_Quarantine," containing three files: Eula.txt, PhysicalDriver0_User.dat, and QuarantineReport.txt. Do you need the content of either of the text files?
• aswMBR did NOT have the "Fix" button enabled after completing its scan.
• TDSS scan resulted in "No threats found"; there were no prompts to cure, skip, or reboot. I didn't make any adjustments to the "Change parameters" options before beginning the TDSS scan. The default options checked in "Objects to scan" were system memory, services and drivers, and boot sectors; loaded modules were NOT checked. Neither of the "Additional Options" — Verify file digital signatures, Detect TDLFS file system — were checked.
• ListParts64, when launched, had a "List BCD" option that was not checked, by default.
--------------------------------------------------------------------------------
aswMBR Log
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-16 20:44:57
-----------------------------
20:44:57.223 OS Version: Windows x64 6.1.7601 Service Pack 1
20:44:57.223 Number of processors: 4 586 0x2505
20:44:57.223 ComputerName: V-PC UserName: v
20:44:57.769 Initialize success
20:45:43.120 AVAST engine defs: 12101601
20:47:24.329 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
20:47:24.345 Disk 0 Vendor: SAMSUNG_ 2AJ1 Size: 610480MB BusType: 3
20:47:24.345 Disk 0 MBR read successfully
20:47:24.345 Disk 0 MBR scan
20:47:24.360 Disk 0 Windows 7 default MBR code
20:47:24.360 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 100 MB offset 2048
20:47:24.376 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15000 MB offset 206848
20:47:24.391 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 595364 MB offset 30926848
20:47:24.423 Disk 0 Partition 4 00 17 Hidd HPFS/NTFS NTFS 10 MB offset 1250234368
20:47:24.469 Disk 0 scanning C:\Windows\system32\drivers
20:47:29.493 Service scanning
20:47:44.484 Modules scanning
20:47:44.484 Scan finished successfully
21:06:23.911 Disk 0 MBR has been saved successfully to "C:\Users\v\Desktop\MBR.dat"
21:06:23.911 The log file has been saved successfully to "C:\Users\v\Desktop\aswMBR.txt"
--------------------------------------------------------------------------------
TDSSKiller Log
21:14:19.0692 3376 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
21:14:19.0723 3376 ============================================================
21:14:19.0723 3376 Current date / time: 2012/10/16 21:14:19.0723
21:14:19.0723 3376 SystemInfo:
21:14:19.0723 3376
21:14:19.0723 3376 OS Version: 6.1.7601 ServicePack: 1.0
21:14:19.0723 3376 Product type: Workstation
21:14:19.0723 3376 ComputerName: V-PC
21:14:19.0723 3376 UserName: v
21:14:19.0723 3376 Windows directory: C:\Windows
21:14:19.0723 3376 System windows directory: C:\Windows
21:14:19.0723 3376 Running under WOW64
21:14:19.0723 3376 Processor architecture: Intel x64
21:14:19.0723 3376 Number of processors: 4
21:14:19.0723 3376 Page size: 0x1000
21:14:19.0723 3376 Boot type: Normal boot
21:14:19.0723 3376 ============================================================
21:14:20.0004 3376 Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
21:14:20.0020 3376 ============================================================
21:14:20.0020 3376 \Device\Harddisk0\DR0:
21:14:20.0020 3376 MBR partitions:
21:14:20.0020 3376 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x1D4C000
21:14:20.0020 3376 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1D7E800, BlocksNum 0x48AD22B0
21:14:20.0020 3376 ============================================================
21:14:20.0035 3376 C: <-> \Device\Harddisk0\DR0\Partition2
21:14:20.0082 3376 D: <-> \Device\Harddisk0\DR0\Partition1
21:14:20.0082 3376 ============================================================
21:14:20.0082 3376 Initialize success
21:14:20.0082 3376 ============================================================
21:21:47.0741 1072 ============================================================
21:21:47.0741 1072 Scan started
21:21:47.0741 1072 Mode: Manual;
21:21:47.0741 1072 ============================================================
21:21:48.0255 1072 ================ Scan system memory ========================
21:21:48.0255 1072 System memory - ok
21:21:48.0255 1072 ================ Scan services =============================
21:21:56.0180 1072 nsi - ok
21:21:56.0180 1072 [ E7F5AE18AF4168178A642A9247C63001 ] nsiproxy C:\Windows\system32\drivers\nsiproxy.sys
21:21:56.0196 1072 nsiproxy - ok
21:21:56.0227 1072 [ 05D78AA5CB5F3F5C31160BDB955D0B7C ] Ntfs C:\Windows\system32\drivers\Ntfs.sys
21:21:56.0243 1072 Ntfs - ok
21:21:56.0243 1072 [ 9899284589F75FA8724FF3D16AED75C1 ] Null C:\Windows\system32\drivers\Null.sys
21:21:56.0243 1072 Null - ok
21:21:56.0258 1072 [ 786DB821BFD57C0551DBBE4F75384A7D ] nusb3hub C:\Windows\system32\drivers\nusb3hub.sys
21:21:56.0258 1072 nusb3hub - ok
21:21:56.0289 1072 [ DAA8005CAF745042BB427A1ED7433354 ] nusb3xhc C:\Windows\system32\drivers\nusb3xhc.sys
21:21:56.0289 1072 nusb3xhc - ok
21:21:56.0336 1072 [ 5D9FD91F3D38DC9DA01E3CB5FA89CD48 ] nvraid C:\Windows\system32\drivers\nvraid.sys
21:21:56.0336 1072 nvraid - ok
21:21:56.0352 1072 [ F7CD50FE7139F07E77DA8AC8033D1832 ] nvstor C:\Windows\system32\drivers\nvstor.sys
21:21:56.0352 1072 nvstor - ok
21:21:56.0399 1072 [ 270D7CD42D6E3979F6DD0146650F0E05 ] nv_agp C:\Windows\system32\drivers\nv_agp.sys
21:21:56.0399 1072 nv_agp - ok
21:21:56.0399 1072 [ 3589478E4B22CE21B41FA1BFC0B8B8A0 ] ohci1394 C:\Windows\system32\drivers\ohci1394.sys
21:21:56.0399 1072 ohci1394 - ok
21:21:56.0430 1072 [ 3EAC4455472CC2C97107B5291E0DCAFE ] p2pimsvc C:\Windows\system32\pnrpsvc.dll
21:21:56.0430 1072 p2pimsvc - ok
21:21:56.0461 1072 [ 927463ECB02179F88E4B9A17568C63C3 ] p2psvc C:\Windows\system32\p2psvc.dll
21:21:56.0461 1072 p2psvc - ok
21:21:56.0477 1072 [ 0086431C29C35BE1DBC43F52CC273887 ] Parport C:\Windows\system32\drivers\parport.sys
21:21:56.0477 1072 Parport - ok
21:21:56.0508 1072 [ E9766131EEADE40A27DC27D2D68FBA9C ] partmgr C:\Windows\system32\drivers\partmgr.sys
21:21:56.0508 1072 partmgr - ok
21:21:56.0523 1072 [ 3AEAA8B561E63452C655DC0584922257 ] PcaSvc C:\Windows\System32\pcasvc.dll
21:21:56.0523 1072 PcaSvc - ok
21:21:56.0555 1072 [ 94575C0571D1462A0F70BDE6BD6EE6B3 ] pci C:\Windows\system32\drivers\pci.sys
21:21:56.0555 1072 pci - ok
21:21:56.0601 1072 [ B5B8B5EF2E5CB34DF8DCF8831E3534FA ] pciide C:\Windows\system32\drivers\pciide.sys
21:21:56.0601 1072 pciide - ok
21:21:56.0633 1072 [ B2E81D4E87CE48589F98CB8C05B01F2F ] pcmcia C:\Windows\system32\drivers\pcmcia.sys
21:21:56.0633 1072 pcmcia - ok
21:21:56.0633 1072 [ D6B9C2E1A11A3A4B26A182FFEF18F603 ] pcw C:\Windows\system32\drivers\pcw.sys
21:21:56.0633 1072 pcw - ok
21:21:56.0648 1072 [ 68769C3356B3BE5D1C732C97B9A80D6E ] PEAUTH C:\Windows\system32\drivers\peauth.sys
21:21:56.0648 1072 PEAUTH - ok
21:21:56.0742 1072 [ E495E408C93141E8FC72DC0C6046DDFA ] PerfHost C:\Windows\SysWow64\perfhost.exe
21:21:56.0742 1072 PerfHost - ok
21:21:56.0804 1072 [ C7CF6A6E137463219E1259E3F0F0DD6C ] pla C:\Windows\system32\pla.dll
21:21:56.0835 1072 pla - ok
21:21:56.0867 1072 [ B806E50427511BCF4AD8E8239C3E25FA ] PlugPlay C:\Windows\system32\umpnpmgr.dll
21:21:56.0882 1072 PlugPlay - ok
21:21:56.0898 1072 [ 7195581CEC9BB7D12ABE54036ACC2E38 ] PNRPAutoReg C:\Windows\system32\pnrpauto.dll
21:21:56.0898 1072 PNRPAutoReg - ok
21:21:56.0913 1072 [ 3EAC4455472CC2C97107B5291E0DCAFE ] PNRPsvc C:\Windows\system32\pnrpsvc.dll
21:21:56.0913 1072 PNRPsvc - ok
21:21:56.0945 1072 [ 4F15D75ADF6156BF56ECED6D4A55C389 ] PolicyAgent C:\Windows\System32\ipsecsvc.dll
21:21:56.0945 1072 PolicyAgent - ok
21:21:56.0960 1072 [ 6BA9D927DDED70BD1A9CADED45F8B184 ] Power C:\Windows\system32\umpo.dll
21:21:56.0960 1072 Power - ok
21:21:57.0007 1072 [ F92A2C41117A11A00BE01CA01A7FCDE9 ] PptpMiniport C:\Windows\system32\DRIVERS\raspptp.sys
21:21:57.0007 1072 PptpMiniport - ok
21:21:57.0007 1072 [ 0D922E23C041EFB1C3FAC2A6F943C9BF ] Processor C:\Windows\system32\drivers\processr.sys
21:21:57.0023 1072 Processor - ok
21:21:57.0069 1072 [ 5C78838B4D166D1A27DB3A8A820C799A ] ProfSvc C:\Windows\system32\profsvc.dll
21:21:57.0069 1072 ProfSvc - ok
21:21:57.0101 1072 [ C118A82CD78818C29AB228366EBF81C3 ] ProtectedStorage C:\Windows\system32\lsass.exe
21:21:57.0101 1072 ProtectedStorage - ok
21:21:57.0132 1072 [ 0557CF5A2556BD58E26384169D72438D ] Psched C:\Windows\system32\DRIVERS\pacer.sys
21:21:57.0132 1072 Psched - ok
21:21:57.0225 1072 [ A53A15A11EBFD21077463EE2C7AFEEF0 ] ql2300 C:\Windows\system32\drivers\ql2300.sys
