Jump to content

Babylon Internet Browser Injector


Recommended Posts

Hello, this is my first time posting in the MalwareBytes forums so I do hope I have followed instructions correctly.

My mom's laptop has been infected by a toolbar that she agreed to use while quickly installing some program. She says she can't remember what the program was, but there was a Babylon Toolbar on all the browsers afterwards. At first I could get rid of the toolbar, but links began to reroute when searched through google to ad websites. I tried running Malware which detected 3 items. I removed them and gave the computer back to my mom. The toolbar didn't come back but the broswer kept rerouting. After another scan with MalwareBytes, 5 items were found. The probelm still persisted. And after a third run the same 5 infections were found. I left the computer alone for a few days and when I came back MalwareBytes had been deleted. I found this out today, and I know this has gotten much more harmful than it was. I was able to reinstall MalwareBytes, and I did run another scan which found 7 items. I did not delete the,. and I have all the logs if that will help.

I understand this now more than a simple browser injector, and I hope you are able to help me. I will provide any information as needed.

Attached is the DDS.txt, and I did not upload the Attach.txt because it said in the file not to unless requested.

Best Regards,

Pan

DDS.txt

Link to post
Share on other sites

  • Staff

Hello and Welcome!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

    [*]Please do not attach logs or use code boxes, just copy and paste the text.

    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

    [*]Please read every post completely before doing anything.

    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

    [*]Please provide feedback about your experience as we go.

    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from
here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Link to post
Share on other sites

Hello Gringo, I do believe you helped me previously in the bleeping computer forums. I look forward to your continued help. I have copied into this reply at the bottom both files generated by the Security Check and Combofix in their respective orders.

The computer itself I have not touched since I last ran MalwareBytes, but I tried using the browser before running all the programs you listed in your post. The browser did not reroute at all. This again was before the scans you just provided, so I do not know if the problem is fixed or not. The last time I ran MalwareBytes it detected more items (8) than its previous scan (5), I don't know if it's a possibility MalwareBytes found the problem or not. Considering that the infection did uninstall MalwareBytes before the most recent scan I ran, which I had to reinstall it for, I do want to take extra precautions in making sure the infection is dealt with.

After running Security Check and Combofix, the browser still does not reroute links. I also tried using multiple browsers to see if it was browser specific, and the results were the same. Upon restarting the computer though, my mother reported it booting up much faster than normal. Other miscellaneous and irrelevant problems she was having (java errors, notifications popping up) were fixed too, I assume this is due to some sort of reset that Combofix used. In the end, the problem appears fixed, but if you could, I would greatly appreciate a quick look over to make sure the infection is gone. Also, any advice on how to best avoid problems like this happening in the future or changes I should make to the computer I would greatly appreciate as well.

Best Regards,

Pan

Results of screen317's Security Check version 0.99.41

Windows 7 x64 (UAC is enabled)

Out of date service pack!!

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Disabled!

Lavasoft Ad-Watch Live! Anti-Virus

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Ad-Aware

Malwarebytes Anti-Malware version 1.61.0.1400

Java™ 6 Update 29

Java version out of date!

Adobe Flash Player 11.0.1.152 Flash Player out of Date!

Adobe Reader X (10.1.1)

