Rootkit.0Access and Trojan.Dropper.BCMiner

  • This topic is locked
18 replies to this topic

#1 Rfacio


    New Member

  • Members
  • 15 posts

Posted 17 August 2012 - 07:37 PM


Hello, I've got this nasty Rootkit and Trojan on my computer that MalwareBytes cannot get rid of, and ever since my Malwarebytes detected it, I've been hearing this noise from my speakers that sounds like someone rustling around with a mic. The thing is, my PC does not have a mic plugged in to it so it's really freaking me out. Dunno if it's related to these two things but either way I'd really like to get rid of them.

Please help!?

Here's the MBAM log along with the DDS logs:

Also, I am unable to run Rogue Killer. I've tried three times.
Twice I got a blue screen of death, and the third time, just as it was about to finish the Scan, it "Stopped working unexpectedly" and force closed.
Please help, this is extremely aggravating :(



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Kandice at 17:26:30 on 2012-08-17
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1919.925 [GMT -7:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Users\Kandice\AppData\Local\Facebook\Update\FacebookUpdate.exe
C:\Users\Kandice\AppData\Local\Soft32\Soft32 Updater\Soft32 Updater.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://blekkosearch.mystart.com/blekkotb_soc/?source=86adbc52&toolbarid=blekkotb_soc&u=20120515F6FD4721BCE920F80623E344&tbp=homepage
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [AdobeBridge]
uRun: [Facebook Update] "c:\users\kandice\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Soft32 Updater.exe] c:\users\kandice\appdata\local\soft32\soft32 updater\Soft32 Updater.exe /SILENT
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Anti-phishing Domain Advisor] "c:\programdata\anti-phishing domain advisor\visicom_antiphishing.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [ROC_roc_ssl_v12] "c:\program files\avg secure search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/w...&"ver=10.0.1424
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {C8BC46C7-921C-4102-B67D-F1F7E65FB0BE} - hxxps://battlefield.play4free.com/static/updater/BP4FUpdater_1.0.53.2.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{5ABC3ABC-3CF7-49CF-8E24-F4867B867FD5} : DhcpNameServer = 209.18.47.61 209.18.47.62
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kandice\appdata\roaming\mozilla\firefox\profiles\6n7x2el9.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\kandice\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_271.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-4-3 63928]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-8-6 655944]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2011-10-1 508776]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-8-6 22344]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-8-17 40776]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2011-10-1 579944]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2011-10-1 194408]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2011-10-1 21864]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2011-10-1 19304]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2011-10-1 219496]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 RelevantKnowledge;RelevantKnowledge;c:\program files\relevantknowledge\rlservice.exe /service --> c:\program files\relevantknowledge\rlservice.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-10 250056]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\toolbarbroker.exe --> c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-4 113120]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-6-18 1343400]
.
=============== Created Last 30 ================
.
2012-08-18 00:14:28 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-08-10 02:10:07 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-08 02:09:03 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{a9131960-9fff-4927-9c77-7902715cc7cd}\offreg.dll
2012-08-07 22:58:17 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{a9131960-9fff-4927-9c77-7902715cc7cd}\mpengine.dll
2012-08-07 00:55:36 -------- d-----w- c:\users\kandice\appdata\roaming\Malwarebytes
2012-08-07 00:55:31 -------- d-----w- c:\programdata\Malwarebytes
2012-08-07 00:55:30 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-07 00:55:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2012-08-15 04:09:50 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-15 04:09:50 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-12 02:44:03 2344448 ----a-w- c:\windows\system32\win32k.sys
2012-06-06 05:09:46 1389568 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:09:46 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-02 22:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:51:16 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:51:16 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:50:00 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:48:35 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:47:31 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-05-31 19:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: ST380811 rev.3.AD -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x85E0E4B1]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85e1593c]; MOV EAX, [0x85e15ab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82A5B458] -> \Device\Harddisk0\DR0[0x85BA5030]
3 CLASSPNP[0x887A859E] -> ntkrnlpa!IofCallDriver[0x82A5B458] -> [0x84BC8700]
5 ACPI[0x832163B2] -> ntkrnlpa!IofCallDriver[0x82A5B458] -> \00000059[0x854F5890]
\Driver\nvstor[0x85D4C4B8] -> IRP_MJ_CREATE -> 0x85E0E4B1
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\00000059 -> \??\SCSI#Disk&Ven_ST380811&Prod_0AS#4&a64abbf&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:28:02.97 ===============


#2 MrCharlie


    Forum Deity

  • Experts
  • 28,152 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 18 August 2012 - 06:53 AM

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

Malware Removal Expert

I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

#3 Rfacio


    New Member

  • Members
  • 15 posts

Posted 18 August 2012 - 10:57 AM

Thank you MrCharlie.
I've downloaded and attempted to run Rogue Killer numerous times without any success. Half the time the program "Stops Working Unexpectedly" every time it's scanning the MBR, and the other half I get a blue screen of death referencing a Stoport.sys. I've also tried running it in safe mode, but it seems to auto close when it's about to finish the scan and no log is created.
Anything else I can do to get this information to you?

#4 MrCharlie


    Forum Deity

  • Experts
  • 28,152 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 18 August 2012 - 10:59 AM

Uncheck MBR and try it again, MrC


#5 Rfacio


    New Member

  • Members
  • 15 posts

Posted 18 August 2012 - 11:41 AM

6.6 [08/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User: Kandice [Admin rights]
Mode: Scan -- Date: 08/18/2012 09:39:45

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 6 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Soft32 Updater.exe (C:\Users\Kandice\AppData\Local\Soft32\Soft32 Updater\Soft32 Updater.exe /SILENT) -> FOUND
[SUSP PATH] HKLM\[...]\Run : Anti-phishing Domain Advisor ("C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe") -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1829147003-1944629146-3105163407-1000[...]\Run : Soft32 Updater.exe (C:\Users\Kandice\AppData\Local\Soft32\Soft32 Updater\Soft32 Updater.exe /SILENT) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : c:\windows\installer\{ec2e5983-b05b-1ba5-249a-a173358625fc}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{ec2e5983-b05b-1ba5-249a-a173358625fc}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{ec2e5983-b05b-1ba5-249a-a173358625fc}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND
[Susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> FOUND
[ZeroAccess][Sig found] services.exe : c:\windows\system32\services.exe --> FOUND

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

Finished : << RKreport[1].txt >>
RKreport[1].txt
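The "[Susp.ASLR][ASLR WIPED-OFF] services.exe" line in the RogueKiller report above refers to a single bit in the PE optional header: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040), which a Windows 7 system binary such as services.exe is linked with and which a patched copy may have cleared. The Python below is an added example, not part of the original post and not RogueKiller's or FRST's own code; it parses the header field directly so the finding can be reproduced on a copy of services.exe taken from a mounted disk or the recovery environment rather than trusting the live system. The minimal PE headers it builds for offline testing are constructed and are not loadable images.

```python
"""Read the DllCharacteristics word of a PE image and report whether ASLR (DYNAMIC_BASE) is set.

Example code written for this thread; not from the original post or from any scanner.
"""
import struct
import sys
from pathlib import Path

# DllCharacteristics flags from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR
DYNAMIC_BASE = 0x0040      # ASLR (the bit RogueKiller's "ASLR WIPED-OFF" heuristic refers to)
FORCE_INTEGRITY = 0x0080   # signature enforced at load
NX_COMPAT = 0x0100         # DEP
GUARD_CF = 0x4000          # Control Flow Guard

# Offset of DllCharacteristics inside the optional header; identical for PE32 and PE32+.
DLLCHAR_OFFSET = 70


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word, raising ValueError on a malformed header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                 # 20-byte COFF file header follows the signature
    opt = coff + 20                     # optional header follows the COFF header
    if len(image) < opt + DLLCHAR_OFFSET + 2:
        raise ValueError("file truncated before DllCharacteristics")
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    if size_of_optional < DLLCHAR_OFFSET + 2:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):     # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (flags,) = struct.unpack_from("<H", image, opt + DLLCHAR_OFFSET)
    return flags


def aslr_enabled(image: bytes) -> bool:
    return bool(dll_characteristics(image) & DYNAMIC_BASE)


def describe(image: bytes) -> dict:
    """Decode the mitigation flags a triage report would want to see side by side."""
    flags = dll_characteristics(image)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "force_integrity": bool(flags & FORCE_INTEGRITY),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
        "cfg": bool(flags & GUARD_CF),
    }


def verdict(image: bytes) -> str:
    """Mirror the report wording: a system binary with DYNAMIC_BASE clear is suspicious."""
    return "OK" if aslr_enabled(image) else "ASLR WIPED-OFF"


def build_test_image(dll_characteristics_value: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections, not loadable) used only for offline tests."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_characteristics_value)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Inspect a file on disk, e.g. a services.exe copied from the offline volume."""
    return describe(Path(path).read_bytes())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, verdict(Path(p).read_bytes()), check_file(p))
    else:
        print("clean-style header:", verdict(build_test_image(DYNAMIC_BASE | NX_COMPAT)))
        print("patched-style header:", verdict(build_test_image(NX_COMPAT)))
```

Run it as `python pe_aslr_check.py X:\Windows\System32\services.exe` against the offline copy; a clean Windows 7 services.exe reports `OK`. A clear DYNAMIC_BASE bit on a Microsoft system binary is a strong hint that the file was rewritten, but the header check alone does not prove what was inserted, so the finding should be confirmed by comparing the file's hash or Authenticode signature with a known-good copy.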
#6 MrCharlie


    Forum Deity

  • Experts
  • 28,152 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 18 August 2012 - 12:43 PM

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs (FRST.txt and Search.txt) in your reply.
MrC


#7 Rfacio


    New Member

  • Members
  • 15 posts

Posted 18 August 2012 - 03:03 PM

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 18-08-2012
Ran by SYSTEM at 18-08-2012 12:47:49
Running from J:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\Update\realsched.exe" -osboot [273544 2011-07-29] (RealNetworks, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-15] (Adobe Systems Incorporated)
HKLM\...\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)
HKLM\...\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [x]
HKLM\...\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe" [771360 2009-11-11] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-01-16] (Apple Inc.)
HKLM\...\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup [305088 2011-04-25] (Citrix Systems, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [Anti-phishing Domain Advisor] "C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [217256 2011-07-29] (Visicom Media Inc. (Powered by Panda Security))
HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKLM\...\Run: [ROC_roc_ssl_v12] "C:\Program Files\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12 [x]
HKU\Administrator\...\RunOnce: [spchecker] "C:\Program Files\AVG\AVG10\Notification\SPCheckerTE.exe" [x]
HKU\Kandice\...\Run: [AdobeBridge] [x]
HKU\Kandice\...\Run: [Facebook Update] "C:\Users\Kandice\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-11] (Facebook Inc.)
HKU\Kandice\...\Run: [Soft32 Updater.exe] C:\Users\Kandice\AppData\Local\Soft32\Soft32 Updater\Soft32 Updater.exe /SILENT [163640 2011-10-19] (I.T.N.T.)
HKLM\...\Runonce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/w...&"ver=10.0.1424 [x]
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

================================ Services (Whitelisted) ==================

2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 IntuitUpdateServiceV4; "C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe" [13672 2011-08-25] (Intuit Inc.)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75136 2011-07-30] ()
2 PnkBstrB; C:\Windows\system32\PnkBstrB.exe [189248 2011-07-30] ()
3 AVG Security Toolbar Service; C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
2 RelevantKnowledge; C:\Program Files\RelevantKnowledge\rlservice.exe /service [x]

========================== Drivers (Whitelisted) =============

1 ctxusbm; C:\Windows\System32\DRIVERS\ctxusbm.sys [65584 2010-07-14] (Citrix Systems, Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-07-03] (Malwarebytes Corporation)
3 sscdserd; C:\Windows\System32\DRIVERS\sscdserd.sys [73696 2005-08-17] (MCCI)
3 VSTHWBS2; C:\Windows\System32\DRIVERS\VSTBS23.SYS [266752 2009-07-13] (Conexant Systems, Inc.)
3 VST_DPV; C:\Windows\System32\DRIVERS\VSTDPV3.SYS [980992 2009-07-13] (Conexant Systems, Inc.)
0 vfgkjsj; C:\Windows\System32\drivers\aguapud.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-18 12:47 - 2012-08-18 12:47 - 00000000 ____D C:\FRST
2012-08-18 11:07 - 2012-08-18 11:07 - 00897686 ____A (Farbar) C:\Users\Kandice\Desktop\FRST.exe
2012-08-18 08:39 - 2012-08-18 08:39 - 00001885 ____A C:\Users\Kandice\Desktop\RKreport[1].txt
2012-08-18 07:38 - 2012-08-18 07:38 - 00131072 ____A C:\Windows\Minidump\081812-21559-01.dmp
2012-08-17 17:32 - 2012-08-17 17:33 - 00131072 ____A C:\Windows\Minidump\081712-20404-01.dmp
2012-08-17 17:12 - 2012-08-17 17:13 - 00131072 ____A C:\Windows\Minidump\081712-34554-01.dmp
2012-08-17 17:11 - 2012-08-18 08:39 - 00000000 ____D C:\Users\Kandice\Desktop\RK_Quarantine
2012-08-17 17:09 - 2012-08-17 17:09 - 01558528 ____A C:\Users\Kandice\Desktop\RogueKiller.exe
2012-08-17 16:31 - 2012-08-17 16:31 - 00017103 ____A C:\Users\Kandice\Desktop\DDS.txt
2012-08-17 16:31 - 2012-08-17 16:31 - 00015294 ____A C:\Users\Kandice\Desktop\Attach.txt
2012-08-14 21:07 - 2012-08-14 21:07 - 00607260 ____R (Swearware) C:\Users\Kandice\Desktop\dds.scr
2012-08-12 16:40 - 2012-08-12 16:40 - 00155848 ____A C:\Windows\Minidump\081212-44413-01.dmp
2012-08-09 18:10 - 2012-08-09 18:10 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-08-09 17:30 - 2012-08-09 17:30 - 00000000 ____D C:\Windows\Sun
2012-08-08 16:17 - 2012-08-08 16:17 - 03879800 ____A (AVG Technologies) C:\Users\Kandice\Downloads\avg_free_stb_all_2012_2197_cnet.exe
2012-08-06 16:55 - 2012-08-06 16:55 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-06 16:55 - 2012-08-06 16:55 - 00000000 ____D C:\Users\Kandice\AppData\Roaming\Malwarebytes
2012-08-06 16:55 - 2012-08-06 16:55 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-06 16:55 - 2012-08-06 16:55 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-08-06 16:55 - 2012-07-03 12:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-06 16:52 - 2012-08-06 16:54 - 10651696 ____A (Malwarebytes Corporation ) C:\Users\Kandice\Downloads\mbam-consumer.exe
2012-07-22 20:59 - 2012-07-22 20:59 - 04252784 ____A (Hewlett-Packard Company ) C:\Users\Kandice\Downloads\WG_US_walgreens-agent.exe

============ 3 Months Modified Files ========================

2012-08-18 11:12 - 2009-07-13 20:34 - 00014976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-18 11:12 - 2009-07-13 20:34 - 00014976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-18 11:10 - 2011-06-16 00:09 - 00727008 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-18 11:09 - 2012-04-10 21:25 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-18 11:09 - 2009-07-13 20:39 - 00038822 ____A C:\Windows\setupact.log
2012-08-18 11:07 - 2012-08-18 11:07 - 00897686 ____A (Farbar) C:\Users\Kandice\Desktop\FRST.exe
2012-08-18 08:59 - 2011-08-25 16:21 - 00000936 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1829147003-1944629146-3105163407-1000UA.job
2012-08-18 08:39 - 2012-08-18 08:39 - 00001885 ____A C:\Users\Kandice\Desktop\RKreport[1].txt
2012-08-18 07:45 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-18 07:38 - 2012-08-18 07:38 - 00131072 ____A C:\Windows\Minidump\081812-21559-01.dmp
2012-08-18 01:42 - 2011-08-25 02:18 - 00079882 ____A C:\Windows\PFRO.log
2012-08-18 00:44 - 2009-07-13 20:53 - 00025102 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-17 17:33 - 2012-08-17 17:32 - 00131072 ____A C:\Windows\Minidump\081712-20404-01.dmp
2012-08-17 17:13 - 2012-08-17 17:12 - 00131072 ____A C:\Windows\Minidump\081712-34554-01.dmp
2012-08-17 17:09 - 2012-08-17 17:09 - 01558528 ____A C:\Users\Kandice\Desktop\RogueKiller.exe
2012-08-17 16:31 - 2012-08-17 16:31 - 00017103 ____A C:\Users\Kandice\Desktop\DDS.txt
2012-08-17 16:31 - 2012-08-17 16:31 - 00015294 ____A C:\Users\Kandice\Desktop\Attach.txt
2012-08-17 14:59 - 2011-08-25 16:21 - 00000914 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1829147003-1944629146-3105163407-1000Core.job
2012-08-15 07:50 - 2011-06-16 06:57 - 01772221 ____A C:\Windows\WindowsUpdate.log
2012-08-14 21:07 - 2012-08-14 21:07 - 00607260 ____R (Swearware) C:\Users\Kandice\Desktop\dds.scr
2012-08-14 20:09 - 2012-04-10 21:25 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-14 20:09 - 2011-07-16 19:32 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-12 16:40 - 2012-08-12 16:40 - 00155848 ____A C:\Windows\Minidump\081212-44413-01.dmp
2012-08-08 16:17 - 2012-08-08 16:17 - 03879800 ____A (AVG Technologies) C:\Users\Kandice\Downloads\avg_free_stb_all_2012_2197_cnet.exe
2012-08-06 16:55 - 2012-08-06 16:55 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-06 16:54 - 2012-08-06 16:52 - 10651696 ____A (Malwarebytes Corporation ) C:\Users\Kandice\Downloads\mbam-consumer.exe
2012-07-22 20:59 - 2012-07-22 20:59 - 04252784 ____A (Hewlett-Packard Company ) C:\Users\Kandice\Downloads\WG_US_walgreens-agent.exe
2012-07-11 02:21 - 2009-07-13 20:33 - 03631352 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 02:01 - 2011-06-16 09:28 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-03 12:46 - 2012-08-06 16:55 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-11 18:44 - 2012-07-11 02:00 - 02344448 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 20:46 - 2012-07-10 23:49 - 12868608 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 21:09 - 2012-07-10 23:50 - 01389568 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:09 - 2012-07-10 23:50 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-02 14:19 - 2012-06-21 08:14 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 08:14 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 08:14 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 08:13 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 08:13 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:19 - 2012-06-21 08:13 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-21 08:14 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-21 08:13 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:12 - 2012-06-21 08:13 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-11 02:03 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-11 02:03 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-11 02:03 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-11 02:03 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-11 02:03 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 02:03 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-11 02:03 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-11 02:03 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 02:03 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 02:03 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-11 02:03 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-11 02:03 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 02:03 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 02:03 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:51 - 2012-07-10 23:50 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:51 - 2012-07-10 23:50 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:50 - 2012-07-10 23:50 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:48 - 2012-07-10 23:50 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:47 - 2012-07-10 23:50 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-31 11:25 - 2011-06-16 00:21 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-05-27 13:33 - 2011-06-25 20:19 - 00060104 ____A C:\Users\Kandice\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-27 13:29 - 2012-05-27 13:28 - 00157016 ____A C:\Windows\Minidump\052712-37596-01.dmp


ZeroAccess:
C:\Windows\Installer\{ec2e5983-b05b-1ba5-249a-a173358625fc}
C:\Windows\Installer\{ec2e5983-b05b-1ba5-249a-a173358625fc}\@
C:\Windows\Installer\{ec2e5983-b05b-1ba5-249a-a173358625fc}\L
C:\Windows\Installer\{ec2e5983-b05b-1ba5-249a-a173358625fc}\U
C:\Windows\Installer\{ec2e5983-b05b-1ba5-249a-a173358625fc}\L\00000004.@
C:\Windows\Installer\{ec2e5983-b05b-1ba5-249a-a173358625fc}\L\201d3dde

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 20%
Total physical RAM: 1918.52 MB
Available physical RAM: 1518.78 MB
Total Pagefile: 1918.52 MB
Available Pagefile: 1517.41 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.3 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:74.41 GB) (Free:23.67 GB) NTFS
7 Drive j: () (Removable) (Total:29.8 GB) (Free:29.75 GB) FAT32
8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
9 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 74 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 Online 29 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 74 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 74 GB Healthy

==================================================================================

Partitions of Disk 5:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 29 GB 16 KB

==================================================================================

Disk: 5
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 J FAT32 Removable 29 GB Healthy

==================================================================================

Last Boot: 2012-08-16 23:09

======================= End Of Log ==========================


Farbar Recovery Scan Tool Version: 18-08-2012
Ran by SYSTEM at 2012-08-18 12:51:18
Running from J:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===

#8 MrCharlie

    Forum Deity

  • Experts
  • 28,152 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 18 August 2012 - 03:38 PM

OK, here you go... Please carefully carry out this procedure!

Please download the attached fixlist.txt and copy it to your flash drive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options (as you did before).

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

MrC

Malware Removal Expert

I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#9 Rfacio

    New Member

  • Members
  • 15 posts

Posted 18 August 2012 - 03:59 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 18-08-2012
Ran by SYSTEM at 2012-08-18 13:53:35 Run:1
Running from J:\

==============================================

C:\Windows\Installer\{ec2e5983-b05b-1ba5-249a-a173358625fc} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

#10 MrCharlie

    Forum Deity

  • Experts
  • 28,152 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 18 August 2012 - 04:09 PM

Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


#11 Rfacio

    New Member

  • Members
  • 15 posts

Posted 18 August 2012 - 05:14 PM

ComboFix 12-08-18.03 - Kandice 08/18/2012 14:44:01.2.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1919.1272 [GMT -7:00]
Running from: c:\users\Kandice\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\somototoolbar\vmNTemplatex.dll
c:\program files\StartNow Toolbar
c:\program files\StartNow Toolbar\ToolbarUpdaterService.exe
c:\users\Kandice\AppData\Local\Soft32\Soft32 Updater\Soft32 Updater.exe
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\chrome.manifest
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\chrome\content\background.html
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\chrome\content\browser.xul
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\chrome\content\crossrider.js
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\chrome\content\crossriderapi.js
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\chrome\content\dialog.js
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\chrome\content\options.js
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\chrome\content\options.xul
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\chrome\content\search_dialog.xul
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\chrome\content\update.html
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\defaults\preferences\prefs.js
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\install.rdf
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\locale\en-US\translations.dtd
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\button1.png
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\button2.png
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\button3.png
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\button4.png
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\button5.png
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\crossrider_statusbar.png
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\icon128.png
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\icon16.png
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\icon24.png
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\icon48.png
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\panelarrow-up.png
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\popup.css
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\popup.html
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\popup_binding.xml
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\skin.css
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\extensions\crossriderapp2258@crossrider.com\skin\update.css
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_RelevantKnowledge
.
.
((((((((((((((((((((((((( Files Created from 2012-07-18 to 2012-08-18 )))))))))))))))))))))))))))))))
.
.
2012-08-18 21:52 . 2012-08-18 21:55 -------- d-----w- c:\users\Kandice\AppData\Local\temp
2012-08-18 21:52 . 2012-08-18 21:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-18 21:52 . 2012-08-18 21:52 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-08-18 20:47 . 2012-08-18 20:47 -------- d-----w- C:\FRST
2012-08-18 03:37 . 2012-08-18 03:37 -------- d-----w- c:\users\Kandice\AppData\Local\ElevatedDiagnostics
2012-08-10 02:10 . 2012-08-10 02:10 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-10 01:30 . 2012-08-10 01:30 -------- d-----w- c:\windows\Sun
2012-08-08 02:09 . 2012-08-08 08:54 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A9131960-9FFF-4927-9C77-7902715CC7CD}\offreg.dll
2012-08-07 22:58 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A9131960-9FFF-4927-9C77-7902715CC7CD}\mpengine.dll
2012-08-07 00:55 . 2012-08-07 00:55 -------- d-----w- c:\users\Kandice\AppData\Roaming\Malwarebytes
2012-08-07 00:55 . 2012-08-07 00:55 -------- d-----w- c:\programdata\Malwarebytes
2012-08-07 00:55 . 2012-08-07 00:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-07 00:55 . 2012-07-03 20:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 04:09 . 2012-04-11 05:25 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 04:09 . 2011-07-17 03:32 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-12 02:44 . 2012-07-11 10:00 2344448 ----a-w- c:\windows\system32\win32k.sys
2012-06-06 05:09 . 2012-07-11 07:50 1389568 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:09 . 2012-07-11 07:50 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-02 22:19 . 2012-06-21 16:13 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-21 16:14 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 16:14 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 16:13 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 16:13 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 16:14 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 16:14 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 16:13 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:12 . 2012-06-21 16:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 08:33 . 2012-07-11 10:03 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25 . 2012-07-11 10:03 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25 . 2012-07-11 10:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20 . 2012-07-11 10:03 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16 . 2012-07-11 10:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:51 . 2012-07-11 07:50 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:51 . 2012-07-11 07:50 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:50 . 2012-07-11 07:50 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:48 . 2012-07-11 07:50 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:47 . 2012-07-11 07:50 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-01 13:43 . 2012-06-01 13:43 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
2012-05-31 19:25 . 2011-06-16 08:21 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-04-25 08:58 . 2011-04-25 08:58 124864 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2011-04-25 09:48 . 2011-04-25 09:48 13760 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2011-04-25 09:00 . 2011-04-25 09:00 71104 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2011-04-25 08:59 . 2011-04-25 08:59 92096 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2011-04-25 08:58 . 2011-04-25 08:58 22976 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2011-04-25 08:57 . 2011-04-25 08:57 255936 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2011-04-25 08:58 . 2011-04-25 08:58 32192 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2011-04-25 08:58 . 2011-04-25 08:58 40896 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2011-04-25 08:51 . 2011-04-25 08:51 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2011-04-25 09:00 . 2011-04-25 09:00 24512 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2012-07-23 23:05 . 2011-10-22 02:43 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Kandice\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2011-07-29 273544]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-16 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-17 421736]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2011-04-25 305088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Anti-phishing Domain Advisor"="c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2011-07-29 217256]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/w...&ver=10.0.1424" [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R0 vfgkjsj;vfgkjsj;c:\windows\System32\drivers\aguapud.sys [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [x]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 04:09]
.
2012-08-17 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1829147003-1944629146-3105163407-1000Core.job
- c:\users\Kandice\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-26 22:54]
.
2012-08-18 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1829147003-1944629146-3105163407-1000UA.job
- c:\users\Kandice\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-26 22:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://blekkosearch.mystart.com/blekkotb_soc/?source=86adbc52&toolbarid=blekkotb_soc&u=20120515F6FD4721BCE920F80623E344&tbp=homepage
uInternet Settings,ProxyOverride = *.local
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-Soft32 Updater.exe - c:\users\Kandice\AppData\Local\Soft32\Soft32 Updater\Soft32 Updater.exe
HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
HKLM-Run-ROC_roc_ssl_v12 - c:\program files\AVG Secure Search\ROC_roc_ssl_v12.exe
AddRemove-facetheme - c:\program files\Object\facetheme_uninstall.exe
AddRemove-{87686C21-8A15-4b4d-A3F1-11141D9BE094} - c:\users\Kandice\Desktop\uninstaller.exe
.
.
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: ST380811 rev.3.AD -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x85E0E4B1]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85e1593c]; MOV EAX, [0x85e15ab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82A4B458] -> \Device\Harddisk0\DR0[0x85BA6030]
3 CLASSPNP[0x8878859E] -> ntkrnlpa!IofCallDriver[0x82A4B458] -> [0x84BC8C90]
5 ACPI[0x832133B2] -> ntkrnlpa!IofCallDriver[0x82A4B458] -> \0000005b[0x85494938]
\Driver\nvstor[0x85D30718] -> IRP_MJ_CREATE -> 0x85E0E4B1
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\0000005b -> \??\SCSI#Disk&Ven_ST380811&Prod_0AS#4&a64abbf&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2640)
c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\conhost.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2012-08-18 15:04:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-18 22:04
.
Pre-Run: 33,752,752,128 bytes free
Post-Run: 35,045,670,912 bytes free
.
- - End Of File - - 14F7F7B35A9948BF586820F07E3D7159

#12 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,152 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 18 August 2012 - 05:28 PM

Please download TDSSKiller to your desktop and run it as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, right-click on the program, select Run as Administrator to start, and when prompted, Allow to run.



-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


------------------------

Click the Start Scan button.


-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.



----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.




--------------------

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.
Sometimes these logs can be very large; in that case, please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

MrC

Malware Removal Expert




I volunteer my free time to help you; if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew
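The log that the steps above produce is a flat text file, and on a thread like this one it runs to hundreds of "[ md5 ] Name Path" / "Name - ok" pairs. As an added example (it is not part of this thread and not Kaspersky's TDSSKiller code), here is a small Python parser that turns such a log into records, confirms from the "Mode:" line that the SigCheck and TDLFS options were actually on, pulls out every entry the scanner did not mark "ok", and compares the MD5 of each enumerated driver against a known-good hash list. The first sample lines are taken from the log format shown in this thread; the "exampledrv" entry, its all-placeholder hash, the "Rootkit.Boot.Example.a" detection name and the KNOWN_GOOD table are constructed placeholders for illustration, not real indicators. UnsignedFile.Multi.Generic is the warning name MrCharlie's post mentions.

```python
"""Parse a TDSSKiller text log into structured records (added example, not TDSSKiller code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Every TDSSKiller log line starts with a timestamp and a 4-digit thread id, then the message.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d{4}\s+(?P<msg>.*)$")
# Enumeration line for a service or driver: "[ md5 ] Name C:\path"
ENTRY_RE = re.compile(
    r"^\[\s*(?P<md5>[0-9a-f]{32})\s*\]\s+(?P<name>.+?)\s+(?P<path>[A-Za-z]:\\.*)$")
# Verdict line: "Name - ok", or "Name ( Detection.Name ) - warning" when something was flagged
VERDICT_RE = re.compile(
    r"^(?P<name>.+?)(?:\s+\(\s*(?P<detect>[^()]+?)\s*\))?\s+-\s+(?P<verdict>\w+)$")
# Scan-mode line, e.g. "Mode: Manual; SigCheck; TDLFS;"
MODE_RE = re.compile(r"^Mode:\s*(?P<modes>.*)$")


@dataclass
class Record:
    name: str
    verdict: str
    md5: Optional[str] = None
    path: Optional[str] = None
    detection: Optional[str] = None


@dataclass
class Report:
    modes: List[str]
    records: List[Record]

    def findings(self) -> List[Record]:
        """Every object the scanner did not classify as plain 'ok'."""
        return [r for r in self.records if r.verdict != "ok"]

    def unknown_hashes(self, baseline: Dict[str, str]) -> List[Record]:
        """Enumerated files whose MD5 is absent from a known-good {md5: name} baseline."""
        return [r for r in self.records if r.md5 and r.md5 not in baseline]


def parse_tdsskiller_log(text: str) -> Report:
    modes: List[str] = []
    pending: Dict[str, Record] = {}   # enumerated entries waiting for their verdict line
    records: List[Record] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        mm = MODE_RE.match(msg)
        if mm:
            modes = [s.strip() for s in mm.group("modes").split(";") if s.strip()]
            continue
        em = ENTRY_RE.match(msg)
        if em:
            pending[em.group("name")] = Record(em.group("name"), "", em.group("md5"), em.group("path"))
            continue
        vm = VERDICT_RE.match(msg)
        if vm:
            name = vm.group("name")
            rec = pending.pop(name, Record(name, ""))   # some services are listed with no hash
            rec.verdict = vm.group("verdict")
            rec.detection = vm.group("detect")
            records.append(rec)
    return Report(modes, records)


# Constructed sample: the first lines follow the log shown in this thread, the last three are placeholders.
SAMPLE_LOG = """\
15:38:17.0749 0272 Mode: Manual; SigCheck; TDLFS;
15:38:18.0685 0272 [ 6d2aca41739bfe8cb86ee8e85f29697d ] 1394ohci C:\\Windows\\system32\\DRIVERS\\1394ohci.sys
15:38:18.0794 0272 1394ohci - ok
15:38:20.0932 0272 [ 3debbecf665dcdde3a95d9b902010817 ] Apple Mobile Device C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\AppleMobileDeviceService.exe
15:38:20.0947 0272 Apple Mobile Device - ok
15:38:21.0431 0272 AVG Security Toolbar Service - ok
15:38:40.0000 0272 [ 0123456789abcdef0123456789abcdef ] exampledrv C:\\Windows\\system32\\DRIVERS\\exampledrv.sys
15:38:40.0010 0272 exampledrv ( UnsignedFile.Multi.Generic ) - warning
15:38:41.0000 0272 \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Example.a ) - infected
"""

# Constructed baseline built from the thread's own "ok" entries; a real one comes from a clean reference build.
KNOWN_GOOD = {
    "6d2aca41739bfe8cb86ee8e85f29697d": "1394ohci",
    "3debbecf665dcdde3a95d9b902010817": "Apple Mobile Device",
}

if __name__ == "__main__":
    report = parse_tdsskiller_log(SAMPLE_LOG)
    print("scan modes:", ", ".join(report.modes))
    for r in report.findings():
        print(f"FLAGGED  {r.name}: {r.verdict} ({r.detection})")
    for r in report.unknown_hashes(KNOWN_GOOD):
        print(f"UNKNOWN  {r.name} {r.md5} {r.path}")
```

The two checks are deliberately separate: `findings()` only trusts the scanner's own verdicts, while `unknown_hashes()` catches a driver the scanner passed as "ok" but whose hash no clean reference machine has ever produced, which is the more useful question once a rootkit is suspected.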

#13 Rfacio

Rfacio

    New Member

  • Members
  • Pip
  • 15 posts

Posted 18 August 2012 - 05:46 PM

15:37:38.0453 1132 TDSS rootkit removing tool 2.8.6.0 Aug 13 2012 17:24:05
15:37:39.0046 1132 ============================================================
15:37:39.0046 1132 Current date / time: 2012/08/18 15:37:39.0046
15:37:39.0046 1132 SystemInfo:
15:37:39.0046 1132
15:37:39.0046 1132 OS Version: 6.1.7600 ServicePack: 0.0
15:37:39.0046 1132 Product type: Workstation
15:37:39.0046 1132 ComputerName: CASTELLLANOS
15:37:39.0046 1132 UserName: Kandice
15:37:39.0046 1132 Windows directory: C:\Windows
15:37:39.0046 1132 System windows directory: C:\Windows
15:37:39.0046 1132 Processor architecture: Intel x86
15:37:39.0046 1132 Number of processors: 2
15:37:39.0046 1132 Page size: 0x1000
15:37:39.0046 1132 Boot type: Normal boot
15:37:39.0046 1132 ============================================================
15:37:39.0670 1132 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x285D, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
15:37:39.0685 1132 Drive \Device\Harddisk5\DR5 - Size: 0x774488000 (29.82 Gb), SectorSize: 0x200, Cylinders: 0xF34, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
15:37:39.0685 1132 ============================================================
15:37:39.0685 1132 \Device\Harddisk0\DR0:
15:37:39.0685 1132 MBR partitions:
15:37:39.0685 1132 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
15:37:39.0685 1132 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x94CF800
15:37:39.0685 1132 \Device\Harddisk5\DR5:
15:37:39.0685 1132 MBR partitions:
15:37:39.0685 1132 \Device\Harddisk5\DR5\Partition1: MBR, Type 0xC, StartLBA 0x20, BlocksNum 0x3BA2420
15:37:39.0685 1132 ============================================================
15:37:39.0716 1132 C: <-> \Device\Harddisk0\DR0\Partition2
15:37:39.0716 1132 ============================================================
15:37:39.0716 1132 Initialize success
15:37:39.0716 1132 ============================================================
15:38:17.0749 0272 ============================================================
15:38:17.0749 0272 Scan started
15:38:17.0749 0272 Mode: Manual; SigCheck; TDLFS;
15:38:17.0749 0272 ============================================================
15:38:18.0467 0272 ================ Scan services =============================
15:38:18.0685 0272 [ 6d2aca41739bfe8cb86ee8e85f29697d ] 1394ohci C:\Windows\system32\DRIVERS\1394ohci.sys
15:38:18.0794 0272 1394ohci - ok
15:38:18.0841 0272 [ f0e07d144c8685b8774bc32fc8da4df0 ] ACPI C:\Windows\system32\DRIVERS\ACPI.sys
15:38:18.0857 0272 ACPI - ok
15:38:18.0888 0272 [ 98d81ca942d19f7d9153b095162ac013 ] AcpiPmi C:\Windows\system32\DRIVERS\acpipmi.sys
15:38:18.0919 0272 AcpiPmi - ok
15:38:19.0169 0272 [ 62b7936f9036dd6ed36e6a7efa805dc0 ] AdobeARMservice C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
15:38:19.0200 0272 AdobeARMservice - ok
15:38:19.0294 0272 [ a9d3b95e8466bd58eeb8a1154654e162 ] AdobeFlashPlayerUpdateSvc C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
15:38:19.0309 0272 AdobeFlashPlayerUpdateSvc - ok
15:38:19.0372 0272 [ 21e785ebd7dc90a06391141aac7892fb ] adp94xx C:\Windows\system32\DRIVERS\adp94xx.sys
15:38:19.0387 0272 adp94xx - ok
15:38:19.0434 0272 [ 0c676bc278d5b59ff5abd57bbe9123f2 ] adpahci C:\Windows\system32\DRIVERS\adpahci.sys
15:38:19.0450 0272 adpahci - ok
15:38:19.0481 0272 [ 7c7b5ee4b7b822ec85321fe23a27db33 ] adpu320 C:\Windows\system32\DRIVERS\adpu320.sys
15:38:19.0496 0272 adpu320 - ok
15:38:19.0543 0272 [ 8b5eefeec1e6d1a72a06c526628ad161 ] AeLookupSvc C:\Windows\System32\aelupsvc.dll
15:38:19.0574 0272 AeLookupSvc - ok
15:38:19.0637 0272 [ 0db7a48388d54d154ebec120461a0fcd ] AFD C:\Windows\system32\drivers\afd.sys
15:38:19.0730 0272 AFD - ok
15:38:19.0762 0272 [ 507812c3054c21cef746b6ee3d04dd6e ] agp440 C:\Windows\system32\DRIVERS\agp440.sys
15:38:19.0793 0272 agp440 - ok
15:38:19.0840 0272 [ 8b30250d573a8f6b4bd23195160d8707 ] aic78xx C:\Windows\system32\DRIVERS\djsvs.sys
15:38:19.0855 0272 aic78xx - ok
15:38:19.0902 0272 [ 18a54e132947cd98fea9accc57f98f13 ] ALG C:\Windows\System32\alg.exe
15:38:19.0933 0272 ALG - ok
15:38:19.0980 0272 [ 0d40bcf52ea90fc7df2aeab6503dea44 ] aliide C:\Windows\system32\DRIVERS\aliide.sys
15:38:19.0996 0272 aliide - ok
15:38:19.0996 0272 [ 3c6600a0696e90a463771c7422e23ab5 ] amdagp C:\Windows\system32\DRIVERS\amdagp.sys
15:38:20.0011 0272 amdagp - ok
15:38:20.0027 0272 [ cd5914170297126b6266860198d1d4f0 ] amdide C:\Windows\system32\DRIVERS\amdide.sys
15:38:20.0042 0272 amdide - ok
15:38:20.0136 0272 [ 00dda200d71bac534bf56a9db5dfd666 ] AmdK8 C:\Windows\system32\DRIVERS\amdk8.sys
15:38:20.0167 0272 AmdK8 - ok
15:38:20.0198 0272 [ 3cbf30f5370fda40dd3e87df38ea53b6 ] AmdPPM C:\Windows\system32\DRIVERS\amdppm.sys
15:38:20.0308 0272 AmdPPM - ok
15:38:20.0386 0272 [ 19ce906b4cdc11fc4fef5745f33a63b6 ] amdsata C:\Windows\system32\drivers\amdsata.sys
15:38:20.0417 0272 amdsata - ok
15:38:20.0448 0272 [ ea43af0c423ff267355f74e7a53bdaba ] amdsbs C:\Windows\system32\DRIVERS\amdsbs.sys
15:38:20.0464 0272 amdsbs - ok
15:38:20.0495 0272 [ 869e67d66be326a5a9159fba8746fa70 ] amdxata C:\Windows\system32\drivers\amdxata.sys
15:38:20.0510 0272 amdxata - ok
15:38:20.0557 0272 [ feb834c02ce1e84b6a38f953ca067706 ] AppID C:\Windows\system32\drivers\appid.sys
15:38:20.0604 0272 AppID - ok
15:38:20.0666 0272 [ 62a9c86cb6085e20db4823e4e97826f5 ] AppIDSvc C:\Windows\System32\appidsvc.dll
15:38:20.0776 0272 AppIDSvc - ok
15:38:20.0807 0272 [ 7dead9e3f65dcb2794f2711003bbf650 ] Appinfo C:\Windows\System32\appinfo.dll
15:38:20.0822 0272 Appinfo - ok
15:38:20.0932 0272 [ 3debbecf665dcdde3a95d9b902010817 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
15:38:20.0947 0272 Apple Mobile Device - ok
15:38:20.0994 0272 [ a45d184df6a8803da13a0b329517a64a ] AppMgmt C:\Windows\System32\appmgmts.dll
15:38:21.0025 0272 AppMgmt - ok
15:38:21.0056 0272 [ 2932004f49677bd84dbc72edb754ffb3 ] arc C:\Windows\system32\DRIVERS\arc.sys
15:38:21.0072 0272 arc - ok
15:38:21.0103 0272 [ 5d6f36c46fd283ae1b57bd2e9feb0bc7 ] arcsas C:\Windows\system32\DRIVERS\arcsas.sys
15:38:21.0119 0272 arcsas - ok
15:38:21.0150 0272 [ add2ade1c2b285ab8378d2daaf991481 ] AsyncMac C:\Windows\system32\DRIVERS\asyncmac.sys
15:38:21.0197 0272 AsyncMac - ok
15:38:21.0228 0272 [ 338c86357871c167a96ab976519bf59e ] atapi C:\Windows\system32\DRIVERS\atapi.sys
15:38:21.0244 0272 atapi - ok
15:38:21.0290 0272 [ 510c873bfa135aa829f4180352772734 ] AudioEndpointBuilder C:\Windows\System32\Audiosrv.dll
15:38:21.0337 0272 AudioEndpointBuilder - ok
15:38:21.0368 0272 [ 510c873bfa135aa829f4180352772734 ] Audiosrv C:\Windows\System32\Audiosrv.dll
15:38:21.0400 0272 Audiosrv - ok
15:38:21.0431 0272 AVG Security Toolbar Service - ok
15:38:21.0478 0272 [ dd6a431b43e34b91a767d1ce33728175 ] AxInstSV C:\Windows\System32\AxInstSV.dll
15:38:21.0540 0272 AxInstSV - ok
15:38:21.0602 0272 [ 1a231abec60fd316ec54c66715543cec ] b06bdrv C:\Windows\system32\DRIVERS\bxvbdx.sys
15:38:21.0634 0272 b06bdrv - ok
15:38:21.0680 0272 [ bd8869eb9cde6bbe4508d869929869ee ] b57nd60x C:\Windows\system32\DRIVERS\b57nd60x.sys
15:38:21.0727 0272 b57nd60x - ok
15:38:21.0774 0272 [ ee1e9c3bb8228ae423dd38db69128e71 ] BDESVC C:\Windows\System32\bdesvc.dll
15:38:21.0821 0272 BDESVC - ok
15:38:21.0836 0272 [ 505506526a9d467307b3c393dedaf858 ] Beep C:\Windows\system32\drivers\Beep.sys
15:38:21.0868 0272 Beep - ok
15:38:21.0930 0272 [ 85ac71c045ceb054ed48a7841aae0c11 ] BFE C:\Windows\System32\bfe.dll
15:38:21.0992 0272 BFE - ok
15:38:22.0039 0272 [ 2287078ed48fcfc477b05b20cf38f36f ] blbdrive C:\Windows\system32\DRIVERS\blbdrive.sys
15:38:22.0055 0272 blbdrive - ok
15:38:22.0164 0272 [ db5bea73edaf19ac68b2c0fad0f92b1a ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
15:38:22.0180 0272 Bonjour Service - ok
15:38:22.0211 0272 [ 9a5c671b7fbae4865149bb11f59b91b2 ] bowser C:\Windows\system32\DRIVERS\bowser.sys
15:38:22.0258 0272 bowser - ok
15:38:22.0289 0272 [ 9f9acc7f7ccde8a15c282d3f88b43309 ] BrFiltLo C:\Windows\system32\DRIVERS\BrFiltLo.sys
15:38:22.0320 0272 BrFiltLo - ok
15:38:22.0351 0272 [ 56801ad62213a41f6497f96dee83755a ] BrFiltUp C:\Windows\system32\DRIVERS\BrFiltUp.sys
15:38:22.0367 0272 BrFiltUp - ok
15:38:22.0414 0272 [ 77361d72a04f18809d0efb6cceb74d4b ] BridgeMP C:\Windows\system32\DRIVERS\bridge.sys
15:38:22.0460 0272 BridgeMP - ok
15:38:22.0492 0272 [ 598e1280e7ff3744f4b8329366cc5635 ] Browser C:\Windows\System32\browser.dll
15:38:22.0523 0272 Browser - ok
15:38:22.0554 0272 [ 845b8ce732e67f3b4133164868c666ea ] Brserid C:\Windows\System32\Drivers\Brserid.sys
15:38:22.0570 0272 Brserid - ok
15:38:22.0601 0272 [ 203f0b1e73adadbbb7b7b1fabd901f6b ] BrSerWdm C:\Windows\System32\Drivers\BrSerWdm.sys
15:38:22.0632 0272 BrSerWdm - ok
15:38:22.0632 0272 [ bd456606156ba17e60a04e18016ae54b ] BrUsbMdm C:\Windows\System32\Drivers\BrUsbMdm.sys
15:38:22.0663 0272 BrUsbMdm - ok
15:38:22.0679 0272 [ af72ed54503f717a43268b3cc5faec2e ] BrUsbSer C:\Windows\System32\Drivers\BrUsbSer.sys
15:38:22.0710 0272 BrUsbSer - ok
15:38:22.0726 0272 [ ed3df7c56ce0084eb2034432fc56565a ] BTHMODEM C:\Windows\system32\DRIVERS\bthmodem.sys
15:38:22.0757 0272 BTHMODEM - ok
15:38:22.0804 0272 [ 1df19c96eef6c29d1c3e1a8678e07190 ] bthserv C:\Windows\system32\bthserv.dll
15:38:22.0882 0272 bthserv - ok
15:38:23.0022 0272 catchme - ok
15:38:23.0053 0272 [ 77ea11b065e0a8ab902d78145ca51e10 ] cdfs C:\Windows\system32\DRIVERS\cdfs.sys
15:38:23.0100 0272 cdfs - ok
15:38:23.0147 0272 [ ba6e70aa0e6091bc39de29477d866a77 ] cdrom C:\Windows\system32\DRIVERS\cdrom.sys
15:38:23.0162 0272 cdrom - ok
15:38:23.0225 0272 [ 628a9e30ec5e18dd5de6be4dbdc12198 ] CertPropSvc C:\Windows\System32\certprop.dll
15:38:23.0303 0272 CertPropSvc - ok
15:38:23.0318 0272 [ 3fe3fe94a34df6fb06e6418d0f6a0060 ] circlass C:\Windows\system32\DRIVERS\circlass.sys
15:38:23.0334 0272 circlass - ok
15:38:23.0365 0272 [ 635181e0e9bbf16871bf5380d71db02d ] CLFS C:\Windows\system32\CLFS.sys
15:38:23.0381 0272 CLFS - ok
15:38:23.0474 0272 [ d88040f816fda31c3b466f0fa0918f29 ] clr_optimization_v2.0.50727_32 C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
15:38:23.0490 0272 clr_optimization_v2.0.50727_32 - ok
15:38:23.0599 0272 [ c5a75eb48e2344abdc162bda79e16841 ] clr_optimization_v4.0.30319_32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
15:38:23.0615 0272 clr_optimization_v4.0.30319_32 - ok
15:38:23.0630 0272 [ dea805815e587dad1dd2c502220b5616 ] CmBatt C:\Windows\system32\DRIVERS\CmBatt.sys
15:38:23.0662 0272 CmBatt - ok
15:38:23.0662 0272 [ c537b1db64d495b9b4717b4d6d9edbf2 ] cmdide C:\Windows\system32\DRIVERS\cmdide.sys
15:38:23.0677 0272 cmdide - ok
15:38:23.0740 0272 [ db5e008b3744dd60c8498cbbf2a1cfa6 ] CNG C:\Windows\system32\Drivers\cng.sys
15:38:23.0802 0272 CNG - ok
15:38:23.0849 0272 [ a6023d3823c37043986713f118a89bee ] Compbatt C:\Windows\system32\DRIVERS\compbatt.sys
15:38:23.0864 0272 Compbatt - ok
15:38:23.0896 0272 [ f1724ba27e97d627f808fb0ba77a28a6 ] CompositeBus C:\Windows\system32\DRIVERS\CompositeBus.sys
15:38:23.0927 0272 CompositeBus - ok
15:38:23.0942 0272 COMSysApp - ok
15:38:23.0958 0272 [ 2c4ebcfc84a9b44f209dff6c6e6c61d1 ] crcdisk C:\Windows\system32\DRIVERS\crcdisk.sys
15:38:23.0974 0272 crcdisk - ok
15:38:24.0036 0272 [ 520a108a2657f4bca7fced9ca7d885de ] CryptSvc C:\Windows\system32\cryptsvc.dll
15:38:24.0067 0272 CryptSvc - ok
15:38:24.0083 0272 [ 27c9490bdd0ae48911ab8cf1932591ed ] CSC C:\Windows\system32\drivers\csc.sys
15:38:24.0114 0272 CSC - ok
15:38:24.0161 0272 [ 56fb5f222ea30d3d3fc459879772cb73 ] CscService C:\Windows\System32\cscsvc.dll
15:38:24.0223 0272 CscService - ok
15:38:24.0301 0272 [ cb6ff7012bb5d59d7c12350db795ce1f ] ctxusbm C:\Windows\system32\DRIVERS\ctxusbm.sys
15:38:24.0332 0272 ctxusbm - ok
15:38:24.0473 0272 [ 72794d112cbaff3bc0c29bf7350d4741 ] cvhsvc C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
15:38:24.0504 0272 cvhsvc - ok
15:38:24.0535 0272 [ b82cd39e336973359d7c9bf911e8e84f ] DcomLaunch C:\Windows\system32\rpcss.dll
15:38:24.0598 0272 DcomLaunch - ok
15:38:24.0629 0272 [ 8d6e10a2d9a5eed59562d9b82cf804e1 ] defragsvc C:\Windows\System32\defragsvc.dll
15:38:24.0676 0272 defragsvc - ok
15:38:24.0722 0272 [ 83d1ecea8faae75604c0fa49ac7ad996 ] DfsC C:\Windows\system32\Drivers\dfsc.sys
15:38:24.0754 0272 DfsC - ok
15:38:24.0800 0272 [ c56495fbd770712367cad35e5de72da6 ] Dhcp C:\Windows\system32\dhcpcore.dll
15:38:24.0832 0272 Dhcp - ok
15:38:24.0863 0272 [ 1a050b0274bfb3890703d490f330c0da ] discache C:\Windows\system32\drivers\discache.sys
15:38:24.0894 0272 discache - ok
15:38:24.0941 0272 [ 565003f326f99802e68ca78f2a68e9ff ] Disk C:\Windows\system32\DRIVERS\disk.sys
15:38:24.0956 0272 Disk - ok
15:38:25.0003 0272 [ b15be77a2bacf9c3177d27518afe26a9 ] Dnscache C:\Windows\System32\dnsrslvr.dll
15:38:25.0066 0272 Dnscache - ok
15:38:25.0097 0272 [ 4408c85c21eea48eb0ce486baeef0502 ] dot3svc C:\Windows\System32\dot3svc.dll
15:38:25.0159 0272 dot3svc - ok
15:38:25.0175 0272 [ 7fa81c6e11caa594adb52084da73a1e5 ] DPS C:\Windows\system32\dps.dll
15:38:25.0237 0272 DPS - ok
15:38:25.0284 0272 [ b918e7c5f9bf77202f89e1a9539f2eb4 ] drmkaud C:\Windows\system32\drivers\drmkaud.sys
15:38:25.0300 0272 drmkaud - ok
15:38:25.0362 0272 [ 1679a4669326cb1a67cc95658d273234 ] DXGKrnl C:\Windows\System32\drivers\dxgkrnl.sys
15:38:25.0409 0272 DXGKrnl - ok
15:38:25.0456 0272 [ 8600142fa91c1b96367d3300ad0f3f3a ] EapHost C:\Windows\System32\eapsvc.dll
15:38:25.0502 0272 EapHost - ok
15:38:25.0643 0272 [ 024e1b5cac09731e4d868e64dbfb4ab0 ] ebdrv C:\Windows\system32\DRIVERS\evbdx.sys
15:38:25.0814 0272 ebdrv - ok
15:38:25.0861 0272 [ c2243ff9e9aad0c30e8b1a0914da15b6 ] EFS C:\Windows\System32\lsass.exe
15:38:25.0892 0272 EFS - ok
15:38:25.0970 0272 [ 1697c39978cd69f6fbc15302edcece1f ] ehRecvr C:\Windows\ehome\ehRecvr.exe
15:38:26.0017 0272 ehRecvr - ok
15:38:26.0048 0272 [ d389bff34f80caede417bf9d1507996a ] ehSched C:\Windows\ehome\ehsched.exe
15:38:26.0080 0272 ehSched - ok
15:38:26.0142 0272 [ 0ed67910c8c326796faa00b2bf6d9d3c ] elxstor C:\Windows\system32\DRIVERS\elxstor.sys
15:38:26.0189 0272 elxstor - ok
15:38:26.0204 0272 [ 8fc3208352dd3912c94367a206ab3f11 ] ErrDev C:\Windows\system32\DRIVERS\errdev.sys
15:38:26.0251 0272 ErrDev - ok
15:38:26.0314 0272 [ f6916efc29d9953d5d0df06882ae8e16 ] EventSystem C:\Windows\system32\es.dll
15:38:26.0360 0272 EventSystem - ok
15:38:26.0392 0272 [ 2dc9108d74081149cc8b651d3a26207f ] exfat C:\Windows\system32\drivers\exfat.sys
15:38:26.0423 0272 exfat - ok
15:38:26.0454 0272 [ 7e0ab74553476622fb6ae36f73d97d35 ] fastfat C:\Windows\system32\drivers\fastfat.sys
15:38:26.0485 0272 fastfat - ok
15:38:26.0548 0272 [ f7ea23cc5e6bf2181f3f399d54f6efc1 ] Fax C:\Windows\system32\fxssvc.exe
15:38:26.0579 0272 Fax - ok
15:38:26.0610 0272 [ e817a017f82df2a1f8cfdbda29388b29 ] fdc C:\Windows\system32\DRIVERS\fdc.sys
15:38:26.0641 0272 fdc - ok
15:38:26.0657 0272 [ f3222c893bd2f5821a0179e5c71e88fb ] fdPHost C:\Windows\system32\fdPHost.dll
15:38:26.0735 0272 fdPHost - ok
15:38:26.0766 0272 [ 7dbe8cbfe79efbdeb98c9fb08d3a9a5b ] FDResPub C:\Windows\system32\fdrespub.dll
15:38:26.0797 0272 FDResPub - ok
15:38:26.0828 0272 [ 6cf00369c97f3cf563be99be983d13d8 ] FileInfo C:\Windows\system32\drivers\fileinfo.sys
15:38:26.0828 0272 FileInfo - ok
15:38:26.0860 0272 [ 42c51dc94c91da21cb9196eb64c45db9 ] Filetrace C:\Windows\system32\drivers\filetrace.sys
15:38:26.0891 0272 Filetrace - ok
15:38:26.0922 0272 [ 87907aa70cb3c56600f1c2fb8841579b ] flpydisk C:\Windows\system32\DRIVERS\flpydisk.sys
15:38:26.0953 0272 flpydisk - ok
15:38:27.0000 0272 [ 7520ec808e0c35e0ee6f841294316653 ] FltMgr C:\Windows\system32\drivers\fltmgr.sys
15:38:27.0016 0272 FltMgr - ok
15:38:27.0109 0272 [ 7fe4995528a7529a761875151ee3d512 ] FontCache C:\Windows\system32\FntCache.dll
15:38:27.0203 0272 FontCache - ok
15:38:27.0296 0272 [ e56f39f6b7fda0ac77a79b0fd3de1a2f ] FontCache3.0.0.0 C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
15:38:27.0312 0272 FontCache3.0.0.0 - ok
15:38:27.0343 0272 [ 1a16b57943853e598cff37fe2b8cbf1d ] FsDepends C:\Windows\system32\drivers\FsDepends.sys
15:38:27.0359 0272 FsDepends - ok
15:38:27.0406 0272 [ 500a9814fd9446a8126858a5a7f7d273 ] Fs_Rec C:\Windows\system32\drivers\Fs_Rec.sys
15:38:27.0421 0272 Fs_Rec - ok
15:38:27.0468 0272 [ dafbd9fe39197495aed6d51f3b85b5d2 ] fvevol C:\Windows\system32\DRIVERS\fvevol.sys
15:38:27.0499 0272 fvevol - ok
15:38:27.0546 0272 [ 65ee0c7a58b65e74ae05637418153938 ] gagp30kx C:\Windows\system32\DRIVERS\gagp30kx.sys
15:38:27.0562 0272 gagp30kx - ok
15:38:27.0608 0272 [ 8182ff89c65e4d38b2de4bb0fb18564e ] GEARAspiWDM C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
15:38:27.0608 0272 GEARAspiWDM - ok
15:38:27.0655 0272 [ 8ba3c04702bf8f927ab36ae8313ca4ee ] gpsvc C:\Windows\System32\gpsvc.dll
15:38:27.0702 0272 gpsvc - ok
15:38:27.0718 0272 [ c44e3c2bab6837db337ddee7544736db ] hcw85cir C:\Windows\system32\drivers\hcw85cir.sys
15:38:27.0780 0272 hcw85cir - ok
15:38:27.0842 0272 [ 3530cad25deba7dc7de8bb51632cbc5f ] HdAudAddService C:\Windows\system32\drivers\HdAudio.sys
15:38:27.0874 0272 HdAudAddService - ok
15:38:27.0905 0272 [ 717a2207fd6f13ad3e664c7d5a43c7bf ] HDAudBus C:\Windows\system32\DRIVERS\HDAudBus.sys
15:38:27.0936 0272 HDAudBus - ok
15:38:27.0952 0272 [ 1d58a7f3e11a9731d0eaaaa8405acc36 ] HidBatt C:\Windows\system32\DRIVERS\HidBatt.sys
15:38:27.0983 0272 HidBatt - ok
15:38:27.0998 0272 [ 89448f40e6df260c206a193a4683ba78 ] HidBth C:\Windows\system32\DRIVERS\hidbth.sys
15:38:28.0030 0272 HidBth - ok
15:38:28.0045 0272 [ cf50b4cf4a4f229b9f3c08351f99ca5e ] HidIr C:\Windows\system32\DRIVERS\hidir.sys
15:38:28.0076 0272 HidIr - ok
15:38:28.0108 0272 [ 2bc6f6a1992b3a77f5f41432ca6b3b6b ] hidserv C:\Windows\System32\hidserv.dll
15:38:28.0170 0272 hidserv - ok
15:38:28.0232 0272 [ 25072fb35ac90b25f9e4e3bacf774102 ] HidUsb C:\Windows\system32\DRIVERS\hidusb.sys
15:38:28.0279 0272 HidUsb - ok
15:38:28.0326 0272 [ 741c2a45ca8407e374aaba3e330b7872 ] hkmsvc C:\Windows\system32\kmsvc.dll
15:38:28.0388 0272 hkmsvc - ok
15:38:28.0404 0272 [ a768ca158bb06782a2835b907f4873c3 ] HomeGroupListener C:\Windows\system32\ListSvc.dll
15:38:28.0435 0272 HomeGroupListener - ok
15:38:28.0466 0272 [ fb08dec5ef43d0c66d83b8e9694e7549 ] HomeGroupProvider C:\Windows\system32\provsvc.dll
15:38:28.0498 0272 HomeGroupProvider - ok
15:38:28.0529 0272 [ 295fdc419039090eb8b49ffdbb374549 ] HpSAMD C:\Windows\system32\DRIVERS\HpSAMD.sys
15:38:28.0544 0272 HpSAMD - ok
15:38:28.0576 0272 [ c531c7fd9e8b62021112787c4e2c5a5a ] HTTP C:\Windows\system32\drivers\HTTP.sys
15:38:28.0638 0272 HTTP - ok
15:38:28.0654 0272 [ 8305f33cde89ad6c7a0763ed0b5a8d42 ] hwpolicy C:\Windows\system32\drivers\hwpolicy.sys
15:38:28.0669 0272 hwpolicy - ok
15:38:28.0700 0272 [ f151f0bdc47f4a28b1b20a0818ea36d6 ] i8042prt C:\Windows\system32\DRIVERS\i8042prt.sys
15:38:28.0716 0272 i8042prt - ok
15:38:28.0778 0272 [ 71f1a494fedf4b33c02c4a6a28d6d9e9 ] iaStorV C:\Windows\system32\drivers\iaStorV.sys
15:38:28.0810 0272 iaStorV - ok
15:38:28.0888 0272 [ 5af815eb5bc9802e5a064e2ba62bfc0c ] idsvc C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
15:38:28.0950 0272 idsvc - ok
15:38:28.0997 0272 [ 4173ff5708f3236cf25195fecd742915 ] iirsp C:\Windows\system32\DRIVERS\iirsp.sys
15:38:28.0997 0272 iirsp - ok
15:38:29.0044 0272 [ fac0ee6562b121b1399d6e855583f7a5 ] IKEEXT C:\Windows\System32\ikeext.dll
15:38:29.0090 0272 IKEEXT - ok
15:38:29.0106 0272 [ a0f12f2c9ba6c72f3987ce780e77c130 ] intelide C:\Windows\system32\DRIVERS\intelide.sys
15:38:29.0122 0272 intelide - ok
15:38:29.0168 0272 [ 3b514d27bfc4accb4037bc6685f766e0 ] intelppm C:\Windows\system32\DRIVERS\intelppm.sys
15:38:29.0184 0272 intelppm - ok
15:38:29.0278 0272 [ 1663a135865f0ba6e853353e98e67f2a ] IntuitUpdateServiceV4 C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
15:38:29.0293 0272 IntuitUpdateServiceV4 - ok
15:38:29.0340 0272 [ acb364b9075a45c0736e5c47be5cae19 ] IPBusEnum C:\Windows\system32\ipbusenum.dll
15:38:29.0418 0272 IPBusEnum - ok
15:38:29.0434 0272 [ 709d1761d3b19a932ff0238ea6d50200 ] IpFilterDriver C:\Windows\system32\DRIVERS\ipfltdrv.sys
15:38:29.0480 0272 IpFilterDriver - ok
15:38:29.0574 0272 [ 477397b432a256a50ee7e4339eb9ea14 ] iphlpsvc C:\Windows\System32\iphlpsvc.dll
15:38:29.0605 0272 iphlpsvc - ok
15:38:29.0636 0272 [ e4454b6c37d7ffd5649611f6496308a7 ] IPMIDRV C:\Windows\system32\DRIVERS\IPMIDrv.sys
15:38:29.0668 0272 IPMIDRV - ok
15:38:29.0683 0272 [ a5fa468d67abcdaa36264e463a7bb0cd ] IPNAT C:\Windows\system32\drivers\ipnat.sys
15:38:29.0730 0272 IPNAT - ok
15:38:29.0792 0272 [ 49918803b661367023bf325cf602afdc ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
15:38:29.0824 0272 iPod Service - ok
15:38:29.0855 0272 [ 42996cff20a3084a56017b7902307e9f ] IRENUM C:\Windows\system32\drivers\irenum.sys
15:38:29.0886 0272 IRENUM - ok
15:38:29.0902 0272 [ 1f32bb6b38f62f7df1a7ab7292638a35 ] isapnp C:\Windows\system32\DRIVERS\isapnp.sys
15:38:29.0917 0272 isapnp - ok
15:38:29.0964 0272 [ ed46c223ae46c6866ab77cdc41c404b7 ] iScsiPrt C:\Windows\system32\DRIVERS\msiscsi.sys
15:38:29.0980 0272 iScsiPrt - ok
15:38:30.0011 0272 [ adef52ca1aeae82b50df86b56413107e ] kbdclass C:\Windows\system32\DRIVERS\kbdclass.sys
15:38:30.0026 0272 kbdclass - ok
15:38:30.0058 0272 [ 3d9f0ebf350edcfd6498057301455964 ] kbdhid C:\Windows\system32\DRIVERS\kbdhid.sys
15:38:30.0073 0272 kbdhid - ok
15:38:30.0089 0272 [ c2243ff9e9aad0c30e8b1a0914da15b6 ] KeyIso C:\Windows\system32\lsass.exe
15:38:30.0104 0272 KeyIso - ok
15:38:30.0151 0272 [ 52fc17c8589f11747d01d3cf592673d0 ] KSecDD C:\Windows\system32\Drivers\ksecdd.sys
15:38:30.0167 0272 KSecDD - ok
15:38:30.0214 0272 [ 3e5474b03568cfab834da3c38e8c9efa ] KSecPkg C:\Windows\system32\Drivers\ksecpkg.sys
15:38:30.0214 0272 KSecPkg - ok
15:38:30.0260 0272 [ 89a7b9cc98d0d80c6f31b91c0a310fcd ] KtmRm C:\Windows\system32\msdtckrm.dll
15:38:30.0354 0272 KtmRm - ok
15:38:30.0432 0272 [ 8f6bf790d3168224c16f2af68a84438c ] LanmanServer C:\Windows\System32\srvsvc.dll
15:38:30.0479 0272 LanmanServer - ok
15:38:30.0526 0272 [ b9891f885dcf1f0513a51cb58493cb1f ] LanmanWorkstation C:\Windows\System32\wkssvc.dll
15:38:30.0572 0272 LanmanWorkstation - ok
15:38:30.0619 0272 [ f7611ec07349979da9b0ae1f18ccc7a6 ] lltdio C:\Windows\system32\DRIVERS\lltdio.sys
15:38:30.0650 0272 lltdio - ok
15:38:30.0697 0272 [ 5700673e13a2117fa3b9020c852c01e2 ] lltdsvc C:\Windows\System32\lltdsvc.dll
15:38:30.0728 0272 lltdsvc - ok
15:38:30.0760 0272 [ 55ca01ba19d0006c8f2639b6c045e08b ] lmhosts C:\Windows\System32\lmhsvc.dll
15:38:30.0791 0272 lmhosts - ok
15:38:30.0838 0272 [ eb119a53ccf2acc000ac71b065b78fef ] LSI_FC C:\Windows\system32\DRIVERS\lsi_fc.sys
15:38:30.0853 0272 LSI_FC - ok
15:38:30.0869 0272 [ 8ade1c877256a22e49b75d1cc9161f9c ] LSI_SAS C:\Windows\system32\DRIVERS\lsi_sas.sys
15:38:30.0884 0272 LSI_SAS - ok
15:38:30.0900 0272 [ dc9dc3d3daa0e276fd2ec262e38b11e9 ] LSI_SAS2 C:\Windows\system32\DRIVERS\lsi_sas2.sys
15:38:30.0916 0272 LSI_SAS2 - ok
15:38:30.0931 0272 [ 0a036c7d7cab643a7f07135ac47e0524 ] LSI_SCSI C:\Windows\system32\DRIVERS\lsi_scsi.sys
15:38:30.0947 0272 LSI_SCSI - ok
15:38:30.0978 0272 [ 6703e366cc18d3b6e534f5cf7df39cee ] luafv C:\Windows\system32\drivers\luafv.sys
15:38:31.0025 0272 luafv - ok
15:38:31.0072 0272 [ 6dfe7f2e8e8a337263aa5c92a215f161 ] MBAMProtector C:\Windows\system32\drivers\mbam.sys
15:38:31.0087 0272 MBAMProtector - ok
15:38:31.0118 0272 [ 43683e970f008c93c9429ef428147a54 ] MBAMService C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
15:38:31.0134 0272 MBAMService - ok
15:38:31.0150 0272 [ e2b0887816ed336685954e3d8fdaa51d ] Mcx2Svc C:\Windows\system32\Mcx2Svc.dll
15:38:31.0165 0272 Mcx2Svc - ok
15:38:31.0196 0272 [ 0fff5b045293002ab38eb1fd1fc2fb74 ] megasas C:\Windows\system32\DRIVERS\megasas.sys
15:38:31.0228 0272 megasas - ok
15:38:31.0259 0272 [ dcbab2920c75f390caf1d29f675d03d6 ] MegaSR C:\Windows\system32\DRIVERS\MegaSR.sys
15:38:31.0306 0272 MegaSR - ok
15:38:31.0321 0272 [ 146b6f43a673379a3c670e86d89be5ea ] MMCSS C:\Windows\system32\mmcss.dll
15:38:31.0352 0272 MMCSS - ok
15:38:31.0368 0272 [ f001861e5700ee84e2d4e52c712f4964 ] Modem C:\Windows\system32\drivers\modem.sys
15:38:31.0430 0272 Modem - ok
15:38:31.0477 0272 [ 79d10964de86b292320e9dfe02282a23 ] monitor C:\Windows\system32\DRIVERS\monitor.sys
15:38:31.0493 0272 monitor - ok
15:38:31.0540 0272 [ fb18cc1d4c2e716b6b903b0ac0cc0609 ] mouclass C:\Windows\system32\DRIVERS\mouclass.sys
15:38:31.0555 0272 mouclass - ok
15:38:31.0571 0272 [ 2c388d2cd01c9042596cf3c8f3c7b24d ] mouhid C:\Windows\system32\DRIVERS\mouhid.sys
15:38:31.0602 0272 mouhid - ok
15:38:31.0618 0272 [ 921c18727c5920d6c0300736646931c2 ] mountmgr C:\Windows\system32\drivers\mountmgr.sys
15:38:31.0633 0272 mountmgr - ok
15:38:31.0696 0272 [ 46297fa8e30a6007f14118fc2b942fbc ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
15:38:31.0727 0272 MozillaMaintenance - ok
15:38:31.0758 0272 [ 2af5997438c55fb79d33d015c30e1974 ] mpio C:\Windows\system32\DRIVERS\mpio.sys
15:38:31.0789 0272 mpio - ok
15:38:43.0288 0272 SwitchBoard ( UnsignedFile.Multi.Generic ) - warning
15:38:43.0288 0272 SwitchBoard - detected UnsignedFile.Multi.Generic (1)
15:38:49.0622 0272 ================ Scan global ===============================
15:38:49.0653 0272 (9a595df601070da78c40481120dd2c06) C:\Windows\system32\basesrv.dll
15:38:49.0700 0272 (008f51ae989c3df1cbaf8b39dc423ccc) C:\Windows\system32\winsrv.dll
15:38:49.0716 0272 (008f51ae989c3df1cbaf8b39dc423ccc) C:\Windows\system32\winsrv.dll
15:38:49.0731 0272 (364455805e64882844ee9acb72522830) C:\Windows\system32\sxssrv.dll
15:38:49.0778 0272 (5f1b6a9c35d3d5ca72d6d6fdef9747d6) C:\Windows\system32\services.exe
15:38:49.0794 0272 [Global] - ok
15:38:49.0794 0272 ================ Scan MBR ==================================
15:38:49.0794 0272 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
15:38:49.0794 0272 Suspicious mbr (Forged): \Device\Harddisk0\DR0
15:38:49.0840 0272 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
15:38:49.0840 0272 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
15:38:49.0903 0272 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
15:38:49.0903 0272 \Device\Harddisk0\DR0 - detected TDSS File System (1)
15:38:49.0918 0272 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk5\DR5
15:38:50.0012 0272 \Device\Harddisk5\DR5 - ok
15:38:50.0012 0272 ================ Scan VBR ==================================
15:38:50.0028 0272 Boot (0x1200) (75cfe68c8d1116d3be601340de2d8639) \Device\Harddisk0\DR0\Partition1
15:38:50.0028 0272 \Device\Harddisk0\DR0\Partition1 - ok
15:38:50.0059 0272 Boot (0x1200) (fb21fdf75728c9394a18c3787e8a0e68) \Device\Harddisk0\DR0\Partition2
15:38:50.0059 0272 \Device\Harddisk0\DR0\Partition2 - ok
15:38:50.0059 0272 Boot (0x1200) (8c1032da28837cdc46b0e1bab453c018) \Device\Harddisk5\DR5\Partition1
15:38:50.0059 0272 \Device\Harddisk5\DR5\Partition1 - ok
15:38:50.0059 0272 ============================================================
15:38:50.0059 0272 Scan finished
15:38:50.0059 0272 ============================================================
15:38:50.0074 2716 Detected object count: 3
15:38:50.0074 2716 Actual detected object count: 3
15:40:19.0973 2716 SwitchBoard ( UnsignedFile.Multi.Generic ) - skipped by user
15:40:19.0973 2716 SwitchBoard ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:40:20.0654 2716 \Device\Harddisk0\DR0\# - copied to quarantine
15:40:20.0657 2716 \Device\Harddisk0\DR0 - copied to quarantine
15:40:20.0763 2716 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
15:40:20.0775 2716 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
15:40:20.0779 2716 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
15:40:20.0784 2716 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
15:40:20.0789 2716 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
15:40:20.0800 2716 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
15:40:20.0808 2716 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
15:40:20.0811 2716 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
15:40:20.0814 2716 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
15:40:20.0817 2716 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
15:40:20.0821 2716 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
15:40:20.0825 2716 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
15:40:20.0827 2716 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
15:40:20.0828 2716 \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
15:40:20.0882 2716 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
15:40:20.0883 2716 \Device\Harddisk0\DR0 - ok
15:40:20.0899 2716 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
15:40:20.0900 2716 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
15:40:20.0900 2716 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
15:40:25.0540 2940 Deinitialize success
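The `MBR (0x1B8) (hash) \Device\Harddisk0\DR0` and `Suspicious mbr (Forged)` lines in the log above are what a boot-sector integrity check looks like from the outside: a hash over the bootstrap code that sits before the disk signature, and a mismatch between what the running OS hands back for sector 0 and what is actually on the platter. The Python below is an added example, not code from this thread or from Kaspersky's TDSSKiller. It parses a 512-byte MBR by the standard layout (440 bytes of boot code, 4-byte disk signature, 2 reserved bytes, four 16-byte partition entries, `55 AA`), hashes the first 0x1B8 bytes, and reports a sector as forged when two reads of it disagree. The sample sectors are constructed inline, and two details are assumptions rather than facts taken from the log: that 0x1B8 in the log denotes the hashed length, and that the 32-hex-digit hashes are MD5.

```python
"""Parse a 512-byte MBR, hash its bootstrap code, and flag a forged sector.

Added example; not code from the thread or from TDSSKiller. Sample MBRs are
constructed inline, so nothing on the host is read or written.
"""
import hashlib
import struct

BOOT_CODE_LEN = 0x1B8   # bootstrap code occupies bytes [0, 0x1B8); disk signature follows
SECTOR = 512
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries, then the 0x55AA signature


def build_sample_mbr(boot_code: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Construct a syntactically valid MBR with one bootable NTFS-type partition."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    # entry: status, CHS start(3), type, CHS end(3), LBA start, sector count
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = part1 + b"\x00" * 16 * 3
    return code + struct.pack("<IH", disk_sig, 0) + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its fields and hash the bootstrap code region (MD5 assumed)."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    disk_sig, _reserved = struct.unpack_from("<IH", sector, BOOT_CODE_LEN)
    partitions = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code_md5": hashlib.md5(boot_code).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": partitions,
        "valid_signature": sector[510:512] == b"\x55\xaa",
    }


def check_mbr(presented: bytes, raw: bytes, baseline_md5: str) -> list:
    """Findings for one disk: `presented` is sector 0 as the OS returns it,
    `raw` is sector 0 read by an independent path, `baseline_md5` the known-good
    boot-code hash recorded on a clean system."""
    findings = []
    r = parse_mbr(raw)
    if not r["valid_signature"]:
        findings.append("missing 0x55AA signature")
    if presented != raw:
        findings.append("forged: presented MBR differs from raw sector")
    if r["boot_code_md5"] != baseline_md5:
        findings.append("boot code hash differs from baseline")
    return findings


if __name__ == "__main__":
    # Constructed sample: a few bytes of a typical x86 boot stub prologue.
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
    baseline = parse_mbr(clean)["boot_code_md5"]
    print("baseline:", baseline, "findings:", check_mbr(clean, clean, baseline))
    # A bootkit rewrote the boot code on disk but hides it from normal reads.
    on_disk = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 30)
    print("infected:", check_mbr(clean, on_disk, baseline))
```

Recording the baseline hash while the system is known clean is the whole value of this check; a hash alone cannot tell a vendor's legitimate boot code from a bootkit's, which is why the log pairs the hash with the forged-read comparison.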

#14 MrCharlie

    Forum Deity

  • Experts
  • 28,152 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 18 August 2012 - 05:55 PM

Run TDSSKiller again and choose Delete for this one only: (no need to post the log)

15:40:20.0900 2716 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
15:40:20.0900 2716 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip


-------------------------------------

Then using ComboFix.......

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
4. If ComboFix wants to update.....please allow it to.

Driver::
vfgkjsj
File::
c:\windows\System32\drivers\aguapud.sys
ClearJavaCache::


Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......
Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC

Malware Removal Expert

I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew
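The instruction above hinges on one detail of the TDSSKiller log: the hidden `TDSS File System` object was left with `User select action: Skip`, while the `Rootkit.Boot.Pihar.c` MBR infection was set to Cure. Reading that out of a long log by eye is error-prone, so the Python below, an added example that is neither from this thread nor from Kaspersky, parses the log's `time thread object ( verdict ) - state` lines, groups the states per object, and lists every infected or warning object whose final user action was Skip (or missing). The sample lines are adapted from the log earlier in the thread and embedded as a constructed string; the triage rule itself, and treating `UnsignedFile.*` heuristics as low-confidence verdicts that may legitimately be skipped, are this example's own choices.

```python
"""Triage a TDSSKiller log: which detections were left unhandled?

Added example; not code from the thread or from TDSSKiller. Parses the
`HH:MM:SS.ffff tid object ( verdict ) - state` line format shown in the log
and the `Suspicious mbr (Forged): <device>` line. The sample log is a
constructed excerpt adapted from the thread.
"""
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+"
    r"(?P<obj>.+?) \( (?P<verdict>[^)]+) \) - (?P<state>.+)$"
)
FORGED = re.compile(r"Suspicious mbr \(Forged\): (?P<obj>\S+)")
# Verdict families that are heuristics rather than confirmed malware; Skip is
# a normal answer for them (assumption of this example, e.g. Adobe SwitchBoard).
HEURISTIC_PREFIXES = ("UnsignedFile.",)

SAMPLE_LOG = """\
15:38:49.0794 0272 Suspicious mbr (Forged): \\Device\\Harddisk0\\DR0
15:38:49.0840 0272 \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.c ) - infected
15:38:49.0903 0272 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - warning
15:40:19.0973 2716 SwitchBoard ( UnsignedFile.Multi.Generic ) - skipped by user
15:40:19.0973 2716 SwitchBoard ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:40:20.0882 2716 \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
15:40:20.0899 2716 \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
15:40:20.0900 2716 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - skipped by user
15:40:20.0900 2716 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - User select action: Skip
"""


def parse_log(text):
    """Return (detections, forged): states per (object, verdict), and the set
    of devices whose MBR the scanner reported as forged."""
    detections = defaultdict(list)
    forged = set()
    for line in text.splitlines():
        m = FORGED.search(line)
        if m:
            forged.add(m.group("obj"))
            continue
        m = LINE.match(line)
        if m:
            detections[(m.group("obj"), m.group("verdict"))].append(m.group("state"))
    return detections, forged


def triage(text):
    """List detections whose final user action leaves them unresolved."""
    detections, forged = parse_log(text)
    unresolved = []
    for (obj, verdict), states in detections.items():
        actions = [s.split(": ", 1)[1] for s in states if s.startswith("User select action")]
        final = actions[-1] if actions else None
        severe = any(s in ("infected", "warning") for s in states) or obj in forged
        heuristic = verdict.startswith(HEURISTIC_PREFIXES)
        if severe and not heuristic and final in (None, "Skip"):
            unresolved.append({"object": obj, "verdict": verdict,
                               "action": final, "forged_mbr": obj in forged})
    return unresolved


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print("re-run TDSSKiller and act on:", item)
```

Run against the sample, the only unresolved item is the `TDSS File System` object on `\Device\Harddisk0\DR0`, which matches what the post above asks the user to go back and delete; the MBR infection (final action Cure) and the unsigned SwitchBoard binary (heuristic) are not listed.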

#15 Rfacio

    New Member

  • Members
  • 15 posts

Posted 18 August 2012 - 06:35 PM

ComboFix 12-08-18.03 - Kandice 08/18/2012 16:12:01.3.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1919.1282 [GMT -7:00]
Running from: c:\users\Kandice\Desktop\ComboFix.exe
Command switches used :: c:\users\Kandice\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\System32\drivers\aguapud.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\searchplugins\bing-zugo.xml
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_vfgkjsj
.
.
((((((((((((((((((((((((( Files Created from 2012-07-18 to 2012-08-18 )))))))))))))))))))))))))))))))
.
.
2012-08-18 23:18 . 2012-08-18 23:29 -------- d-----w- c:\users\Kandice\AppData\Local\temp
2012-08-18 23:18 . 2012-08-18 23:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-18 23:18 . 2012-08-18 23:18 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-08-18 22:40 . 2012-08-18 23:05 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-18 20:47 . 2012-08-18 20:47 -------- d-----w- C:\FRST
2012-08-18 03:37 . 2012-08-18 03:37 -------- d-----w- c:\users\Kandice\AppData\Local\ElevatedDiagnostics
2012-08-10 02:10 . 2012-08-10 02:10 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-10 01:30 . 2012-08-10 01:30 -------- d-----w- c:\windows\Sun
2012-08-08 02:09 . 2012-08-08 08:54 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A9131960-9FFF-4927-9C77-7902715CC7CD}\offreg.dll
2012-08-07 22:58 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A9131960-9FFF-4927-9C77-7902715CC7CD}\mpengine.dll
2012-08-07 00:55 . 2012-08-07 00:55 -------- d-----w- c:\users\Kandice\AppData\Roaming\Malwarebytes
2012-08-07 00:55 . 2012-08-07 00:55 -------- d-----w- c:\programdata\Malwarebytes
2012-08-07 00:55 . 2012-08-07 00:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-07 00:55 . 2012-07-03 20:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 04:09 . 2012-04-11 05:25 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 04:09 . 2011-07-17 03:32 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-12 02:44 . 2012-07-11 10:00 2344448 ----a-w- c:\windows\system32\win32k.sys
2012-06-06 05:09 . 2012-07-11 07:50 1389568 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:09 . 2012-07-11 07:50 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-02 22:19 . 2012-06-21 16:13 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-21 16:14 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 16:14 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 16:13 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 16:13 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 16:14 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 16:14 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 16:13 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:12 . 2012-06-21 16:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 08:33 . 2012-07-11 10:03 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25 . 2012-07-11 10:03 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25 . 2012-07-11 10:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20 . 2012-07-11 10:03 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16 . 2012-07-11 10:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:51 . 2012-07-11 07:50 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:51 . 2012-07-11 07:50 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:50 . 2012-07-11 07:50 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:48 . 2012-07-11 07:50 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:47 . 2012-07-11 07:50 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-01 13:43 . 2012-06-01 13:43 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
2012-05-31 19:25 . 2011-06-16 08:21 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-04-25 08:58 . 2011-04-25 08:58 124864 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2011-04-25 09:48 . 2011-04-25 09:48 13760 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2011-04-25 09:00 . 2011-04-25 09:00 71104 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2011-04-25 08:59 . 2011-04-25 08:59 92096 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2011-04-25 08:58 . 2011-04-25 08:58 22976 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2011-04-25 08:57 . 2011-04-25 08:57 255936 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2011-04-25 08:58 . 2011-04-25 08:58 32192 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2011-04-25 08:58 . 2011-04-25 08:58 40896 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2011-04-25 08:51 . 2011-04-25 08:51 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2011-04-25 09:00 . 2011-04-25 09:00 24512 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2012-07-23 23:05 . 2011-10-22 02:43 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Kandice\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2011-07-29 273544]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-16 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-17 421736]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2011-04-25 305088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Anti-phishing Domain Advisor"="c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2011-07-29 217256]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/w...&ver=10.0.1424" [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [x]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 04:09]
.
2012-08-18 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1829147003-1944629146-3105163407-1000Core.job
- c:\users\Kandice\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-26 22:54]
.
2012-08-18 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1829147003-1944629146-3105163407-1000UA.job
- c:\users\Kandice\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-26 22:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://blekkosearch.mystart.com/blekkotb_soc/?source=86adbc52&toolbarid=blekkotb_soc&u=20120515F6FD4721BCE920F80623E344&tbp=homepage
uInternet Settings,ProxyOverride = *.local
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Kandice\AppData\Roaming\Mozilla\Firefox\Profiles\6n7x2el9.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-40020475.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1316)
c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-08-18 16:33:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-18 23:33
.
Pre-Run: 34,816,262,144 bytes free
Post-Run: 34,757,246,976 bytes free
.
- - End Of File - - 966E270CD0DD1AED9652932C3C1AD7F2

#16 MrCharlie

    Forum Deity

  • Experts
  • 28,152 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 18 August 2012 - 06:48 PM

Looks Good.....You really had a bad infection.

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC


#17 Rfacio

    New Member

  • Members
  • 15 posts

Posted 18 August 2012 - 07:03 PM

Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.18.06

Windows 7 x86 NTFS
Internet Explorer 9.0.8112.16421
Kandice :: CASTELLLANOS [administrator]

Protection: Enabled

8/18/2012 4:57:43 PM
mbam-log-2012-08-18 (16-57-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207259
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



OMG Thank you so much!!! No threats detected. The computer already seems to be running a lot better too!

#18 MrCharlie

    Forum Deity

  • Experts
  • 28,152 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 18 August 2012 - 07:17 PM

Great

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between ComboFix and /

[Image: the Run box with "ComboFix /uninstall" entered]

Then hit enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com
http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.
i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


#19 Maurice Naggar

    Staff

  • Moderators
  • 14,550 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention

Posted 20 August 2012 - 06:38 AM

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Maurice Naggar
Product Support

I close my threads if there are 5 days without a response.