21:21:57.0241 1072 ql2300 - ok
21:21:57.0241 1072 [ 4F6D12B51DE1AAEFF7DC58C4D75423C8 ] ql40xx C:\Windows\system32\drivers\ql40xx.sys
21:21:57.0257 1072 ql40xx - ok
21:21:57.0272 1072 [ 906191634E99AEA92C4816150BDA3732 ] QWAVE C:\Windows\system32\qwave.dll
21:21:57.0272 1072 QWAVE - ok
21:21:57.0272 1072 [ 76707BB36430888D9CE9D705398ADB6C ] QWAVEdrv C:\Windows\system32\drivers\qwavedrv.sys
21:21:57.0288 1072 QWAVEdrv - ok
21:21:57.0288 1072 [ 5A0DA8AD5762FA2D91678A8A01311704 ] RasAcd C:\Windows\system32\DRIVERS\rasacd.sys
21:21:57.0288 1072 RasAcd - ok
21:21:57.0319 1072 [ 7ECFF9B22276B73F43A99A15A6094E90 ] RasAgileVpn C:\Windows\system32\DRIVERS\AgileVpn.sys
21:21:57.0319 1072 RasAgileVpn - ok
21:21:57.0335 1072 [ 8F26510C5383B8DBE976DE1CD00FC8C7 ] RasAuto C:\Windows\System32\rasauto.dll
21:21:57.0350 1072 RasAuto - ok
21:21:57.0366 1072 [ 471815800AE33E6F1C32FB1B97C490CA ] Rasl2tp C:\Windows\system32\DRIVERS\rasl2tp.sys
21:21:57.0366 1072 Rasl2tp - ok
21:21:57.0381 1072 [ EE867A0870FC9E4972BA9EAAD35651E2 ] RasMan C:\Windows\System32\rasmans.dll
21:21:57.0397 1072 RasMan - ok
21:21:57.0397 1072 [ 855C9B1CD4756C5E9A2AA58A15F58C25 ] RasPppoe C:\Windows\system32\DRIVERS\raspppoe.sys
21:21:57.0397 1072 RasPppoe - ok
21:21:57.0428 1072 [ E8B1E447B008D07FF47D016C2B0EEECB ] RasSstp C:\Windows\system32\DRIVERS\rassstp.sys
21:21:57.0428 1072 RasSstp - ok
21:21:57.0444 1072 [ 77F665941019A1594D887A74F301FA2F ] rdbss C:\Windows\system32\DRIVERS\rdbss.sys
21:21:57.0444 1072 rdbss - ok
21:21:57.0459 1072 [ 302DA2A0539F2CF54D7C6CC30C1F2D8D ] rdpbus C:\Windows\system32\drivers\rdpbus.sys
21:21:57.0459 1072 rdpbus - ok
21:21:57.0459 1072 [ CEA6CC257FC9B7715F1C2B4849286D24 ] RDPCDD C:\Windows\system32\DRIVERS\RDPCDD.sys
21:21:57.0459 1072 RDPCDD - ok
21:21:57.0475 1072 [ BB5971A4F00659529A5C44831AF22365 ] RDPENCDD C:\Windows\system32\drivers\rdpencdd.sys
21:21:57.0475 1072 RDPENCDD - ok
21:21:57.0491 1072 [ 216F3FA57533D98E1F74DED70113177A ] RDPREFMP C:\Windows\system32\drivers\rdprefmp.sys
21:21:57.0491 1072 RDPREFMP - ok
21:21:57.0506 1072 [ E61608AA35E98999AF9AAEEEA6114B0A ] RDPWD C:\Windows\system32\drivers\RDPWD.sys
21:21:57.0522 1072 RDPWD - ok
21:21:57.0522 1072 [ 34ED295FA0121C241BFEF24764FC4520 ] rdyboost C:\Windows\system32\drivers\rdyboost.sys
21:21:57.0537 1072 rdyboost - ok
21:21:57.0553 1072 [ 254FB7A22D74E5511C73A3F6D802F192 ] RemoteAccess C:\Windows\System32\mprdim.dll
21:21:57.0553 1072 RemoteAccess - ok
21:21:57.0584 1072 [ E4D94F24081440B5FC5AA556C7C62702 ] RemoteRegistry C:\Windows\system32\regsvc.dll
21:21:57.0584 1072 RemoteRegistry - ok
21:21:57.0615 1072 [ E4DC58CF7B3EA515AE917FF0D402A7BB ] RpcEptMapper C:\Windows\System32\RpcEpMap.dll
21:21:57.0631 1072 RpcEptMapper - ok
21:21:57.0647 1072 [ D5BA242D4CF8E384DB90E6A8ED850B8C ] RpcLocator C:\Windows\system32\locator.exe
21:21:57.0662 1072 RpcLocator - ok
21:21:57.0678 1072 [ 5C627D1B1138676C0A7AB2C2C190D123 ] RpcSs C:\Windows\system32\rpcss.dll
21:21:57.0678 1072 RpcSs - ok
21:21:57.0693 1072 [ DDC86E4F8E7456261E637E3552E804FF ] rspndr C:\Windows\system32\DRIVERS\rspndr.sys
21:21:57.0693 1072 rspndr - ok
21:21:57.0740 1072 [ FD978B2BF8A9B2390DCBEF435E9C1F9F ] RTL8167 C:\Windows\system32\DRIVERS\Rt64win7.sys
21:21:57.0740 1072 RTL8167 - ok
21:21:57.0756 1072 [ C118A82CD78818C29AB228366EBF81C3 ] SamSs C:\Windows\system32\lsass.exe
21:21:57.0756 1072 SamSs - ok
21:21:57.0771 1072 [ AC03AF3329579FFFB455AA2DAABBE22B ] sbp2port C:\Windows\system32\drivers\sbp2port.sys
21:21:57.0771 1072 sbp2port - ok
21:21:57.0787 1072 [ 9B7395789E3791A3B6D000FE6F8B131E ] SCardSvr C:\Windows\System32\SCardSvr.dll
21:21:57.0803 1072 SCardSvr - ok
21:21:57.0803 1072 [ 253F38D0D7074C02FF8DEB9836C97D2B ] scfilter C:\Windows\system32\DRIVERS\scfilter.sys
21:21:57.0803 1072 scfilter - ok
21:21:57.0865 1072 [ 262F6592C3299C005FD6BEC90FC4463A ] Schedule C:\Windows\system32\schedsvc.dll
21:21:57.0881 1072 Schedule - ok
21:21:57.0881 1072 [ F17D1D393BBC69C5322FBFAFACA28C7F ] SCPolicySvc C:\Windows\System32\certprop.dll
21:21:57.0881 1072 SCPolicySvc - ok
21:21:57.0896 1072 [ 6EA4234DC55346E0709560FE7C2C1972 ] SDRSVC C:\Windows\System32\SDRSVC.dll
21:21:57.0912 1072 SDRSVC - ok
21:21:57.0974 1072 [ 3EA8A16169C26AFBEB544E0E48421186 ] secdrv C:\Windows\system32\drivers\secdrv.sys
21:21:57.0974 1072 secdrv - ok
21:21:57.0990 1072 [ BC617A4E1B4FA8DF523A061739A0BD87 ] seclogon C:\Windows\system32\seclogon.dll
21:21:57.0990 1072 seclogon - ok
21:21:58.0021 1072 [ C32AB8FA018EF34C0F113BD501436D21 ] SENS C:\Windows\System32\sens.dll
21:21:58.0021 1072 SENS - ok
21:21:58.0052 1072 [ 0336CFFAFAAB87A11541F1CF1594B2B2 ] SensrSvc C:\Windows\system32\sensrsvc.dll
21:21:58.0052 1072 SensrSvc - ok
21:21:58.0099 1072 [ CB624C0035412AF0DEBEC78C41F5CA1B ] Serenum C:\Windows\system32\drivers\serenum.sys
21:21:58.0099 1072 Serenum - ok
21:21:58.0115 1072 [ C1D8E28B2C2ADFAEC4BA89E9FDA69BD6 ] Serial C:\Windows\system32\drivers\serial.sys
21:21:58.0115 1072 Serial - ok
21:21:58.0115 1072 [ 1C545A7D0691CC4A027396535691C3E3 ] sermouse C:\Windows\system32\drivers\sermouse.sys
21:21:58.0115 1072 sermouse - ok
21:21:58.0146 1072 [ 0B6231BF38174A1628C4AC812CC75804 ] SessionEnv C:\Windows\system32\sessenv.dll
21:21:58.0146 1072 SessionEnv - ok
21:21:58.0161 1072 [ A554811BCD09279536440C964AE35BBF ] sffdisk C:\Windows\system32\drivers\sffdisk.sys
21:21:58.0161 1072 sffdisk - ok
21:21:58.0161 1072 [ FF414F0BAEFEBA59BC6C04B3DB0B87BF ] sffp_mmc C:\Windows\system32\drivers\sffp_mmc.sys
21:21:58.0161 1072 sffp_mmc - ok
21:21:58.0161 1072 [ DD85B78243A19B59F0637DCF284DA63C ] sffp_sd C:\Windows\system32\drivers\sffp_sd.sys
21:21:58.0161 1072 sffp_sd - ok
21:21:58.0161 1072 [ A9D601643A1647211A1EE2EC4E433FF4 ] sfloppy C:\Windows\system32\drivers\sfloppy.sys
21:21:58.0177 1072 sfloppy - ok
21:21:58.0193 1072 [ B95F6501A2F8B2E78C697FEC401970CE ] SharedAccess C:\Windows\System32\ipnathlp.dll
21:21:58.0193 1072 SharedAccess - ok
21:21:58.0239 1072 [ AAF932B4011D14052955D4B212A4DA8D ] ShellHWDetection C:\Windows\System32\shsvcs.dll
21:21:58.0255 1072 ShellHWDetection - ok
21:21:58.0286 1072 [ 843CAF1E5FDE1FFD5FF768F23A51E2E1 ] SiSRaid2 C:\Windows\system32\drivers\SiSRaid2.sys
21:21:58.0286 1072 SiSRaid2 - ok
21:21:58.0286 1072 [ 6A6C106D42E9FFFF8B9FCB4F754F6DA4 ] SiSRaid4 C:\Windows\system32\drivers\sisraid4.sys
21:21:58.0286 1072 SiSRaid4 - ok
21:21:58.0302 1072 [ 548260A7B8654E024DC30BF8A7C5BAA4 ] Smb C:\Windows\system32\DRIVERS\smb.sys
21:21:58.0302 1072 Smb - ok
21:21:58.0364 1072 [ 6313F223E817CC09AA41811DAA7F541D ] SNMPTRAP C:\Windows\System32\snmptrap.exe
21:21:58.0364 1072 SNMPTRAP - ok
21:21:58.0380 1072 [ B9E31E5CACDFE584F34F730A677803F9 ] spldr C:\Windows\system32\drivers\spldr.sys
21:21:58.0380 1072 spldr - ok
21:21:58.0411 1072 [ B96C17B5DC1424D56EEA3A99E97428CD ] Spooler C:\Windows\System32\spoolsv.exe
21:21:58.0427 1072 Spooler - ok
21:21:58.0505 1072 [ E17E0188BB90FAE42D83E98707EFA59C ] sppsvc C:\Windows\system32\sppsvc.exe
21:21:58.0583 1072 sppsvc - ok
21:21:58.0614 1072 [ 93D7D61317F3D4BC4F4E9F8A96A7DE45 ] sppuinotify C:\Windows\system32\sppuinotify.dll
21:21:58.0614 1072 sppuinotify - ok
21:21:58.0645 1072 [ 441FBA48BFF01FDB9D5969EBC1838F0B ] srv C:\Windows\system32\DRIVERS\srv.sys
21:21:58.0661 1072 srv - ok
21:21:58.0661 1072 [ B4ADEBBF5E3677CCE9651E0F01F7CC28 ] srv2 C:\Windows\system32\DRIVERS\srv2.sys
21:21:58.0676 1072 srv2 - ok
21:21:58.0707 1072 [ 27E461F0BE5BFF5FC737328F749538C3 ] srvnet C:\Windows\system32\DRIVERS\srvnet.sys
21:21:58.0723 1072 srvnet - ok
21:21:58.0754 1072 [ 51B52FBD583CDE8AA9BA62B8B4298F33 ] SSDPSRV C:\Windows\System32\ssdpsrv.dll
21:21:58.0754 1072 SSDPSRV - ok
21:21:58.0801 1072 [ AB7AEBF58DAD8DAAB7A6C45E6A8885CB ] SstpSvc C:\Windows\system32\sstpsvc.dll
21:21:58.0801 1072 SstpSvc - ok
21:21:58.0941 1072 [ 463E33B1EA7AF1E6EB87B66B831DB41A ] STacSV C:\Program Files\IDT\WDM\STacSV64.exe
21:21:58.0941 1072 STacSV - ok
21:21:58.0973 1072 [ F3817967ED533D08327DC73BC4D5542A ] stexstor C:\Windows\system32\drivers\stexstor.sys
21:21:58.0973 1072 stexstor - ok
21:21:58.0988 1072 [ 4304B75094E106FB5423A290C95841E5 ] STHDA C:\Windows\system32\DRIVERS\stwrt64.sys
21:21:59.0004 1072 STHDA - ok
21:21:59.0066 1072 [ 8DD52E8E6128F4B2DA92CE27402871C1 ] stisvc C:\Windows\System32\wiaservc.dll
21:21:59.0082 1072 stisvc - ok
21:21:59.0082 1072 [ D01EC09B6711A5F8E7E6564A4D0FBC90 ] swenum C:\Windows\system32\DRIVERS\swenum.sys
21:21:59.0082 1072 swenum - ok
21:21:59.0113 1072 [ E08E46FDD841B7184194011CA1955A0B ] swprv C:\Windows\System32\swprv.dll