Mozilla Firefox (8.0.1)

````````Process Check: objlist.exe by Laurent````````

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

Zone Labs ZoneAlarm zlclient.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 12-05-29.01 - JWB 05/29/2012 22:16:07.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3999.2498 [GMT -5:00]

Running from: c:\users\JWB\Desktop\ComboFix.exe

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\Install.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-30 )))))))))))))))))))))))))))))))

.

.

2012-05-30 03:22 . 2012-05-30 03:22 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-05-30 03:13 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F81D5BE6-649F-4C7B-89F9-3D3746EA80F2}\mpengine.dll

2012-05-27 19:48 . 2012-04-04 20:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-20 02:21 . 2012-05-20 02:21 -------- d-----w- c:\users\JWB\AppData\Roaming\Malwarebytes

2012-05-20 02:21 . 2012-05-20 02:21 -------- d-----w- c:\programdata\Malwarebytes

2012-05-20 02:21 . 2012-05-27 19:48 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-05-18 03:18 . 2012-05-18 03:18 -------- d-----w- c:\users\JWB\AppData\Local\adaware

2012-05-18 03:18 . 2012-05-27 17:20 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection

2012-05-18 03:17 . 2012-05-27 17:20 -------- d-----w- c:\program files (x86)\Ad-Aware Antivirus

2012-05-18 03:16 . 2012-05-18 03:21 -------- d-----w- c:\users\JWB\AppData\Roaming\Ad-Aware Antivirus

2012-05-11 02:45 . 2012-03-17 07:55 75632 ----a-w- c:\windows\system32\drivers\partmgr.sys

2012-05-11 02:45 . 2012-03-03 06:29 1541120 ----a-w- c:\windows\system32\DWrite.dll

2012-05-11 02:45 . 2012-03-03 05:40 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll

2012-05-11 02:45 . 2012-03-03 06:29 320512 ----a-w- c:\windows\system32\d3d10_1core.dll

2012-05-11 02:45 . 2012-03-03 06:29 197120 ----a-w- c:\windows\system32\d3d10_1.dll

2012-05-11 02:45 . 2012-03-03 06:29 1837568 ----a-w- c:\windows\system32\d3d10warp.dll

2012-05-11 02:45 . 2012-03-03 06:29 902656 ----a-w- c:\windows\system32\d2d1.dll

2012-05-11 02:45 . 2012-03-03 05:40 1170944 ----a-w- c:\windows\SysWow64\d3d10warp.dll

2012-05-11 02:45 . 2012-03-03 05:40 739840 ----a-w- c:\windows\SysWow64\d2d1.dll

2012-05-11 02:45 . 2012-03-03 05:40 218624 ----a-w- c:\windows\SysWow64\d3d10_1core.dll

2012-05-11 02:45 . 2012-03-03 05:40 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll

2012-05-11 02:44 . 2012-04-02 05:34 5504880 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-11 02:44 . 2012-04-02 03:01 3143680 ----a-w- c:\windows\system32\win32k.sys

2012-05-11 02:44 . 2012-04-02 04:46 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-05-11 02:44 . 2012-04-02 04:46 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-05-11 02:44 . 2012-03-30 11:09 1895280 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-05-11 02:44 . 2012-04-02 05:24 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll

2012-05-11 02:44 . 2012-04-02 04:40 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll

2012-05-08 04:43 . 2012-05-08 04:43 254 ----a-w- C:\user.js

2012-05-08 04:43 . 2012-05-27 17:20 -------- d-----w- c:\program files (x86)\BabylonToolbar

2012-05-08 04:42 . 2012-05-27 22:05 -------- d-----w- c:\program files (x86)\v-Grabber

2012-05-08 04:42 . 2012-05-08 04:42 -------- d-----w- c:\users\JWB\AppData\Local\Babylon

2012-05-08 04:42 . 2012-05-08 04:42 -------- d-----w- c:\users\JWB\AppData\Roaming\Babylon

2012-05-08 04:42 . 2012-05-08 04:42 -------- d-----w- c:\programdata\Babylon

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-01 06:54 . 2012-04-11 13:40 22896 ----a-w- c:\windows\system32\drivers\fs_rec.sys

2012-03-01 06:45 . 2012-04-11 13:40 220672 ----a-w- c:\windows\system32\wintrust.dll

2012-03-01 06:40 . 2012-04-11 13:40 80896 ----a-w- c:\windows\system32\imagehlp.dll

2012-03-01 06:35 . 2012-04-11 13:40 5120 ----a-w- c:\windows\system32\wmi.dll

2012-03-01 05:49 . 2012-04-11 13:40 172544 ----a-w- c:\windows\SysWow64\wintrust.dll

2012-03-01 05:45 . 2012-04-11 13:40 158720 ----a-w- c:\windows\SysWow64\imagehlp.dll

2012-03-01 05:40 . 2012-04-11 13:40 5120 ----a-w- c:\windows\SysWow64\wmi.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]

.

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{ABD3B5E1-B268-407B-A150-2641DAB8D898}]

2009-06-08 21:41 120104 ----a-w- c:\program files (x86)\Common Files\Homepage Protection\HomepageProtection.dll

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2012-01-03 21:31 1514152 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"QPService"="c:\program files (x86)\HP\QuickPlay\QPService.exe" [2009-06-24 468264]

"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]

"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-06-24 320056]

"UpdatePRCShortCut"="c:\program files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]

"ZoneAlarm Client"="c:\program files (x86)\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Amazon Unbox.lnk - c:\program files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2011-11-23 97384]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-13 116648]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2012-05-13 2152688]

R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-08 195336]

R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-13 116648]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2011-11-06 17152]

R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]

R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]

R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]

S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]

S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]

S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-06-17 19:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2012-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-13 21:21]

.

2012-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-13 21:21]

.

2012-05-30 c:\windows\Tasks\HPCeeScheduleForJWB.job

- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-08-17 21:38]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2009-07-14 495104]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.theenglishcottage.com/webmail

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb

mLocal Page = c:\windows\SysWOW64\blank.htm

TCP: Interfaces\{7B5D90F8-DB72-4ADD-AD43-C9F3D991AA80}: NameServer = 75.75.75.75

FF - ProfilePath - c:\users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\

FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)

FF - prefs.js: browser.startup.homepage - hxxps://midge.lookhosting.com:2096/

FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=109935&tt=290412_1_ctrl&babsrc=KW_ss&mntrId=3cd4f9010000000000000c607632b9d8&q=

FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935&tt=290412_1_ctrl

FF - user.js: extensions.BabylonToolbar_i.babExt -

FF - user.js: extensions.BabylonToolbar_i.srcExt - ss

FF - user.js: extensions.BabylonToolbar_i.id - 3cd4f9010000000000000c607632b9d8

FF - user.js: extensions.BabylonToolbar_i.hardId - 3cd4f9010000000000000c607632b9d8

FF - user.js: extensions.BabylonToolbar_i.instlDay - 15468

FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1723:43

FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon

FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar

FF - user.js: extensions.BabylonToolbar_i.aflt - babsst

FF - user.js: extensions.BabylonToolbar_i.smplGrp - none

FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9

FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe

c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe

c:\program files (x86)\CyberLink\Shared files\RichVideo.exe

c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe

.

**************************************************************************

.

Completion time: 2012-05-29 22:37:30 - machine was rebooted

ComboFix-quarantined-files.txt 2012-05-30 03:37

.

Pre-Run: 74,151,350,272 bytes free

Post-Run: 74,428,735,488 bytes free

.

- - End Of File - - A247B0C688E561A32352E562254970E9

Link to post
Share on other sites

  • Staff

Hello

Lets get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later

    [*]Please post the contents of OTL.txt in your next reply.

Gringo

Link to post
Share on other sites

Here are the results of the OTL scan:

OTL logfile created on: 5/30/2012 12:52:05 PM - Run 1

OTL by OldTimer - Version 3.2.44.0 Folder = C:\Users\JWB\Desktop

64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.91 Gb Total Physical Memory | 2.79 Gb Available Physical Memory | 71.52% Memory free

7.81 Gb Paging File | 6.60 Gb Available in Paging File | 84.49% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 220.82 Gb Total Space | 69.42 Gb Free Space | 31.44% Space Free | Partition Type: NTFS

Drive D: | 11.87 Gb Total Space | 2.00 Gb Free Space | 16.86% Space Free | Partition Type: NTFS

Computer Name: STATION4 | User Name: JWB | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\JWB\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)

PRC - C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe (Amazon.com)

PRC - C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe (Amazon.com)

PRC - C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE (Microsoft Corporation)

PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)

PRC - C:\Windows\SysWOW64\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)

PRC - C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)

========== Modules (No Company Name) ==========

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\90d42781d5b19478870e412f7b7c71eb\System.Windows.Forms.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\e65dbd1b68789fc21b9fb3c605b699a7\System.Drawing.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b5b9223f5e18a1089a4fe3a896909d9d\System.Xml.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\2ebb3c259eab50af565e3a8dba6ad20e\System.ni.dll ()

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\5858678a79aae31262b0214424245d06\mscorlib.ni.dll ()

MOD - C:\Program Files (x86)\Common Files\LightScribe\QtGui4.dll ()

MOD - C:\Program Files (x86)\Common Files\LightScribe\QtCore4.dll ()

MOD - C:\Program Files (x86)\Common Files\LightScribe\plugins\imageformats\qjpeg4.dll ()

========== Win32 Services (SafeList) ==========

SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SRV:64bit: - (RemoteAccess) -- C:\Windows\SysNative\mprdim.dll (Microsoft Corporation)

SRV:64bit: - (Mcx2Svc) -- C:\Windows\SysNative\Mcx2Svc.dll (Microsoft Corporation)

SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)

SRV - (ADVService) -- C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe (Amazon.com)

SRV - (BBSvc) -- C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE (Microsoft Corporation.)

SRV - (BBUpdate) -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE (Microsoft Corporation)

SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)

SRV - (vsmon) -- C:\Windows\SysWOW64\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)

SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)

SRV - (RemoteAccess) -- C:\Windows\SysWOW64\mprdim.dll (Microsoft Corporation)

SRV - (HsfXAudioService) -- C:\Windows\SysWOW64\XAudio64.dll (Conexant Systems, Inc.)

SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

SRV - (clr_optimization_v2.0.50727_64) -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

SRV - (GameConsoleService) -- C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe (WildTangent, Inc.)

========== Driver Services (SafeList) ==========

DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)

DRV:64bit: - (Lbd) -- C:\Windows\SysNative\drivers\Lbd.sys (Lavasoft AB)

DRV:64bit: - (Point64) -- C:\Windows\SysNative\drivers\point64.sys (Microsoft Corporation)

DRV:64bit: - (NuidFltr) -- C:\Windows\SysNative\drivers\nuidfltr.sys (Microsoft Corporation)

DRV:64bit: - (dc3d) -- C:\Windows\SysNative\drivers\dc3d.sys (Microsoft Corporation)

DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)

DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)

DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)

DRV:64bit: - (Vsdatant) -- C:\Windows\SysNative\drivers\vsdatant.sys (Check Point Software Technologies LTD)

DRV:64bit: - (CnxtHdAudService) -- C:\Windows\SysNative\drivers\CHDRT64.sys (Conexant Systems Inc.)

DRV:64bit: - (sdbus) -- C:\Windows\SysNative\drivers\sdbus.sys (Microsoft Corporation)

DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.)

DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)

DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)

DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)

DRV:64bit: - (crcdisk) -- C:\Windows\SysNative\drivers\crcdisk.sys (Microsoft Corporation)

DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)

DRV:64bit: - (udfs) -- C:\Windows\SysNative\drivers\udfs.sys (Microsoft Corporation)

DRV:64bit: - (cdfs) -- C:\Windows\SysNative\drivers\cdfs.sys (Microsoft Corporation)

DRV:64bit: - (XAudio) -- C:\Windows\SysNative\drivers\XAudio64.sys (Conexant Systems, Inc.)

DRV:64bit: - (HSF_DPV) -- C:\Windows\SysNative\drivers\CAX_DPV.sys (Conexant Systems, Inc.)

DRV:64bit: - (mdmxsdk) -- C:\Windows\SysNative\drivers\mdmxsdk.sys (Conexant)

DRV:64bit: - (winachsf) -- C:\Windows\SysNative\drivers\CAX_CNXT.sys (Conexant Systems, Inc.)

DRV:64bit: - (CAXHWAZL) -- C:\Windows\SysNative\drivers\CAXHWAZL.sys (Conexant Systems, Inc.)

DRV:64bit: - (SynTP) -- C:\Windows\SysNative\drivers\SynTP.sys (Synaptics Incorporated)

DRV:64bit: - (SrvHsfV92) -- C:\Windows\SysNative\drivers\VSTDPV6.SYS (Conexant Systems, Inc.)

DRV:64bit: - (SrvHsfWinac) -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS (Conexant Systems, Inc.)

DRV:64bit: - (SrvHsfHDA) -- C:\Windows\SysNative\drivers\VSTAZL6.SYS (Conexant Systems, Inc.)

DRV:64bit: - (yukonw7) -- C:\Windows\SysNative\drivers\yk62x64.sys (Marvell)

DRV:64bit: - (netw5v64) Intel® -- C:\Windows\SysNative\drivers\netw5v64.sys (Intel Corporation)

DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)

DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)

DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)

DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)

DRV:64bit: - (RSUSBSTOR) -- C:\Windows\SysNative\drivers\RtsUStor.sys (Realtek Semiconductor Corp.)

DRV:64bit: - (IntcHdmiAddService) Intel® -- C:\Windows\SysNative\drivers\IntcHdmi.sys (Intel® Corporation)

DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek )

DRV:64bit: - (HpqKbFiltr) -- C:\Windows\SysNative\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)

DRV - (Lavasoft Kernexplorer) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys ()

DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...avilion&pf=cnnb

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {403CE8DA-BA42-478B-945D-BCD60FB70B3C}

IE:64bit: - HKLM\..\SearchScopes\{397CFBAF-01FE-4A0D-950E-041F4905DC38}: "URL" = http://www.ask.com/w...}&l=dis&o=ushpl

IE:64bit: - HKLM\..\SearchScopes\{403CE8DA-BA42-478B-945D-BCD60FB70B3C}: "URL" = http://www.bing.com/...rc=IE-SearchBox

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...avilion&pf=cnnb

IE - HKLM\..\SearchScopes,DefaultScope = {403CE8DA-BA42-478B-945D-BCD60FB70B3C}

IE - HKLM\..\SearchScopes\{397CFBAF-01FE-4A0D-950E-041F4905DC38}: "URL" = http://www.ask.com/w...}&l=dis&o=ushpl

IE - HKLM\..\SearchScopes\{403CE8DA-BA42-478B-945D-BCD60FB70B3C}: "URL" = http://www.bing.com/...rc=IE-SearchBox

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.theenglis...age.com/webmail

IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)

IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}

IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylo...0000c607632b9d8

IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\SearchScopes\{E75786E6-6CED-43E4-A207-43FDD9D1901F}: "URL" = http://websearch.ask...56-947E49C66D0F

IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"

FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"

FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"

FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"

FF - prefs.js..browser.startup.homepage: "https://midge.lookhosting.com:2096/"

FF - prefs.js..keyword.URL: "http://search.babylon.com/?affID=109935&tt=290412_1_ctrl&babsrc=KW_ss&mntrId=3cd4f9010000000000000c607632b9d8&q="

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_0_1.dll File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8064.0206: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2009/08/17 15:33:24 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/11/28 21:18:56 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2011/11/06 16:24:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\JWB\AppData\Roaming\Mozilla\Extensions

[2012/05/10 23:41:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions

[2011/11/06 17:07:01 | 000,000,000 | ---D | M] (PlainOldFavorites) -- C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}

[2012/03/11 22:32:35 | 000,000,000 | ---D | M] (GOM Player + Ask Toolbar) -- C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com

[2012/01/03 16:27:44 | 000,002,333 | ---- | M] () -- C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\searchplugins\askcom.xml

[2011/11/06 16:13:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions

[2012/02/15 13:14:01 | 000,634,964 | ---- | M] () (No name found) -- C:\USERS\JWB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\4P68J9EQ.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI

