
stubborn trojan? - moneypak remnants


tonylogue


Hi, I'm having trouble with some spyware. I had the fbi moneypak virus and thought I had gotten rid of it with combofix - mbytes, avira, spybot, all came up empty handed. First I had to use (in safe mode) Spybot's startup tool, which allowed me to disable the offending processes and download combofix etc.

I don't think it's gone, though. I didn't notice anything for a week, and now it's back. I've found traces of it even after doing a system restore to before it had gotten on my system (I did this after running combofix) - strange processes, programs closed out of, issues with updating avira and mbytes, although the classic FBI warning hasn't returned. Here's the

I got the virus trying to download this tool: http://macfreedom.com/ . I'm thinking of maybe contacting them about it?

Here is my combofix log. I'm trying to find my mbytes logs, but it doesn't look like they're being saved under the "logs" tab; the only things there are protection logs with two entries.

ComboFix 12-09-15.02 - admin 09/16/2012 11:31:44.4.2 - x86

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3046.2140 [GMT -4:00]

Running from: c:\users\admin\Downloads\ComboFix.exe

AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2012-08-16 to 2012-09-16 )))))))))))))))))))))))))))))))

.

.

2012-09-16 15:39 . 2012-09-16 15:39 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-09-16 05:55 . 2012-09-16 05:55 -------- d-----w- c:\windows\Sun

2012-09-09 16:37 . 2012-09-09 21:22 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2012-09-09 16:37 . 2012-09-09 16:46 -------- d-----w- c:\program files\Spybot - Search & Destroy

2012-09-09 16:16 . 2012-09-09 16:16 -------- d-----w- c:\users\admin\AppData\Roaming\LockHunter

2012-09-09 16:15 . 2012-09-09 16:15 -------- d-----w- c:\program files\LockHunter

2012-09-09 16:06 . 2012-09-09 16:06 -------- d-----w- c:\program files\Unlocker

2012-09-02 17:58 . 2012-08-28 05:50 7022536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B31E9A40-8225-4EF1-9669-C7107F56646C}\mpengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-07 21:04 . 2012-04-01 02:01 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-06 02:06 . 2012-08-04 20:32 772544 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-07-06 02:06 . 2012-01-02 22:52 687544 ----a-w- c:\windows\system32\deployJava1.dll

2012-09-08 22:04 . 2012-09-08 22:04 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-09-09_21.15.29 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-14 04:55 . 2012-09-16 15:06 39018 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin

- 2009-07-14 04:50 . 2012-06-30 21:22 86016 c:\windows\System32\DriverStore\infpub.dat

+ 2009-07-14 04:50 . 2012-09-15 14:43 86016 c:\windows\System32\DriverStore\infpub.dat

+ 2011-12-22 06:17 . 2012-09-16 06:03 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2011-12-22 06:17 . 2012-09-16 06:03 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2012-09-16 06:03 . 2012-09-16 06:03 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012091620120917\index.dat

+ 2009-07-14 04:41 . 2012-09-16 06:03 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2012-09-16 06:03 . 2012-09-16 06:03 49120 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

+ 2011-12-22 04:20 . 2012-09-16 15:06 6748 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2550561185-2726018632-1417654521-1000_UserData.bin

+ 2012-09-16 15:04 . 2012-09-16 15:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2012-09-09 20:24 . 2012-09-09 20:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2012-09-16 15:04 . 2012-09-16 15:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2012-09-09 20:24 . 2012-09-09 20:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2012-01-03 15:11 . 2012-09-16 02:34 256926 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin

+ 2009-07-14 04:50 . 2012-09-15 14:43 143360 c:\windows\System32\DriverStore\infstrng.dat

- 2009-07-14 04:50 . 2012-06-30 21:22 143360 c:\windows\System32\DriverStore\infstrng.dat

- 2009-07-14 04:50 . 2012-04-27 21:11 143360 c:\windows\System32\DriverStore\infstor.dat

+ 2009-07-14 04:50 . 2012-09-15 14:43 143360 c:\windows\System32\DriverStore\infstor.dat

- 2009-07-14 04:47 . 2012-09-08 15:22 386900 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2009-07-14 04:47 . 2012-09-16 06:10 386900 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-06 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-06 173592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-23 1725736]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-09 348664]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]

2010-03-13 19:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2012-01-03 16:53 136176 ----atw- c:\users\admin\AppData\Local\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2012-09-07 21:04 766536 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Google Update"="c:\users\admin\AppData\Local\Google\Update\GoogleUpdate.exe" /c

"GoogleChrome"=c:\users\admin\AppData\Local\Temp\gwey362.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe"

"LPwFqeMgUjq.exe"=c:\programdata\LPwFqeMgUjq.exe

.

R0 fcnpve;fcnpve;c:\windows\System32\drivers\vyuqw.sys [x]

R0 xhdniqq;xhdniqq;c:\windows\System32\drivers\naqafc.sys [x]

R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]

R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

R4 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]

S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]

S1 ISODisk;ISODisk; [x]

S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [x]

S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2550561185-2726018632-1417654521-1000Core.job

- c:\users\admin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-03 16:53]

.

2012-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2550561185-2726018632-1417654521-1000UA.job

- c:\users\admin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-03 16:53]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3072254

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{47EC3087-0E6A-4E01-93D5-7839AF07758B}: NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{7FF1253D-B963-41A6-9643-09DDFE635276}: NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{7FF1253D-B963-41A6-9643-09DDFE635276}\2456C6B696E6F554E68616E6365646F575962756C6563737F5734383542444: NameServer = 208.67.222.222,208.67.220.220

DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab

FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yv5hcagm.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3072254&SearchSource=13

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-09-16 11:41:42

ComboFix-quarantined-files.txt 2012-09-16 15:41

ComboFix2.txt 2012-09-16 07:12

ComboFix3.txt 2012-09-16 06:22

ComboFix4.txt 2012-09-09 21:18

.

Pre-Run: 46,094,725,120 bytes free

Post-Run: 46,003,908,608 bytes free

.

- - End Of File - - 763C3723A00D69E10348D6075CF9BC70

Thank you very much.

Edited by Maurice Naggar
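The ComboFix log above is long, and the entries a helper zeroes in on are the ones that point at executables in odd places: a "GoogleChrome" value launching `c:\users\admin\AppData\Local\Temp\gwey362.exe`, an `LPwFqeMgUjq.exe` value in the ProgramData root, and R0 (boot-start) drivers such as `vyuqw.sys` with random names that ComboFix tagged `[x]`. The script below is an added example, not part of this thread and not a ComboFix or Malwarebytes tool: it parses a few lines copied from the posted log (the sample is constructed from them) and scores each autorun or driver entry with simple triage heuristics. The scoring weights, the vowel-ratio "random name" test and the reading of `[x]` as "file could not be found" are all assumptions of this example.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines from the ComboFix log in the post above
# ("Reg Loading Points" values and driver/service lines).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-09 348664]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\users\admin\AppData\Local\Google\Update\GoogleUpdate.exe" /c
"GoogleChrome"=c:\users\admin\AppData\Local\Temp\gwey362.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe"
"LPwFqeMgUjq.exe"=c:\programdata\LPwFqeMgUjq.exe
.
R0 fcnpve;fcnpve;c:\windows\System32\drivers\vyuqw.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
"""

# "Name"="path" [date size]   or   "Name"=path   (ComboFix prints both forms)
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.+)$')
# R0 svc;display name;path [x]   (start type, service name, description, image path)
DRIVER = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)(?P<missing>\s\[x\])?$'
)


def extract_path(rest: str) -> str:
    """Pull the image path out of the right-hand side of a registry value line."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    # unquoted path: stop at the "[date size]" annotation if present
    return rest.split(" [", 1)[0].strip()


def looks_random(stem: str) -> bool:
    """Heuristic (assumption of this example): alphanumeric names of 5+ chars with
    fewer than 25% vowels read as machine-generated, e.g. 'gwey362' or 'vyuqw'."""
    s = stem.lower()
    if len(s) < 5 or not s.isalnum():
        return False
    vowels = sum(c in "aeiou" for c in s)
    return vowels / len(s) < 0.25


def location_reasons(path: str) -> List[Tuple[int, str]]:
    """Weighted reasons based on where the image lives (weights are assumptions)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    reasons = []
    if "temp" in parts:
        reasons.append((3, "runs from a Temp directory"))
    if len(parts) == 3 and parts[1] == "programdata":   # c:\programdata\<file>
        reasons.append((3, "executable sits directly in the ProgramData root"))
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return the entries whose combined score reaches the reporting threshold (3)."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line == "." or line.startswith("["):
            continue                      # blank, ComboFix separator, or registry key header
        m = REG_VALUE.match(line)
        if m:
            kind, name, path = "autorun", m.group("name"), extract_path(m.group("rest"))
            missing, start = False, ""
        else:
            d = DRIVER.match(line)
            if not d:
                continue
            kind, name, path = "driver", d.group("svc"), d.group("path").strip()
            missing, start = bool(d.group("missing")), d.group("start")
        reasons = location_reasons(path)
        stem = PureWindowsPath(path).stem
        if looks_random(stem):
            reasons.append((1, f"random-looking file name '{stem}'"))
        if kind == "driver" and missing and start == "R0":
            reasons.append((2, "boot-start (R0) driver whose file ComboFix marked [x]"))
        score = sum(w for w, _ in reasons)
        if score >= 3:
            findings.append({"kind": kind, "name": name, "path": path,
                             "score": score, "reasons": [r for _, r in reasons]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['score']}] {f['kind']} {f['name']} -> {f['path']}")
        for r in f["reasons"]:
            print("      -", r)
```

Run against the sample, it reports the three entries a helper would ask about and stays quiet on Avira, IntelliPoint, Google Update and the Malwarebytes driver. Location carries most of the weight on purpose: name-randomness alone is noisy (short vendor names like `avgnt` trip it), so it only tips an entry that is already suspect.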

Hello tonylogue.

Combofix should never be run without the guidance of a trained helper.

Do NOT run any tools or fixes on your own.

Also, do NOT enclose any logs/reports in quote blocks or code blocks.

Just make sure to Copy and Paste all contents directly into the main body of the reply box.

Turn off TeaTimer!

Start Spybot-S&D, switch to the Advanced mode via the menu bar item Mode

then select Advanced Mode

On the left hand side, select Tools

Then click on the Resident icon in the list

Uncheck Resident TeaTimer and OK any prompts.

Now Logoff & Restart your computer fresh.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

To show all files:

  • Go to your Desktop
  • Double-Click the Computer icon.
  • From the menu options, Select Tools, then Folder Options.
  • Next click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders and drives.
  • Click Apply > OK.

Step 3

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Download aswMBR.exe ( 511KB ) to your desktop.

On Windows 7 or Vista, RIGHT click on aswMBR.exe and select Run As Administrator to start.

On Windows XP, double click the exe to start.

Change the a-v scan to None.

Uncheck "trace disk IO calls".

Click the "Scan" button to start the scan.

On completion of the scan (note whether the Fix button, not the FixMBR button, is enabled and tell me), click Save log, save it to your desktop and post it in your next reply.

Do not click any FIX button. We just need an initial report.

Step 4

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-Click on TDSSKiller.exe to run the application, then on Start Scan.
    If running Vista or Windows 7, do a RIGHT-Click and select Run as Administrator to start TDSSKILLER.exe.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 5

  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Do NOT click any FIX buttons!

Step 6

RE-Enable your antivirus program.

Then copy/paste the following into your post (in order):

  • the contents of aswMBR report;
  • the contents of TDSSKILLER log;
  • the contents of RKReport log;

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Edited by Maurice Naggar
Turn OFF Tea Timer
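Step 3 asks whether aswMBR enables its Fix button, and the aswMBR and TDSSKiller output posted later in the thread shows what such a tool actually inspects: it reads sector 0, checks that the boot code is the stock Windows 7 code, and decodes the partition table (one NTFS partition, type 0x7, starting at LBA 0x3F with 0xDF933D1 sectors, which is the "114470 MB offset 63" aswMBR prints). The script below is an added example, written for this page and not code from aswMBR, TDSSKiller or Avast: it builds a 512-byte MBR with a placeholder boot stub and that partition entry, parses the table, and checks the boot code against a caller-supplied set of known-good hashes. The placeholder boot stub and the empty baseline set are assumptions; a real check would carry the hashes of the genuine Windows MBR code, which this example does not have.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code; then 4 x 16-byte partition entries; then 0x55AA
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr() -> bytes:
    """Constructed MBR for the example. The partition values come from the
    TDSSKiller/aswMBR output in this thread; the boot code is a placeholder,
    NOT real Windows MBR code."""
    boot_code = b"\xEB\x3C\x90" + b"\x00" * (BOOT_CODE_LEN - 3)
    # CHS fields are ignored by modern loaders; 0xFE 0xFF 0xFF is the usual "beyond CHS" filler
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 0x3F, 0xDF933D1)
    table = entry + b"\x00" * (16 * 3)          # remaining three entries unused
    return boot_code + table + b"\x55\xAA"


def parse_mbr(sector: bytes):
    """Decode the four partition entries of a classic MBR; raise on a malformed sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        status, _chs_start, ptype, _chs_end, start_lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue                                # empty slot
        partitions.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": start_lba,
            "sectors": count,
            "end_lba": start_lba + count,          # first sector after the partition
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return partitions


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region, the thing a bootkit would replace."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, known_good_hashes) -> dict:
    """Triage in the spirit of an MBR scanner: is the boot code a known baseline,
    and is the partition table internally consistent?"""
    partitions = parse_mbr(sector)
    issues = []
    if boot_code_hash(sector) not in known_good_hashes:
        issues.append("boot code does not match any known-good baseline")
    prev_end = 1                                   # sector 0 is the MBR itself
    for p in sorted(partitions, key=lambda p: p["start_lba"]):
        if p["start_lba"] < prev_end:
            issues.append(f"partition {p['index']} overlaps the preceding region")
        prev_end = p["end_lba"]
    if sum(p["bootable"] for p in partitions) > 1:
        issues.append("more than one active partition")
    return {"partitions": partitions, "issues": issues}


if __name__ == "__main__":
    mbr = build_sample_mbr()
    # Assumption: an empty baseline, so the placeholder stub is reported as unknown code.
    report = check_mbr(mbr, known_good_hashes=set())
    for p in report["partitions"]:
        print(f"Partition {p['index']}: type 0x{p['type']:X} start LBA {p['start_lba']} "
              f"{p['size_mb']} MB, ends at sector {p['end_lba']}")
    for issue in report["issues"]:
        print("issue:", issue)
```

The derived numbers line up with the posted logs: 0x3F + 0xDF933D1 = 234435600, the sector aswMBR reports scanning from, and 0xDF933D1 sectors of 512 bytes floor to 114470 MB. Passing the stub's own hash as the baseline yields no issues; passing an empty set reproduces the "unknown boot code" verdict, which is the situation in which a scanner would light up its Fix button.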

aswMBR.txt, the fix button was not enabled:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-09-16 12:18:54

-----------------------------

12:18:54.813 OS Version: Windows 6.1.7601 Service Pack 1

12:18:54.813 Number of processors: 2 586 0xF0D

12:18:54.815 ComputerName: LAPTOP1 UserName: admin

12:19:15.025 Initialize success

12:21:14.765 AVAST engine defs: 12091400

12:21:54.347 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

12:21:54.352 Disk 0 Vendor: HITACHI_HTS541612J9SA00 SBDIC7UP Size: 114473MB BusType: 3

12:21:54.370 Disk 0 MBR read successfully

12:21:54.376 Disk 0 MBR scan

12:21:54.410 Disk 0 Windows 7 default MBR code

12:21:54.414 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114470 MB offset 63

12:21:54.427 Disk 0 scanning sectors +234435600

12:21:54.639 Disk 0 scanning C:\Windows\system32\drivers

12:22:24.857 Service scanning

12:24:20.074 Modules scanning

12:25:37.704 Scan finished successfully

12:25:59.319 Disk 0 MBR has been saved successfully to "C:\Users\admin\Desktop\MBR.dat"

12:25:59.319 The log file has been saved successfully to "C:\Users\admin\Desktop\aswMBR.txt"

TDSSKiller:

12:27:36.0970 0568 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48

12:27:37.0301 0568 ============================================================

12:27:37.0301 0568 Current date / time: 2012/09/16 12:27:37.0301

12:27:37.0301 0568 SystemInfo:

12:27:37.0301 0568

12:27:37.0301 0568 OS Version: 6.1.7601 ServicePack: 1.0

12:27:37.0301 0568 Product type: Workstation

12:27:37.0301 0568 ComputerName: LAPTOP1

12:27:37.0301 0568 UserName: admin

12:27:37.0301 0568 Windows directory: C:\Windows

12:27:37.0301 0568 System windows directory: C:\Windows

12:27:37.0301 0568 Processor architecture: Intel x86

12:27:37.0301 0568 Number of processors: 2

12:27:37.0301 0568 Page size: 0x1000

12:27:37.0301 0568 Boot type: Normal boot

12:27:37.0301 0568 ============================================================

12:27:41.0443 0568 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3C91, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050

12:27:41.0460 0568 ============================================================

12:27:41.0460 0568 \Device\Harddisk0\DR0:

12:27:41.0466 0568 MBR partitions:

12:27:41.0466 0568 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xDF933D1

12:27:41.0466 0568 ============================================================

12:27:41.0653 0568 C: <-> \Device\Harddisk0\DR0\Partition1

12:27:41.0653 0568 ============================================================

12:27:41.0653 0568 Initialize success

12:27:41.0653 0568 ============================================================

12:27:59.0174 2584 ============================================================

12:27:59.0174 2584 Scan started

12:27:59.0174 2584 Mode: Manual;

12:27:59.0174 2584 ============================================================

12:28:00.0060 2584 ================ Scan system memory ========================

12:28:00.0060 2584 System memory - ok

12:28:00.0061 2584 ================ Scan services =============================

12:28:01.0754 2584 [ 1B133875B8AA8AC48969BD3458AFE9F5 ] 1394ohci C:\Windows\system32\DRIVERS\1394ohci.sys

12:28:01.0757 2584 1394ohci - ok

12:28:01.0836 2584 [ CEA80C80BED809AA0DA6FEBC04733349 ] ACPI C:\Windows\system32\drivers\ACPI.sys

12:28:01.0848 2584 ACPI - ok

12:28:01.0939 2584 [ 1EFBC664ABFF416D1D07DB115DCB264F ] AcpiPmi C:\Windows\system32\drivers\acpipmi.sys

12:28:01.0952 2584 AcpiPmi - ok

12:28:02.0161 2584 [ 6C61BCEB60C2C187E6F96001FD69493E ] ADIHdAudAddService C:\Windows\system32\drivers\ADIHdAud.sys

12:28:02.0168 2584 ADIHdAudAddService - ok

12:28:02.0430 2584 [ 11A52CF7B265631DEEB24C6149309EFF ] AdobeARMservice C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

12:28:02.0432 2584 AdobeARMservice - ok

12:28:02.0557 2584 [ 21E785EBD7DC90A06391141AAC7892FB ] adp94xx C:\Windows\system32\drivers\adp94xx.sys

12:28:02.0681 2584 adp94xx - ok

12:28:02.0771 2584 [ 0C676BC278D5B59FF5ABD57BBE9123F2 ] adpahci C:\Windows\system32\drivers\adpahci.sys

12:28:02.0808 2584 adpahci - ok

12:28:02.0858 2584 [ 7C7B5EE4B7B822EC85321FE23A27DB33 ] adpu320 C:\Windows\system32\drivers\adpu320.sys

12:28:02.0885 2584 adpu320 - ok

12:28:02.0961 2584 [ 4DC6B0772D1698F04FC79053A21C8260 ] AEADIFilters C:\Windows\system32\AEADISRV.EXE

12:28:02.0975 2584 AEADIFilters - ok

12:28:03.0022 2584 [ 8B5EEFEEC1E6D1A72A06C526628AD161 ] AeLookupSvc C:\Windows\System32\aelupsvc.dll

12:28:03.0023 2584 AeLookupSvc - ok

12:28:03.0168 2584 [ 9EBBBA55060F786F0FCAA3893BFA2806 ] AFD C:\Windows\system32\drivers\afd.sys

12:28:03.0189 2584 AFD - ok

12:28:03.0273 2584 [ 507812C3054C21CEF746B6EE3D04DD6E ] agp440 C:\Windows\system32\drivers\agp440.sys

12:28:03.0276 2584 agp440 - ok

12:28:03.0362 2584 [ 8B30250D573A8F6B4BD23195160D8707 ] aic78xx C:\Windows\system32\drivers\djsvs.sys

12:28:03.0443 2584 aic78xx - ok

12:28:03.0575 2584 [ 18A54E132947CD98FEA9ACCC57F98F13 ] ALG C:\Windows\System32\alg.exe

12:28:03.0578 2584 ALG - ok

12:28:03.0663 2584 [ 0D40BCF52EA90FC7DF2AEAB6503DEA44 ] aliide C:\Windows\system32\drivers\aliide.sys

12:28:03.0680 2584 aliide - ok

12:28:03.0713 2584 [ 3C6600A0696E90A463771C7422E23AB5 ] amdagp C:\Windows\system32\drivers\amdagp.sys

12:28:03.0736 2584 amdagp - ok

12:28:03.0785 2584 [ CD5914170297126B6266860198D1D4F0 ] amdide C:\Windows\system32\drivers\amdide.sys

12:28:03.0807 2584 amdide - ok

12:28:03.0854 2584 [ 00DDA200D71BAC534BF56A9DB5DFD666 ] AmdK8 C:\Windows\system32\drivers\amdk8.sys

12:28:03.0855 2584 AmdK8 - ok

12:28:03.0875 2584 [ 3CBF30F5370FDA40DD3E87DF38EA53B6 ] AmdPPM C:\Windows\system32\drivers\amdppm.sys

12:28:03.0908 2584 AmdPPM - ok

12:28:04.0009 2584 [ D320BF87125326F996D4904FE24300FC ] amdsata C:\Windows\system32\drivers\amdsata.sys

12:28:04.0011 2584 amdsata - ok

12:28:04.0074 2584 [ EA43AF0C423FF267355F74E7A53BDABA ] amdsbs C:\Windows\system32\drivers\amdsbs.sys

12:28:04.0080 2584 amdsbs - ok

12:28:04.0168 2584 [ 46387FB17B086D16DEA267D5BE23A2F2 ] amdxata C:\Windows\system32\drivers\amdxata.sys

12:28:04.0170 2584 amdxata - ok

12:28:04.0414 2584 [ 0A1CC583E8147004E4AD4625D7FBF88C ] AntiVirSchedulerService C:\Program Files\Avira\AntiVir Desktop\sched.exe

12:28:04.0417 2584 AntiVirSchedulerService - ok

12:28:04.0500 2584 [ C9A36EF935ACED86AEDF93E97E606911 ] AntiVirService C:\Program Files\Avira\AntiVir Desktop\avguard.exe

12:28:04.0502 2584 AntiVirService - ok

12:28:05.0392 2584 [ AEA177F783E20150ACE5383EE368DA19 ] AppID C:\Windows\system32\drivers\appid.sys

12:28:05.0395 2584 AppID - ok

12:28:05.0470 2584 [ 62A9C86CB6085E20DB4823E4E97826F5 ] AppIDSvc C:\Windows\System32\appidsvc.dll

12:28:05.0473 2584 AppIDSvc - ok

12:28:05.0570 2584 [ FB1959012294D6AD43E5304DF65E3C26 ] Appinfo C:\Windows\System32\appinfo.dll

12:28:05.0581 2584 Appinfo - ok

12:28:05.0827 2584 [ 3DEBBECF665DCDDE3A95D9B902010817 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

12:28:05.0829 2584 Apple Mobile Device - ok

12:28:05.0982 2584 [ A45D184DF6A8803DA13A0B329517A64A ] AppMgmt C:\Windows\System32\appmgmts.dll

12:28:06.0010 2584 AppMgmt - ok

12:28:06.0117 2584 [ 2932004F49677BD84DBC72EDB754FFB3 ] arc C:\Windows\system32\drivers\arc.sys

12:28:06.0141 2584 arc - ok

12:28:06.0175 2584 [ 5D6F36C46FD283AE1B57BD2E9FEB0BC7 ] arcsas C:\Windows\system32\drivers\arcsas.sys

12:28:06.0208 2584 arcsas - ok

12:28:06.0251 2584 [ ADD2ADE1C2B285AB8378D2DAAF991481 ] AsyncMac C:\Windows\system32\DRIVERS\asyncmac.sys

12:28:06.0253 2584 AsyncMac - ok

12:28:06.0279 2584 [ 338C86357871C167A96AB976519BF59E ] atapi C:\Windows\system32\drivers\atapi.sys

12:28:06.0280 2584 atapi - ok

12:28:06.0439 2584 [ CE3B4E731638D2EF62FCB419BE0D39F0 ] AudioEndpointBuilder C:\Windows\System32\Audiosrv.dll

12:28:06.0456 2584 AudioEndpointBuilder - ok

12:28:06.0500 2584 [ CE3B4E731638D2EF62FCB419BE0D39F0 ] Audiosrv C:\Windows\System32\Audiosrv.dll

12:28:06.0504 2584 Audiosrv - ok

12:28:06.0558 2584 [ D5541F0AFB767E85FC412FC609D96A74 ] avgntflt C:\Windows\system32\DRIVERS\avgntflt.sys

12:28:06.0585 2584 avgntflt - ok

12:28:06.0686 2584 [ 7D967A682D4694DF7FA57D63A2DB01FE ] avipbb C:\Windows\system32\DRIVERS\avipbb.sys

12:28:06.0691 2584 avipbb - ok

12:28:06.0747 2584 [ 271CFD1A989209B1964E24D969552BF7 ] avkmgr C:\Windows\system32\DRIVERS\avkmgr.sys

12:28:06.0792 2584 avkmgr - ok

12:28:06.0905 2584 [ 6E30D02AAC9CAC84F421622E3A2F6178 ] AxInstSV C:\Windows\System32\AxInstSV.dll

12:28:06.0922 2584 AxInstSV - ok

12:28:07.0034 2584 [ 1A231ABEC60FD316EC54C66715543CEC ] b06bdrv C:\Windows\system32\drivers\bxvbdx.sys

12:28:07.0052 2584 b06bdrv - ok

12:28:07.0178 2584 [ BD8869EB9CDE6BBE4508D869929869EE ] b57nd60x C:\Windows\system32\DRIVERS\b57nd60x.sys

12:28:07.0218 2584 b57nd60x - ok

12:28:07.0363 2584 [ EE1E9C3BB8228AE423DD38DB69128E71 ] BDESVC C:\Windows\System32\bdesvc.dll

12:28:07.0367 2584 BDESVC - ok

12:28:07.0447 2584 [ 505506526A9D467307B3C393DEDAF858 ] Beep C:\Windows\system32\drivers\Beep.sys

12:28:07.0477 2584 Beep - ok

12:28:07.0693 2584 [ 1E2BAC209D184BB851E1A187D8A29136 ] BFE C:\Windows\System32\bfe.dll

12:28:07.0716 2584 BFE - ok

12:28:07.0922 2584 [ E585445D5021971FAE10393F0F1C3961 ] BITS C:\Windows\system32\qmgr.dll

12:28:07.0944 2584 BITS - ok

12:28:07.0973 2584 [ 2287078ED48FCFC477B05B20CF38F36F ] blbdrive C:\Windows\system32\DRIVERS\blbdrive.sys

12:28:08.0010 2584 blbdrive - ok

12:28:08.0230 2584 [ DB5BEA73EDAF19AC68B2C0FAD0F92B1A ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe

12:28:08.0258 2584 Bonjour Service - ok

12:28:08.0349 2584 [ 8F2DA3028D5FCBD1A060A3DE64CD6506 ] bowser C:\Windows\system32\DRIVERS\bowser.sys

12:28:08.0361 2584 bowser - ok

12:28:08.0463 2584 [ 9F9ACC7F7CCDE8A15C282D3F88B43309 ] BrFiltLo C:\Windows\system32\drivers\BrFiltLo.sys

12:28:08.0465 2584 BrFiltLo - ok

12:28:08.0485 2584 [ 56801AD62213A41F6497F96DEE83755A ] BrFiltUp C:\Windows\system32\drivers\BrFiltUp.sys

12:28:08.0487 2584 BrFiltUp - ok

12:28:08.0547 2584 [ 77361D72A04F18809D0EFB6CCEB74D4B ] BridgeMP C:\Windows\system32\DRIVERS\bridge.sys

12:28:08.0569 2584 BridgeMP - ok

12:28:08.0630 2584 [ 6E11F33D14D020F58D5E02E4D67DFA19 ] Browser C:\Windows\System32\browser.dll

12:28:08.0632 2584 Browser - ok

12:28:08.0711 2584 [ 845B8CE732E67F3B4133164868C666EA ] Brserid C:\Windows\System32\Drivers\Brserid.sys

12:28:08.0731 2584 Brserid - ok

12:28:08.0801 2584 [ 203F0B1E73ADADBBB7B7B1FABD901F6B ] BrSerWdm C:\Windows\System32\Drivers\BrSerWdm.sys

12:28:08.0844 2584 BrSerWdm - ok

12:28:08.0889 2584 [ BD456606156BA17E60A04E18016AE54B ] BrUsbMdm C:\Windows\System32\Drivers\BrUsbMdm.sys

12:28:08.0902 2584 BrUsbMdm - ok

12:28:08.0921 2584 [ AF72ED54503F717A43268B3CC5FAEC2E ] BrUsbSer C:\Windows\System32\Drivers\BrUsbSer.sys

12:28:08.0923 2584 BrUsbSer - ok

12:28:08.0958 2584 [ ED3DF7C56CE0084EB2034432FC56565A ] BTHMODEM C:\Windows\system32\drivers\bthmodem.sys

12:28:08.0960 2584 BTHMODEM - ok

12:28:09.0028 2584 [ 1DF19C96EEF6C29D1C3E1A8678E07190 ] bthserv C:\Windows\system32\bthserv.dll

12:28:09.0086 2584 bthserv - ok

12:28:09.0320 2584 catchme - ok

12:28:09.0475 2584 [ 77EA11B065E0A8AB902D78145CA51E10 ] cdfs C:\Windows\system32\DRIVERS\cdfs.sys

12:28:09.0478 2584 cdfs - ok

12:28:09.0607 2584 [ BE167ED0FDB9C1FA1133953C18D5A6C9 ] cdrom C:\Windows\system32\DRIVERS\cdrom.sys

12:28:09.0625 2584 cdrom - ok

12:28:09.0726 2584 [ 319C6B309773D063541D01DF8AC6F55F ] CertPropSvc C:\Windows\System32\certprop.dll

12:28:09.0728 2584 CertPropSvc - ok

12:28:09.0760 2584 [ 3FE3FE94A34DF6FB06E6418D0F6A0060 ] circlass C:\Windows\system32\drivers\circlass.sys

12:28:09.0795 2584 circlass - ok

12:28:09.0866 2584 [ 635181E0E9BBF16871BF5380D71DB02D ] CLFS C:\Windows\system32\CLFS.sys

12:28:09.0882 2584 CLFS - ok

12:28:10.0136 2584 [ D88040F816FDA31C3B466F0FA0918F29 ] clr_optimization_v2.0.50727_32 C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

12:28:10.0185 2584 clr_optimization_v2.0.50727_32 - ok

12:28:10.0492 2584 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

12:28:10.0497 2584 clr_optimization_v4.0.30319_32 - ok

12:28:10.0893 2584 [ DEA805815E587DAD1DD2C502220B5616 ] CmBatt C:\Windows\system32\DRIVERS\CmBatt.sys

12:28:10.0895 2584 CmBatt - ok

12:28:10.0950 2584 [ C537B1DB64D495B9B4717B4D6D9EDBF2 ] cmdide C:\Windows\system32\drivers\cmdide.sys

12:28:10.0963 2584 cmdide - ok

12:28:11.0064 2584 [ 6427525D76F61D0C519B008D3680E8E7 ] CNG C:\Windows\system32\Drivers\cng.sys

12:28:11.0106 2584 CNG - ok

12:28:11.0168 2584 [ A6023D3823C37043986713F118A89BEE ] Compbatt C:\Windows\system32\DRIVERS\compbatt.sys

12:28:11.0199 2584 Compbatt - ok

12:28:11.0241 2584 [ CBE8C58A8579CFE5FCCF809E6F114E89 ] CompositeBus C:\Windows\system32\DRIVERS\CompositeBus.sys

12:28:11.0276 2584 CompositeBus - ok

12:28:11.0291 2584 COMSysApp - ok

12:28:11.0369 2584 [ 2C4EBCFC84A9B44F209DFF6C6E6C61D1 ] crcdisk C:\Windows\system32\drivers\crcdisk.sys

12:28:11.0378 2584 crcdisk - ok

12:28:11.0523 2584 [ A585BEBF7D054BD9618EDA0922D5484A ] CryptSvc C:\Windows\system32\cryptsvc.dll

12:28:11.0541 2584 CryptSvc - ok

12:28:11.0611 2584 [ 3C2177A897B4CA2788C6FB0C3FD81D4B ] CSC C:\Windows\system32\drivers\csc.sys

12:28:11.0628 2584 CSC - ok

12:28:11.0732 2584 [ 15F93B37F6801943360D9EB42485D5D3 ] CscService C:\Windows\System32\cscsvc.dll

12:28:11.0745 2584 CscService - ok

12:28:11.0828 2584 [ 7CAAF4AF453EF3582FEF65DD72CAA0AA ] dc3d C:\Windows\system32\DRIVERS\dc3d.sys

12:28:11.0852 2584 dc3d - ok

12:28:11.0934 2584 [ 7660F01D3B38ACA1747E397D21D790AF ] DcomLaunch C:\Windows\system32\rpcss.dll

12:28:11.0973 2584 DcomLaunch - ok

12:28:12.0070 2584 [ 8D6E10A2D9A5EED59562D9B82CF804E1 ] defragsvc C:\Windows\System32\defragsvc.dll

12:28:12.0108 2584 defragsvc - ok

12:28:12.0152 2584 [ F024449C97EC1E464AAFFDA18593DB88 ] DfsC C:\Windows\system32\Drivers\dfsc.sys

12:28:12.0165 2584 DfsC - ok

12:28:12.0331 2584 [ E9E01EB683C132F7FA27CD607B8A2B63 ] Dhcp C:\Windows\system32\dhcpcore.dll

12:28:12.0353 2584 Dhcp - ok

12:28:12.0413 2584 [ 1A050B0274BFB3890703D490F330C0DA ] discache C:\Windows\system32\drivers\discache.sys

12:28:12.0413 2584 discache - ok

12:28:12.0535 2584 [ 565003F326F99802E68CA78F2A68E9FF ] Disk C:\Windows\system32\drivers\disk.sys

12:28:12.0561 2584 Disk - ok

12:28:12.0655 2584 [ 2A958EF85DB1B61FFCA65044FA4BCE9E ] dmvsc C:\Windows\system32\drivers\dmvsc.sys

12:28:12.0676 2584 dmvsc - ok

12:28:12.0786 2584 [ 33EF4861F19A0736B11314AAD9AE28D0 ] Dnscache C:\Windows\System32\dnsrslvr.dll

12:28:12.0791 2584 Dnscache - ok

12:28:12.0898 2584 [ 366BA8FB4B7BB7435E3B9EACB3843F67 ] dot3svc C:\Windows\System32\dot3svc.dll

12:28:12.0919 2584 dot3svc - ok

12:28:12.0970 2584 [ 8EC04CA86F1D68DA9E11952EB85973D6 ] DPS C:\Windows\system32\dps.dll

12:28:12.0985 2584 DPS - ok

12:28:13.0098 2584 [ B918E7C5F9BF77202F89E1A9539F2EB4 ] drmkaud C:\Windows\system32\drivers\drmkaud.sys

12:28:13.0116 2584 drmkaud - ok

12:28:13.0309 2584 [ 23F5D28378A160352BA8F817BD8C71CB ] DXGKrnl C:\Windows\System32\drivers\dxgkrnl.sys

12:28:13.0348 2584 DXGKrnl - ok

12:28:13.0467 2584 [ CF0A6015F437161698C5B2A0A12CF052 ] e1express C:\Windows\system32\DRIVERS\e1e6032.sys

12:28:13.0474 2584 e1express - ok

12:28:13.0586 2584 [ 8600142FA91C1B96367D3300AD0F3F3A ] EapHost C:\Windows\System32\eapsvc.dll

12:28:13.0592 2584 EapHost - ok

12:28:14.0135 2584 [ 024E1B5CAC09731E4D868E64DBFB4AB0 ] ebdrv C:\Windows\system32\drivers\evbdx.sys

12:28:14.0288 2584 ebdrv - ok

12:28:14.0361 2584 [ 81951F51E318AECC2D68559E47485CC4 ] EFS C:\Windows\System32\lsass.exe

12:28:14.0397 2584 EFS - ok

12:28:14.0606 2584 [ A8C362018EFC87BEB013EE28F29C0863 ] ehRecvr C:\Windows\ehome\ehRecvr.exe

12:28:14.0641 2584 ehRecvr - ok

12:28:14.0702 2584 [ D389BFF34F80CAEDE417BF9D1507996A ] ehSched C:\Windows\ehome\ehsched.exe

12:28:14.0721 2584 ehSched - ok

12:28:14.0795 2584 [ 0ED67910C8C326796FAA00B2BF6D9D3C ] elxstor C:\Windows\system32\drivers\elxstor.sys

12:28:14.0817 2584 elxstor - ok

12:28:14.0867 2584 [ 8FC3208352DD3912C94367A206AB3F11 ] ErrDev C:\Windows\system32\drivers\errdev.sys

12:28:14.0902 2584 ErrDev - ok

12:28:15.0003 2584 [ F6916EFC29D9953D5D0DF06882AE8E16 ] EventSystem C:\Windows\system32\es.dll

12:28:15.0010 2584 EventSystem - ok

12:28:15.0058 2584 [ 2DC9108D74081149CC8B651D3A26207F ] exfat C:\Windows\system32\drivers\exfat.sys

12:28:15.0062 2584 exfat - ok

12:28:15.0111 2584 [ 7E0AB74553476622FB6AE36F73D97D35 ] fastfat C:\Windows\system32\drivers\fastfat.sys

12:28:15.0114 2584 fastfat - ok

12:28:15.0260 2584 [ 967EA5B213E9984CBE270205DF37755B ] Fax C:\Windows\system32\fxssvc.exe

12:28:15.0278 2584 Fax - ok

12:28:15.0308 2584 fcnpve - ok

12:28:15.0368 2584 [ E817A017F82DF2A1F8CFDBDA29388B29 ] fdc C:\Windows\system32\drivers\fdc.sys

12:28:15.0370 2584 fdc - ok

12:28:15.0436 2584 [ F3222C893BD2F5821A0179E5C71E88FB ] fdPHost C:\Windows\system32\fdPHost.dll

12:28:15.0440 2584 fdPHost - ok

12:28:15.0464 2584 [ 7DBE8CBFE79EFBDEB98C9FB08D3A9A5B ] FDResPub C:\Windows\system32\fdrespub.dll

12:28:15.0495 2584 FDResPub - ok

12:28:15.0521 2584 [ 6CF00369C97F3CF563BE99BE983D13D8 ] FileInfo C:\Windows\system32\drivers\fileinfo.sys

12:28:15.0557 2584 FileInfo - ok

12:28:15.0583 2584 [ 42C51DC94C91DA21CB9196EB64C45DB9 ] Filetrace C:\Windows\system32\drivers\filetrace.sys

12:28:15.0600 2584 Filetrace - ok

12:28:15.0622 2584 [ 87907AA70CB3C56600F1C2FB8841579B ] flpydisk C:\Windows\system32\drivers\flpydisk.sys

12:28:15.0632 2584 flpydisk - ok

12:28:15.0690 2584 [ 7520EC808E0C35E0EE6F841294316653 ] FltMgr C:\Windows\system32\drivers\fltmgr.sys

12:28:15.0694 2584 FltMgr - ok

12:28:15.0912 2584 [ B3A5EC6B6B6673DB7E87C2BCDBDDC074 ] FontCache C:\Windows\system32\FntCache.dll

12:28:15.0933 2584 FontCache - ok

12:28:16.0121 2584 [ E56F39F6B7FDA0AC77A79B0FD3DE1A2F ] FontCache3.0.0.0 C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

12:28:16.0137 2584 FontCache3.0.0.0 - ok

12:28:16.0164 2584 [ 1A16B57943853E598CFF37FE2B8CBF1D ] FsDepends C:\Windows\system32\drivers\FsDepends.sys

12:28:16.0186 2584 FsDepends - ok

12:28:16.0240 2584 [ A574B4360E438977038AAE4BF60D79A2 ] Fs_Rec C:\Windows\system32\drivers\Fs_Rec.sys

12:28:16.0242 2584 Fs_Rec - ok

12:28:16.0318 2584 [ 8A73E79089B282100B9393B644CB853B ] fvevol C:\Windows\system32\DRIVERS\fvevol.sys

12:28:16.0322 2584 fvevol - ok

12:28:16.0382 2584 [ 65EE0C7A58B65E74AE05637418153938 ] gagp30kx C:\Windows\system32\drivers\gagp30kx.sys

12:28:16.0454 2584 gagp30kx - ok

12:28:16.0514 2584 [ 8182FF89C65E4D38B2DE4BB0FB18564E ] GEARAspiWDM C:\Windows\system32\DRIVERS\GEARAspiWDM.sys

12:28:16.0516 2584 GEARAspiWDM - ok

12:28:16.0665 2584 [ E897EAF5ED6BA41E081060C9B447A673 ] gpsvc C:\Windows\System32\gpsvc.dll

12:28:16.0682 2584 gpsvc - ok

12:28:16.0734 2584 [ C44E3C2BAB6837DB337DDEE7544736DB ] hcw85cir C:\Windows\system32\drivers\hcw85cir.sys

12:28:16.0735 2584 hcw85cir - ok

12:28:16.0899 2584 [ A5EF29D5315111C80A5C1ABAD14C8972 ] HdAudAddService C:\Windows\system32\drivers\HdAudio.sys

12:28:16.0930 2584 HdAudAddService - ok

12:28:16.0989 2584 [ 9036377B8A6C15DC2EEC53E489D159B5 ] HDAudBus C:\Windows\system32\DRIVERS\HDAudBus.sys

12:28:17.0009 2584 HDAudBus - ok

12:28:17.0030 2584 [ 1D58A7F3E11A9731D0EAAAA8405ACC36 ] HidBatt C:\Windows\system32\drivers\HidBatt.sys

12:28:17.0043 2584 HidBatt - ok

12:28:17.0129 2584 [ 89448F40E6DF260C206A193A4683BA78 ] HidBth C:\Windows\system32\drivers\hidbth.sys

12:28:17.0141 2584 HidBth - ok

12:28:17.0190 2584 [ CF50B4CF4A4F229B9F3C08351F99CA5E ] HidIr C:\Windows\system32\drivers\hidir.sys

12:28:17.0209 2584 HidIr - ok

12:28:17.0252 2584 [ 2BC6F6A1992B3A77F5F41432CA6B3B6B ] hidserv C:\Windows\System32\hidserv.dll

12:28:17.0267 2584 hidserv - ok

12:28:17.0337 2584 [ 10C19F8290891AF023EAEC0832E1EB4D ] HidUsb C:\Windows\system32\DRIVERS\hidusb.sys

12:28:17.0345 2584 HidUsb - ok

12:28:17.0415 2584 [ 196B4E3F4CCCC24AF836CE58FACBB699 ] hkmsvc C:\Windows\system32\kmsvc.dll

12:28:17.0421 2584 hkmsvc - ok

12:28:17.0527 2584 [ 6658F4404DE03D75FE3BA09F7ABA6A30 ] HomeGroupListener C:\Windows\system32\ListSvc.dll

12:28:17.0549 2584 HomeGroupListener - ok

12:28:17.0635 2584 [ DBC02D918FFF1CAD628ACBE0C0EAA8E8 ] HomeGroupProvider C:\Windows\system32\provsvc.dll

12:28:17.0667 2584 HomeGroupProvider - ok

12:28:17.0763 2584 [ 295FDC419039090EB8B49FFDBB374549 ] HpSAMD C:\Windows\system32\drivers\HpSAMD.sys

12:28:17.0780 2584 HpSAMD - ok

12:28:18.0059 2584 [ 7BC42C65B5C6281777C1A7605B253BA8 ] HSF_DPV C:\Windows\system32\DRIVERS\HSX_DPV.sys

12:28:18.0078 2584 HSF_DPV - ok

12:28:18.0154 2584 [ 9EBF2D102CCBB6BCDFBF1B7922F8BA2E ] HSXHWAZL C:\Windows\system32\DRIVERS\HSXHWAZL.sys

12:28:18.0211 2584 HSXHWAZL - ok

12:28:18.0309 2584 [ 871917B07A141BFF43D76D8844D48106 ] HTTP C:\Windows\system32\drivers\HTTP.sys

12:28:18.0324 2584 HTTP - ok

12:28:18.0379 2584 [ 0C4E035C7F105F1299258C90886C64C5 ] hwpolicy C:\Windows\system32\drivers\hwpolicy.sys

12:28:18.0380 2584 hwpolicy - ok

12:28:18.0465 2584 [ F151F0BDC47F4A28B1B20A0818EA36D6 ] i8042prt C:\Windows\system32\DRIVERS\i8042prt.sys

12:28:18.0483 2584 i8042prt - ok

12:28:18.0622 2584 [ 5CD5F9A5444E6CDCB0AC89BD62D8B76E ] iaStorV C:\Windows\system32\drivers\iaStorV.sys

12:28:18.0658 2584 iaStorV - ok

12:28:18.0717 2584 [ BF648877413F6160E480814A24942B65 ] IBMPMDRV C:\Windows\system32\DRIVERS\ibmpmdrv.sys

12:28:18.0738 2584 IBMPMDRV - ok

12:28:18.0818 2584 [ A75CE11915E4ECC5E1597D6E0F7BB2DB ] IBMPMSVC C:\Windows\system32\ibmpmsvc.exe

12:28:18.0820 2584 IBMPMSVC - ok

12:28:19.0171 2584 [ C521D7EB6497BB1AF6AFA89E322FB43C ] idsvc C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

12:28:19.0195 2584 idsvc - ok

12:28:20.0156 2584 [ 1F50623259DF354776DF04C56504A2D7 ] igfx C:\Windows\system32\DRIVERS\igdkmd32.sys

12:28:20.0383 2584 igfx - ok

12:28:20.0496 2584 [ 4173FF5708F3236CF25195FECD742915 ] iirsp C:\Windows\system32\drivers\iirsp.sys

12:28:20.0499 2584 iirsp - ok

12:28:20.0610 2584 [ F95622F161474511B8D80D6B093AA610 ] IKEEXT C:\Windows\System32\ikeext.dll

12:28:20.0625 2584 IKEEXT - ok

12:28:20.0666 2584 [ A0F12F2C9BA6C72F3987CE780E77C130 ] intelide C:\Windows\system32\drivers\intelide.sys

12:28:20.0678 2584 intelide - ok

12:28:20.0725 2584 [ 3B514D27BFC4ACCB4037BC6685F766E0 ] intelppm C:\Windows\system32\DRIVERS\intelppm.sys

12:28:20.0734 2584 intelppm - ok

12:28:20.0780 2584 [ ACB364B9075A45C0736E5C47BE5CAE19 ] IPBusEnum C:\Windows\system32\ipbusenum.dll

12:28:20.0804 2584 IPBusEnum - ok

12:28:20.0861 2584 [ 709D1761D3B19A932FF0238EA6D50200 ] IpFilterDriver C:\Windows\system32\DRIVERS\ipfltdrv.sys

12:28:20.0921 2584 IpFilterDriver - ok

12:28:21.0092 2584 [ 4D65A07B795D6674312F879D09AA7663 ] iphlpsvc C:\Windows\System32\iphlpsvc.dll

12:28:21.0108 2584 iphlpsvc - ok

12:28:21.0139 2584 [ 4BD7134618C1D2A27466A099062547BF ] IPMIDRV C:\Windows\system32\drivers\IPMIDrv.sys

12:28:21.0154 2584 IPMIDRV - ok

12:28:21.0197 2584 [ A5FA468D67ABCDAA36264E463A7BB0CD ] IPNAT C:\Windows\system32\drivers\ipnat.sys

12:28:21.0212 2584 IPNAT - ok

12:28:21.0638 2584 [ 178FE38B7740F598391EB2F51AE4CCAC ] iPod Service C:\Program Files\iPod\bin\iPodService.exe

12:28:21.0683 2584 iPod Service - ok

12:28:21.0809 2584 [ 42996CFF20A3084A56017B7902307E9F ] IRENUM C:\Windows\system32\drivers\irenum.sys

12:28:21.0840 2584 IRENUM - ok

12:28:21.0935 2584 [ 1F32BB6B38F62F7DF1A7AB7292638A35 ] isapnp C:\Windows\system32\drivers\isapnp.sys

12:28:21.0939 2584 isapnp - ok

12:28:22.0076 2584 [ CB7A9ABB12B8415BCE5D74994C7BA3AE ] iScsiPrt C:\Windows\system32\drivers\msiscsi.sys

12:28:22.0105 2584 iScsiPrt - ok

12:28:22.0236 2584 [ 96F2F5884D02535E2D4DFC849836F4A6 ] ISODisk C:\Windows\system32\drivers\ISODisk.sys

12:28:22.0250 2584 ISODisk - ok

12:28:22.0301 2584 [ ADEF52CA1AEAE82B50DF86B56413107E ] kbdclass C:\Windows\system32\DRIVERS\kbdclass.sys

12:28:22.0303 2584 kbdclass - ok

12:28:22.0373 2584 [ 9E3CED91863E6EE98C24794D05E27A71 ] kbdhid C:\Windows\system32\drivers\kbdhid.sys

12:28:22.0428 2584 kbdhid - ok

12:28:22.0484 2584 [ 81951F51E318AECC2D68559E47485CC4 ] KeyIso C:\Windows\system32\lsass.exe

12:28:22.0486 2584 KeyIso - ok

12:28:22.0519 2584 [ F4647BB23DB9038A7536CF6B68F4207F ] KSecDD C:\Windows\system32\Drivers\ksecdd.sys

12:28:22.0530 2584 KSecDD - ok

12:28:22.0560 2584 [ E73CAE53BBB72BA26918492C6B4C229D ] KSecPkg C:\Windows\system32\Drivers\ksecpkg.sys

12:28:22.0563 2584 KSecPkg - ok

12:28:22.0615 2584 [ 89A7B9CC98D0D80C6F31B91C0A310FCD ] KtmRm C:\Windows\system32\msdtckrm.dll

12:28:22.0630 2584 KtmRm - ok

12:28:22.0736 2584 [ D64AF876D53ECA3668BB97B51B4E70AB ] LanmanServer C:\Windows\System32\srvsvc.dll

12:28:22.0752 2584 LanmanServer - ok

12:28:22.0801 2584 [ 58405E4F68BA8E4057C6E914F326ABA2 ] LanmanWorkstation C:\Windows\System32\wkssvc.dll

12:28:22.0806 2584 LanmanWorkstation - ok

12:28:22.0888 2584 [ F7611EC07349979DA9B0AE1F18CCC7A6 ] lltdio C:\Windows\system32\DRIVERS\lltdio.sys

12:28:22.0889 2584 lltdio - ok

12:28:23.0003 2584 [ 5700673E13A2117FA3B9020C852C01E2 ] lltdsvc C:\Windows\System32\lltdsvc.dll

12:28:23.0013 2584 lltdsvc - ok

12:28:23.0054 2584 [ 55CA01BA19D0006C8F2639B6C045E08B ] lmhosts C:\Windows\System32\lmhsvc.dll

12:28:23.0069 2584 lmhosts - ok

12:28:23.0113 2584 [ EB119A53CCF2ACC000AC71B065B78FEF ] LSI_FC C:\Windows\system32\drivers\lsi_fc.sys

12:28:23.0127 2584 LSI_FC - ok

12:28:23.0150 2584 [ 8ADE1C877256A22E49B75D1CC9161F9C ] LSI_SAS C:\Windows\system32\drivers\lsi_sas.sys

12:28:23.0168 2584 LSI_SAS - ok

12:28:23.0244 2584 [ DC9DC3D3DAA0E276FD2EC262E38B11E9 ] LSI_SAS2 C:\Windows\system32\drivers\lsi_sas2.sys

12:28:23.0247 2584 LSI_SAS2 - ok

12:28:23.0274 2584 [ 0A036C7D7CAB643A7F07135AC47E0524 ] LSI_SCSI C:\Windows\system32\drivers\lsi_scsi.sys

12:28:23.0290 2584 LSI_SCSI - ok

12:28:23.0310 2584 [ 6703E366CC18D3B6E534F5CF7DF39CEE ] luafv C:\Windows\system32\drivers\luafv.sys

12:28:23.0320 2584 luafv - ok

12:28:23.0427 2584 [ 65E794E86468B61F2BC79ABC48BC4433 ] MBAMProtector C:\Windows\system32\drivers\mbam.sys

12:28:23.0429 2584 MBAMProtector - ok

12:28:23.0769 2584 [ 0DCF16B1449811EFA47AB52CAC84093C ] MBAMScheduler C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

12:28:23.0780 2584 MBAMScheduler - ok

12:28:23.0946 2584 [ 9EAABA4D601004BEA4DAA6E146E19A96 ] MBAMService C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

12:28:23.0979 2584 MBAMService - ok

12:28:24.0070 2584 [ 0DB7527DB188C7D967A37BB51BBF3963 ] MBAMSwissArmy C:\Windows\system32\drivers\mbamswissarmy.sys

12:28:24.0073 2584 MBAMSwissArmy - ok

12:28:24.0159 2584 [ BFB9EE8EE977EFE85D1A3105ABEF6DD1 ] Mcx2Svc C:\Windows\system32\Mcx2Svc.dll

12:28:24.0165 2584 Mcx2Svc - ok

12:28:24.0231 2584 [ 0CEA2D0D3FA284B85ED5B68365114F76 ] mdmxsdk C:\Windows\system32\DRIVERS\mdmxsdk.sys

12:28:24.0233 2584 mdmxsdk - ok

12:28:24.0281 2584 [ 0FFF5B045293002AB38EB1FD1FC2FB74 ] megasas C:\Windows\system32\drivers\megasas.sys

12:28:24.0292 2584 megasas - ok

12:28:24.0347 2584 [ DCBAB2920C75F390CAF1D29F675D03D6 ] MegaSR C:\Windows\system32\drivers\MegaSR.sys

12:28:24.0351 2584 MegaSR - ok

12:28:24.0509 2584 Microsoft SharePoint Workspace Audit Service - ok

12:28:25.0428 2584 [ 146B6F43A673379A3C670E86D89BE5EA ] MMCSS C:\Windows\system32\mmcss.dll

12:28:25.0434 2584 MMCSS - ok

12:28:25.0566 2584 [ F001861E5700EE84E2D4E52C712F4964 ] Modem C:\Windows\system32\drivers\modem.sys

12:28:25.0569 2584 Modem - ok

12:28:25.0618 2584 [ 79D10964DE86B292320E9DFE02282A23 ] monitor C:\Windows\system32\DRIVERS\monitor.sys

12:28:25.0628 2584 monitor - ok

12:28:25.0686 2584 [ FB18CC1D4C2E716B6B903B0AC0CC0609 ] mouclass C:\Windows\system32\DRIVERS\mouclass.sys

12:28:25.0713 2584 mouclass - ok

12:28:25.0758 2584 [ 2C388D2CD01C9042596CF3C8F3C7B24D ] mouhid C:\Windows\system32\DRIVERS\mouhid.sys

12:28:25.0771 2584 mouhid - ok

12:28:25.0813 2584 [ FC8771F45ECCCFD89684E38842539B9B ] mountmgr C:\Windows\system32\drivers\mountmgr.sys

12:28:25.0815 2584 mountmgr - ok

12:28:26.0016 2584 [ CB8AF049AC9BE419A77ADAE288673359 ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

12:28:26.0032 2584 MozillaMaintenance - ok

12:28:26.0104 2584 [ 2D699FB6E89CE0D8DA14ECC03B3EDFE0 ] mpio C:\Windows\system32\drivers\mpio.sys

12:28:26.0107 2584 mpio - ok

12:28:26.0127 2584 [ AD2723A7B53DD1AACAE6AD8C0BFBF4D0 ] mpsdrv C:\Windows\system32\drivers\mpsdrv.sys

12:28:26.0143 2584 mpsdrv - ok

12:28:26.0298 2584 [ 9835584E999D25004E1EE8E5F3E3B881 ] MpsSvc C:\Windows\system32\mpssvc.dll

12:28:26.0309 2584 MpsSvc - ok

12:28:26.0359 2584 [ CEB46AB7C01C9F825F8CC6BABC18166A ] MRxDAV C:\Windows\system32\drivers\mrxdav.sys

12:28:26.0415 2584 MRxDAV - ok

12:28:26.0466 2584 [ 5D16C921E3671636C0EBA3BBAAC5FD25 ] mrxsmb C:\Windows\system32\DRIVERS\mrxsmb.sys

12:28:26.0476 2584 mrxsmb - ok

12:28:26.0527 2584 [ 6D17A4791ACA19328C685D256349FEFC ] mrxsmb10 C:\Windows\system32\DRIVERS\mrxsmb10.sys

12:28:26.0536 2584 mrxsmb10 - ok

12:28:26.0594 2584 [ B81F204D146000BE76651A50670A5E9E ] mrxsmb20 C:\Windows\system32\DRIVERS\mrxsmb20.sys

12:28:26.0597 2584 mrxsmb20 - ok

12:28:26.0621 2584 [ 012C5F4E9349E711E11E0F19A8589F0A ] msahci C:\Windows\system32\drivers\msahci.sys

12:28:26.0633 2584 msahci - ok

12:28:26.0669 2584 [ 55055F8AD8BE27A64C831322A780A228 ] msdsm C:\Windows\system32\drivers\msdsm.sys

12:28:26.0690 2584 msdsm - ok

12:28:26.0743 2584 [ E1BCE74A3BD9902B72599C0192A07E27 ] MSDTC C:\Windows\System32\msdtc.exe

12:28:26.0748 2584 MSDTC - ok

12:28:26.0783 2584 [ DAEFB28E3AF5A76ABCC2C3078C07327F ] Msfs C:\Windows\system32\drivers\Msfs.sys

12:28:26.0816 2584 Msfs - ok

12:28:26.0841 2584 [ 3E1E5767043C5AF9367F0056295E9F84 ] mshidkmdf C:\Windows\System32\drivers\mshidkmdf.sys

12:28:26.0855 2584 mshidkmdf - ok

12:28:26.0875 2584 [ 0A4E5757AE09FA9622E3158CC1AEF114 ] msisadrv C:\Windows\system32\drivers\msisadrv.sys

12:28:26.0876 2584 msisadrv - ok

12:28:26.0944 2584 [ 90F7D9E6B6F27E1A707D4A297F077828 ] MSiSCSI C:\Windows\system32\iscsiexe.dll

12:28:26.0960 2584 MSiSCSI - ok

12:28:26.0969 2584 msiserver - ok

12:28:27.0018 2584 [ 8C0860D6366AAFFB6C5BB9DF9448E631 ] MSKSSRV C:\Windows\system32\drivers\MSKSSRV.sys

12:28:27.0049 2584 MSKSSRV - ok

12:28:27.0102 2584 [ 3EA8B949F963562CEDBB549EAC0C11CE ] MSPCLOCK C:\Windows\system32\drivers\MSPCLOCK.sys

12:28:27.0120 2584 MSPCLOCK - ok

12:28:27.0147 2584 [ F456E973590D663B1073E9C463B40932 ] MSPQM C:\Windows\system32\drivers\MSPQM.sys

12:28:27.0148 2584 MSPQM - ok

12:28:27.0190 2584 [ 0E008FC4819D238C51D7C93E7B41E560 ] MsRPC C:\Windows\system32\drivers\MsRPC.sys

12:28:27.0194 2584 MsRPC - ok

12:28:27.0228 2584 [ FC6B9FF600CC585EA38B12589BD4E246 ] mssmbios C:\Windows\system32\DRIVERS\mssmbios.sys

12:28:27.0240 2584 mssmbios - ok

12:28:27.0299 2584 [ B42C6B921F61A6E55159B8BE6CD54A36 ] MSTEE C:\Windows\system32\drivers\MSTEE.sys

12:28:27.0316 2584 MSTEE - ok

12:28:27.0361 2584 [ 33599130F44E1F34631CEA241DE8AC84 ] MTConfig C:\Windows\system32\drivers\MTConfig.sys

12:28:27.0382 2584 MTConfig - ok

12:28:27.0408 2584 [ 159FAD02F64E6381758C990F753BCC80 ] Mup C:\Windows\system32\Drivers\mup.sys

12:28:27.0427 2584 Mup - ok

12:28:27.0489 2584 [ 61D57A5D7C6D9AFE10E77DAE6E1B445E ] napagent C:\Windows\system32\qagentRT.dll

12:28:27.0508 2584 napagent - ok

12:28:27.0576 2584 [ 26384429FCD85D83746F63E798AB1480 ] NativeWifiP C:\Windows\system32\DRIVERS\nwifi.sys

12:28:27.0581 2584 NativeWifiP - ok

12:28:27.0745 2584 [ E7C54812A2AAF43316EB6930C1FFA108 ] NDIS C:\Windows\system32\drivers\ndis.sys

12:28:27.0763 2584 NDIS - ok

12:28:27.0816 2584 [ 0E1787AA6C9191D3D319E8BAFE86F80C ] NdisCap C:\Windows\system32\DRIVERS\ndiscap.sys

12:28:27.0830 2584 NdisCap - ok

12:28:27.0874 2584 [ E4A8AEC125A2E43A9E32AFEEA7C9C888 ] NdisTapi C:\Windows\system32\DRIVERS\ndistapi.sys

12:28:27.0893 2584 NdisTapi - ok

12:28:27.0943 2584 [ D8A65DAFB3EB41CBB622745676FCD072 ] Ndisuio C:\Windows\system32\DRIVERS\ndisuio.sys

12:28:27.0959 2584 Ndisuio - ok

12:28:27.0984 2584 [ 38FBE267E7E6983311179230FACB1017 ] NdisWan C:\Windows\system32\DRIVERS\ndiswan.sys

12:28:28.0004 2584 NdisWan - ok

12:28:28.0031 2584 [ A4BDC541E69674FBFF1A8FF00BE913F2 ] NDProxy C:\Windows\system32\drivers\NDProxy.sys

12:28:28.0049 2584 NDProxy - ok

12:28:28.0143 2584 [ 80B275B1CE3B0E79909DB7B39AF74D51 ] NetBIOS C:\Windows\system32\DRIVERS\netbios.sys

12:28:28.0146 2584 NetBIOS - ok

12:28:28.0231 2584 [ 280122DDCF04B378EDD1AD54D71C1E54 ] NetBT C:\Windows\system32\DRIVERS\netbt.sys

12:28:28.0237 2584 NetBT - ok

12:28:28.0306 2584 [ 81951F51E318AECC2D68559E47485CC4 ] Netlogon C:\Windows\system32\lsass.exe

12:28:28.0309 2584 Netlogon - ok

12:28:28.0425 2584 [ 7CCCFCA7510684768DA22092D1FA4DB2 ] Netman C:\Windows\System32\netman.dll

12:28:28.0438 2584 Netman - ok

12:28:28.0562 2584 [ 8C338238C16777A802D6A9211EB2BA50 ] netprofm C:\Windows\System32\netprofm.dll

12:28:28.0597 2584 netprofm - ok

12:28:28.0785 2584 [ F476EC40033CDB91EFBE73EB99B8362D ] NetTcpPortSharing C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

12:28:28.0790 2584 NetTcpPortSharing - ok

12:28:29.0502 2584 [ 58218EC6B61B1169CF54AAB0D00F5FE2 ] netw5v32 C:\Windows\system32\DRIVERS\netw5v32.sys

12:28:29.0724 2584 netw5v32 - ok

12:28:29.0836 2584 [ 1D85C4B390B0EE09C7A46B91EFB2C097 ] nfrd960 C:\Windows\system32\drivers\nfrd960.sys

12:28:29.0838 2584 nfrd960 - ok

12:28:30.0010 2584 [ 912084381D30D8B89EC4E293053F4710 ] NlaSvc C:\Windows\System32\nlasvc.dll

12:28:30.0041 2584 NlaSvc - ok

12:28:30.0085 2584 [ 1DB262A9F8C087E8153D89BEF3D2235F ] Npfs C:\Windows\system32\drivers\Npfs.sys

12:28:30.0097 2584 Npfs - ok

12:28:30.0147 2584 [ BA387E955E890C8A88306D9B8D06BF17 ] nsi C:\Windows\system32\nsisvc.dll

12:28:30.0173 2584 nsi - ok

12:28:30.0200 2584 [ E9A0A4D07E53D8FEA2BB8387A3293C58 ] nsiproxy C:\Windows\system32\drivers\nsiproxy.sys

12:28:30.0201 2584 nsiproxy - ok

12:28:30.0583 2584 [ 81189C3D7763838E55C397759D49007A ] Ntfs C:\Windows\system32\drivers\Ntfs.sys

12:28:30.0611 2584 Ntfs - ok

12:28:30.0760 2584 [ 37BE10FF10A92031FC5A01E8363925CC ] NuidFltr C:\Windows\system32\DRIVERS\NuidFltr.sys

12:28:30.0768 2584 NuidFltr - ok

12:28:30.0838 2584 [ F9756A98D69098DCA8945D62858A812C ] Null C:\Windows\system32\drivers\Null.sys

12:28:30.0852 2584 Null - ok

12:28:30.0961 2584 [ B3E25EE28883877076E0E1FF877D02E0 ] nvraid C:\Windows\system32\drivers\nvraid.sys

12:28:30.0966 2584 nvraid - ok

12:28:31.0033 2584 [ 4380E59A170D88C4F1022EFF6719A8A4 ] nvstor C:\Windows\system32\drivers\nvstor.sys

12:28:31.0037 2584 nvstor - ok

12:28:31.0071 2584 [ 5A0983915F02BAE73267CC2A041F717D ] nv_agp C:\Windows\system32\drivers\nv_agp.sys

12:28:31.0084 2584 nv_agp - ok

12:28:31.0138 2584 [ 08A70A1F2CDDE9BB49B885CB817A66EB ] ohci1394 C:\Windows\system32\drivers\ohci1394.sys

12:28:31.0140 2584 ohci1394 - ok

12:28:31.0374 2584 [ 9D10F99A6712E28F8ACD5641E3A7EA6B ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

12:28:31.0377 2584 ose - ok

12:28:32.0046 2584 [ 358A9CCA612C68EB2F07DDAD4CE1D8D7 ] osppsvc C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

12:28:32.0243 2584 osppsvc - ok

12:28:32.0317 2584 [ 82A8521DDC60710C3D3D3E7325209BEC ] p2pimsvc C:\Windows\system32\pnrpsvc.dll

12:28:32.0324 2584 p2pimsvc - ok

12:28:32.0458 2584 [ 59C3DDD501E39E006DAC31BF55150D91 ] p2psvc C:\Windows\system32\p2psvc.dll

12:28:32.0495 2584 p2psvc - ok

12:28:32.0612 2584 [ 2EA877ED5DD9713C5AC74E8EA7348D14 ] Parport C:\Windows\system32\drivers\parport.sys

12:28:32.0626 2584 Parport - ok

12:28:32.0683 2584 [ BF8F6AF06DA75B336F07E23AEF97D93B ] partmgr C:\Windows\system32\drivers\partmgr.sys

12:28:32.0703 2584 partmgr - ok

12:28:32.0735 2584 [ EB0A59F29C19B86479D36B35983DAADC ] Parvdm C:\Windows\system32\drivers\parvdm.sys

12:28:32.0752 2584 Parvdm - ok

12:28:32.0804 2584 [ 358AB7956D3160000726574083DFC8A6 ] PcaSvc C:\Windows\System32\pcasvc.dll

12:28:32.0822 2584 PcaSvc - ok

12:28:32.0864 2584 [ 673E55C3498EB970088E812EA820AA8F ] pci C:\Windows\system32\drivers\pci.sys

12:28:32.0867 2584 pci - ok

12:28:32.0937 2584 [ AFE86F419014DB4E5593F69FFE26CE0A ] pciide C:\Windows\system32\drivers\pciide.sys

12:28:32.0940 2584 pciide - ok

12:28:33.0010 2584 [ F396431B31693E71E8A80687EF523506 ] pcmcia C:\Windows\system32\DRIVERS\pcmcia.sys

12:28:33.0016 2584 pcmcia - ok

12:28:33.0053 2584 [ 250F6B43D2B613172035C6747AEEB19F ] pcw C:\Windows\system32\drivers\pcw.sys

12:28:33.0072 2584 pcw - ok

12:28:33.0232 2584 [ 9E0104BA49F4E6973749A02BF41344ED ] PEAUTH C:\Windows\system32\drivers\peauth.sys

12:28:33.0261 2584 PEAUTH - ok

12:28:33.0569 2584 [ AF4D64D2A57B9772CF3801950B8058A6 ] PeerDistSvc C:\Windows\system32\peerdistsvc.dll

12:28:33.0590 2584 PeerDistSvc - ok

12:28:34.0049 2584 [ 414BBA67A3DED1D28437EB66AEB8A720 ] pla C:\Windows\system32\pla.dll

12:28:34.0115 2584 pla - ok

12:28:34.0198 2584 [ EC7BC28D207DA09E79B3E9FAF8B232CA ] PlugPlay C:\Windows\system32\umpnpmgr.dll

12:28:34.0213 2584 PlugPlay - ok

12:28:34.0285 2584 [ 63FF8572611249931EB16BB8EED6AFC8 ] PNRPAutoReg C:\Windows\system32\pnrpauto.dll

12:28:34.0292 2584 PNRPAutoReg - ok

12:28:34.0361 2584 [ 82A8521DDC60710C3D3D3E7325209BEC ] PNRPsvc C:\Windows\system32\pnrpsvc.dll

12:28:34.0365 2584 PNRPsvc - ok

12:28:34.0495 2584 [ 896D916DE06F5502D301E8C4DC442AE8 ] Point32 C:\Windows\system32\DRIVERS\point32.sys

12:28:34.0507 2584 Point32 - ok

12:28:34.0565 2584 [ 53946B69BA0836BD95B03759530C81EC ] PolicyAgent C:\Windows\System32\ipsecsvc.dll

12:28:34.0594 2584 PolicyAgent - ok

12:28:34.0689 2584 [ F87D30E72E03D579A5199CCB3831D6EA ] Power C:\Windows\system32\umpo.dll

12:28:34.0703 2584 Power - ok

12:28:34.0794 2584 [ 631E3E205AD6D86F2AED6A4A8E69F2DB ] PptpMiniport C:\Windows\system32\DRIVERS\raspptp.sys

12:28:34.0809 2584 PptpMiniport - ok

12:28:34.0846 2584 [ 85B1E3A0C7585BC4AAE6899EC6FCF011 ] Processor C:\Windows\system32\drivers\processr.sys

12:28:34.0861 2584 Processor - ok

12:28:34.0935 2584 [ 43CA4CCC22D52FB58E8988F0198851D0 ] ProfSvc C:\Windows\system32\profsvc.dll

12:28:34.0940 2584 ProfSvc - ok

12:28:34.0984 2584 [ 81951F51E318AECC2D68559E47485CC4 ] ProtectedStorage C:\Windows\system32\lsass.exe

12:28:34.0986 2584 ProtectedStorage - ok

12:28:35.0029 2584 [ 6270CCAE2A86DE6D146529FE55B3246A ] Psched C:\Windows\system32\DRIVERS\pacer.sys

12:28:35.0041 2584 Psched - ok

12:28:35.0265 2584 [ AB95ECF1F6659A60DDC166D8315B0751 ] ql2300 C:\Windows\system32\drivers\ql2300.sys

12:28:35.0292 2584 ql2300 - ok

12:28:35.0358 2584 [ B4DD51DD25182244B86737DC51AF2270 ] ql40xx C:\Windows\system32\drivers\ql40xx.sys

12:28:35.0386 2584 ql40xx - ok

12:28:35.0437 2584 [ 31AC809E7707EB580B2BDB760390765A ] QWAVE C:\Windows\system32\qwave.dll

12:28:35.0444 2584 QWAVE - ok

12:28:35.0473 2584 [ 584078CA1B95CA72DF2A27C336F9719D ] QWAVEdrv C:\Windows\system32\drivers\qwavedrv.sys

12:28:35.0475 2584 QWAVEdrv - ok

12:28:35.0499 2584 [ 30A81B53C766D0133BB86D234E5556AB ] RasAcd C:\Windows\system32\DRIVERS\rasacd.sys

12:28:35.0529 2584 RasAcd - ok

12:28:35.0656 2584 [ 57EC4AEF73660166074D8F7F31C0D4FD ] RasAgileVpn C:\Windows\system32\DRIVERS\AgileVpn.sys

12:28:35.0671 2584 RasAgileVpn - ok

12:28:35.0715 2584 [ A60F1839849C0C00739787FD5EC03F13 ] RasAuto C:\Windows\System32\rasauto.dll

12:28:35.0727 2584 RasAuto - ok

12:28:35.0787 2584 [ D9F91EAFEC2815365CBE6D167E4E332A ] Rasl2tp C:\Windows\system32\DRIVERS\rasl2tp.sys

12:28:35.0821 2584 Rasl2tp - ok

12:28:35.0968 2584 [ CB9E04DC05EACF5B9A36CA276D475006 ] RasMan C:\Windows\System32\rasmans.dll

12:28:35.0984 2584 RasMan - ok

12:28:36.0042 2584 [ 0FE8B15916307A6AC12BFB6A63E45507 ] RasPppoe C:\Windows\system32\DRIVERS\raspppoe.sys

12:28:36.0057 2584 RasPppoe - ok

12:28:36.0080 2584 [ 44101F495A83EA6401D886E7FD70096B ] RasSstp C:\Windows\system32\DRIVERS\rassstp.sys

12:28:36.0098 2584 RasSstp - ok

12:28:36.0187 2584 [ D528BC58A489409BA40334EBF96A311B ] rdbss C:\Windows\system32\DRIVERS\rdbss.sys

12:28:36.0195 2584 rdbss - ok

12:28:36.0222 2584 [ 0D8F05481CB76E70E1DA06EE9F0DA9DF ] rdpbus C:\Windows\system32\DRIVERS\rdpbus.sys

12:28:36.0229 2584 rdpbus - ok

12:28:36.0261 2584 [ 23DAE03F29D253AE74C44F99E515F9A1 ] RDPCDD C:\Windows\system32\DRIVERS\RDPCDD.sys

12:28:36.0262 2584 RDPCDD - ok

12:28:36.0352 2584 [ B973FCFC50DC1434E1970A146F7E3885 ] RDPDR C:\Windows\system32\drivers\rdpdr.sys

12:28:36.0358 2584 RDPDR - ok

12:28:36.0409 2584 [ 5A53CA1598DD4156D44196D200C94B8A ] RDPENCDD C:\Windows\system32\drivers\rdpencdd.sys

12:28:36.0410 2584 RDPENCDD - ok

12:28:36.0440 2584 [ 44B0A53CD4F27D50ED461DAE0C0B4E1F ] RDPREFMP C:\Windows\system32\drivers\rdprefmp.sys

12:28:36.0440 2584 RDPREFMP - ok

12:28:36.0486 2584 [ 68A0387F58E226DEEE23D9715955572A ] RdpVideoMiniport C:\Windows\system32\drivers\rdpvideominiport.sys

12:28:36.0497 2584 RdpVideoMiniport - ok

12:28:36.0574 2584 [ 244C83332F44589AE98FC347F11B2693 ] RDPWD C:\Windows\system32\drivers\RDPWD.sys

12:28:36.0593 2584 RDPWD - ok

12:28:36.0665 2584 [ 518395321DC96FE2C9F0E96AC743B656 ] rdyboost C:\Windows\system32\drivers\rdyboost.sys

12:28:36.0672 2584 rdyboost - ok

12:28:36.0818 2584 [ 7B5E1419717FAC363A31CC302895217A ] RemoteAccess C:\Windows\System32\mprdim.dll

12:28:36.0825 2584 RemoteAccess - ok

12:28:36.0909 2584 [ CB9A8683F4EF2BF99E123D79950D7935 ] RemoteRegistry C:\Windows\system32\regsvc.dll

12:28:36.0921 2584 RemoteRegistry - ok

12:28:36.0986 2584 [ 6C1F93C0760C9F79A1869D07233DF39D ] rismxdp C:\Windows\system32\DRIVERS\rixdptsk.sys

12:28:36.0997 2584 rismxdp - ok

12:28:37.0048 2584 [ 78D072F35BC45D9E4E1B61895C152234 ] RpcEptMapper C:\Windows\System32\RpcEpMap.dll

12:28:37.0051 2584 RpcEptMapper - ok

12:28:37.0112 2584 [ 94D36C0E44677DD26981D2BFEEF2A29D ] RpcLocator C:\Windows\system32\locator.exe

12:28:37.0134 2584 RpcLocator - ok

12:28:37.0236 2584 [ 7660F01D3B38ACA1747E397D21D790AF ] RpcSs C:\Windows\system32\rpcss.dll

12:28:37.0250 2584 RpcSs - ok

12:28:37.0349 2584 [ 032B0D36AD92B582D869879F5AF5B928 ] rspndr C:\Windows\system32\DRIVERS\rspndr.sys

12:28:37.0365 2584 rspndr - ok

12:28:37.0401 2584 [ 7FA7F2E249A5DCBB7970630E15E1F482 ] s3cap C:\Windows\system32\drivers\vms3cap.sys

12:28:37.0416 2584 s3cap - ok

12:28:37.0495 2584 [ 81951F51E318AECC2D68559E47485CC4 ] SamSs C:\Windows\system32\lsass.exe

12:28:37.0500 2584 SamSs - ok

12:28:37.0550 2584 [ 05D860DA1040F111503AC416CCEF2BCA ] sbp2port C:\Windows\system32\drivers\sbp2port.sys

12:28:37.0560 2584 sbp2port - ok

12:28:37.0710 2584 [ 8FC518FFE9519C2631D37515A68009C4 ] SCardSvr C:\Windows\System32\SCardSvr.dll

12:28:37.0720 2584 SCardSvr - ok

12:28:37.0787 2584 [ 0693B5EC673E34DC147E195779A4DCF6 ] scfilter C:\Windows\system32\DRIVERS\scfilter.sys

12:28:37.0790 2584 scfilter - ok

12:28:37.0999 2584 [ A04BB13F8A72F8B6E8B4071723E4E336 ] Schedule C:\Windows\system32\schedsvc.dll

12:28:38.0023 2584 Schedule - ok

12:28:38.0059 2584 [ 319C6B309773D063541D01DF8AC6F55F ] SCPolicySvc C:\Windows\System32\certprop.dll

12:28:38.0061 2584 SCPolicySvc - ok

12:28:38.0194 2584 [ 0328BE1C7F1CBA23848179F8762E391C ] sdbus C:\Windows\system32\DRIVERS\sdbus.sys

12:28:38.0204 2584 sdbus - ok

12:28:38.0263 2584 [ 08236C4BCE5EDD0A0318A438AF28E0F7 ] SDRSVC C:\Windows\System32\SDRSVC.dll

12:28:38.0309 2584 SDRSVC - ok

12:28:38.0396 2584 [ 90A3935D05B494A5A39D37E71F09A677 ] secdrv C:\Windows\system32\drivers\secdrv.sys

12:28:38.0407 2584 secdrv - ok

12:28:38.0433 2584 [ A59B3A4442C52060CC7A85293AA3546F ] seclogon C:\Windows\system32\seclogon.dll

12:28:38.0451 2584 seclogon - ok

12:28:38.0509 2584 [ DCB7FCDCC97F87360F75D77425B81737 ] SENS C:\Windows\system32\sens.dll

12:28:38.0537 2584 SENS - ok

12:28:38.0589 2584 [ 50087FE1EE447009C9CC2997B90DE53F ] SensrSvc C:\Windows\system32\sensrsvc.dll

12:28:38.0601 2584 SensrSvc - ok

12:28:38.0644 2584 [ 9AD8B8B515E3DF6ACD4212EF465DE2D1 ] Serenum C:\Windows\system32\drivers\serenum.sys

12:28:38.0660 2584 Serenum - ok

12:28:38.0697 2584 [ 5FB7FCEA0490D821F26F39CC5EA3D1E2 ] Serial C:\Windows\system32\drivers\serial.sys

12:28:38.0700 2584 Serial - ok

12:28:54.0541 2584 ================ Scan global ===============================

12:28:54.0586 2584 [ DAB748AE0439955ED2FA22357533DDDB ] C:\Windows\system32\basesrv.dll

12:28:54.0697 2584 [ 183B4188D5D91B271613EC3EFD1B3CEF ] C:\Windows\system32\winsrv.dll

12:28:54.0741 2584 [ 183B4188D5D91B271613EC3EFD1B3CEF ] C:\Windows\system32\winsrv.dll

12:28:54.0815 2584 [ 364455805E64882844EE9ACB72522830 ] C:\Windows\system32\sxssrv.dll

12:28:54.0982 2584 [ 5F1B6A9C35D3D5CA72D6D6FDEF9747D6 ] C:\Windows\system32\services.exe

12:28:55.0026 2584 [Global] - ok

12:28:55.0026 2584 ================ Scan MBR ==================================

12:28:55.0036 2584 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0

12:28:55.0749 2584 \Device\Harddisk0\DR0 - ok

12:28:55.0750 2584 ================ Scan VBR ==================================

12:28:55.0770 2584 [ 732A7FFF4C0E6B2D443801B0C8BA8A1A ] \Device\Harddisk0\DR0\Partition1

12:28:55.0850 2584 \Device\Harddisk0\DR0\Partition1 - ok

12:28:55.0851 2584 ============================================================

12:28:55.0851 2584 Scan finished

12:28:55.0851 2584 ============================================================

12:28:55.0872 4848 Detected object count: 0

12:28:55.0872 4848 Actual detected object count: 0

RK report:

RogueKiller V8.0.3 [09/13/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User : admin [Admin rights]

Mode : Scan -- Date : 09/16/2012 12:35:21

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤

[TASK][SUSP PATH] {2E71EAB2-3413-48CC-852A-4856668E43D2} : C:\Users\admin\Desktop\crusader\Stronghold_Crusader_Extreme.exe -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[84] : NtCreateSection @ 0x82C2A00D -> HOOKED (Unknown @ 0x9059FDC6)

SSDT[299] : NtRequestWaitReplyPort @ 0x82C44A03 -> HOOKED (Unknown @ 0x9059FDD0)

SSDT[316] : NtSetContextThread @ 0x82CE3F2F -> HOOKED (Unknown @ 0x9059FDCB)

SSDT[347] : NtSetSecurityObject @ 0x82C086EA -> HOOKED (Unknown @ 0x9059FDD5)

SSDT[368] : NtSystemDebugControl @ 0x82C8C63C -> HOOKED (Unknown @ 0x9059FDDA)

SSDT[370] : NtTerminateProcess @ 0x82C61B8D -> HOOKED (Unknown @ 0x9059FD67)

S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x9059FDEE)

S_SSDT[588] : Unknown -> HOOKED (Unknown @ 0x9059FDF3)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HITACHI HTS541612J9SA00 ATA Device +++++

--- User ---

[MBR] 083c3b5e2710c71ef97830c99fd713ae

[BSP] 1e7270ec67cfa289ccfbebe654b2b814 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 114470 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt


See this advisory on the Internet Crime Complaint Center regarding ransomware

http://www.ic3.gov/media/2012/120530.aspx

Advise me if you have access to a clean computer system. You need to change all your online passwords (especially banking & CC ones) but only using a clean pc.

This system likely has some serious backdoor trojans, spyware, and possibly, a rootkit.

This is a point where you need to decide about whether to make a clean start.

A backdoor trojan allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (Remote access trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh. While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions. I would recommend that you do a full reformat and reinstall of Windows rather than clean the system.

Let me know what you decide. :excl:

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo.com/2007/10/03/what-is-a-backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Should you decide to go ahead hunting for & trying to remove malware, do this:

Again, stop putting Quote blocks around reports, please. That actually makes it harder for me to read easily.

These steps are for tonylogue only. If you are a casual viewer, do NOT try this on your system!

If you are not tonylogue and have a similar problem, do NOT post here; start your own topic

The fixes in this Topic are for this system only :excl: Do not apply the fix-instructions from this topic to any other system!

Do not do any websurfing on this system. Only go to this forum and the sites I guide you to for tools or online scans.

Please follow my guidance

If you are a casual viewer, do NOT try this on your system!

If you are not the originating-member-poster and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

Close any of your open programs while you run these tools.

RogueKiller

  • Disable your anti-virus program, How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Right-Click RogueKiller and select Run as Administrator.
  • Wait until Prescan finishes.
    Select these lines for removal
    [TASK][SUSP PATH] {2E71EAB2-3413-48CC-852A-4856668E43D2} : C:\Users\admin\Desktop\crusader\Stronghold_Crusader_Extreme.exe -> FOUND
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
  • On the RogueKiller console, click the Registry tab.
  • Then press the Delete button.
  • When done, logoff & Restart the system.
  • The log will be found as RKreport
    Copy & Paste the contents into next reply.

Step 2

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Please download Rkill by Grinler and save it to your desktop.


Link 2
Link 3
Link 4
Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL

IF you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

When all done, rkill.txt log file will be on your desktop. Copy & Paste contents of Rkill.txt into a reply.

More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html

Step 3

Temporarily turn OFF your antivirus program.

Save and close any work documents, close any apps that you started.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the MBAM scan log into a new reply.

Re-enable your antivirus program.

Edited by Maurice Naggar

rkreport:

RogueKiller V8.0.3 [09/13/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User : admin [Admin rights]

Mode : Remove -- Date : 09/16/2012 14:09:37

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤

[TASK][SUSP PATH] {2E71EAB2-3413-48CC-852A-4856668E43D2} : C:\Users\admin\Desktop\crusader\Stronghold_Crusader_Extreme.exe -> DELETED

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)

[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> REPLACED (1)

[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[84] : NtCreateSection @ 0x82C7800D -> HOOKED (Unknown @ 0x9070894E)

SSDT[299] : NtRequestWaitReplyPort @ 0x82C92A03 -> HOOKED (Unknown @ 0x90708958)

SSDT[316] : NtSetContextThread @ 0x82D31F2F -> HOOKED (Unknown @ 0x90708953)

SSDT[347] : NtSetSecurityObject @ 0x82C566EA -> HOOKED (Unknown @ 0x9070895D)

SSDT[368] : NtSystemDebugControl @ 0x82CDA63C -> HOOKED (Unknown @ 0x90708962)

SSDT[370] : NtTerminateProcess @ 0x82CAFB8D -> HOOKED (Unknown @ 0x907088EF)

S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x90708976)

S_SSDT[588] : Unknown -> HOOKED (Unknown @ 0x9070897B)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HITACHI HTS541612J9SA00 ATA Device +++++

--- User ---

[MBR] 083c3b5e2710c71ef97830c99fd713ae

[BSP] 1e7270ec67cfa289ccfbebe654b2b814 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 114470 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

rkill.txt:

Rkill 2.3.15 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2012 BleepingComputer.com

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/16/2012 02:20:27 PM in x86 mode.

Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* pcmcia => system32\DRIVERS\pcmcia.sys [incorrect ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Program finished at: 09/16/2012 02:20:49 PM

Execution time: 0 hours(s), 0 minute(s), and 22 seconds(s)

mbam:

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.16.09

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

admin :: LAPTOP1 [administrator]

9/16/2012 2:28:37 PM

mbam-log-2012-09-16 (14-28-37).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 199142

Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


MBAM quick scan is good. Let's get some other reports for review.

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Close all open windows on the Task Bar. Click the icon (on Vista or Windows 7, right-click the icon and choose Run as Administrator) to start the program.
  • In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

Then copy/paste the following into your post (in order):
  • the contents of OTL.txt;
  • the contents of Extras.txt; and
  • the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit, because the reports may not all fit into a single reply. You may have to use more than one reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

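The OTL report requested above is normally read by eye for a handful of things: service and driver entries whose binary no longer exists, Winlogon Shell/UserInit values with something appended, exefile/comfile shell-open commands that no longer read `"%1" %*` (the ransomware hijack that Rkill resets), extra hosts entries, and browser start/search URLs pointing at a toolbar search hijack. As an added example, not code from this thread, from OTL or from any of the tools mentioned, here is a small Python triage that parses lines in OTL's format and flags exactly those items. The sample input is constructed (a dozen lines copied in shape from the report later in this thread), the Windows 7 default Winlogon values are assumed, and the hijack markers (`conduit`, `ctid=CT`) are an assumption chosen because the report shows search.conduit.com with a `ctid=` parameter; extend them for your own cases.

```python
"""Triage a handful of OTL report lines the way a removal helper reads them.

Added example for this thread; not OTL's own code and not from the posts.
It looks for the items a reviewer checks first:
  * SRV/DRV entries whose binary is missing ("File not found"): orphaned
    service registrations, ranked higher when they are Boot-start;
  * O20 Winlogon Shell/UserInit values that differ from the Windows 7 defaults;
  * O35/O37 shell-open commands for exefile/comfile that are not "%1" %*;
  * O1 hosts entries other than the localhost line;
  * IE/FF/CHR homepage or search URLs carrying a known toolbar-hijack marker.
"""
import re
from typing import Dict, List

Finding = Dict[str, str]

# Constructed sample: lines in the shape of an OTL report (not a real scan).
SAMPLE_OTL = r'''
SRV - [2012/05/08 10:58:17 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\naqafc.sys -- (xhdniqq)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\rdvgkmd.sys -- (VGPU)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\vyuqw.sys -- (fcnpve)
DRV - [2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT3072254
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3072254&SearchSource=13"
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q="
O1 - Hosts: 127.0.0.1 localhost
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
'''

# SRV/DRV lines: "<kind> - <File not found | [date|size|attrs|M] (Company)> [flags] -- <path> -- (<name>)"
SVC_RE = re.compile(
    r'^(?P<kind>SRV|DRV) - (?P<meta>File not found|\[[^\]]*\] \([^)]*\)) '
    r'\[(?P<flags>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$'
)
WINLOGON_RE = re.compile(r'^O20 - HKLM Winlogon: (?P<key>\w+) - \((?P<value>[^)]*)\) - ')
SHELL_RE = re.compile(r'^O3[57] - (?P<key>.+?) -- (?P<cmd>.+)$')
HOSTS_RE = re.compile(r'^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)')
BROWSER_RE = re.compile(r'^(?:IE|FF|CHR) - .*https?://')

# Assumed Windows 7 defaults for the two Winlogon values malware most often appends to.
WINLOGON_EXPECTED = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe"}
# Assumption for this example: markers of the Conduit-style search hijack seen in the
# thread ("ctid=CT..." is the toolbar id parameter in those URLs). Extend as needed.
HIJACK_MARKERS = ("conduit", "ctid=ct")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def triage(report: str) -> List[Finding]:
    """Return one finding per suspicious line; an empty list means nothing to chase."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SVC_RE.match(line)):
            # Registered service/driver whose image is gone: an orphan left by a
            # cleanup or uninstall. Boot-start orphans rank higher because, if the
            # file came back, it would load before most defences.
            if m.group("meta") == "File not found":
                flags = [f.strip() for f in m.group("flags").split("|")]
                start = flags[-2] if len(flags) >= 2 else "?"
                findings.append({
                    "check": "orphaned-service",
                    "severity": "high" if start == "Boot" else "medium",
                    "item": m.group("name"),
                    "detail": f"{m.group('kind')} {start}-start entry, binary missing: {m.group('path')}",
                })
        elif (m := WINLOGON_RE.match(line)):
            key, value = m.group("key").lower(), m.group("value").lower().rstrip(",")
            if key in WINLOGON_EXPECTED and value != WINLOGON_EXPECTED[key]:
                findings.append({"check": "winlogon", "severity": "high",
                                 "item": m.group("key"), "detail": m.group("value")})
        elif (m := SHELL_RE.match(line)):
            # Anything other than "%1" %* means every .exe/.com launch goes through a loader.
            if m.group("cmd") != '"%1" %*':
                findings.append({"check": "shell-spawn", "severity": "high",
                                 "item": m.group("key"), "detail": m.group("cmd")})
        elif (m := HOSTS_RE.match(line)):
            if m.group("host").lower() != "localhost":
                findings.append({"check": "hosts", "severity": "medium",
                                 "item": m.group("host"), "detail": m.group("ip")})
        elif BROWSER_RE.match(line) and any(k in line.lower() for k in HIJACK_MARKERS):
            findings.append({"check": "search-hijack", "severity": "low",
                             "item": line.split(" - ", 1)[0], "detail": line})
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per check, for a one-line verdict in a reply."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["check"]] = counts.get(f["check"], 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_OTL)
    for f in sorted(found, key=lambda f: SEVERITY_ORDER[f["severity"]]):
        print(f"[{f['severity']:6}] {f['check']:17} {f['item']}: {f['detail']}")
    print(summarize(found))
```

Run it against a full OTL.txt by passing the file's text to `triage()`. The script ranks, it does not decide: the two Boot-start "File not found" drivers with random names come out first because that is the pattern worth chasing in the registry (the service key survives even though the .sys is gone), while a missing rdvgkmd.sys for VGPU is a Windows RemoteFX component that is commonly absent on Windows 7 and rates only medium here. Forum-truncated URLs (the `...` in the IE line) are caught only when a marker survives the truncation, so re-check those values on the machine itself.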

OTL logfile created on: 9/16/2012 3:18:44 PM - Run 1

OTL by OldTimer - Version 3.2.61.5 Folder = C:\Users\admin\Downloads

Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.97 Gb Total Physical Memory | 1.81 Gb Available Physical Memory | 60.84% Memory free

5.95 Gb Paging File | 4.65 Gb Available in Paging File | 78.10% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 111.79 Gb Total Space | 41.83 Gb Free Space | 37.42% Space Free | Partition Type: NTFS

Computer Name: LAPTOP1 | User Name: admin | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/16 15:12:15 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\admin\Downloads\OTL.exe

PRC - [2012/09/08 18:04:21 | 000,917,984 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2012/09/07 17:04:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2012/09/07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

PRC - [2012/09/07 17:04:44 | 000,766,536 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2012/08/09 15:01:01 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

PRC - [2012/05/08 10:58:17 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe

PRC - [2012/05/08 10:58:17 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe

PRC - [2012/05/08 10:58:17 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

PRC - [2011/06/24 00:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe

PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2010/11/20 17:29:19 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe

PRC - [2010/04/23 01:16:46 | 000,128,296 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

PRC - [2008/07/15 18:09:52 | 000,090,112 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEADISRV.EXE

========== Modules (No Company Name) ==========

MOD - [2012/09/08 18:04:21 | 002,244,064 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll

MOD - [2011/12/22 09:19:55 | 008,527,008 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll

MOD - [2011/05/28 23:04:56 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll

MOD - [2011/03/17 01:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF

MOD - [2010/10/20 16:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll

========== Services (SafeList) ==========

SRV - [2012/09/08 18:04:21 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)

SRV - [2012/09/07 17:04:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2012/09/07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)

SRV - [2012/05/08 10:58:17 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)

SRV - [2012/05/08 10:58:17 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)

SRV - [2011/12/22 05:59:31 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)

SRV - [2011/06/12 12:15:00 | 031,125,880 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)

SRV - [2011/06/06 13:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)

SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)

SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)

SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2008/07/15 18:09:52 | 000,090,112 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEADISRV.EXE -- (AEADIFilters)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\naqafc.sys -- (xhdniqq)

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\rdvgkmd.sys -- (VGPU)

DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\vyuqw.sys -- (fcnpve)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\admin\AppData\Local\Temp\catchme.sys -- (catchme)

DRV - [2012/09/16 14:04:54 | 000,014,080 | ---- | M] () [Kernel | On_Demand | Unknown] -- C:\Windows\System32\drivers\TrueSight.sys -- (TrueSight)

DRV - [2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2012/05/08 10:58:17 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)

DRV - [2012/05/08 10:58:17 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)

DRV - [2011/09/16 00:55:04 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)

DRV - [2011/05/18 09:09:04 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\dc3d.sys -- (dc3d)

DRV - [2010/11/20 17:29:34 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)

DRV - [2010/11/20 17:29:24 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)

DRV - [2010/11/20 17:29:03 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)

DRV - [2010/11/20 17:29:03 | 000,112,640 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tsusbhub.sys -- (tsusbhub)

DRV - [2010/11/20 17:29:03 | 000,077,184 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Synth3dVsc.sys -- (Synth3dVsc)

DRV - [2010/11/20 17:29:03 | 000,062,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\dmvsc.sys -- (dmvsc)

DRV - [2010/11/20 17:29:03 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)

DRV - [2010/11/20 17:29:03 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)

DRV - [2010/11/20 17:29:03 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)

DRV - [2010/11/20 17:29:03 | 000,027,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbGD.sys -- (TsUsbGD)

DRV - [2010/11/20 17:29:03 | 000,025,600 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\terminpt.sys -- (terminpt)

DRV - [2010/11/20 17:29:03 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)

DRV - [2010/11/20 17:29:03 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)

DRV - [2010/06/17 16:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)

DRV - [2009/07/13 20:18:07 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)

DRV - [2009/07/13 19:12:52 | 000,030,720 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)

DRV - [2009/07/13 18:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32)

DRV - [2009/07/13 18:02:50 | 000,211,456 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express)

DRV - [2006/11/27 18:44:52 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)

DRV - [2006/11/14 18:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)

DRV - [2006/04/26 02:03:56 | 000,009,600 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\ISODisk.sys -- (ISODisk)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {e9df9360-97f8-4690-afe6-996c80790da4} - No CLSID value found

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT3072254

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A9 15 A5 06 F1 EF CC 01 [binary data]

IE - HKCU\..\SearchScopes,DefaultScope = {B01C3BAA-F4F6-49A1-9071-1F5FBEA2460A}

IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC

IE - HKCU\..\SearchScopes\{B01C3BAA-F4F6-49A1-9071-1F5FBEA2460A}: "URL" = http://www.google.co...utputEncoding?}

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "uTorrentControl Customized Web Search"

FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=3&q={searchTerms}"

FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3072254&SearchSource=13"

FF - prefs.js..extensions.enabledAddons: {e9df9360-97f8-4690-afe6-996c80790da4}:3.15.1.0

FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q="

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll File not found

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\admin\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\admin\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012/04/21 14:56:10 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/08 18:04:22 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/09/08 18:04:14 | 000,000,000 | ---D | M]

[2011/12/22 09:18:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admin\AppData\Roaming\Mozilla\Extensions

[2012/08/28 12:48:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yv5hcagm.default\extensions

[2012/08/28 12:48:09 | 000,000,000 | ---D | M] (uTorrentControl Community Toolbar) -- C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yv5hcagm.default\extensions\{e9df9360-97f8-4690-afe6-996c80790da4}

[2012/03/07 12:29:20 | 000,000,933 | ---- | M] () -- C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yv5hcagm.default\searchplugins\conduit.xml

[2012/09/08 18:04:12 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2012/09/08 18:04:22 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2012/09/08 18:04:18 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2012/09/08 18:04:18 | 000,002,253 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage: http://search.condui...SearchSource=48

CHR - default_search_provider: Google (Enabled)

CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}

CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}

CHR - homepage: http://search.condui...SearchSource=48

CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer

CHR - plugin: Native Client (Enabled) = C:\Users\admin\AppData\Local\Google\Chrome\Application\21.0.1180.89\ppGoogleNaClPluginChrome.dll

CHR - plugin: Chrome PDF Viewer (Disabled) = C:\Users\admin\AppData\Local\Google\Chrome\Application\21.0.1180.89\pdf.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\Users\admin\AppData\Local\Google\Chrome\Application\21.0.1180.89\gcswf32.dll

CHR - plugin: Shockwave Flash (Disabled) = C:\Users\admin\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll

CHR - plugin: Shockwave Flash (Disabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll

CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll

CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll

CHR - plugin: Java Deployment Toolkit 6.0.310.5 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

CHR - plugin: Java™ Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll

CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL

CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~4\Office14\NPSPWRAP.DLL

CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll

CHR - plugin: DivX Plus Web Player (Enabled) = C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll

CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

CHR - plugin: Google Update (Enabled) = C:\Users\admin\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll

CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll

CHR - Extension: YouTube = C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\

CHR - Extension: Google Search = C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\

CHR - Extension: DivX Plus Web Player HTML5 \u003Cvideo\u003E = C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.2.145_0\

CHR - Extension: Gmail = C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/09/09 17:15:21 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)

O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)

O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} http://support.lenov...AutoDetect2.cab (IASRunner Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{47EC3087-0E6A-4E01-93D5-7839AF07758B}: DhcpNameServer = 10.0.1.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{47EC3087-0E6A-4E01-93D5-7839AF07758B}: NameServer = 208.67.222.222,208.67.220.220

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7FF1253D-B963-41A6-9643-09DDFE635276}: DhcpNameServer = 209.18.47.61 209.18.47.62

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7FF1253D-B963-41A6-9643-09DDFE635276}: NameServer = 208.67.222.222,208.67.220.220

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/16 12:34:13 | 000,000,000 | ---D | C] -- C:\Users\admin\Desktop\RK_Quarantine

[2012/09/16 12:10:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT

[2012/09/16 12:10:35 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT

[2012/09/16 11:41:45 | 000,000,000 | ---D | C] -- C:\Windows\temp

[2012/09/16 11:41:14 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2012/09/16 01:55:43 | 000,000,000 | ---D | C] -- C:\Windows\Sun

[2012/09/09 17:02:57 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2012/09/09 17:02:57 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2012/09/09 17:02:57 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2012/09/09 17:01:20 | 000,000,000 | ---D | C] -- C:\Qoobox

[2012/09/09 16:59:40 | 000,000,000 | ---D | C] -- C:\Windows\erdnt

[2012/09/09 12:37:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy

[2012/09/09 12:37:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy

[2012/09/09 12:37:12 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2012/09/09 12:16:13 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\LockHunter

[2012/09/09 12:15:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LockHunter

[2012/09/09 12:15:14 | 000,000,000 | ---D | C] -- C:\Program Files\LockHunter

[2012/09/09 12:06:57 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker

[2012/09/09 12:06:57 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker

[2012/09/08 18:04:10 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[7939 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/16 15:10:02 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2550561185-2726018632-1417654521-1000UA.job

[2012/09/16 14:19:33 | 000,021,872 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2012/09/16 14:19:33 | 000,021,872 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2012/09/16 14:11:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2012/09/16 14:11:43 | 2395,705,344 | -HS- | M] () -- C:\hiberfil.sys

[2012/09/16 14:04:54 | 000,014,080 | ---- | M] () -- C:\Windows\System32\drivers\TrueSight.sys

[2012/09/16 12:25:59 | 000,000,512 | ---- | M] () -- C:\Users\admin\Desktop\MBR.dat

[2012/09/16 12:10:35 | 000,000,898 | ---- | M] () -- C:\Users\admin\Desktop\NTREGOPT.lnk

[2012/09/16 12:10:35 | 000,000,879 | ---- | M] () -- C:\Users\admin\Desktop\ERUNT.lnk

[2012/09/16 02:25:51 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/09/15 21:10:00 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2550561185-2726018632-1417654521-1000Core.job

[2012/09/09 17:15:21 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2012/09/09 12:37:17 | 000,001,244 | ---- | M] () -- C:\Users\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk

[2012/09/09 12:37:17 | 000,001,220 | ---- | M] () -- C:\Users\admin\Desktop\Spybot - Search & Destroy.lnk

[2012/09/08 10:54:56 | 000,000,903 | ---- | M] () -- C:\Users\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Freedom.lnk

[2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2012/09/04 14:08:34 | 000,002,452 | ---- | M] () -- C:\Users\admin\Desktop\Google Chrome.lnk

[7939 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/16 14:04:54 | 000,014,080 | ---- | C] () -- C:\Windows\System32\drivers\TrueSight.sys

[2012/09/16 12:25:59 | 000,000,512 | ---- | C] () -- C:\Users\admin\Desktop\MBR.dat

[2012/09/16 12:10:35 | 000,000,898 | ---- | C] () -- C:\Users\admin\Desktop\NTREGOPT.lnk

[2012/09/16 12:10:35 | 000,000,879 | ---- | C] () -- C:\Users\admin\Desktop\ERUNT.lnk

[2012/09/16 02:25:51 | 000,001,071 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/09/09 17:02:57 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe

[2012/09/09 17:02:57 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe

[2012/09/09 17:02:57 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2012/09/09 17:02:57 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2012/09/09 17:02:57 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2012/09/09 12:37:17 | 000,001,244 | ---- | C] () -- C:\Users\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk

[2012/09/09 12:37:17 | 000,001,220 | ---- | C] () -- C:\Users\admin\Desktop\Spybot - Search & Destroy.lnk

[2012/09/08 10:54:56 | 000,000,903 | ---- | C] () -- C:\Users\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Freedom.lnk

[2012/07/26 15:25:35 | 000,186,844 | ---- | C] () -- C:\Windows\System32\mlfcache.dat

[2012/05/11 12:30:00 | 000,151,552 | ---- | C] () -- C:\Windows\unswat.exe

[2012/05/11 12:28:35 | 000,000,332 | ---- | C] () -- C:\Windows\SIERRA.INI

[2012/03/19 21:12:54 | 000,000,218 | ---- | C] () -- C:\Users\admin\.recently-used.xbel

[2012/01/11 15:27:10 | 000,004,096 | ---- | C] () -- C:\Windows\d3dx.dat

[2012/01/07 00:05:52 | 000,009,600 | ---- | C] () -- C:\Windows\System32\drivers\ISODisk.sys

[2012/01/05 01:07:30 | 000,094,208 | ---- | C] () -- C:\Windows\System32\zmbv.dll

[2011/12/22 00:18:48 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll

[2010/11/20 17:29:34 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe

[2010/11/20 17:29:26 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe

========== LOP Check ==========

[2012/08/15 16:45:12 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Bad Wolf Software

[2012/03/19 21:12:55 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\BitLord

[2012/04/27 17:13:03 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\DAEMON Tools Pro

[2012/09/09 12:16:14 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\LockHunter

[2012/01/01 18:52:21 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Python-Eggs

[2012/09/08 16:20:55 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\uTorrent

[2009/07/14 00:53:46 | 000,012,902 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

< End of report >

OTL Extras logfile created on: 9/16/2012 3:18:44 PM - Run 1

OTL by OldTimer - Version 3.2.61.5 Folder = C:\Users\admin\Downloads

Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.97 Gb Total Physical Memory | 1.81 Gb Available Physical Memory | 60.84% Memory free

5.95 Gb Paging File | 4.65 Gb Available in Paging File | 78.10% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 111.79 Gb Total Space | 41.83 Gb Free Space | 37.42% Space Free | Partition Type: NTFS

Computer Name: LAPTOP1 | User Name: admin | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]


========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0f571b70-6401-48cd-945d-45e2e8b559f8}" = Image Resizer for Windows

"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1

"{163AAB30-30A0-469E-B4CF-906D26857D7D}" = Image Resizer for Windows

"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java™ 7 Update 5

"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{529125EF-E3AC-4B74-97E6-F688A7C0F1BF}" = Paint.NET v3.5.10

"{69464949-AD9C-4C98-933F-C32FFC86F3C8}" = Doomsday

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update

"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour

"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8C3727F2-8E37-49E4-820C-03B1677F53B6}" = Stronghold Crusader

"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010

"{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010

"{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010

"{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010

"{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010

"{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010

"{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010

"{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010

"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010

"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUS_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010

"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUS_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010

"{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUS_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010

"{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010

"{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010

"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010

"{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010

"{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010

"{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195

"{942E5031-2BD6-4C1B-918C-C8A1CBAE7B8C}" = Microsoft IntelliPoint 8.2

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{97A19679-4C07-4B34-8ACB-D5565C3440FC}" = Stronghold

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)

"{AE7CB755-7C0B-4D11-8E5D-D6B6C1090A7B}" = Victoria

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{B7DBF6E8-0D17-4BE4-853B-ACD6EFBD4A1F}" = iTunes

"{BF731945-7AAD-45E3-A202-A60C9213915C}_is1" = ISODisk 1.1

"{CA5DD6E1-B508-4922-815D-479E3228B17A}" = Europa Universalis 2

"{DB15384B-67E0-4771-9A2D-7E607EEE3EE5}" = Stronghold: LOTR

"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR

"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin

"AnalogX CacheBooster" = AnalogX CacheBooster

"Avira AntiVir Desktop" = Avira Free Antivirus

"CCleaner" = CCleaner

"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588" = ThinkPad Modem

"DivX Setup" = DivX Setup

"ERUNT_is1" = ERUNT 1.1j

"HDMI" = Intel® Graphics Media Accelerator Driver

"Hearts of Iron 2 Doomsday_is1" = Hearts of Iron 2 Doomsday Armageddon

"LockHunter_is1" = LockHunter 2.0 beta 2, 32 bit

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.0.1400

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Microsoft IntelliPoint 8.2" = Microsoft IntelliPoint 8.2

"Mozilla Firefox 15.0.1 (x86 en-US)" = Mozilla Firefox 15.0.1 (x86 en-US)

"MozillaMaintenanceService" = Mozilla Maintenance Service

"Office14.PROPLUS" = Microsoft Office Professional Plus 2010

"Power Management Driver" = ThinkPad Power Management Driver

"Q10" = Q10 Editor

"Swat2" = Police Quest: SWAT2

"SynTPDeinstKey" = ThinkPad UltraNav Driver

"TVWiz" = Intel® TV Wizard

"Unlocker" = Unlocker 1.9.1

"Victoria Revolutions_is1" = Victoria Revolutions 1.0

"VLC media player" = VLC media player 1.1.11

"WinRAR archiver" = WinRAR 4.01 (32-bit)

"XCOM-Total Pack" = XCOM-Total Pack

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]

Error - 9/16/2012 2:13:17 AM | Computer Name = Laptop1 | Source = WinMgmt | ID = 10

Description =

Error - 9/16/2012 2:16:02 AM | Computer Name = Laptop1 | Source = VSS | ID = 18

Description =

Error - 9/16/2012 2:16:02 AM | Computer Name = Laptop1 | Source = VSS | ID = 8193

Description =

Error - 9/16/2012 2:16:02 AM | Computer Name = Laptop1 | Source = System Restore | ID = 8193

Description =

Error - 9/16/2012 3:08:03 AM | Computer Name = Laptop1 | Source = VSS | ID = 18

Description =

Error - 9/16/2012 3:08:04 AM | Computer Name = Laptop1 | Source = VSS | ID = 8193

Description =

Error - 9/16/2012 3:08:05 AM | Computer Name = Laptop1 | Source = System Restore | ID = 8193

Description =

Error - 9/16/2012 11:06:21 AM | Computer Name = Laptop1 | Source = WinMgmt | ID = 10

Description =

Error - 9/16/2012 1:11:56 PM | Computer Name = Laptop1 | Source = WinMgmt | ID = 10

Description =

Error - 9/16/2012 2:13:34 PM | Computer Name = Laptop1 | Source = WinMgmt | ID = 10

Description =

[ System Events ]

Error - 9/16/2012 5:59:20 AM | Computer Name = Laptop1 | Source = DCOM | ID = 10005

Description =

Error - 9/16/2012 11:05:03 AM | Computer Name = Laptop1 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

fcnpve xhdniqq

Error - 9/16/2012 11:06:02 AM | Computer Name = Laptop1 | Source = DCOM | ID = 10016

Description =

Error - 9/16/2012 11:31:34 AM | Computer Name = Laptop1 | Source = Service Control Manager | ID = 7030

Description = The PEVSystemStart service is marked as an interactive service. However,

the system is configured to not allow interactive services. This service may not

function properly.

Error - 9/16/2012 11:36:16 AM | Computer Name = Laptop1 | Source = Service Control Manager | ID = 7030

Description = The PEVSystemStart service is marked as an interactive service. However,

the system is configured to not allow interactive services. This service may not

function properly.

Error - 9/16/2012 11:39:43 AM | Computer Name = Laptop1 | Source = Service Control Manager | ID = 7030

Description = The PEVSystemStart service is marked as an interactive service. However,

the system is configured to not allow interactive services. This service may not

function properly.

Error - 9/16/2012 1:10:36 PM | Computer Name = Laptop1 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

fcnpve xhdniqq

Error - 9/16/2012 1:11:32 PM | Computer Name = Laptop1 | Source = DCOM | ID = 10016

Description =

Error - 9/16/2012 2:12:26 PM | Computer Name = Laptop1 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

fcnpve xhdniqq

Error - 9/16/2012 2:13:02 PM | Computer Name = Laptop1 | Source = DCOM | ID = 10016

Description =

< End of report >

Results of screen317's Security Check version 0.99.50

Windows 7 Service Pack 1 x86 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Avira Desktop

Antivirus out of date!

`````````Anti-malware/Other Utilities Check:`````````

Spybot - Search & Destroy

Malwarebytes Anti-Malware version 1.65.0.1400

CCleaner

JavaFX 2.1.1

Java™ 7 Update 5

Java version out of Date!

Adobe Flash Player 11.1.102.55

Adobe Reader X 10.1.1 Adobe Reader out of Date!

Mozilla Firefox (15.0.1)

Google Chrome 21.0.1180.83

Google Chrome 21.0.1180.89

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````


Reminder: Do NOT do any websurfing, browsing, online games, online banking, online transactions of any kind.

Only go to this forum and the websites I guide you to for tools.

1

Disable CD-ROM Emulation Software:

Please download the following tool DeFogger to your desktop.

Double click DeFogger to run the tool.

The application window will appear

Click the Disable button to disable your CD Emulation drivers.

Click Yes to continue

A 'Finished!' message will appear

Click OK

DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

2

Turn off your antivirus so that it does not interfere.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

  • Please double-click OTL.exe to run it. (Note: If you are running on Windows 7 or Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :otl
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT3072254
    FF - prefs.js..browser.search.defaultthis.engineName: "uTorrentControl Customized Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=3&q={searchTerms}"
    FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3072254&SearchSource=13"
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q="
    CHR - homepage: http://search.condui...SearchSource=48
    :files
    C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yv5hcagm.default\extensions\{e9df9360-97f8-4690-afe6-996c80790da4}
    C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yv5hcagm.default\searchplugins\conduit.xml
    C:\Users\admin\AppData\Roaming\uTorrent
    recycler /alldrives
    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [emptyjava]
    [Reboot]
    *****************************************************************
  • Return to OTL. Right-click in the window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered Run Fix button.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in a new reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

3

Re-check and make sure your antivirus app is OFF.

Download and Save McAfee Stinger to your Desktop

http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

Close all browsers before starting. Disable your antivirus program and anti-malware, if any.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

On Windows 7 & Vista systems, right-click the Stinger icon and select Run as Administrator.

On XP, double-click to start it.

The GUI will look like this:

(screenshot omitted: stinger2.png)

The C drive is the default for scanning.

Press the Preferences button. In the top right block "On virus detection", click Rename.

In the bottom block "Heuristic network check for suspicious files", select High.

Click the Scan Now button.

When done, use the File menu and select Save report to file

Stinger.txt is the log report and will be saved to your Desktop. I will need a copy of that log in a new reply.

RE-Enable your anti-virus program.

Stinger is a standalone utility used to detect and remove specific malware. It is not a full scan for all types of malware or viruses.

It is not intended as virus protection.

4

Download, save, and then run the MS Safety Scanner:

http://www.microsoft.com/security/scanner/en-us/default.aspx

Let me know the result.

5

Download Dr.Web CureIt to the desktop.

  • Turn OFF your antivirus program.
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Double-click the drweb-cureit.exe file, then click Start and allow the express scan to run.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
    (icon omitted: check.gif)
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    (image omitted: move.gif)
  • This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Re-Enable your antivirus program when all done.

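The OTL script above resets Firefox search and homepage prefs that a Conduit toolbar had pointed at search.conduit.com. As an added example that is not part of the thread or of OTL, this Python script parses a prefs.js and flags those same keys when their URL host is off an analyst-supplied allowlist; the allowlist, the accepted engine names and the sample prefs.js content are constructed assumptions (the sample reuses the values shown in the log).

```python
"""Audit a Firefox prefs.js for search/homepage hijack settings.

Added example, not code from the forum thread or from OTL. It reports the
prefs the thread's OTL fix rewrote (browser.search.defaultthis.engineName,
browser.search.defaulturl, browser.startup.homepage, keyword.URL) and flags
any whose host is not on the allowlist the analyst passes in.
"""
import json
import re
from urllib.parse import urlparse

# user_pref("key", value);  -- value is a JS string, number or bool
PREF_LINE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# Keys the OTL script in the thread rewrote; the hijack lived in these.
WATCHED_KEYS = (
    "browser.search.defaultthis.engineName",
    "browser.search.defaulturl",
    "browser.startup.homepage",
    "keyword.URL",
)


def parse_prefs(text):
    """Return {key: value} for every user_pref() line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"'):
            try:
                value = json.loads(raw)  # JS string literal; JSON-compatible escapes
            except ValueError:
                value = raw.strip('"')
        else:
            value = raw  # numbers/bools are left as text; not needed here
        prefs[key] = value
    return prefs


def host_of(value):
    """Lower-cased host of a URL-valued pref, or None if it is not a URL."""
    if "://" not in value:
        return None
    return (urlparse(value).hostname or "").lower()


def audit_prefs(text, allowed_hosts, allowed_engines):
    """Return findings as (key, value, host) for watched keys that point at a
    host outside allowed_hosts, or name an engine outside allowed_engines.
    Engine-name findings carry host None."""
    findings = []
    prefs = parse_prefs(text)
    for key in WATCHED_KEYS:
        if key not in prefs:
            continue
        value = prefs[key]
        host = host_of(value)
        if host is None:
            if value not in allowed_engines:
                findings.append((key, value, None))
            continue
        if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
            findings.append((key, value, host))
    return findings


# Constructed sample modelled on the entries in the thread's OTL log.
SAMPLE_PREFS = '''
user_pref("browser.search.defaultthis.engineName", "uTorrentControl Customized Web Search");
user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=3&q={searchTerms}");
user_pref("browser.startup.homepage", "http://search.conduit.com/?ctid=CT3072254&SearchSource=13");
user_pref("keyword.URL", "http://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=");
user_pref("browser.cache.disk.capacity", 358400);
user_pref("extensions.lastAppVersion", "15.0.1");
'''
# Constructed clean profile for comparison.
CLEAN_PREFS = '''
user_pref("browser.startup.homepage", "https://www.mozilla.org/");
user_pref("browser.cache.disk.capacity", 358400);
'''
ALLOWED_HOSTS = ("mozilla.org", "google.com")  # assumption: hosts the analyst expects
ALLOWED_ENGINES = ("Google", "Bing", "Yahoo")  # assumption: engine names the analyst expects

if __name__ == "__main__":
    for key, value, host in audit_prefs(SAMPLE_PREFS, ALLOWED_HOSTS, ALLOWED_ENGINES):
        print(f"{key}: {host or value}")
```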

All processes killed

========== OTL ==========

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!

Prefs.js: "uTorrentControl Customized Web Search" removed from browser.search.defaultthis.engineName

Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=3&q={searchTerms}" removed from browser.search.defaulturl

Prefs.js: "http://search.conduit.com/?ctid=CT3072254&SearchSource=13" removed from browser.startup.homepage

Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=" removed from keyword.URL

Use Chrome's Settings page to change the HomePage.

========== FILES ==========

C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yv5hcagm.default\extensions\{e9df9360-97f8-4690-afe6-996c80790da4}\searchplugin folder moved successfully.

C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yv5hcagm.default\extensions\{e9df9360-97f8-4690-afe6-996c80790da4}\Plugins folder moved successfully.

C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yv5hcagm.default\extensions\{e9df9360-97f8-4690-afe6-996c80790da4}\modules folder moved successfully.

C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yv5hcagm.default\extensions\{e9df9360-97f8-4690-afe6-996c80790da4}\META-INF folder moved successfully.

C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yv5hcagm.default\extensions\{e9df9360-97f8-4690-afe6-996c80790da4}\defaults folder moved successfully.

C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yv5hcagm.default\extensions\{e9df9360-97f8-4690-afe6-996c80790da4}\components folder moved successfully.

C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yv5hcagm.default\extensions\{e9df9360-97f8-4690-afe6-996c80790da4}\chrome folder moved successfully.

C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yv5hcagm.default\extensions\{e9df9360-97f8-4690-afe6-996c80790da4} folder moved successfully.

C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yv5hcagm.default\searchplugins\conduit.xml moved successfully.

C:\Users\admin\AppData\Roaming\uTorrent\dlimagecache folder moved successfully.

C:\Users\admin\AppData\Roaming\uTorrent\Cache folder moved successfully.

C:\Users\admin\AppData\Roaming\uTorrent\apps folder moved successfully.

C:\Users\admin\AppData\Roaming\uTorrent folder moved successfully.

recycler not found in C:\

========== COMMANDS ==========

[EMPTYTEMP]

User: admin

->Temp folder emptied: 69359092 bytes

->Temporary Internet Files folder emptied: 65873396 bytes

->Java cache emptied: 76914568 bytes

->FireFox cache emptied: 315718026 bytes

->Google Chrome cache emptied: 9713088 bytes

->Flash cache emptied: 28749 bytes

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 56475 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Public

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 5445 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 513.00 mb

Restore point Set: OTL Restore Point

[EMPTYFLASH]

User: admin

->Flash cache emptied: 0 bytes

User: All Users

User: Default

->Flash cache emptied: 0 bytes

User: Default User

->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

[EMPTYJAVA]

User: admin

->Java cache emptied: 0 bytes

User: All Users

User: Default

User: Default User

User: Public

Total Java Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.61.5 log created on 09162012_195536

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

McAfee® Labs Stinger Version 10.2.0.785 built on Sep 14 2012

Copyright © 2012 McAfee, Inc. All Rights Reserved.

Virus data file v1000.0000 created on Sep 14 2012.

Ready to scan for 4933 viruses, trojans and variants.

Scan initiated on Mon Sep 17 01:05:04 2012

Rootkit scan result : Clean

Master Boot Record(s):....1

Possibly Infected:.............0

Boot Sector(s):.................1

Possibly Infected: ............0

Number of clean files: 17904

MS safety scanner said it was clean.

I messed up and didn't save the CureIt file; it found a lot of stuff (3 of them). I have the quarantine files and the cureit.log.


If you have the log from DrWeb Cure-It then copy and paste it into a new reply.

Follow-up with an online scan at ESET. It may perhaps take a couple of hours or so.

You will want to print out or copy these instructions to Notepad for offline reference!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start >> Internet Explorer >> Right-Click and select Run As Administrator.

Using Internet Explorer browser only, go to ESET Online Scanner website:

http://www.eset.com/onlinescan/

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files (x86)\Eset\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://go.eset.com/us/online-scanner/faq

    • Temporarily disable any resident (active) antivirus program before running any online scan with any online scanner, and promptly re-enable it when finished.
    • If you use Firefox, you have to install the IE Tab add-on. This is to enable ActiveX support.
    • Do not use the system while the scan is running. Once the full scan is underway, go take a long break.

Re-enable the antivirus program.

Reply with copy of the Eset scan log and tell me, How is the system now ?

There is also some follow-up needed by you: your Avira antivirus is out of date for definitions.

Start Avira.

Then from the menu (or by pressing the F9 function key) select Update >> Start Update.

Ensure the definitions are the latest.


I couldn't figure out the Dr.Web log; there are 3 files in the quarantine now. The only log I have is basically a list of every file I have on my computer (CureIt.log).

The ESET log found one file. I exported the found threats file:

C:\Users\admin\Downloads\Unlocker1.9.1.exe a variant of Win32/Toolbar.Babylon application cleaned by deleting - quarantined

the log.txt you directed me to only says

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

The eset window is still open and I haven't told it to delete quarantined files or uninstall.

Thank you again.


Please only reply on the forum. You should not be using this pc to browse the internet until after we have cured this case.

To Reset Firefox to its default state:

Start Firefox

in the address bar, type in

about:support

Click on the Reset Firefox button at top right of screen.

Also see http://support.mozilla.org/en-US/kb/reset-preferences-fix-problems?s=reset+search+options&r=2&as=s

2

Your Java runtime is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Accept the EULA & Download the latest version of >> Windows Offline << from here
    or >> from here <<
    and save it to your desktop.
  • Get the Offline version that corresponds to your "bit-tedness" of your Windows (32-bit or 64-bit)
    How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system
  • Close any programs you may have running - especially your web browser(s).
  • Go to Start > Settings > Control Panel, select Programs and Features and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u7-windows-i586.exe to install the newest version.
    ( jre-7u7-windows-x64.exe if this is a 64-bit Windows o.s.)

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache. Leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files window.
      Note: This deletes ALL the downloaded applications and applets from the cache.
    • Click OK to leave the Temporary Files window.

Small tweaks for Java runtime, since most all users do not need to load Java at each Windows startup:

Click Advanced Tab. Expand the Miscellaneous item.

UN-check the line Java quick starter

Press Apply then OK. Close the applet when done.

3

Older versions of Adobe Reader pose a potential security risk.

De-install your Adobe Reader: Use Control Panel's Program and Features, Un-install Adobe Reader.

Get latest Adobe Reader version

http://get.adobe.com/reader/

Be sure to un-check the box for Free McAfee Security Scan or any "toolbar" (if offered )

4

I suggest you get and run the Microsoft Windows Defender Offline. This is an "offline" tool that you boot the pc with and scan your system for malware.

To get started, find a blank CD, DVD, or USB flash drive with at least 250 MB of free space and then download and run the tool—the tool will help you create the removable media.

The basic sequence of steps are

a) Download and SAVE the tool to a unique folder/location on your pc

b) Create the CD/DVD/USB-flash drive with tool

c) Set pc to boot from the offline media

d) Place media in & restart system

e) Run the tool. Have infinite patience & have it scan the entire system. Remove any malware that is found.

Download & info link http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

The frequently asked questions for this tool

http://windows.microsoft.com/en-US/windows/windows-defender-offline-faq

5

Download >> Farbar's Service Scanner utility << and Save to your Desktop.

If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.

If using XP, double-click to start.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Copy & Paste contents of FSS.txt into your reply.

Now, then, How is the system now ?


The moneypak FBI window appeared again this morning. It definitely seems to be using adobe/java vulnerabilities to dl.

Unfortunately I need this computer for work, so leaving it idle while we fix it is not an option.

It seems that all of our work hasn't done much. Sorry if that's because of my errors.


See Grinler's article at Bleepingcomputer

http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware

See the section titled Automated Removal Instructions

Follow his instructions to get into Safe Mode with Networking

and do the rest of the steps listed after that (including the tool from Emsisoft).

Report back with the results.

And I still would suggest you do the steps I outlined earlier today.


We can set aside the Secunia scan. You are saying the Emsisoft scan found nothing ?

and I need to know, Have you done the 5 things I outlined on the 18th ? Please let me know.

and do this:

Turn off your antivirus.

Save and close any work documents, close any apps that you started.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When done, Copy and Paste the MBAM scan log.

Turn on your antivirus program.


Yes, Emsisoft found nothing. I attempted to do those 5 steps, but when I try to uninstall old versions of Java/Adobe I get an error message:

The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

I didn't know if I should proceed through the 5 steps, given that I couldn't get through 2 and 3.

I have run several updated mbytes scans and they turn up nothing. I will run another now, but I'm not optimistic.


I couldn't do step 3 either, for the same reason I couldn't do 2.

As for 4, I'll have to buy some blank cds I guess.

Here is the FSS log from step 5:

Farbar Service Scanner Version: 06-08-2012

Ran by admin (administrator) on 19-09-2012 at 13:19:27

Running from "C:\Users\admin\Downloads"

Microsoft Windows 7 Ultimate Service Pack 1 (X86)

Boot Mode: Network

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

SDRSVC Service is not running. Checking service configuration:

The start type of SDRSVC service is OK.

The ImagePath of SDRSVC service is OK.

The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:

The start type of VSS service is OK.

The ImagePath of VSS service is OK.

System Restore Disabled Policy:

========================

Action Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:

The start type of BITS service is set to Demand. The default start type is Auto.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:

The start type of EventSystem service is OK.

The ImagePath of EventSystem service is OK.

The ServiceDll of EventSystem service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

Other Services:

==============

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcore.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Here is the mbam log, it found two items:

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.19.09

Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

admin :: LAPTOP1 [administrator]

9/19/2012 12:01:25 PM

mbam-log-2012-09-19 (12-01-25).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 318746

Time elapsed: 36 minute(s), 22 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|GoogleChrome (Backdoor.Agent) -> Data: C:\Users\admin\AppData\Local\Temp\appipu.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Users\admin\AppData\Local\Temp\appipu.exe (Backdoor.Agent) -> Quarantined and deleted successfully.

(end)

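The Run-key entry in the MBAM log above (a value named GoogleChrome that really launched appipu.exe out of the user's Temp folder) is the classic persistence pattern for this family: the value name is the attacker's choice, the target path is what gives it away. As an added example, not part of the original thread, the following PowerShell triage lists every Run/RunOnce entry and flags those whose target lives in a user-writable directory or no longer exists on disk. The directory list and the command-line parsing are this example's own assumptions; run it from an elevated prompt so the HKLM keys are readable as well.

```powershell
# Added example, not from the original thread: enumerate the Run/RunOnce autostart
# keys and flag entries whose target sits in a user-writable location. The MBAM log
# above shows the pattern this is meant to catch: a value named "GoogleChrome" under
# HKCU\...\Run that actually launched C:\Users\admin\AppData\Local\Temp\appipu.exe.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Locations a standard user can write to (this example's own list). Legitimate
# software rarely autostarts from here; droppers usually do, because nothing else
# is writable without elevation.
$userWritable = @('\AppData\Local\', '\AppData\Roaming\', '\ProgramData\',
                  '\Users\Public\', '\Windows\Temp\')

# Registry metadata properties that Get-ItemProperty adds to every result.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunTarget([string]$command) {
    # Pull the executable out of a Run value such as
    #   "C:\Program Files\App\app.exe" /tray    or    C:\Users\x\AppData\Local\Temp\a.exe
    # Limitation: for rundll32/regsvr32/wscript loaders this returns the host binary,
    # not the payload it loads; inspect those command lines by hand.
    $c = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
        return $c.Trim('"')
    }
    $m = [regex]::Match($c, '^(.+?\.(exe|com|bat|cmd|vbs|js|scr|pif))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $c.Split(' ')[0]
}

function Test-SuspiciousTarget([string]$target) {
    foreach ($dir in $userWritable) {
        if ($target -like "*$dir*") { return $true }
    }
    # A target that no longer exists is either an orphan or a file hidden from the
    # file system by a rootkit; either way it deserves a look.
    return -not (Test-Path -LiteralPath $target)
}

function Get-RunKeyFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $target = Get-RunTarget ([string]$p.Value)
            New-Object PSObject -Property @{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                Target     = $target
                Suspicious = (Test-SuspiciousTarget $target)
            }
        }
    }
}

# The target from the MBAM log above is caught by the \AppData\Local\ rule,
# whatever name the value was given:
Test-SuspiciousTarget 'C:\Users\admin\AppData\Local\Temp\appipu.exe'

# Live triage of this machine; drop the Where-Object to see every autostart entry.
Get-RunKeyFindings | Where-Object { $_.Suspicious } |
    Select-Object Name, Target, Key | Format-Table -AutoSize
```

The check is deliberately path-based rather than name-based: a scanner signature catches appipu.exe today, but the next build will have a new name and hash while still needing a writable directory and an autostart hook. Entries that point at rundll32.exe or wscript.exe are reported by host binary only, so read their full Command field yourself.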

Proceed with the following.

Download TFC by OldTimer and SAVE it to your desktop

  • Double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Step 2

Windows services

This will be a batch-fix .

  • Press the Windows-key on keyboard.
  • In the Search box, type notepad and press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into NOTEPAD.
    @Echo off
    rem Stop the update services so they come back under the new configuration
    sc stop wuauserv
    sc stop bits
    rem Reset the start types of the core services FSS checks
    rem (sc requires the space after "start=")
    sc config dcomlaunch start= auto
    sc config nsi start= auto
    sc config dhcp start= auto
    sc config rpcss start= auto
    sc config winmgmt start= auto
    sc config wscsvc start= delayed-auto
    sc config bits start= delayed-auto
    sc config wuauserv start= delayed-auto
    sc config sdrsvc start= manual
    rem VSS is set to auto here (the Windows default is manual)
    sc config vss start= auto
    sc config eventlog start= auto
    sc config bfe start= auto
    sc config eventsystem start= auto
    rem Start the services that should be running now
    sc start sdrsvc
    sc start vss
    sc start rpcss
    sc start eventsystem
    sc start bfe
    sc start bits
    sc start wuauserv
    rem Reboot in one second, then delete this batch file
    shutdown -r -t 1
    del %0


  • Select File -> Save AS.
  • Press the Desktop button on the left side of the save dialog.
  • In the File name box, type in Fix.bat.
  • Press Save.
  • Close Notepad.
  • Right click Fix.bat on your desktop, and choose Run as administrator.
  • Press Yes if prompted by User Account Control.

This procedure will do its tasks and then it will Restart Windows.

Step 3

Check for missing or disabled Windows services, by doing the following, and post detailed results when done !!

From the Start button (or Win-key + R), in the search box type in MSCONFIG and press OK or Enter.

On Vista or Windows 7, press the Windows-key on the keyboard, and type in MSCONFIG.

You should see the General tab. Click the General tab. It should have Normal startup selected (in the radio-box=selection)

IF it does not, then you click on Normal startup.

Click on the Services tab to get its display of services.

Keep a written list of any changes from my list of services below. That way you and I have a reference document.

Look at the bottom line Hide all Microsoft services

IF and only IF it is checkmarked, then un-check it.

The list of services may be shown in non-alphabetical order, so ....

Look at the heading titled "Service". Click on it as needed so the list is sorted and top of list starts with the "A" services.

You can toggle as needed to get the desired order.

IF any of below services are NOT shown, don't panic & do not stop, just write down the info for me and proceed with the others !

Then using the scroll-bar scroll down the list

Look for Background Intelligent Transfer Service. Is it shown? Is it checked? If not, click on that checkbox to checkmark.

Look for Base Filtering Agent. Is it shown? Is it checked? If not, click on that checkbox to checkmark.

Look for COM+ Event System. Is it shown? Is it checked? If not, click on that checkbox to checkmark.

Look for COM+ System Application. Is it shown? Is it checked? If not, click on that checkbox to checkmark.

Look for Cryptographic Services. Is it shown? Is it checked? If not, click on that checkbox to checkmark.

Look for Ipsec Policy Agent. Is it shown? Is it checked? If not, click on that checkbox to checkmark.

Look for Remote Procedure Call (RPC) Locator. Is it shown ? Is it checked? If not, click on that checkbox to checkmark.

Look for RPC Endpoint Mapper. Is it shown ? Is it checked? If not, click on that checkbox to checkmark.

Look for Windows Firewall. Is it shown ? Is it checked? If not, click on that checkbox to checkmark.

Look for Windows Installer. Is it shown ? Is it checked? If not, click on that checkbox to checkmark.

Look for Windows Management Instrumentation. Is it shown ? Is it checked? If not, click on that checkbox to checkmark.

Look for Windows Update. Is it shown ? Is it checked? If not, click on that checkbox to checkmark.

When done, press the Apply button, and the OK button.

You're likely to be prompted to Restart Windows, do so.

If not prompted, you do a Logoff and Restart of Windows.

Then report back here with details.

If any of the services are not shown, just let me know which.


Not sure if the batch fix worked; it brought up a cmd window that closed almost immediately and restarted. One line I did notice was "access is denied," but maybe it's supposed to say that?

All the services you mentioned are shown and checked. The only discrepancy is I have Base Filtering Engine rather than Agent.


The batch fix does execute very fast.

Let's have you run FSS one more time, then post the new report.

If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.

If using XP, double-click to start.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Copy & Paste contents of FSS.txt into your reply.

And advise me, is the "ransomware" popup /issue gone ?


Here is the scan.

Farbar Service Scanner Version: 06-08-2012

Ran by admin (administrator) on 19-09-2012 at 15:04:00

Running from "C:\Users\admin\Downloads"

Microsoft Windows 7 Ultimate Service Pack 1 (X86)

Boot Mode: Network

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

SDRSVC Service is not running. Checking service configuration:

The start type of SDRSVC service is OK.

The ImagePath of SDRSVC service is OK.

The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:

The start type of VSS service is set to Auto. The default start type is 3.

The ImagePath of VSS service is OK.

System Restore Disabled Policy:

========================

Action Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:

The start type of BITS service is OK.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:

The start type of EventSystem service is OK.

The ImagePath of EventSystem service is OK.

The ServiceDll of EventSystem service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

Other Services:

==============

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcore.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

I've been in safe mode w/ networking to prevent the ransomware from coming up. Like I said, I was getting a lot of random error-messages from java in firefox, and I think since the only files I can't uninstall are the ones you mentioned, that they are still compromised and will re-download the ransomware in unsafe mode.

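Both FSS runs above report the same handful of services, and the second run flags VSS because the batch fix set it to Auto where Windows 7 defaults it to Manual (FSS's "default start type is 3" is SERVICE_DEMAND_START, i.e. Manual). As an added example that is not part of the original thread, this PowerShell check compares those services, plus the Windows Installer service the poster could not reach, against the Windows 7 SP1 defaults and reports anything missing, not running when it should be, set to a non-default start type, or running from a binary outside the Windows directory. The expected-value table is this example's own assumption of the Win7 defaults; run it elevated, once after the batch fix and again after the reboot.

```powershell
# Added example, not from the original thread: audit the services that Farbar
# Service Scanner reports (plus Windows Installer, which the poster could not
# reach) against the Windows 7 SP1 default start types. The table below is this
# example's assumption of those defaults; adjust it for other Windows versions.
# Run from an elevated PowerShell prompt.

$expected = @{
    'RpcSs'       = 'Auto'     # Remote Procedure Call (RPC)
    'DcomLaunch'  = 'Auto'     # DCOM Server Process Launcher
    'EventSystem' = 'Auto'     # COM+ Event System
    'EventLog'    = 'Auto'     # Windows Event Log
    'Winmgmt'     = 'Auto'     # Windows Management Instrumentation
    'CryptSvc'    = 'Auto'     # Cryptographic Services
    'BFE'         = 'Auto'     # Base Filtering Engine
    'MpsSvc'      = 'Auto'     # Windows Firewall
    'wscsvc'      = 'Auto'     # Security Center (delayed start)
    'wuauserv'    = 'Auto'     # Windows Update (delayed start)
    'BITS'        = 'Auto'     # Background Intelligent Transfer Service (delayed start)
    'VSS'         = 'Manual'   # Volume Shadow Copy; the batch fix above set it to auto
    'SDRSVC'      = 'Manual'   # Windows Backup
    'msiserver'   = 'Manual'   # Windows Installer ("could not be accessed" error above)
}

function Get-ServiceAudit {
    param([hashtable]$Expected = $expected)
    $root = $env:SystemRoot
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        # Win32_Service exposes StartMode and the real ImagePath; Get-Service does not.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        $findings = @()
        if ($null -eq $svc) {
            $findings += 'service missing (deleted or hidden)'
            $state = 'n/a'; $mode = 'n/a'; $path = 'n/a'
        } else {
            $state = $svc.State; $mode = $svc.StartMode; $path = $svc.PathName
            if ($mode -ne $Expected[$name]) {
                $findings += "start type $mode, default $($Expected[$name])"
            }
            # Manual services being stopped is normal; an Auto service that is not
            # running after boot is what FSS is really pointing at.
            if ($mode -eq 'Auto' -and $state -ne 'Running') {
                $findings += 'auto-start service not running'
            }
            # Every service in the table ships under %SystemRoot%; an ImagePath
            # anywhere else means the service entry has been tampered with.
            if ($path.Trim('"') -notlike "$root\*") {
                $findings += "binary outside $root"
            }
        }
        New-Object PSObject -Property @{
            Name      = $name
            State     = $state
            StartMode = $mode
            Expected  = $Expected[$name]
            Findings  = ($findings -join '; ')
        }
    }
}

# Show only the services that need attention; drop the Where-Object to see all of them.
Get-ServiceAudit | Where-Object { $_.Findings } |
    Select-Object Name, State, StartMode, Expected, Findings | Format-Table -AutoSize
```

On the machine in this thread the output should be empty except for VSS (start type Auto, default Manual) and whatever the Windows Installer service reports; a missing msiserver entry or an ImagePath outside C:\Windows would explain the "Windows Installer Service could not be accessed" error the poster hit when uninstalling Java and Adobe Reader. FSS only verifies the MD5 of the service DLLs, so the ImagePath check here complements it rather than repeating it.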

This topic is now closed to further replies.