21:21:59.0113 1072 swprv - ok
21:21:59.0144 1072 [ BF9CCC0BF39B418C8D0AE8B05CF95B7D ] SysMain C:\Windows\system32\sysmain.dll
21:21:59.0175 1072 SysMain - ok
21:21:59.0175 1072 [ E3C61FD7B7C2557E1F1B0B4CEC713585 ] TabletInputService C:\Windows\System32\TabSvc.dll
21:21:59.0175 1072 TabletInputService - ok
21:21:59.0191 1072 [ 40F0849F65D13EE87B9A9AE3C1DD6823 ] TapiSrv C:\Windows\System32\tapisrv.dll
21:21:59.0207 1072 TapiSrv - ok
21:21:59.0222 1072 [ 1BE03AC720F4D302EA01D40F588162F6 ] TBS C:\Windows\System32\tbssvc.dll
21:21:59.0222 1072 TBS - ok
21:21:59.0331 1072 [ ACB82BDA8F46C84F465C1AFA517DC4B9 ] Tcpip C:\Windows\system32\drivers\tcpip.sys
21:21:59.0347 1072 Tcpip - ok
21:21:59.0378 1072 [ ACB82BDA8F46C84F465C1AFA517DC4B9 ] TCPIP6 C:\Windows\system32\DRIVERS\tcpip.sys
21:21:59.0394 1072 TCPIP6 - ok
21:21:59.0425 1072 [ DF687E3D8836BFB04FCC0615BF15A519 ] tcpipreg C:\Windows\system32\drivers\tcpipreg.sys
21:21:59.0425 1072 tcpipreg - ok
21:21:59.0441 1072 [ 3371D21011695B16333A3934340C4E7C ] TDPIPE C:\Windows\system32\drivers\tdpipe.sys
21:21:59.0441 1072 TDPIPE - ok
21:21:59.0472 1072 [ 51C5ECEB1CDEE2468A1748BE550CFBC8 ] TDTCP C:\Windows\system32\drivers\tdtcp.sys
21:21:59.0472 1072 TDTCP - ok
21:21:59.0472 1072 [ DDAD5A7AB24D8B65F8D724F5C20FD806 ] tdx C:\Windows\system32\DRIVERS\tdx.sys
21:21:59.0472 1072 tdx - ok
21:21:59.0519 1072 [ 561E7E1F06895D78DE991E01DD0FB6E5 ] TermDD C:\Windows\system32\DRIVERS\termdd.sys
21:21:59.0519 1072 TermDD - ok
21:21:59.0565 1072 [ 2E648163254233755035B46DD7B89123 ] TermService C:\Windows\System32\termsrv.dll
21:21:59.0565 1072 TermService - ok
21:21:59.0581 1072 [ F0344071948D1A1FA732231785A0664C ] Themes C:\Windows\system32\themeservice.dll
21:21:59.0597 1072 Themes - ok
21:21:59.0597 1072 [ E40E80D0304A73E8D269F7141D77250B ] THREADORDER C:\Windows\system32\mmcss.dll
21:21:59.0597 1072 THREADORDER - ok
21:21:59.0628 1072 [ 7E7AFD841694F6AC397E99D75CEAD49D ] TrkWks C:\Windows\System32\trkwks.dll
21:21:59.0628 1072 TrkWks - ok
21:21:59.0659 1072 [ 773212B2AAA24C1E31F10246B15B276C ] TrustedInstaller C:\Windows\servicing\TrustedInstaller.exe
21:21:59.0659 1072 TrustedInstaller - ok
21:21:59.0675 1072 [ CE18B2CDFC837C99E5FAE9CA6CBA5D30 ] tssecsrv C:\Windows\system32\DRIVERS\tssecsrv.sys
21:21:59.0675 1072 tssecsrv - ok
21:21:59.0690 1072 [ D11C783E3EF9A3C52C0EBE83CC5000E9 ] TsUsbFlt C:\Windows\system32\drivers\tsusbflt.sys
21:21:59.0690 1072 TsUsbFlt - ok
21:21:59.0706 1072 [ 9CC2CCAE8A84820EAECB886D477CBCB8 ] TsUsbGD C:\Windows\system32\drivers\TsUsbGD.sys
21:21:59.0706 1072 TsUsbGD - ok
21:21:59.0768 1072 [ 3566A8DAAFA27AF944F5D705EAA64894 ] tunnel C:\Windows\system32\DRIVERS\tunnel.sys
21:21:59.0784 1072 tunnel - ok
21:21:59.0784 1072 [ B4DD609BD7E282BFC683CEC7EAAAAD67 ] uagp35 C:\Windows\system32\drivers\uagp35.sys
21:21:59.0784 1072 uagp35 - ok
21:21:59.0799 1072 [ FF4232A1A64012BAA1FD97C7B67DF593 ] udfs C:\Windows\system32\DRIVERS\udfs.sys
21:21:59.0815 1072 udfs - ok
21:21:59.0846 1072 [ 3CBDEC8D06B9968ABA702EBA076364A1 ] UI0Detect C:\Windows\system32\UI0Detect.exe
21:21:59.0846 1072 UI0Detect - ok
21:21:59.0877 1072 [ 4BFE1BC28391222894CBF1E7D0E42320 ] uliagpkx C:\Windows\system32\drivers\uliagpkx.sys
21:21:59.0877 1072 uliagpkx - ok
21:21:59.0893 1072 [ DC54A574663A895C8763AF0FA1FF7561 ] umbus C:\Windows\system32\DRIVERS\umbus.sys
21:21:59.0893 1072 umbus - ok
21:21:59.0909 1072 [ B2E8E8CB557B156DA5493BBDDCC1474D ] UmPass C:\Windows\system32\drivers\umpass.sys
21:21:59.0909 1072 UmPass - ok
21:22:00.0002 1072 [ CC3775100ABA633984F73DFAE1F55CAE ] UNS C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
21:22:00.0033 1072 UNS - ok
21:22:00.0080 1072 [ D47EC6A8E81633DD18D2436B19BAF6DE ] upnphost C:\Windows\System32\upnphost.dll
21:22:00.0080 1072 upnphost - ok
21:22:00.0127 1072 [ 481DFF26B4DCA8F4CBAC1F7DCE1D6829 ] usbccgp C:\Windows\system32\DRIVERS\usbccgp.sys
21:22:00.0127 1072 usbccgp - ok
21:22:00.0143 1072 [ AF0892A803FDDA7492F595368E3B68E7 ] usbcir C:\Windows\system32\drivers\usbcir.sys
21:22:00.0143 1072 usbcir - ok
21:22:00.0174 1072 [ 74EE782B1D9C241EFE425565854C661C ] usbehci C:\Windows\system32\DRIVERS\usbehci.sys
21:22:00.0174 1072 usbehci - ok
21:22:00.0205 1072 [ DC96BD9CCB8403251BCF25047573558E ] usbhub C:\Windows\system32\DRIVERS\usbhub.sys
21:22:00.0205 1072 usbhub - ok
21:22:00.0221 1072 [ 58E546BBAF87664FC57E0F6081E4F609 ] usbohci C:\Windows\system32\drivers\usbohci.sys
21:22:00.0221 1072 usbohci - ok
21:22:00.0221 1072 [ 73188F58FB384E75C4063D29413CEE3D ] usbprint C:\Windows\system32\drivers\usbprint.sys
21:22:00.0221 1072 usbprint - ok
21:22:00.0236 1072 [ D76510CFA0FC09023077F22C2F979D86 ] USBSTOR C:\Windows\system32\DRIVERS\USBSTOR.SYS
21:22:00.0236 1072 USBSTOR - ok
21:22:00.0236 1072 [ 81FB2216D3A60D1284455D511797DB3D ] usbuhci C:\Windows\system32\drivers\usbuhci.sys
21:22:00.0236 1072 usbuhci - ok
21:22:00.0283 1072 [ 454800C2BC7F3927CE030141EE4F4C50 ] usbvideo C:\Windows\system32\Drivers\usbvideo.sys
21:22:00.0283 1072 usbvideo - ok
21:22:00.0299 1072 [ EDBB23CBCF2CDF727D64FF9B51A6070E ] UxSms C:\Windows\System32\uxsms.dll
21:22:00.0299 1072 UxSms - ok
21:22:00.0330 1072 [ C118A82CD78818C29AB228366EBF81C3 ] VaultSvc C:\Windows\system32\lsass.exe
21:22:00.0330 1072 VaultSvc - ok
21:22:00.0345 1072 [ C5C876CCFC083FF3B128F933823E87BD ] vdrvroot C:\Windows\system32\drivers\vdrvroot.sys
21:22:00.0361 1072 vdrvroot - ok
21:22:00.0439 1072 [ 8D6B481601D01A456E75C3210F1830BE ] vds C:\Windows\System32\vds.exe
21:22:00.0455 1072 vds - ok
21:22:00.0501 1072 [ DA4DA3F5E02943C2DC8C6ED875DE68DD ] vga C:\Windows\system32\DRIVERS\vgapnp.sys
21:22:00.0501 1072 vga - ok
21:22:00.0517 1072 [ 53E92A310193CB3C03BEA963DE7D9CFC ] VgaSave C:\Windows\System32\drivers\vga.sys
21:22:00.0517 1072 VgaSave - ok
21:22:00.0517 1072 [ 2CE2DF28C83AEAF30084E1B1EB253CBB ] vhdmp C:\Windows\system32\drivers\vhdmp.sys
21:22:00.0517 1072 vhdmp - ok
21:22:00.0611 1072 [ E5689D93FFE4E5D66C0178761240DD54 ] viaide C:\Windows\system32\drivers\viaide.sys
21:22:00.0611 1072 viaide - ok
21:22:00.0611 1072 [ D2AAFD421940F640B407AEFAAEBD91B0 ] volmgr C:\Windows\system32\drivers\volmgr.sys
21:22:00.0611 1072 volmgr - ok
21:22:00.0626 1072 [ A255814907C89BE58B79EF2F189B843B ] volmgrx C:\Windows\system32\drivers\volmgrx.sys
21:22:00.0642 1072 volmgrx - ok
21:22:00.0657 1072 [ 0D08D2F3B3FF84E433346669B5E0F639 ] volsnap C:\Windows\system32\drivers\volsnap.sys
21:22:00.0673 1072 volsnap - ok
21:22:00.0689 1072 [ 5E2016EA6EBACA03C04FEAC5F330D997 ] vsmraid C:\Windows\system32\drivers\vsmraid.sys
21:22:00.0689 1072 vsmraid - ok
21:22:00.0751 1072 [ B60BA0BC31B0CB414593E169F6F21CC2 ] VSS C:\Windows\system32\vssvc.exe
21:22:00.0767 1072 VSS - ok
21:22:00.0767 1072 [ 36D4720B72B5C5D9CB2B9C29E9DF67A1 ] vwifibus C:\Windows\system32\DRIVERS\vwifibus.sys
21:22:00.0767 1072 vwifibus - ok
21:22:00.0782 1072 [ 6A3D66263414FF0D6FA754C646612F3F ] vwififlt C:\Windows\system32\DRIVERS\vwififlt.sys
21:22:00.0782 1072 vwififlt - ok
21:22:00.0798 1072 [ 1C9D80CC3849B3788048078C26486E1A ] W32Time C:\Windows\system32\w32time.dll
21:22:00.0813 1072 W32Time - ok
21:22:00.0813 1072 [ 4E9440F4F152A7B944CB1663D3935A3E ] WacomPen C:\Windows\system32\drivers\wacompen.sys
21:22:00.0829 1072 WacomPen - ok
21:22:00.0860 1072 [ 356AFD78A6ED4457169241AC3965230C ] WANARP C:\Windows\system32\DRIVERS\wanarp.sys
21:22:00.0860 1072 WANARP - ok
21:22:00.0860 1072 [ 356AFD78A6ED4457169241AC3965230C ] Wanarpv6 C:\Windows\system32\DRIVERS\wanarp.sys
21:22:00.0860 1072 Wanarpv6 - ok
21:22:00.0907 1072 [ 78F4E7F5C56CB9716238EB57DA4B6A75 ] wbengine C:\Windows\system32\wbengine.exe
21:22:00.0923 1072 wbengine - ok
21:22:00.0938 1072 [ 3AA101E8EDAB2DB4131333F4325C76A3 ] WbioSrvc C:\Windows\System32\wbiosrvc.dll
21:22:00.0938 1072 WbioSrvc - ok
21:22:00.0938 1072 [ 7368A2AFD46E5A4481D1DE9D14848EDD ] wcncsvc C:\Windows\System32\wcncsvc.dll
21:22:00.0954 1072 wcncsvc - ok
21:22:00.0969 1072 [ 20F7441334B18CEE52027661DF4A6129 ] WcsPlugInService C:\Windows\System32\WcsPlugInService.dll
21:22:00.0969 1072 WcsPlugInService - ok
21:22:00.0969 1072 [ 72889E16FF12BA0F235467D6091B17DC ] Wd C:\Windows\system32\drivers\wd.sys
21:22:00.0969 1072 Wd - ok
21:22:00.0985 1072 [ 441BD2D7B4F98134C3A4F9FA570FD250 ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
21:22:01.0001 1072 Wdf01000 - ok
21:22:01.0016 1072 [ BF1FC3F79B863C914687A737C2F3D681 ] WdiServiceHost C:\Windows\system32\wdi.dll
21:22:01.0016 1072 WdiServiceHost - ok