[2011/11/28 21:18:56 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll

[2012/05/07 23:42:53 | 000,002,356 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml

[2011/09/28 19:26:50 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml

[2011/11/28 21:18:56 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/05/29 22:33:32 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

O2 - BHO: (hpBHO Class) - {ABD3B5E1-B268-407B-A150-2641DAB8D898} - C:\Program Files (x86)\Common Files\Homepage Protection\HomepageProtection.dll (AOL Products)

O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)

O2 - BHO: (GOM Player + Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)

O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)

O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)

O3 - HKLM\..\Toolbar: (GOM Player + Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)

O4:64bit: - HKLM..\Run: [cAudioFilterAgent] C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe (Conexant Systems, Inc.)

O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [igfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [intelliPoint] c:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)

O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)

O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)

O4 - HKLM..\Run: [updatePRCShortCut] C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-1389045141-546431936-601846973-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-1389045141-546431936-601846973-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)

O16:64bit: - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)

O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7B5D90F8-DB72-4ADD-AD43-C9F3D991AA80}: NameServer = 75.75.75.75

O18:64bit: - Protocol\Handler\livecall - No CLSID value found

O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found

O18:64bit: - Protocol\Handler\msnim - No CLSID value found

O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found

O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)

O32 - HKLM CDRom: AutoRun - 1

O34 - HKLM BootExecute: (autocheck autochk *)

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/30 12:47:24 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\JWB\Desktop\OTL.exe

[2012/05/29 23:00:56 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2012/05/29 22:14:09 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2012/05/29 22:14:09 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2012/05/29 22:14:09 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2012/05/29 22:14:06 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT

[2012/05/29 22:14:01 | 000,000,000 | ---D | C] -- C:\Qoobox

[2012/05/29 22:07:17 | 004,530,590 | R--- | C] (Swearware) -- C:\Users\JWB\Desktop\ComboFix.exe

[2012/05/27 17:20:31 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\JWB\Desktop\dds.scr

[2012/05/27 14:48:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

[2012/05/27 14:48:56 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys

[2012/05/27 14:48:25 | 010,063,000 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\JWB\Desktop\mbam-setup-1.61.0.1400.exe

[2012/05/27 09:22:25 | 000,000,000 | ---D | C] -- C:\Windows\Minidump

[2012/05/19 21:21:43 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Roaming\Malwarebytes

[2012/05/19 21:21:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2012/05/19 21:21:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware

[2012/05/17 22:18:13 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Local\adaware

[2012/05/17 22:18:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Ad-Aware Browsing Protection

[2012/05/17 22:17:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Ad-Aware Antivirus

[2012/05/17 22:16:08 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Roaming\Ad-Aware Antivirus

[2012/05/10 21:45:06 | 001,541,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll

[2012/05/10 21:45:05 | 001,837,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10warp.dll

[2012/05/10 21:45:05 | 000,902,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d2d1.dll

[2012/05/10 21:45:05 | 000,320,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1core.dll

[2012/05/10 21:45:05 | 000,197,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1.dll

[2012/05/10 21:44:32 | 005,504,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe

[2012/05/10 21:44:29 | 003,958,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe

[2012/05/10 21:44:29 | 003,902,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe

[2012/05/07 23:43:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\BabylonToolbar

[2012/05/07 23:42:25 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\vGrabber

[2012/05/07 23:42:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\v-Grabber

[2012/05/07 23:42:04 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Local\Babylon

[2012/05/07 23:42:02 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Roaming\Babylon

[2012/05/07 23:42:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon

[1 C:\Windows\SysNative\drivers\*.tmp files -> C:\Windows\SysNative\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/30 12:46:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2012/05/30 12:28:22 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\JWB\Desktop\OTL.exe

[2012/05/30 12:26:00 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2012/05/30 08:29:44 | 000,023,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2012/05/30 08:29:44 | 000,023,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2012/05/30 08:23:47 | 000,000,290 | ---- | M] () -- C:\ProgramData\hpqp.ini

[2012/05/30 08:23:46 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2012/05/30 08:22:04 | 3145,089,024 | -HS- | M] () -- C:\hiberfil.sys

[2012/05/29 22:33:32 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts

[2012/05/29 22:24:16 | 000,000,326 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForJWB.job

[2012/05/29 21:55:58 | 004,530,590 | R--- | M] (Swearware) -- C:\Users\JWB\Desktop\ComboFix.exe

[2012/05/29 21:55:12 | 000,853,862 | ---- | M] () -- C:\Users\JWB\Desktop\SecurityCheck.exe

[2012/05/27 17:22:52 | 000,726,444 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2012/05/27 17:22:52 | 000,624,412 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2012/05/27 17:22:52 | 000,106,756 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2012/05/27 17:10:18 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\JWB\Desktop\dds.scr

[2012/05/27 14:48:58 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/05/27 09:22:21 | 234,304,633 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2012/05/19 21:01:02 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\JWB\Desktop\mbam-setup-1.61.0.1400.exe

[2012/05/11 08:11:18 | 000,355,576 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

[2012/05/09 16:19:23 | 000,000,064 | ---- | M] () -- C:\Windows\SysWow64\rp_stats.dat

[2012/05/09 16:19:23 | 000,000,044 | ---- | M] () -- C:\Windows\SysWow64\rp_rules.dat

[2012/05/07 23:43:02 | 000,000,254 | ---- | M] () -- C:\user.js

[1 C:\Windows\SysNative\drivers\*.tmp files -> C:\Windows\SysNative\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/29 22:14:09 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe

[2012/05/29 22:14:09 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe

[2012/05/29 22:14:09 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2012/05/29 22:14:09 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2012/05/29 22:14:09 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2012/05/29 22:07:17 | 000,853,862 | ---- | C] () -- C:\Users\JWB\Desktop\SecurityCheck.exe

[2012/05/27 14:48:58 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/05/27 09:22:21 | 234,304,633 | ---- | C] () -- C:\Windows\MEMORY.DMP

[2012/05/07 23:43:02 | 000,000,254 | ---- | C] () -- C:\user.js

[2011/12/20 23:29:41 | 000,000,512 | ---- | C] () -- C:\Users\JWB\AppData\Roaming\wklnhst.dat

[2011/11/09 16:04:30 | 000,000,064 | ---- | C] () -- C:\Windows\SysWow64\rp_stats.dat

[2011/11/09 16:04:30 | 000,000,044 | ---- | C] () -- C:\Windows\SysWow64\rp_rules.dat

[2011/11/06 01:45:05 | 000,000,290 | ---- | C] () -- C:\ProgramData\hpqp.ini

[2011/02/11 20:15:08 | 000,982,240 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin

[2011/02/11 20:15:08 | 000,439,308 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin

[2011/02/11 20:15:08 | 000,092,356 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin

< End of report >

Link to post
Share on other sites

  • Staff

Hello

Run this custom script and when it is complete I need to know how the computer is doing

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the customFix.png textbox. Do not include the word Code

    :OTL
    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_0_1.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    IE:64bit: - HKLM\..\SearchScopes\{397CFBAF-01FE-4A0D-950E-041F4905DC38}: "URL" = http://www.ask.com/w...}&l=dis&o=ushpl
    IE - HKLM\..\SearchScopes\{397CFBAF-01FE-4A0D-950E-041F4905DC38}: "URL" = http://www.ask.com/w...}&l=dis&o=ushpl
    IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
    IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
    IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylo...0000c607632b9d8
    IE - HKU\S-1-5-21-1389045141-546431936-601846973-1003\..\SearchScopes\{E75786E6-6CED-43E4-A207-43FDD9D1901F}: "URL" = http://websearch.ask...56-947E49C66D0F
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
    FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
    FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"
    FF - prefs.js..browser.startup.homepage: "https://midge.lookhosting.com:2096/"
    FF - prefs.js..keyword.URL: "http://search.babylon.com/?affID=109935&tt=290412_1_ctrl&babsrc=KW_ss&mntrId=3cd4f9010000000000000c607632b9d8&q="
    [2012/03/11 22:32:35 | 000,000,000 | ---D | M] (GOM Player + Ask Toolbar) -- C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com
    [2012/01/03 16:27:44 | 000,002,333 | ---- | M] () -- C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\searchplugins\askcom.xml
    [2012/05/07 23:42:53 | 000,002,356 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
    O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO)
    O2 - BHO: (GOM Player + Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
    O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)
    O3 - HKLM\..\Toolbar: (GOM Player + Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
    O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
    [2012/05/07 23:43:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\BabylonToolbar
    [2012/05/07 23:42:25 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\vGrabber
    [2012/05/07 23:42:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\v-Grabber
    [2012/05/07 23:42:04 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Local\Babylon
    [2012/05/07 23:42:02 | 000,000,000 | ---D | C] -- C:\Users\JWB\AppData\Roaming\Babylon
    [2012/05/07 23:42:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon
    [2012/05/07 23:43:02 | 000,000,254 | ---- | M] () -- C:\user.js
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]


  • Then click the Run Fix button at the top.
  • Click btnOK.png.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Let me know How things are doing

Gringo

Link to post
Share on other sites

Hello,

Below are the results of the custom script you provided to put in the Custom Scans/Fixes box. As for the state of the computer, I am unsure on how to judge if it is operating as it should without the infection. The only visible symptoms to me were that the browser rerouted links at random and always links clicked on through google, also that MalwareBytes was deleted at one point. Since I have started this topic, none of the symptoms have shown themselves. The computer seems to run much faster than it did before, and no other other suspicious activity is being displayed.

Custom Scans/Fix result:

========== OTL ==========

64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@adobe.com/FlashPlayer\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.

File Protocol\Handler\livecall - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-itss\ deleted successfully.

File Protocol\Handler\ms-itss - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim\ deleted successfully.

File Protocol\Handler\msnim - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlmailhtml\ deleted successfully.

File Protocol\Handler\wlmailhtml - No CLSID value found not found.

64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{397CFBAF-01FE-4A0D-950E-041F4905DC38}\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{397CFBAF-01FE-4A0D-950E-041F4905DC38}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{397CFBAF-01FE-4A0D-950E-041F4905DC38}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{397CFBAF-01FE-4A0D-950E-041F4905DC38}\ not found.

Registry value HKEY_USERS\S-1-5-21-1389045141-546431936-601846973-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\{00000000-6E41-4FD3-8538-502F5495E5FC} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}\ deleted successfully.

C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll moved successfully.

HKEY_USERS\S-1-5-21-1389045141-546431936-601846973-1003\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!

Registry key HKEY_USERS\S-1-5-21-1389045141-546431936-601846973-1003\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.

Registry key HKEY_USERS\S-1-5-21-1389045141-546431936-601846973-1003\Software\Microsoft\Internet Explorer\SearchScopes\{E75786E6-6CED-43E4-A207-43FDD9D1901F}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E75786E6-6CED-43E4-A207-43FDD9D1901F}\ not found.

Prefs.js: "Ask.com" removed from browser.search.defaultengine

Prefs.js: "Search the web (Babylon)" removed from browser.search.defaultenginename

Prefs.js: "Search the web (Babylon)" removed from browser.search.order.1

Prefs.js: "Search the web (Babylon)" removed from browser.search.selectedEngine

Prefs.js: "https://midge.lookhosting.com:2096/" removed from browser.startup.homepage

Prefs.js: "http://search.babylon.com/?affID=109935&tt=290412_1_ctrl&babsrc=KW_ss&mntrId=3cd4f9010000000000000c607632b9d8&q=" removed from keyword.URL

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com\searchplugins folder moved successfully.

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com\defaults\preferences folder moved successfully.

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com\defaults folder moved successfully.

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com\chrome\skin folder moved successfully.

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com\chrome\content folder moved successfully.

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com\chrome folder moved successfully.

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\extensions\toolbar@ask.com folder moved successfully.

C:\Users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\searchplugins\askcom.xml moved successfully.

C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml moved successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ deleted successfully.

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll moved successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.

File C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{98889811-442D-49dd-99D7-DC866BE87DBC} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ deleted successfully.

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.

File C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater deleted successfully.

C:\Program Files (x86)\Ask.com\Updater\Updater.exe moved successfully.

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh folder moved successfully.

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17 folder moved successfully.

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar folder moved successfully.

C:\Users\JWB\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\vGrabber folder moved successfully.

C:\Program Files (x86)\v-Grabber\imageformats folder moved successfully.

C:\Program Files (x86)\v-Grabber\converter folder moved successfully.

C:\Program Files (x86)\v-Grabber folder moved successfully.

C:\Users\JWB\AppData\Local\Babylon\Setup\HtmlScreens folder moved successfully.

C:\Users\JWB\AppData\Local\Babylon\Setup folder moved successfully.

C:\Users\JWB\AppData\Local\Babylon folder moved successfully.

C:\Users\JWB\AppData\Roaming\Babylon folder moved successfully.

C:\ProgramData\Babylon folder moved successfully.

C:\user.js moved successfully.

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\JWB\Desktop\cmd.bat deleted successfully.

C:\Users\JWB\Desktop\cmd.txt deleted successfully.

========== COMMANDS ==========

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: JWB

->Java cache emptied: 178374 bytes

User: Public

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: JWB

->Flash cache emptied: 8193785 bytes

User: Public

Total Flash Files Cleaned = 8.00 mb

OTL by OldTimer - Version 3.2.44.0 log created on 05302012_133846

Link to post
Share on other sites

  • Staff

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 ClearJavaCache:: 

