
Windows Command Processor (trojan)-Win32/Kryptik.AHES trojan



I haven't closed RogueKiller since the first time I used it, so there are some ticked items in the registry. When I try to close it, it gives me a warning saying that I still have some non-deleted selected items. Should I delete those and restart, or would you like me to just close it and rerun the scan?


RogueKiller V7.6.1 [06/28/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User: Patrick Fong [Admin rights]

Mode: Remove -- Date: 06/28/2012 23:53:11

¤¤¤ Bad processes: 2 ¤¤¤

[sVCHOST] svchost.exe -- C:\Windows\system32\svchost.exe -> KILLED [TermProc]

[sVCHOST] svchost.exe -- C:\Windows\system32\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 9 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : TchAhayq (C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe) -> DELETED

[sUSP PATH] HKLM\[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe,,C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe) -> REPLACED (C:\Windows\system32\userinit.exe,)

[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)

[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

SSDT[64] : NtCreateKey @ 0x829FB140 -> HOOKED (\??\C:\Users\PATRIC~1\AppData\Local\Temp\bnihhwug.sys @ 0x9D0026AC)

SSDT[65] : NtCreateKeyTransacted @ 0x829A0FB2 -> HOOKED (\??\C:\Users\PATRIC~1\AppData\Local\Temp\bnihhwug.sys @ 0x9D002708)

SSDT[189] : NtOpenKey @ 0x82A14696 -> HOOKED (\??\C:\Users\PATRIC~1\AppData\Local\Temp\bnihhwug.sys @ 0x9D002562)

SSDT[190] : NtOpenKeyTransacted @ 0x829A0F57 -> HOOKED (\??\C:\Users\PATRIC~1\AppData\Local\Temp\bnihhwug.sys @ 0x9D002604)

S_SSDT[572] : Unknown -> HOOKED (Unknown @ 0xA901D1FC)

S_SSDT[573] : Unknown -> HOOKED (Unknown @ 0x9FF8838C)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3320820AS ATA Device +++++

--- User ---

[MBR] 517d979d7e41c90176b4180f0e37411e

[bSP] 2552b2d2227b2ea2b3c92a526a1a6f5d : HP tatooed MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 296355 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 606935700 | Size: 8887 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt

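The RogueKiller report above mixes four kinds of lines that matter when reading it as a defender: processes the tool killed, registry autostart entries (Run values and the Winlogon Userinit chain), the UAC EnableLUA flag, and SSDT hooks with the module that installed them. The following Python script is an added example, not part of the original post and not RogueKiller's own code; it parses lines of that shape and applies a few triage heuristics: an autostart or process image under a user-writable profile path, a Userinit value that chain-loads anything besides userinit.exe, EnableLUA set to 0, and a kernel hook whose handler lives in a Temp-dropped driver or in unidentified memory. The sample lines are copied from the reports in this thread (the forum rendering lowercased the first letter inside tags such as [SUSP PATH], which the parser does not rely on); the regular expressions and the severity labels are my own assumptions about the report format, not a RogueKiller specification.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the RogueKiller reports posted in this thread.
SAMPLE_REPORT = r"""
[sVCHOST] svchost.exe -- C:\Windows\system32\svchost.exe -> KILLED [TermProc]
[sUSP PATH] lhfujcbahkhdwheq.exe -- C:\Users\PATRIC~1\AppData\Local\Temp\lhfujcbahkhdwheq.exe -> KILLED [TermProc]
[sUSP PATH] HKCU\[...]\Run : TchAhayq (C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe) -> DELETED
[sUSP PATH] HKUS\S-1-5-21-517934540-472169772-531085458-1001[...]\Run : TchAhayq (C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe) -> FOUND
[sUSP PATH] HKLM\[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe,,C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe) -> REPLACED (C:\Windows\system32\userinit.exe,)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
SSDT[64] : NtCreateKey @ 0x829FB140 -> HOOKED (\??\C:\Users\PATRIC~1\AppData\Local\Temp\bnihhwug.sys @ 0x9D0026AC)
SSDT[189] : NtOpenKey @ 0x82A14696 -> HOOKED (\??\C:\Users\PATRIC~1\AppData\Local\Temp\bnihhwug.sys @ 0x9D002562)
S_SSDT[572] : Unknown -> HOOKED (Unknown @ 0xA901D1FC)
"""

# Line shapes assumed from the samples above, not taken from a RogueKiller specification.
REG_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<hive>HK[\w\\-]+?)\\?\[\.\.\.\]\\(?P<key>\w+)\s*:\s*"
    r"(?P<name>.+?)\s+\((?P<value>.*?)\)\s*->\s*(?P<action>\w+)(?:\s*\((?P<new>.*?)\))?\s*$"
)
SSDT_RE = re.compile(
    r"^(?P<table>S_SSDT|SSDT)\[(?P<index>\d+)\]\s*:\s*(?P<func>\S+)(?:\s+@\s+0x[0-9A-Fa-f]+)?"
    r"\s*->\s*HOOKED\s+\((?P<module>.+?)\s+@\s+(?P<addr>0x[0-9A-Fa-f]+)\)\s*$"
)
PROC_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s+(?P<image>\S+)\s+--\s+(?P<path>.+?)\s*->\s*(?P<action>\w+)")

# Locations a standard user can write to: profile AppData and Temp directories.
USER_WRITABLE = re.compile(r"\\Users\\.*\\(AppData|Temp)\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    reason: str
    line: str


def triage_line(line):
    """Apply the heuristics to one report line; returns a (possibly empty) list of findings."""
    line = line.strip()
    out = []
    m = REG_RE.match(line)
    if m:
        key, name, value = m["key"], m["name"], m["value"]
        if key == "Winlogon" and name == "Userinit":
            # Userinit is a comma-separated list; only userinit.exe itself belongs there.
            extra = [p for p in value.split(",") if p and not p.lower().endswith("\\userinit.exe")]
            if extra:
                out.append(Finding("high", "Userinit chain-loads " + ", ".join(extra), line))
        elif key == "Run" and USER_WRITABLE.search(value):
            out.append(Finding("high", f"Run value '{name}' starts a binary from a user-writable path", line))
        elif name == "EnableLUA" and value == "0":
            out.append(Finding("medium", "UAC had been switched off (EnableLUA=0)", line))
        return out
    m = SSDT_RE.match(line)
    if m:
        func, module = m["func"], m["module"]
        if module == "Unknown":
            out.append(Finding("high", f"{func} hooked by unidentified kernel code at {m['addr']}", line))
        elif re.search(r"\\Temp\\", module, re.IGNORECASE):
            out.append(Finding("high", f"{func} hooked by a driver loaded from a Temp directory: {module}", line))
        else:
            out.append(Finding("info", f"{func} hooked by {module}; confirm it belongs to installed security software", line))
        return out
    m = PROC_RE.match(line)
    if m:
        if USER_WRITABLE.search(m["path"]):
            out.append(Finding("high", f"process {m['image']} was running from a user-writable path", line))
        elif m["action"] == "KILLED":
            out.append(Finding("info", f"{m['image']} terminated; the file is a system binary, so suspect injected code rather than the file", line))
    return out


def triage_report(text):
    """Run triage_line over a whole report and return all findings in report order."""
    findings = []
    for raw in text.splitlines():
        findings.extend(triage_line(raw))
    return findings


if __name__ == "__main__":
    for f in triage_report(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.reason}")
```

Run against the sample it produces seven high findings (the Temp-resident process, both Run values, the Userinit chain-load and the three hooks), one medium (EnableLUA) and one informational (the killed svchost.exe instance); the NewStartPanel line is parsed but yields nothing, which is the intended behaviour for cosmetic shell settings.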

I had you get ERUNT way early on. Locate ERUNT.exe + do a right-click on it + select Run as Administrator.

This is to make a snapshot backup of registry.

Next:

Temp file Cleaner by OldTimer

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Next:

You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member madara only. If you are a casual viewer, do NOT try this on your system!

If you are not madara and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Step 1

If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan, and how much it needs to clean.

If this is on a notebook system, make sure first that the notebook is connected to wall-power (AC power) or a UPS system.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right-click on Combo-Fix.exe on your Desktop [image] and select "Run as Administrator".

  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
    When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.

Note:

Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

Reply with a copy of the C:\Combofix.txt log for review

RE-Enable your antivirus app.


ComboFix 12-06-28.03 - Patrick Fong 29/06/2012 7:09.7.2 - x86

Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.61.1033.18.2047.1259 [GMT 10:00]

Running from: c:\users\Patrick Fong\Desktop\ComboFix.exe

AV: Trend Micro Titanium Maximum Security 2012 *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}

SP: Trend Micro Titanium Maximum Security 2012 *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Patrick Fong\AppData\Local\amfmkrxk.log

c:\users\Patrick Fong\AppData\Local\hsivcopd.log

c:\users\Patrick Fong\AppData\Local\jlypkcri.log

c:\users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe

c:\users\Patrick Fong\AppData\Local\narfqwth.log

c:\users\Patrick Fong\AppData\Local\vtofbvlp.log

c:\users\Patrick Fong\AppData\Local\wqexycde.log

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_MICORSOFT_WINDOWS_SERVICE

.

.

((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-28 )))))))))))))))))))))))))))))))

.

.

2012-06-28 21:17 . 2012-06-28 21:20 -------- d-----w- c:\users\Patrick Fong\AppData\Local\temp

2012-06-28 21:17 . 2012-06-28 21:17 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp

2012-06-28 21:17 . 2012-06-28 21:17 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-06-26 02:09 . 2012-06-28 13:41 0 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-06-25 10:07 . 2012-06-25 10:08 -------- d-----w- c:\program files\ERUNT

2012-06-22 11:55 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-22 11:55 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-22 11:55 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-22 11:55 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-22 11:54 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-22 11:54 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-22 11:54 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-21 03:16 . 2012-06-02 05:19 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-21 03:16 . 2012-06-02 05:12 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-21 00:15 . 2012-06-21 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-06-21 00:15 . 2012-04-04 05:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-20 13:13 . 2012-06-28 21:16 -------- d-----w- c:\users\Patrick Fong\AppData\Local\lvpnwwpd

2012-06-16 05:32 . 2012-06-16 05:32 -------- d-----w- c:\programdata\Tarma Installer

2012-06-16 05:31 . 2012-06-20 14:09 -------- d-----w- c:\program files\1ClickDownload

2012-06-13 11:39 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll

2012-06-13 11:39 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-13 11:39 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-13 11:39 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-13 11:39 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys

2012-06-11 12:45 . 2012-06-11 12:45 -------- d-----w- c:\users\Patrick Fong\AppData\Local\Trend Micro

2012-06-11 12:37 . 2012-06-11 12:08 92432 ----a-w- c:\windows\system32\drivers\tmtdi.sys

2012-06-11 12:25 . 2012-06-11 12:08 68368 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys

2012-06-11 12:25 . 2012-06-11 12:08 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2012-06-11 12:25 . 2012-06-11 12:08 81168 ----a-w- c:\windows\system32\drivers\tmactmon.sys

2012-06-11 12:19 . 2012-06-11 12:19 56 ----a-w- c:\windows\system32\SupportTool.exe.bat

2012-06-11 12:14 . 2012-06-28 21:07 -------- d-----w- c:\programdata\Trend Micro

2012-06-11 12:05 . 2012-06-11 12:17 -------- d-----w- c:\program files\Trend Micro

2012-06-09 05:05 . 2012-06-09 05:05 -------- d--h--w- c:\programdata\Common Files

2012-06-08 13:08 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FB267CAB-EDFB-4DFE-9356-7F650B410C37}\mpengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-03 08:16 . 2012-05-11 11:44 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-04-03 08:16 . 2012-05-11 11:44 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

"TchAhayq"="c:\users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe" [bU]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]

"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]

"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]

"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]

"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-09-11 176128]

"D-Link D-Link DWA-125"="c:\program files\D-Link\DWA-125 revA\AirGCFG.exe" [2010-05-21 1024000]

"WZCSLDR2"="c:\program files\D-Link\DWA-125 revA\WZCSLDR2.exe" [2010-04-20 122880]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-02-06 622592]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-02-27 1304792]

"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-02-27 133424]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]

.

c:\users\Patrick Fong\Desktop\Programs\Startup\

tchahayq.exe [2012-6-20 92216]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Canon LBP5200 Status Window.lnk - c:\windows\System32\spool\drivers\w32x86\3\CNAC3LAK.EXE [2004-9-24 50848]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-11-16 67128]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-16 692224]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-22 65588]

NETGEAR WNA1100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA1100\WNA1100.exe [2012-3-4 4545024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Canon LBP5200 Status Window.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Canon LBP5200 Status Window.lnk

backup=c:\windows\pss\Canon LBP5200 Status Window.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]

2010-03-05 17:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 01:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

.

S3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\DRIVERS\3xHybrid.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.au/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=73&bd=Pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-06-29 07:19

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(10252)

c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\windows\system32\nvvsvc.exe

c:\windows\system32\CNAC3RPK.EXE

c:\program files\Trend Micro\AMSP\coreServiceShell.exe

c:\program files\Intel\IntelDH\CCU\AlertService.exe

c:\program files\Trend Micro\AMSP\coreFrameworkHost.exe

c:\program files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe

c:\program files\Trend Micro\AMSP\AMSP_LogServer.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\users\Patrick Fong\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

c:\program files\D-Link\DWA-125 revA\ANIWZCSdS.exe

c:\program files\D-Link\DWA-125 revA\ANIWConnService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\windows\system32\WUDFHost.exe

c:\windows\system32\conime.exe

c:\windows\ehome\ehsched.exe

c:\windows\ehome\ehRecvr.exe

c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe

c:\program files\Windows Media Player\wmpnetwk.exe

.

**************************************************************************

.

Completion time: 2012-06-29 07:26:55 - machine was rebooted

ComboFix-quarantined-files.txt 2012-06-28 21:26

ComboFix2.txt 2012-06-25 11:06

ComboFix3.txt 2012-06-22 13:12

ComboFix4.txt 2012-06-21 12:52

ComboFix5.txt 2012-06-28 21:08

.

Pre-Run: 80,945,614,848 bytes free

Post-Run: 80,471,130,112 bytes free

.

- - End Of File - - 76374AE8CCCF8BD79D09F1D97723E0E5


This is a persistent bugger. We will squash it, though. Please continue to have patience.

We Need to Run a Batch Script

  1. Press the Windows-key on keyboard.
  2. In the [image] box, type notepad and press Enter.
  3. Highlight the contents of the following codebox, and copy and paste that text into NOTEPAD.
    rem Remove the HKCU Run value that relaunches the dropped executable at every logon
    reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v TchAhayq /f
    rem Paths containing a space must be quoted, otherwise rd and del treat "Fong\..." as a second argument
    rd /s /q "c:\users\Patrick Fong\AppData\Local\lvpnwwpd"
    del /q "c:\users\Patrick Fong\Desktop\Programs\Startup\tchahayq.exe"
    rd /s /q "c:\users\Patrick Fong\Desktop\Programs\Startup"
    rem %~f0 is this batch file's own full path: the script deletes itself as its last step
    del /f /q "%~f0"

  4. Select File -> Save AS.
  5. Press the Desktop button on the left side of the save dialog.
  6. In the [image] box, type in Fix.bat.
  7. Press [image].
  8. Close Notepad.
  9. Right click [image] on your desktop, and choose [image].
  10. Press Yes if prompted by User Account Control.

Step 2

  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Rerun Combofix

Turn off your antivirus, then re-RUN Combofix again.

When done, copy and paste the C:\Combofix.txt

NEXT

Please follow my guidance. Ask if you have questions.

I am going to ask you to read very carefully. I am asking you to download to a unique folder!!

Step 1. Close and save any open documents, and exit programs that you started.

Step 2. Download TDSSKiller.exe and SAVE it to a special folder

http://support.kaspe.../tdsskiller.exe

and be sure to SAVE it in this folder --> C:\Program Files\Malwarebytes' Anti-Malware\Chameleon

Step 3. Install the Chameleon driver by doing the following:

Press the Windows key + R and in the Run box, copy and paste the following command, then press Enter. Copy ALL of the line from beginning to end (from the opening double-quote all the way to the last "o").

"C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" /o

A black DOS prompt will appear with a prompt to press any key to continue, please do.

Step 4

Please read carefully and follow these steps.

  • Double-Click on TDSSKiller.exe to run the application, then on Start Scan.
    If running Vista or Windows 7, do a RIGHT-Click and select Run as Administrator to start TDSSKILLER.exe.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please Copy & Paste that log in reply.

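The batch script in the post above targets exactly the items that stand out in the ComboFix "Reg Loading Points" section of the earlier log: a Run value for which ComboFix printed [BU] in place of the file's date and size, a target binary under the user's AppData\Local, and a raw executable sitting in a Startup folder where normal entries are .lnk shortcuts. The Drivers/Services section of the same log also records a removed service named Legacy_MICORSOFT_WINDOWS_SERVICE, a misspelling of the vendor name. The Python script below is an added example, not ComboFix's code and not the helper's; it parses those ComboFix sections, flags the three signals just listed, and additionally flags service names whose tokens sit within two edits of a well-known vendor name (a lookalike check implemented with a small Levenshtein routine). The sample lines are copied from the log in this thread (the forum rendering lowercased the first letter inside [BU], so the tag is compared case-insensitively); the regular expressions, the brand list and the two-edit threshold are my assumptions, not a ComboFix specification.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"TchAhayq"="c:\users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe" [bU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
c:\users\Patrick Fong\Desktop\Programs\Startup\
tchahayq.exe [2012-6-20 92216]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-16 692224]
"""

# Line shapes assumed from the log above, not from a ComboFix specification.
KEY_RE = re.compile(r"^\[(?P<ctx>HK[^\]]+)\]$")                    # registry key header
FOLDER_RE = re.compile(r"^(?P<ctx>[a-z]:\\.*\\)$", re.IGNORECASE)  # startup-folder header
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<info>[^\]]*)\]$')
ITEM_RE = re.compile(r"^(?P<name>.+?)(?:\s+-\s+(?P<path>.+?))?\s+\[(?P<info>[^\]]*)\]$")
REMOVED_RE = re.compile(r"^-------\\(?P<name>.+)$")                # service/driver ComboFix removed

USER_PROFILE = re.compile(r"\\users\\[^\\]+\\(appdata|desktop|downloads)\\", re.IGNORECASE)
EXEC_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js")
BRANDS = ("MICROSOFT", "WINDOWS")  # assumed list of names worth a lookalike check


@dataclass
class Finding:
    where: str
    name: str
    reason: str


def edit_distance(a, b):
    """Plain Levenshtein distance; the inputs are short so a quadratic DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(token):
    """Return the brand a token imitates (one or two edits away, but not identical), else None."""
    for brand in BRANDS:
        if 0 < edit_distance(token.upper(), brand) <= 2:
            return brand
    return None


def triage_autostarts(text):
    """Walk the log, tracking the current key or folder, and collect findings in log order."""
    findings, ctx = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = REMOVED_RE.match(line)
        if m:
            for token in re.split(r"[^A-Za-z0-9]+", m["name"]):
                brand = lookalike(token) if token else None
                if brand:
                    findings.append(Finding("removed service", m["name"], f"name token '{token}' imitates '{brand}'"))
            continue
        m = KEY_RE.match(line) or FOLDER_RE.match(line)
        if m:
            ctx = m["ctx"]
            continue
        in_folder = ctx is not None and not ctx.startswith("HK")
        m = VALUE_RE.match(line) or (ITEM_RE.match(line) if in_folder else None)
        if not m or ctx is None:
            continue
        name, path, info = m["name"], m["path"] or "", m["info"]
        if info.upper() == "BU":
            findings.append(Finding(ctx, name, "ComboFix printed [BU] instead of a date and size: file could not be read"))
        if USER_PROFILE.search(path):
            findings.append(Finding(ctx, name, f"autostart target lives in a user profile directory: {path}"))
        if in_folder and not path and name.lower().endswith(EXEC_EXT):
            findings.append(Finding(ctx, name, "raw executable in a Startup folder; normal entries are .lnk shortcuts"))
    return findings


if __name__ == "__main__":
    for f in triage_autostarts(SAMPLE_LOG):
        print(f"{f.where}: {f.name} -> {f.reason}")
```

On the sample this yields four findings: the vendor-lookalike service name, two for the TchAhayq Run value ([BU] and the AppData\Local target) and one for the bare tchahayq.exe in the Desktop-based Startup folder; the HP, ehTray and Logitech entries pass, which is the point of the checks being specific rather than flagging every autostart.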

RogueKiller V7.6.1 [06/28/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User: Patrick Fong [Admin rights]

Mode: Scan -- Date: 06/29/2012 21:33:02

¤¤¤ Bad processes: 3 ¤¤¤

[sVCHOST] svchost.exe -- C:\Windows\system32\svchost.exe -> KILLED [TermProc]

[sVCHOST] svchost.exe -- C:\Windows\system32\svchost.exe -> KILLED [TermProc]

[sUSP PATH] lhfujcbahkhdwheq.exe -- C:\Users\PATRIC~1\AppData\Local\Temp\lhfujcbahkhdwheq.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 2 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : TchAhayq (C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-517934540-472169772-531085458-1001[...]\Run : TchAhayq (C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

SSDT[64] : NtCreateKey @ 0x82A37140 -> HOOKED (Unknown @ 0x86F1F06C)

SSDT[67] : NtCreateMutant @ 0x82A68812 -> HOOKED (Unknown @ 0x86E9FB1C)

SSDT[72] : NtCreateProcess @ 0x82AD9DAB -> HOOKED (Unknown @ 0x86E17C2C)

SSDT[73] : NtCreateProcessEx @ 0x82AD9DF6 -> HOOKED (Unknown @ 0x86E17D5C)

SSDT[77] : NtCreateSymbolicLinkObject @ 0x82A0835A -> HOOKED (Unknown @ 0x86EF25EC)

SSDT[78] : NtCreateThread @ 0x82AD9BE0 -> HOOKED (Unknown @ 0x86E0C814)

SSDT[123] : NtDeleteKey @ 0x829FA727 -> HOOKED (Unknown @ 0x86E9F2E4)

SSDT[126] : NtDeleteValueKey @ 0x829F5CC8 -> HOOKED (Unknown @ 0x86F84B8C)

SSDT[129] : NtDuplicateObject @ 0x82A40551 -> HOOKED (Unknown @ 0x86EF25B4)

SSDT[165] : NtLoadDriver @ 0x829B3DEE -> HOOKED (Unknown @ 0x86EF2C24)

SSDT[194] : NtOpenProcess @ 0x82A68FAE -> HOOKED (Unknown @ 0x86D932D4)

SSDT[197] : NtOpenSection @ 0x82A5966D -> HOOKED (Unknown @ 0x86F84B54)

SSDT[201] : NtOpenThread @ 0x82A644FF -> HOOKED (Unknown @ 0x86BC3BE4)

SSDT[267] : NtRenameKey @ 0x82A9C6AC -> HOOKED (Unknown @ 0x86E7B92C)

SSDT[280] : NtRestoreKey @ 0x82A9ADB2 -> HOOKED (Unknown @ 0x86E7B8F4)

SSDT[317] : NtSetSystemInformation @ 0x82A2EEEB -> HOOKED (Unknown @ 0x86E9FAE4)

SSDT[324] : NtSetValueKey @ 0x82A263C2 -> HOOKED (Unknown @ 0x86E9F5E4)

SSDT[334] : NtTerminateProcess @ 0x82A39143 -> HOOKED (Unknown @ 0x86E9FE0C)

SSDT[335] : NtTerminateThread @ 0x82A64534 -> HOOKED (Unknown @ 0x86E10814)

SSDT[358] : NtWriteVirtualMemory @ 0x82A5592D -> HOOKED (Unknown @ 0x86E0C84C)

SSDT[382] : NtCreateThreadEx @ 0x82A63FE9 -> HOOKED (Unknown @ 0x86EF2C5C)

SSDT[383] : NtCreateUserProcess @ 0x82A11C11 -> HOOKED (Unknown @ 0x86EF3154)

S_SSDT[572] : Unknown -> HOOKED (Unknown @ 0x84EFA6BC)

S_SSDT[573] : Unknown -> HOOKED (Unknown @ 0xA35BFEEC)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3320820AS ATA Device +++++

--- User ---

[MBR] 517d979d7e41c90176b4180f0e37411e

[bSP] 2552b2d2227b2ea2b3c92a526a1a6f5d : HP tatooed MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 296355 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 606935700 | Size: 8887 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt



ComboFix 12-06-28.03 - Patrick Fong 29/06/2012 21:38:09.8.2 - x86

Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.61.1033.18.2047.962 [GMT 10:00]

Running from: c:\users\Patrick Fong\Desktop\ComboFix.exe

AV: Trend Micro Titanium Maximum Security 2012 *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}

SP: Trend Micro Titanium Maximum Security 2012 *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Patrick Fong\AppData\Local\amfmkrxk.log

c:\users\Patrick Fong\AppData\Local\hsivcopd.log

c:\users\Patrick Fong\AppData\Local\jlypkcri.log

c:\users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe

c:\users\Patrick Fong\AppData\Local\narfqwth.log

c:\users\Patrick Fong\AppData\Local\vtofbvlp.log

c:\users\Patrick Fong\AppData\Local\wqexycde.log

.

.

((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-29 )))))))))))))))))))))))))))))))

.

.

2012-06-29 11:45 . 2012-06-29 11:47 -------- d-----w- c:\users\Patrick Fong\AppData\Local\temp

2012-06-29 11:45 . 2012-06-29 11:45 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp

2012-06-29 11:45 . 2012-06-29 11:45 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-06-26 02:09 . 2012-06-28 13:41 0 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-06-25 10:07 . 2012-06-25 10:08 -------- d-----w- c:\program files\ERUNT

2012-06-22 11:55 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-22 11:55 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-22 11:55 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-22 11:55 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-22 11:54 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-22 11:54 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-22 11:54 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-21 03:16 . 2012-06-02 05:19 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-21 03:16 . 2012-06-02 05:12 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-21 00:15 . 2012-06-21 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-06-21 00:15 . 2012-04-04 05:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-20 13:13 . 2012-06-29 11:45 -------- d-----w- c:\users\Patrick Fong\AppData\Local\lvpnwwpd

2012-06-16 05:32 . 2012-06-16 05:32 -------- d-----w- c:\programdata\Tarma Installer

2012-06-16 05:31 . 2012-06-20 14:09 -------- d-----w- c:\program files\1ClickDownload

2012-06-13 11:39 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll

2012-06-13 11:39 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-13 11:39 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-13 11:39 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-13 11:39 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys

2012-06-11 12:45 . 2012-06-11 12:45 -------- d-----w- c:\users\Patrick Fong\AppData\Local\Trend Micro

2012-06-11 12:37 . 2012-06-11 12:08 92432 ----a-w- c:\windows\system32\drivers\tmtdi.sys

2012-06-11 12:25 . 2012-06-11 12:08 68368 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys

2012-06-11 12:25 . 2012-06-11 12:08 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2012-06-11 12:25 . 2012-06-11 12:08 81168 ----a-w- c:\windows\system32\drivers\tmactmon.sys

2012-06-11 12:19 . 2012-06-11 12:19 56 ----a-w- c:\windows\system32\SupportTool.exe.bat

2012-06-11 12:14 . 2012-06-28 21:07 -------- d-----w- c:\programdata\Trend Micro

2012-06-11 12:05 . 2012-06-11 12:17 -------- d-----w- c:\program files\Trend Micro

2012-06-09 05:05 . 2012-06-09 05:05 -------- d--h--w- c:\programdata\Common Files

2012-06-08 13:08 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FB267CAB-EDFB-4DFE-9356-7F650B410C37}\mpengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-03 08:16 . 2012-05-11 11:44 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-04-03 08:16 . 2012-05-11 11:44 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

"TchAhayq"="c:\users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe" [BU]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]

"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]

"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]

"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]

"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-09-11 176128]

"D-Link D-Link DWA-125"="c:\program files\D-Link\DWA-125 revA\AirGCFG.exe" [2010-05-21 1024000]

"WZCSLDR2"="c:\program files\D-Link\DWA-125 revA\WZCSLDR2.exe" [2010-04-20 122880]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-02-06 622592]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-02-27 1304792]

"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-02-27 133424]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]

.

c:\users\Patrick Fong\Desktop\Programs\Startup\

tchahayq.exe [2012-6-20 92216]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Canon LBP5200 Status Window.lnk - c:\windows\System32\spool\drivers\w32x86\3\CNAC3LAK.EXE [2004-9-24 50848]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-11-16 67128]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-16 692224]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-22 65588]

NETGEAR WNA1100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA1100\WNA1100.exe [2012-3-4 4545024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Canon LBP5200 Status Window.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Canon LBP5200 Status Window.lnk

backup=c:\windows\pss\Canon LBP5200 Status Window.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]

2010-03-05 17:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 01:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

.

S3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\DRIVERS\3xHybrid.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.au/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=73&bd=Pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

.

.

**************************************************************************

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(11468)

c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\windows\system32\nvvsvc.exe

c:\windows\system32\CNAC3RPK.EXE

c:\program files\Trend Micro\AMSP\coreServiceShell.exe

c:\program files\Intel\IntelDH\CCU\AlertService.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Trend Micro\AMSP\coreFrameworkHost.exe

c:\program files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe

c:\program files\Trend Micro\AMSP\AMSP_LogServer.exe

c:\users\Patrick Fong\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

c:\program files\D-Link\DWA-125 revA\ANIWZCSdS.exe

c:\program files\D-Link\DWA-125 revA\ANIWConnService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

c:\windows\system32\WUDFHost.exe

c:\windows\system32\conime.exe

c:\windows\ehome\ehsched.exe

c:\windows\ehome\ehRecvr.exe

c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe

c:\program files\Windows Media Player\wmpnetwk.exe

.

**************************************************************************

.

Completion time: 2012-06-29 21:55:13 - machine was rebooted

ComboFix-quarantined-files.txt 2012-06-29 11:55

ComboFix2.txt 2012-06-28 21:26

ComboFix3.txt 2012-06-25 11:06

ComboFix4.txt 2012-06-22 13:12

ComboFix5.txt 2012-06-29 11:36

.

Pre-Run: 80,460,693,504 bytes free

Post-Run: 80,390,008,832 bytes free

.

- - End Of File - - 11B3F412B984A8B5ADFEEBBBAB38FF82

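The ComboFix log above is a good illustration of what a triage pass over the "Reg Loading Points" section should pick out: a Run value pointing at an eight-letter random folder and file under AppData\Local, a bare executable sitting in a Startup folder, and Security Center values (DisableMonitoring, AntiVirusOverride) that silence the "no antivirus" alerts. The script below is an added example, not part of this thread and not ComboFix's own code: it parses ComboFix-style log lines and flags those patterns. The sample input is a handful of lines copied from the log above plus two benign Run entries for contrast; the thresholds (eight lowercase letters for both folder and file, user-writable path prefixes, the set of Security Center value names) are assumed heuristics, and some AV suites set the Security Center overrides themselves, so a hit is a lead to verify, not a verdict.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for autoruns in
user-writable locations, bare executables in Startup folders, and Security
Center values that suppress AV/firewall alerts. Added example; heuristics are
assumptions, not ComboFix rules."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    line: str       # the log line that triggered the finding
    reason: str


# Patterns for the ComboFix log format: registry value, dword value,
# registry key header, folder header, and a file listed inside a folder.
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]\s*$')
DWORD_VALUE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})\s*$')
REG_KEY = re.compile(r'^\[(?P<key>HK[^\]]+)\]\s*$', re.I)
FOLDER = re.compile(r'^[a-z]:\\.*\\\s*$', re.I)
STARTUP_EXE = re.compile(r'^(?P<file>.+?\.(exe|scr|com|pif|bat|cmd|vbs|js))\s+\[[^\]]*\]\s*$', re.I)

# Heuristics (assumed): locations a standard user can write to, the
# "8 random letters\8 random letters.exe" shape seen in the log above, and
# Security Center value names that, when set to 1, hide AV/firewall warnings.
USER_WRITABLE = re.compile(r'\\(AppData\\(Local|Roaming)|ProgramData|Users\\Public|Temp)\\', re.I)
RANDOM_8 = re.compile(r'\\[a-z]{8}\\[a-z]{8}\.exe$', re.I)
SC_SUPPRESS = {"disablemonitoring", "antivirusoverride", "firewalloverride", "updatesoverride"}

# Constructed sample: lines copied from the ComboFix log in this thread plus
# benign Run entries, so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"TchAhayq"="c:\users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
c:\users\Patrick Fong\Desktop\Programs\Startup\
tchahayq.exe [2012-6-20 92216]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"""


def triage(log_text):
    """Return a list of Finding objects for suspicious load points in log_text."""
    findings = []
    key = ""                    # registry key currently being listed
    in_startup_folder = False   # True while listing a ...\Startup\ folder
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = REG_KEY.match(line)
        if m:
            key, in_startup_folder = m.group("key").lower(), False
            continue
        if FOLDER.match(line):
            in_startup_folder = "\\startup\\" in line.lower()
            key = ""
            continue
        m = RUN_VALUE.match(line)
        if m and "\\run" in key:   # Run and RunOnce values
            path, meta = m.group("path"), m.group("meta")
            if RANDOM_8.search(path):
                findings.append(Finding("high", line, "8-letter random folder and file name in autorun path"))
            elif USER_WRITABLE.search(path):
                findings.append(Finding("medium", line, "autorun target in user-writable location"))
            if meta.strip().upper() == "BU":
                findings.append(Finding("medium", line, "no timestamp/size recorded for target ([BU])"))
            continue
        m = DWORD_VALUE.match(line)
        if m and "security center" in key:
            if m.group("name").lower() in SC_SUPPRESS and int(m.group("val"), 16) == 1:
                findings.append(Finding("high", line, "Security Center alert suppressed via " + m.group("name")))
            continue
        # Shortcut entries are printed as "name.lnk - target"; only bare
        # executables dropped straight into a Startup folder are flagged.
        m = STARTUP_EXE.match(line)
        if m and in_startup_folder and ".lnk" not in line.lower():
            findings.append(Finding("high", line, "executable placed directly in Startup folder"))
    return findings


def main():
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")


if __name__ == "__main__":
    main()
```

Run as-is it reports five findings from the sample: the TchAhayq Run value (random-name path, plus the missing timestamp/size that ComboFix prints as [BU]), the bare tchahayq.exe in the Startup folder, and the two Security Center overrides; the ehTray and Malwarebytes entries pass. Feed it a full ComboFix log and it skips the other sections because nothing there matches a Run key, a Startup folder, or a Security Center key.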

22:08:26.0548 10552 TDSS rootkit removing tool 2.7.42.0 Jun 25 2012 21:18:44

22:08:26.0594 10552 ============================================================

22:08:26.0594 10552 Current date / time: 2012/06/29 22:08:26.0594

22:08:26.0594 10552 SystemInfo:

22:08:26.0594 10552

22:08:26.0594 10552 OS Version: 6.0.6002 ServicePack: 2.0

22:08:26.0594 10552 Product type: Workstation

22:08:26.0594 10552 ComputerName: PATRICKFONG-PC

22:08:26.0594 10552 UserName: Patrick Fong

22:08:26.0594 10552 Windows directory: C:\Windows

22:08:26.0594 10552 System windows directory: C:\Windows

22:08:26.0594 10552 Processor architecture: Intel x86

22:08:26.0594 10552 Number of processors: 2

22:08:26.0594 10552 Page size: 0x1000

22:08:26.0594 10552 Boot type: Normal boot

22:08:26.0594 10552 ============================================================

22:08:27.0062 10552 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050

22:08:27.0094 10552 Drive \Device\Harddisk5\DR5 - Size: 0x3E300000 (0.97 Gb), SectorSize: 0x200, Cylinders: 0x7E, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'

22:08:27.0094 10552 ============================================================

22:08:27.0094 10552 \Device\Harddisk0\DR0:

22:08:27.0094 10552 MBR partitions:

22:08:27.0094 10552 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x242D1A55

22:08:27.0094 10552 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x242D1A94, BlocksNum 0x115BC2D

22:08:27.0094 10552 \Device\Harddisk5\DR5:

22:08:27.0094 10552 MBR partitions:

22:08:27.0094 10552 \Device\Harddisk5\DR5\Partition0: MBR, Type 0x6, StartLBA 0x20, BlocksNum 0x1F17DF

22:08:27.0094 10552 ============================================================

22:08:27.0125 10552 C: <-> \Device\Harddisk0\DR0\Partition0

22:08:27.0172 10552 D: <-> \Device\Harddisk0\DR0\Partition1

22:08:27.0172 10552 ============================================================

22:08:27.0172 10552 Initialize success

22:08:27.0172 10552 ============================================================

22:08:38.0965 10064 ============================================================

22:08:38.0965 10064 Scan started

22:08:38.0965 10064 Mode: Manual;

22:08:38.0965 10064 ============================================================

22:08:40.0120 10064 3xHybrid (3948303f88d035ff1c84aac07a17b9a9) C:\Windows\system32\DRIVERS\3xHybrid.sys

22:08:40.0198 10064 3xHybrid - ok

22:08:40.0260 10064 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys

22:08:40.0276 10064 ACPI - ok

22:08:40.0338 10064 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys

22:08:40.0354 10064 adp94xx - ok

22:08:40.0400 10064 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys

22:08:40.0416 10064 adpahci - ok

22:08:40.0432 10064 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys

22:08:40.0447 10064 adpu160m - ok

22:08:40.0478 10064 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys

22:08:40.0478 10064 adpu320 - ok

22:08:40.0525 10064 AeLookupSvc (9d1fda9e086ba64e3c93c9de32461bcf) C:\Windows\System32\aelupsvc.dll

22:08:40.0525 10064 AeLookupSvc - ok

22:08:40.0603 10064 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys

22:08:40.0619 10064 AFD - ok

22:08:40.0666 10064 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys

22:08:40.0666 10064 agp440 - ok

22:08:40.0712 10064 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys

22:08:40.0728 10064 aic78xx - ok

22:08:40.0837 10064 AlertService (c86d177967d27c80e466d4ed95c26db9) C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

22:08:40.0837 10064 AlertService - ok

22:08:40.0853 10064 ALG (a1545b731579895d8cc44fc0481c1192) C:\Windows\System32\alg.exe

22:08:40.0853 10064 ALG - ok

22:08:40.0868 10064 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys

22:08:40.0868 10064 aliide - ok

22:08:40.0915 10064 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys

22:08:40.0915 10064 amdagp - ok

22:08:40.0931 10064 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys

22:08:40.0946 10064 amdide - ok

22:08:40.0978 10064 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys

22:08:40.0978 10064 AmdK7 - ok

22:08:41.0009 10064 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys

22:08:41.0009 10064 AmdK8 - ok

22:08:41.0165 10064 Amsp (feb0b5022c012a4a68dabcb711faff03) C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe

22:08:41.0165 10064 Amsp - ok

22:08:41.0212 10064 anodlwf (48e008cf2edcf8fc91a9d3507865a51d) C:\Windows\system32\DRIVERS\anodlwf.sys

22:08:41.0212 10064 anodlwf - ok

22:08:41.0274 10064 Appinfo (c6d704c7f0434dc791aac37cac4b6e14) C:\Windows\System32\appinfo.dll

22:08:41.0274 10064 Appinfo - ok

22:08:41.0383 10064 Apple Mobile Device (5aa788d5a2c6737bb9c45933985bc1b8) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

22:08:41.0383 10064 Apple Mobile Device - ok

22:08:41.0446 10064 AppMgmt (0fe769cae5855b53c90e23f85e7e89ff) C:\Windows\System32\appmgmts.dll

22:08:41.0446 10064 AppMgmt - ok

22:08:41.0492 10064 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys

22:08:41.0492 10064 arc - ok

22:08:41.0539 10064 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys

22:08:41.0539 10064 arcsas - ok

22:08:41.0602 10064 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys

22:08:41.0602 10064 AsyncMac - ok

22:08:41.0633 10064 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys

22:08:41.0633 10064 atapi - ok

22:08:41.0742 10064 athur (f1fc2fd87ff77f63cd7f8bf95940b40c) C:\Windows\system32\DRIVERS\athur.sys

22:08:41.0758 10064 athur - ok

22:08:41.0898 10064 AudioEndpointBuilder (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll

22:08:41.0898 10064 AudioEndpointBuilder - ok

22:08:41.0914 10064 Audiosrv (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll

22:08:41.0914 10064 Audiosrv - ok

22:08:42.0054 10064 BackupService (68b86dd9d455a6a8de6d13c84fb5ce31) C:\Users\Patrick Fong\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe

22:08:42.0054 10064 BackupService - ok

22:08:42.0132 10064 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys

22:08:42.0132 10064 Beep - ok

22:08:42.0210 10064 BFE (c789af0f724fda5852fb9a7d3a432381) C:\Windows\System32\bfe.dll

22:08:42.0226 10064 BFE - ok

22:08:42.0288 10064 BITS (93952506c6d67330367f7e7934b6a02f) C:\Windows\system32\qmgr.dll

22:08:42.0304 10064 BITS - ok

22:08:42.0304 10064 blbdrive - ok

22:08:42.0397 10064 Bonjour Service (f832f1505ad8b83474bd9a5b1b985e01) C:\Program Files\Bonjour\mDNSResponder.exe

22:08:42.0397 10064 Bonjour Service - ok

22:08:42.0428 10064 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys

22:08:42.0428 10064 bowser - ok

22:08:42.0475 10064 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys

22:08:42.0475 10064 BrFiltLo - ok

22:08:42.0491 10064 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys

22:08:42.0506 10064 BrFiltUp - ok

22:08:42.0538 10064 Browser (a3629a0c4226f9e9c72faaeebc3ad33c) C:\Windows\System32\browser.dll

22:08:42.0538 10064 Browser - ok

22:08:42.0584 10064 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys

22:08:42.0584 10064 Brserid - ok

22:08:42.0647 10064 BrSerIf (56f59a4011f503149ae4de826982ca4f) C:\Windows\system32\Drivers\BrSerIf.sys

22:08:42.0647 10064 BrSerIf - ok

22:08:42.0662 10064 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys

22:08:42.0662 10064 BrSerWdm - ok

22:08:42.0678 10064 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys

22:08:42.0678 10064 BrUsbMdm - ok

22:08:42.0694 10064 BrUsbSer (a24c7b39602218f8dbdb2b6704325fc7) C:\Windows\system32\Drivers\BrUsbSer.sys

22:08:42.0694 10064 BrUsbSer - ok

22:08:42.0725 10064 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys

22:08:42.0725 10064 BTHMODEM - ok

22:08:42.0803 10064 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\Windows\system32\drivers\BVRPMPR5.SYS

22:08:42.0803 10064 BVRPMPR5 - ok

22:08:42.0912 10064 catchme - ok

22:08:42.0974 10064 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys

22:08:42.0974 10064 cdfs - ok

22:08:43.0021 10064 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys

22:08:43.0021 10064 cdrom - ok

22:08:43.0084 10064 CertPropSvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll

22:08:43.0084 10064 CertPropSvc - ok

22:08:43.0130 10064 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\DRIVERS\circlass.sys

22:08:43.0130 10064 circlass - ok

22:08:43.0177 10064 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys

22:08:43.0193 10064 CLFS - ok

22:08:43.0240 10064 clr_optimization_v2.0.50727_32 (8ee772032e2fe80a924f3b8dd5082194) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

22:08:43.0240 10064 clr_optimization_v2.0.50727_32 - ok

22:08:43.0318 10064 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

22:08:43.0318 10064 clr_optimization_v4.0.30319_32 - ok

22:08:43.0349 10064 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys

22:08:43.0349 10064 cmdide - ok

22:08:43.0364 10064 Compbatt (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys

22:08:43.0364 10064 Compbatt - ok

22:08:43.0364 10064 COMSysApp - ok

22:08:43.0380 10064 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys

22:08:43.0396 10064 crcdisk - ok

22:08:43.0396 10064 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys

22:08:43.0396 10064 Crusoe - ok

22:08:43.0458 10064 CryptSvc (75c6a297e364014840b48eccd7525e30) C:\Windows\system32\cryptsvc.dll

22:08:43.0458 10064 CryptSvc - ok

22:08:43.0536 10064 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys

22:08:43.0552 10064 CSC - ok

22:08:43.0630 10064 CscService (0a2095f92f6ae4fe6484d911b0c21e95) C:\Windows\System32\cscsvc.dll

22:08:43.0630 10064 CscService - ok

22:08:43.0708 10064 DcomLaunch (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\system32\rpcss.dll

22:08:43.0708 10064 DcomLaunch - ok

22:08:43.0754 10064 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys

22:08:43.0754 10064 DfsC - ok

22:08:43.0864 10064 DFSR (2cc3dcfb533a1035b13dcab6160ab38b) C:\Windows\system32\DFSR.exe

22:08:43.0942 10064 DFSR - ok

22:08:44.0082 10064 Dhcp (9028559c132146fb75eb7acf384b086a) C:\Windows\System32\dhcpcsvc.dll

22:08:44.0098 10064 Dhcp - ok

22:08:44.0160 10064 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys

22:08:44.0160 10064 disk - ok

22:08:44.0207 10064 Dnscache (57d762f6f5974af0da2be88a3349baaa) C:\Windows\System32\dnsrslvr.dll

22:08:44.0222 10064 Dnscache - ok

22:08:44.0269 10064 dot3svc (324fd74686b1ef5e7c19a8af49e748f6) C:\Windows\System32\dot3svc.dll

22:08:44.0285 10064 dot3svc - ok

22:08:44.0316 10064 DPS (a622e888f8aa2f6b49e9bc466f0e5def) C:\Windows\system32\dps.dll

22:08:44.0332 10064 DPS - ok

22:08:44.0378 10064 DQLWinService (a0b584c33f55545d56f9e71fb4e203ac) C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

22:08:44.0378 10064 DQLWinService - ok

22:08:44.0425 10064 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys

22:08:44.0425 10064 drmkaud - ok

22:08:44.0472 10064 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys

22:08:44.0488 10064 DXGKrnl - ok

22:08:44.0566 10064 D_Link_DWA-125 (f195fbc375342bd25c936982245a8fb0) C:\Program Files\D-Link\DWA-125 revA\ANIWZCSdS.exe

22:08:44.0566 10064 D_Link_DWA-125 - ok

22:08:44.0597 10064 D_Link_DWA-125_WPS (c062a2b158ed9c643d24f8e33a607c9f) C:\Program Files\D-Link\DWA-125 revA\ANIWConnService.exe

22:08:44.0597 10064 D_Link_DWA-125_WPS - ok

22:08:44.0659 10064 e1express (04944f4fc4f0477185f5d26ae0ddb90e) C:\Windows\system32\DRIVERS\e1e6032.sys

22:08:44.0675 10064 e1express - ok

22:08:44.0737 10064 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys

22:08:44.0753 10064 E1G60 - ok

22:08:44.0768 10064 EagleNT - ok

22:08:44.0815 10064 EapHost (c0b95e40d85cd807d614e264248a45b9) C:\Windows\System32\eapsvc.dll

22:08:44.0815 10064 EapHost - ok

22:08:44.0878 10064 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys

22:08:44.0893 10064 Ecache - ok

22:08:44.0956 10064 ehRecvr (9be3744d295a7701eb425332014f0797) C:\Windows\ehome\ehRecvr.exe

22:08:44.0971 10064 ehRecvr - ok

22:08:44.0987 10064 ehSched (ad1870c8e5d6dd340c829e6074bf3c3f) C:\Windows\ehome\ehsched.exe

22:08:45.0002 10064 ehSched - ok

22:08:45.0002 10064 ehstart (c27c4ee8926e74aa72efcab24c5242c3) C:\Windows\ehome\ehstart.dll

22:08:45.0002 10064 ehstart - ok

22:08:45.0049 10064 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys

22:08:45.0065 10064 elxstor - ok

22:08:45.0127 10064 EMDMgmt (4e6b23dfc917ea39306b529b773950f4) C:\Windows\system32\emdmgmt.dll

22:08:45.0143 10064 EMDMgmt - ok

22:08:45.0205 10064 EventSystem (67058c46504bc12d821f38cf99b7b28f) C:\Windows\system32\es.dll

22:08:45.0205 10064 EventSystem - ok

22:08:45.0252 10064 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys

22:08:45.0268 10064 exfat - ok

22:08:45.0299 10064 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys

22:08:45.0299 10064 fastfat - ok

22:08:45.0346 10064 Fax (dfba0f60fa301e5b1bfb1403a93ee23e) C:\Windows\system32\fxssvc.exe

22:08:45.0361 10064 Fax - ok

22:08:45.0392 10064 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys

22:08:45.0392 10064 fdc - ok

22:08:45.0408 10064 fdPHost (6629b5f0e98151f4afdd87567ea32ba3) C:\Windows\system32\fdPHost.dll

22:08:45.0408 10064 fdPHost - ok

22:08:45.0439 10064 FDResPub (89ed56dce8e47af40892778a5bd31fd2) C:\Windows\system32\fdrespub.dll

22:08:45.0439 10064 FDResPub - ok

22:08:45.0470 10064 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys

22:08:45.0470 10064 FileInfo - ok

22:08:45.0502 10064 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys

22:08:45.0502 10064 Filetrace - ok

22:08:45.0533 10064 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys

22:08:45.0533 10064 flpydisk - ok

22:08:45.0564 10064 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys

22:08:45.0564 10064 FltMgr - ok

22:08:45.0658 10064 FontCache (8ce364388c8eca59b14b539179276d44) C:\Windows\system32\FntCache.dll

22:08:45.0689 10064 FontCache - ok

22:08:45.0736 10064 FontCache3.0.0.0 (c7fbdd1ed42f82bfa35167a5c9803ea3) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

22:08:45.0751 10064 FontCache3.0.0.0 - ok

22:08:45.0767 10064 Fs_Rec (b972a66758577e0bfd1de0f91aaa27b5) C:\Windows\system32\drivers\Fs_Rec.sys

22:08:45.0767 10064 Fs_Rec - ok

22:08:45.0798 10064 fvevol (fecf4c2e42440a8d132bf94eee3c3fc9) C:\Windows\system32\DRIVERS\fvevol.sys

22:08:45.0814 10064 fvevol - ok

22:08:45.0845 10064 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys

22:08:45.0845 10064 gagp30kx - ok

22:08:45.0907 10064 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\Drivers\GEARAspiWDM.sys

22:08:45.0907 10064 GEARAspiWDM - ok

22:08:45.0938 10064 gpsvc (cd5d0aeee35dfd4e986a5aa1500a6e66) C:\Windows\System32\gpsvc.dll

22:08:45.0954 10064 gpsvc - ok

22:08:46.0032 10064 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys

22:08:46.0048 10064 HdAudAddService - ok

22:08:46.0110 10064 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys

22:08:46.0126 10064 HDAudBus - ok

22:08:46.0141 10064 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys

22:08:46.0141 10064 HidBth - ok

22:08:46.0172 10064 HidIr (d8df3722d5e961baa1292aa2f12827e2) C:\Windows\system32\DRIVERS\hidir.sys

22:08:46.0172 10064 HidIr - ok

22:08:46.0188 10064 hidserv (84067081f3318162797385e11a8f0582) C:\Windows\System32\hidserv.dll

22:08:46.0204 10064 hidserv - ok

22:08:46.0219 10064 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys

22:08:46.0219 10064 HidUsb - ok

22:08:46.0250 10064 hkmsvc (d8ad255b37da92434c26e4876db7d418) C:\Windows\system32\kmsvc.dll

22:08:46.0250 10064 hkmsvc - ok

22:08:46.0282 10064 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys

22:08:46.0282 10064 HpCISSs - ok

22:08:46.0313 10064 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys

22:08:46.0344 10064 HTTP - ok

22:08:46.0360 10064 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys

22:08:46.0375 10064 i2omp - ok

22:08:46.0438 10064 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys

22:08:46.0438 10064 i8042prt - ok

22:08:46.0469 10064 iaStor (997e8f5939f2d12cd9f2e6b395724c16) C:\Windows\system32\drivers\iastor.sys

22:08:46.0469 10064 iaStor - ok

22:08:46.0500 10064 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys

22:08:46.0516 10064 iaStorV - ok

22:08:46.0609 10064 IDriverT (6f95324909b502e2651442c1548ab12f) c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

22:08:46.0609 10064 IDriverT - ok

22:08:46.0703 10064 idsvc (98477b08e61945f974ed9fdc4cb6bdab) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

22:08:46.0718 10064 idsvc - ok

22:08:46.0812 10064 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys

22:08:46.0812 10064 iirsp - ok

22:08:46.0874 10064 IKEEXT (9908d8a397b76cd8d31d0d383c5773c9) C:\Windows\System32\ikeext.dll

22:08:46.0890 10064 IKEEXT - ok

22:08:47.0030 10064 IntcAzAudAddService (84ed2154239f9d013bbd3220755ada8b) C:\Windows\system32\drivers\RTKVHDA.sys

22:08:47.0093 10064 IntcAzAudAddService - ok

22:08:47.0233 10064 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\DRIVERS\intelide.sys

22:08:47.0233 10064 intelide - ok

22:08:47.0280 10064 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys

22:08:47.0280 10064 intelppm - ok

22:08:47.0311 10064 IPBusEnum (9ac218c6e6105477484c6fdbe7d409a4) C:\Windows\system32\ipbusenum.dll

22:08:47.0311 10064 IPBusEnum - ok

22:08:47.0342 10064 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys

22:08:47.0342 10064 IpFilterDriver - ok

22:08:47.0374 10064 iphlpsvc (1998bd97f950680bb55f55a7244679c2) C:\Windows\System32\iphlpsvc.dll

22:08:47.0389 10064 iphlpsvc - ok

22:08:47.0389 10064 IpInIp - ok

22:08:47.0420 10064 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys

22:08:47.0420 10064 IPMIDRV - ok

22:08:47.0452 10064 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys

22:08:47.0452 10064 IPNAT - ok

22:08:47.0483 10064 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys

22:08:47.0483 10064 IRENUM - ok

22:08:47.0498 10064 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys

22:08:47.0498 10064 isapnp - ok

22:08:47.0530 10064 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys

22:08:47.0545 10064 iScsiPrt - ok

22:08:47.0639 10064 ISSM (e29ba28f76c5a703e7f30f74cf36df22) C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

22:08:47.0639 10064 ISSM - ok

22:08:47.0654 10064 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys

22:08:47.0670 10064 iteatapi - ok

22:08:47.0717 10064 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys

22:08:47.0717 10064 iteraid - ok

22:08:47.0795 10064 jswpsapi (cf9ba304b8047b9582d72d9bfef42eae) C:\Program Files\NETGEAR\WNA1100\jswpsapi.exe

22:08:47.0810 10064 jswpsapi - ok

22:08:47.0857 10064 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys

22:08:47.0857 10064 kbdclass - ok

22:08:47.0873 10064 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys

22:08:47.0888 10064 kbdhid - ok

22:08:47.0904 10064 KeyIso (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe

22:08:47.0904 10064 KeyIso - ok

22:08:47.0935 10064 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys

22:08:47.0966 10064 KSecDD - ok

22:08:48.0029 10064 KtmRm (8078f8f8f7a79e2e6b494523a828c585) C:\Windows\system32\msdtckrm.dll

22:08:48.0044 10064 KtmRm - ok

22:08:48.0107 10064 L8042Kbd (d88846f9f4f27ae9be584a6e5b6b8753) C:\Windows\system32\DRIVERS\L8042Kbd.sys

22:08:48.0107 10064 L8042Kbd - ok

22:08:48.0122 10064 L8042mou (bea61fda2103f6f51b14eb0872e8a050) C:\Windows\system32\DRIVERS\L8042mou.Sys

22:08:48.0138 10064 L8042mou - ok

22:08:48.0154 10064 LanmanServer (1bf5eebfd518dd7298434d8c862f825d) C:\Windows\System32\srvsvc.dll

22:08:48.0154 10064 LanmanServer - ok

22:08:48.0216 10064 LanmanWorkstation (1db69705b695b987082c8baec0c6b34f) C:\Windows\System32\wkssvc.dll

22:08:48.0232 10064 LanmanWorkstation - ok

22:08:48.0341 10064 LightScribeService (793ff718477345cd5d232c50bed1e452) c:\Program Files\Common Files\LightScribe\LSSrvc.exe

22:08:48.0341 10064 LightScribeService - ok

22:08:48.0372 10064 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys

22:08:48.0372 10064 lltdio - ok

22:08:48.0403 10064 lltdsvc (2d5a428872f1442631d0959a34abff63) C:\Windows\System32\lltdsvc.dll

22:08:48.0403 10064 lltdsvc - ok

22:08:48.0434 10064 lmhosts (35d40113e4a5b961b6ce5c5857702518) C:\Windows\System32\lmhsvc.dll

22:08:48.0434 10064 lmhosts - ok

22:08:48.0466 10064 LMouKE (cab504e38fced9a56d87d838e9ba13e9) C:\Windows\system32\DRIVERS\LMouKE.Sys

22:08:48.0481 10064 LMouKE - ok

22:08:48.0512 10064 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys

22:08:48.0512 10064 LSI_FC - ok

22:08:48.0528 10064 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys

22:08:48.0528 10064 LSI_SAS - ok

22:08:48.0559 10064 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys

22:08:48.0559 10064 LSI_SCSI - ok

22:08:48.0590 10064 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys

22:08:48.0606 10064 luafv - ok

22:08:48.0715 10064 LVcKap (fb548ff809634bfa866312b37d8a18ae) C:\Windows\system32\DRIVERS\LVcKap.sys

22:08:48.0762 10064 LVcKap - ok

22:08:48.0856 10064 LVCOMSer (14e4cc4d46169759d874f57604ea6be5) C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

22:08:48.0856 10064 LVCOMSer - ok

22:08:49.0027 10064 LVMVDrv (fe3fb994f8702d9e37648927819b74b8) C:\Windows\system32\DRIVERS\LVMVDrv.sys

22:08:49.0090 10064 LVMVDrv - ok

22:08:49.0168 10064 LVPr2Mon (c7ea51f1ab10b0b2b443f4d5589fc1a5) C:\Windows\system32\DRIVERS\LVPr2Mon.sys

22:08:49.0183 10064 LVPr2Mon - ok

22:08:49.0199 10064 LVPrcSrv (b2d04e813ba12ab179daf0b9fdecba3d) C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

22:08:49.0199 10064 LVPrcSrv - ok

22:08:49.0246 10064 LVSrvLauncher (a7a2ef5000007ca361da1e2b99df8c57) C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

22:08:49.0261 10064 LVSrvLauncher - ok

22:08:49.0308 10064 LVUSBSta (caef4c05ba2c1acad4ebcaa4261cd55d) C:\Windows\system32\drivers\LVUSBSta.sys

22:08:49.0308 10064 LVUSBSta - ok

22:08:49.0370 10064 M1 Server (7b073fd0133346d0e555353f164057d7) C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

22:08:49.0370 10064 M1 Server - ok

22:08:49.0433 10064 mbamchameleon (5dc35c6ecff38c91db3511c63d0000d9) C:\Windows\system32\drivers\mbamchameleon.sys

22:08:49.0433 10064 mbamchameleon - ok

22:08:49.0464 10064 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\Windows\system32\drivers\mbam.sys

22:08:49.0464 10064 MBAMProtector - ok

22:08:49.0526 10064 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

22:08:49.0526 10064 MBAMService - ok

22:08:49.0573 10064 MBAMSwissArmy - ok

22:08:49.0604 10064 MCLServiceATL (7bba15ca5a2aa4e50c7cbfb78d11db25) C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

22:08:49.0604 10064 MCLServiceATL - ok

22:08:49.0636 10064 Mcx2Svc (aef9babb8a506bc4ce0451a64aaded46) C:\Windows\system32\Mcx2Svc.dll

22:08:49.0636 10064 Mcx2Svc - ok

22:08:49.0682 10064 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys

22:08:49.0682 10064 megasas - ok

22:08:49.0698 10064 MMCSS (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll

22:08:49.0698 10064 MMCSS - ok

22:08:49.0729 10064 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys

22:08:49.0729 10064 Modem - ok

22:08:49.0776 10064 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys

22:08:49.0776 10064 monitor - ok

22:08:49.0807 10064 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys

22:08:49.0807 10064 mouclass - ok

22:08:49.0838 10064 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys

22:08:49.0838 10064 mouhid - ok

22:08:49.0885 10064 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys

22:08:49.0885 10064 MountMgr - ok

22:08:49.0948 10064 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys

22:08:49.0948 10064 mpio - ok

22:08:49.0979 10064 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys

22:08:49.0979 10064 mpsdrv - ok

22:08:50.0026 10064 MpsSvc (5de62c6e9108f14f6794060a9bdecaec) C:\Windows\system32\mpssvc.dll

22:08:50.0026 10064 MpsSvc - ok

22:08:50.0057 10064 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys

22:08:50.0057 10064 Mraid35x - ok

22:08:50.0072 10064 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys

22:08:50.0088 10064 MRxDAV - ok

22:08:50.0119 10064 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys

22:08:50.0119 10064 mrxsmb - ok

22:08:50.0150 10064 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys

22:08:50.0166 10064 mrxsmb10 - ok

22:08:50.0197 10064 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys

22:08:50.0197 10064 mrxsmb20 - ok

22:08:50.0213 10064 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys

22:08:50.0213 10064 msahci - ok

22:08:50.0244 10064 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys

22:08:50.0244 10064 msdsm - ok

22:08:50.0291 10064 MSDTC (fd7520cc3a80c5fc8c48852bb24c6ded) C:\Windows\System32\msdtc.exe

22:08:50.0291 10064 MSDTC - ok

22:08:50.0353 10064 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys

22:08:50.0353 10064 Msfs - ok

22:08:50.0384 10064 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys

22:08:50.0400 10064 msisadrv - ok

22:08:50.0416 10064 MSiSCSI (85466c0757a23d9a9aecdc0755203cb2) C:\Windows\system32\iscsiexe.dll

22:08:50.0431 10064 MSiSCSI - ok

22:08:50.0431 10064 msiserver - ok

22:08:50.0462 10064 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys

22:08:50.0478 10064 MSKSSRV - ok

22:08:50.0494 10064 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys

22:08:50.0494 10064 MSPCLOCK - ok

22:08:50.0509 10064 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys

22:08:50.0509 10064 MSPQM - ok

22:08:50.0540 10064 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys

22:08:50.0556 10064 MsRPC - ok

22:08:50.0587 10064 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys

22:08:50.0587 10064 mssmbios - ok

22:08:50.0603 10064 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys

22:08:50.0603 10064 MSTEE - ok

22:08:50.0618 10064 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys

22:08:50.0634 10064 Mup - ok

22:08:50.0665 10064 napagent (e4eaf0c5c1b41b5c83386cf212ca9584) C:\Windows\system32\qagentRT.dll

22:08:50.0681 10064 napagent - ok

22:08:50.0743 10064 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys

22:08:50.0759 10064 NativeWifiP - ok

22:08:50.0837 10064 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys

22:08:50.0837 10064 NDIS - ok

22:08:50.0852 10064 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys

22:08:50.0868 10064 NdisTapi - ok

22:08:50.0884 10064 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys

22:08:50.0899 10064 Ndisuio - ok

22:08:50.0915 10064 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys

22:08:50.0930 10064 NdisWan - ok

22:08:50.0962 10064 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys

22:08:50.0962 10064 NDProxy - ok

22:08:50.0962 10064 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys

22:08:50.0977 10064 NetBIOS - ok

22:08:50.0993 10064 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys

22:08:51.0008 10064 netbt - ok

22:08:51.0040 10064 Netlogon (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe

22:08:51.0040 10064 Netlogon - ok

22:08:51.0071 10064 Netman (c8052711daecc48b982434c5116ca401) C:\Windows\System32\netman.dll

22:08:51.0071 10064 Netman - ok

22:08:51.0118 10064 netprofm (2ef3bbe22e5a5acd1428ee387a0d0172) C:\Windows\System32\netprofm.dll

22:08:51.0118 10064 netprofm - ok

22:08:51.0180 10064 netr28u (575cc69d5aa74b8633f4022adcf58d96) C:\Windows\system32\DRIVERS\Dnetr28u.sys

22:08:51.0180 10064 netr28u - ok

22:08:51.0258 10064 netr73 (2f0bac1fab90244b644a7ae590257e1d) C:\Windows\system32\DRIVERS\netr73.sys

22:08:51.0258 10064 netr73 - ok

22:08:51.0305 10064 NetTcpPortSharing (d6c4e4a39a36029ac0813d476fbd0248) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

22:08:51.0320 10064 NetTcpPortSharing - ok

22:08:51.0336 10064 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys

22:08:51.0336 10064 nfrd960 - ok

22:08:51.0367 10064 NlaSvc (2997b15415f9bbe05b5a4c1c85e0c6a2) C:\Windows\System32\nlasvc.dll

22:08:51.0367 10064 NlaSvc - ok

22:08:51.0398 10064 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys

22:08:51.0398 10064 Npfs - ok

22:08:51.0414 10064 npggsvc - ok

22:08:51.0445 10064 nsi (8bb86f0c7eea2bded6fe095d0b4ca9bd) C:\Windows\system32\nsisvc.dll

22:08:51.0461 10064 nsi - ok

22:08:51.0476 10064 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys

22:08:51.0476 10064 nsiproxy - ok

22:08:51.0539 10064 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys

22:08:51.0554 10064 Ntfs - ok

22:08:51.0570 10064 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys

22:08:51.0570 10064 ntrigdigi - ok

22:08:51.0601 10064 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys

22:08:51.0601 10064 Null - ok

22:08:51.0648 10064 NVHDA (b4f70fac4ea61cf150823aa063a39ff9) C:\Windows\system32\drivers\nvhda32v.sys

22:08:51.0664 10064 NVHDA - ok

22:08:52.0022 10064 nvlddmkm (377140a534d013bd661c69f1741de43c) C:\Windows\system32\DRIVERS\nvlddmkm.sys

22:08:52.0085 10064 nvlddmkm - ok

22:08:52.0210 10064 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys

22:08:52.0210 10064 nvraid - ok

22:08:52.0241 10064 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys

22:08:52.0241 10064 nvstor - ok

22:08:52.0288 10064 nvsvc (4ed813efd77a9b7e57e341cdc1c5cbc4) C:\Windows\system32\nvvsvc.exe

22:08:52.0288 10064 nvsvc - ok

22:08:52.0319 10064 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys

22:08:52.0334 10064 nv_agp - ok

22:08:52.0334 10064 NwlnkFlt - ok

22:08:52.0350 10064 NwlnkFwd - ok

22:08:52.0428 10064 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE

22:08:52.0459 10064 odserv - ok

22:08:52.0506 10064 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys

22:08:52.0506 10064 ohci1394 - ok

22:08:52.0537 10064 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

22:08:52.0537 10064 ose - ok

22:08:52.0615 10064 p2pimsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll

22:08:52.0631 10064 p2pimsvc - ok

22:08:52.0631 10064 p2psvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll

22:08:52.0646 10064 p2psvc - ok

22:08:52.0678 10064 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys

22:08:52.0693 10064 Parport - ok

22:08:52.0724 10064 partmgr (b9c2b89f08670e159f7181891e449cd9) C:\Windows\system32\drivers\partmgr.sys

22:08:52.0724 10064 partmgr - ok

22:08:52.0740 10064 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys

22:08:52.0740 10064 Parvdm - ok

22:08:52.0771 10064 PcaSvc (c6276ad11f4bb49b58aa1ed88537f14a) C:\Windows\System32\pcasvc.dll

22:08:52.0771 10064 PcaSvc - ok

22:08:52.0802 10064 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys

22:08:52.0802 10064 pci - ok

22:08:52.0849 10064 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys

22:08:52.0849 10064 pciide - ok

22:08:52.0880 10064 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys

22:08:52.0896 10064 pcmcia - ok

22:08:52.0958 10064 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\Windows\system32\Drivers\pcouffin.sys

22:08:52.0958 10064 pcouffin - ok

22:08:53.0021 10064 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys

22:08:53.0068 10064 PEAUTH - ok

22:08:53.0099 10064 pepifilter (c5d5ea6a29523e0f6016741e9851c6db) C:\Windows\system32\DRIVERS\lv302af.sys

22:08:53.0099 10064 pepifilter - ok

22:08:53.0192 10064 PID_PEPI (3f96dcd4ac98c8e0d3c03c24fd49a2fe) C:\Windows\system32\DRIVERS\LV302V32.SYS

22:08:53.0224 10064 PID_PEPI - ok

22:08:53.0380 10064 pla (b1689df169143f57053f795390c99db3) C:\Windows\system32\pla.dll

22:08:53.0411 10064 pla - ok

22:08:53.0473 10064 PlugPlay (c5e7f8a996ec0a82d508fd9064a5569e) C:\Windows\system32\umpnpmgr.dll

22:08:53.0489 10064 PlugPlay - ok

22:08:53.0536 10064 PNRPAutoReg (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll

22:08:53.0536 10064 PNRPAutoReg - ok

22:08:53.0551 10064 PNRPsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll

22:08:53.0551 10064 PNRPsvc - ok

22:08:53.0582 10064 PolicyAgent (d0494460421a03cd5225cca0059aa146) C:\Windows\System32\ipsecsvc.dll

22:08:53.0598 10064 PolicyAgent - ok

22:08:53.0645 10064 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys

22:08:53.0660 10064 PptpMiniport - ok

22:08:53.0676 10064 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys

22:08:53.0676 10064 Processor - ok

22:08:53.0707 10064 ProfSvc (0508faa222d28835310b7bfca7a77346) C:\Windows\system32\profsvc.dll

22:08:53.0723 10064 ProfSvc - ok

22:08:53.0738 10064 ProtectedStorage (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe

22:08:53.0754 10064 ProtectedStorage - ok

22:08:53.0801 10064 Ps2 (390c204ced3785609ab24e9c52054a84) C:\Windows\system32\DRIVERS\PS2.sys

22:08:53.0801 10064 Ps2 - ok

22:08:53.0832 10064 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys

22:08:53.0832 10064 PSched - ok

22:08:53.0848 10064 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\Windows\system32\Drivers\PxHelp20.sys

22:08:53.0863 10064 PxHelp20 - ok

22:08:54.0097 10064 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys

22:08:54.0097 10064 ql2300 - ok

22:08:54.0113 10064 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys

22:08:54.0128 10064 ql40xx - ok

22:08:54.0160 10064 QWAVE (e9ecae663f47e6cb43962d18ab18890f) C:\Windows\system32\qwave.dll

22:08:54.0175 10064 QWAVE - ok

22:08:54.0206 10064 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys

22:08:54.0206 10064 QWAVEdrv - ok

22:08:54.0238 10064 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys

22:08:54.0238 10064 RasAcd - ok

22:08:54.0300 10064 RasAuto (f6a452eb4ceadbb51c9e0ee6b3ecef0f) C:\Windows\System32\rasauto.dll

22:08:54.0300 10064 RasAuto - ok

22:08:54.0331 10064 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys

22:08:54.0331 10064 Rasl2tp - ok

22:08:54.0378 10064 RasMan (75d47445d70ca6f9f894b032fbc64fcf) C:\Windows\System32\rasmans.dll

22:08:54.0378 10064 RasMan - ok

22:08:54.0409 10064 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys

22:08:54.0409 10064 RasPppoe - ok

22:08:54.0456 10064 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys

22:08:54.0456 10064 RasSstp - ok

22:08:54.0472 10064 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys

22:08:54.0472 10064 rdbss - ok

22:08:54.0518 10064 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys

22:08:54.0518 10064 RDPCDD - ok

22:08:54.0550 10064 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys

22:08:54.0565 10064 rdpdr - ok

22:08:54.0565 10064 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys

22:08:54.0565 10064 RDPENCDD - ok

22:08:54.0612 10064 RDPWD (c127ebd5afab31524662c48dfceb773a) C:\Windows\system32\drivers\RDPWD.sys

22:08:54.0628 10064 RDPWD - ok

22:08:54.0768 10064 Remote UI Service (752402f6bd5fa012805813c329f88dd3) C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

22:08:54.0799 10064 Remote UI Service - ok

22:08:54.0877 10064 RemoteAccess (bcdd6b4804d06b1f7ebf29e53a57ece9) C:\Windows\System32\mprdim.dll

22:08:54.0877 10064 RemoteAccess - ok

22:08:54.0955 10064 RemoteRegistry (9e6894ea18daff37b63e1005f83ae4ab) C:\Windows\system32\regsvc.dll

22:08:54.0955 10064 RemoteRegistry - ok

22:08:55.0033 10064 RoxMediaDB9 (062d1268cfcf569ba5fbcfd1bea88d2a) c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

22:08:55.0064 10064 RoxMediaDB9 - ok

22:08:55.0096 10064 RpcLocator (5123f83cbc4349d065534eeb6bbdc42b) C:\Windows\system32\locator.exe

22:08:55.0096 10064 RpcLocator - ok

22:08:55.0142 10064 RpcSs (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\System32\rpcss.dll

22:08:55.0142 10064 RpcSs - ok

22:08:55.0205 10064 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys

22:08:55.0205 10064 rspndr - ok

22:08:55.0220 10064 SamSs (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe

22:08:55.0220 10064 SamSs - ok

22:08:55.0252 10064 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys

22:08:55.0252 10064 sbp2port - ok

22:08:55.0298 10064 SCardSvr (77b7a11a0c3d78d3386398fbbea1b632) C:\Windows\System32\SCardSvr.dll

22:08:55.0298 10064 SCardSvr - ok

22:08:55.0361 10064 Schedule (1a58069db21d05eb2ab58ee5753ebe8d) C:\Windows\system32\schedsvc.dll

22:08:55.0376 10064 Schedule - ok

22:08:55.0392 10064 SCPolicySvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll

22:08:55.0392 10064 SCPolicySvc - ok

22:08:55.0408 10064 SDRSVC (716313d9f6b0529d03f726d5aaf6f191) C:\Windows\System32\SDRSVC.dll

22:08:55.0408 10064 SDRSVC - ok

22:08:55.0439 10064 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys

22:08:55.0439 10064 secdrv - ok

22:08:55.0470 10064 seclogon (fd5199d4d8a521005e4b5ee7fe00fa9b) C:\Windows\system32\seclogon.dll

22:08:55.0470 10064 seclogon - ok

22:08:55.0486 10064 SENS (a9bbab5759771e523f55563d6cbe140f) C:\Windows\system32\sens.dll

22:08:55.0501 10064 SENS - ok

22:08:55.0517 10064 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys

22:08:55.0517 10064 Serenum - ok

22:08:55.0532 10064 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys

22:08:55.0548 10064 Serial - ok

22:08:55.0564 10064 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys

22:08:55.0564 10064 sermouse - ok

22:08:55.0595 10064 SessionEnv (d2193326f729b163125610dbf3e17d57) C:\Windows\system32\sessenv.dll

22:08:55.0595 10064 SessionEnv - ok

22:08:55.0610 10064 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys

22:08:55.0610 10064 sffdisk - ok

22:08:55.0626 10064 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys

22:08:55.0626 10064 sffp_mmc - ok

22:08:55.0642 10064 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys

22:08:55.0642 10064 sffp_sd - ok

22:08:55.0642 10064 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys

22:08:55.0657 10064 sfloppy - ok

22:08:55.0673 10064 SharedAccess (e1499bd0ff76b1b2fbbf1af339d91165) C:\Windows\System32\ipnathlp.dll

22:08:55.0688 10064 SharedAccess - ok

22:08:55.0720 10064 ShellHWDetection (c7230fbee14437716701c15be02c27b8) C:\Windows\System32\shsvcs.dll

22:08:55.0735 10064 ShellHWDetection - ok

22:08:55.0751 10064 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys

22:08:55.0751 10064 sisagp - ok

22:08:55.0766 10064 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys

22:08:55.0766 10064 SiSRaid2 - ok

22:08:55.0798 10064 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys

22:08:55.0798 10064 SiSRaid4 - ok

22:08:55.0938 10064 slsvc (862bb4cbc05d80c5b45be430e5ef872f) C:\Windows\system32\SLsvc.exe

22:08:56.0000 10064 slsvc - ok

22:08:56.0094 10064 SLUINotify (6edc422215cd78aa8a9cde6b30abbd35) C:\Windows\system32\SLUINotify.dll

22:08:56.0094 10064 SLUINotify - ok

22:08:56.0141 10064 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys

22:08:56.0156 10064 Smb - ok

22:08:56.0188 10064 SNMPTRAP (2a146a055b4401c16ee62d18b8e2a032) C:\Windows\System32\snmptrap.exe

22:08:56.0188 10064 SNMPTRAP - ok

22:08:56.0203 10064 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys

22:08:56.0219 10064 spldr - ok

22:08:56.0234 10064 Spooler (8554097e5136c3bf9f69fe578a1b35f4) C:\Windows\System32\spoolsv.exe

22:08:56.0250 10064 Spooler - ok

22:08:56.0281 10064 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys

22:08:56.0297 10064 srv - ok

22:08:56.0328 10064 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys

22:08:56.0344 10064 srv2 - ok

22:08:56.0344 10064 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys

22:08:56.0359 10064 srvnet - ok

22:08:56.0390 10064 SSDPSRV (03d50b37234967433a5ea5ba72bc0b62) C:\Windows\System32\ssdpsrv.dll

22:08:56.0390 10064 SSDPSRV - ok

22:08:56.0437 10064 SstpSvc (6f1a32e7b7b30f004d9a20afadb14944) C:\Windows\system32\sstpsvc.dll

22:08:56.0453 10064 SstpSvc - ok

22:08:56.0578 10064 Stereo Service (29662881a46db66730c62a4f1bfa3dc2) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

22:08:56.0578 10064 Stereo Service - ok

22:08:56.0609 10064 stisvc (5de7d67e49b88f5f07f3e53c4b92a352) C:\Windows\System32\wiaservc.dll

22:08:56.0624 10064 stisvc - ok

22:08:56.0671 10064 stllssvr (4cfeb2bd9723489da072b300940ea287) c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

22:08:56.0671 10064 stllssvr - ok

22:08:56.0718 10064 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys

22:08:56.0718 10064 swenum - ok

22:08:56.0749 10064 swprv (f21fd248040681cca1fb6c9a03aaa93d) C:\Windows\System32\swprv.dll

22:08:56.0765 10064 swprv - ok

22:08:56.0780 10064 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys

22:08:56.0780 10064 Symc8xx - ok

22:08:56.0796 10064 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys

22:08:56.0796 10064 Sym_hi - ok

22:08:56.0812 10064 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys

22:08:56.0812 10064 Sym_u3 - ok

22:08:56.0858 10064 SysMain (9a51b04e9886aa4ee90093586b0ba88d) C:\Windows\system32\sysmain.dll

22:08:56.0874 10064 SysMain - ok

22:08:56.0890 10064 TabletInputService (2dca225eae15f42c0933e998ee0231c3) C:\Windows\System32\TabSvc.dll

22:08:56.0905 10064 TabletInputService - ok

22:08:56.0936 10064 TapiSrv (d7673e4b38ce21ee54c59eeeb65e2483) C:\Windows\System32\tapisrv.dll

22:08:56.0952 10064 TapiSrv - ok

22:08:56.0983 10064 TBS (cb05822cd9cc6c688168e113c603dbe7) C:\Windows\System32\tbssvc.dll

22:08:56.0983 10064 TBS - ok

22:08:57.0030 10064 Tcpip (27d470dabc77bc60d0a3b0e4deb6cb91) C:\Windows\system32\drivers\tcpip.sys

22:08:57.0061 10064 Tcpip - ok

22:08:57.0077 10064 Tcpip6 (27d470dabc77bc60d0a3b0e4deb6cb91) C:\Windows\system32\DRIVERS\tcpip.sys

22:08:57.0077 10064 Tcpip6 - ok

22:08:57.0108 10064 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys

22:08:57.0108 10064 tcpipreg - ok

22:08:57.0124 10064 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys

22:08:57.0139 10064 TDPIPE - ok

22:08:57.0155 10064 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys

22:08:57.0155 10064 TDTCP - ok

22:08:57.0186 10064 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys

22:08:57.0186 10064 tdx - ok

22:08:57.0202 10064 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys

22:08:57.0217 10064 TermDD - ok

22:08:57.0248 10064 TermService (bb95da09bef6e7a131bff3ba5032090d) C:\Windows\System32\termsrv.dll

22:08:57.0264 10064 TermService - ok

22:08:57.0311 10064 Themes (c7230fbee14437716701c15be02c27b8) C:\Windows\system32\shsvcs.dll

22:08:57.0311 10064 Themes - ok

22:08:57.0326 10064 THREADORDER (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll

22:08:57.0326 10064 THREADORDER - ok

22:08:57.0373 10064 tmactmon (e8e528896ff2595cfada88749cd72ef8) C:\Windows\system32\DRIVERS\tmactmon.sys

22:08:57.0373 10064 tmactmon - ok

22:08:57.0404 10064 tmcomm (1837512d4aab862bd297a2ef035fba14) C:\Windows\system32\DRIVERS\tmcomm.sys

22:08:57.0404 10064 tmcomm - ok

22:08:57.0451 10064 tmevtmgr (dbac510d1c7cc66b7a78eb2264f3072e) C:\Windows\system32\DRIVERS\tmevtmgr.sys

22:08:57.0451 10064 tmevtmgr - ok

22:08:57.0467 10064 tmtdi (a6e20b094a8d3e3f46d10bbe7e1ebb82) C:\Windows\system32\DRIVERS\tmtdi.sys

22:08:57.0482 10064 tmtdi - ok

22:08:57.0498 10064 TrkWks (ec74e77d0eb004bd3a809b5f8fb8c2ce) C:\Windows\System32\trkwks.dll

22:08:57.0498 10064 TrkWks - ok

22:08:57.0545 10064 TrustedInstaller (97d9d6a04e3ad9b6c626b9931db78dba) C:\Windows\servicing\TrustedInstaller.exe

22:08:57.0545 10064 TrustedInstaller - ok

22:08:57.0592 10064 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys

22:08:57.0592 10064 tssecsrv - ok

22:08:57.0607 10064 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys

22:08:57.0623 10064 tunmp - ok

22:08:57.0638 10064 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys

22:08:57.0638 10064 tunnel - ok

22:08:57.0670 10064 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys

22:08:57.0670 10064 uagp35 - ok

22:08:57.0701 10064 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys

22:08:57.0716 10064 udfs - ok

22:08:57.0748 10064 UI0Detect (ecef404f62863755951e09c802c94ad5) C:\Windows\system32\UI0Detect.exe

22:08:57.0748 10064 UI0Detect - ok

22:08:57.0763 10064 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys

22:08:57.0763 10064 uliagpkx - ok

22:08:57.0779 10064 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys

22:08:57.0794 10064 uliahci - ok

22:08:57.0826 10064 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys

22:08:57.0826 10064 UlSata - ok

22:08:57.0841 10064 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys

22:08:57.0857 10064 ulsata2 - ok

22:08:57.0872 10064 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys

22:08:57.0872 10064 umbus - ok

22:08:57.0904 10064 UmRdpService (8a66360f38f81e960e2367b428cbd5d9) C:\Windows\System32\umrdp.dll

22:08:57.0919 10064 UmRdpService - ok

22:08:57.0950 10064 upnphost (68308183f4ae0be7bf8ecd07cb297999) C:\Windows\System32\upnphost.dll

22:08:57.0950 10064 upnphost - ok

22:08:57.0982 10064 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\Windows\system32\Drivers\usbaapl.sys

22:08:57.0982 10064 USBAAPL - ok

22:08:58.0028 10064 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys

22:08:58.0028 10064 usbaudio - ok

22:08:58.0075 10064 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys

22:08:58.0091 10064 usbccgp - ok

22:08:58.0106 10064 usbcir (47b9770ea21436de4ad5aea7926e0900) C:\Windows\system32\DRIVERS\usbcir.sys

22:08:58.0106 10064 usbcir - ok

22:08:58.0122 10064 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys

22:08:58.0122 10064 usbehci - ok

22:08:58.0153 10064 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys

22:08:58.0169 10064 usbhub - ok

22:08:58.0184 10064 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys

22:08:58.0184 10064 usbohci - ok

22:08:58.0200 10064 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys

22:08:58.0216 10064 usbprint - ok

22:08:58.0231 10064 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys

22:08:58.0247 10064 usbscan - ok

22:08:58.0262 10064 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS

22:08:58.0278 10064 USBSTOR - ok

22:08:58.0309 10064 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys

22:08:58.0309 10064 usbuhci - ok

22:08:58.0356 10064 UxSms (1509e705f3ac1d474c92454a5c2dd81f) C:\Windows\System32\uxsms.dll

22:08:58.0356 10064 UxSms - ok

22:08:58.0403 10064 vds (cd88d1b7776dc17a119049742ec07eb4) C:\Windows\System32\vds.exe

22:08:58.0418 10064 vds - ok

22:08:58.0465 10064 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys

22:08:58.0465 10064 vga - ok

22:08:58.0481 10064 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys

22:08:58.0481 10064 VgaSave - ok

22:08:58.0512 10064 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys

22:08:58.0512 10064 viaagp - ok

22:08:58.0528 10064 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys

22:08:58.0528 10064 ViaC7 - ok

22:08:58.0543 10064 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys

22:08:58.0543 10064 viaide - ok

22:08:58.0574 10064 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys

22:08:58.0574 10064 volmgr - ok

22:08:58.0606 10064 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys

22:08:58.0621 10064 volmgrx - ok

22:08:58.0652 10064 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys

22:08:58.0668 10064 volsnap - ok

22:08:58.0715 10064 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys

22:08:58.0715 10064 vsmraid - ok

22:08:58.0777 10064 VSS (db3d19f850c6eb32bdcb9bc0836acddb) C:\Windows\system32\vssvc.exe

22:08:58.0824 10064 VSS - ok

22:08:58.0855 10064 W32Time (96ea68b9eb310a69c25ebb0282b2b9de) C:\Windows\system32\w32time.dll

22:08:58.0855 10064 W32Time - ok

22:08:58.0902 10064 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys

22:08:58.0902 10064 WacomPen - ok

22:08:58.0949 10064 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys

22:08:58.0949 10064 Wanarp - ok

22:08:58.0949 10064 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys

22:08:58.0949 10064 Wanarpv6 - ok

22:08:58.0996 10064 wbengine (20b23332885dfb93fe0185362ee811e9) C:\Windows\system32\wbengine.exe

22:08:59.0027 10064 wbengine - ok

22:08:59.0089 10064 wcncsvc (a3cd60fd826381b49f03832590e069af) C:\Windows\System32\wcncsvc.dll

22:08:59.0105 10064 wcncsvc - ok

22:08:59.0136 10064 WcsPlugInService (11bcb7afcdd7aadacb5746f544d3a9c7) C:\Windows\System32\WcsPlugInService.dll

22:08:59.0136 10064 WcsPlugInService - ok

22:08:59.0183 10064 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys

22:08:59.0183 10064 Wd - ok

22:08:59.0245 10064 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys

22:08:59.0308 10064 Wdf01000 - ok

22:08:59.0339 10064 WdiServiceHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll

22:08:59.0339 10064 WdiServiceHost - ok

22:08:59.0339 10064 WdiSystemHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll

22:08:59.0354 10064 WdiSystemHost - ok

22:08:59.0386 10064 WebClient (04c37d8107320312fbae09926103d5e2) C:\Windows\System32\webclnt.dll

22:08:59.0401 10064 WebClient - ok

22:08:59.0432 10064 Wecsvc (ae3736e7e8892241c23e4ebbb7453b60) C:\Windows\system32\wecsvc.dll

22:08:59.0432 10064 Wecsvc - ok

22:08:59.0464 10064 wercplsupport (670ff720071ed741206d69bd995ea453) C:\Windows\System32\wercplsupport.dll

22:08:59.0464 10064 wercplsupport - ok

22:08:59.0495 10064 WerSvc (32b88481d3b326da6deb07b1d03481e7) C:\Windows\System32\WerSvc.dll

22:08:59.0495 10064 WerSvc - ok

22:08:59.0588 10064 WinDefend (4575aa12561c5648483403541d0d7f2b) C:\Program Files\Windows Defender\mpsvc.dll

22:08:59.0588 10064 WinDefend - ok

22:08:59.0604 10064 WinHttpAutoProxySvc - ok

22:08:59.0666 10064 Winmgmt (6b2a1d0e80110e3d04e6863c6e62fd8a) C:\Windows\system32\wbem\WMIsvc.dll

22:08:59.0666 10064 Winmgmt - ok

22:08:59.0729 10064 WinRM (7cfe68bdc065e55aa5e8421607037511) C:\Windows\system32\WsmSvc.dll

22:08:59.0760 10064 WinRM - ok

22:08:59.0807 10064 Wlansvc (c008405e4feeb069e30da1d823910234) C:\Windows\System32\wlansvc.dll

22:08:59.0822 10064 Wlansvc - ok

22:08:59.0869 10064 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys

22:08:59.0869 10064 WmiAcpi - ok

22:08:59.0932 10064 wmiApSrv (43be3875207dcb62a85c8c49970b66cc) C:\Windows\system32\wbem\WmiApSrv.exe

22:08:59.0932 10064 wmiApSrv - ok

22:09:00.0041 10064 WMPNetworkSvc (3978704576a121a9204f8cc49a301a9b) C:\Program Files\Windows Media Player\wmpnetwk.exe

22:09:00.0056 10064 WMPNetworkSvc - ok

22:09:00.0088 10064 WPCSvc (cfc5a04558f5070cee3e3a7809f3ff52) C:\Windows\System32\wpcsvc.dll

22:09:00.0088 10064 WPCSvc - ok

22:09:00.0119 10064 WPDBusEnum (801fbdb89d472b3c467eb112a0fc9246) C:\Windows\system32\wpdbusenum.dll

22:09:00.0119 10064 WPDBusEnum - ok

22:09:00.0197 10064 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys

22:09:00.0197 10064 WpdUsb - ok

22:09:00.0322 10064 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe

22:09:00.0337 10064 WPFFontCache_v0400 - ok

22:09:00.0368 10064 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys

22:09:00.0368 10064 ws2ifsl - ok

22:09:00.0400 10064 wscsvc (1ca6c40261ddc0425987980d0cd2aaab) C:\Windows\system32\wscsvc.dll

22:09:00.0400 10064 wscsvc - ok

22:09:00.0400 10064 WSearch - ok

22:09:00.0509 10064 wuauserv (fc3ec24fce372c89423e015a2ac1a31e) C:\Windows\system32\wuaueng.dll

22:09:00.0571 10064 wuauserv - ok

22:09:00.0680 10064 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys

22:09:00.0680 10064 WUDFRd - ok

22:09:00.0712 10064 wudfsvc (575a4190d989f64732119e4114045a4f) C:\Windows\System32\WUDFSvc.dll

22:09:00.0712 10064 wudfsvc - ok

22:09:00.0743 10064 XDva348 - ok

22:09:00.0743 10064 XDva359 - ok

22:09:00.0790 10064 MBR (0x1B8) (8913823ff508ccf109db74b636c301da) \Device\Harddisk0\DR0

22:09:00.0821 10064 \Device\Harddisk0\DR0 - ok

22:09:00.0821 10064 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk5\DR5

22:09:02.0755 10064 \Device\Harddisk5\DR5 - ok

22:09:02.0755 10064 Boot (0x1200) (18762cb94749c7c97f8702dff6cdd263) \Device\Harddisk0\DR0\Partition0

22:09:02.0771 10064 \Device\Harddisk0\DR0\Partition0 - ok

22:09:02.0771 10064 Boot (0x1200) (3d659c9e5cc9f1959c6d0ff3339866ea) \Device\Harddisk0\DR0\Partition1

22:09:02.0771 10064 \Device\Harddisk0\DR0\Partition1 - ok

22:09:02.0771 10064 Boot (0x1200) (e230c62268d1a82615f925992afc735d) \Device\Harddisk5\DR5\Partition0

22:09:02.0771 10064 \Device\Harddisk5\DR5\Partition0 - ok

22:09:02.0771 10064 ============================================================

22:09:02.0771 10064 Scan finished

22:09:02.0771 10064 ============================================================

22:09:02.0786 11616 Detected object count: 0

22:09:02.0786 11616 Actual detected object count: 0

22:19:40.0340 6268 Deinitialize success


Much better report. Very good result from TDSSKILLER --- nothing detected.

We 'may' have turned the corner on this long-lasting hunt. But need a few more checks.

A Full scan with MBAM may take an hour or two, perhaps more, depending on your system ---- but is well worth it.

Turn OFF your antivirus program, so that it does not interfere.

Save and close any work documents, close any apps that you started.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Post (Copy and Paste) the MBAM scan log.

NEXT:

An online scan at ESET Online may take several hours --- but once more, well worth it.

You will want to print out or copy these instructions to Notepad for offline reference!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall.

Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start >> Internet Explorer >> Right-Click and select Run As Administrator.

Using Internet Explorer browser only, go to ESET Online Scanner website:

http://www.eset.com/onlinescan/

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files (x86)\Eset\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://go.eset.com/u...ine-scanner/faq

    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    • Do not use the system while the scan is running. Once the full scan is underway, go take a long break.

Re-enable the antivirus program.

Reply with copy of the Eset scan log for review, AND

tell me, how is the system (generally) now!


Bad news, I still can't run MBAM in normal mode so I'm currently running the scan in safe mode with networking. The same goes for the ESET Online Scanner; I can't access the website in normal mode of the infected computer. I will try ESET in safe mode once MBAM is finished.

Also, when I turned my computer on this morning (in normal mode), the Windows Command Processor popup appeared again.


MBAM ran in safe mode with networking.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.29.12

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

Patrick Fong :: PATRICKFONG-PC [administrator]

Protection: Disabled

30/06/2012 10:46:25 AM

mbam-log-2012-06-30 (10-46-25).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 420748

Time elapsed: 1 hour(s), 1 minute(s), 55 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Also ran ESET online scanner in safe mode with networking. Here is the log.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=9fe70c67ed45ca4ea6b5006bb84e666c

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-06-30 03:11:32

# local_time=2012-06-30 01:11:32 (+1000, AUS Eastern Standard Time)

# country="Australia"

# lang=1033

# osver=6.0.6002 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 1608473 1608473 0 0

# compatibility_mode=5892 16776574 100 100 1652098 178551185 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=211431

# found=6

# cleaned=6

# scan_time=3961

C:\Qoobox\Quarantine\C\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe.vir a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Patrick Fong\AppData\Local\temp\lhfujcbahkhdwheq.exe a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Patrick Fong\Desktop\Programs\Startup\tchahayq.exe a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Patrick Fong\Desktop\RK_Quarantine\lhfujcbahkhdwheq.exe.vir a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Patrick Fong\Desktop\RK_Quarantine\tchahayq.exe.vir a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

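The ESET log above mixes two kinds of hits: copies of the trojan that earlier tools (ComboFix's Qoobox folder, RogueKiller's RK_Quarantine) had already neutralised and renamed to `.vir`, and live copies in AppData, the temp folder and the Startup folder. Telling those apart is the first thing a responder does when reading such a log, because only the live hits show the infection is still active. The following parser is an added example written for this page; it is not ESET's code and not part of the thread. It reads the `# key=value` header and the detection lines in the posted format, and classifies each path by the quarantine markers seen in this log (an assumption: other tools use other folder names). The sample log is constructed from the posted lines with the user name replaced by a `USER` placeholder.

```python
"""Parse an ESET Online Scanner log (format as posted in this thread) and
separate live detections from hits on other tools' quarantine copies."""
import re
from collections import Counter

# Constructed sample in the posted log's format (header trimmed, user name
# replaced by the placeholder USER); detection names are the thread's own.
SAMPLE_LOG = """\
# version=7
# end=finished
# remove_checked=true
# scanned=211431
# found=6
# cleaned=6
C:\\Qoobox\\Quarantine\\C\\Users\\USER\\AppData\\Local\\lvpnwwpd\\tchahayq.exe.vir a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\\Users\\USER\\AppData\\Local\\lvpnwwpd\\tchahayq.exe a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\\Users\\USER\\AppData\\Local\\temp\\lhfujcbahkhdwheq.exe a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\\Users\\USER\\Desktop\\Programs\\Startup\\tchahayq.exe a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\\Users\\USER\\Desktop\\RK_Quarantine\\lhfujcbahkhdwheq.exe.vir a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\\Users\\USER\\Desktop\\RK_Quarantine\\tchahayq.exe.vir a variant of Win32/Kryptik.AHES trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Detection line: <path with spaces> <threat name> (<action>) <32-hex hash> <flag>.
# The path is matched lazily and the threat name is required to contain a
# "/" (ESET's Platform/Family.Variant form), which a Windows path never does,
# so spaces inside the path do not confuse the split.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<threat>(?:probably )?(?:a variant of )?\S+/\S+.*?)\s+"
    r"\((?P<action>[^)]*)\)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+"
    r"(?P<flag>\S+)$"
)

# Folders in which other cleanup tools keep neutralised copies (assumed from
# the paths in this log); a hit here is an old sample, not an active infection.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\rk_quarantine\\")


def parse_log(text):
    """Return (header dict, list of detection dicts) for an ESET log."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key] = value  # repeated keys (compatibility_mode) keep the last value
            continue
        match = DETECTION_RE.match(line)
        if match:
            detections.append(match.groupdict())
    return header, detections


def is_quarantine_copy(path):
    """True if the path is a renamed (.vir) or quarantine-folder copy."""
    low = path.lower()
    return low.endswith(".vir") or any(m in low for m in QUARANTINE_MARKERS)


def summarize(text):
    """Split detections into live and quarantined hits and count families."""
    header, detections = parse_log(text)
    live = [d["path"] for d in detections if not is_quarantine_copy(d["path"])]
    quarantined = [d["path"] for d in detections if is_quarantine_copy(d["path"])]
    families = Counter(
        re.sub(r"^(probably )?(a variant of )?", "", d["threat"]) for d in detections
    )
    return {
        "finished": header.get("end") == "finished",
        "found": int(header.get("found", 0)),
        "cleaned": int(header.get("cleaned", 0)),
        "parsed": len(detections),
        "live": live,
        "quarantined": quarantined,
        "families": families,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"scan finished: {result['finished']}, found={result['found']}, cleaned={result['cleaned']}")
    print(f"{len(result['live'])} live hit(s):")
    for p in result["live"]:
        print("  ", p)
    print(f"{len(result['quarantined'])} quarantine copy hit(s) (already neutralised by another tool)")
```

On the posted log this yields three quarantine copies and three live copies, one of them in the user's Startup folder, which is why the helper treats the result as a re-appearance rather than leftover debris. The `found`/`cleaned` counts from the header should match `parsed`; a mismatch means a line did not fit the pattern and deserves a manual look.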

This system has a very persistent and self-replicating trojan. We have been at it for two weeks. It is past time for a frank and very serious realization.

The ESET online scan shows that the Win32/Kryptik.AHES trojan has re-appeared. And as you reported, the "Windows Command Processor" rogue has re-appeared (again).

Please answer each of the following questions in a correspondingly-numbered list in your very next reply (no need to quote this post):

1a. Does the computer-in-question belong to your company or does it belong to you, or a friend/relative?

1b. Did Vista come preinstalled on the computer when you bought it, did you do a clean install of Vista, or did you upgrade from XP to Vista?

2a. Was TrendMicro pre-installed on this system or did you intentionally choose to install it?

2b. In Windows Explorer [WinKey+E], navigate to &

  • right-click on C:\Program Files\trend micro <<---this folder
  • Select Properties: What is the Created date displayed on the resulting General tab?

2c. What anti-virus application was installed before you got TrendMicro, was your subscription still current, and did you uninstall it before you installed TrendMicro?

3. Has a Norton application or other antivirus application EVER been installed on the computer?

4. Did a Norton free-trial or a McAfee free-trial come preinstalled on the computer when you bought it? (Doesn't matter if you never used or Activated it.)

5. Has this system ever been without an antivirus program installed & active?

6. Do you have the Windows Vista operating system DVD?

7. Do you have a full image backup of this system from before the trojan infection got in?

Warning on trojans

This system has some serious backdoor trojans, spyware, and likely, a rootkit.

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (Remote Access Trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh. While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions. I would recommend that you do a full reformat and reinstall of Windows rather than clean the system.

I suggest that you backup important files and reinstall everything from scratch. There are so many changes that could have been done if that backdoor was used.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx

Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx

Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx

Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp

Please answer my questions from above, and let me know what you decide.

A complete wipe (nuke) and pave followed by a clean re-install is the safest thing to do.

Should you still decide on trying to cure this infection, I must put a timecap of 2 days before calling a total halt.

We have already been at it for a week. It would have been faster to wipe & re-install earlier.

Only if you still want to keep trying with this saga:

Run the Microsoft Windows Defender Offline. This is an "offline" tool that you boot the pc with and scan your system for malware.

To get started, find a blank CD, DVD, or USB flash drive with at least 250 MB of free space and then download and run the tool—the tool will help you create the removable media.

The basic sequence of steps is:

a) Download and SAVE the tool to a unique folder/location on your pc

b) Create the CD/DVD/USB-flash drive with tool

c) Set pc to boot from the offline media

d) Place media in & restart system

e) Run the tool. Have infinite patience & have it scan the entire system. Remove any malware that is found.

Download & info link http://windows.micro...efender-offline

The frequently asked questions for this tool

http://windows.micro...der-offline-faq

Another How-to article on WDO http://www.sevenforu...er-offline.html


1a) The computer belongs to me.

1b) Vista came pre-installed on our computer.

2a) We chose to install it, in early-mid June after our Norton 360 subscription ran out.

2b) June 11, 2012

2c) Norton 360. No, Norton expired for ~3 days before TrendMicro was activated. Yes I uninstalled Norton before installing Trend.

3) Yes, we've only had Norton installed on this computer.

4) A Norton free-trial came pre-installed.

5) Yes, only the ~3 days between Norton expiring and Trend being activated in June, 2012.

6) No, I don't think so. I will have a look around but I don't remember ever seeing one.

7) We only ever backed up to an HP SimpleSave external hard drive. That was also a long time ago. We haven't used this computer for important things as much recently as we have two new computers for our work-related stuff.

We've decided to follow your advice and do a full reformat. If I can't find a disc with the Vista operating system, is there any other way to get it back? Or will I have to go and buy the disc? Also, in the past we did use this computer for internet banking, university sites, emails and entered other personal information. How far back can this virus go in terms of gathering personal information? I will still be changing all my passwords and alerting my bank.

Can you help us through the reformatting process, please?

Thank you for all your help.

Pat


OK. Tell me who is the manufacturer of this pc?

You indicated you did not have the Vista DVD. Let's take a peek to see if the OEM manufacturer has a recovery partition on the HDD.

Please download Listparts

Run the tool, click Scan and post the log (Result.txt) it makes.