21:22:01.0016 1072 [ BF1FC3F79B863C914687A737C2F3D681 ] WdiSystemHost C:\Windows\system32\wdi.dll
21:22:01.0016 1072 WdiSystemHost - ok
21:22:01.0032 1072 [ 3DB6D04E1C64272F8B14EB8BC4616280 ] WebClient C:\Windows\System32\webclnt.dll
21:22:01.0032 1072 WebClient - ok
21:22:01.0047 1072 [ C749025A679C5103E575E3B48E092C43 ] Wecsvc C:\Windows\system32\wecsvc.dll
21:22:01.0063 1072 Wecsvc - ok
21:22:01.0063 1072 [ 7E591867422DC788B9E5BD337A669A08 ] wercplsupport C:\Windows\System32\wercplsupport.dll
21:22:01.0063 1072 wercplsupport - ok
21:22:01.0094 1072 [ 6D137963730144698CBD10F202E9F251 ] WerSvc C:\Windows\System32\WerSvc.dll
21:22:01.0094 1072 WerSvc - ok
21:22:01.0125 1072 [ 611B23304BF067451A9FDEE01FBDD725 ] WfpLwf C:\Windows\system32\DRIVERS\wfplwf.sys
21:22:01.0125 1072 WfpLwf - ok
21:22:01.0125 1072 [ 05ECAEC3E4529A7153B3136CEB49F0EC ] WIMMount C:\Windows\system32\drivers\wimmount.sys
21:22:01.0125 1072 WIMMount - ok
21:22:01.0125 1072 WinDefend - ok
21:22:01.0141 1072 WinHttpAutoProxySvc - ok
21:22:01.0188 1072 [ 19B07E7E8915D701225DA41CB3877306 ] Winmgmt C:\Windows\system32\wbem\WMIsvc.dll
21:22:01.0188 1072 Winmgmt - ok
21:22:01.0266 1072 [ BCB1310604AA415C4508708975B3931E ] WinRM C:\Windows\system32\WsmSvc.dll
21:22:01.0297 1072 WinRM - ok
21:22:01.0344 1072 [ 4FADA86E62F18A1B2F42BA18AE24E6AA ] Wlansvc C:\Windows\System32\wlansvc.dll
21:22:01.0359 1072 Wlansvc - ok
21:22:01.0422 1072 [ DE816A0624D54D68E1FB8A9028DCF81A ] wltrysvc C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
21:22:01.0422 1072 wltrysvc - ok
21:22:01.0437 1072 [ F6FF8944478594D0E414D3F048F0D778 ] WmiAcpi C:\Windows\system32\DRIVERS\wmiacpi.sys
21:22:01.0437 1072 WmiAcpi - ok
21:22:01.0469 1072 [ 38B84C94C5A8AF291ADFEA478AE54F93 ] wmiApSrv C:\Windows\system32\wbem\WmiApSrv.exe
21:22:01.0469 1072 wmiApSrv - ok
21:22:01.0500 1072 WMPNetworkSvc - ok
21:22:01.0531 1072 [ 96C6E7100D724C69FCF9E7BF590D1DCA ] WPCSvc C:\Windows\System32\wpcsvc.dll
21:22:01.0547 1072 WPCSvc - ok
21:22:01.0547 1072 [ 93221146D4EBBF314C29B23CD6CC391D ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
21:22:01.0547 1072 WPDBusEnum - ok
21:22:01.0562 1072 [ 6BCC1D7D2FD2453957C5479A32364E52 ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
21:22:01.0562 1072 ws2ifsl - ok
21:22:01.0578 1072 [ E8B1FE6669397D1772D8196DF0E57A9E ] wscsvc C:\Windows\System32\wscsvc.dll
21:22:01.0578 1072 wscsvc - ok
21:22:01.0593 1072 WSearch - ok
21:22:01.0656 1072 [ D9EF901DCA379CFE914E9FA13B73B4C4 ] wuauserv C:\Windows\system32\wuaueng.dll
21:22:01.0687 1072 wuauserv - ok
21:22:01.0718 1072 [ D3381DC54C34D79B22CEE0D65BA91B7C ] WudfPf C:\Windows\system32\drivers\WudfPf.sys
21:22:01.0718 1072 WudfPf - ok
21:22:01.0734 1072 [ CF8D590BE3373029D57AF80914190682 ] WUDFRd C:\Windows\system32\DRIVERS\WUDFRd.sys
21:22:01.0734 1072 WUDFRd - ok
21:22:01.0765 1072 [ 7A95C95B6C4CF292D689106BCAE49543 ] wudfsvc C:\Windows\System32\WUDFSvc.dll
21:22:01.0765 1072 wudfsvc - ok
21:22:01.0781 1072 [ 9A3452B3C2A46C073166C5CF49FAD1AE ] WwanSvc C:\Windows\System32\wwansvc.dll
21:22:01.0781 1072 WwanSvc - ok
21:22:01.0812 1072 ================ Scan global ===============================
21:22:01.0827 1072 [ BA0CD8C393E8C9F83354106093832C7B ] C:\Windows\system32\basesrv.dll
21:22:01.0874 1072 [ EB6A48CC998E1090E44E8E7F1009A640 ] C:\Windows\system32\winsrv.dll
21:22:01.0874 1072 [ EB6A48CC998E1090E44E8E7F1009A640 ] C:\Windows\system32\winsrv.dll
21:22:01.0905 1072 [ D6160F9D869BA3AF0B787F971DB56368 ] C:\Windows\system32\sxssrv.dll
21:22:01.0937 1072 [ 24ACB7E5BE595468E3B9AA488B9B4FCB ] C:\Windows\system32\services.exe
21:22:01.0952 1072 [Global] - ok
21:22:01.0952 1072 ================ Scan MBR ==================================
21:22:01.0968 1072 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
21:22:02.0139 1072 \Device\Harddisk0\DR0 - ok
21:22:02.0139 1072 ================ Scan VBR ==================================
21:22:02.0155 1072 [ B4A651EA79A9998884DA67ECFFB5E2E7 ] \Device\Harddisk0\DR0\Partition1
21:22:02.0155 1072 \Device\Harddisk0\DR0\Partition1 - ok
21:22:02.0155 1072 [ 28971EE490347507F03CFE58A87FDEFA ] \Device\Harddisk0\DR0\Partition2
21:22:02.0171 1072 \Device\Harddisk0\DR0\Partition2 - ok
21:22:02.0171 1072 ============================================================
21:22:02.0171 1072 Scan finished
21:22:02.0171 1072 ============================================================
21:22:02.0186 3580 Detected object count: 0
21:22:02.0186 3580 Actual detected object count: 0
--------------------------------------------------------------------------------
RogueKiller Log
RogueKiller V8.1.1 [10/01/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Website: http://tigzy.geeksto...roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : v [Admin rights]
Mode : Scan -- Date : 10/16/2012 21:42:22
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 7 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HM641JI +++++
--- User ---
[MBR] 2ac35bb9f6076176f09a43f8d819dd10
[BSP] 204c76306128b9011e19763a2ceaaae7 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 595364 Mo
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1250234368 | Size: 10 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
RKreport[1].txt
--------------------------------------------------------------------------------
ListParts64 Log
ListParts by Farbar Version: 15-10-2012
Ran by v (administrator) on 16-10-2012 at 21:51:27
Windows 7 (X64)
Running From: C:\Users\v\Desktop
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 16%
Total physical RAM: 6006.68 MB
Available physical RAM: 4992.23 MB
Total Pagefile: 12011.56 MB
Available Pagefile: 10775.15 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:581.41 GB) (Free:558.83 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Recovery) (Fixed) (Total:14.65 GB) (Free:7.66 GB) NTFS ==>[system with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive d: detected. Check for MBR/Partition infection.
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 100 MB 1024 KB
Partition 2 Primary 14 GB 101 MB
Partition 3 Primary 581 GB 14 GB
Partition 4 Primary 10 MB 596 GB
======================================================================================================
Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No
There is no volume associated with this partition.
======================================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D Recovery NTFS Partition 14 GB Healthy
======================================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 581 GB Healthy System (partition with boot components)
======================================================================================================
Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No
There is no volume associated with this partition.
======================================================================================================
****** End Of Log ******
-
After getting a backdoor Trojan infection (Win32/Kryptik.ALQD.trojan) on my Dell laptop, I reformatted my C-drive yesterday and reinstalled the Win7 OS. Then today, after installing all my Windows security updates, I started getting a popup from my taskbar: "Malicious software was removed from your computer. Click here to complete the removal process."
I don't know whether this is a legitimate Windows popup or a rogue. The Trojan I got that led to me reformatting involved rogue HDD popup warnings, so I don't want to click on this "malicious software" taskbar popup unless it's legitimate.
The only actions I've taken on this machine since reinstalling the OS are installing my drivers and Windows security updates, setting some of my personalization preferences (including turning off UAC notifications), and trying to download Firefox. So I'm concerned that some of the previous infection may have lingered in another partition after the reformat/OS reinstall of the C-drive.
I've run full scans w. MBAM, Windows Defender, and the latest Malicious Software Removal Tool, and all three came up clean. This makes me even more suspicious that the "malicious software" popup is a rogue. MBAM and DDS logs are posted below.
When I reinstalled the OS, I saw 4 partitions:
1) Partition 1 was something called "DELLUTILITIES"
2) Partition 2 was the C-drive
3) Partition 3 was the Recovery D-drive (currently using about half of the 14.6GB available)
4) Partition 4 was unnamed, labeled a "System" partition and allocated 10MB of space with no free space available.