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

CFScriptB-4.gif

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  1. report from Combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now after running the script?

Gringo

Link to post
Share on other sites

  • Staff

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools

Gringo

Link to post
Share on other sites

I apologize for the delay in my response, but thank you for remaining persistent on your end.

At the end of this message is the log created by ComboFix after running the CFScript, it was done in Reduced Functionality mode due to a window stating that ComboFix had expired. If this provides undesirable results, I will reperform the script in a way that you prescribe.

In the post before your most recent, you asked that I check the computer for any abnormal behavior. I did so before running the ComboFix script by letting my mother use her laptop normally, connecting her back to the internet as well. The first thing she did was check her email, which is run off of servers that our family hosts. She could not log in, and we found instantly after this that we were then locked out of our server. Apparently, a SQL injection script was running on the browser when my mother entered her password, which it then used to log into our server and reset all the passwords including the root. Using a backdoor, we were able to regain control of the server and change the passwords. My father concluded that the laptop is being remotely controlled, and that a hard drive wipe would not solve the problem on the laptop. I have kept the laptop unconnected to the internet, and in the short window it was connected the previous events occurred. No other computers or devices in the network seem to have contracted the virus, and it still remains on the laptop. I have not reconnected it since then and will avoid doing so unless absolutely necessary as the infection seem extremely harmful.

ComboFix 12-05-29.01 - JWB 06/05/2012 10:23:22.2.2 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3999.2835 [GMT -5:00]

Running from: c:\users\JWB\Desktop\ComboFix.exe

Command switches used :: c:\users\JWB\Desktop\CFScript.txt

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

- REDUCED FUNCTIONALITY MODE -

.

.

((((((((((((((((((((((((( Files Created from 2012-05-05 to 2012-06-05 )))))))))))))))))))))))))))))))

.

.

2012-06-05 15:25 . 2012-06-05 15:25 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-05-30 18:38 . 2012-05-30 18:38 -------- d-----w- C:\_OTL

2012-05-30 03:13 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F81D5BE6-649F-4C7B-89F9-3D3746EA80F2}\mpengine.dll

2012-05-27 19:48 . 2012-04-04 20:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-20 02:21 . 2012-05-20 02:21 -------- d-----w- c:\users\JWB\AppData\Roaming\Malwarebytes

2012-05-20 02:21 . 2012-05-20 02:21 -------- d-----w- c:\programdata\Malwarebytes

2012-05-20 02:21 . 2012-05-27 19:48 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-05-18 03:18 . 2012-05-18 03:18 -------- d-----w- c:\users\JWB\AppData\Local\adaware

2012-05-18 03:18 . 2012-05-27 17:20 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection

2012-05-18 03:17 . 2012-05-27 17:20 -------- d-----w- c:\program files (x86)\Ad-Aware Antivirus

2012-05-18 03:16 . 2012-05-18 03:21 -------- d-----w- c:\users\JWB\AppData\Roaming\Ad-Aware Antivirus

2012-05-11 02:45 . 2012-03-17 07:55 75632 ----a-w- c:\windows\system32\drivers\partmgr.sys

2012-05-11 02:45 . 2012-03-03 06:29 1541120 ----a-w- c:\windows\system32\DWrite.dll

2012-05-11 02:45 . 2012-03-03 05:40 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll

2012-05-11 02:45 . 2012-03-03 06:29 320512 ----a-w- c:\windows\system32\d3d10_1core.dll

2012-05-11 02:45 . 2012-03-03 06:29 197120 ----a-w- c:\windows\system32\d3d10_1.dll

2012-05-11 02:45 . 2012-03-03 06:29 1837568 ----a-w- c:\windows\system32\d3d10warp.dll

2012-05-11 02:45 . 2012-03-03 06:29 902656 ----a-w- c:\windows\system32\d2d1.dll

2012-05-11 02:45 . 2012-03-03 05:40 1170944 ----a-w- c:\windows\SysWow64\d3d10warp.dll

2012-05-11 02:45 . 2012-03-03 05:40 739840 ----a-w- c:\windows\SysWow64\d2d1.dll

2012-05-11 02:45 . 2012-03-03 05:40 218624 ----a-w- c:\windows\SysWow64\d3d10_1core.dll

2012-05-11 02:45 . 2012-03-03 05:40 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll

2012-05-11 02:44 . 2012-04-02 05:34 5504880 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-11 02:44 . 2012-04-02 03:01 3143680 ----a-w- c:\windows\system32\win32k.sys

2012-05-11 02:44 . 2012-04-02 04:46 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-05-11 02:44 . 2012-04-02 04:46 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-05-11 02:44 . 2012-03-30 11:09 1895280 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-05-11 02:44 . 2012-04-02 05:24 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll

2012-05-11 02:44 . 2012-04-02 04:40 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll

2012-05-08 04:43 . 2012-05-30 18:38 -------- d-----w- c:\program files (x86)\BabylonToolbar

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((( SnapShot@2012-05-30_03.33.41 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-07-14 04:54 . 2012-05-30 03:24 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2009-07-14 04:54 . 2012-06-05 15:26 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2009-07-14 04:54 . 2012-05-30 03:24 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 04:54 . 2012-06-05 15:26 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-14 04:54 . 2012-05-30 03:24 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2009-07-14 04:54 . 2012-06-05 15:26 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2011-11-06 11:36 . 2012-06-05 15:19 72102 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin

+ 2009-08-17 18:30 . 2012-06-05 14:48 39294 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 05:10 . 2012-06-05 14:48 57094 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2011-11-06 22:47 . 2012-06-05 14:48 11266 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1389045141-546431936-601846973-1003_UserData.bin

+ 2011-11-10 21:12 . 2012-06-05 14:48 8192 c:\windows\system32\Microsoft\Protect\Recovery\Recovery.dat

- 2011-11-10 21:12 . 2011-11-10 21:12 8192 c:\windows\system32\Microsoft\Protect\Recovery\Recovery.dat

- 2012-05-30 03:24 . 2012-05-30 03:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2012-06-05 15:26 . 2012-06-05 15:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2012-06-05 15:26 . 2012-06-05 15:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2012-05-30 03:24 . 2012-05-30 03:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2009-07-14 02:36 . 2012-06-05 15:21 624412 c:\windows\system32\perfh009.dat

- 2009-07-14 02:36 . 2012-05-27 22:22 624412 c:\windows\system32\perfh009.dat

- 2009-07-14 02:36 . 2012-05-27 22:22 106756 c:\windows\system32\perfc009.dat

+ 2009-07-14 02:36 . 2012-06-05 15:21 106756 c:\windows\system32\perfc009.dat

+ 2009-08-17 22:02 . 2012-06-05 06:05 814592 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat

- 2009-07-14 05:01 . 2012-05-30 03:23 331512 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2009-07-14 05:01 . 2012-06-05 15:26 331512 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2009-07-14 02:34 . 2012-05-30 03:37 10747904 c:\windows\system32\SMI\Store\Machine\schema.dat

- 2009-07-14 02:34 . 2012-05-27 22:28 10747904 c:\windows\system32\SMI\Store\Machine\schema.dat

+ 2011-11-06 22:43 . 2012-05-30 06:52 17758258 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1389045141-546431936-601846973-1003-8192.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{ABD3B5E1-B268-407B-A150-2641DAB8D898}]

2009-06-08 21:41 120104 ----a-w- c:\program files (x86)\Common Files\Homepage Protection\HomepageProtection.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"QPService"="c:\program files (x86)\HP\QuickPlay\QPService.exe" [2009-06-24 468264]

"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]

"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-06-24 320056]

"UpdatePRCShortCut"="c:\program files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]

"ZoneAlarm Client"="c:\program files (x86)\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-18 1043968]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Amazon Unbox.lnk - c:\program files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2011-11-23 97384]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-13 116648]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2012-05-13 2152688]

R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-08 195336]

R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-13 116648]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2011-11-06 17152]

R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]

R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]

R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]

S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]

S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]

S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-06-17 19:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2012-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-13 21:21]

.

2012-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-13 21:21]

.

2012-05-30 c:\windows\Tasks\HPCeeScheduleForJWB.job

- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-08-17 21:38]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]

"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2009-07-14 495104]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.theenglishcottage.com/webmail

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb

mLocal Page = c:\windows\SysWOW64\blank.htm

TCP: Interfaces\{7B5D90F8-DB72-4ADD-AD43-C9F3D991AA80}: NameServer = 75.75.75.75

FF - ProfilePath - c:\users\JWB\AppData\Roaming\Mozilla\Firefox\Profiles\4p68j9eq.default\

FF - prefs.js: browser.search.selectedEngine -

FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935&tt=290412_1_ctrl

FF - user.js: extensions.BabylonToolbar_i.babExt -

FF - user.js: extensions.BabylonToolbar_i.srcExt - ss

FF - user.js: extensions.BabylonToolbar_i.id - 3cd4f9010000000000000c607632b9d8

FF - user.js: extensions.BabylonToolbar_i.hardId - 3cd4f9010000000000000c607632b9d8

FF - user.js: extensions.BabylonToolbar_i.instlDay - 15468

FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1723:43

FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon

FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar

FF - user.js: extensions.BabylonToolbar_i.aflt - babsst

FF - user.js: extensions.BabylonToolbar_i.smplGrp - none

FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9

FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-BabylonToolbar - c:\program files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\uninstall.exe

AddRemove-{79A765E1-C399-405B-85AF-466F52E918B0} - c:\program files (x86)\Ask.com\Updater\Updater.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe

c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe

c:\program files (x86)\CyberLink\Shared files\RichVideo.exe

c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe

c:\program files (x86)\Hewlett-Packard\Shared\hpqToaster.exe

.

**************************************************************************

.

Completion time: 2012-06-05 10:31:45 - machine was rebooted

ComboFix-quarantined-files.txt 2012-06-05 15:31

ComboFix2.txt 2012-05-30 03:37

.

Pre-Run: 72,754,200,576 bytes free

Post-Run: 72,568,684,544 bytes free

.

- - End Of File - - A78D727B6CD4A4AAF33C7B617BDEBD87

Link to post
Share on other sites

  • Staff

Greetings

That does not sound good at all - so far the reports have not shown something that serious as to do that

I want you to run these next and lets see if it will show something,

tdsskiller:

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.

  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

Link to post
Share on other sites

  • Staff

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools

Gringo

Link to post
Share on other sites

I apologize for the delay in my response, the results for both scans are posted below. I have not tried reconnecting to the internet since the server hijack, but once to allow for the Avast virus definitions to be downloaded. I say this because I have not been able to judge any suspicious behavior because of no internet connection, and the only way I could tell would be from another server hijack, which I plan to avoid at all costs.

We might end up trying to wipe the drive soon, but there are many scattered documents and customizations on the computer, which makes transferring data a little difficult. If you can help us fix our problem, I will not rush you but will continue to follow your directions. But if you do suggest a drive wipe, we are willing to do so if needed.

23:23:52.0943 2068 TDSS rootkit removing tool 2.7.36.0 May 21 2012 16:40:16

23:23:52.0959 2068 ============================================================

23:23:52.0959 2068 Current date / time: 2012/06/07 23:23:52.0959

23:23:52.0959 2068 SystemInfo:

23:23:52.0959 2068

23:23:52.0959 2068 OS Version: 6.1.7600 ServicePack: 0.0

23:23:52.0959 2068 Product type: Workstation

23:23:52.0959 2068 ComputerName: STATION4

23:23:52.0959 2068 UserName: JWB

23:23:52.0959 2068 Windows directory: C:\Windows

23:23:52.0959 2068 System windows directory: C:\Windows

23:23:52.0959 2068 Running under WOW64

23:23:52.0959 2068 Processor architecture: Intel x64

23:23:52.0959 2068 Number of processors: 2

23:23:52.0959 2068 Page size: 0x1000

23:23:52.0959 2068 Boot type: Normal boot

23:23:52.0959 2068 ============================================================

23:23:54.0051 2068 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x4BB4D, SectorsPerTrack: 0x3F, TracksPerCylinder: 0x19, Type 'K0', Flags 0x00000040

23:23:54.0066 2068 ============================================================

23:23:54.0066 2068 \Device\Harddisk0\DR0:

23:23:54.0066 2068 MBR partitions:

23:23:54.0066 2068 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x63800

23:23:54.0066 2068 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x64000, BlocksNum 0x1B9A4000

23:23:54.0066 2068 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1BA08000, BlocksNum 0x17BD000

23:23:54.0066 2068 ============================================================

23:23:54.0098 2068 C: <-> \Device\Harddisk0\DR0\Partition1

23:23:54.0129 2068 D: <-> \Device\Harddisk0\DR0\Partition2

23:23:54.0129 2068 ============================================================

23:23:54.0129 2068 Initialize success

23:23:54.0129 2068 ============================================================

23:23:58.0684 0288 ============================================================

23:23:58.0684 0288 Scan started

23:23:58.0684 0288 Mode: Manual;

23:23:58.0684 0288 ============================================================

23:24:00.0010 0288 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys

23:24:00.0010 0288 1394ohci - ok

23:24:00.0057 0288 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys

23:24:00.0057 0288 ACPI - ok

23:24:00.0088 0288 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys

23:24:00.0088 0288 AcpiPmi - ok

23:24:00.0166 0288 AdobeARMservice (11a52cf7b265631deeb24c6149309eff) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

23:24:00.0166 0288 AdobeARMservice - ok

23:24:00.0228 0288 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys

23:24:00.0244 0288 adp94xx - ok

23:24:00.0275 0288 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys

23:24:00.0275 0288 adpahci - ok

23:24:00.0306 0288 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys

23:24:00.0306 0288 adpu320 - ok

23:24:00.0447 0288 ADVService (96a0ff09e226b023dc6aca253aacee2e) C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe

23:24:00.0447 0288 ADVService - ok

23:24:00.0478 0288 AeLookupSvc (4b78b431f225fd8624c5655cb1de7b61) C:\Windows\System32\aelupsvc.dll

23:24:00.0478 0288 AeLookupSvc - ok

23:24:00.0556 0288 AFD (db9d6c6b2cd95a9ca414d045b627422e) C:\Windows\system32\drivers\afd.sys

23:24:00.0556 0288 AFD - ok

23:24:00.0603 0288 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys

23:24:00.0603 0288 agp440 - ok

23:24:00.0634 0288 ALG (3290d6946b5e30e70414990574883ddb) C:\Windows\System32\alg.exe

23:24:00.0634 0288 ALG - ok

23:24:00.0681 0288 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys

23:24:00.0681 0288 aliide - ok

23:24:00.0696 0288 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys

23:24:00.0696 0288 amdide - ok

23:24:00.0728 0288 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys

23:24:00.0728 0288 AmdK8 - ok

23:24:00.0728 0288 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys

23:24:00.0728 0288 AmdPPM - ok

23:24:00.0774 0288 amdsata (ec7ebab00a4d8448bab68d1e49b4beb9) C:\Windows\system32\drivers\amdsata.sys

23:24:00.0774 0288 amdsata - ok

23:24:00.0806 0288 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys

23:24:00.0806 0288 amdsbs - ok

23:24:00.0852 0288 amdxata (db27766102c7bf7e95140a2aa81d042e) C:\Windows\system32\drivers\amdxata.sys

23:24:00.0852 0288 amdxata - ok

23:24:00.0899 0288 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys

23:24:00.0899 0288 AppID - ok

23:24:00.0930 0288 AppIDSvc (0bc381a15355a3982216f7172f545de1) C:\Windows\System32\appidsvc.dll