I reformatted only the C-drive and reinstalled the OS on the C-drive. I didn't reformat the Recovery drive or either of the two other partitions.
I'm not at all a computer expert. Is it possible that an infection is still lodged in one of the other three partitions that I didn't reformat? I've never had to do a reformat or OS reinstall before. Do I need to reformat the other partitions, in addition to the C-drive, to fully clear the previous infection? (Is that 4th, "System" partition legitimate?)
I posted about the backdoor Trojan I got here: http://forums.malwarebytes.org/index.php?showtopic=116050. I ended up reformatting b/c removal attempts didn't seem to be restoring the machine to its normal state.
--------------------------------------------------------------------------------
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org
Database version: v2012.10.16.01
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
v :: V-PC [administrator]
10/15/2012 7:22:23 PM
mbam-log-2012-10-15 (19-22-23).txt
Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 258429
Time elapsed: 10 minute(s), 23 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
--------------------------------------------------------------------------------
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by v at 19:37:41 on 2012-10-15
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6007.4359 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\MRT.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.nytimes.com/
uDefault_Page_URL = hxxp://www.dell.com
mWinlogon: Userinit=userinit.exe
mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malware Bytes\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3E5B10EA-6524-4C13-9369-7EFDF1E4658C} : DhcpNameServer = 192.168.2.1
mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files\Malware Bytes\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-10-14 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-10-14 13336]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-10-14 2320920]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 BcmVWL;Broadcom Virtual Wireless;C:\Windows\system32\DRIVERS\bcmvwl64.sys --> C:\Windows\system32\DRIVERS\bcmvwl64.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\drivers\nusb3hub.sys --> C:\Windows\system32\drivers\nusb3hub.sys [?]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\drivers\nusb3xhc.sys --> C:\Windows\system32\drivers\nusb3xhc.sys [?]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
.
=============== Created Last 30 ================
.
2012-10-16 02:21:51 -------- d-----w- C:\Users\v\AppData\Roaming\Malwarebytes
2012-10-16 02:21:40 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-10-16 02:21:40 -------- d-----w- C:\ProgramData\Malwarebytes
2012-10-16 02:19:23 -------- d-----w- C:\Program Files\Malware Bytes
2012-10-16 01:31:13 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-10-16 01:31:13 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-10-16 01:31:13 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-10-16 01:31:12 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-10-16 01:31:12 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-10-16 01:31:12 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-10-16 01:31:12 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-10-16 01:29:57 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-10-16 01:28:34 77312 ----a-w- C:\Windows\System32\packager.dll
2012-10-16 01:28:34 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-10-14 20:23:13 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-10-14 20:23:11 9308616 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1A25829E-D24A-4C47-80B2-C4AA902C30B8}\mpengine.dll
2012-10-14 20:12:44 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-10-14 20:12:41 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-10-14 20:12:35 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-10-14 20:12:35 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-10-14 20:02:38 -------- d-----w- C:\Users\v\AppData\Roaming\Intel Corporation
2012-10-14 19:54:58 -------- d-----w- C:\Windows\Panther
2012-10-14 19:54:43 -------- d-sh--w- C:\Boot
2012-10-14 19:54:24 -------- d-----w- C:\Windows\System32\OEM
2012-10-14 19:54:24 -------- d-----w- C:\Hotfix
2012-10-14 19:54:24 -------- d-----w- C:\Drivers
2012-10-14 19:53:21 540696 ----a-w- C:\Windows\System32\drivers\iaStor.sys
2012-10-14 19:52:43 74272 ----a-w- C:\Windows\System32\RtNicProp64.dll
2012-10-14 19:52:43 107552 ----a-w- C:\Windows\System32\RTNUninst64.dll
2012-10-14 19:52:42 325152 ----a-w- C:\Windows\System32\drivers\Rt64win7.sys
2012-10-14 19:52:22 -------- d-----w- C:\Program Files (x86)\Realtek
2012-10-14 19:49:53 -------- d-----w- C:\Program Files (x86)\Common Files\postureAgent
2012-10-14 19:49:33 56344 ----a-w- C:\Windows\System32\drivers\HECIx64.sys
2012-10-14 19:41:21 53248 ----a-r- C:\Windows\SysWow64\CSVer.dll
2012-10-14 19:40:45 -------- d-----w- C:\Intel
2012-10-14 19:33:53 -------- d-----w- C:\Users\v\AppData\Local\ATI
2012-10-14 19:33:16 -------- d-----w- C:\Program Files\Common Files\ATI Technologies
2012-10-14 19:33:09 125456 ----a-w- C:\Windows\System32\drivers\AtiHdmi.sys
2012-10-14 19:32:57 55296 ----a-w- C:\Windows\System32\coinst.dll
2012-10-14 19:32:57 446464 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2012-10-14 19:32:44 -------- d-----w- C:\Program Files (x86)\ATI Technologies
2012-10-14 19:32:08 -------- d-----w- C:\Program Files\ATI
2012-10-14 19:31:20 -------- d-----w- C:\Program Files\ATI Technologies
2012-10-14 19:23:15 -------- d-----w- C:\Users\v\AppData\Local\Diagnostics
2012-10-14 19:19:35 -------- d-----w- C:\Program Files (x86)\Cisco
2012-10-14 19:18:12 1089024 ----a-w- C:\Windows\System32\BCMLogon.dll
2012-10-14 19:18:01 6656 ----a-w- C:\Windows\System32\bcmwlrc.dll
2012-10-14 19:18:01 47632 ----a-w- C:\Windows\System32\drivers\npf.sys
2012-10-14 19:18:01 22520 ----a-w- C:\Windows\System32\drivers\bcm42rly.sys
2012-10-14 19:18:00 73728 ----a-w- C:\Windows\System32\wltrynt.dll
2012-10-14 19:18:00 60928 ----a-w- C:\Windows\System32\bcmwlrmt.dll
2012-10-14 19:18:00 4961800 ----a-w- C:\Windows\SysWow64\vcredist_x64.exe
2012-10-14 19:18:00 4750848 ----a-w- C:\Windows\System32\bcmttls.dll
2012-10-14 19:18:00 459 ----a-w- C:\Windows\SysWow64\vcredist_x64.bat
2012-10-14 19:17:59 8075776 ----a-w- C:\Windows\System32\BCMWLCPL.CPL
2012-10-14 19:17:59 457 ----a-w- C:\Windows\System32\vcredist_x64.bat
2012-10-14 19:17:59 3161088 ----a-w- C:\Windows\System32\vcredist_x64.exe
2012-10-14 19:17:58 95472 ----a-w- C:\Windows\System32\bcmwlcoi.dll
2012-10-14 19:17:58 3555840 ----a-w- C:\Windows\System32\bcmihvui64.dll
2012-10-14 19:17:57 3891200 ----a-w- C:\Windows\System32\bcmihvsrv64.dll
2012-10-14 19:17:57 3058168 ----a-w- C:\Windows\System32\drivers\BCMWL664.SYS
2012-10-14 19:17:38 20984 ----a-w- C:\Windows\System32\drivers\bcmvwl64.sys
2012-10-14 19:17:26 -------- d-----w- C:\dell
2012-10-14 19:12:01 -------- d-----w- C:\Program Files\Dell
2012-10-14 19:08:14 45056 ----a-r- C:\Users\v\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
2012-10-14 19:08:11 -------- d-----w- C:\Windows\SysWow64\vmm32
2012-10-14 19:08:11 -------- d-----w- C:\Program Files (x86)\Dell
2012-10-14 19:07:30 -------- d-sh--w- C:\Windows\Installer
2012-10-14 18:57:28 0 ----a-w- C:\Windows\ativpsrm.bin
.
==================== Find3M ====================
.
.
============= FINISH: 19:37:55.34 ===============
--------------------------------------------------------------------------------
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 10/14/2012 12:03:36 PM
System Uptime: 10/15/2012 6:37:30 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 0G62V9
Processor: Intel® Core i5 CPU M 460 @ 2.53GHz | CPU 1 | 1188/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 581 GiB total, 558.991 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 7.659 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP3: 10/14/2012 12:07:53 PM - Installed Dell Resource CD.
RP4: 10/14/2012 12:11:52 PM - Installed Quickset64.
RP5: 10/14/2012 12:37:32 PM - Installed IDT Audio
RP6: 10/14/2012 12:52:11 PM - Installed Realtek Ethernet Controller Driver For Windows Vista aýOÐU
RP7: 10/14/2012 1:12:25 PM - Windows Update
RP8: 10/14/2012 1:21:50 PM - Windows Update
RP9: 10/15/2012 6:30:20 PM - Windows Update
.
==== Installed Programs ======================
.
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Dell Resource CD
IDT Audio
Intel® Management Engine Components
Intel® Rapid Storage Technology
Intel® Turbo Boost Technology Driver
Malwarebytes Anti-Malware version 1.65.0.1400
Realtek Ethernet Controller Driver For Windows 7
.
==== Event Viewer Messages From Past Week ========
.
10/15/2012 7:36:44 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
10/15/2012 6:37:12 PM, Error: Service Control Manager [7034] - The Intel® Management & Security Application User Notification Service service terminated unexpectedly. It has done this 1 time(s).
10/15/2012 6:37:11 PM, Error: Service Control Manager [7034] - The Intel® Rapid Storage Technology service terminated unexpectedly. It has done this 1 time(s).
10/15/2012 6:37:08 PM, Error: Service Control Manager [7031] - The Intel® Management and Security Application Local Management Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
10/14/2012 11:58:28 AM, Error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error %%-2147023781.
10/14/2012 11:58:28 AM, Error: Microsoft-Windows-Bits-Client [16392] - The BITS service failed to start. Error 0x8007045B.
.
==== End Of File ===========================
-
Maniac, I'm not sure what steps to take next. My machine still isn't functioning quite properly (still getting the "*.exe is not a valid Win32 application" error and running into some sort of unidentified program that seems to be running in the background). I haven't uninstalled Combofix or deleted/cleaned up any of the quarantines.
Waiting for instructions ...
Thank you for all your help so far.
-
Hello. I'm being helped by Maniac here: http://forums.malwarebytes.org/index.php?showtopic=116050
I'd sent you a PM on the 22nd about the second thread w. Maniac. I'm sorry for the confusion.
-
Sorry for this follow-up post, Maniac. I just noticed a couple of additional issues when I went to shut down the infected machine:
3) When I went to shut down the machine, I got the message that Windows was waiting for background programs to close. The only thing I'd tried to do after booting up was launch TDSSKiller, which failed. I didn't click on, launch, or run anything else, and my computer isn't hooked up to the internet. (I'd disabled the wireless network adapter and turned off my wireless router.) I don't know what was running in the background — the computer was shutting down, so I didn't get to Task Manager — or if I should be worried that I got this background-programs message?
4) Before shutting down, when I tried to do a safe eject of my USB thumb drive, I got the error that the device couldn't be stopped because it was currently in use. I've been getting this "device in use" eject failure since infection, even when all I do is plug in the USB and don't access anything on it or copy anything to/from it. Just now, I had plugged in the USB drive to test it but hadn't interacted with it at all, so should the USB device show as being in use? Prior to infection, I had no issues with being able to stop and safe-eject the USB drive, so long as no file on it was currently being accessed by an active program.
-
Thank you very much! The machine is better, although not quite all the way back to its pre-infection state.
All my programs, folders, and files seem to be visible and accessible now, and I haven't had any recurrences of the HDD or "Write Fault" error messages. Additionally, the rogue HDD-error icon that had appeared in my system tray (red circle w. a white X) is now gone.
However, a couple of things that are still non-functional or a little off:
1) I clicked on the TDSSKiller.exe file on my desktop to see if I could get it to launch. I wasn't going to run the scan — I planned on cancelling if/once the interface launched — but I wanted to see if I could at least launch the program now. TDSSKiller still won't launch. I'm still getting the same "tdsskiller.exe is not a valid Win32 application" error. (I was able to run TDSSKiller on this machine successfully back in June.)