23:24:00.0930 0288 AppIDSvc - ok

23:24:00.0977 0288 Appinfo (d065be66822847b7f127d1f90158376e) C:\Windows\System32\appinfo.dll

23:24:00.0977 0288 Appinfo - ok

23:24:01.0055 0288 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys

23:24:01.0055 0288 arc - ok

23:24:01.0071 0288 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys

23:24:01.0071 0288 arcsas - ok

23:24:01.0102 0288 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys

23:24:01.0102 0288 AsyncMac - ok

23:24:01.0118 0288 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys

23:24:01.0118 0288 atapi - ok

23:24:01.0196 0288 athr (38562a6a9cb10844759eaf2b01a7fcd3) C:\Windows\system32\DRIVERS\athrx.sys

23:24:01.0211 0288 athr - ok

23:24:01.0336 0288 AudioEndpointBuilder (07721a77180edd4d39ccb865bf63c7fd) C:\Windows\System32\Audiosrv.dll

23:24:01.0352 0288 AudioEndpointBuilder - ok

23:24:01.0352 0288 AudioSrv (07721a77180edd4d39ccb865bf63c7fd) C:\Windows\System32\Audiosrv.dll

23:24:01.0367 0288 AudioSrv - ok

23:24:01.0398 0288 AxInstSV (b20b5fa5ca050e9926e4d1db81501b32) C:\Windows\System32\AxInstSV.dll

23:24:01.0398 0288 AxInstSV - ok

23:24:01.0461 0288 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys

23:24:01.0476 0288 b06bdrv - ok

23:24:01.0523 0288 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys

23:24:01.0523 0288 b57nd60a - ok

23:24:01.0632 0288 BBSvc (2ed050291bc1d7f9e322e328db3aaecf) C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE

23:24:01.0632 0288 BBSvc - ok

23:24:01.0710 0288 BBUpdate (785de7abda13309d6065305542829e76) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE

23:24:01.0710 0288 BBUpdate - ok

23:24:01.0742 0288 BDESVC (fde360167101b4e45a96f939f388aeb0) C:\Windows\System32\bdesvc.dll

23:24:01.0742 0288 BDESVC - ok

23:24:01.0788 0288 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys

23:24:01.0788 0288 Beep - ok

23:24:01.0866 0288 BFE (4992c609a6315671463e30f6512bc022) C:\Windows\System32\bfe.dll

23:24:01.0866 0288 BFE - ok

23:24:01.0929 0288 BITS (7f0c323fe3da28aa4aa1bda3f575707f) C:\Windows\system32\qmgr.dll

23:24:01.0944 0288 BITS - ok

23:24:01.0991 0288 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys

23:24:02.0007 0288 blbdrive - ok

23:24:02.0038 0288 bowser (19d20159708e152267e53b66677a4995) C:\Windows\system32\DRIVERS\bowser.sys

23:24:02.0038 0288 bowser - ok

23:24:02.0069 0288 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys

23:24:02.0069 0288 BrFiltLo - ok

23:24:02.0069 0288 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys

23:24:02.0069 0288 BrFiltUp - ok

23:24:02.0132 0288 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys

23:24:02.0132 0288 BridgeMP - ok

23:24:02.0178 0288 Browser (94fbc06f294d58d02361918418f996e3) C:\Windows\System32\browser.dll

23:24:02.0178 0288 Browser - ok

23:24:02.0210 0288 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys

23:24:02.0210 0288 Brserid - ok

23:24:02.0241 0288 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys

23:24:02.0241 0288 BrSerWdm - ok

23:24:02.0241 0288 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys

23:24:02.0241 0288 BrUsbMdm - ok

23:24:02.0256 0288 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys

23:24:02.0256 0288 BrUsbSer - ok

23:24:02.0256 0288 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys

23:24:02.0256 0288 BTHMODEM - ok

23:24:02.0288 0288 bthserv (95f9c2976059462cbbf227f7aab10de9) C:\Windows\system32\bthserv.dll

23:24:02.0288 0288 bthserv - ok

23:24:02.0350 0288 catchme - ok

23:24:02.0381 0288 CAXHWAZL (d1787e11c6a0078ddeaf8cf3ee2ab293) C:\Windows\system32\DRIVERS\CAXHWAZL.sys

23:24:02.0397 0288 CAXHWAZL - ok

23:24:02.0444 0288 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys

23:24:02.0444 0288 cdfs - ok

23:24:02.0475 0288 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys

23:24:02.0475 0288 cdrom - ok

23:24:02.0522 0288 CertPropSvc (312e2f82af11e79906898ac3e3d58a1f) C:\Windows\System32\certprop.dll

23:24:02.0522 0288 CertPropSvc - ok

23:24:02.0553 0288 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys

23:24:02.0553 0288 circlass - ok

23:24:02.0600 0288 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys

23:24:02.0600 0288 CLFS - ok

23:24:02.0678 0288 clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

23:24:02.0678 0288 clr_optimization_v2.0.50727_32 - ok

23:24:02.0709 0288 clr_optimization_v2.0.50727_64 (d1ceea2b47cb998321c579651ce3e4f8) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

23:24:02.0709 0288 clr_optimization_v2.0.50727_64 - ok

23:24:02.0802 0288 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

23:24:02.0802 0288 clr_optimization_v4.0.30319_32 - ok

23:24:02.0834 0288 clr_optimization_v4.0.30319_64 (c6f9af94dcd58122a4d7e89db6bed29d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

23:24:02.0834 0288 clr_optimization_v4.0.30319_64 - ok

23:24:02.0849 0288 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys

23:24:02.0865 0288 CmBatt - ok

23:24:02.0880 0288 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys

23:24:02.0880 0288 cmdide - ok

23:24:02.0943 0288 CNG (937beb186a735aca91d717044a49d17e) C:\Windows\system32\Drivers\cng.sys

23:24:02.0943 0288 CNG - ok

23:24:03.0021 0288 CnxtHdAudService (a44dfdb81dc62b11760881175e5b2266) C:\Windows\system32\drivers\CHDRT64.sys

23:24:03.0036 0288 CnxtHdAudService - ok

23:24:03.0146 0288 Com4QLBEx (f9a79c5b27037821112c50a9c8fb367a) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

23:24:03.0146 0288 Com4QLBEx - ok

23:24:03.0192 0288 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys

23:24:03.0192 0288 Compbatt - ok

23:24:03.0224 0288 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys

23:24:03.0224 0288 CompositeBus - ok

23:24:03.0239 0288 COMSysApp - ok

23:24:03.0255 0288 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys

23:24:03.0255 0288 crcdisk - ok

23:24:03.0317 0288 CryptSvc (8c57411b66282c01533cb776f98ad384) C:\Windows\system32\cryptsvc.dll

23:24:03.0317 0288 CryptSvc - ok

23:24:03.0380 0288 dc3d (7af9dac504fbd047cbc3e64ae52c92bf) C:\Windows\system32\DRIVERS\dc3d.sys

23:24:03.0380 0288 dc3d - ok

23:24:03.0442 0288 DcomLaunch (7266972e86890e2b30c0c322e906b027) C:\Windows\system32\rpcss.dll

23:24:03.0442 0288 DcomLaunch - ok

23:24:03.0489 0288 defragsvc (3cec7631a84943677aa8fa8ee5b6b43d) C:\Windows\System32\defragsvc.dll

23:24:03.0489 0288 defragsvc - ok

23:24:03.0520 0288 DfsC (9c253ce7311ca60fc11c774692a13208) C:\Windows\system32\Drivers\dfsc.sys

23:24:03.0520 0288 DfsC - ok

23:24:03.0567 0288 Dhcp (ce3b9562d997f69b330d181a8875960f) C:\Windows\system32\dhcpcore.dll

23:24:03.0567 0288 Dhcp - ok

23:24:03.0614 0288 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys

23:24:03.0629 0288 discache - ok

23:24:03.0660 0288 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys

23:24:03.0660 0288 Disk - ok

23:24:03.0692 0288 Dnscache (85cf424c74a1d5ec33533e1dbff9920a) C:\Windows\System32\dnsrslvr.dll

23:24:03.0692 0288 Dnscache - ok

23:24:03.0738 0288 dot3svc (14452acdb09b70964c8c21bf80a13acb) C:\Windows\System32\dot3svc.dll

23:24:03.0738 0288 dot3svc - ok

23:24:03.0754 0288 DPS (8c2ba6bea949ee6e68385f5692bafb94) C:\Windows\system32\dps.dll

23:24:03.0770 0288 DPS - ok

23:24:03.0785 0288 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys

23:24:03.0785 0288 drmkaud - ok

23:24:03.0863 0288 DXGKrnl (1633b9abf52784a1331476397a48cbef) C:\Windows\System32\drivers\dxgkrnl.sys

23:24:03.0879 0288 DXGKrnl - ok

23:24:03.0926 0288 EapHost (e2dda8726da9cb5b2c4000c9018a9633) C:\Windows\System32\eapsvc.dll

23:24:03.0926 0288 EapHost - ok

23:24:04.0097 0288 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys

23:24:04.0175 0288 ebdrv - ok

23:24:04.0316 0288 EFS (156f6159457d0aa7e59b62681b56eb90) C:\Windows\System32\lsass.exe

23:24:04.0316 0288 EFS - ok

23:24:04.0409 0288 ehRecvr (47c071994c3f649f23d9cd075ac9304a) C:\Windows\ehome\ehRecvr.exe

23:24:04.0409 0288 ehRecvr - ok

23:24:04.0456 0288 ehSched (4705e8ef9934482c5bb488ce28afc681) C:\Windows\ehome\ehsched.exe

23:24:04.0456 0288 ehSched - ok

23:24:04.0550 0288 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys

23:24:04.0550 0288 elxstor - ok

23:24:04.0581 0288 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys

23:24:04.0581 0288 ErrDev - ok

23:24:04.0643 0288 EventSystem (4166f82be4d24938977dd1746be9b8a0) C:\Windows\system32\es.dll

23:24:04.0643 0288 EventSystem - ok

23:24:04.0690 0288 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys

23:24:04.0690 0288 exfat - ok

23:24:04.0706 0288 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys

23:24:04.0706 0288 fastfat - ok

23:24:04.0768 0288 Fax (d607b2f1bee3992aa6c2c92c0a2f0855) C:\Windows\system32\fxssvc.exe

23:24:04.0784 0288 Fax - ok

23:24:04.0815 0288 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys

23:24:04.0815 0288 fdc - ok

23:24:04.0846 0288 fdPHost (0438cab2e03f4fb61455a7956026fe86) C:\Windows\system32\fdPHost.dll

23:24:04.0846 0288 fdPHost - ok

23:24:04.0862 0288 FDResPub (802496cb59a30349f9a6dd22d6947644) C:\Windows\system32\fdrespub.dll

23:24:04.0862 0288 FDResPub - ok

23:24:04.0893 0288 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys

23:24:04.0893 0288 FileInfo - ok

23:24:04.0908 0288 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys

23:24:04.0908 0288 Filetrace - ok

23:24:04.0940 0288 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys

23:24:04.0940 0288 flpydisk - ok

23:24:04.0955 0288 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys

23:24:04.0955 0288 FltMgr - ok

23:24:05.0018 0288 FontCache (cb5e4b9c319e3c6bb363eb7e58a4a051) C:\Windows\system32\FntCache.dll

23:24:05.0033 0288 FontCache - ok

23:24:05.0096 0288 FontCache3.0.0.0 (8d89e3131c27fdd6932189cb785e1b7a) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

23:24:05.0096 0288 FontCache3.0.0.0 - ok

23:24:05.0142 0288 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys

23:24:05.0142 0288 FsDepends - ok

23:24:05.0189 0288 Fs_Rec (d3e3f93d67821a2db2b3d9fac2dc2064) C:\Windows\system32\drivers\Fs_Rec.sys

23:24:05.0189 0288 Fs_Rec - ok

23:24:05.0236 0288 fvevol (ae87ba80d0ec3b57126ed2cdc15b24ed) C:\Windows\system32\DRIVERS\fvevol.sys

23:24:05.0236 0288 fvevol - ok

23:24:05.0283 0288 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys

23:24:05.0283 0288 gagp30kx - ok

23:24:05.0392 0288 GameConsoleService (c44d560e441f091ea3b72f778ec60de2) C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe

23:24:05.0392 0288 GameConsoleService - ok

23:24:05.0454 0288 gpsvc (fe5ab4525bc2ec68b9119a6e5d40128b) C:\Windows\System32\gpsvc.dll

23:24:05.0470 0288 gpsvc - ok

23:24:05.0579 0288 gupdate (506708142bc63daba64f2d3ad1dcd5bf) C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

23:24:05.0579 0288 gupdate - ok

23:24:05.0610 0288 gupdatem (506708142bc63daba64f2d3ad1dcd5bf) C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

23:24:05.0610 0288 gupdatem - ok

23:24:05.0642 0288 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys

23:24:05.0642 0288 hcw85cir - ok

23:24:05.0657 0288 HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\Windows\system32\drivers\HdAudio.sys

23:24:05.0673 0288 HdAudAddService - ok

23:24:05.0704 0288 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys

23:24:05.0704 0288 HDAudBus - ok

23:24:05.0720 0288 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys

23:24:05.0720 0288 HidBatt - ok

23:24:05.0735 0288 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys

23:24:05.0735 0288 HidBth - ok

23:24:05.0751 0288 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys

23:24:05.0751 0288 HidIr - ok

23:24:05.0782 0288 hidserv (bd9eb3958f213f96b97b1d897dee006d) C:\Windows\System32\hidserv.dll

23:24:05.0782 0288 hidserv - ok

23:24:05.0829 0288 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\Windows\system32\DRIVERS\hidusb.sys

23:24:05.0829 0288 HidUsb - ok

23:24:05.0844 0288 hkmsvc (efa58ede58dd74388ffd04cb32681518) C:\Windows\system32\kmsvc.dll

23:24:05.0860 0288 hkmsvc - ok

23:24:05.0876 0288 HomeGroupListener (046b2673767ca626e2cfb7fdf735e9e8) C:\Windows\system32\ListSvc.dll

23:24:05.0876 0288 HomeGroupListener - ok

23:24:05.0907 0288 HomeGroupProvider (06a7422224d9865a5613710a089987df) C:\Windows\system32\provsvc.dll

23:24:05.0907 0288 HomeGroupProvider - ok

23:24:06.0032 0288 HP Health Check Service (0141816a095a3f5a83ffa5b4a47b8023) C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe

23:24:06.0032 0288 HP Health Check Service - ok

23:24:06.0063 0288 HpqKbFiltr (9af482d058be59cc28bce52e7c4b747c) C:\Windows\system32\DRIVERS\HpqKbFiltr.sys

23:24:06.0063 0288 HpqKbFiltr - ok

23:24:06.0156 0288 hpqwmiex (fdf273a845f1ffcceadf363aaf47582f) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe

23:24:06.0156 0288 hpqwmiex - ok

23:24:06.0203 0288 HpSAMD (0886d440058f203eba0e1825e4355914) C:\Windows\system32\DRIVERS\HpSAMD.sys

23:24:06.0203 0288 HpSAMD - ok

23:24:06.0312 0288 HsfXAudioService (447256d1c026654c5cd3cc17e7b20631) C:\Windows\SysWOW64\XAudio64.dll

23:24:06.0328 0288 HsfXAudioService - ok

23:24:06.0406 0288 HSF_DPV (26c5d00321937e49b6bc91029947d094) C:\Windows\system32\DRIVERS\CAX_DPV.sys

23:24:06.0422 0288 HSF_DPV - ok

23:24:06.0546 0288 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\Windows\system32\drivers\HTTP.sys

23:24:06.0562 0288 HTTP - ok

23:24:06.0578 0288 hwpolicy (f17766a19145f111856378df337a5d79) C:\Windows\system32\drivers\hwpolicy.sys

23:24:06.0578 0288 hwpolicy - ok

23:24:06.0593 0288 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys

23:24:06.0593 0288 i8042prt - ok

23:24:06.0640 0288 iaStorV (b75e45c564e944a2657167d197ab29da) C:\Windows\system32\drivers\iaStorV.sys

23:24:06.0656 0288 iaStorV - ok

23:24:06.0765 0288 idsvc (2f2be70d3e02b6fa877921ab9516d43c) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe

23:24:06.0765 0288 idsvc - ok

23:24:07.0186 0288 igfx (c6238c6abd6ac99f5d152da4e9439a3d) C:\Windows\system32\DRIVERS\igdkmd64.sys

23:24:07.0389 0288 igfx - ok

23:24:07.0514 0288 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys

23:24:07.0514 0288 iirsp - ok

23:24:07.0576 0288 IKEEXT (c5b4683680df085b57bc53e5ef34861f) C:\Windows\System32\ikeext.dll

23:24:07.0576 0288 IKEEXT - ok

23:24:07.0638 0288 IntcHdmiAddService (d485d3bd3e2179aa86853a182f70699f) C:\Windows\system32\drivers\IntcHdmi.sys

23:24:07.0638 0288 IntcHdmiAddService - ok

23:24:07.0654 0288 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\DRIVERS\intelide.sys

23:24:07.0654 0288 intelide - ok

23:24:07.0685 0288 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys

23:24:07.0685 0288 intelppm - ok

23:24:07.0732 0288 IPBusEnum (098a91c54546a3b878dad6a7e90a455b) C:\Windows\system32\ipbusenum.dll

23:24:07.0732 0288 IPBusEnum - ok

23:24:07.0748 0288 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\Windows\system32\DRIVERS\ipfltdrv.sys

23:24:07.0748 0288 IpFilterDriver - ok

23:24:07.0810 0288 iphlpsvc (f8e058d17363ec580e4b7232778b6cb5) C:\Windows\System32\iphlpsvc.dll

23:24:07.0810 0288 iphlpsvc - ok

23:24:07.0810 0288 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\Windows\system32\DRIVERS\IPMIDrv.sys

23:24:07.0826 0288 IPMIDRV - ok

23:24:07.0857 0288 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys

23:24:07.0857 0288 IPNAT - ok

23:24:07.0888 0288 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys

23:24:07.0888 0288 IRENUM - ok

23:24:07.0904 0288 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\DRIVERS\isapnp.sys

23:24:07.0904 0288 isapnp - ok

23:24:07.0935 0288 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\Windows\system32\DRIVERS\msiscsi.sys

23:24:07.0935 0288 iScsiPrt - ok

23:24:07.0950 0288 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys

23:24:07.0966 0288 kbdclass - ok

23:24:08.0013 0288 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys

23:24:08.0013 0288 kbdhid - ok

23:24:08.0075 0288 KeyIso (156f6159457d0aa7e59b62681b56eb90) C:\Windows\system32\lsass.exe

23:24:08.0075 0288 KeyIso - ok

23:24:08.0091 0288 KSecDD (16c1b906fc5ead84769f90b736b6bf0e) C:\Windows\system32\Drivers\ksecdd.sys

23:24:08.0091 0288 KSecDD - ok

23:24:08.0106 0288 KSecPkg (0b711550c56444879d71c7daabda6c83) C:\Windows\system32\Drivers\ksecpkg.sys

23:24:08.0106 0288 KSecPkg - ok

23:24:08.0138 0288 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys

23:24:08.0138 0288 ksthunk - ok

23:24:08.0184 0288 KtmRm (6ab66e16aa859232f64deb66887a8c9c) C:\Windows\system32\msdtckrm.dll

23:24:08.0184 0288 KtmRm - ok

23:24:08.0231 0288 LanmanServer (81f1d04d4d0e433099365127375fd501) C:\Windows\System32\srvsvc.dll

23:24:08.0231 0288 LanmanServer - ok

23:24:08.0262 0288 LanmanWorkstation (27026eac8818e8a6c00a1cad2f11d29a) C:\Windows\System32\wkssvc.dll

23:24:08.0262 0288 LanmanWorkstation - ok

23:24:08.0465 0288 Lavasoft Ad-Aware Service (93b3ef77866490c7daba054f6cbfcd51) C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe

23:24:08.0481 0288 Lavasoft Ad-Aware Service - ok

23:24:08.0637 0288 Lavasoft Kernexplorer (9a7fa6371f68335fd3c3d6488bc5a9f8) C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys

23:24:08.0637 0288 Lavasoft Kernexplorer - ok

23:24:08.0793 0288 Lbd (c8b3131857931ae76798a741cc52b021) C:\Windows\system32\DRIVERS\Lbd.sys

23:24:08.0793 0288 Lbd - ok

23:24:08.0871 0288 LightScribeService (83d8be94e1cbcbe2ea8372db1a95a159) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

23:24:08.0871 0288 LightScribeService - ok

23:24:08.0918 0288 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys

23:24:08.0918 0288 lltdio - ok

23:24:08.0949 0288 lltdsvc (c1185803384ab3feed115f79f109427f) C:\Windows\System32\lltdsvc.dll

23:24:08.0964 0288 lltdsvc - ok

23:24:08.0980 0288 lmhosts (f993a32249b66c9d622ea5592a8b76b8) C:\Windows\System32\lmhsvc.dll

23:24:08.0980 0288 lmhosts - ok

23:24:09.0027 0288 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys

23:24:09.0027 0288 LSI_FC - ok

23:24:09.0058 0288 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys

23:24:09.0058 0288 LSI_SAS - ok

23:24:09.0074 0288 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys

23:24:09.0074 0288 LSI_SAS2 - ok

23:24:09.0105 0288 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys

23:24:09.0105 0288 LSI_SCSI - ok

23:24:09.0120 0288 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys

23:24:09.0120 0288 luafv - ok

23:24:09.0167 0288 Mcx2Svc (f84c8f1000bc11e3b7b23cbd3baff111) C:\Windows\system32\Mcx2Svc.dll

23:24:09.0167 0288 Mcx2Svc - ok

23:24:09.0214 0288 mdmxsdk (e4f44ec214b3e381e1fc844a02926666) C:\Windows\system32\DRIVERS\mdmxsdk.sys

23:24:09.0214 0288 mdmxsdk - ok

23:24:09.0245 0288 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys

23:24:09.0245 0288 megasas - ok

23:24:09.0276 0288 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys

23:24:09.0276 0288 MegaSR - ok

23:24:09.0323 0288 MMCSS (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll

23:24:09.0323 0288 MMCSS - ok

23:24:09.0339 0288 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys

23:24:09.0339 0288 Modem - ok

23:24:09.0386 0288 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys

23:24:09.0386 0288 monitor - ok

23:24:09.0417 0288 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys

23:24:09.0417 0288 mouclass - ok

23:24:09.0448 0288 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys

23:24:09.0448 0288 mouhid - ok

23:24:09.0479 0288 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys

23:24:09.0479 0288 mountmgr - ok

23:24:09.0510 0288 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys

23:24:09.0510 0288 mpio - ok

23:24:09.0526 0288 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys

23:24:09.0526 0288 mpsdrv - ok

23:24:09.0588 0288 MpsSvc (aecab449567d1846dad63ece49e893e3) C:\Windows\system32\mpssvc.dll

23:24:09.0588 0288 MpsSvc - ok

23:24:09.0620 0288 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys

23:24:09.0620 0288 MRxDAV - ok

23:24:09.0651 0288 mrxsmb (040d62a9d8ad28922632137acdd984f2) C:\Windows\system32\DRIVERS\mrxsmb.sys

23:24:09.0651 0288 mrxsmb - ok

23:24:09.0682 0288 mrxsmb10 (f0067552f8f9b33d7c59403ab808a3cb) C:\Windows\system32\DRIVERS\mrxsmb10.sys

23:24:09.0682 0288 mrxsmb10 - ok

23:24:09.0698 0288 mrxsmb20 (3c142d31de9f2f193218a53fe2632051) C:\Windows\system32\DRIVERS\mrxsmb20.sys

23:24:09.0713 0288 mrxsmb20 - ok

23:24:09.0729 0288 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys

23:24:09.0729 0288 msahci - ok

23:24:09.0744 0288 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys

23:24:09.0744 0288 msdsm - ok

23:24:09.0791 0288 MSDTC (de0ece52236cfa3ed2dbfc03f28253a8) C:\Windows\System32\msdtc.exe

23:24:09.0791 0288 MSDTC - ok

23:24:09.0838 0288 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys

23:24:09.0838 0288 Msfs - ok

23:24:09.0838 0288 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys

23:24:09.0838 0288 mshidkmdf - ok

23:24:09.0869 0288 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys

23:24:09.0869 0288 msisadrv - ok

23:24:09.0916 0288 MSiSCSI (808e98ff49b155c522e6400953177b08) C:\Windows\system32\iscsiexe.dll

23:24:09.0916 0288 MSiSCSI - ok

23:24:09.0916 0288 msiserver - ok

23:24:09.0947 0288 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys

23:24:09.0947 0288 MSKSSRV - ok

23:24:09.0947 0288 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys

23:24:09.0947 0288 MSPCLOCK - ok

23:24:09.0963 0288 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys

23:24:09.0963 0288 MSPQM - ok

23:24:10.0010 0288 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys

23:24:10.0025 0288 MsRPC - ok

23:24:10.0041 0288 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys

23:24:10.0041 0288 mssmbios - ok

23:24:10.0041 0288 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys

23:24:10.0041 0288 MSTEE - ok

23:24:10.0072 0288 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys

23:24:10.0072 0288 MTConfig - ok

23:24:10.0088 0288 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys

23:24:10.0088 0288 Mup - ok

23:24:10.0134 0288 napagent (4987e079a4530fa737a128be54b63b12) C:\Windows\system32\qagentRT.dll

23:24:10.0150 0288 napagent - ok

23:24:10.0197 0288 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys

23:24:10.0197 0288 NativeWifiP - ok

23:24:10.0259 0288 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys

23:24:10.0259 0288 NDIS - ok

23:24:10.0290 0288 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys

23:24:10.0290 0288 NdisCap - ok

23:24:10.0337 0288 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys

23:24:10.0337 0288 NdisTapi - ok

23:24:10.0368 0288 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys

23:24:10.0368 0288 Ndisuio - ok

23:24:10.0384 0288 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys

23:24:10.0384 0288 NdisWan - ok

23:24:10.0400 0288 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys

23:24:10.0400 0288 NDProxy - ok

23:24:10.0431 0288 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys

23:24:10.0431 0288 NetBIOS - ok

23:24:10.0446 0288 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys

23:24:10.0446 0288 NetBT - ok

23:24:10.0509 0288 Netlogon (156f6159457d0aa7e59b62681b56eb90) C:\Windows\system32\lsass.exe

23:24:10.0509 0288 Netlogon - ok

23:24:10.0556 0288 Netman (847d3ae376c0817161a14a82c8922a9e) C:\Windows\System32\netman.dll

23:24:10.0571 0288 Netman - ok

23:24:10.0602 0288 netprofm (5f28111c648f1e24f7dbc87cdeb091b8) C:\Windows\System32\netprofm.dll

23:24:10.0602 0288 netprofm - ok

23:24:10.0665 0288 NetTcpPortSharing (3e5a36127e201ddf663176b66828fafe) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe

23:24:10.0680 0288 NetTcpPortSharing - ok

23:24:10.0883 0288 netw5v64 (64428dfdaf6e88366cb51f45a79c5f69) C:\Windows\system32\DRIVERS\netw5v64.sys

23:24:11.0008 0288 netw5v64 - ok

23:24:11.0148 0288 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys

23:24:11.0148 0288 nfrd960 - ok

23:24:11.0180 0288 NlaSvc (d9a0ce66046d6efa0c61baa885cba0a8) C:\Windows\System32\nlasvc.dll

23:24:11.0195 0288 NlaSvc - ok

23:24:11.0211 0288 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys

23:24:11.0226 0288 Npfs - ok

23:24:11.0242 0288 nsi (d54bfdf3e0c953f823b3d0bfe4732528) C:\Windows\system32\nsisvc.dll

23:24:11.0242 0288 nsi - ok

23:24:11.0242 0288 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys

23:24:11.0242 0288 nsiproxy - ok

23:24:11.0351 0288 Ntfs (378e0e0dfea67d98ae6ea53adbbd76bc) C:\Windows\system32\drivers\Ntfs.sys

23:24:11.0367 0288 Ntfs - ok

23:24:11.0523 0288 NuidFltr (317020d31f1696334679b9d0416eb62e) C:\Windows\system32\DRIVERS\NuidFltr.sys

23:24:11.0523 0288 NuidFltr - ok

23:24:11.0554 0288 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys

23:24:11.0554 0288 Null - ok

23:24:11.0585 0288 nvraid (a4d9c9a608a97f59307c2f2600edc6a4) C:\Windows\system32\drivers\nvraid.sys

23:24:11.0601 0288 nvraid - ok

23:24:11.0616 0288 nvstor (6c1d5f70e7a6a3fd1c90d840edc048b9) C:\Windows\system32\drivers\nvstor.sys

23:24:11.0616 0288 nvstor - ok

23:24:11.0648 0288 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys

23:24:11.0663 0288 nv_agp - ok

23:24:11.0663 0288 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys

23:24:11.0663 0288 ohci1394 - ok

23:24:11.0710 0288 p2pimsvc (3eac4455472cc2c97107b5291e0dcafe) C:\Windows\system32\pnrpsvc.dll

23:24:11.0710 0288 p2pimsvc - ok

23:24:11.0741 0288 p2psvc (927463ecb02179f88e4b9a17568c63c3) C:\Windows\system32\p2psvc.dll

23:24:11.0741 0288 p2psvc - ok

23:24:11.0772 0288 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys

23:24:11.0772 0288 Parport - ok

23:24:11.0835 0288 partmgr (90061b1acfe8ccaa5345750ffe08d8b8) C:\Windows\system32\drivers\partmgr.sys

23:24:11.0835 0288 partmgr - ok

23:24:11.0866 0288 PcaSvc (3aeaa8b561e63452c655dc0584922257) C:\Windows\System32\pcasvc.dll

23:24:11.0866 0288 PcaSvc - ok

23:24:11.0897 0288 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys

23:24:11.0897 0288 pci - ok

23:24:11.0913 0288 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys

23:24:11.0913 0288 pciide - ok

23:24:11.0944 0288 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys

23:24:11.0944 0288 pcmcia - ok

23:24:11.0991 0288 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys

23:24:11.0991 0288 pcw - ok

23:24:12.0053 0288 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys

23:24:12.0069 0288 PEAUTH - ok

23:24:12.0147 0288 PerfHost (e495e408c93141e8fc72dc0c6046ddfa) C:\Windows\SysWow64\perfhost.exe

23:24:12.0147 0288 PerfHost - ok

23:24:12.0225 0288 pla (557e9a86f65f0de18c9b6751dfe9d3f1) C:\Windows\system32\pla.dll

23:24:12.0240 0288 pla - ok

23:24:12.0287 0288 PlugPlay (98b1721b8718164293b9701b98c52d77) C:\Windows\system32\umpnpmgr.dll

23:24:12.0287 0288 PlugPlay - ok

23:24:12.0318 0288 PNRPAutoReg (7195581cec9bb7d12abe54036acc2e38) C:\Windows\system32\pnrpauto.dll

23:24:12.0318 0288 PNRPAutoReg - ok

23:24:12.0350 0288 PNRPsvc (3eac4455472cc2c97107b5291e0dcafe) C:\Windows\system32\pnrpsvc.dll

23:24:12.0350 0288 PNRPsvc - ok

23:24:12.0428 0288 Point64 (4f0878fd62d5f7444c5f1c4c66d9d293) C:\Windows\system32\DRIVERS\point64.sys

23:24:12.0428 0288 Point64 - ok

23:24:12.0474 0288 PolicyAgent (166eb40d1f5b47e615de3d0fffe5f243) C:\Windows\System32\ipsecsvc.dll

23:24:12.0474 0288 PolicyAgent - ok

23:24:12.0506 0288 Power (6ba9d927dded70bd1a9caded45f8b184) C:\Windows\system32\umpo.dll

23:24:12.0506 0288 Power - ok

23:24:12.0552 0288 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys

23:24:12.0552 0288 PptpMiniport - ok

23:24:12.0568 0288 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys

23:24:12.0568 0288 Processor - ok

23:24:12.0599 0288 ProfSvc (f381975e1f4346de875cb07339ce8d3a) C:\Windows\system32\profsvc.dll

23:24:12.0599 0288 ProfSvc - ok

23:24:12.0662 0288 ProtectedStorage (156f6159457d0aa7e59b62681b56eb90) C:\Windows\system32\lsass.exe

23:24:12.0662 0288 ProtectedStorage - ok

23:24:12.0708 0288 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys

23:24:12.0708 0288 Psched - ok

23:24:12.0771 0288 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys

23:24:12.0786 0288 ql2300 - ok

23:24:12.0911 0288 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys

23:24:12.0911 0288 ql40xx - ok

23:24:12.0942 0288 QWAVE (906191634e99aea92c4816150bda3732) C:\Windows\system32\qwave.dll

23:24:12.0942 0288 QWAVE - ok

23:24:12.0958 0288 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys

23:24:12.0974 0288 QWAVEdrv - ok

23:24:13.0005 0288 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys

23:24:13.0005 0288 RasAcd - ok

23:24:13.0036 0288 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys

23:24:13.0036 0288 RasAgileVpn - ok

23:24:13.0052 0288 RasAuto (8f26510c5383b8dbe976de1cd00fc8c7) C:\Windows\System32\rasauto.dll

23:24:13.0067 0288 RasAuto - ok

23:24:13.0083 0288 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys

23:24:13.0083 0288 Rasl2tp - ok

23:24:13.0114 0288 RasMan (47394ed3d16d053f5906efe5ab51cc83) C:\Windows\System32\rasmans.dll

23:24:13.0130 0288 RasMan - ok

23:24:13.0176 0288 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys

23:24:13.0176 0288 RasPppoe - ok

23:24:13.0176 0288 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys

23:24:13.0176 0288 RasSstp - ok

23:24:13.0208 0288 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys

23:24:13.0208 0288 rdbss - ok

23:24:13.0223 0288 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys

23:24:13.0239 0288 rdpbus - ok

23:24:13.0286 0288 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys

23:24:13.0286 0288 RDPCDD - ok

23:24:13.0286 0288 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys

23:24:13.0286 0288 RDPENCDD - ok

23:24:13.0301 0288 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys

23:24:13.0301 0288 RDPREFMP - ok

23:24:13.0348 0288 RDPWD (074ac702d8b8b660b0e1371555995386) C:\Windows\system32\drivers\RDPWD.sys

23:24:13.0348 0288 RDPWD - ok

23:24:13.0395 0288 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys

23:24:13.0395 0288 rdyboost - ok

23:24:13.0442 0288 RemoteAccess (254fb7a22d74e5511c73a3f6d802f192) C:\Windows\System32\mprdim.dll

23:24:13.0442 0288 RemoteAccess - ok

23:24:13.0473 0288 RemoteRegistry (e4d94f24081440b5fc5aa556c7c62702) C:\Windows\system32\regsvc.dll

23:24:13.0473 0288 RemoteRegistry - ok

23:24:13.0551 0288 RichVideo (498eb62a160674e793fa40fd65390625) C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe

23:24:13.0551 0288 RichVideo - ok

23:24:13.0566 0288 RpcEptMapper (e4dc58cf7b3ea515ae917ff0d402a7bb) C:\Windows\System32\RpcEpMap.dll

23:24:13.0582 0288 RpcEptMapper - ok

23:24:13.0613 0288 RpcLocator (d5ba242d4cf8e384db90e6a8ed850b8c) C:\Windows\system32\locator.exe

23:24:13.0613 0288 RpcLocator - ok

23:24:13.0644 0288 RpcSs (7266972e86890e2b30c0c322e906b027) C:\Windows\System32\rpcss.dll

23:24:13.0644 0288 RpcSs - ok

23:24:13.0707 0288 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys

23:24:13.0707 0288 rspndr - ok

23:24:13.0738 0288 RSUSBSTOR (2db8116d52b19216812c4e6d5d837810) C:\Windows\system32\Drivers\RtsUStor.sys

23:24:13.0754 0288 RSUSBSTOR - ok

23:24:13.0800 0288 RTL8167 (b49dc435ae3695bac5623dd94b05732d) C:\Windows\system32\DRIVERS\Rt64win7.sys

23:24:13.0800 0288 RTL8167 - ok

23:24:13.0816 0288 RtsUIR - ok

23:24:13.0863 0288 SamSs (156f6159457d0aa7e59b62681b56eb90) C:\Windows\system32\lsass.exe

23:24:13.0863 0288 SamSs - ok

23:24:13.0894 0288 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys

23:24:13.0894 0288 sbp2port - ok

23:24:13.0941 0288 SCardSvr (9b7395789e3791a3b6d000fe6f8b131e) C:\Windows\System32\SCardSvr.dll

23:24:13.0941 0288 SCardSvr - ok

23:24:13.0956 0288 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys

23:24:13.0956 0288 scfilter - ok

23:24:14.0019 0288 Schedule (624d0f5ff99428bb90a5b8a4123e918e) C:\Windows\system32\schedsvc.dll

23:24:14.0034 0288 Schedule - ok

23:24:14.0066 0288 SCPolicySvc (312e2f82af11e79906898ac3e3d58a1f) C:\Windows\System32\certprop.dll

23:24:14.0066 0288 SCPolicySvc - ok

23:24:14.0128 0288 sdbus (2c8d162efaf73abd36d8bcbb6340cae7) C:\Windows\system32\drivers\sdbus.sys

23:24:14.0128 0288 sdbus - ok

23:24:14.0159 0288 SDRSVC (765a27c3279ce11d14cb9e4f5869fca5) C:\Windows\System32\SDRSVC.dll

23:24:14.0159 0288 SDRSVC - ok

23:24:14.0190 0288 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys

23:24:14.0190 0288 secdrv - ok

23:24:14.0222 0288 seclogon (463b386ebc70f98da5dff85f7e654346) C:\Windows\system32\seclogon.dll

23:24:14.0222 0288 seclogon - ok

23:24:14.0253 0288 SENS (c32ab8fa018ef34c0f113bd501436d21) C:\Windows\system32\sens.dll

23:24:14.0253 0288 SENS - ok

23:24:14.0284 0288 SensrSvc (0336cffafaab87a11541f1cf1594b2b2) C:\Windows\system32\sensrsvc.dll

23:24:14.0284 0288 SensrSvc - ok

23:24:14.0300 0288 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys

23:24:14.0300 0288 Serenum - ok

23:24:14.0331 0288 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys

23:24:14.0331 0288 Serial - ok

23:24:14.0346 0288 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys

23:24:14.0346 0288 sermouse - ok

23:24:14.0378 0288 SessionEnv (c3bc61ce47ff6f4e88ab8a3b429a36af) C:\Windows\system32\sessenv.dll

23:24:14.0378 0288 SessionEnv - ok

23:24:14.0424 0288 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys

23:24:14.0424 0288 sffdisk - ok

23:24:14.0440 0288 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys

23:24:14.0440 0288 sffp_mmc - ok

23:24:14.0471 0288 sffp_sd (178298f767fe638c9fedcbdef58bb5e4) C:\Windows\system32\drivers\sffp_sd.sys

23:24:14.0471 0288 sffp_sd - ok

23:24:14.0502 0288 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys

23:24:14.0502 0288 sfloppy - ok

23:24:14.0549 0288 SharedAccess (b95f6501a2f8b2e78c697fec401970ce) C:\Windows\System32\ipnathlp.dll

23:24:14.0549 0288 SharedAccess - ok

23:24:14.0596 0288 ShellHWDetection (0298ac45d0efffb2db4baa7dd186e7bf) C:\Windows\System32\shsvcs.dll

23:24:14.0612 0288 ShellHWDetection - ok

23:24:14.0627 0288 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys

23:24:14.0627 0288 SiSRaid2 - ok

23:24:14.0658 0288 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys

23:24:14.0658 0288 SiSRaid4 - ok

23:24:14.0705 0288 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys

23:24:14.0705 0288 Smb - ok

23:24:14.0783 0288 SNMPTRAP (6313f223e817cc09aa41811daa7f541d) C:\Windows\System32\snmptrap.exe

23:24:14.0783 0288 SNMPTRAP - ok

23:24:14.0799 0288 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys

23:24:14.0799 0288 spldr - ok

23:24:14.0846 0288 Spooler (f8e1fa03cb70d54a9892ac88b91d1e7b) C:\Windows\System32\spoolsv.exe

23:24:14.0846 0288 Spooler - ok

23:24:14.0986 0288 sppsvc (913d843498553a1bc8f8dbad6358e49f) C:\Windows\system32\sppsvc.exe

23:24:15.0048 0288 sppsvc - ok

23:24:15.0158 0288 sppuinotify (93d7d61317f3d4bc4f4e9f8a96a7de45) C:\Windows\system32\sppuinotify.dll

23:24:15.0158 0288 sppuinotify - ok

23:24:15.0220 0288 srv (2408c0366d96bcdf63e8f1c78e4a29c5) C:\Windows\system32\DRIVERS\srv.sys