I was noticing that this forum poster reported the same "not a valid Win32 app" error: http://forums.malwarebytes.org/index.php?showtopic=115979
Is the Win32 error I'm getting related to the backdoor Trojan that infected my machine, or is this a separate infection issue?
2) My desktop background, which had been the default Dell/Win 7 aero blue theme, has been a solid black since I first restarted the machine after infection. I'm able to go to my appearance personalization options to change the theme back to the default, but I don't know if the remaining black background is an infection remnant that I need to be worried about. It shows up in my theme personalization options as an "Unsaved Theme." (I'm sorry if this is a dumb question to be worried about. I'm just wary of everything out-of-the-ordinary now.)
-
Maniac, I went ahead and ran the ESET scan w. the additional scan options checked. Log is below.
When the scan was finished, I had the option to choose "Uninstall application on close" and "Delete quarantined files." I left both unchecked, so ESET is still installed.
--------------------------------------------------------------------------------
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=29ee5187ebb7154aae31e0aeead4bf45
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-09-23 08:53:02
# local_time=2012-09-23 01:53:02 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=5893 16776573 100 94 0 99973770 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=176332
# found=2
# cleaned=2
# scan_time=3283
C:\Qoobox\Quarantine.zip a variant of Win32/Kryptik.ALQD trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\ProgramData\RMgOYWJNIRmTJbK.exe.vir a variant of Win32/Kryptik.ALQD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
-
OK, I have "Remove found threats" and "Scan for potentially unwanted applications" both checked. There are three additional options; should any of these also be checked?
• Scan archives
• Scan for potentially unsafe applications
• Enable Anti-Stealth technology
The Anti-Stealth option is checked by default; the other two are not checked.
-
OK, I've created a zip file of the Qoobox Quarantine folder and sent you a PM w. the link to access it.
-
Thank you for your guidance, Maniac. I backed up my data files. Here's the ComboFix log:
--------------------------------------------------------------------------------
ComboFix 12-09-22.02 - v 09/22/2012 21:41:42.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6007.4478 [GMT -7:00]
Running from: c:\users\v\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\RMgOYWJNIRmTJbK.exe
Y:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-08-23 to 2012-09-23 )))))))))))))))))))))))))))))))
.
.
2012-09-23 05:09 . 2012-09-23 05:09 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-23 05:09 . 2012-09-23 05:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-10 18:30 . 2012-09-10 18:30 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F8A52000-996B-41D1-B1F7-728EC38EA79B}\offreg.dll
2012-09-08 17:20 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F8A52000-996B-41D1-B1F7-728EC38EA79B}\mpengine.dll
2012-09-05 23:18 . 2012-09-05 23:18 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-09-05 23:12 . 2012-09-05 23:12 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-31 04:40 . 2012-08-31 04:40 73696 ----a-w- c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-08-25 02:48 . 2012-08-25 02:48 -------- d-----w- c:\program files (x86)\Amazon
2012-08-25 02:47 . 2012-08-25 02:47 -------- d-----w- c:\program files\Amazon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-05 23:12 . 2011-05-14 04:28 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-09-05 23:09 . 2012-04-04 20:05 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-09-05 23:09 . 2011-05-17 05:19 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-16 07:24 . 2011-01-22 19:52 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-07-18 17:31 . 2012-08-16 07:24 3146752 ----a-w- c:\windows\system32\win32k.sys
2012-07-04 22:04 . 2012-08-16 07:24 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-07-04 22:01 . 2012-08-16 07:24 58880 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 22:01 . 2012-08-16 07:24 136704 ----a-w- c:\windows\system32\browser.dll
2012-07-04 21:23 . 2012-08-16 07:24 41472 ----a-w- c:\windows\SysWow64\browcli.dll
2012-06-27 07:03 . 2012-08-16 07:24 1197568 ----a-w- c:\windows\system32\wininet.dll
2012-06-27 07:03 . 2012-08-16 07:24 1501184 ----a-w- c:\windows\system32\urlmon.dll
2012-06-27 07:03 . 2012-08-16 07:24 134144 ----a-w- c:\windows\system32\url.dll
2012-06-27 07:00 . 2012-08-16 07:24 1026560 ----a-w- c:\windows\system32\mstime.dll
2012-06-27 06:59 . 2012-08-16 07:24 9372672 ----a-w- c:\windows\system32\mshtml.dll
2012-06-27 06:59 . 2012-08-16 07:24 97792 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-27 06:59 . 2012-08-16 07:24 82944 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-06-27 06:59 . 2012-08-16 07:24 736256 ----a-w- c:\windows\system32\msfeeds.dll
2012-06-27 06:59 . 2012-08-16 07:24 57856 ----a-w- c:\windows\system32\licmgr10.dll
2012-06-27 06:58 . 2012-08-16 07:24 64512 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-27 06:58 . 2012-08-16 07:24 247808 ----a-w- c:\windows\system32\ieui.dll
2012-06-27 06:58 . 2012-08-16 07:24 2458624 ----a-w- c:\windows\system32\iertutil.dll
2012-06-27 06:58 . 2012-08-16 07:24 12405760 ----a-w- c:\windows\system32\ieframe.dll
2012-06-27 06:58 . 2012-08-16 07:24 256000 ----a-w- c:\windows\system32\iepeers.dll
2012-06-27 06:58 . 2012-08-16 07:24 445952 ----a-w- c:\windows\system32\iedkcs32.dll
2012-06-27 06:55 . 2012-08-16 07:24 12288 ----a-w- c:\windows\system32\msfeedssync.exe
2012-06-27 06:03 . 2012-08-16 07:24 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-27 06:01 . 2012-08-16 07:24 44544 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-06-27 05:41 . 2012-08-16 07:24 482816 ----a-w- c:\windows\system32\html.iec
2012-06-27 04:58 . 2012-08-16 07:24 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-27 04:53 . 2012-08-16 07:24 386048 ----a-w- c:\windows\SysWow64\html.iec
2012-06-27 04:19 . 2012-08-16 07:24 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\Daemon Tools\DAEMON Tools Lite\DTLite.exe" [2012-02-13 3481408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-06-08 284696]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-06-02 98304]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe" [2010-08-12 163040]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-12-29 1082656]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-03-30 53800]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-30 35104]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-08-31 114144]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-03-17 232480]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-17 325152]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-03-31 283200]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-06-02 203264]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-06-08 13336]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-08-20 689472]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2009-11-02 13784]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-03 2320920]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-06-02 6857728]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-06-02 264192]
S3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys [2010-02-03 20984]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2731273616-2889505413-518904877-1000Core.job
- c:\users\v\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-30 05:27]
.
2012-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2731273616-2889505413-518904877-1000UA.job
- c:\users\v\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-30 05:27]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-06-18 487424]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2010-02-03 5712896]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.nytimes.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: alohaenterprise.com\nextstudent
Trusted Zone: nextstudent.com\exchange
FF - ProfilePath - c:\users\v\AppData\Roaming\Mozilla\Firefox\Profiles\g457744h.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-RMgOYWJNIRmTJbK.exe - c:\programdata\RMgOYWJNIRmTJbK.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-dBpoweramp Music Converter - c:\windows\system32\SpoonUninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\05\02\1d\02\01#é"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-22 22:28:01
ComboFix-quarantined-files.txt 2012-09-23 05:27
.
Pre-Run: 497,562,943,488 bytes free
Post-Run: 498,568,183,808 bytes free
.
- - End Of File - - AC7F5D0FE4598C32CCEC6A901E4C01C9
-
Thank you, Maniac. I downloaded the Panda USB vaccine and have vaccinated my USB drive as well as the machine I've been using to download the cleaner programs. I'd already used the USB drive between the infected machine and the clean one — before you sent the Panda link — so I'm running malware scans on the second machine to make sure it's still clean. So far, scans haven't detected anything.
As far as the infected machine:
1) What steps should I take next? I'm still not able to run TDSSKiller. I get the "not a valid Win32 application" error when I double-click on the tdsskiller.exe icon on the desktop. I tried three different instances of the .exe file — 1 downloaded via Firefox, 1 via IE, and 1 via Chrome.
2) I've noticed that after I run Unhide, the My Documents folder on my desktop (and the files it contains) become visible. However, everything on the C-drive is still hidden. I can see the C-drive icon in the explorer window, but if you click on it or try to expand the folder list, nothing shows up, and the explorer window says that the C-drive folder is empty. I don't know if Unhide is supposed to be unhiding the folders and program files on the C-drive?
3) After running Unhide, I was going to try to back up my data (My Docs, Firefox profile, Outlook data files) to an external drive. I'll vaccinate the drive w. Panda before I use it. Is there a risk of spreading the infection via data files (e.g., .xls, .doc, .pst, .ost, .pdf, MP3) if I copy these from the infected machine to my external drive? Also, my PST files are among the program files on the C-drive that are still hidden. I'm not sure how to get to those ...
Thank you very much again for the Panda Security link. I'm going to use that to vaccinate all my USB drives.
-
I downloaded TDSSKiller using IE and then Chrome (I'd originally used Firefox), and I got the same error, "tdsskiller.exe is not a valid Win32 application," when trying to run either.
Note: I'm downloading the tdsskiller.exe file from a different machine to a USB drive and then copying the file from the USB drive onto the desktop of the infected machine — I don't know if that makes a difference. Because of the backdoor danger, I didn't want to hook the infected machine up to the internet in order to download the needed cleaner programs. So I've been copying the programs over to the infected machine's desktop from a USB drive.
-
Hello, Maniac. Thank you for the backdoor warning. I understand. Yes, please, I would still like to try to clean this machine. Thank you so much for your help, the speedy reply, and your easy-to-follow instructions.
I'd already disconnected this machine from the Internet and have kept it shut down. After booting up today to run the programs you listed for me, I disabled the wireless adapter before running the programs.
I booted up in Normal mode and was able to run both Unhide and RKill. (I was able to run the rkill.exe version.) Logs are below.
However, when I try to run TDSSKiller from my desktop, I get this error:
C:\Users\[...]\Desktop\tdsskiller.exe is not a valid Win32 application.
--------------------------------------------------------------------------------
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html
Program started at: 09/18/2012 11:18:10 PM
Windows Version: Windows 7
Please be patient while your files are made visible again.
Processing the C:\ drive
Finished processing the C:\ drive. 214278 files processed.
Processing the E:\ drive
Finished processing the E:\ drive. 995 files processed.
Restoring the Start Menu.
* 154 Shortcuts and Desktop items were restored.
Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
* DisableTaskMgr policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
* HidNoChangingWallPaperden policy was found and deleted!
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* Start_ShowControlPanel was set to 0! It was set back to 1!
* Start_ShowHelp was set to 0! It was set back to 1!
* Start_ShowMyComputer was set to 0! It was set back to 1!
* Start_ShowMyDocs was set to 0! It was set back to 1!
* Start_ShowMyMusic was set to 0! It was set back to 1!
* Start_ShowMyPics was set to 0! It was set back to 1!
* Start_ShowPrinters was set to 0! It was set back to 1!
* Start_ShowRun was set to 0! It was set back to 1!
* Start_ShowSearch was set to 0! It was set back to 1!
* Start_ShowSetProgramAccessAndDefaults was set to 0! It was set back to 1!
* Start_ShowRecentDocs was set to 0! It was set back to 2!
* Start_ShowNetConn was set to 0! It was set back to 1!
* Start_ShowNetPlaces was set to 0! It was set back to 1!
* Start_TrackDocs was set to 0! It was set back to 1!
* Start_TrackProgs was set to 0! It was set back to 1!
* Start_ShowUser was set to 0! It was set back to 1!
* Start_ShowMyGames was set to 0! It was set back to 1!
Restarting Explorer.exe in order to apply changes.
Program finished at: 09/18/2012 11:23:20 PM
Execution time: 0 hours(s), 5 minute(s), and 10 seconds(s)
--------------------------------------------------------------------------------
Rkill 2.3.15 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 09/18/2012 11:26:28 PM in x64 mode.
Windows Version: Windows 7 Home Premium
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* C:\ProgramData\RMgOYWJNIRmTJbK.exe (PID: 3540) [AU-HEUR]
1 proccess terminated!
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
* HKLM\Software\Classes\exefile\shell\open\command\\IsolatedCommand was changed. It was reset to "%1" %*!
* HKLM\Software\Classes\exefile\shell\runas\command\\IsolatedCommand was changed. It was reset to "%1" %*!
Performing miscellaneous checks:
* SMTMP folder detected. Please see this link for more information: http://www.bleepingcomputer.com/forums/topic405109.html
Checking Windows Service Integrity:
* No issues found.
Searching for Missing Digital Signatures:
* No issues found.
Program finished at: 09/18/2012 11:26:41 PM
Execution time: 0 hours(s), 0 minute(s), and 13 seconds(s)
-
Hello. I believe I've picked up a fake HDD virus. MBAM detects two PUM.Hijack.StartMenu items but stalls out when I attempt to remove them.
After clicking to a website from Google search, a PDF began auto-downloading in my Firefox downloads. Suddenly, programs began shutting down, and I started getting several critical HDD error messages:
• "Device initialization failed"
• "Critical Error. Drive sector not found error"
• "Critical error. Hard drive controller failure"
• "Data Error Reading Drive C:\"
• "System message - Write Fault Error. A write command during the test has failed to complete. This may be due to a media or read/write error. The system generates an exception reference to an invalid system memory address."
I tried to run MBAM, but the scan aborted after a few minutes and MBAM was shut down.
I booted up in Safe Mode. All folders, files, system files, programs, documents, etc. are now unviewable.
I was able to run MBAM.exe using the Run command. MBAM detects two PUM.Hijack.StartMenu items, but when I attempt to remove them, MBAM freezes. I shut MBAM down and ran it again and was able to produce the log.
MBAM and DDS logs below. Any help you can provide is very much appreciated.
--------------------------------------------------------------------------------
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org
Database version: v2012.09.10.08
Windows 7 x64 FAT (Safe Mode)
Internet Explorer 8.0.7600.16385
v :: V-PC [administrator]
9/15/2012 10:37:34 AM
mbam-log-2012-09-15 (11-10-41).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 360753
Time elapsed: 31 minute(s), 39 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
--------------------------------------------------------------------------------
.
DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.7.2
Run by v at 11:15:58 on 2012-09-15
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6007.4713 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files (x86)\Malwarebytes\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.nytimes.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\Daemon Tools\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [Google Update] "C:\Users\v\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [RMgOYWJNIRmTJbK.exe] C:\ProgramData\RMgOYWJNIRmTJbK.exe
mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\OFFICE11\REFIEBAR.DLL
Trusted Zone: alohaenterprise.com\nextstudent
Trusted Zone: nextstudent.com\exchange
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{60DC434B-7369-4C0B-AA1A-DBA2FA0F87E9} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{60DC434B-7369-4C0B-AA1A-DBA2FA0F87E9}\140707C65602E4564777F627B602564693632693 : DhcpNameServer = 10.0.1.1
TCP: Interfaces\{60DC434B-7369-4C0B-AA1A-DBA2FA0F87E9}\14E64627F696461405 : DhcpNameServer = 192.168.43.1
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO-X64: Search Helper - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
mRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
mRun-x64: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [RMgOYWJNIRmTJbK.exe] C:\ProgramData\RMgOYWJNIRmTJbK.exe
mRunOnce-x64: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\v\AppData\Roaming\Mozilla\Firefox\Profiles\g457744h.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\v\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
S2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2010-12-29 89600]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-12-29 13336]
S2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-12-29 689472]
S2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]
S2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-29 2320920]
S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
S3 BcmVWL;Broadcom Virtual Wireless;C:\Windows\system32\DRIVERS\bcmvwl64.sys --> C:\Windows\system32\DRIVERS\bcmvwl64.sys [?]
S3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-5 114144]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 TurboBoost;TurboBoost;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2009-11-2 126352]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
.
=============== Created Last 30 ================
.
2012-09-10 23:12:52 379904 ---ha-w- C:\ProgramData\RMgOYWJNIRmTJbK.exe
2012-09-10 18:30:18 69000 ---ha-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F8A52000-996B-41D1-B1F7-728EC38EA79B}\offreg.dll
2012-09-08 17:20:51 9310152 ---ha-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F8A52000-996B-41D1-B1F7-728EC38EA79B}\mpengine.dll
2012-09-05 23:12:55 95208 ---ha-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-31 04:40:47 73696 ---ha-w- C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-08-25 02:48:21 -------- d--h--w- C:\Program Files (x86)\Amazon
2012-08-25 02:47:33 -------- d--h--w- C:\Program Files\Amazon
.
==================== Find3M ====================
.
2012-09-05 23:12:51 746984 ---ha-w- C:\Windows\SysWow64\deployJava1.dll
2012-09-05 23:09:16 73416 ---ha-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-05 23:09:16 696520 ---ha-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-18 17:31:12 3146752 ----a-w- C:\Windows\System32\win32k.sys
2012-07-04 22:01:38 58880 ----a-w- C:\Windows\System32\browcli.dll
2012-07-04 22:01:38 136704 ----a-w- C:\Windows\System32\browser.dll
2012-07-04 21:23:55 41472 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-06-27 07:03:25 1197568 ----a-w- C:\Windows\System32\wininet.dll
2012-06-27 06:59:12 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2012-06-27 06:03:21 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-27 06:01:19 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2012-06-27 05:41:43 482816 ----a-w- C:\Windows\System32\html.iec
2012-06-27 04:58:58 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-27 04:53:25 386048 ----a-w- C:\Windows\SysWow64\html.iec
2012-06-27 04:19:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-19 15:53:55 129024 ---ha-w- C:\Windows\RegBootClean64.exe
2012-06-19 15:53:41 21520 ---ha-w- C:\Windows\DCEBoot64.exe
.
============= FINISH: 11:23:53.71 ===============
--------------------------------------------------------------------------------
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 1/22/2011 11:58:55 PM
System Uptime: 9/15/2012 10:25:16 AM (1 hours ago)
.
Motherboard: Dell Inc. | | 0G62V9
Processor: Intel® Core™ i5 CPU M 460 @ 2.53GHz | CPU 1 | 2533/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 581 GiB total, 464.071 GiB free.
D: is CDROM ()
E: is Removable
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Security Processor Loader Driver
Device ID: ROOT\LEGACY_SPLDR\0000
Manufacturer:
Name: Security Processor Loader Driver
PNP Device ID: ROOT\LEGACY_SPLDR\0000
Service: spldr
.
==== System Restore Points ===================
.
RP165: 8/12/2012 11:01:41 PM - Windows Update
RP166: 8/16/2012 12:24:32 AM - Windows Update
RP168: 8/23/2012 11:02:05 PM - Windows Update
RP169: 8/28/2012 7:23:09 PM - Windows Update
RP170: 9/4/2012 7:41:30 AM - Windows Update
RP171: 9/5/2012 4:10:17 PM - Installed Java 7 Update 7
RP172: 9/8/2012 10:20:02 AM - Windows Update
.
==== Installed Programs ======================
.
Across Lite
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.1
Advanced Audio FX Engine
Amazon MP3 Downloader 1.0.15
Apple Application Support
Apple Software Update
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
Consumer In-Home Service Agreement
Cozi
DAEMON Tools Lite
dBpoweramp Music Converter
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell DataSafe Online
Dell Dock
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Webcam Central
Google Chrome
GoToAssist 8.0.0.514
GoToMeeting 5.3.0.970
GPL Ghostscript Lite 8.70
IDT Audio
Intel® Control Center
Intel® Management Engine Components
Intel® Rapid Storage Technology
Java 7 Update 7
Java Auto Updater
JavaFX 2.1.1
Junk Mail filter update
Live! Cam Avatar Creator
LoJack Factory Installer
Malwarebytes Anti-Malware version 1.65.0.1400
Microsoft Choice Guard
Microsoft Office 2010
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 15.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
QuickTime
Realtek USB 2.0 Card Reader
Rosetta Stone Version 3
Roxio Burn
Security Update for CAPICOM (KB931906)
Skype Toolbars
Skype™ 4.2
VLC media player 1.1.11
WebEx
WildTangent Games
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Player Firefox Plugin
.
==== Event Viewer Messages From Past Week ========
.
9/15/2012 10:26:16 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
9/15/2012 10:26:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
9/15/2012 10:26:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/15/2012 10:26:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
9/15/2012 10:26:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
9/15/2012 10:26:14 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/15/2012 10:26:09 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
9/15/2012 10:25:49 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf ws2ifsl
9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
.
==== End Of File ===========================
-
I was able to boot up in Safe Mode. All files (C-drive, Start Menu, documents, everything) are hidden and inaccessible due to the infection. I ran MBAM.exe using the Run command. A full scan found two PUM.Hijack.StartMenu items, but nothing else.
DDS.txt log below. I have the Attach.txt and MBAM logs as well; if you need me to post them, just let me know.
Thank you very much for your help.
--------------------------------------------------------------------------------
.
DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.7.2
Run by v at 11:15:58 on 2012-09-15
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6007.4713 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files (x86)\Malwarebytes\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.nytimes.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\Daemon Tools\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [Google Update] "C:\Users\v\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [RMgOYWJNIRmTJbK.exe] C:\ProgramData\RMgOYWJNIRmTJbK.exe
mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\OFFICE11\REFIEBAR.DLL
Trusted Zone: alohaenterprise.com\nextstudent
Trusted Zone: nextstudent.com\exchange
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{60DC434B-7369-4C0B-AA1A-DBA2FA0F87E9} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{60DC434B-7369-4C0B-AA1A-DBA2FA0F87E9}\140707C65602E4564777F627B602564693632693 : DhcpNameServer = 10.0.1.1
TCP: Interfaces\{60DC434B-7369-4C0B-AA1A-DBA2FA0F87E9}\14E64627F696461405 : DhcpNameServer = 192.168.43.1
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO-X64: Search Helper - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
mRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
mRun-x64: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [RMgOYWJNIRmTJbK.exe] C:\ProgramData\RMgOYWJNIRmTJbK.exe
mRunOnce-x64: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\v\AppData\Roaming\Mozilla\Firefox\Profiles\g457744h.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\v\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
S2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2010-12-29 89600]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-12-29 13336]
S2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-12-29 689472]
S2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]
S2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-29 2320920]
S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
S3 BcmVWL;Broadcom Virtual Wireless;C:\Windows\system32\DRIVERS\bcmvwl64.sys --> C:\Windows\system32\DRIVERS\bcmvwl64.sys [?]
S3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-5 114144]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 TurboBoost;TurboBoost;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2009-11-2 126352]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
.
=============== Created Last 30 ================
.
2012-09-10 23:12:52 379904 ---ha-w- C:\ProgramData\RMgOYWJNIRmTJbK.exe
2012-09-10 18:30:18 69000 ---ha-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F8A52000-996B-41D1-B1F7-728EC38EA79B}\offreg.dll
2012-09-08 17:20:51 9310152 ---ha-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F8A52000-996B-41D1-B1F7-728EC38EA79B}\mpengine.dll
2012-09-05 23:12:55 95208 ---ha-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-31 04:40:47 73696 ---ha-w- C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-08-25 02:48:21 -------- d--h--w- C:\Program Files (x86)\Amazon
2012-08-25 02:47:33 -------- d--h--w- C:\Program Files\Amazon
.
==================== Find3M ====================
.