23:24:15.0220 0288 srv - ok

23:24:15.0251 0288 srv2 (76548f7b818881b47d8d1ae1be9c11f8) C:\Windows\system32\DRIVERS\srv2.sys

23:24:15.0251 0288 srv2 - ok

23:24:15.0298 0288 SrvHsfHDA (0c4540311e11664b245a263e1154cef8) C:\Windows\system32\DRIVERS\VSTAZL6.SYS

23:24:15.0298 0288 SrvHsfHDA - ok

23:24:15.0345 0288 SrvHsfV92 (02071d207a9858fbe3a48cbfd59c4a04) C:\Windows\system32\DRIVERS\VSTDPV6.SYS

23:24:15.0360 0288 SrvHsfV92 - ok

23:24:15.0516 0288 SrvHsfWinac (18e40c245dbfaf36fd0134a7ef2df396) C:\Windows\system32\DRIVERS\VSTCNXT6.SYS

23:24:15.0532 0288 SrvHsfWinac - ok

23:24:15.0563 0288 srvnet (0af6e19d39c70844c5caa8fb0183c36e) C:\Windows\system32\DRIVERS\srvnet.sys

23:24:15.0563 0288 srvnet - ok

23:24:15.0610 0288 SSDPSRV (51b52fbd583cde8aa9ba62b8b4298f33) C:\Windows\System32\ssdpsrv.dll

23:24:15.0626 0288 SSDPSRV - ok

23:24:15.0626 0288 SstpSvc (ab7aebf58dad8daab7a6c45e6a8885cb) C:\Windows\system32\sstpsvc.dll

23:24:15.0641 0288 SstpSvc - ok

23:24:15.0672 0288 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys

23:24:15.0672 0288 stexstor - ok

23:24:15.0735 0288 stisvc (52d0e33b681bd0f33fdc08812fee4f7d) C:\Windows\System32\wiaservc.dll

23:24:15.0750 0288 stisvc - ok

23:24:15.0766 0288 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys

23:24:15.0766 0288 swenum - ok

23:24:15.0828 0288 swprv (e08e46fdd841b7184194011ca1955a0b) C:\Windows\System32\swprv.dll

23:24:15.0828 0288 swprv - ok

23:24:15.0891 0288 SynTP (bcf305959b53b200ceb2ad25ad22f8a7) C:\Windows\system32\DRIVERS\SynTP.sys

23:24:15.0891 0288 SynTP - ok

23:24:15.0984 0288 SysMain (3c1284516a62078fb68f768de4f1a7be) C:\Windows\system32\sysmain.dll

23:24:16.0031 0288 SysMain - ok

23:24:16.0140 0288 TabletInputService (238935c3cf2854886dc7cbb2a0e2cc66) C:\Windows\System32\TabSvc.dll

23:24:16.0156 0288 TabletInputService - ok

23:24:16.0172 0288 TapiSrv (884264ac597b690c5707c89723bb8e7b) C:\Windows\System32\tapisrv.dll

23:24:16.0187 0288 TapiSrv - ok

23:24:16.0218 0288 TBS (1be03ac720f4d302ea01d40f588162f6) C:\Windows\System32\tbssvc.dll

23:24:16.0218 0288 TBS - ok

23:24:16.0390 0288 Tcpip (624c5b3aa4c99b3184bb922d9ece3ff0) C:\Windows\system32\drivers\tcpip.sys

23:24:16.0406 0288 Tcpip - ok

23:24:16.0624 0288 TCPIP6 (624c5b3aa4c99b3184bb922d9ece3ff0) C:\Windows\system32\DRIVERS\tcpip.sys

23:24:16.0640 0288 TCPIP6 - ok

23:24:16.0920 0288 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys

23:24:16.0920 0288 tcpipreg - ok

23:24:16.0952 0288 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys

23:24:16.0952 0288 TDPIPE - ok

23:24:16.0983 0288 TDTCP (7518f7bcfd4b308abc9192bacaf6c970) C:\Windows\system32\drivers\tdtcp.sys

23:24:16.0983 0288 TDTCP - ok

23:24:17.0030 0288 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\Windows\system32\DRIVERS\tdx.sys

23:24:17.0030 0288 tdx - ok

23:24:17.0045 0288 TermDD (c448651339196c0e869a355171875522) C:\Windows\system32\DRIVERS\termdd.sys

23:24:17.0045 0288 TermDD - ok

23:24:17.0108 0288 TermService (0f05ec2887bfe197ad82a13287d2f404) C:\Windows\System32\termsrv.dll

23:24:17.0108 0288 TermService - ok

23:24:17.0123 0288 Themes (f0344071948d1a1fa732231785a0664c) C:\Windows\system32\themeservice.dll

23:24:17.0139 0288 Themes - ok

23:24:17.0154 0288 THREADORDER (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll

23:24:17.0154 0288 THREADORDER - ok

23:24:17.0201 0288 TrkWks (7e7afd841694f6ac397e99d75cead49d) C:\Windows\System32\trkwks.dll

23:24:17.0201 0288 TrkWks - ok

23:24:17.0264 0288 TrustedInstaller (840f7fb849f5887a49ba18c13b2da920) C:\Windows\servicing\TrustedInstaller.exe

23:24:17.0264 0288 TrustedInstaller - ok

23:24:17.0279 0288 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\Windows\system32\DRIVERS\tssecsrv.sys

23:24:17.0279 0288 tssecsrv - ok

23:24:17.0342 0288 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\Windows\system32\DRIVERS\tunnel.sys

23:24:17.0342 0288 tunnel - ok

23:24:17.0357 0288 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys

23:24:17.0357 0288 uagp35 - ok

23:24:17.0388 0288 udfs (d47baead86c65d4f4069d7ce0a4edceb) C:\Windows\system32\DRIVERS\udfs.sys

23:24:17.0388 0288 udfs - ok

23:24:17.0420 0288 UI0Detect (3cbdec8d06b9968aba702eba076364a1) C:\Windows\system32\UI0Detect.exe

23:24:17.0435 0288 UI0Detect - ok

23:24:17.0451 0288 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\DRIVERS\uliagpkx.sys

23:24:17.0451 0288 uliagpkx - ok

23:24:17.0498 0288 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\Windows\system32\DRIVERS\umbus.sys

23:24:17.0498 0288 umbus - ok

23:24:17.0529 0288 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys

23:24:17.0529 0288 UmPass - ok

23:24:17.0576 0288 upnphost (d47ec6a8e81633dd18d2436b19baf6de) C:\Windows\System32\upnphost.dll

23:24:17.0576 0288 upnphost - ok

23:24:17.0607 0288 usbccgp (7b6a127c93ee590e4d79a5f2a76fe46f) C:\Windows\system32\DRIVERS\usbccgp.sys

23:24:17.0607 0288 usbccgp - ok

23:24:17.0622 0288 USBCCID - ok

23:24:17.0654 0288 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\DRIVERS\usbcir.sys

23:24:17.0654 0288 usbcir - ok

23:24:17.0685 0288 usbehci (92969ba5ac44e229c55a332864f79677) C:\Windows\system32\DRIVERS\usbehci.sys

23:24:17.0685 0288 usbehci - ok

23:24:17.0716 0288 usbhub (e7df1cfd28ca86b35ef5add0735ceef3) C:\Windows\system32\DRIVERS\usbhub.sys

23:24:17.0732 0288 usbhub - ok

23:24:17.0747 0288 usbohci (f1bb1e55f1e7a65c5839ccc7b36d773e) C:\Windows\system32\drivers\usbohci.sys

23:24:17.0747 0288 usbohci - ok

23:24:17.0778 0288 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys

23:24:17.0778 0288 usbprint - ok

23:24:17.0810 0288 USBSTOR (f39983647bc1f3e6100778ddfe9dce29) C:\Windows\system32\DRIVERS\USBSTOR.SYS

23:24:17.0810 0288 USBSTOR - ok

23:24:17.0825 0288 usbuhci (bc3070350a491d84b518d7cca9abd36f) C:\Windows\system32\DRIVERS\usbuhci.sys

23:24:17.0825 0288 usbuhci - ok

23:24:17.0888 0288 usbvideo (7cb8c573c6e4a2714402cc0a36eab4fe) C:\Windows\System32\Drivers\usbvideo.sys

23:24:17.0903 0288 usbvideo - ok

23:24:17.0919 0288 UxSms (edbb23cbcf2cdf727d64ff9b51a6070e) C:\Windows\System32\uxsms.dll

23:24:17.0919 0288 UxSms - ok

23:24:17.0997 0288 VaultSvc (156f6159457d0aa7e59b62681b56eb90) C:\Windows\system32\lsass.exe

23:24:17.0997 0288 VaultSvc - ok

23:24:18.0028 0288 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\DRIVERS\vdrvroot.sys

23:24:18.0028 0288 vdrvroot - ok

23:24:18.0090 0288 vds (44d73e0bbc1d3c8981304ba15135c2f2) C:\Windows\System32\vds.exe

23:24:18.0106 0288 vds - ok

23:24:18.0153 0288 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys

23:24:18.0153 0288 vga - ok

23:24:18.0184 0288 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys

23:24:18.0184 0288 VgaSave - ok

23:24:18.0200 0288 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\Windows\system32\DRIVERS\vhdmp.sys

23:24:18.0200 0288 vhdmp - ok

23:24:18.0215 0288 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\DRIVERS\viaide.sys

23:24:18.0215 0288 viaide - ok

23:24:18.0246 0288 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\Windows\system32\DRIVERS\volmgr.sys

23:24:18.0246 0288 volmgr - ok

23:24:18.0262 0288 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\Windows\system32\drivers\volmgrx.sys

23:24:18.0278 0288 volmgrx - ok

23:24:18.0293 0288 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\Windows\system32\DRIVERS\volsnap.sys

23:24:18.0293 0288 volsnap - ok

23:24:18.0371 0288 Vsdatant (48bfa6276bcc0535f5f8898107ed489a) C:\Windows\system32\DRIVERS\vsdatant.sys

23:24:18.0371 0288 Vsdatant - ok

23:24:18.0449 0288 vsmon - ok

23:24:18.0512 0288 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys

23:24:18.0512 0288 vsmraid - ok

23:24:18.0590 0288 VSS (787898bf9fb6d7bd87a36e2d95c899ba) C:\Windows\system32\vssvc.exe

23:24:18.0605 0288 VSS - ok

23:24:18.0730 0288 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys

23:24:18.0730 0288 vwifibus - ok

23:24:18.0761 0288 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys

23:24:18.0761 0288 vwififlt - ok

23:24:18.0808 0288 W32Time (1c9d80cc3849b3788048078c26486e1a) C:\Windows\system32\w32time.dll

23:24:18.0808 0288 W32Time - ok

23:24:18.0839 0288 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys

23:24:18.0839 0288 WacomPen - ok

23:24:18.0870 0288 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys

23:24:18.0870 0288 WANARP - ok

23:24:18.0886 0288 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys

23:24:18.0886 0288 Wanarpv6 - ok

23:24:18.0980 0288 WatAdminSvc (3cec96de223e49eaae3651fcf8faea6c) C:\Windows\system32\Wat\WatAdminSvc.exe

23:24:18.0995 0288 WatAdminSvc - ok

23:24:19.0073 0288 wbengine (5ab1bb85bd8b5089cc5d64200dedae68) C:\Windows\system32\wbengine.exe

23:24:19.0089 0288 wbengine - ok

23:24:19.0198 0288 WbioSrvc (3aa101e8edab2db4131333f4325c76a3) C:\Windows\System32\wbiosrvc.dll

23:24:19.0214 0288 WbioSrvc - ok

23:24:19.0245 0288 wcncsvc (dd1bae8ebfc653824d29ccf8c9054d68) C:\Windows\System32\wcncsvc.dll

23:24:19.0245 0288 wcncsvc - ok

23:24:19.0276 0288 WcsPlugInService (20f7441334b18cee52027661df4a6129) C:\Windows\System32\WcsPlugInService.dll

23:24:19.0276 0288 WcsPlugInService - ok

23:24:19.0338 0288 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys

23:24:19.0338 0288 Wd - ok

23:24:19.0370 0288 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys

23:24:19.0370 0288 Wdf01000 - ok

23:24:19.0416 0288 WdiServiceHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll

23:24:19.0416 0288 WdiServiceHost - ok

23:24:19.0416 0288 WdiSystemHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll

23:24:19.0416 0288 WdiSystemHost - ok

23:24:19.0448 0288 WebClient (733006127f235be7c35354ebee7b9a7b) C:\Windows\System32\webclnt.dll

23:24:19.0448 0288 WebClient - ok

23:24:19.0479 0288 Wecsvc (c749025a679c5103e575e3b48e092c43) C:\Windows\system32\wecsvc.dll

23:24:19.0479 0288 Wecsvc - ok

23:24:19.0526 0288 wercplsupport (7e591867422dc788b9e5bd337a669a08) C:\Windows\System32\wercplsupport.dll

23:24:19.0526 0288 wercplsupport - ok

23:24:19.0557 0288 WerSvc (6d137963730144698cbd10f202e9f251) C:\Windows\System32\WerSvc.dll

23:24:19.0557 0288 WerSvc - ok

23:24:19.0619 0288 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys

23:24:19.0619 0288 WfpLwf - ok

23:24:19.0650 0288 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys

23:24:19.0650 0288 WIMMount - ok

23:24:19.0713 0288 winachsf (a6ea7a3fc4b00f48535b506db1e86efd) C:\Windows\system32\DRIVERS\CAX_CNXT.sys

23:24:19.0728 0288 winachsf - ok

23:24:19.0760 0288 WinDefend - ok

23:24:19.0775 0288 WinHttpAutoProxySvc - ok

23:24:19.0838 0288 Winmgmt (19b07e7e8915d701225da41cb3877306) C:\Windows\system32\wbem\WMIsvc.dll

23:24:19.0838 0288 Winmgmt - ok

23:24:19.0931 0288 WinRM (41fbb751936b387f9179e7f03a74fe29) C:\Windows\system32\WsmSvc.dll

23:24:19.0947 0288 WinRM - ok

23:24:20.0134 0288 Wlansvc (4fada86e62f18a1b2f42ba18ae24e6aa) C:\Windows\System32\wlansvc.dll

23:24:20.0150 0288 Wlansvc - ok

23:24:20.0212 0288 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys

23:24:20.0212 0288 WmiAcpi - ok

23:24:20.0274 0288 wmiApSrv (38b84c94c5a8af291adfea478ae54f93) C:\Windows\system32\wbem\WmiApSrv.exe

23:24:20.0274 0288 wmiApSrv - ok

23:24:20.0352 0288 WMPNetworkSvc - ok

23:24:20.0368 0288 WPCSvc (96c6e7100d724c69fcf9e7bf590d1dca) C:\Windows\System32\wpcsvc.dll

23:24:20.0384 0288 WPCSvc - ok

23:24:20.0384 0288 WPDBusEnum (2e57ddf2880a7e52e76f41c7e96d327b) C:\Windows\system32\wpdbusenum.dll

23:24:20.0399 0288 WPDBusEnum - ok

23:24:20.0415 0288 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys

23:24:20.0415 0288 ws2ifsl - ok

23:24:20.0446 0288 wscsvc (8f9f3969933c02da96eb0f84576db43e) C:\Windows\system32\wscsvc.dll

23:24:20.0462 0288 wscsvc - ok

23:24:20.0462 0288 WSearch - ok

23:24:20.0571 0288 wuauserv (38340204a2d0228f1e87740fc5e554a7) C:\Windows\system32\wuaueng.dll

23:24:20.0602 0288 wuauserv - ok

23:24:20.0727 0288 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys

23:24:20.0727 0288 WudfPf - ok

23:24:20.0758 0288 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys

23:24:20.0758 0288 WUDFRd - ok

23:24:20.0789 0288 wudfsvc (b551d6637aa0e132c18ac6e504f7b79b) C:\Windows\System32\WUDFSvc.dll

23:24:20.0789 0288 wudfsvc - ok

23:24:20.0820 0288 WwanSvc (9a3452b3c2a46c073166c5cf49fad1ae) C:\Windows\System32\wwansvc.dll

23:24:20.0820 0288 WwanSvc - ok

23:24:20.0867 0288 XAudio (e8f3fa126a06f8e7088f63757112a186) C:\Windows\system32\DRIVERS\XAudio64.sys

23:24:20.0867 0288 XAudio - ok

23:24:20.0914 0288 yukonw7 (b3eeacf62445e24fbb2cd4b0fb4db026) C:\Windows\system32\DRIVERS\yk62x64.sys

23:24:20.0914 0288 yukonw7 - ok

23:24:20.0961 0288 MBR (0x1B8) (8065ab345e5f3212518e1e127758d69e) \Device\Harddisk0\DR0

23:24:21.0117 0288 \Device\Harddisk0\DR0 - ok

23:24:21.0132 0288 Boot (0x1200) (19aeb0d8f0355f65ae0c48884c51c1fa) \Device\Harddisk0\DR0\Partition0

23:24:21.0132 0288 \Device\Harddisk0\DR0\Partition0 - ok

23:24:21.0148 0288 Boot (0x1200) (ace762bdcc351084bb7bb50039c62459) \Device\Harddisk0\DR0\Partition1

23:24:21.0148 0288 \Device\Harddisk0\DR0\Partition1 - ok

23:24:21.0179 0288 Boot (0x1200) (9fef7041c5e9ca36849b5f477e9abbe0) \Device\Harddisk0\DR0\Partition2

23:24:21.0179 0288 \Device\Harddisk0\DR0\Partition2 - ok

23:24:21.0179 0288 ============================================================

23:24:21.0179 0288 Scan finished

23:24:21.0179 0288 ============================================================

23:24:21.0195 3012 Detected object count: 0

23:24:21.0195 3012 Actual detected object count: 0

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-06-08 11:50:26

-----------------------------

11:50:26.294 OS Version: Windows x64 6.1.7600

11:50:26.294 Number of processors: 2 586 0x170A

11:50:26.294 ComputerName: STATION4 UserName: JWB

11:50:29.055 Initialize success

11:51:31.779 AVAST engine download error: 0

11:52:07.690 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

11:52:07.690 Disk 0 Vendor: TOSHIBA_MK2555GSX FG002C Size: 238475MB BusType: 11

11:52:07.705 Disk 0 MBR read successfully

11:52:07.705 Disk 0 MBR scan

11:52:07.721 Disk 0 unknown MBR code

11:52:07.737 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048

11:52:07.737 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 226120 MB offset 409600

11:52:07.768 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12154 MB offset 463503360

11:52:07.799 Disk 0 scanning C:\Windows\system32\drivers

11:52:14.273 Service scanning

11:52:49.139 Service Vsdatant C:\Windows\system32\DRIVERS\vsdatant.sys **LOCKED** 32

11:52:53.226 Modules scanning

11:52:53.226 Disk 0 trace - called modules:

11:52:53.788 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys

11:52:53.804 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c7b4e0]

11:52:53.804 3 CLASSPNP.SYS[fffff880010d243f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80047b7060]

11:52:53.819 Scan finished successfully

11:53:15.347 Disk 0 MBR has been saved successfully to "C:\Users\JWB\Desktop\MBR.dat"

11:53:15.363 The log file has been saved successfully to "C:\Users\JWB\Desktop\aswMBR.txt"

Link to post
Share on other sites

  • Staff

Hello

download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:


    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

[*]Select Command Prompt

[*]In the command window type in notepad and press Enter.

[*]The notepad opens. Under File menu select Open.

[*]Select "Computer" and find your flash drive letter and close the notepad.

[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run.

[*]When the tool opens click Yes to disclaimer.

[*]Press Scan button.

[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Gringo

Link to post
Share on other sites

Hello,

Here are the results of the FRST log produced by the FRST64 scan.

Scan result of Farbar Recovery Scan Tool Version: 08-06-2012 02

Ran by SYSTEM at 08-06-2012 15:07:21

Running from G:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)

HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [495104 2009-07-14] (Conexant Systems, Inc.)

HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [162328 2011-02-11] (Intel Corporation)

HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2011-02-11] (Intel Corporation)

HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [417304 2011-02-11] (Intel Corporation)

HKLM\...\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)

HKLM-x32\...\Run: [QPService] "C:\Program Files (x86)\HP\QuickPlay\QPService.exe" [468264 2009-06-23] (CyberLink Corp.)

HKLM-x32\...\Run: [uCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0" [218408 2009-02-17] (CyberLink Corp.)

HKLM-x32\...\Run: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [320056 2009-06-24] ( Hewlett-Packard Development Company, L.P.)

HKLM-x32\...\Run: [updatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover" [222504 2009-05-19] (CyberLink Corp.)

HKLM-x32\...\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)

HKLM-x32\...\Run: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe" [1043968 2011-03-17] (Check Point Software Technologies LTD)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-06-06] (Adobe Systems Incorporated)

HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1668664 2009-07-15] (Hewlett-Packard)

HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1668664 2009-07-15] (Hewlett-Packard)

HKU\JWB\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-06-17] (Hewlett-Packard Company)

Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)

Tcpip\..\Interfaces\{7B5D90F8-DB72-4ADD-AD43-C9F3D991AA80}: [NameServer]75.75.75.75

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk

ShortcutTarget: Amazon Unbox.lnk -> C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe (Amazon.com)

==================== Services (Whitelisted) ======

2 ADVService; "C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe" [25704 2011-11-23] (Amazon.com)

2 BBUpdate; "C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE" [249648 2011-06-15] (Microsoft Corporation)

2 Lavasoft Ad-Aware Service; "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe" [2152688 2012-05-13] (Lavasoft Limited)

2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [247152 2009-01-21] ()

2 vsmon; C:\Windows\SysWOW64\ZoneLabs\vsmon.exe -service [2435592 2011-03-17] (Check Point Software Technologies LTD)

========================== Drivers (Whitelisted) =============

3 IntcHdmiAddService; C:\Windows\System32\drivers\IntcHdmi.sys [138752 2009-05-26] (Intel® Corporation)

3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [17152 2011-11-06] ()

0 Lbd; C:\Windows\System32\Drivers\Lbd.sys [69376 2011-11-03] (Lavasoft AB)

3 Point64; C:\Windows\System32\Drivers\Point64.sys [45416 2011-08-01] (Microsoft Corporation)

3 RSUSBSTOR; C:\Windows\System32\Drivers\RtsUStor.sys [216064 2009-06-04] (Realtek Semiconductor Corp.)

1 Vsdatant; C:\Windows\System32\Drivers\Vsdatant.sys [458840 2010-05-15] (Check Point Software Technologies LTD)

3 catchme; \??\C:\ComboFix\catchme.sys [x]

3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]

3 USBCCID; C:\Windows\System32\DRIVERS\RtsUCcid.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-06-08 15:07 - 2012-06-08 15:07 - 00000000 ____D C:\FRST

2012-06-08 08:53 - 2012-06-08 08:53 - 00001735 ____A C:\Users\JWB\Desktop\aswMBR.txt

2012-06-08 08:53 - 2012-06-08 08:53 - 00000512 ____A C:\Users\JWB\Desktop\MBR.dat

2012-06-07 20:25 - 2012-06-07 20:25 - 00061307 ____A C:\Users\JWB\Desktop\New Text Document.txt

2012-06-07 20:23 - 2012-06-07 20:25 - 00122698 ____A C:\TDSSKiller.2.7.36.0_07.06.2012_23.23.52_log.txt

2012-06-07 16:36 - 2012-06-07 16:35 - 04731392 ____A (AVAST Software) C:\Users\JWB\Desktop\aswMBR.exe

2012-06-07 16:36 - 2012-06-07 16:35 - 02127960 ____A (Kaspersky Lab ZAO) C:\Users\JWB\Desktop\tdsskiller.exe

2012-06-06 20:00 - 2012-06-06 20:00 - 00000000 __SHD C:\$RECYCLE.BIN

2012-06-05 07:31 - 2012-06-05 07:31 - 00019726 ____A C:\ComboFix.txt

2012-06-05 07:21 - 2012-06-05 07:31 - 00000000 ____D C:\ComboFix

2012-05-30 10:38 - 2012-05-30 10:38 - 00000000 ____D C:\_OTL

2012-05-30 09:55 - 2012-05-30 09:55 - 00083836 ____A C:\Users\JWB\Desktop\Extras.Txt

2012-05-30 09:55 - 2012-05-30 09:55 - 00057716 ____A C:\Users\JWB\Desktop\OTL.Txt

2012-05-30 09:47 - 2012-05-30 09:28 - 00595968 ____A (OldTimer Tools) C:\Users\JWB\Desktop\OTL.exe

2012-05-29 19:14 - 2012-06-05 07:31 - 00000000 ____D C:\Qoobox

2012-05-29 19:14 - 2012-05-29 19:35 - 00000000 ____D C:\Windows\ERDNT

2012-05-29 19:14 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe

2012-05-29 19:14 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe

2012-05-29 19:14 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe

2012-05-29 19:14 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe

2012-05-29 19:14 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe

2012-05-29 19:14 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe

2012-05-29 19:14 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe

2012-05-29 19:14 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe

2012-05-29 19:07 - 2012-05-29 18:55 - 04530590 ____R (Swearware) C:\Users\JWB\Desktop\ComboFix.exe

2012-05-29 19:07 - 2012-05-29 18:55 - 00853862 ____A C:\Users\JWB\Desktop\SecurityCheck.exe

2012-05-27 14:20 - 2012-05-27 14:10 - 00607260 ____R (Swearware) C:\Users\JWB\Desktop\dds.scr

2012-05-27 11:48 - 2012-05-27 11:48 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-05-27 11:48 - 2012-05-19 18:01 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\JWB\Desktop\mbam-setup-1.61.0.1400.exe

2012-05-27 11:48 - 2012-04-04 12:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-05-27 06:22 - 2012-05-27 06:22 - 234304633 ____A C:\Windows\MEMORY.DMP

2012-05-27 06:22 - 2012-05-27 06:22 - 00274872 ____A C:\Windows\Minidump\052712-17503-01.dmp

2012-05-27 06:22 - 2012-05-27 06:22 - 00000000 ____D C:\Windows\Minidump

2012-05-19 18:21 - 2012-05-27 11:48 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-05-19 18:21 - 2012-05-19 18:21 - 00000000 ____D C:\Users\JWB\AppData\Roaming\Malwarebytes

2012-05-19 18:21 - 2012-05-19 18:21 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-05-17 19:18 - 2012-05-27 09:20 - 00000000 ____D C:\Users\All Users\Ad-Aware Browsing Protection

2012-05-17 19:18 - 2012-05-17 19:18 - 00000012 ____A C:\Users\JWB\Downloads\FSSC.dat

2012-05-17 19:18 - 2012-05-17 19:18 - 00000000 ____D C:\Users\JWB\AppData\Local\adaware

2012-05-17 19:17 - 2012-05-27 09:20 - 00000000 ____D C:\Program Files (x86)\Ad-Aware Antivirus

2012-05-17 19:16 - 2012-05-17 19:21 - 00000000 ____D C:\Users\JWB\AppData\Roaming\Ad-Aware Antivirus

2012-05-10 18:45 - 2012-03-16 23:55 - 00075632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys

2012-05-10 18:45 - 2012-03-02 22:29 - 01837568 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll

2012-05-10 18:45 - 2012-03-02 22:29 - 01541120 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll

2012-05-10 18:45 - 2012-03-02 22:29 - 00902656 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll

2012-05-10 18:45 - 2012-03-02 22:29 - 00320512 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll

2012-05-10 18:45 - 2012-03-02 22:29 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll

2012-05-10 18:45 - 2012-03-02 21:40 - 01170944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll

2012-05-10 18:45 - 2012-03-02 21:40 - 01074176 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll

2012-05-10 18:45 - 2012-03-02 21:40 - 00739840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll

2012-05-10 18:45 - 2012-03-02 21:40 - 00218624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll

2012-05-10 18:45 - 2012-03-02 21:40 - 00161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll

2012-05-10 18:44 - 2012-04-01 21:34 - 05504880 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-05-10 18:44 - 2012-04-01 20:46 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-05-10 18:44 - 2012-04-01 20:46 - 03902320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2012-05-10 18:44 - 2012-04-01 19:01 - 03143680 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-05-10 18:44 - 2012-03-30 03:09 - 01895280 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

============ 3 Months Modified Files and Folders =============

2012-06-08 12:04 - 2011-11-06 13:04 - 00000000 ____D C:\Windows\Internet Logs

2012-06-08 12:04 - 2011-11-05 22:45 - 00000290 ____A C:\Users\All Users\hpqp.ini

2012-06-08 12:04 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2012-06-08 12:03 - 2012-04-13 13:21 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-06-08 12:03 - 2011-11-06 15:10 - 00033301 ____A C:\Windows\setupact.log

2012-06-08 12:03 - 2011-11-05 22:39 - 01370311 ____A C:\Windows\WindowsUpdate.log

2012-06-08 12:03 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-06-08 12:02 - 2012-04-13 13:21 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-06-08 08:54 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-06-08 08:54 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-06-08 08:53 - 2012-06-08 08:53 - 00001735 ____A C:\Users\JWB\Desktop\aswMBR.txt

2012-06-08 08:53 - 2012-06-08 08:53 - 00000512 ____A C:\Users\JWB\Desktop\MBR.dat

2012-06-07 20:25 - 2012-06-07 20:25 - 00061307 ____A C:\Users\JWB\Desktop\New Text Document.txt

2012-06-07 20:25 - 2012-06-07 20:23 - 00122698 ____A C:\TDSSKiller.2.7.36.0_07.06.2012_23.23.52_log.txt

2012-06-07 16:35 - 2012-06-07 16:36 - 04731392 ____A (AVAST Software) C:\Users\JWB\Desktop\aswMBR.exe

2012-06-07 16:35 - 2012-06-07 16:36 - 02127960 ____A (Kaspersky Lab ZAO) C:\Users\JWB\Desktop\tdsskiller.exe

2012-06-06 20:08 - 2011-11-08 16:36 - 00000000 ____D C:\Users\JWB\AppData\Roaming\Spotify

2012-06-06 20:00 - 2012-06-06 20:00 - 00000000 __SHD C:\$RECYCLE.BIN

2012-06-05 07:31 - 2012-06-05 07:31 - 00019726 ____A C:\ComboFix.txt

2012-06-05 07:31 - 2012-06-05 07:21 - 00000000 ____D C:\ComboFix

2012-06-05 07:31 - 2012-05-29 19:14 - 00000000 ____D C:\Qoobox

2012-06-05 07:27 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini

2012-06-05 07:27 - 2009-07-13 18:34 - 00000027 ____A C:\Windows\System32\Drivers\etc\hosts

2012-06-05 07:26 - 2011-11-06 15:09 - 00002812 ____A C:\Windows\PFRO.log

2012-06-04 22:02 - 2011-11-06 14:02 - 00000000 ____D C:\Users\JWB\AppData\Roaming\XnView

2012-06-04 20:24 - 2011-11-09 21:33 - 00000021 ____A C:\Users\All Users\hpqp.txt

2012-05-30 10:38 - 2012-05-30 10:38 - 00000000 ____D C:\_OTL

2012-05-30 10:38 - 2012-05-07 20:43 - 00000000 ____D C:\Program Files (x86)\BabylonToolbar

2012-05-30 10:38 - 2012-03-11 19:32 - 00000000 ____D C:\Program Files (x86)\Ask.com

2012-05-30 09:55 - 2012-05-30 09:55 - 00083836 ____A C:\Users\JWB\Desktop\Extras.Txt

2012-05-30 09:55 - 2012-05-30 09:55 - 00057716 ____A C:\Users\JWB\Desktop\OTL.Txt

2012-05-30 09:28 - 2012-05-30 09:47 - 00595968 ____A (OldTimer Tools) C:\Users\JWB\Desktop\OTL.exe

2012-05-29 19:35 - 2012-05-29 19:14 - 00000000 ____D C:\Windows\ERDNT

2012-05-29 19:24 - 2011-11-13 15:38 - 00000326 ____A C:\Windows\Tasks\HPCeeScheduleForJWB.job

2012-05-29 19:11 - 2011-11-06 13:18 - 00000000 ____D C:\users\JWB

2012-05-29 18:55 - 2012-05-29 19:07 - 04530590 ____R (Swearware) C:\Users\JWB\Desktop\ComboFix.exe

2012-05-29 18:55 - 2012-05-29 19:07 - 00853862 ____A C:\Users\JWB\Desktop\SecurityCheck.exe

2012-05-27 14:10 - 2012-05-27 14:20 - 00607260 ____R (Swearware) C:\Users\JWB\Desktop\dds.scr

2012-05-27 11:48 - 2012-05-27 11:48 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-05-27 11:48 - 2012-05-19 18:21 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-05-27 09:21 - 2011-11-09 21:33 - 00000000 ____D C:\Users\JWB\AppData\Local\QuickPlay

2012-05-27 09:21 - 2011-11-06 13:05 - 00000000 ____D C:\Windows\SysWOW64\ZoneLabs

2012-05-27 09:20 - 2012-05-17 19:18 - 00000000 ____D C:\Users\All Users\Ad-Aware Browsing Protection

2012-05-27 09:20 - 2012-05-17 19:17 - 00000000 ____D C:\Program Files (x86)\Ad-Aware Antivirus

2012-05-27 09:20 - 2011-11-08 16:36 - 00000000 ____D C:\Users\JWB\AppData\Local\Spotify

2012-05-27 09:20 - 2011-11-06 12:58 - 00000000 ____D C:\Users\All Users\Lavasoft

2012-05-27 09:20 - 2011-11-06 12:58 - 00000000 ____D C:\Program Files (x86)\Lavasoft

2012-05-27 09:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2012-05-27 06:22 - 2012-05-27 06:22 - 234304633 ____A C:\Windows\MEMORY.DMP

2012-05-27 06:22 - 2012-05-27 06:22 - 00274872 ____A C:\Windows\Minidump\052712-17503-01.dmp

2012-05-27 06:22 - 2012-05-27 06:22 - 00000000 ____D C:\Windows\Minidump

2012-05-27 06:22 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\config\TxR

2012-05-19 18:21 - 2012-05-19 18:21 - 00000000 ____D C:\Users\JWB\AppData\Roaming\Malwarebytes

2012-05-19 18:21 - 2012-05-19 18:21 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-05-19 18:01 - 2012-05-27 11:48 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\JWB\Desktop\mbam-setup-1.61.0.1400.exe

2012-05-17 19:21 - 2012-05-17 19:16 - 00000000 ____D C:\Users\JWB\AppData\Roaming\Ad-Aware Antivirus

2012-05-17 19:18 - 2012-05-17 19:18 - 00000012 ____A C:\Users\JWB\Downloads\FSSC.dat

2012-05-17 19:18 - 2012-05-17 19:18 - 00000000 ____D C:\Users\JWB\AppData\Local\adaware

2012-05-11 05:11 - 2009-07-13 20:45 - 00355576 ____A C:\Windows\System32\FNTCACHE.DAT

2012-05-11 05:10 - 2009-08-17 10:34 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight

2012-05-11 04:52 - 2011-11-05 22:34 - 57848688 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-05-10 06:45 - 2011-11-06 13:18 - 00000000 ____D C:\Users\JWB\AppData\LocalLow

2012-05-09 13:19 - 2011-11-09 13:04 - 00000064 ____A C:\Windows\SysWOW64\rp_stats.dat

2012-05-09 13:19 - 2011-11-09 13:04 - 00000044 ____A C:\Windows\SysWOW64\rp_rules.dat

2012-05-04 20:52 - 2011-11-06 13:19 - 00085992 ____A C:\Users\JWB\AppData\Local\GDIPFONTCACHEV1.DAT

2012-04-29 18:55 - 2011-11-06 13:38 - 00000000 ____D C:\Users\JWB\Documents\Household

2012-04-26 20:42 - 2011-11-09 09:35 - 00034568 ____A C:\Users\JWB\Documents\stmt.txt

2012-04-26 19:31 - 2011-11-06 13:32 - 00000000 ____D C:\Users\JWB\Desktop\DCIM

2012-04-25 07:08 - 2012-01-01 23:11 - 01278462 ____A C:\Windows\ntbtlog.txt

2012-04-20 11:27 - 2012-04-13 13:21 - 00000000 ____D C:\Program Files (x86)\Google

2012-04-14 09:45 - 2012-04-14 09:45 - 00282382 ____A C:\Users\JWB\Documents\Kony2012.pdf

2012-04-13 13:21 - 2012-04-13 13:21 - 00000000 ____D C:\Users\JWB\AppData\Local\Google

2012-04-09 04:27 - 2011-11-06 13:40 - 00000000 ____D C:\Users\JWB\Documents\School

2012-04-04 12:56 - 2012-05-27 11:48 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-04-02 23:22 - 2012-04-02 23:22 - 00010226 ____A C:\Users\JWB\Documents\schedule alt.odt

2012-04-02 23:20 - 2011-11-06 13:40 - 00000000 ____D C:\Users\JWB\Documents\My Font Groups

2012-04-01 21:34 - 2012-05-10 18:44 - 05504880 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-04-01 20:46 - 2012-05-10 18:44 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

2012-04-01 20:46 - 2012-05-10 18:44 - 03902320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

2012-04-01 19:01 - 2012-05-10 18:44 - 03143680 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-03-30 03:09 - 2012-05-10 18:44 - 01895280 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2012-03-23 08:07 - 2012-03-23 08:07 - 00065536 __ASH C:\Windows\System32\config\COMPONENTS{0ee1684a-72f6-11e1-a1fc-001f16ec93c6}.TxR.blf

2012-03-20 18:49 - 2012-03-20 18:49 - 00016384 __ASH C:\Users\JWB\Thumbs.db

2012-03-17 17:29 - 2012-03-11 19:31 - 00001155 ____A C:\Users\Public\Desktop\GOM Player.lnk

2012-03-16 23:55 - 2012-05-10 18:45 - 00075632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys

2012-03-16 16:14 - 2012-03-16 16:14 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_point64_01009.Wdf

2012-03-16 16:14 - 2012-03-16 16:14 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_NuidFltr_01009.Wdf

2012-03-16 16:14 - 2012-03-16 16:14 - 00000000 ____D C:\Program Files\Microsoft IntelliPoint

2012-03-16 16:05 - 2012-03-16 16:05 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_dc3d_01009.Wdf

2012-03-13 19:05 - 2011-11-06 13:18 - 00000000 ____D C:\Users\JWB\AppData\Local\VirtualStore

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 17%

Total physical RAM: 3999.19 MB

Available physical RAM: 3304.75 MB

Total Pagefile: 3997.34 MB

Available Pagefile: 3291.9 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:220.82 GB) (Free:67.16 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive e: (RECOVERY) (Fixed) (Total:11.87 GB) (Free:2 GB) NTFS

4 Drive g: (NICE BOAT) (Removable) (Total:0.98 GB) (Free:0.98 GB) FAT

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

6 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 232 GB 0 B

Disk 1 Online 1008 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 199 MB 1024 KB

Partition 2 Primary 220 GB 200 MB

Partition 3 Primary 11 GB 221 GB

======================================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 220 GB Healthy

======================================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E RECOVERY NTFS Partition 11 GB Healthy

======================================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 1008 MB 16 KB

======================================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 G NICE BOAT FAT Removable 1008 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-06 21:58

======================= End Of Log ==========================

Link to post
Share on other sites

  • Staff

Hello

Sorry for the delay I have gone over these reports a few times and I do not see anything that will cause what you discribe

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt


2012-05-30 10:38 - 2012-05-07 20:43 - 00000000 ____D C:\Program Files (x86)\BabylonToolbar
2012-05-30 10:38 - 2012-03-11 19:32 - 00000000 ____D C:\Program Files (x86)\Ask.com

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo

Link to post
Share on other sites

Hello,

Here are the results of the FRST fix using the fixlist.txt you provided:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 08-06-2012 02

Ran by SYSTEM at 2012-06-11 13:23:11 Run:1

Running from H:\

==============================================

C:\Program Files (x86)\BabylonToolbar moved successfully.

C:\Program Files (x86)\Ask.com moved successfully.

==== End of Fixlog ====

Link to post
Share on other sites

Hello,

I'm afraid that is something we cannot risk, the server that the email account is hosted on also contains our clients websites and emails as well. We have a web development company, and the possibility of exposing our clients web, personal, or financial information is something we cannot do. If there is no other way to figure out if the infection is solved, we will wipe the laptop. And I apologize if I have wasted your time in this.

Pan

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.