2012-09-05 23:12:51 746984 ---ha-w- C:\Windows\SysWow64\deployJava1.dll
2012-09-05 23:09:16 73416 ---ha-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-05 23:09:16 696520 ---ha-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-18 17:31:12 3146752 ----a-w- C:\Windows\System32\win32k.sys
2012-07-04 22:01:38 58880 ----a-w- C:\Windows\System32\browcli.dll
2012-07-04 22:01:38 136704 ----a-w- C:\Windows\System32\browser.dll
2012-07-04 21:23:55 41472 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-06-27 07:03:25 1197568 ----a-w- C:\Windows\System32\wininet.dll
2012-06-27 06:59:12 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2012-06-27 06:03:21 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-27 06:01:19 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2012-06-27 05:41:43 482816 ----a-w- C:\Windows\System32\html.iec
2012-06-27 04:58:58 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-27 04:53:25 386048 ----a-w- C:\Windows\SysWow64\html.iec
2012-06-27 04:19:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-19 15:53:55 129024 ---ha-w- C:\Windows\RegBootClean64.exe
2012-06-19 15:53:41 21520 ---ha-w- C:\Windows\DCEBoot64.exe
.
============= FINISH: 11:23:53.71 ===============
-
Hello. I believe I've been hit with the Smart HDD virus or something similar. I can't run MBAM, so I don't know for sure. But I'm getting similar critical hard-drive error messages to those that have been reported with Smart HDD.
I've tried to start up in Safe Mode. I get a Windows Error Recovery message that allows me to choose only between "Launch Startup Repair" and "Start Windows Normally." I didn't want to run Startup Repair until I'd consulted this forum.
I'm running Win7, 64-bit, on a Dell Inspiron laptop. Any help that you can provide would be very much appreciated.
I'm sorry I don't have the DDS scan yet, since my computer shut down after infection. But here's the chain of events:
• Using Firefox, I ran a Google search and clicked on a link in the Google search results to go to a recognized website.
• As soon as I clicked over to the website, a PDF began downloading. I hadn't clicked on anything within the site itself that should have prompted a PDF download. I tried to cancel the download in my FF downloads window, but the download had already completed. My open Adobe Acrobat windows immediately closed.
• Since an auto-PDF download was how I picked up a Trojan.Dropper.BCMiner infection a couple months ago, I immediately started a MBAM scan. I was able to update MBAM and initiate the scan.
• While MBAM was running, I tried to also initiate a Windows Defender scan. I couldn't launch Windows Defender at all; I couldn't even get to the Windows Defender launch interface.
• While MBAM was running, my open Firefox windows suddenly closed, and then my open IE window. I was able to re-open FF, but I couldn't connect to any websites — my wireless connection had been disconnected. My network was still online, so I tried to reconnect. I got a seeming Windows message prompting me to connect an Ethernet cable to my laptop. I ignored the error and connected to my wireless network.
• Then my FF shut down again. Concerned that I might be open to remote-control of my laptop, I disconnected from my wireless network to take my computer offline.
• Then I got a seeming Windows message popup, with an exclamation mark in a yellow triangle, telling me that Windows had encountered an error during an IO something-or-other and that it was recommended that I do a HDD "Scan and Repair" to prevent possible data loss. There were a couple grammar errors in the message, so I ignored it.
• Next, the MBAM scan suddenly aborted mid-scan, and MBAM shut down.
• Then I got a string of 10 or so popup error dialogs, also marked with an exclamation mark in a yellow triangle, that said, "System message - Write Fault Error. A write command during the test has failed to complete. This may be due to a media or read/write error. The system generates an exception reference to an invalid system memory address." The three button options were "Cancel," "Try Again," and "Continue."
• I ignored these pop-ups as well, and then I started getting error messages from the system tray/notifications section of my toolbar. The messages popped up one at a time. When I didn't click on an error message, a new error notification would pop up after a few minutes. The notifications cycled repeatedly through 5 different messages: "Device initialization failed" (marked with a white X in a red circle). "Critical Error. Drive sector not found error" (exclamation mark in a yellow triangle). "Critical error. Hard drive controller failure" (excla. mark in a yellow triangle). "Data Error Reading Drive C:\" (X in red circle). And one more error message about insufficient system resources.
• While I was writing down the errors, all the icons in my Quick Launch toolbar disappeared.
• Then I got another string of those popup "Write Fault Error" dialogs, and then another string after several minutes.
• I didn't click on anything. After about 15–20 minutes, my computer, of its own accord, cleared all the pop-up dialogs that were on the desktop, as well as the IO/HDD "Scan and Repair" window; then it logged itself off and shut itself down and began to restart Windows. At that point, I force-shut it down before it could restart Windows.
• When I attempted to boot up in Safe Mode, I got this message: "Windows Error Recovery. Windows failed to start. A recent hardware or software change might be the cause. If Windows files have been damaged or configured incorrectly, Startup Repair can help diagnose and fix the problem. If power was interrupted during startup, choose Start Windows Normally. (Use the arrow keys to highlight your choice.)" And then my two options are "Launch Startup Repair (recommended)" and "Start Windows Normally." I didn't want to launch Startup Repair unless instructed.
If I should run the Startup Repair in order to be able to boot up in Safe Mode and run MBAM, please let me know. Whatever it is I picked up went after my desktop fairly aggressively, and I'm just not sure what I should do next.
-
ok, I did a SHIFT-DELETE to permanently remove the folder. I removed the entire ESET folder, since there was nothing else in it other than the Quarantine sub-folder.
Thank you again, Maniac, for all your help -- your easy-to-follow instructions, your patience in answering my questions, and the consistently quick replies, even while you're assisting several other users at the same time.
Most of all, thank you for your time and generosity in helping a complete stranger. I hope that you'll please keep doing what you're doing here on the MBAM forums. Users like me would be lost to malware if it weren't for the kind help of removal experts like you.
Cheers! And thank you.
-
Thank you, Maniac.
I ran the OTL cleanup, and it's removed itself, ComboFix, TDSS Killer, and all the text logs for these.
For ESET, I selected "Uninstall application on close." There's still an ESET directory in my program files. This directory contains a folder, "Quarantine," that currently holds 21 files (all of *.NDF, *.NDQ, and *.NDI type) totaling 14.2MB: C:\Program Files\ESET\ESET Online Scanner\Quarantine
Should I do anything to delete/remove this Quarantine folder or the files in it?
-
So far, everything looks good

Programs and processes are moving quickly again. I've launched and conducted searches w. three different browsers (IE, FF, Chrome), and the spam/advertising pop-ups and redirects seem to be gone.
Thank you! I'm so grateful to you for your help.
I have a question that I forgot to ask in my previous post: I still have the ESET Scanner window open. It has two options that can be selected before clicking "Finish":
- Uninstall application on close
- Delete quarantined files
Should I select either or both of those?
-
ESET found and cleaned 10 threats. Here's the log:
-------------------------------------------------------
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=29ee5187ebb7154aae31e0aeead4bf45
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-06-20 07:50:18
# local_time=2012-06-20 12:50:18 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=5893 16776574 100 94 0 91762638 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=174713
# found=10
# cleaned=10
# scan_time=2630
C:\Program Files (x86)\Daemon Tools\DTLite4453-0297.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir Win32/Sirefef.EZ trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir Win64/Sirefef.AD trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\System32\Services.exe.vir Win64/Patched.B.Gen trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\06192012_171202\C_Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U\00000008.@ Win64/Agent.BA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\06192012_171202\C_Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U\80000000.@ Win64/Sirefef.AE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\06192012_171202\C_Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U\80000032.@ probably a variant of Win32/Sirefef.EU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\06192012_171202\C_Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U\80000064.@ Win64/Sirefef.AE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
-
ok, I downloaded the ESET scanner, accepted the Terms of Use, and am getting ready to run the scan.
In the Computer Scan Settings, these options are selected by default:
- Remove found threats
- Scan for potentially unwanted applications
- Enable Anti-Stealth technology
These two options are NOT selected. Should I select either of them?:
- Scan archives
- Scan for potentially unsafe applications
-
ok, ComboFix was preparing the log report after I logged back in:
-------------------------------------------------------
ComboFix 12-06-20.01 - v 06/20/2012 8:45.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6007.4454 [GMT -7:00]
Running from: c:\users\v\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\v\g2mdlhlpx.exe
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-20 to 2012-06-20 )))))))))))))))))))))))))))))))
.
.
2012-06-20 15:51 . 2012-06-20 15:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-20 00:12 . 2012-06-20 00:12 -------- d-----w- C:\_OTL
2012-06-19 15:53 . 2012-06-19 15:53 21520 ----a-w- c:\windows\DCEBoot64.exe
2012-06-19 15:53 . 2012-06-19 15:53 129024 ----a-w- c:\windows\RegBootClean64.exe
2012-06-19 11:12 . 2012-06-19 11:13 -------- d-----w- c:\program files (x86)\Kaspersky
2012-06-19 09:42 . 2012-06-19 09:42 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-06-16 04:18 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{04148417-5380-469B-A127-3C937C84097A}\mpengine.dll
2012-06-16 04:13 . 2012-06-16 04:13 -------- d-----w- c:\users\v\AppData\Local\Macromedia
2012-05-29 02:01 . 2012-05-29 02:01 -------- d-----w- c:\users\v\.swt
2012-05-29 02:01 . 2012-05-29 02:01 -------- d-----w- c:\users\v\AppData\Local\CRE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-16 04:11 . 2012-04-04 20:05 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-16 04:11 . 2011-05-17 05:19 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-21 02:51 . 2011-05-14 04:28 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-04-04 22:56 . 2011-05-08 22:51 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-31 22:01 . 2012-03-31 22:01 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\Daemon Tools\DAEMON Tools Lite\DTLite.exe" [2012-02-13 3481408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-06-08 284696]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-06-02 98304]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe" [2010-08-12 163040]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-12-29 1082656]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-05 129976]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-06-08 13336]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-08-20 689472]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-03 2320920]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2731273616-2889505413-518904877-1000Core.job
- c:\users\v\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-30 05:27]
.
2012-06-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2731273616-2889505413-518904877-1000UA.job
- c:\users\v\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-30 05:27]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2010-01-06 3179288]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-06-18 487424]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2010-02-03 5712896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.nytimes.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: alohaenterprise.com\nextstudent
Trusted Zone: nextstudent.com\exchange
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\v\AppData\Roaming\Mozilla\Firefox\Profiles\g457744h.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-dBpoweramp Music Converter - c:\windows\system32\SpoonUninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\05\02\1d\02\01#é"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Dell Support Center\bin\sprtsvc.exe
c:\program files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
c:\windows\SysWOW64\wscript.exe
.
**************************************************************************
.
Completion time: 2012-06-20 09:29:57 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-20 16:29
.
Pre-Run: 506,999,537,664 bytes free
Post-Run: 506,747,592,704 bytes free
.
- - End Of File - - DD86F03D7F50FDA2E13D41198FCADCDA
-
Hi, Maniac.
I don't have the Combofix log for you yet; I'm not quite sure what to do next.
I've run Combofix before -- last year -- on an XP machine that had a TDSS infection, and the entire process went as described in the Bleeping Computer step-by-step guide. Running Combofix this time, however, on my Win7 machine, went a little differently:
1. Combofix never disconnected me from the Internet.
2. It never changed my clock format.
3. After running the 50 stages, it gave a message that it had detected an infected system file, attempted to restore, and then restored successfully.
4. Then it indicated that it was deleting some files.
5. Then it restarted Windows.
It didn't give me a message that it was preparing a log report or display the log report before it rebooted.
So my computer has been rebooted, and I haven't logged back in yet to the machine. Once I log in, what should I do? Should I look for the log file? Or do I need to do something else with Combofix?
I tried to turn off Windows Firewall before I ran Combofix, but I got error messages when I tried to access any of the Windows Firewall settings. (I assumed because of the current infection.) I don't know whether this would have interfered.
Possible rogue security popup? 'Malicious software was removed from your computer'
in Resolved Malware Removal Logs
Posted
Thank you, Maurice. I've burned the Gparted CD.