A dirty little bug is in my house



mnyyoungs
2011-10-26, 20:16
Hi All! I've something that an antibiotic won't do anything for. I'd love some help. I've read through and am pretty sure I've followed all the steps correctly. I have a slightly above average understanding of PCs but am by no means an expert, and these logs mean very little to me. As such, I don't want to break my life-line, my best buddy, my cohort in the outside world! ;). I ran the ERU last night but have the laptop continuously crashing...might have to give you the logs in additional posts.....

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19154 BrowserJavaVersion: 1.6.0_22
Run by Family at 14:16:54 on 2011-10-26
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.764 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\2129821162:360844673.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\explorer.exe
C:\Windows\system32\taskeng.exe
C:\ProgramData\Clickfree\C2NPlus\UACProxy.exe
C:\Windows\system32\CSHelper.exe
C:\Windows\system32\dlbxcoms.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\ProgramData\Clickfree\C2NPlus\Reminder\SacNetAgent.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\System32\WerFault.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\ProgramData\Clickfree\C2NPlus\Reminder\SacReminder.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uWindow Title = Internet Explorer provided by Dell
uSearch Bar =
mDefault_Page_URL = hxxp://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=2071122
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uWinlogon: Shell=c:\users\family\appdata\local\ea7df27e\X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - McAfee Phishing Filter
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - Yontoo Layers
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [SacReminderHDDV2N] c:\programdata\clickfree\c2nplus\reminder\SacReminder.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [DLBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBXtime.dll,_RunDLLEntry@16
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
StartupFolder: c:\users\family\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableStartupSound = 1 (0x1)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{764E5182-D195-4A9C-8CDE-86780F3355D6} : DhcpNameServer = 192.168.1.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\8.0.1\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\family\appdata\roaming\mozilla\firefox\profiles\85q3ua9k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e2b35e5&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=ca&lng=en-GB&q=
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff5.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff6.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff7.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\family\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\family\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\family\appdata\roaming\mozilla\firefox\profiles\85q3ua9k.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - plugin: c:\users\family\program files\dna\plugins\npbtdna.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Canadian English Dictionary: en-CA@dictionaries.addons.mozilla.org - %profile%\extensions\en-CA@dictionaries.addons.mozilla.org
FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Security Toolbar em:version=7.008.031.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg2012\Firefox4
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-6 64288]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 229840]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2010-11-27 22312]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-12-6 101720]
R2 CFUACProxy_c2nplus;CFUACProxy_c2nplus;c:\programdata\clickfree\c2nplus\UACProxy.exe [2011-4-3 87368]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-3-20 266240]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-30 21504]
R2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programdata\clickfree\c2nplus\reminder\SacNetAgent.exe [2011-4-3 157296]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-7-23 1153368]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-11-22 179712]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-9-12 5265248]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9834ebde52a90;Google Update Service (gupdate1c9834ebde52a90);c:\program files\google\update\GoogleUpdate.exe [2009-1-30 133104]
S2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\8.0.1\ToolbarUpdater.exe [2011-10-8 246600]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-7-23 1025352]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-10-17 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2011-9-9 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-1-30 133104]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2007-11-22 73728]
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-10-25 23:55:28 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{460a1ddd-02b4-43e1-8a2d-b57b1c65334a}\offreg.dll
2011-10-25 23:55:18 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{460a1ddd-02b4-43e1-8a2d-b57b1c65334a}\mpengine.dll
2011-10-25 22:48:06 6144 ----a-w- c:\program files\internet explorer\iecompat.dll
2011-10-24 17:56:35 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-10-24 17:36:43 163840 ----a-w- c:\users\family\taskmgr.exe
2011-10-24 17:36:42 25088 --sha-w- c:\users\family\wevtapi.dll
2011-10-24 17:36:42 -------- d-sh--w- c:\users\family\appdata\local\ea7df27e
2011-10-12 15:35:57 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-12 15:35:56 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-12 15:35:56 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-12 15:35:56 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-08 14:44:33 -------- d-----w- c:\program files\common files\AVG Secure Search
2011-10-08 14:44:28 -------- d-----w- c:\program files\AVG Secure Search
2011-10-08 14:41:06 -------- d-----w- c:\users\family\appdata\roaming\AVG2012
2011-10-08 14:39:59 -------- d-----w- c:\programdata\AVG2012
.
==================== Find3M ====================
.
2011-10-25 23:46:59 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-30 23:06:24 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 23:01:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 22:07:25 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-13 10:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-24 11:57:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-11 04:09:49 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-07-29 16:01:34 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-07-29 16:01:33 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-07-29 16:00:14 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-07-29 16:00:05 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
.
============= FINISH: 14:19:31.82 ===============

jeffce
2011-10-27, 15:14
Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

The fixes are specific to your problem and should only be used for the issues on this machine.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Having said that....Let's get going!! :thumbup:
----------

**WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

What you have on your system is called the ZeroAccess rootkit. It is an extremely nasty infection! I would highly recommend formatting and reinstalling your operating system entirely. This infection, even after being cleaned, has been shown to destroy internet connections completely.

If you would like to format and reinstall your Operating System please let me know and I can assist you with that.

If you would like to continue with the cleaning, please let me know and I will be more than happy to help. :)
----------
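Several entries in the DDS log posted above are the kind of thing a responder looks for by eye when a ZeroAccess-style infection is suspected: a file path with a second colon (an NTFS alternate data stream, `C:\Windows\2129821162:360844673.exe`), a Winlogon `Shell=` value that is not explorer.exe, copies of Windows binaries (taskmgr.exe, wevtapi.dll) sitting in the user profile, newly created hidden+system directories, and a directory literally named `%APPDATA%` inside system32. The script below is an added example, not part of this thread and not code from DDS, TDSSKiller or Spybot; it encodes those checks as simple defender-side heuristics and runs them over sample lines constructed by copying entries from the log above. The rule names, the `SYSTEM_NAMES` starter list and the attribute-string interpretation are my own assumptions about the DDS output format, so treat hits as leads to verify, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: entries copied in the shape of the DDS log above
# (running processes, pseudo-HJT lines, "Created Last 30" entries), mixed
# with benign lines so the heuristics have something to leave alone.
SAMPLE_DDS = r"""
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\2129821162:360844673.exe
C:\Windows\explorer.exe
uWinlogon: Shell=c:\users\family\appdata\local\ea7df27e\X
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
2011-10-24 17:56:35 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-10-24 17:36:43 163840 ----a-w- c:\users\family\taskmgr.exe
2011-10-24 17:36:42 25088 --sha-w- c:\users\family\wevtapi.dll
2011-10-24 17:36:42 -------- d-sh--w- c:\users\family\appdata\local\ea7df27e
2011-10-12 15:35:57 238080 ----a-w- c:\windows\system32\oleacc.dll
"""

# A Windows path anywhere in a line; stops at whitespace or a quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')
# A "Created Last 30" / "Find3M" entry: date time size-or-dashes attrs path.
# The 8-character attribute field is assumed to carry 's' (system) and
# 'h' (hidden) flags, as in "d-sh--w-" and "--sha-w-" above.
CREATED_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?:\d+|-+)\s+([a-z\-]{8})\s+(.+)$')
# Hypothetical starter list of core Windows binary names; a copy of one of
# these outside the Windows directory deserves a second look.
SYSTEM_NAMES = {"taskmgr.exe", "wevtapi.dll", "svchost.exe", "explorer.exe",
                "lsass.exe", "winlogon.exe", "csrss.exe"}


@dataclass
class Finding:
    rule: str
    line: str


def _under_windows_dir(path: str) -> bool:
    return re.match(r"^[a-z]:\\windows\\", path.lower()) is not None


def triage_line(line: str) -> List[Finding]:
    """Apply every heuristic to one DDS line and return the rules that fired."""
    found: List[Finding] = []
    low = line.lower()
    for path in PATH_RE.findall(line):
        # A colon after the drive letter means an NTFS alternate data stream.
        if ":" in path[2:]:
            found.append(Finding("alternate_data_stream", line))
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_NAMES and not _under_windows_dir(path):
            found.append(Finding("system_name_outside_windows", line))
    # The Winlogon Shell value should be explorer.exe; anything else is
    # loaded in its place at every logon.
    if low.startswith(("uwinlogon:", "mwinlogon:")) and "shell=" in low:
        value = low.split("shell=", 1)[1].strip()
        if not value.endswith("explorer.exe"):
            found.append(Finding("winlogon_shell_hijack", line))
    match = CREATED_RE.match(line)
    if match:
        attrs, path = match.group(1), match.group(2)
        # Recently created objects marked both system and hidden.
        if "s" in attrs and "h" in attrs:
            found.append(Finding("hidden_system_attrs", line))
        # An unexpanded %VAR% in a file-system entry is a literal name on
        # disk, not a variable (unlike %ProgramFiles% in a registry Run key).
        if "%" in path:
            found.append(Finding("literal_env_var_name", line))
    return found


def triage(text: str) -> List[Finding]:
    """Run triage_line over every non-empty line of a DDS log."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(triage_line(line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count how many times each rule fired."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_DDS)
    for hit in hits:
        print(f"[{hit.rule}] {hit.line}")
    print(summarize(hits))
```

Each rule is deliberately narrow so that a benign line such as a Run key using `%ProgramFiles%` or explorer.exe under C:\Windows produces nothing; the value of the script is in surfacing the handful of lines worth checking against the TDSSKiller verdicts, not in deciding on its own that a machine is infected.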

mnyyoungs
2011-10-29, 04:47
Ohhhhhh JEFF!!!! Are you going to say, "Trick or Treat" soon???? UGH....ok....here's the scoop. I've been away from home for 7 weeks and did a clickfree back up before I left. Is there any way to determine or estimate when this little parasite found its way into my computer? If we can't, I'd like to try to clean or disable or whatever we can do, so that I can safely save the newer files before the format and make a list of ALL the programs I'd need to gather and download again UGHHHHH....this is worse than a root canal while having one's toe nails pulled!!!!! Also, I'd need to find the disks for the computer in order to do this work. FINALLY, are you able to walk me through a format and re-install of Windows...it's been forever since I've done it....ummmmm.....Windows 1...maybe 2 ;) None of this new fangled, high tech stuff!

I do completely and utterly appreciate your assistance. I will be back in the home saddle this weekend and raring to fix up my 'puter! Please advise. :D

jeffce
2011-10-29, 19:05
Hi mnyyoungs,


> Ohhhhhh JEFF!!!! Are you going to say, "Trick or Treat" soon????

I wish that I were kidding. :red: There is no way to accurately determine when this infection got onto your system unfortunately.

If you want, we can attempt to clean the system, but we MAY end up having to reformat. If you want to give it a go please do the following:

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)

Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)

mnyyoungs
2011-10-30, 15:41
Jeff...here is the NON Trick or Treat log....it would NOT let me select Cure for the second mal. item found....delete was what came up, no Cure. I chose quarantine. I have NOT run this a second time. Please advise. I am in airport h e double hockey sticks now and have been for the past 24 hours....I'm not doing much, so here's hoping you get a chance to look at it while I'm in this purgatory...lol... Thanks again!


10:36:17.0148 2828 TDSS rootkit removing tool 2.6.14.0 Oct 28 2011 11:11:01
10:36:17.0301 2828 ============================================================
10:36:17.0301 2828 Current date / time: 2011/10/30 10:36:17.0301
10:36:17.0301 2828 SystemInfo:
10:36:17.0301 2828
10:36:17.0301 2828 OS Version: 6.0.6002 ServicePack: 2.0
10:36:17.0301 2828 Product type: Workstation
10:36:17.0301 2828 ComputerName: FAMILY-PC
10:36:17.0302 2828 UserName: Family
10:36:17.0302 2828 Windows directory: C:\Windows
10:36:17.0302 2828 System windows directory: C:\Windows
10:36:17.0302 2828 Processor architecture: Intel x86
10:36:17.0302 2828 Number of processors: 2
10:36:17.0302 2828 Page size: 0x1000
10:36:17.0302 2828 Boot type: Normal boot
10:36:17.0302 2828 ============================================================
10:36:18.0190 2828 Initialize success
10:36:25.0661 1228 ============================================================
10:36:25.0661 1228 Scan started
10:36:25.0661 1228 Mode: Manual;
10:36:25.0662 1228 ============================================================
10:36:26.0745 1228 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
10:36:26.0753 1228 ACPI - ok
10:36:26.0980 1228 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
10:36:27.0004 1228 adp94xx - ok
10:36:27.0374 1228 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
10:36:27.0383 1228 adpahci - ok
10:36:27.0818 1228 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
10:36:27.0822 1228 adpu160m - ok
10:36:28.0370 1228 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
10:36:28.0375 1228 adpu320 - ok
10:36:28.0518 1228 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
10:36:28.0525 1228 AFD - ok
10:36:28.0711 1228 agp440 (8b10ce1c1f9f1d47e4deb1a547a00cd4) C:\Windows\system32\drivers\agp440.sys
10:36:28.0746 1228 agp440 - ok
10:36:29.0077 1228 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
10:36:29.0090 1228 aic78xx - ok
10:36:29.0547 1228 aliide (dc67a153fdb8105b25d05334b5e1d8e2) C:\Windows\system32\drivers\aliide.sys
10:36:29.0549 1228 aliide - ok
10:36:29.0753 1228 amdagp (848f27e5b27c1c253f6cefdc1a5d8f21) C:\Windows\system32\drivers\amdagp.sys
10:36:29.0756 1228 amdagp - ok
10:36:29.0961 1228 amdide (835c4c3355088298a5ebd818fa31430f) C:\Windows\system32\drivers\amdide.sys
10:36:29.0990 1228 amdide - ok
10:36:30.0090 1228 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
10:36:30.0093 1228 AmdK7 - ok
10:36:30.0202 1228 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
10:36:30.0228 1228 AmdK8 - ok
10:36:30.0366 1228 ApfiltrService (350f19eb5fe4ec37a2414df56cde1aa8) C:\Windows\system32\DRIVERS\Apfiltr.sys
10:36:30.0371 1228 ApfiltrService - ok
10:36:30.0506 1228 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
10:36:30.0509 1228 arc - ok
10:36:30.0632 1228 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
10:36:30.0664 1228 arcsas - ok
10:36:30.0780 1228 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
10:36:30.0782 1228 AsyncMac - ok
10:36:30.0909 1228 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
10:36:30.0911 1228 atapi - ok
10:36:31.0126 1228 AVGIDSDriver (4cbb56fbc9c0cbc517e6e3a6889ebddc) C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys
10:36:31.0130 1228 AVGIDSDriver - ok
10:36:31.0233 1228 AVGIDSEH (459bce188232e2fe6152423efef65d76) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys
10:36:31.0235 1228 AVGIDSEH - ok
10:36:31.0287 1228 AVGIDSFilter (91d9abe7e88eac7c167cba4ed4d983bf) C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys
10:36:31.0289 1228 AVGIDSFilter - ok
10:36:31.0392 1228 AVGIDSShim (54d710b7d2e30e1ddc8ce2c6e685576b) C:\Windows\system32\DRIVERS\AVGIDSShim.Sys
10:36:31.0394 1228 AVGIDSShim - ok
10:36:31.0622 1228 Avgldx86 (f4dbbc8d3c5338693da23c59a50f8abc) C:\Windows\system32\DRIVERS\avgldx86.sys
10:36:31.0634 1228 Avgldx86 - ok
10:36:31.0704 1228 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\Windows\system32\DRIVERS\avgmfx86.sys
10:36:31.0707 1228 Avgmfx86 - ok
10:36:31.0850 1228 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\Windows\system32\DRIVERS\avgrkx86.sys
10:36:31.0853 1228 Avgrkx86 - ok
10:36:32.0095 1228 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\Windows\system32\DRIVERS\avgtdix.sys
10:36:32.0104 1228 Avgtdix - ok
10:36:32.0341 1228 b57nd60x (32795e299c3aba589a5e04c83d531cdf) C:\Windows\system32\DRIVERS\b57nd60x.sys
10:36:32.0346 1228 b57nd60x - ok
10:36:32.0451 1228 BCM43XX (559db7c7d958c6262cc3efee4ad95cce) C:\Windows\system32\DRIVERS\bcmwl6.sys
10:36:32.0496 1228 BCM43XX - ok
10:36:32.0708 1228 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
10:36:32.0709 1228 Beep - ok
10:36:32.0771 1228 blbdrive - ok
10:36:32.0839 1228 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
10:36:32.0842 1228 bowser - ok
10:36:32.0925 1228 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
10:36:32.0927 1228 BrFiltLo - ok
10:36:33.0007 1228 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
10:36:33.0009 1228 BrFiltUp - ok
10:36:33.0092 1228 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
10:36:33.0095 1228 Brserid - ok
10:36:33.0155 1228 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
10:36:33.0159 1228 BrSerWdm - ok
10:36:33.0282 1228 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
10:36:33.0284 1228 BrUsbMdm - ok
10:36:33.0375 1228 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
10:36:33.0377 1228 BrUsbSer - ok
10:36:33.0548 1228 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
10:36:33.0550 1228 BTHMODEM - ok
10:36:33.0696 1228 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
10:36:33.0700 1228 cdfs - ok
10:36:33.0768 1228 cdrom (17ad374538e70b02e38949a93f15d646) C:\Windows\system32\DRIVERS\cdrom.sys
10:36:33.0772 1228 cdrom ( Rootkit.Win32.ZAccess.g ) - infected
10:36:33.0772 1228 cdrom - detected Rootkit.Win32.ZAccess.g (0)
10:36:33.0932 1228 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
10:36:33.0934 1228 circlass - ok
10:36:34.0069 1228 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
10:36:34.0103 1228 CLFS - ok
10:36:34.0397 1228 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
10:36:34.0399 1228 CmBatt - ok
10:36:34.0521 1228 cmdide (e79cbb2195e965f6e3256e2c1b23fd1c) C:\Windows\system32\drivers\cmdide.sys
10:36:34.0523 1228 cmdide - ok
10:36:34.0577 1228 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
10:36:34.0580 1228 Compbatt - ok
10:36:34.0624 1228 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
10:36:34.0626 1228 crcdisk - ok
10:36:34.0699 1228 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
10:36:34.0701 1228 Crusoe - ok
10:36:34.0845 1228 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
10:36:34.0849 1228 DfsC - ok
10:36:34.0967 1228 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
10:36:34.0969 1228 disk - ok
10:36:35.0107 1228 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
10:36:35.0109 1228 drmkaud - ok
10:36:35.0202 1228 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
10:36:35.0204 1228 DSproct - ok
10:36:35.0265 1228 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\Windows\system32\DRIVERS\dsunidrv.sys
10:36:35.0266 1228 dsunidrv - ok
10:36:35.0491 1228 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
10:36:35.0536 1228 DXGKrnl - ok
10:36:35.0652 1228 e1express (7505290504c8e2d172fa378cc0497bcc) C:\Windows\system32\DRIVERS\e1e6032.sys
10:36:35.0688 1228 e1express - ok
10:36:35.0855 1228 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
10:36:35.0860 1228 E1G60 - ok
10:36:35.0921 1228 ea7df27e (8f2bb1827cac01aee6a16e30a1260199) C:\Windows\2129821162:360844673.exe
10:36:35.0923 1228 Suspicious file (Hidden): C:\Windows\2129821162:360844673.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
10:36:35.0924 1228 ea7df27e ( Rootkit.Win32.PMax.gen ) - infected
10:36:35.0924 1228 ea7df27e - detected Rootkit.Win32.PMax.gen (0)
10:36:36.0043 1228 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
10:36:36.0048 1228 Ecache - ok
10:36:36.0175 1228 ElRawDisk (b8eac99b14772bdc36ca963aed109fa2) C:\Windows\system32\drivers\rsdrv.sys
10:36:36.0202 1228 ElRawDisk - ok
10:36:36.0358 1228 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
10:36:36.0368 1228 elxstor - ok
10:36:36.0574 1228 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
10:36:36.0579 1228 exfat - ok
10:36:36.0665 1228 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
10:36:36.0670 1228 fastfat - ok
10:36:36.0767 1228 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
10:36:36.0769 1228 fdc - ok
10:36:36.0905 1228 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
10:36:36.0908 1228 FileInfo - ok
10:36:36.0987 1228 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
10:36:36.0989 1228 Filetrace - ok
10:36:37.0032 1228 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
10:36:37.0034 1228 flpydisk - ok
10:36:37.0204 1228 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
10:36:37.0232 1228 FltMgr - ok
10:36:37.0414 1228 fssfltr (b74b0578fd1d3f897e95f2a2b69ea051) C:\Windows\system32\DRIVERS\fssfltr.sys
10:36:37.0418 1228 fssfltr - ok
10:36:37.0522 1228 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
10:36:37.0524 1228 Fs_Rec - ok
10:36:37.0596 1228 FTDIBUS (7c17235845d5ae3fb33ead47b5881521) C:\Windows\system32\drivers\ftdibus.sys
10:36:37.0599 1228 FTDIBUS - ok
10:36:37.0729 1228 FTSER2K (23220a4709cc5785f9633ba71416145c) C:\Windows\system32\drivers\ftser2k.sys
10:36:37.0733 1228 FTSER2K - ok
10:36:37.0931 1228 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
10:36:37.0944 1228 gagp30kx - ok
10:36:38.0034 1228 GEARAspiWDM - ok
10:36:38.0382 1228 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
10:36:38.0405 1228 HDAudBus - ok
10:36:38.0480 1228 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
10:36:38.0482 1228 HidBth - ok
10:36:38.0584 1228 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
10:36:38.0587 1228 HidIr - ok
10:36:38.0750 1228 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
10:36:38.0761 1228 HidUsb - ok
10:36:39.0061 1228 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
10:36:39.0063 1228 HpCISSs - ok
10:36:39.0198 1228 HSF_DPV (e9e589c9ab799f52e18f057635a2b362) C:\Windows\system32\DRIVERS\HSX_DPV.sys
10:36:39.0276 1228 HSF_DPV - ok
10:36:39.0495 1228 HSXHWAZL (7845d2385f4dc7dfb3ccaf0c2fa4948e) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
10:36:39.0534 1228 HSXHWAZL - ok
10:36:39.0822 1228 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
10:36:39.0845 1228 HTTP - ok
10:36:39.0953 1228 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
10:36:39.0956 1228 i2omp - ok
10:36:40.0085 1228 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
10:36:40.0119 1228 i8042prt - ok
10:36:40.0208 1228 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\Windows\system32\drivers\iastor.sys
10:36:40.0213 1228 iaStor - ok
10:36:40.0335 1228 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
10:36:40.0343 1228 iaStorV - ok
10:36:40.0689 1228 igfx (bbace0293b73bf8c7cb591f2d06f26fa) C:\Windows\system32\DRIVERS\igdkmd32.sys
10:36:40.0793 1228 igfx - ok
10:36:40.0902 1228 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
10:36:40.0904 1228 iirsp - ok
10:36:41.0011 1228 intelide (0084046c084d68e494f8cf36bcf08186) C:\Windows\system32\DRIVERS\intelide.sys
10:36:41.0013 1228 intelide - ok
10:36:41.0076 1228 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
10:36:41.0078 1228 intelppm - ok
10:36:41.0283 1228 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
10:36:41.0285 1228 IpFilterDriver - ok
10:36:41.0323 1228 IpInIp - ok
10:36:41.0379 1228 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
10:36:41.0382 1228 IPMIDRV - ok
10:36:41.0503 1228 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
10:36:41.0508 1228 IPNAT - ok
10:36:41.0597 1228 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
10:36:41.0599 1228 IRENUM - ok
10:36:41.0666 1228 isapnp (2f8ece2699e7e2070545e9b0960a8ed2) C:\Windows\system32\drivers\isapnp.sys
10:36:41.0669 1228 isapnp - ok
10:36:41.0749 1228 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
10:36:41.0754 1228 iScsiPrt - ok
10:36:42.0030 1228 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
10:36:42.0032 1228 iteatapi - ok
10:36:42.0084 1228 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
10:36:42.0087 1228 iteraid - ok
10:36:42.0154 1228 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
10:36:42.0157 1228 kbdclass - ok
10:36:42.0316 1228 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
10:36:42.0351 1228 kbdhid - ok
10:36:42.0464 1228 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
10:36:42.0487 1228 KSecDD - ok
10:36:42.0573 1228 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\Windows\system32\DRIVERS\Lbd.sys
10:36:42.0576 1228 Lbd - ok
10:36:42.0739 1228 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
10:36:42.0741 1228 lltdio - ok
10:36:42.0833 1228 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
10:36:42.0837 1228 LSI_FC - ok
10:36:42.0937 1228 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
10:36:42.0940 1228 LSI_SAS - ok
10:36:43.0240 1228 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
10:36:43.0243 1228 LSI_SCSI - ok
10:36:43.0320 1228 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
10:36:43.0323 1228 luafv - ok
10:36:43.0385 1228 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\Windows\system32\DRIVERS\LVPr2Mon.sys
10:36:43.0388 1228 LVPr2Mon - ok
10:36:43.0558 1228 LVRS (37072ec9299e825f4335cc554b6fac6a) C:\Windows\system32\DRIVERS\lvrs.sys
10:36:43.0603 1228 LVRS - ok
10:36:44.0331 1228 LVUVC (a240e42a7402e927a71b6e8aa4629b13) C:\Windows\system32\DRIVERS\lvuvc.sys
10:36:44.0579 1228 LVUVC - ok
10:36:44.0727 1228 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
10:36:44.0730 1228 mdmxsdk - ok
10:36:44.0782 1228 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
10:36:44.0784 1228 megasas - ok
10:36:45.0089 1228 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
10:36:45.0091 1228 Modem - ok
10:36:45.0333 1228 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
10:36:45.0335 1228 monitor - ok
10:36:45.0401 1228 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
10:36:45.0403 1228 mouclass - ok
10:36:45.0441 1228 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
10:36:45.0444 1228 mouhid - ok
10:36:45.0827 1228 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
10:36:45.0869 1228 MountMgr - ok
10:36:45.0954 1228 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
10:36:45.0958 1228 mpio - ok
10:36:46.0294 1228 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
10:36:46.0331 1228 mpsdrv - ok
10:36:46.0400 1228 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
10:36:46.0402 1228 Mraid35x - ok
10:36:46.0489 1228 MREMP50 (80b2ec735495823ae5771a5f603e73bd) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
10:36:46.0492 1228 MREMP50 - ok
10:36:46.0572 1228 MREMP50a64 - ok
10:36:46.0603 1228 MRESP50 (37d7c22f7e26da90e2d2d260e5d27846) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
10:36:46.0605 1228 MRESP50 - ok
10:36:46.0645 1228 MRESP50a64 - ok
10:36:46.0706 1228 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
10:36:46.0711 1228 MRxDAV - ok
10:36:46.0776 1228 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
10:36:46.0782 1228 mrxsmb - ok
10:36:46.0898 1228 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
10:36:46.0938 1228 mrxsmb10 - ok
10:36:46.0998 1228 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
10:36:47.0002 1228 mrxsmb20 - ok
10:36:47.0063 1228 msahci (d420bc42a637ac3cc4f411220549c0dc) C:\Windows\system32\drivers\msahci.sys
10:36:47.0065 1228 msahci - ok
10:36:47.0155 1228 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
10:36:47.0159 1228 msdsm - ok
10:36:47.0251 1228 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
10:36:47.0253 1228 Msfs - ok
10:36:47.0316 1228 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
10:36:47.0319 1228 msisadrv - ok
10:36:47.0451 1228 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
10:36:47.0453 1228 MSKSSRV - ok
10:36:47.0579 1228 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
10:36:47.0581 1228 MSPCLOCK - ok
10:36:47.0631 1228 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
10:36:47.0633 1228 MSPQM - ok
10:36:47.0752 1228 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
10:36:47.0758 1228 MsRPC - ok
10:36:47.0894 1228 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
10:36:47.0929 1228 mssmbios - ok
10:36:48.0070 1228 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
10:36:48.0106 1228 MSTEE - ok
10:36:48.0275 1228 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
10:36:48.0278 1228 Mup - ok
10:36:48.0422 1228 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
10:36:48.0427 1228 NativeWifiP - ok
10:36:48.0988 1228 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
10:36:49.0023 1228 NDIS - ok
10:36:49.0137 1228 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
10:36:49.0140 1228 NdisTapi - ok
10:36:49.0218 1228 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
10:36:49.0220 1228 Ndisuio - ok
10:36:49.0286 1228 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
10:36:49.0290 1228 NdisWan - ok
10:36:49.0420 1228 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
10:36:49.0423 1228 NDProxy - ok
10:36:49.0676 1228 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
10:36:49.0679 1228 NetBIOS - ok
10:36:49.0753 1228 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
10:36:49.0759 1228 netbt - ok
10:36:49.0879 1228 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
10:36:49.0882 1228 nfrd960 - ok
10:36:50.0210 1228 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
10:36:50.0212 1228 Npfs - ok
10:36:50.0267 1228 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
10:36:50.0269 1228 nsiproxy - ok
10:36:50.0344 1228 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
10:36:50.0390 1228 Ntfs - ok
10:36:50.0501 1228 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
10:36:50.0503 1228 ntrigdigi - ok
10:36:50.0614 1228 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
10:36:50.0616 1228 Null - ok
10:36:50.0681 1228 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
10:36:50.0685 1228 nvraid - ok
10:36:50.0759 1228 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
10:36:50.0762 1228 nvstor - ok
10:36:51.0044 1228 nv_agp (055081fd5076401c1ee1bcab08d81911) C:\Windows\system32\drivers\nv_agp.sys
10:36:51.0048 1228 nv_agp - ok
10:36:51.0090 1228 NwlnkFlt - ok
10:36:51.0124 1228 NwlnkFwd - ok
10:36:51.0219 1228 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
10:36:51.0221 1228 ohci1394 - ok
10:36:51.0335 1228 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
10:36:51.0338 1228 Parport - ok
10:36:51.0395 1228 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
10:36:51.0466 1228 partmgr - ok
10:36:51.0533 1228 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
10:36:51.0536 1228 Parvdm - ok
10:36:51.0700 1228 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
10:36:51.0740 1228 pci - ok
10:36:51.0812 1228 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
10:36:51.0814 1228 pciide - ok
10:36:51.0958 1228 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
10:36:51.0964 1228 pcmcia - ok
10:36:52.0114 1228 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\Windows\system32\Drivers\pcouffin.sys
10:36:52.0117 1228 pcouffin - ok
10:36:52.0217 1228 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
10:36:52.0252 1228 PEAUTH - ok
10:36:52.0488 1228 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
10:36:52.0491 1228 PptpMiniport - ok
10:36:52.0668 1228 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
10:36:52.0670 1228 Processor - ok
10:36:52.0754 1228 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
10:36:52.0757 1228 PSched - ok
10:36:52.0878 1228 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\Windows\system32\Drivers\PxHelp20.sys
10:36:52.0880 1228 PxHelp20 - ok
10:36:53.0017 1228 qgdttjh - ok
10:36:53.0134 1228 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
10:36:53.0212 1228 ql2300 - ok
10:36:53.0367 1228 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
10:36:53.0371 1228 ql40xx - ok
10:36:53.0491 1228 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
10:36:53.0494 1228 QWAVEdrv - ok
10:36:53.0693 1228 R300 (e642b131fb74caf4bb8a014f31113142) C:\Windows\system32\DRIVERS\atikmdag.sys
10:36:53.0781 1228 R300 - ok
10:36:53.0867 1228 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
10:36:53.0870 1228 RasAcd - ok
10:36:54.0166 1228 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
10:36:54.0170 1228 Rasl2tp - ok
10:36:54.0293 1228 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
10:36:54.0296 1228 RasPppoe - ok
10:36:54.0401 1228 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
10:36:54.0405 1228 RasSstp - ok
10:36:54.0573 1228 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
10:36:54.0611 1228 rdbss - ok
10:36:54.0689 1228 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
10:36:54.0692 1228 RDPCDD - ok
10:36:54.0906 1228 rdpdr (0245418224cfa77bf4b41c2fe0622258) C:\Windows\system32\drivers\rdpdr.sys
10:36:54.0914 1228 rdpdr - ok
10:36:54.0947 1228 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
10:36:54.0950 1228 RDPENCDD - ok
10:36:55.0025 1228 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
10:36:55.0031 1228 RDPWD - ok
10:36:55.0144 1228 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\Windows\system32\DRIVERS\rimmptsk.sys
10:36:55.0147 1228 rimmptsk - ok
10:36:55.0251 1228 rimsptsk (db8eb01c58c9fada00c70b1775278ae0) C:\Windows\system32\DRIVERS\rimsptsk.sys
10:36:55.0253 1228 rimsptsk - ok
10:36:55.0303 1228 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\Windows\system32\DRIVERS\rixdptsk.sys
10:36:55.0306 1228 rismxdp - ok
10:36:55.0436 1228 RPSKT - ok
10:36:55.0514 1228 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
10:36:55.0518 1228 rspndr - ok
10:36:55.0785 1228 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
10:36:55.0789 1228 sbp2port - ok
10:36:55.0876 1228 SBRE (0505da5d357f18a5d42fc5dede6bc9a0) C:\Windows\system32\drivers\SBREdrv.sys
10:36:55.0880 1228 SBRE - ok
10:36:56.0381 1228 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
10:36:56.0385 1228 sdbus - ok
10:36:56.0527 1228 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
10:36:56.0529 1228 secdrv - ok
10:36:56.0769 1228 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\DRIVERS\serenum.sys
10:36:56.0801 1228 Serenum - ok
10:36:56.0880 1228 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
10:36:56.0884 1228 Serial - ok
10:36:57.0079 1228 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
10:36:57.0081 1228 sermouse - ok
10:36:57.0294 1228 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\DRIVERS\sffdisk.sys
10:36:57.0296 1228 sffdisk - ok
10:36:57.0375 1228 sffp_mmc (96ded8b20c734ac41641ce275250e55d) C:\Windows\system32\drivers\sffp_mmc.sys
10:36:57.0377 1228 sffp_mmc - ok
10:36:57.0518 1228 sffp_sd (9f66a46c55d6f1ccabc79bb7afccc545) C:\Windows\system32\DRIVERS\sffp_sd.sys
10:36:57.0520 1228 sffp_sd - ok
10:36:57.0595 1228 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
10:36:57.0597 1228 sfloppy - ok
10:36:57.0762 1228 sisagp (08072b2fb92477fc813271a84b3a8698) C:\Windows\system32\drivers\sisagp.sys
10:36:57.0765 1228 sisagp - ok
10:36:57.0847 1228 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
10:36:57.0850 1228 SiSRaid2 - ok
10:36:58.0081 1228 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
10:36:58.0109 1228 SiSRaid4 - ok
10:36:58.0215 1228 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
10:36:58.0299 1228 Smb - ok
10:36:58.0448 1228 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
10:36:58.0450 1228 spldr - ok
10:36:58.0570 1228 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
10:36:58.0579 1228 srv - ok
10:36:58.0706 1228 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
10:36:58.0712 1228 srv2 - ok
10:36:58.0791 1228 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
10:36:58.0795 1228 srvnet - ok
10:36:58.0866 1228 sscdbus (d5dffeaa1e15d4effabb9d9a3068ac5b) C:\Windows\system32\DRIVERS\sscdbus.sys
10:36:58.0901 1228 sscdbus - ok
10:36:59.0025 1228 sscdmdfl (8a1be0c347814f482f493aea619d57f6) C:\Windows\system32\DRIVERS\sscdmdfl.sys
10:36:59.0028 1228 sscdmdfl - ok
10:36:59.0132 1228 sscdmdm (5ab0b1987f682a59b15b78f84c6ad7d0) C:\Windows\system32\DRIVERS\sscdmdm.sys
10:36:59.0136 1228 sscdmdm - ok
10:36:59.0312 1228 sscdserd (751e66eb32efa80633b80f5d7ff0a1d8) C:\Windows\system32\DRIVERS\sscdserd.sys
10:36:59.0351 1228 sscdserd - ok
10:36:59.0495 1228 STHDA (5af135b2e2097d4494b9067ce84e2665) C:\Windows\system32\drivers\stwrt.sys
10:36:59.0506 1228 STHDA - ok
10:36:59.0585 1228 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
10:36:59.0587 1228 swenum - ok
10:36:59.0655 1228 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
10:36:59.0657 1228 Symc8xx - ok
10:36:59.0703 1228 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
10:36:59.0735 1228 Sym_hi - ok
10:36:59.0836 1228 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
10:36:59.0839 1228 Sym_u3 - ok
10:36:59.0975 1228 Tcpip (2756186e287139310997090797e0182b) C:\Windows\system32\drivers\tcpip.sys
10:37:00.0009 1228 Tcpip - ok
10:37:00.0720 1228 Tcpip6 (2756186e287139310997090797e0182b) C:\Windows\system32\DRIVERS\tcpip.sys
10:37:00.0734 1228 Tcpip6 - ok
10:37:00.0864 1228 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
10:37:00.0868 1228 tcpipreg - ok
10:37:00.0952 1228 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
10:37:00.0954 1228 TDPIPE - ok
10:37:01.0013 1228 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
10:37:01.0015 1228 TDTCP - ok
10:37:01.0118 1228 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
10:37:01.0121 1228 tdx - ok
10:37:01.0254 1228 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
10:37:01.0258 1228 TermDD - ok
10:37:01.0388 1228 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
10:37:01.0391 1228 tssecsrv - ok
10:37:01.0610 1228 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
10:37:01.0612 1228 tunmp - ok
10:37:01.0689 1228 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
10:37:01.0691 1228 tunnel - ok
10:37:01.0760 1228 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
10:37:01.0764 1228 uagp35 - ok
10:37:01.0887 1228 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
10:37:01.0896 1228 udfs - ok
10:37:02.0092 1228 uliagpkx (6d72ef05921abdf59fc45c7ebfe7e8dd) C:\Windows\system32\drivers\uliagpkx.sys
10:37:02.0095 1228 uliagpkx - ok
10:37:02.0177 1228 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
10:37:02.0185 1228 uliahci - ok
10:37:02.0240 1228 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
10:37:02.0245 1228 UlSata - ok
10:37:02.0432 1228 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
10:37:02.0437 1228 ulsata2 - ok
10:37:02.0566 1228 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
10:37:02.0568 1228 umbus - ok
10:37:02.0645 1228 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\Windows\system32\Drivers\usbaapl.sys
10:37:02.0647 1228 USBAAPL - ok
10:37:02.0727 1228 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
10:37:02.0731 1228 usbaudio - ok
10:37:02.0816 1228 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
10:37:02.0820 1228 usbccgp - ok
10:37:02.0943 1228 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
10:37:02.0947 1228 usbcir - ok
10:37:03.0040 1228 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
10:37:03.0043 1228 usbehci - ok
10:37:03.0102 1228 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
10:37:03.0109 1228 usbhub - ok
10:37:03.0248 1228 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
10:37:03.0251 1228 usbohci - ok
10:37:03.0329 1228 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
10:37:03.0331 1228 usbprint - ok
10:37:03.0434 1228 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
10:37:03.0437 1228 usbscan - ok
10:37:03.0594 1228 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
10:37:03.0597 1228 USBSTOR - ok
10:37:03.0675 1228 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
10:37:03.0678 1228 usbuhci - ok
10:37:03.0760 1228 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
10:37:03.0766 1228 usbvideo - ok
10:37:03.0840 1228 usb_rndisx (35c9095fa7076466afbfc5b9ec4b779e) C:\Windows\system32\DRIVERS\usb8023x.sys
10:37:03.0842 1228 usb_rndisx - ok
10:37:03.0958 1228 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
10:37:03.0961 1228 vga - ok
10:37:04.0076 1228 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
10:37:04.0078 1228 VgaSave - ok
10:37:04.0125 1228 viaagp (d5929a28bdff4367a12caf06af901971) C:\Windows\system32\drivers\viaagp.sys
10:37:04.0128 1228 viaagp - ok
10:37:04.0191 1228 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
10:37:04.0194 1228 ViaC7 - ok
10:37:04.0268 1228 viaide (f3b4762eb85a2aff4999401f14c3262b) C:\Windows\system32\drivers\viaide.sys
10:37:04.0270 1228 viaide - ok
10:37:04.0379 1228 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
10:37:04.0382 1228 volmgr - ok
10:37:04.0479 1228 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
10:37:04.0488 1228 volmgrx - ok
10:37:04.0566 1228 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
10:37:04.0573 1228 volsnap - ok
10:37:04.0686 1228 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
10:37:04.0691 1228 vsmraid - ok
10:37:04.0788 1228 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
10:37:04.0791 1228 WacomPen - ok
10:37:04.0865 1228 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
10:37:04.0868 1228 Wanarp - ok
10:37:04.0893 1228 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
10:37:04.0895 1228 Wanarpv6 - ok
10:37:05.0014 1228 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
10:37:05.0017 1228 Wd - ok
10:37:05.0114 1228 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
10:37:05.0148 1228 Wdf01000 - ok
10:37:05.0383 1228 winachsf (4daca8f07537d4d7e3534bb99294aa26) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
10:37:05.0416 1228 winachsf - ok
10:37:05.0582 1228 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
10:37:05.0584 1228 WmiAcpi - ok
10:37:05.0682 1228 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
10:37:05.0685 1228 WpdUsb - ok
10:37:05.0749 1228 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
10:37:05.0752 1228 ws2ifsl - ok
10:37:05.0885 1228 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
10:37:05.0889 1228 WUDFRd - ok
10:37:05.0967 1228 XAudio (5a7ff9a18ff6d7e0527fe3abf9204ef8) C:\Windows\system32\DRIVERS\xaudio.sys
10:37:05.0970 1228 XAudio - ok
10:37:06.0092 1228 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
10:37:06.0136 1228 \Device\Harddisk0\DR0 - ok
10:37:06.0158 1228 Boot (0x1200) (b36b2b1cf28f89c9eb2043708663ea66) \Device\Harddisk0\DR0\Partition0
10:37:06.0161 1228 \Device\Harddisk0\DR0\Partition0 - ok
10:37:06.0170 1228 Boot (0x1200) (bf8884cc45984339a36a4361ad4c2dbd) \Device\Harddisk0\DR0\Partition1
10:37:06.0172 1228 \Device\Harddisk0\DR0\Partition1 - ok
10:37:06.0176 1228 ============================================================
10:37:06.0176 1228 Scan finished
10:37:06.0176 1228 ============================================================
10:37:06.0203 3064 Detected object count: 2
10:37:06.0203 3064 Actual detected object count: 2
10:38:19.0714 3064 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\Windows\system32\drivers\cdrom.sys) error 1813
10:38:20.0355 3064 Backup copy found, using it..
10:38:20.0371 3064 C:\Windows\system32\DRIVERS\cdrom.sys - will be cured on reboot
10:38:20.0371 3064 cdrom ( Rootkit.Win32.ZAccess.g ) - User select action: Cure
10:38:20.0515 3064 C:\Windows\2129821162:360844673.exe - copied to quarantine
10:38:20.0516 3064 ea7df27e ( Rootkit.Win32.PMax.gen ) - User select action: Quarantine

jeffce
2011-10-30, 17:12
Hi mnyyoungs,

LOL!! I hate sitting waiting on flights hahahaha!! Let's get this going and try to knock this out.

Download Combofix from either of the links below, and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.

mnyyoungs
2011-10-31, 13:49
My laptop starts up fine, but the mouse seems to be frozen; as such, I need some help! :( Any suggestions? I've tried Ctrl/Alt/Del... nada... pulled the battery out to restart... same thing... is that the nasty bug? :( or a driver error... lol

jeffce
2011-10-31, 14:52
Hi mnyyoungs,

It is hard to tell just yet what might be causing the mouse problem, but it is likely the virus. Try to boot into Safe Mode with Networking and follow the earlier instructions for ComboFix. When ComboFix completes there will be a log produced I will need in your next reply.

If you still have a problem let me know. I have provided the instructions below for how to boot into Safe Mode. :)

Reboot Your System in Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode
Restart the computer.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the Safe mode with Networking menu item.
Press Enter.

mnyyoungs
2011-10-31, 19:59
External mouse is working on the infected computer, but the keyboard and mouse pad aren't working... however, here is the ComboFix scan... is it good news?!?!?!


ComboFix 11-10-30.03 - Family 31/10/2011 13:44:20.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1225 [GMT -4:00]
Running from: c:\users\Family\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Family\AppData\Local\ea7df27e
c:\users\Family\AppData\Local\ea7df27e\@
c:\users\Family\AppData\Local\ea7df27e\U\80000000.@
c:\users\Family\AppData\Local\ea7df27e\U\800000cb.@
c:\users\Family\AppData\Local\ea7df27e\X
c:\users\Family\Documents\~WRL0001.tmp
c:\users\Family\Documents\~WRL3224.tmp
c:\users\Family\g2mdlhlpx.exe
c:\users\Family\wevtapi.dll
c:\windows\$NtUninstallKB59388$
c:\windows\$NtUninstallKB59388$\2762484775
c:\windows\$NtUninstallKB59388$\3934122622\@
c:\windows\$NtUninstallKB59388$\3934122622\L\qnbwvoto
c:\windows\$NtUninstallKB59388$\3934122622\loader.tlb
c:\windows\$NtUninstallKB59388$\3934122622\U\@00000001
c:\windows\$NtUninstallKB59388$\3934122622\U\@000000c0
c:\windows\$NtUninstallKB59388$\3934122622\U\@000000cb
c:\windows\$NtUninstallKB59388$\3934122622\U\@000000cf
c:\windows\$NtUninstallKB59388$\3934122622\U\@80000000
c:\windows\$NtUninstallKB59388$\3934122622\U\@800000c0
c:\windows\$NtUninstallKB59388$\3934122622\U\@800000cb
c:\windows\$NtUninstallKB59388$\3934122622\U\@800000cf
c:\windows\security\Database\tmp.edb
c:\windows\system32\
c:\windows\system32\c_41644.nls
c:\windows\system32\drivers\
.
Infected copy of c:\windows\system32\drivers\dfsc.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\program files\AVG\AVG2012\avgwdsvc.exe was found and disinfected
Restored copy from - c:\program files\AVG\AVG2012\
.
Infected copy of c:\programdata\Clickfree\C2NPlus\UACProxy.exe was found and disinfected
Restored copy from - c:\programdata\Clickfree\C2NPlus\
.
c:\windows\system32\CSHelper.exe . . . is infected!!
c:\windows\system32\CSHelper.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\dlbxcoms.exe . . . is infected!!
c:\windows\system32\dlbxcoms.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\2129821162:360844673.exe . . . is infected!!
c:\windows\2129821162:360844673.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\program files\Google\Update\GoogleUpdate.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy1_!Program Files!Google!Update!GoogleUpdate.exe
.
Infected copy of c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe was found and disinfected
Restored copy from - c:\program files\Google\Common\Google Updater\
.
Infected copy of c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe was found and disinfected
Restored copy from - c:\program files\Common Files\LogiShrd\LVMVFM\
.
Infected copy of c:\program files\Common Files\Motive\McciCMService.exe was found and disinfected
Restored copy from - c:\program files\Common Files\Motive\
.
Infected copy of c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE was found and disinfected
Restored copy from - c:\program files\Common Files\microsoft shared\Source Engine\
.
Infected copy of c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe was found and disinfected
Restored copy from - c:\program files\Common Files\Intuit\QuickBooks\
.
.
c:\windows\system32\STacSV.exe . . . is infected!!
c:\windows\system32\STacSV.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe was found and disinfected
Restored copy from - c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\
.
Infected copy of c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE was found and disinfected
Restored copy from - c:\program files\Common Files\microsoft shared\Windows Live\
.
Infected copy of c:\windows\system32\DRIVERS\xaudio.exe was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\del000fz.inf_291182ff\XAudio.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ea7df27e
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-31 )))))))))))))))))))))))))))))))
.
.
2011-10-31 18:23 . 2011-10-31 18:23 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-10-31 18:23 . 2011-10-31 18:23 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-10-31 18:23 . 2011-10-31 18:23 8646 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-10-31 18:23 . 2011-10-31 18:23 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-10-31 18:23 . 2011-10-31 18:23 5927 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2011-10-31 18:23 . 2011-10-31 18:23 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-10-31 18:23 . 2011-10-31 18:23 8613 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-10-31 18:18 . 2011-10-31 18:18 1529728 ----a-w- c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2011-10-31 18:13 . 2011-10-31 18:13 145184 ----a-w- c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
2011-10-30 14:44 . 2011-10-30 14:44 48016 --sha-w- c:\windows\system32\c_41644.nl_
2011-10-30 14:38 . 2011-10-30 14:38 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-28 08:13 . 2011-10-18 06:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D208FC11-8E7A-4DE4-917E-F39D40F22D8F}\mpengine.dll
2011-10-26 02:11 . 2011-10-26 02:11 -------- d-----w- c:\program files\ERUNT
2011-10-25 22:48 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-24 17:56 . 2011-10-24 17:56 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-10-24 17:36 . 2008-01-19 07:33 163840 ----a-w- c:\users\Family\taskmgr.exe
2011-10-12 15:35 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-12 15:35 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-12 15:35 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-12 15:35 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-08 14:44 . 2011-10-08 14:44 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2011-10-08 14:44 . 2011-10-08 14:44 -------- d-----w- c:\program files\AVG Secure Search
2011-10-08 14:41 . 2011-10-08 14:41 -------- d-----w- c:\users\Family\AppData\Roaming\AVG2012
2011-10-08 14:39 . 2011-10-13 07:58 -------- d-----w- c:\programdata\AVG2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-30 14:43 . 2009-07-26 02:26 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-25 23:46 . 2008-07-19 16:29 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-13 10:30 . 2011-09-13 10:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-08-31 21:00 . 2008-05-06 03:54 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-24 11:57 . 2011-08-24 11:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-11 04:09 . 2011-08-11 04:09 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-08-08 10:08 . 2011-08-08 10:08 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-09-10 00:46 . 2011-09-10 00:46 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2011-04-14 18:01 . 2010-10-25 17:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SacReminderHDDV2N"="c:\programdata\Clickfree\C2NPlus\reminder\SacReminder.exe" [2011-01-20 870224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-22 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-26 129560]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"DLBXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-09-10 30192]
.
c:\users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-10-13 984408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableStartupSound"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-24 09:27 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2008-12-20 04:48 342848 ----a-w- c:\users\Family\Program Files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-08-31 21:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-04-16 22:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-22 12:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R0 qgdttjh;qgdttjh;c:\windows\System32\drivers\bpfvii.sys [x]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [2011-09-12 5265248]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [x]
R2 gupdate1c9834ebde52a90;Google Update Service (gupdate1c9834ebde52a90);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-07-26 1025352]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2011-09-10 30192]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2008-07-09 47360]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-07-11 229840]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-06-28 101720]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2011-10-31 192776]
S2 CFUACProxy_c2nplus;CFUACProxy_c2nplus;c:\programdata\Clickfree\C2NPlus\UACProxy.exe [2011-10-31 87368]
S2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programdata\Clickfree\C2NPlus\Reminder\SacNetAgent.exe [2011-10-25 157296]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2011-10-31 1153368]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134736]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-07-11 16720]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-10-31 18:10]
.
2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{1A27E350-4EB9-4A64-8D25-115B91043FBF}.job
- c:\windows\system32\msfeedssync.exe [2011-10-12 21:29]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.2.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
FF - ProfilePath - c:\users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\85q3ua9k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e2b35e5&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=ca&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Canadian English Dictionary: en-CA@dictionaries.addons.mozilla.org - %profile%\extensions\en-CA@dictionaries.addons.mozilla.org
FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Security Toolbar em:version=7.008.031.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\AVG\AVG10\Toolbar\Firefox\avg@igeared
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG2012\Firefox4
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{9565115d-c7d6-46d3-bd63-b67b481a4368} - (no file)
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
HKLM-Run-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
SafeBoot-86822721.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-31 14:23
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]
"ImagePath"="\*"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\
.
[HKEY_USERS\S-1-5-21-2740605613-3585765697-2305856818-1000\Software\SecuROM\License information*]
"datasecu"=hex:cb,cc,19,08,d8,6d,2e,40,1a,65,bb,68,0a,b9,d8,3d,ed,1e,80,69,df,
e9,de,db,27,4a,44,51,86,72,49,6f,cd,da,71,56,3c,29,57,35,4a,5a,58,0d,a3,ce,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2011-10-31 14:34:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-31 18:34
.
Pre-Run: 66,512,236,544 bytes free
Post-Run: 65,855,041,536 bytes free
.
- - End Of File - - 2B2AE00A9DEEF47EF37C81E0E8BC7EE4

jeffce
2011-10-31, 20:05
Hi mnyyoungs,

Good job getting that log. As to how good it is, the jury is still out, but I will look it over.

Please run TDSSKiller once again and post that log while I am looking over the ComboFix log. :)

mnyyoungs
2011-10-31, 23:15
OK...here's the Greek...aka 'puter speak, from that scan.

18:06:19.0752 1136 TDSS rootkit removing tool 2.6.14.0 Oct 28 2011 11:11:01
18:06:20.0160 1136 ============================================================
18:06:20.0160 1136 Current date / time: 2011/10/31 18:06:20.0160
18:06:20.0160 1136 SystemInfo:
18:06:20.0160 1136
18:06:20.0161 1136 OS Version: 6.0.6002 ServicePack: 2.0
18:06:20.0161 1136 Product type: Workstation
18:06:20.0161 1136 ComputerName: FAMILY-PC
18:06:20.0162 1136 UserName: Family
18:06:20.0162 1136 Windows directory: C:\Windows
18:06:20.0162 1136 System windows directory: C:\Windows
18:06:20.0162 1136 Processor architecture: Intel x86
18:06:20.0162 1136 Number of processors: 2
18:06:20.0162 1136 Page size: 0x1000
18:06:20.0162 1136 Boot type: Normal boot
18:06:20.0162 1136 ============================================================
18:06:21.0114 1136 Initialize success
18:06:22.0487 2168 ============================================================
18:06:22.0487 2168 Scan started
18:06:22.0487 2168 Mode: Manual;
18:06:22.0487 2168 ============================================================
18:06:22.0955 2168 .kbdclass - ok
18:06:23.0347 2168 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
18:06:23.0357 2168 ACPI - ok
18:06:23.0452 2168 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
18:06:23.0462 2168 adp94xx - ok
18:06:23.0531 2168 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
18:06:23.0538 2168 adpahci - ok
18:06:23.0639 2168 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
18:06:23.0644 2168 adpu160m - ok
18:06:23.0691 2168 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
18:06:23.0695 2168 adpu320 - ok
18:06:23.0800 2168 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
18:06:23.0811 2168 AFD - ok
18:06:23.0990 2168 agp440 (8b10ce1c1f9f1d47e4deb1a547a00cd4) C:\Windows\system32\drivers\agp440.sys
18:06:23.0994 2168 agp440 - ok
18:06:24.0045 2168 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
18:06:24.0048 2168 aic78xx - ok
18:06:24.0102 2168 aliide (dc67a153fdb8105b25d05334b5e1d8e2) C:\Windows\system32\drivers\aliide.sys
18:06:24.0104 2168 aliide - ok
18:06:24.0163 2168 amdagp (848f27e5b27c1c253f6cefdc1a5d8f21) C:\Windows\system32\drivers\amdagp.sys
18:06:24.0166 2168 amdagp - ok
18:06:24.0211 2168 amdide (835c4c3355088298a5ebd818fa31430f) C:\Windows\system32\drivers\amdide.sys
18:06:24.0212 2168 amdide - ok
18:06:24.0346 2168 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
18:06:24.0348 2168 AmdK7 - ok
18:06:24.0393 2168 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
18:06:24.0395 2168 AmdK8 - ok
18:06:24.0479 2168 ApfiltrService (350f19eb5fe4ec37a2414df56cde1aa8) C:\Windows\system32\DRIVERS\Apfiltr.sys
18:06:24.0483 2168 ApfiltrService - ok
18:06:24.0661 2168 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
18:06:24.0663 2168 arc - ok
18:06:24.0730 2168 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
18:06:24.0734 2168 arcsas - ok
18:06:24.0804 2168 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
18:06:24.0806 2168 AsyncMac - ok
18:06:24.0922 2168 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
18:06:24.0923 2168 atapi - ok
18:06:25.0082 2168 AVGIDSDriver (4cbb56fbc9c0cbc517e6e3a6889ebddc) C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys
18:06:25.0086 2168 AVGIDSDriver - ok
18:06:25.0157 2168 AVGIDSEH (459bce188232e2fe6152423efef65d76) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys
18:06:25.0158 2168 AVGIDSEH - ok
18:06:25.0244 2168 AVGIDSFilter (91d9abe7e88eac7c167cba4ed4d983bf) C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys
18:06:25.0246 2168 AVGIDSFilter - ok
18:06:25.0327 2168 AVGIDSShim (54d710b7d2e30e1ddc8ce2c6e685576b) C:\Windows\system32\DRIVERS\AVGIDSShim.Sys
18:06:25.0328 2168 AVGIDSShim - ok
18:06:25.0424 2168 Avgldx86 (f4dbbc8d3c5338693da23c59a50f8abc) C:\Windows\system32\DRIVERS\avgldx86.sys
18:06:25.0430 2168 Avgldx86 - ok
18:06:25.0525 2168 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\Windows\system32\DRIVERS\avgmfx86.sys
18:06:25.0527 2168 Avgmfx86 - ok
18:06:25.0628 2168 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\Windows\system32\DRIVERS\avgrkx86.sys
18:06:25.0630 2168 Avgrkx86 - ok
18:06:25.0712 2168 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\Windows\system32\DRIVERS\avgtdix.sys
18:06:25.0720 2168 Avgtdix - ok
18:06:25.0832 2168 b57nd60x (32795e299c3aba589a5e04c83d531cdf) C:\Windows\system32\DRIVERS\b57nd60x.sys
18:06:25.0836 2168 b57nd60x - ok
18:06:25.0969 2168 BCM43XX (559db7c7d958c6262cc3efee4ad95cce) C:\Windows\system32\DRIVERS\bcmwl6.sys
18:06:25.0992 2168 BCM43XX - ok
18:06:26.0076 2168 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
18:06:26.0077 2168 Beep - ok
18:06:26.0168 2168 blbdrive - ok
18:06:26.0241 2168 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
18:06:26.0244 2168 bowser - ok
18:06:26.0338 2168 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
18:06:26.0340 2168 BrFiltLo - ok
18:06:26.0440 2168 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
18:06:26.0441 2168 BrFiltUp - ok
18:06:26.0542 2168 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
18:06:26.0544 2168 Brserid - ok
18:06:26.0595 2168 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
18:06:26.0598 2168 BrSerWdm - ok
18:06:26.0682 2168 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
18:06:26.0684 2168 BrUsbMdm - ok
18:06:26.0737 2168 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
18:06:26.0739 2168 BrUsbSer - ok
18:06:26.0831 2168 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
18:06:26.0834 2168 BTHMODEM - ok
18:06:26.0878 2168 catchme - ok
18:06:26.0964 2168 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
18:06:26.0967 2168 cdfs - ok
18:06:27.0025 2168 cdrom (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys
18:06:27.0030 2168 cdrom - ok
18:06:27.0145 2168 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
18:06:27.0147 2168 circlass - ok
18:06:27.0229 2168 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
18:06:27.0238 2168 CLFS - ok
18:06:27.0365 2168 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
18:06:27.0367 2168 CmBatt - ok
18:06:27.0432 2168 cmdide (e79cbb2195e965f6e3256e2c1b23fd1c) C:\Windows\system32\drivers\cmdide.sys
18:06:27.0434 2168 cmdide - ok
18:06:27.0500 2168 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
18:06:27.0502 2168 Compbatt - ok
18:06:27.0564 2168 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
18:06:27.0566 2168 crcdisk - ok
18:06:27.0617 2168 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
18:06:27.0619 2168 Crusoe - ok
18:06:27.0765 2168 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
18:06:27.0768 2168 DfsC - ok
18:06:27.0935 2168 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
18:06:27.0937 2168 disk - ok
18:06:28.0086 2168 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
18:06:28.0088 2168 drmkaud - ok
18:06:28.0184 2168 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
18:06:28.0185 2168 DSproct - ok
18:06:28.0255 2168 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\Windows\system32\DRIVERS\dsunidrv.sys
18:06:28.0258 2168 dsunidrv - ok
18:06:28.0340 2168 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
18:06:28.0375 2168 DXGKrnl - ok
18:06:28.0471 2168 e1express (7505290504c8e2d172fa378cc0497bcc) C:\Windows\system32\DRIVERS\e1e6032.sys
18:06:28.0476 2168 e1express - ok
18:06:28.0561 2168 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
18:06:28.0565 2168 E1G60 - ok
18:06:28.0667 2168 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
18:06:28.0673 2168 Ecache - ok
18:06:28.0798 2168 ElRawDisk (b8eac99b14772bdc36ca963aed109fa2) C:\Windows\system32\drivers\rsdrv.sys
18:06:28.0802 2168 ElRawDisk - ok
18:06:28.0901 2168 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
18:06:28.0910 2168 elxstor - ok
18:06:29.0052 2168 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
18:06:29.0059 2168 exfat - ok
18:06:29.0123 2168 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
18:06:29.0128 2168 fastfat - ok
18:06:29.0251 2168 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
18:06:29.0252 2168 fdc - ok
18:06:29.0340 2168 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
18:06:29.0343 2168 FileInfo - ok
18:06:29.0415 2168 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
18:06:29.0419 2168 Filetrace - ok
18:06:29.0470 2168 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
18:06:29.0472 2168 flpydisk - ok
18:06:29.0584 2168 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
18:06:29.0591 2168 FltMgr - ok
18:06:29.0756 2168 fssfltr (b74b0578fd1d3f897e95f2a2b69ea051) C:\Windows\system32\DRIVERS\fssfltr.sys
18:06:29.0758 2168 fssfltr - ok
18:06:29.0901 2168 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
18:06:29.0904 2168 Fs_Rec - ok
18:06:29.0961 2168 FTDIBUS (7c17235845d5ae3fb33ead47b5881521) C:\Windows\system32\drivers\ftdibus.sys
18:06:29.0964 2168 FTDIBUS - ok
18:06:30.0046 2168 FTSER2K (23220a4709cc5785f9633ba71416145c) C:\Windows\system32\drivers\ftser2k.sys
18:06:30.0049 2168 FTSER2K - ok
18:06:30.0113 2168 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
18:06:30.0116 2168 gagp30kx - ok
18:06:30.0185 2168 GEARAspiWDM - ok
18:06:30.0374 2168 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
18:06:30.0410 2168 HDAudBus - ok
18:06:30.0555 2168 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
18:06:30.0556 2168 HidBth - ok
18:06:30.0603 2168 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
18:06:30.0605 2168 HidIr - ok
18:06:30.0694 2168 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
18:06:30.0697 2168 HidUsb - ok
18:06:30.0865 2168 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
18:06:30.0867 2168 HpCISSs - ok
18:06:31.0026 2168 HSF_DPV (e9e589c9ab799f52e18f057635a2b362) C:\Windows\system32\DRIVERS\HSX_DPV.sys
18:06:31.0048 2168 HSF_DPV - ok
18:06:31.0119 2168 HSXHWAZL (7845d2385f4dc7dfb3ccaf0c2fa4948e) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
18:06:31.0127 2168 HSXHWAZL - ok
18:06:31.0202 2168 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
18:06:31.0226 2168 HTTP - ok
18:06:31.0329 2168 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
18:06:31.0332 2168 i2omp - ok
18:06:31.0453 2168 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
18:06:31.0457 2168 i8042prt - ok
18:06:31.0533 2168 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\Windows\system32\drivers\iastor.sys
18:06:31.0540 2168 iaStor - ok
18:06:31.0659 2168 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
18:06:31.0667 2168 iaStorV - ok
18:06:31.0883 2168 igfx (bbace0293b73bf8c7cb591f2d06f26fa) C:\Windows\system32\DRIVERS\igdkmd32.sys
18:06:31.0925 2168 igfx - ok
18:06:32.0124 2168 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
18:06:32.0127 2168 iirsp - ok
18:06:32.0201 2168 intelide (0084046c084d68e494f8cf36bcf08186) C:\Windows\system32\DRIVERS\intelide.sys
18:06:32.0204 2168 intelide - ok
18:06:32.0311 2168 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
18:06:32.0313 2168 intelppm - ok
18:06:32.0417 2168 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
18:06:32.0422 2168 IpFilterDriver - ok
18:06:32.0502 2168 IpInIp - ok
18:06:32.0573 2168 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
18:06:32.0577 2168 IPMIDRV - ok
18:06:32.0671 2168 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
18:06:32.0677 2168 IPNAT - ok
18:06:32.0754 2168 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
18:06:32.0757 2168 IRENUM - ok
18:06:32.0827 2168 isapnp (2f8ece2699e7e2070545e9b0960a8ed2) C:\Windows\system32\drivers\isapnp.sys
18:06:32.0830 2168 isapnp - ok
18:06:32.0917 2168 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
18:06:32.0924 2168 iScsiPrt - ok
18:06:32.0990 2168 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
18:06:32.0993 2168 iteatapi - ok
18:06:33.0093 2168 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
18:06:33.0098 2168 iteraid - ok
18:06:33.0173 2168 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
18:06:33.0176 2168 kbdhid - ok
18:06:33.0266 2168 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
18:06:33.0290 2168 KSecDD - ok
18:06:33.0419 2168 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\Windows\system32\DRIVERS\Lbd.sys
18:06:33.0422 2168 Lbd - ok
18:06:33.0507 2168 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
18:06:33.0511 2168 lltdio - ok
18:06:33.0596 2168 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
18:06:33.0600 2168 LSI_FC - ok
18:06:33.0683 2168 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
18:06:33.0687 2168 LSI_SAS - ok
18:06:33.0778 2168 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
18:06:33.0782 2168 LSI_SCSI - ok
18:06:33.0854 2168 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
18:06:33.0858 2168 luafv - ok
18:06:33.0957 2168 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\Windows\system32\DRIVERS\LVPr2Mon.sys
18:06:33.0959 2168 LVPr2Mon - ok
18:06:34.0091 2168 LVRS (37072ec9299e825f4335cc554b6fac6a) C:\Windows\system32\DRIVERS\lvrs.sys
18:06:34.0103 2168 LVRS - ok
18:06:34.0483 2168 LVUVC (a240e42a7402e927a71b6e8aa4629b13) C:\Windows\system32\DRIVERS\lvuvc.sys
18:06:34.0775 2168 LVUVC - ok
18:06:34.0939 2168 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
18:06:34.0951 2168 mdmxsdk - ok
18:06:35.0083 2168 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
18:06:35.0086 2168 megasas - ok
18:06:35.0167 2168 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
18:06:35.0169 2168 Modem - ok
18:06:35.0356 2168 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
18:06:35.0359 2168 monitor - ok
18:06:35.0446 2168 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
18:06:35.0451 2168 mouclass - ok
18:06:35.0491 2168 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
18:06:35.0494 2168 mouhid - ok
18:06:35.0561 2168 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
18:06:35.0564 2168 MountMgr - ok
18:06:35.0722 2168 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
18:06:35.0728 2168 mpio - ok
18:06:35.0817 2168 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
18:06:35.0822 2168 mpsdrv - ok
18:06:35.0890 2168 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
18:06:35.0893 2168 Mraid35x - ok
18:06:36.0002 2168 MREMP50 (80b2ec735495823ae5771a5f603e73bd) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
18:06:36.0006 2168 MREMP50 - ok
18:06:36.0118 2168 MREMP50a64 - ok
18:06:36.0160 2168 MRESP50 (37d7c22f7e26da90e2d2d260e5d27846) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
18:06:36.0164 2168 MRESP50 - ok
18:06:36.0215 2168 MRESP50a64 - ok
18:06:36.0308 2168 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
18:06:36.0313 2168 MRxDAV - ok
18:06:36.0510 2168 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
18:06:36.0514 2168 mrxsmb - ok
18:06:36.0655 2168 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
18:06:36.0662 2168 mrxsmb10 - ok
18:06:36.0722 2168 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
18:06:36.0726 2168 mrxsmb20 - ok
18:06:36.0808 2168 msahci (d420bc42a637ac3cc4f411220549c0dc) C:\Windows\system32\drivers\msahci.sys
18:06:36.0812 2168 msahci - ok
18:06:36.0868 2168 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
18:06:36.0874 2168 msdsm - ok
18:06:37.0051 2168 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
18:06:37.0053 2168 Msfs - ok
18:06:37.0117 2168 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
18:06:37.0120 2168 msisadrv - ok
18:06:37.0219 2168 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
18:06:37.0222 2168 MSKSSRV - ok
18:06:37.0335 2168 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
18:06:37.0338 2168 MSPCLOCK - ok
18:06:37.0399 2168 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
18:06:37.0402 2168 MSPQM - ok
18:06:37.0475 2168 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
18:06:37.0481 2168 MsRPC - ok
18:06:37.0551 2168 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
18:06:37.0553 2168 mssmbios - ok
18:06:37.0694 2168 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
18:06:37.0697 2168 MSTEE - ok
18:06:37.0758 2168 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
18:06:37.0760 2168 Mup - ok
18:06:37.0879 2168 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
18:06:37.0887 2168 NativeWifiP - ok
18:06:38.0056 2168 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
18:06:38.0092 2168 NDIS - ok
18:06:38.0170 2168 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
18:06:38.0174 2168 NdisTapi - ok
18:06:38.0275 2168 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
18:06:38.0278 2168 Ndisuio - ok
18:06:38.0520 2168 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
18:06:38.0526 2168 NdisWan - ok
18:06:38.0588 2168 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
18:06:38.0593 2168 NDProxy - ok
18:06:38.0666 2168 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
18:06:38.0669 2168 NetBIOS - ok
18:06:38.0809 2168 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
18:06:38.0817 2168 netbt - ok
18:06:38.0924 2168 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
18:06:38.0929 2168 nfrd960 - ok
18:06:39.0011 2168 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
18:06:39.0014 2168 Npfs - ok
18:06:39.0123 2168 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
18:06:39.0126 2168 nsiproxy - ok
18:06:39.0239 2168 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
18:06:39.0285 2168 Ntfs - ok
18:06:39.0368 2168 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
18:06:39.0372 2168 ntrigdigi - ok
18:06:39.0432 2168 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
18:06:39.0435 2168 Null - ok
18:06:39.0627 2168 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
18:06:39.0643 2168 nvraid - ok
18:06:39.0738 2168 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
18:06:39.0743 2168 nvstor - ok
18:06:39.0857 2168 nv_agp (055081fd5076401c1ee1bcab08d81911) C:\Windows\system32\drivers\nv_agp.sys
18:06:39.0863 2168 nv_agp - ok
18:06:39.0918 2168 NwlnkFlt - ok
18:06:40.0059 2168 NwlnkFwd - ok
18:06:40.0153 2168 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
18:06:40.0157 2168 ohci1394 - ok
18:06:40.0314 2168 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
18:06:40.0319 2168 Parport - ok
18:06:40.0385 2168 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
18:06:40.0388 2168 partmgr - ok
18:06:40.0445 2168 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
18:06:40.0448 2168 Parvdm - ok
18:06:40.0524 2168 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
18:06:40.0529 2168 pci - ok
18:06:40.0635 2168 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
18:06:40.0637 2168 pciide - ok
18:06:40.0725 2168 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
18:06:40.0733 2168 pcmcia - ok
18:06:40.0820 2168 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\Windows\system32\Drivers\pcouffin.sys
18:06:40.0824 2168 pcouffin - ok
18:06:41.0078 2168 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
18:06:41.0123 2168 PEAUTH - ok
18:06:41.0278 2168 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
18:06:41.0283 2168 PptpMiniport - ok
18:06:41.0347 2168 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
18:06:41.0351 2168 Processor - ok
18:06:41.0433 2168 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
18:06:41.0437 2168 PSched - ok
18:06:41.0579 2168 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\Windows\system32\Drivers\PxHelp20.sys
18:06:41.0581 2168 PxHelp20 - ok
18:06:41.0693 2168 qgdttjh - ok
18:06:41.0824 2168 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
18:06:41.0858 2168 ql2300 - ok
18:06:42.0135 2168 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
18:06:42.0141 2168 ql40xx - ok
18:06:42.0215 2168 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
18:06:42.0218 2168 QWAVEdrv - ok
18:06:42.0408 2168 R300 (e642b131fb74caf4bb8a014f31113142) C:\Windows\system32\DRIVERS\atikmdag.sys
18:06:42.0485 2168 R300 - ok
18:06:42.0579 2168 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
18:06:42.0583 2168 RasAcd - ok
18:06:42.0735 2168 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
18:06:42.0740 2168 Rasl2tp - ok
18:06:42.0872 2168 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
18:06:42.0876 2168 RasPppoe - ok
18:06:42.0949 2168 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
18:06:42.0955 2168 RasSstp - ok
18:06:43.0030 2168 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
18:06:43.0038 2168 rdbss - ok
18:06:43.0168 2168 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
18:06:43.0171 2168 RDPCDD - ok
18:06:43.0308 2168 rdpdr (0245418224cfa77bf4b41c2fe0622258) C:\Windows\system32\drivers\rdpdr.sys
18:06:43.0318 2168 rdpdr - ok
18:06:43.0360 2168 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
18:06:43.0364 2168 RDPENCDD - ok
18:06:43.0450 2168 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
18:06:43.0459 2168 RDPWD - ok
18:06:43.0545 2168 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\Windows\system32\DRIVERS\rimmptsk.sys
18:06:43.0549 2168 rimmptsk - ok
18:06:43.0674 2168 rimsptsk (db8eb01c58c9fada00c70b1775278ae0) C:\Windows\system32\DRIVERS\rimsptsk.sys
18:06:43.0678 2168 rimsptsk - ok
18:06:43.0726 2168 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\Windows\system32\DRIVERS\rixdptsk.sys
18:06:43.0730 2168 rismxdp - ok
18:06:43.0837 2168 RPSKT - ok
18:06:43.0927 2168 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
18:06:43.0935 2168 rspndr - ok
18:06:44.0074 2168 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
18:06:44.0079 2168 sbp2port - ok
18:06:44.0144 2168 SBRE (0505da5d357f18a5d42fc5dede6bc9a0) C:\Windows\system32\drivers\SBREdrv.sys
18:06:44.0149 2168 SBRE - ok
18:06:44.0271 2168 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
18:06:44.0276 2168 sdbus - ok
18:06:44.0339 2168 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
18:06:44.0342 2168 secdrv - ok
18:06:44.0471 2168 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\DRIVERS\serenum.sys
18:06:44.0474 2168 Serenum - ok
18:06:44.0524 2168 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
18:06:44.0529 2168 Serial - ok
18:06:44.0602 2168 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
18:06:44.0605 2168 sermouse - ok
18:06:44.0707 2168 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\DRIVERS\sffdisk.sys
18:06:44.0711 2168 sffdisk - ok
18:06:44.0817 2168 sffp_mmc (96ded8b20c734ac41641ce275250e55d) C:\Windows\system32\drivers\sffp_mmc.sys
18:06:44.0820 2168 sffp_mmc - ok
18:06:44.0879 2168 sffp_sd (9f66a46c55d6f1ccabc79bb7afccc545) C:\Windows\system32\DRIVERS\sffp_sd.sys
18:06:44.0883 2168 sffp_sd - ok
18:06:44.0943 2168 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
18:06:44.0946 2168 sfloppy - ok
18:06:45.0015 2168 sisagp (08072b2fb92477fc813271a84b3a8698) C:\Windows\system32\drivers\sisagp.sys
18:06:45.0019 2168 sisagp - ok
18:06:45.0135 2168 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
18:06:45.0138 2168 SiSRaid2 - ok
18:06:45.0229 2168 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
18:06:45.0234 2168 SiSRaid4 - ok
18:06:45.0338 2168 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
18:06:45.0344 2168 Smb - ok
18:06:45.0437 2168 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
18:06:45.0440 2168 spldr - ok
18:06:45.0550 2168 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
18:06:45.0573 2168 srv - ok
18:06:45.0774 2168 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
18:06:45.0779 2168 srv2 - ok
18:06:45.0825 2168 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
18:06:45.0829 2168 srvnet - ok
18:06:45.0941 2168 sscdbus (d5dffeaa1e15d4effabb9d9a3068ac5b) C:\Windows\system32\DRIVERS\sscdbus.sys
18:06:45.0952 2168 sscdbus - ok
18:06:46.0088 2168 sscdmdfl (8a1be0c347814f482f493aea619d57f6) C:\Windows\system32\DRIVERS\sscdmdfl.sys
18:06:46.0091 2168 sscdmdfl - ok
18:06:46.0142 2168 sscdmdm (5ab0b1987f682a59b15b78f84c6ad7d0) C:\Windows\system32\DRIVERS\sscdmdm.sys
18:06:46.0146 2168 sscdmdm - ok
18:06:46.0235 2168 sscdserd (751e66eb32efa80633b80f5d7ff0a1d8) C:\Windows\system32\DRIVERS\sscdserd.sys
18:06:46.0239 2168 sscdserd - ok
18:06:46.0419 2168 STHDA (5af135b2e2097d4494b9067ce84e2665) C:\Windows\system32\drivers\stwrt.sys
18:06:46.0431 2168 STHDA - ok
18:06:46.0519 2168 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
18:06:46.0522 2168 swenum - ok
18:06:46.0626 2168 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
18:06:46.0629 2168 Symc8xx - ok
18:06:46.0684 2168 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
18:06:46.0688 2168 Sym_hi - ok
18:06:46.0744 2168 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
18:06:46.0747 2168 Sym_u3 - ok
18:06:46.0903 2168 Tcpip (2756186e287139310997090797e0182b) C:\Windows\system32\drivers\tcpip.sys
18:06:47.0004 2168 Tcpip - ok
18:06:47.0248 2168 Tcpip6 (2756186e287139310997090797e0182b) C:\Windows\system32\DRIVERS\tcpip.sys
18:06:47.0268 2168 Tcpip6 - ok
18:06:47.0332 2168 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
18:06:47.0336 2168 tcpipreg - ok
18:06:47.0398 2168 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
18:06:47.0401 2168 TDPIPE - ok
18:06:47.0448 2168 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
18:06:47.0452 2168 TDTCP - ok
18:06:47.0574 2168 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
18:06:47.0578 2168 tdx - ok
18:06:47.0666 2168 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
18:06:47.0669 2168 TermDD - ok
18:06:47.0788 2168 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
18:06:47.0792 2168 tssecsrv - ok
18:06:47.0899 2168 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
18:06:47.0903 2168 tunmp - ok
18:06:47.0978 2168 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
18:06:47.0984 2168 tunnel - ok
18:06:48.0064 2168 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
18:06:48.0068 2168 uagp35 - ok
18:06:48.0140 2168 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
18:06:48.0147 2168 udfs - ok
18:06:48.0242 2168 uliagpkx (6d72ef05921abdf59fc45c7ebfe7e8dd) C:\Windows\system32\drivers\uliagpkx.sys
18:06:48.0249 2168 uliagpkx - ok
18:06:48.0304 2168 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
18:06:48.0314 2168 uliahci - ok
18:06:48.0445 2168 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
18:06:48.0450 2168 UlSata - ok
18:06:48.0518 2168 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
18:06:48.0522 2168 ulsata2 - ok
18:06:48.0589 2168 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
18:06:48.0594 2168 umbus - ok
18:06:48.0737 2168 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\Windows\system32\Drivers\usbaapl.sys
18:06:48.0741 2168 USBAAPL - ok
18:06:48.0816 2168 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
18:06:48.0821 2168 usbaudio - ok
18:06:48.0901 2168 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
18:06:48.0905 2168 usbccgp - ok
18:06:49.0069 2168 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
18:06:49.0074 2168 usbcir - ok
18:06:49.0152 2168 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
18:06:49.0156 2168 usbehci - ok
18:06:49.0215 2168 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
18:06:49.0222 2168 usbhub - ok
18:06:49.0357 2168 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
18:06:49.0360 2168 usbohci - ok
18:06:49.0451 2168 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
18:06:49.0456 2168 usbprint - ok
18:06:49.0562 2168 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
18:06:49.0566 2168 usbscan - ok
18:06:49.0646 2168 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
18:06:49.0650 2168 USBSTOR - ok
18:06:49.0720 2168 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
18:06:49.0724 2168 usbuhci - ok
18:06:49.0829 2168 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
18:06:49.0835 2168 usbvideo - ok
18:06:49.0907 2168 usb_rndisx (35c9095fa7076466afbfc5b9ec4b779e) C:\Windows\system32\DRIVERS\usb8023x.sys
18:06:49.0911 2168 usb_rndisx - ok
18:06:50.0028 2168 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
18:06:50.0031 2168 vga - ok
18:06:50.0110 2168 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
18:06:50.0116 2168 VgaSave - ok
18:06:50.0176 2168 viaagp (d5929a28bdff4367a12caf06af901971) C:\Windows\system32\drivers\viaagp.sys
18:06:50.0180 2168 viaagp - ok
18:06:50.0306 2168 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
18:06:50.0309 2168 ViaC7 - ok
18:06:50.0385 2168 viaide (f3b4762eb85a2aff4999401f14c3262b) C:\Windows\system32\drivers\viaide.sys
18:06:50.0388 2168 viaide - ok
18:06:50.0457 2168 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
18:06:50.0461 2168 volmgr - ok
18:06:50.0548 2168 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
18:06:50.0557 2168 volmgrx - ok
18:06:50.0679 2168 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
18:06:50.0686 2168 volsnap - ok
18:06:50.0842 2168 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
18:06:50.0848 2168 vsmraid - ok
18:06:51.0006 2168 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
18:06:51.0008 2168 WacomPen - ok
18:06:51.0077 2168 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
18:06:51.0081 2168 Wanarp - ok
18:06:51.0102 2168 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
18:06:51.0105 2168 Wanarpv6 - ok
18:06:51.0263 2168 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
18:06:51.0266 2168 Wd - ok
18:06:51.0361 2168 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
18:06:51.0396 2168 Wdf01000 - ok
18:06:51.0619 2168 winachsf (4daca8f07537d4d7e3534bb99294aa26) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
18:06:51.0654 2168 winachsf - ok
18:06:51.0893 2168 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
18:06:51.0896 2168 WmiAcpi - ok
18:06:52.0119 2168 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
18:06:52.0123 2168 WpdUsb - ok
18:06:52.0195 2168 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
18:06:52.0205 2168 ws2ifsl - ok
18:06:52.0442 2168 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
18:06:52.0446 2168 WUDFRd - ok
18:06:52.0546 2168 XAudio (5a7ff9a18ff6d7e0527fe3abf9204ef8) C:\Windows\system32\DRIVERS\xaudio.sys
18:06:52.0548 2168 XAudio - ok
18:06:52.0648 2168 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
18:06:52.0692 2168 \Device\Harddisk0\DR0 - ok
18:06:52.0715 2168 Boot (0x1200) (b36b2b1cf28f89c9eb2043708663ea66) \Device\Harddisk0\DR0\Partition0
18:06:52.0739 2168 \Device\Harddisk0\DR0\Partition0 - ok
18:06:52.0750 2168 Boot (0x1200) (bf8884cc45984339a36a4361ad4c2dbd) \Device\Harddisk0\DR0\Partition1
18:06:52.0752 2168 \Device\Harddisk0\DR0\Partition1 - ok
18:06:52.0758 2168 ============================================================
18:06:52.0758 2168 Scan finished
18:06:52.0758 2168 ============================================================
18:06:52.0792 4672 Detected object count: 0
18:06:52.0792 4672 Actual detected object count: 0

jeffce
2011-11-01, 02:14
Hi mnyyoungs,

TDSSKiller looked good. :)
-----------



Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::
c:\windows\system32\c_41644.nl_
c:\windows\System32\drivers\bpfvii.sys
c:\windows\system32\ConduitEngine.tmp

Firefox::
FF - ProfilePath - c:\users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\85q3ua9k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

RegNull::
[HKEY_USERS\S-1-5-21-2740605613-3585765697-2305856818-1000\Software\SecuROM\License information*]
"datasecu"=hex:cb,cc,19,08,d8,6d,2e,40,1a,65,bb,68,0a,b9,d8,3d,ed,1e,80,69,df,
e9,de,db,27,4a,44,51,86,72,49,6f,cd,da,71,56,3c,29,57,35,4a,5a,58,0d,a3,ce,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49

Driver::
qgdttjh


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

mnyyoungs
2011-11-01, 17:25
Am working on running, as described, but the program has stalled at:

"deleting files"

Does this mean it's done? Please advise.

THANKS!!!!

jeffce
2011-11-01, 19:13
Hi mnyyoungs,

If ComboFix stalls just go ahead and run it again using the instructions I provided before. If you still have problems just let me know. :bigthumb:

mnyyoungs
2011-11-02, 01:09
urg....quick q. should the blue box say anything in it when I've followed your directions re: notebook, disable any clean-ware, and drag note-file into combo fix. I get nada...blue box opens...cursor bounces...and nothing else...also getting A LOT of spybot notices about changes to the system....no spybot in the tray to disable...so I didn't...but should I be getting notices of system changes, at this point unless it's that bug I've got?

jeffce
2011-11-02, 01:21
Hi mnyyoungs,

I am sorry you are having these troubles. This infection that is on your system is the real-deal so this may take some time.

What I would like for you to do is just uninstall Spybot completely. We can reinstall it later. Go to Control Panel > Programs and Features and then delete Spybot.
------------

Delete your ComboFix icon and then get a fresh copy using the links I provided earlier. Once you get a fresh copy of ComboFix please try to run the cfscript.txt that we created earlier. If you are still having problems let me know. :)

mnyyoungs
2011-11-02, 23:56
Hi Jeff....Combo Fix removed and re-installed after I removed Spybot. I'm still waiting for a log, but the program has been hung up on "Completed Stage__50" for quite some time.

Now as far as my data that i'd like to save from this laptop...since this does not seem to be going well. Would word, excel, powerpoint files, photos and some .exe extensions....be affected by this rootkit that I don't seem to be able to give the bootkick to?

Also, WHO makes these nasty things...do these delinquent masterminds really get what they want when they cause this havoc to people? I mean, really...I believe in Karma, so I'd hope they get "theirs" but besides Karma, does "Big Brother" find them and take them to one of North America's plush prisons? Seriously, WHO does this crap and why?

jeffce
2011-11-03, 00:39
Hi mnyyoungs,


> WHO makes these nasty things...do these delinquent masterminds really get what they want when they cause this havoc to people?

LOL!! I have no idea but they do get more creative.

As far as what you should backup, I have been treating this with the idea that ANY .exe should be considered infected throughout the system. Saving photos, music, word documents and such should be just fine but nothing else. Absolutely no .exe files at all though.

If ComboFix has not completed yet, go ahead and reboot then take a look in your C:\ drive and look for the most recent copy of ComboFix.txt and post that into your next reply. :)

mnyyoungs
2011-11-03, 22:42
I've followed the steps you mentioned in your last post. I've followed them and it's still getting hung up at the same place. There is NO Log in the C: drive either.....any further suggestions? Now, if I was using ehemmmm, Adult sites, or opening those incessant emails about how I've won a gazillion dollars from a long lost uncle, I wouldn't be so angry about this computer trauma....but I'm a clean surfer! lol.

I'm afraid to use my click-free to back up my personal files....I wonder if this nasty bug is what caused my external hard drive to give up the fight a few weeks ago....it wasn't that old....garrrrrrr.

jeffce
2011-11-03, 23:37
Hi mnyyoungs,


> I wouldn't be so angry about this computer trauma....but I'm a clean surfer! lol.

It is amazing the places that people can pick up these infections. There is just never any way to really tell.

Let's try something different. You will need a jump drive for this next part (or a CD).

I want you to delete ComboFix from your desktop.
Download a fresh copy of ComboFix to a USB drive from another computer, but before saving it to the USB drive I want you to rename it to svchost.exe.
Now transfer it to the infected computer and save it to C:\Windows.
Now move the CFScript.txt that you made on your desktop to C:\Windows as well.
Drag the cfscript.txt onto svchost.exe and let it run.


If there is a log created post that into your next reply. If you still have problems let me know.

mnyyoungs
2011-11-05, 15:37
Hi Jeff....still no go. I've followed your instructions, again, and it gets hung up at stage 50, then nothing. When I close the box, what remains is a blue screen and I have to pull the plug and battery to re-start. There is no log except something that is called PFRO, that was created between when the program ran and when I rebooted. It is a txt document.

Please advise and thank you for your valiant effort, Jeff. :)

jeffce
2011-11-06, 01:24
Hi mnyyoungs,

Let's try this again but I have re-written the fix...please do the following using the new ComboFix you just downloaded to your system.




Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


SkipFix::

File::
c:\windows\system32\c_41644.nl_
c:\windows\System32\drivers\bpfvii.sys
c:\windows\system32\ConduitEngine.tmp

Firefox::
FF - ProfilePath - c:\users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\85q3ua9k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

RegNull::
[HKEY_USERS\S-1-5-21-2740605613-3585765697-2305856818-1000\Software\SecuROM\License information*]
"datasecu"=hex:cb,cc,19,08,d8,6d,2e,40,1a,65,bb,68,0a,b9,d8,3d,ed,1e,80,69,df,
e9,de,db,27,4a,44,51,86,72,49,6f,cd,da,71,56,3c,29,57,35,4a,5a,58,0d,a3,ce,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49

Driver::
qgdttjh


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

mnyyoungs
2011-11-06, 04:00
I ran the new script in the new and renamed combo fix. I've been sitting on a "please wait" screen with a blinking cursor for about 3 hours now....any suggestions? Heading to slumber-land so I'm going to hibernate this computer until the am. Is this driver error?????

jeffce
2011-11-06, 18:10
Hi mnyyoungs,

Sorry that this is taking so long. Let's try to get this to run another way.



Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


KillAll::

File::
c:\windows\system32\c_41644.nl_
c:\windows\System32\drivers\bpfvii.sys
c:\windows\system32\ConduitEngine.tmp

Firefox::
FF - ProfilePath - c:\users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\85q3ua9k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d5,f0,d9,f8,d9,92,fd,4d,ae,29,ae,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

RegNull::
[HKEY_USERS\S-1-5-21-2740605613-3585765697-2305856818-1000\Software\SecuROM\License information*]
"datasecu"=hex:cb,cc,19,08,d8,6d,2e,40,1a,65,bb,68,0a,b9,d8,3d,ed,1e,80,69,df,
e9,de,db,27,4a,44,51,86,72,49,6f,cd,da,71,56,3c,29,57,35,4a,5a,58,0d,a3,ce,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49

Driver::
qgdttjh



Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

mnyyoungs
2011-11-07, 02:45
Ok, as she sighs, here's the deal now....I have a series of what look like combo fix and the renamed combofix, svchost. There may be other, but the windows seem to be in some sort of a loop and flash far too quickly for me to get a good look at what each of the boxes says. They flash along a diagonal 5/6 times then start at the top left hand corner again. I've tried to shut it down using task manager and that did not do anything. I've tried completely deleting combofix and svchost, but it continues to do the same thing. I've restarted, completely shut down and have this kookie thing keep happening. That said, I have not re-run the new script....I'm afraid to use my clickfree back up, in the event the data is affected in the back up so I've picked up a large usb key, but can't even get the info when it's doing the freaky windows flash dance! lol.

I really appreciate your assistance, and no apologies are needed. You didn't break my computer. :)

jeffce
2011-11-07, 02:56
Hi mnyyoungs,

I am going to get some more opinions on this infection on your computer. I will return as quickly as I can.

mnyyoungs
2011-11-07, 03:04
MUCH appreciated!

jeffce
2011-11-07, 13:30
Hi mnyyoungs,

If you need to do the following in Safe Mode then that is just fine.
-------------

Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe ) to your desktop.

Right-click the aswMBR icon and select Run as Administrator to run it.
When asked if you want to download Avast's virus definitions please select Yes.
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png )
Click the image to enlarge it
----------

mnyyoungs
2011-11-07, 23:30
Arrrrrgggggggggggggggggggggggggg

mnyyoungs
2011-11-07, 23:40
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-07 12:52:45
-----------------------------
12:52:45.323 OS Version: Windows 6.0.6002 Service Pack 2
12:52:45.323 Number of processors: 2 586 0xF0D
12:52:45.339 ComputerName: FAMILY-PC UserName: Family
12:52:55.245 Initialize success
12:57:58.046 AVAST engine defs: 11110700
12:58:26.235 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
12:58:26.235 Disk 0 Vendor: FUJITSU_ 0085 Size: 114473MB BusType: 3
12:58:26.266 Disk 0 MBR read successfully
12:58:26.266 Disk 0 MBR scan
12:58:26.360 Disk 0 Windows VISTA default MBR code
12:58:26.360 Disk 0 scanning sectors +234438656
12:58:26.547 Disk 0 scanning C:\Windows\system32\drivers
12:58:59.167 Service scanning
12:59:00.056 Service .kbdclass \* **LOCKED** 123
12:59:01.429 Modules scanning
12:59:33.908 Disk 0 trace - called modules:
12:59:33.939 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
12:59:33.955 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84c6f540]
12:59:33.955 3 CLASSPNP.SYS[87fa98b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84c4d030]
12:59:35.546 AVAST engine scan C:\Windows
12:59:47.293 AVAST engine scan C:\Windows\system32
13:07:11.347 AVAST engine scan C:\Windows\system32\drivers
13:07:38.460 AVAST engine scan C:\Users\Family
13:17:08.640 AVAST engine scan C:\ProgramData
13:20:05.746 Scan finished successfully
13:26:46.973 Disk 0 MBR has been saved successfully to "C:\Users\Family\Desktop\MBR.dat"
13:26:46.988 The log file has been saved successfully to "C:\Users\Family\Desktop\aswMBR.txt"

mnyyoungs
2011-11-07, 23:44
ok...now my desktop is acting uber funny...I was using a USB key to try to get the log onto my desktop. However, everything from the USB key kept disappearing.....grrrrr....could this thing REALLY have affected the USB key and NOW my other computer? I still cannot use a keyboard on the affected computer and it will NOT let me even use an external keyboard. The external mouse is still working though. I was going to do the back up on the key...now I'm kinda worried about it! :-s

jeffce
2011-11-08, 04:04
Hi mnyyoungs,

Yes I believe unfortunately it would be a very good idea to back up anything you might like to save. I am still looking over this infection, but like I mentioned this is one of the worst out there. I will be back as quickly as I can.

mnyyoungs
2011-11-08, 04:37
no problem! thank you!

jeffce
2011-11-08, 17:03
Hi mnyyoungs,

Please delete all copies of ComboFix that are on your system using right-click > delete.
----------

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)
----------

Once ComboFix is downloaded and run, post the newly created log into your next reply.

mnyyoungs
2011-11-09, 00:05
Oooooooohhhhhh if I ever got the chance to run into the little b-tard(s) that wrote this thing....I would wrap them in bacon and dip them into a Great Lake....Lake Superior, the most scary and let the STURGEON nibble at them....ok....I've vented....whatever they've done has renamed combo fix....so I'm going though ALL the files on C to determine that I've got it deleted.....actually....deer rud, might be a better option...left in Northern Ontario in the spring....heck...the deer wouldn't even have a chance before the mosquitoes and black flies, got them...lol....sorry...I digressed....

jeffce
2011-11-09, 00:56
LOL!! Now that was funny!! Yeah this infection is a monster.

There should have only been ComboFix possibly on the Desktop and renamed as C:\Windows\svchost.exe (It will show the same icon as ComboFix normally...). When you get ComboFix run again post the new log into your next reply.

mnyyoungs
2011-11-09, 02:07
ok..here is the COMBOFIX log...finally...it was not run with ANY of the scripts you've written previously. Please note and advise...although I'd disabled AVG, it popped up part-way through the COMBOFIX scan. Would you like it re-run or should it be run with any of the scripts????

ComboFix 11-11-08.02 - Family 08/11/2011 19:32:36.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1084 [GMT -5:00]
Running from: F:\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-09 to 2011-11-09 )))))))))))))))))))))))))))))))
.
.
2011-11-09 00:54 . 2011-11-09 00:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-31 18:18 . 2011-11-09 00:56 -------- d-----w- c:\users\Family\AppData\Local\temp
2011-10-31 18:18 . 2011-10-31 18:18 1529728 ----a-w- c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2011-10-31 18:13 . 2011-10-31 18:13 145184 ----a-w- c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
2011-10-30 14:38 . 2011-10-30 14:38 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-28 08:13 . 2011-10-18 06:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D208FC11-8E7A-4DE4-917E-F39D40F22D8F}\mpengine.dll
2011-10-25 22:48 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-24 17:56 . 2011-10-24 17:56 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-10-12 15:35 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-12 15:35 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-12 15:35 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-12 15:35 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-30 14:43 . 2009-07-26 02:26 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-25 23:46 . 2008-07-19 16:29 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-13 10:30 . 2011-09-13 10:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-08-31 21:00 . 2008-05-06 03:54 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-24 11:57 . 2011-08-24 11:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-10 00:46 . 2011-09-10 00:46 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2011-04-14 18:01 . 2010-10-25 17:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SacReminderHDDV2N"="c:\programdata\Clickfree\C2NPlus\reminder\SacReminder.exe" [2011-01-20 870224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-22 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-26 129560]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"DLBXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-09-10 30192]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-09-23 2404704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-10-13 984408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableStartupSound"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-24 09:27 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2008-12-20 04:48 342848 ----a-w- c:\users\Family\Program Files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-08-31 21:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-04-16 22:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-22 12:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 CFUACProxy_c2nplus;CFUACProxy_c2nplus;c:\programdata\Clickfree\C2NPlus\UACProxy.exe [2011-10-31 87368]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [x]
R2 gupdate1c9834ebde52a90;Google Update Service (gupdate1c9834ebde52a90);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programdata\Clickfree\C2NPlus\Reminder\SacNetAgent.exe [2011-10-25 157296]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-07-26 1025352]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2011-09-10 30192]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2008-07-09 47360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-07-11 229840]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-06-28 101720]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [2011-09-12 5265248]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2011-10-31 192776]
S2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [2011-10-31 246600]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134736]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-07-11 16720]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-10-31 18:10]
.
2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{1A27E350-4EB9-4A64-8D25-115B91043FBF}.job
- c:\windows\system32\msfeedssync.exe [2011-10-12 21:29]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.2.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
FF - ProfilePath - c:\users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\85q3ua9k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e2b35e5&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=ca&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Canadian English Dictionary: en-CA@dictionaries.addons.mozilla.org - %profile%\extensions\en-CA@dictionaries.addons.mozilla.org
FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Security Toolbar em:version=7.008.031.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\AVG\AVG10\Toolbar\Firefox\avg@igeared
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG2012\Firefox4
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{9565115d-c7d6-46d3-bd63-b67b481a4368} - (no file)
AddRemove-Powerful Employment Policies - c:\powerful employment policies\Uninst.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-08 19:56
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(428)
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
.
Completion time: 2011-11-08 20:02:01
ComboFix-quarantined-files.txt 2011-11-09 01:01
.
Pre-Run: 55,374,176,256 bytes free
Post-Run: 55,262,498,816 bytes free
.
- - End Of File - - B88686C2CD4BF1E9101B67A2A90D4823

jeffce
2011-11-09, 03:43
Hi mnyyoungs,


> ok..here is the COMBOFIX log...finally...it was not run with ANY of the scripts you've written previously. Please note and advise...although I'd disabled AVG, it popped up part-way through the COMBOFIX scan. Would you like it re-run or should it be run with any of the scripts????

No no...you ran it just right. :) Thank you.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Right-click SystemLook.exe and select Run as Administrator to run it.
Copy the content of the following codebox into the main textfield:


:reg
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass /s

:filefind
*kbdclass.sys


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

mnyyoungs
2011-11-09, 13:35
All done!!!

SystemLook 30.07.11 by jpshortstuff
Log created at 07:27 on 09/11/2011 by Family
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000003 (3)
"ImagePath"="\*"


========== filefind ==========

Searching for "*kbdclass.sys"
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_93b1c41f\kbdclass.sys --a---- 32872 bytes [10:25 02/11/2006] [09:49 02/11/2006] 1A48765F92BA1A88445FC25C9C9D94FC
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_a81145df\kbdclass.sys --a---- 35384 bytes [08:13 29/02/2008] [08:13 29/02/2008] B076B2AB806B3F696DAB21375389101C
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_da7e599e\kbdclass.sys --a---- 35384 bytes [02:27 01/10/2008] [07:41 19/01/2008] 37605E0A8CF00CBBA538E753E4344C6E
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_f55d5e51\kbdclass.sys --a---- 35384 bytes [02:27 01/10/2008] [07:41 19/01/2008] 37605E0A8CF00CBBA538E753E4344C6E
C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.16609_none_957131ccdbca3f9c\kbdclass.sys --a---- 35384 bytes [08:13 29/02/2008] [08:13 29/02/2008] B076B2AB806B3F696DAB21375389101C
C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.20734_none_95d55d61f504b486\kbdclass.sys --a---- 35384 bytes [08:13 29/02/2008] [08:13 29/02/2008] C9B0CF786D5F151A43C7BE8E243F2819
C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6001.18000_none_974e6dd8d8f8ec7e\kbdclass.sys --a---- 35384 bytes [02:27 01/10/2008] [07:41 19/01/2008] 37605E0A8CF00CBBA538E753E4344C6E
C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6002.18005_none_9939e6e4d61ab7ca\kbdclass.sys --a---- 35384 bytes [02:27 01/10/2008] [07:41 19/01/2008] 37605E0A8CF00CBBA538E753E4344C6E

-= EOF =-
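
The .kbdclass entry in the SystemLook output above (Type 1, Start 3, ImagePath "\*") is the kind of service record that gets checked by hand: an oddly named kernel-driver service whose image path is not a file. As an added example that is not part of this thread or of SystemLook, the Python below parses SystemLook's :reg and :filefind sections and applies those checks to every service key in the output. It assumes the system root is C:\Windows, and its input is a constructed sample in SystemLook's format; the clean kbdclass key and the drivers\kbdclass.sys hit in that sample are made up for comparison (the thread queried only .kbdclass).

```python
"""Triage of SystemLook ':reg' and ':filefind' output for a driver service.

Added example for this thread; not part of SystemLook or of the original
posts. It parses the two sections SystemLook prints (line formats taken from
the log above) and applies the checks a responder makes by hand on a Services
key: the name should be a plain identifier (a leading '.' is not how Windows
names drivers, and it sorts the key above the real one), ImagePath should
resolve to a .sys or .exe under the system root, and a Type 1 (kernel driver)
entry whose image is not among the files found on disk cannot be loading
anything. Assumptions: the system root is C:\\Windows, and SAMPLE is a
constructed input (the clean 'kbdclass' key and the drivers\\kbdclass.sys hit
in it are made up for comparison; the thread queried only '.kbdclass').
"""
import re

SYSTEM_ROOT = "c:\\windows"  # assumption: default install location

# Line shapes SystemLook prints, copied from the log format in the thread.
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
DWORD_RE = re.compile(r"^0x[0-9A-Fa-f]+\s*\((\d+)\)$")
FILE_RE = re.compile(
    r"^(?P<path>.+?)\s+[-a-z]{7}\s+(?P<size>\d+) bytes "
    r"\[[^\]]+\] \[[^\]]+\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed sample in SystemLook's format (not the thread's real log).
SAMPLE = r"""
========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000003 (3)
"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbdclass]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000001 (1)
"ImagePath"="system32\DRIVERS\kbdclass.sys"

========== filefind ==========

Searching for "*kbdclass.sys"
C:\Windows\System32\drivers\kbdclass.sys --a---- 35384 bytes [02:27 01/10/2008] [07:41 19/01/2008] 37605E0A8CF00CBBA538E753E4344C6E
C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6002.18005_none_9939e6e4d61ab7ca\kbdclass.sys --a---- 35384 bytes [02:27 01/10/2008] [07:41 19/01/2008] 37605E0A8CF00CBBA538E753E4344C6E
"""


def parse_systemlook(text):
    """Return ({registry key: {value name: value}}, {lower-cased file path: MD5})."""
    services, files, section, current = {}, {}, None, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("==========") and line.endswith("=========="):
            section, current = line.strip("= ").lower(), None
        elif section == "reg":
            if (m := KEY_RE.match(line)):
                current = services.setdefault(m.group(1), {})
            elif (m := VALUE_RE.match(line)) and current is not None:
                name, raw = m.groups()
                dword = DWORD_RE.match(raw)   # DWORDs print as 0x... (decimal)
                current[name] = int(dword.group(1)) if dword else raw.strip('"')
        elif section == "filefind":
            if (m := FILE_RE.match(line)):
                files[m.group("path").lower()] = m.group("md5").upper()
    return services, files


def resolve_image_path(image):
    """Turn an ImagePath value (NT prefix, SystemRoot prefix or relative) into a lower-case drive path."""
    p = image.strip().strip('"')
    if p.lower().startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\systemroot"):]
    if not re.match(r"^[A-Za-z]:\\", p):          # relative paths are taken from the system root
        p = SYSTEM_ROOT + "\\" + p.lstrip("\\")
    return p.lower()


def audit_services(services, files):
    """Return (service name, reason) pairs for every entry that fails a check."""
    findings = []
    for key, values in services.items():
        name = key.rsplit("\\", 1)[-1]
        image = str(values.get("ImagePath", ""))
        if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
            findings.append((name, "service name is not a plain identifier"))
        resolved = resolve_image_path(image) if image else ""
        if not re.search(r"\.(sys|exe)$", resolved):
            findings.append((name, "ImagePath is not a driver or executable path: %r" % image))
        elif values.get("Type") == 1 and resolved not in files:
            findings.append((name, "kernel driver image not found on disk: " + resolved))
    return findings


if __name__ == "__main__":
    svc, found = parse_systemlook(SAMPLE)
    for service, reason in audit_services(svc, found):
        print(f"{service}: {reason}")
```

To use it on a real case, replace SAMPLE with the contents of the saved SystemLook.txt; the :filefind section only needs to cover the driver names the :reg section refers to, which is what the two-part SystemLook script above already produces.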

jeffce
2011-11-09, 16:36
Hi mnyyoungs,


Please download Junction.zip (http://download.sysinternals.com/Files/Junction.zip) and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive so that it appears as C:\junction.exe

Next,
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.




@ECHO OFF
REM Work from the root of C: so the junction.exe placed at C:\junction.exe is found
cd c:\
REM -s recurses into subdirectories; the listing is written to C:\log.txt
junction -s c:\>log.txt
REM Open the listing in the default .txt viewer
start log.txt
REM The batch file removes itself once it has run
del %0


Save it to your desktop as File name: junc.bat
Save as type: All Files


Next,
Double click junc.bat to run it. (accept any alerts) A log will be presented. Copy and paste or attach the content of the log in your next reply.

mnyyoungs
2011-11-09, 19:36
http://download.cnet.com/WinRAR-32-bit/3000-2250_4-10007677.html

mnyyoungs
2011-11-09, 19:50
ok..sorry I had to use the forum to post a link for an extraction program. I'm not sure how to delete it. Remember I have no keyboard on the infected computer. OK, I got the same message with the newly downloaded unzip program....wasn't there a time when WinZip was part of Windows? lol.

drum roll, please....here is the error message when trying to unzip:

c:\Users\Family\Desktop\Junction.zip: Cannot create junction.exe
Access is denied

nothing further...going to see if I can get a copy of Winzip...and try it...in the event it's a program issue and not a Trojan issue.

thank you!
heather

mnyyoungs
2011-11-09, 19:54
http://download.cnet.com/WinZip/3000-2250_4-10003164.html

mnyyoungs
2011-11-09, 20:20
Ok..sorry again about having to use this site to paste links for the zip downloads...got WinZip to extract it...followed your directions...get a black box pop up stating:

C:\Windows\system32\cmd.exe
Access is denied

then a pop up window (blue/gray-windows coloured)

log.txt
Windows cannot find 'log.txt'. Make sure you typed the name correctly, and then try again.

Junction is definitely in C:

jeffce
2011-11-09, 21:46
Hi mnyyoungs,

Grrrrrr...this crazy infection LOL!!!

Try this instead...


Please download Junction.zip (http://download.sysinternals.com/Files/Junction.zip) and save it to your desktop.
Unzip it and put junction.exe in the Windows directory (C:\Windows) so you have C:\Windows\Junction.exe
Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window will open and the system will be scanned.
Wait until a log file opens.
Copy and paste log in your next reply

mnyyoungs
2011-11-09, 22:44
ok..finally got Junction put into c:\windows....pasted the command into Run and ran it....it flashed before my eyes...then nadda...hmmmm....would you like me to try it in safe mode?????

jeffce
2011-11-10, 00:01
Hi,
Hopefully this should work. I ran it on my own system. :)

Please download Junction.zip (http://download.sysinternals.com/Files/Junction.zip) and save it to your desktop.
Right-click Junction.zip and select Extract All. Once extracted, cut/paste junction.exe to your C:\ drive so that it appears as C:\junction.exe

Next,
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.


@ECHO OFF
REM Work from the root of C: so the junction.exe placed at C:\junction.exe is found
cd c:\
REM -s recurses into subdirectories; the listing is written to C:\log.txt
junction -s c:\>log.txt
REM Open the listing in the default .txt viewer
start log.txt
REM The batch file removes itself once it has run
del %0
Save it to your desktop as File name: junc.bat
Save as type: All Files

Next,
Right-click junc.bat and select Run as Administrator to run it (accept any alerts). A log will be presented or created in C:\log.txt. Copy and paste or attach the content of the log in your next reply.
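
An added example, not part of this thread or of the Junction tool: a Python script that reads the text "junction -s c:\" writes to log.txt, maps each printed link back to the physical reparse point it belongs to, and flags links whose target is their own ancestor or lies outside the places Vista's own compatibility links point at. On Vista the All Users / Application Data compatibility links form a loop, so a recursive listing repeats the same handful of targets under ever longer paths; resolving each link's parent through the links already listed collapses those repeats. The listing below is constructed in Junction's output format (the final Temp\updates entry is made up to show a flagged case), the expected-target list is an assumption, and the script runs offline from a saved log rather than on the infected machine.

```python
"""Fold a 'junction -s' listing down to its physical reparse points and flag the odd ones.

Added example; not part of this thread or of Sysinternals Junction. Vista's
compatibility links (Documents and Settings -> Users, All Users -> ProgramData,
ProgramData\\Application Data -> ProgramData, ...) contain a cycle, so a
recursive listing prints the same targets under ever longer paths. Resolving
each link's parent through the links already listed maps every repeat onto the
same real location; one row is kept per location and flagged when the target
is the link's own ancestor (the source of the repetition) or lies outside the
directories the OS's own links point at. SAMPLE_LISTING is constructed (the
final Temp\\updates entry is made up) and EXPECTED_TARGETS is an assumption.
"""
import re

# A stray leading '.' before \\?\ shows up in pasted logs; tolerate it.
ENTRY_RE = re.compile(r"^\.?\\\\\?\\(?P<link>.+?): (?P<kind>JUNCTION|SYMBOLIC LINK)$")
TARGET_RE = re.compile(r"^\s*Substitute Name:\s*(?P<target>.+?)\s*$")
EXPECTED_TARGETS = ("c:\\users", "c:\\programdata")  # assumption: where Vista's own links go

# Constructed input in Junction's format; the last entry is a made-up anomaly.
SAMPLE_LISTING = r"""
Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
\\?\c:\\Documents and Settings\All Users: SYMBOLIC LINK
Substitute Name: \??\C:\ProgramData
\\?\c:\\Documents and Settings\All Users\Application Data: JUNCTION
Substitute Name: C:\ProgramData
\\?\c:\\Documents and Settings\All Users\Desktop: JUNCTION
Substitute Name: C:\Users\Public\Desktop
\\?\c:\\Documents and Settings\All Users\Application Data\Application Data: JUNCTION
Substitute Name: C:\ProgramData
\\?\c:\\Documents and Settings\All Users\Application Data\Desktop: JUNCTION
Substitute Name: C:\Users\Public\Desktop
\\?\c:\\Users\Family\AppData\Local\Temp\updates: JUNCTION
Substitute Name: C:\Windows\System32
"""


def normalize(path):
    """Strip the NT prefixes Junction prints, collapse the doubled backslash after the drive, lower-case."""
    p = path.strip()
    for prefix in ("\\\\?\\", "\\??\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    p = re.sub(r"^([A-Za-z]:)\\+", r"\1\\", p)
    return p.rstrip("\\").lower()


def parse_junction_listing(text):
    """Return [(link, kind, target)] with both paths normalized."""
    entries, link, kind = [], None, None
    for line in text.splitlines():
        if (m := ENTRY_RE.match(line)):
            link, kind = normalize(m.group("link")), m.group("kind")
        elif (m := TARGET_RE.match(line)) and link is not None:
            entries.append((link, kind, normalize(m.group("target"))))
            link = kind = None
    return entries


def resolve(path, links, max_hops=64):
    """Follow every reparse point sitting on `path`, longest match first; bounded so a cycle cannot hang."""
    for _ in range(max_hops):
        hit = next((l for l in sorted(links, key=len, reverse=True)
                    if path == l or path.startswith(l + "\\")), None)
        if hit is None:
            break
        path = links[hit] + path[len(hit):]
    return path


def audit(entries):
    """Annotate each printed entry with where it really sits and the two flags."""
    links = {link: target for link, _, target in entries}
    rows = []
    for link, kind, target in entries:
        parent, _, name = link.rpartition("\\")
        real_link = resolve(parent, links) + "\\" + name
        rows.append({
            "kind": kind, "link": link, "real_link": real_link, "target": target,
            # target is the link itself or one of its ancestors: walking in recurses forever
            "cycle": real_link == target or real_link.startswith(target + "\\"),
            # target outside the places the OS's own compatibility links point at
            "unexpected_target": not target.startswith(EXPECTED_TARGETS),
        })
    return rows


def distinct_reparse_points(rows):
    """One row per physical (real_link, target) pair; the listing's repeats fold into these."""
    seen = {}
    for row in rows:
        seen.setdefault((row["real_link"], row["target"]), row)
    return list(seen.values())


if __name__ == "__main__":
    for r in distinct_reparse_points(audit(parse_junction_listing(SAMPLE_LISTING))):
        flags = [f for f, on in (("CYCLE", r["cycle"]), ("UNEXPECTED-TARGET", r["unexpected_target"])) if on]
        print(f'{r["kind"]:13} {r["real_link"]} -> {r["target"]} {" ".join(flags)}')
```

Against the constructed listing the seven printed entries fold into five physical reparse points: the ProgramData\Application Data junction is reported once with the CYCLE flag, and only the made-up Temp\updates junction is marked UNEXPECTED-TARGET. To use it on a real case, replace SAMPLE_LISTING with the contents of C:\log.txt and extend EXPECTED_TARGETS if the machine has legitimate links elsewhere (for example a relocated profile directory).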

mnyyoungs
2011-11-10, 00:50
Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


\\?\c:\\Documents and Settings\All Users: SYMBOLIC LINK
Print Name : C:\ProgramData
Substitute Name: \??\C:\ProgramData

\\?\c:\\Documents and Settings\Default User: JUNCTION
Print Name : C:\Users\Default
Substitute Name: C:\Users\Default

\\?\c:\\Documents and Settings\All Users\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Application Data\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu: JUNCTION

mnyyoungs
2011-11-10, 00:52
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites
.

jeffce
2011-11-11, 01:23
Hi,

Let's use SystemLook again. :)


Right-click SystemLook.exe and select Run as Administrator to run it.
Copy the content of the following codebox into the main textfield:


:regfind
*kbdclass*


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

mnyyoungs
2011-11-11, 02:24
Your request is my command.

SystemLook 30.07.11 by jpshortstuff
Log created at 20:20 on 10/11/2011 by Family
Administrator - Elevation successful

========== regfind ==========

Searching for "*kbdclass*"
No data found.

-= EOF =-

jeffce
2011-11-11, 02:40
Let's look at another....


Right-click SystemLook.exe and select Run as Administrator to run it.
Copy the content of the following codebox into the main textfield:


:regfind
*.kbdclass*


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

mnyyoungs
2011-11-11, 03:17
SystemLook 30.07.11 by jpshortstuff
Log created at 21:11 on 10/11/2011 by Family
Administrator - Elevation successful

========== regfind ==========

Searching for "*.kbdclass*"
No data found.

-= EOF =-

jeffce
2011-11-11, 13:48
Hi mnyyoungs,

Please download MiniRegTool.zip (http://download.bleepingcomputer.com/farbar/MiniRegTool.zip) and unzip it.

Please click on List Locked Keys and Query Keys. Now copy/paste the following into the search box
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\kbdclass]
Press Go

Let the program run completely and then post the log that is created into your next reply.

mnyyoungs
2011-11-11, 15:28
These are that scan's results...

MiniRegTool by Farbar
Ran by Family (administrator) on 2011-11-11 at 09:09:58

===============================================

Locked Keys:
============

jeffce
2011-11-12, 17:49
Hi mnyyoungs,

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable your on-board anti-virus and anti-spyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.


As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.

Do not use this instance of your browser for anything besides doing this scan
When the scan is complete and the results saved, close that instance of your browser
Open a new one the usual way and post the results in this topic.



Right-click and Run as Administrator on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the ESET Online Scanner button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on ESET Smart Installer to download the ESET Smart Installer. Save it to your desktop.
Double click on the ESET Smart Installer icon on your desktop.

Check the box to accept the Terms of Use.
Click the Start button.
Accept any security warnings from your browser.
Check Scan archives.
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push List of found threats.
Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the Back button.
Push Finish

http://www.eset.com/onlinescan/
----------

Once you get that completed please re-run aswMBR.exe
----------

In your next reply please post the logs created by ESET online scan and aswMBR.exe.

mnyyoungs
2011-11-12, 22:16
Here is the First Scan...

C:\Config.Msi\89120.rbf a variant of Win32/Adware.ErrorRepair application
C:\Documents and Settings\Family\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\110830165148805.rsc Win32/Spy.Zbot.ZR trojan
C:\Documents and Settings\Family\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.HFXSRJX application
C:\Program Files\AVG\AVG2012\avgrsx.exe Win32/Patched.HN trojan
C:\Program Files\Google\Chrome\Application\15.0.874.106\Installer\setup.exe Win32/Patched.HN trojan
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe Win32/Patched.HN trojan
C:\TDSSKiller_Quarantine\30.10.2011_10.36.17\pmax0000\svc0000\tsk0000.dta Win32/Sirefef.CT trojan
C:\Users\Family\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\110830165148805.rsc Win32/Spy.Zbot.ZR trojan
C:\Users\Family\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.HFXSRJX application
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys a variant of Win32/Rootkit.Kryptik.DM trojan

mnyyoungs
2011-11-12, 22:18
and now the second...

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-12 16:14:18
-----------------------------
16:14:18.126 OS Version: Windows 6.0.6002 Service Pack 2
16:14:18.126 Number of processors: 2 586 0xF0D
16:14:18.127 ComputerName: FAMILY-PC UserName: Family
16:14:27.063 Initialize success
16:14:52.423 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
16:14:52.426 Disk 0 Vendor: FUJITSU_ 0085 Size: 114473MB BusType: 3
16:14:52.493 Disk 0 MBR read successfully
16:14:52.496 Disk 0 MBR scan
16:14:52.500 Disk 0 Windows VISTA default MBR code
16:14:52.512 Disk 0 scanning sectors +234438656
16:14:52.635 Disk 0 scanning C:\Windows\system32\drivers
16:15:04.205 Service scanning
16:15:04.763 Service .kbdclass \* **LOCKED** 123
16:15:05.833 Modules scanning
16:15:18.276 Disk 0 trace - called modules:
16:15:18.305 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
16:15:18.308 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85564758]
16:15:18.312 3 CLASSPNP.SYS[87fa68b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84c14030]
16:15:18.316 Scan finished successfully
16:17:24.794 Disk 0 MBR has been saved successfully to "C:\Users\Family\Desktop\MBR.dat"
16:17:24.799 The log file has been saved successfully to "C:\Users\Family\Desktop\aswMBRR.txt"

jeffce
2011-11-13, 04:13
Let's try SystemLook.exe again.


Right-click SystemLook.exe and select Run as Administrator to run it.
Copy the content of the following codebox into the main textfield:


:Reg
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Kbdclass
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.Kbdclass
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Kbdclass
HKEY_LOCAL_MACHINE\SYSTEM\Select


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

mnyyoungs
2011-11-13, 06:02
SystemLook 30.07.11 by jpshortstuff
Log created at 00:00 on 13/11/2011 by Family
Administrator - Elevation successful

========== Reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Kbdclass]
(Unable to open key - key not found)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.Kbdclass]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000003 (3)
"ImagePath"="\*"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass]
(Unable to open key - key not found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Kbdclass]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000003 (3)
"ImagePath"="\*"


[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"= 0x0000000001 (1)
"Default"= 0x0000000001 (1)
"Failed"= 0x0000000000 (0)
"LastKnownGood"= 0x0000000002 (2)


-= EOF =-
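
The report above shows what the helper was checking for: under ControlSet001 (which Select\Current = 1 marks as the CurrentControlSet) the expected Kbdclass driver-service key is missing, while a ".Kbdclass" lookalike exists with ImagePath "\*". The Python below is an added example, not part of the thread or of SystemLook; it parses a report in that format and flags those two conditions, using a constructed healthy report for contrast (the kbdclass.sys ImagePath in it is an assumed value).

```python
import re

# Sample input: the ':Reg' report posted in the thread above (CurrentControlSet
# entries omitted, since Select\Current = 1 makes them an alias of ControlSet001).
INFECTED_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Kbdclass]
(Unable to open key - key not found)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.Kbdclass]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000003 (3)
"ImagePath"="\*"

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"= 0x0000000001 (1)
"Default"= 0x0000000001 (1)
"Failed"= 0x0000000000 (0)
"LastKnownGood"= 0x0000000002 (2)
"""

# Constructed report of the same keys on a healthy machine (assumed values).
CLEAN_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Kbdclass]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000003 (3)
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.Kbdclass]
(Unable to open key - key not found)
"""

SYSTEM = r"HKEY_LOCAL_MACHINE\SYSTEM"
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
MISSING_TEXT = "(Unable to open key - key not found)"
NOT_QUERIED = object()  # sentinel: the key never appeared in the report

def parse_reg_report(text):
    """Map each queried key path to {value_name: raw_text}, or to None when
    SystemLook reported the key as not found."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
        elif current is not None and line == MISSING_TEXT:
            keys[current] = None
        elif current is not None and keys[current] is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def dword(raw):
    """'0x0000000003 (3)' -> 3; None when the value is absent or not a DWORD."""
    m = re.match(r"0x([0-9A-Fa-f]+)", raw or "")
    return int(m.group(1), 16) if m else None

def string(raw):
    """Strip the quotes SystemLook puts around REG_SZ data."""
    return (raw or "").strip().strip('"')

def current_control_set(keys):
    """Resolve CurrentControlSet from HKLM\\SYSTEM\\Select\\Current."""
    sel = keys.get(SYSTEM + r"\Select")
    n = dword(sel.get("Current")) if sel else None
    return None if n is None else "ControlSet%03d" % n

def control_sets(keys):
    """Control-set names under which Services keys were queried."""
    pat = re.compile(re.escape(SYSTEM) + r"\\(ControlSet\d{3}|CurrentControlSet)\\Services\\")
    return sorted({m.group(1) for m in map(pat.match, keys) if m})

def audit_driver_service(keys, service):
    """Findings for a kernel-driver service that must exist (e.g. Kbdclass):
    the real key missing, or a dotted lookalike whose ImagePath is no driver."""
    findings, resolved = [], current_control_set(keys)
    for cs in control_sets(keys):
        label = "%s (=%s)" % (cs, resolved) if cs == "CurrentControlSet" and resolved else cs
        real = keys.get(r"%s\%s\Services\%s" % (SYSTEM, cs, service), NOT_QUERIED)
        fake = keys.get(r"%s\%s\Services\.%s" % (SYSTEM, cs, service), NOT_QUERIED)
        if real is None:
            findings.append("%s: %s service key missing (the keyboard class driver "
                            "is expected on every install)" % (label, service))
        if isinstance(fake, dict):
            image = string(fake.get("ImagePath"))
            why = "not a .sys path" if not image.lower().endswith(".sys") else "a driver file"
            findings.append("%s: lookalike .%s present, Type=%s Start=%s, ImagePath %r is %s"
                            % (label, service, dword(fake.get("Type")),
                               dword(fake.get("Start")), image, why))
    return findings

if __name__ == "__main__":
    for name, log in (("thread log", INFECTED_LOG), ("clean log", CLEAN_LOG)):
        print(name, audit_driver_service(parse_reg_report(log), "Kbdclass") or "no findings")
```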

jeffce
2011-11-14, 02:39
Hi mnyyoungs,

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to virustotal, please click VirusTotal (www.virustotal.com)

Copy and paste the following into the upload-a-file box (one at a time if more than one file is listed):

C:\Config.Msi\89120.rbf
C:\Documents and Settings\Family\Downloads\PageRageSetup.exe


Scroll down a bit and click "send file", wait for the results, and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------

mnyyoungs
2011-11-14, 03:58
C:\Config.Msi\89120.rbf -- ** Maximum size exceeded: you have tried to upload a file which is larger than 20MB**

mnyyoungs
2011-11-14, 04:05
File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:
MD5: b2770db7f4935c810f7dd5ccf69791a9
Date first seen: 2011-07-23 01:14:08 (UTC)
Date last seen: 2011-09-08 22:57:32 (UTC)
Detection ratio: 10/44


Antivirus Version Last Update Result
AhnLab-V3 2011.09.08.01 2011.09.08 -
AntiVir 7.11.14.152 2011.09.08 -
Antiy-AVL 2.0.3.7 2011.09.08 -
Avast 4.8.1351.0 2011.09.08 -
Avast5 5.0.677.0 2011.09.08 -
AVG 10.0.0.1190 2011.09.09 -
BitDefender 7.2 2011.09.09 -
ByteHero 1.0.0.1 2011.08.22 -
CAT-QuickHeal 11.00 2011.09.08 -
ClamAV 0.97.0.0 2011.09.09 -
Commtouch 5.3.2.6 2011.09.09 -
Comodo 10043 2011.09.08 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.09.09 -
Emsisoft 5.1.0.11 2011.09.08 Trojan.Agent3!IK
eSafe 7.0.17.0 2011.09.07 -
eTrust-Vet 36.1.8547 2011.09.08 -
F-Prot 4.6.2.117 2011.09.09 -
F-Secure 9.0.16440.0 2011.09.09 -
Fortinet 4.3.370.0 2011.09.08 -
GData 22 2011.09.08 -
Ikarus T3.1.1.107.0 2011.09.08 Trojan.Agent3
Jiangmin 13.0.900 2011.09.08 -
K7AntiVirus 9.112.5108 2011.09.08 Adware
Kaspersky 9.0.0.837 2011.09.08 -
McAfee 5.400.0.1158 2011.09.08 Artemis!B2770DB7F493
McAfee-GW-Edition 2010.1D 2011.09.08 Artemis!B2770DB7F493
Microsoft 1.7604 2011.09.08 -
NOD32 6448 2011.09.09 probably a variant of Win32/Adware.HFXSRJX
Norman 6.07.11 2011.09.08 W32/Agent.VBAZ.dropper
nProtect 2011-09-08.02 2011.09.08 -
Panda 10.0.3.5 2011.09.08 -
PCTools 8.0.0.5 2011.09.08 -
Prevx 3.0 2011.09.09 -
Rising 23.74.02.03 2011.09.07 -
Sophos 4.69.0 2011.09.09 -
SUPERAntiSpyware 4.40.0.1006 2011.09.09 -
Symantec 20111.2.0.82 2011.09.08 -
TheHacker 6.7.0.1.291 2011.09.08 -
TrendMicro 9.500.0.1008 2011.09.06 -
TrendMicro-HouseCall 9.500.0.1008 2011.09.09 -
VBA32 3.12.16.4 2011.09.08 Adware.Yontoo.a
VIPRE 10413 2011.09.08 Yontoo (v)
ViRobot 2011.9.8.4663 2011.09.08 -
VirusBuster 14.0.204.1 2011.09.08 -
Additional information
MD5 : b2770db7f4935c810f7dd5ccf69791a9
SHA1 : 7bdfe18dedeb58e79522e325ba58fef7c3993ec0
SHA256: fdb9b313700faac8370ff779c930c2977a3c8080bf743b3c8826992b731390dc
ssdeep: 12288:NI7Omj7TPjx9kfwgB6kYSoSeTSyrdrfM6hEOAccBornce61pOy5VmxuCk:GvTr0fzANSaQ2EuapOfLk
File size : 670976 bytes
First seen: 2011-07-23 01:14:08
Last seen : 2011-09-08 22:57:32
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: Yontoo LLC
copyright....: Copyright (c) 2011 Yontoo LLC. All rights reserved.
product......: Yontoo Layers Runtime
description..: Installer
original name: n/a
internal name: TSULoader
file version.: 2011.7.20.1540
comments.....: WinNT (x86) Unicode
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: -
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1627
timedatestamp....: 0x4C6DB95D (Thu Aug 19 23:08:13 2010)
machinetype......: 0x14C (Intel I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x1DB6, 0x1E00, 6.49, 7508f33e50f18a2454cd55b62913deee
.rdata, 0x3000, 0x90E, 0xA00, 4.3, d71c5473f843570f56b8eab5487551ac
.data, 0x4000, 0x8, 0x0, 0.0, d41d8cd98f00b204e9800998ecf8427e
.rsrc, 0x5000, 0x1F0C, 0x2000, 4.4, b1e195d753eb6b16e975204ea83b8a64
.reloc, 0x7000, 0x154, 0x200, 3.22, 44d995d95911f517ba48d8fef2897b8b

[[ 4 import(s) ]]
kernel32.dll: HeapAlloc, HeapFree, OutputDebugStringW, CloseHandle, GetExitCodeProcess, GetLastError, lstrlenW, lstrcpynW, UnmapViewOfFile, MultiByteToWideChar, MapViewOfFile, CreateFileMappingW, GetFileSize, CreateFileW, GetCommandLineW, ExitProcess, Sleep, DeleteFileW, SetFileAttributesW, GetFileAttributesW, lstrcatW, GetTempPathW, GetModuleHandleW, GetModuleFileNameW, GetSystemInfo, GetProcAddress, GetModuleHandleA, GetVersionExW, GetCurrentProcessId, GetProcessHeap, ReadFile, WriteFile, SetFileTime, SetFilePointer
shell32.dll: ShellExecuteExW
user32.dll: MessageBoxW, wvsprintfW, PeekMessageW, DispatchMessageW, TranslateMessage, MsgWaitForMultipleObjects, wsprintfW
version.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
Androguard:
-
ExifTool:
file metadata
FileSize: 655 kB
FileType: DOS EXE
MIMEType: application/octet-stream
Symantec reputation:Suspicious.Insight

VT Community

1

User:
Anonymous
Reputation:
1 credits
Comment date:
2011-08-07 18:17:30 (UTC)
THIS IS A REALLY BAD FILE, THESE PEEPS ARE NOTHING MORE THAN SCAMMERS TRYING TO HARM YOU!
Tags: Malware, yontoo, artemis, b2770db7f493

mnyyoungs
2011-11-14, 04:06
C:\Config.Msi\89120.rbf -- ** Maximum size exceeded: you have tried to upload a file which is larger than 20MB**

This file is 36 MB...please advise AND THANK YOU!!!!!

jeffce
2011-11-14, 05:27
Hi mnyyoungs,

Let's use MediaFire.

Please go here (http://www.mediafire.com/) and we can take a look at that file. :)

Click on the large grey folder > Press the small + symbol and browse to where you have that file saved > select Open > press Begin Upload > select Copy Link and then copy and paste that link into your next reply. I can get it from there. :)

Let me know if you have any problems with that.

mnyyoungs
2011-11-14, 05:45
http://www.mediafire.com/?tglj18v8585s5v5

jeffce
2011-11-14, 22:44
Hi mnyyoungs,



Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::
C:\Config.Msi\89120.rbf
C:\Documents and Settings\Family\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\110830165148805.rsc
C:\Documents and Settings\Family\Downloads\PageRageSetup.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\Google\Chrome\Application\15.0.874.106\Installer\setup.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\TDSSKiller_Quarantine\30.10.2011_10.36.17\pmax0000\svc0000\tsk0000.dta
C:\Users\Family\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\110830165148805.rsc
C:\Users\Family\Downloads\PageRageSetup.exe
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

mnyyoungs
2011-11-15, 00:14
I am running this set of instructions now. However, something is corrupt with the AVG. It is not allowing me to uninstall the program OR disable it...I'll post the results shortly.

mnyyoungs
2011-11-15, 00:53
Part 1

ComboFix 11-11-14.02 - Family 14/11/2011 18:17:18.8.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1033 [GMT -5:00]
Running from: C:\ComboFix.exe
Command switches used :: c:\users\Family\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\config.msi\89120.rbf"
"c:\documents and settings\Family\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\110830165148805.rsc"
"c:\documents and settings\Family\Downloads\PageRageSetup.exe"
"c:\program files\AVG\AVG2012\avgrsx.exe"
"c:\program files\Google\Chrome\Application\15.0.874.106\Installer\setup.exe"
"c:\program files\Google\Google Toolbar\GoogleToolbarUser_32.exe"
"c:\tdsskiller_quarantine\30.10.2011_10.36.17\pmax0000\svc0000\tsk0000.dta"
"c:\users\Family\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\110830165148805.rsc"
"c:\users\Family\Downloads\PageRageSetup.exe"
"c:\windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.1845"
.
.
((((((((((((((((((((((((( Files Created from 2011-10-14 to 2011-11-14 )))))))))))))))))))))))))))))))
.
.
2011-11-14 23:40 . 2011-11-14 23:41 -------- d-----w- c:\users\Family\AppData\Local\temp
2011-11-14 23:40 . 2011-11-14 23:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-12 17:56 . 2011-11-12 17:56 -------- d-----w- c:\program files\ESET
2011-11-09 19:05 . 2011-11-09 19:05 -------- d-----w- c:\users\Family\AppData\Local\WinZip
2011-11-09 19:03 . 2011-11-09 19:04 -------- d-----w- c:\programdata\WinZip
2011-10-31 18:18 . 2011-10-31 18:18 1529728 ----a-w- c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2011-10-31 18:13 . 2011-10-31 18:13 145184 ----a-w- c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
2011-10-30 14:38 . 2011-10-30 14:38 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-28 08:13 . 2011-10-18 06:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D208FC11-8E7A-4DE4-917E-F39D40F22D8F}\mpengine.dll
2011-10-25 22:48 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-24 17:56 . 2011-10-24 17:56 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-30 14:43 . 2009-07-26 02:26 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-25 23:46 . 2008-07-19 16:29 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-30 23:06 . 2011-10-12 15:36 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02 . 2011-10-12 15:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01 . 2011-10-12 15:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01 . 2011-10-12 15:36 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 23:01 . 2011-10-12 15:36 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 22:07 . 2011-10-12 15:36 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29 . 2011-10-12 15:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28 . 2011-10-12 15:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-13 10:30 . 2011-09-13 10:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:30 . 2011-10-12 15:36 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00 . 2008-05-06 03:54 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-25 16:15 . 2011-10-12 15:35 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-08-25 16:14 . 2011-10-12 15:35 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-08-25 16:14 . 2011-10-12 15:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-25 13:31 . 2011-10-12 15:35 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-08-24 11:57 . 2011-08-24 11:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-14 18:01 . 2010-10-25 17:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SacReminderHDDV2N"="c:\programdata\Clickfree\C2NPlus\reminder\SacReminder.exe" [2011-01-20 870224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-22 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-26 129560]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"DLBXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-10-13 984408]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-10-22 611144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableStartupSound"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-24 09:27 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2008-12-20 04:48 342848 ----a-w- c:\users\Family\Program Files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-08-31 21:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-04-16 22:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-22 12:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 CFUACProxy_c2nplus;CFUACProxy_c2nplus;c:\programdata\Clickfree\C2NPlus\UACProxy.exe [2011-10-31 87368]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [x]
R2 gupdate1c9834ebde52a90;Google Update Service (gupdate1c9834ebde52a90);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programdata\Clickfree\C2NPlus\Reminder\SacNetAgent.exe [2011-10-25 157296]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-07-26 1025352]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2008-07-09 47360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-07-11 229840]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-06-28 101720]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [2011-09-12 5265248]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2011-10-31 192776]
S2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [2011-10-31 246600]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134736]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-07-11 16720]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-10-31 18:10]
.
2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{1A27E350-4EB9-4A64-8D25-115B91043FBF}.job
- c:\windows\system32\msfeedssync.exe [2011-10-12 21:29]
.
.

mnyyoungs
2011-11-15, 00:53
Part 2

------- Supplementary Scan -------
.
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.2.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
FF - ProfilePath - c:\users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\85q3ua9k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e2b35e5&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=ca&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Canadian English Dictionary: en-CA@dictionaries.addons.mozilla.org - %profile%\extensions\en-CA@dictionaries.addons.mozilla.org
FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Security Toolbar em:version=7.008.031.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\AVG\AVG10\Toolbar\Firefox\avg@igeared
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG2012\Firefox4
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-14 18:41
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]
"ImagePath"="\*"
.
Completion time: 2011-11-14 18:46:42
ComboFix-quarantined-files.txt 2011-11-14 23:46
ComboFix2.txt 2011-11-09 01:02
.
Pre-Run: 54,251,012,096 bytes free
Post-Run: 54,177,079,296 bytes free
.
- - End Of File - - 6638062CFCC0A2CA4BAB1C28A42BAA51

jeffce
2011-11-16, 05:21
Hi mnyyoungs,

Please download and run ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry, but not all of it. ERUNT, however, creates a complete backup set, including the Security hive and user-related sections. ERUNT is easy to use and, since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember: if you are using Windows Vista as your operating system, right-click the executable and choose Run as Administrator.
----------

I would like you to take the following steps:
Click Start, then Run, type Notepad and click OK
Copy and Paste the contents of the Code box below into Notepad



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass]
"DisplayName"="Keyboard Class Driver"
"Group"="Keyboard Class"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6b,00,62,00,64,00,63,00,6c,00,61,\
00,73,00,73,00,2e,00,73,00,79,00,73,00,00,00
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"Type"=dword:00000001
"Tag"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters]
"ConnectMultiplePorts"=dword:00000000
"KeyboardDataQueueSize"=dword:00000064
"KeyboardDeviceBaseName"="KeyboardClass"
"MaximumPortsServiced"=dword:00000003
"SendOutputToAllPorts"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass\Enum]
"0"="Root\\RDP_KBD\\0000"
"Count"=dword:00000002
"NextInstance"=dword:00000002
"1"="ACPI\\PNP0303\\4&19f4fe01&0"


Save as regfix.reg to your Desktop
Make sure to save file type as All Files
Now right-click regfix.reg and select Merge
-----------


Right-click SystemLook.exe and select Run as Administrator to run it.
Copy the content of the following codebox into the main textfield:


:reg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
--------------------

Is your keyboard working again? :)

mnyyoungs
2011-11-16, 16:34
No, keyboard still not working...so I'm mousing it or cutting and pasting letters from the various Notepad files.

SystemLook 30.07.11 by jpshortstuff
Log created at 10:32 on 16/11/2011 by Family
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass]
"DisplayName"="Keyboard Class Driver"
"Group"="Keyboard Class"
"ImagePath"="system32\DRIVERS\kbdclass.sys"
"ErrorControl"= 0x0000000001 (1)
"Start"= 0x0000000001 (1)
"Type"= 0x0000000001 (1)
"Tag"= 0x0000000002 (2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass\Parameters]


-= EOF =-
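Before merging a registry fix like the one jeffce posted above, it is worth decoding it and confirming it says what you expect; the same decoder can re-check a key afterwards, the way SystemLook did for Kbdclass in the post just above. The Python below is an added example written for this thread, not code from jeffce, SystemLook or ComboFix. FIX_REG is the regfix.reg text from the post above; SUSPECT_REG is a constructed .reg rendering of the .kbdclass key that ComboFix reported earlier (ImagePath set to \*), included only to show what the audit flags. The hex(2) value decodes to the same system32\DRIVERS\kbdclass.sys path that SystemLook printed.

```python
"""Decode a Windows .reg file and sanity-check the Services\\<name> keys it touches
before merging it.  Added example for this thread, not code from the helper or from
any tool named here.  FIX_REG is the fix posted above; SUSPECT_REG is constructed."""
import re

FIX_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass]
"DisplayName"="Keyboard Class Driver"
"Group"="Keyboard Class"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6b,00,62,00,64,00,63,00,6c,00,61,\
  00,73,00,73,00,2e,00,73,00,79,00,73,00,00,00
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"Type"=dword:00000001
"Tag"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass\Enum]
"0"="Root\\RDP_KBD\\0000"
"Count"=dword:00000002
"NextInstance"=dword:00000002
"1"="ACPI\\PNP0303\\4&19f4fe01&0"
"""

# Constructed input: the stray key from the ComboFix log, written in .reg syntax.
SUSPECT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]
"ImagePath"="\\*"
"""

HEADER_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))\s*=\s*(.*)$')
SERVICE_KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
                         r"\\Services\\([^\\]+)$", re.I)

def _unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(["\\])', r"\1", s)

def _join_continuations(text):
    """Fold lines that end in a backslash (hex data continuation) into one line."""
    logical, buf = [], None
    for line in text.splitlines():
        piece = line.strip() if buf is not None else line.rstrip()
        if piece.endswith("\\"):
            buf = (buf or "") + piece[:-1]
            continue
        logical.append((buf or "") + piece)
        buf = None
    return logical + ([buf] if buf is not None else [])

def decode_value(data):
    """Return (registry_type, python_value) for the right-hand side of a value line."""
    data = data.strip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return "REG_SZ", _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", data, re.I)
    if m is None:                               # includes "-" (delete this value)
        return "RAW", data
    kind = int(m.group(1) or "3", 16)           # bare "hex:" is REG_BINARY (type 3)
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in (1, 2):                          # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE
        return ("REG_SZ" if kind == 1 else "REG_EXPAND_SZ"), raw.decode("utf-16-le").rstrip("\x00")
    if kind == 7:                               # REG_MULTI_SZ: NUL-separated, double-NUL end
        return "REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return "REG_BINARY", raw

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (type, value)}}."""
    keys, current = {}, None
    for line in _join_continuations(text):
        line = line.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current]["@" if m.group(2) else _unescape(m.group(1))] = decode_value(m.group(3))
    return keys

def audit_services(keys):
    """Flag Services\\<name> keys with a dot-prefixed name or an ImagePath that names
    no .sys/.exe file (the shape of the stray .kbdclass entry). Returns [(name, reason)]."""
    findings = []
    for path, values in keys.items():
        m = SERVICE_KEY.match(path)
        if not m:
            continue
        name = m.group(1)
        if name.startswith("."):
            findings.append((name, "service name starts with a dot"))
        if "ImagePath" in values:
            kind, image = values["ImagePath"]
            if kind not in ("REG_SZ", "REG_EXPAND_SZ") or not re.search(r"\.(sys|exe)\b", image, re.I):
                findings.append((name, "ImagePath %r names no .sys/.exe file" % (image,)))
    return findings
```

parse_reg handles REG_SZ, REG_DWORD, bare hex, hex(1)/hex(2)/hex(7) and the comma-backslash continuation lines regedit emits, so parse_reg(FIX_REG) yields the decoded ImagePath and audit_services on it returns an empty list, while the constructed .kbdclass key is flagged twice. The audit is a heuristic: a clean result says the key looks sane, not that the driver file on disk is the right one.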

jeffce
2011-11-17, 02:26
Hi mnyyoungs,



Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


FCopy::
C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_a81145df\kbdclass.sys | C:\Windows\System32\DRIVERS\kbdclass.sys


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

Try the keyboard now. Is it working? :)

mnyyoungs
2011-11-17, 03:43
Jeff, how are we coming on this process..just a check in...I am finding it facilitating....albeit frustrating, at times, too! lol Here is the ComboFix report from your last post....AND I have a working KEYBOARD! My computer thanks you and wants to know if you'll marry it!!!!! lol...

ComboFix 11-11-14.02 - Family 16/11/2011 21:11:51.9.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1136 [GMT -5:00]
Running from: C:\ComboFix.exe
Command switches used :: c:\users\Family\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\System32\DriverStore\FileRepository\keyboard.inf_a81145df\kbdclass.sys --> c:\windows\System32\DRIVERS\kbdclass.sys
.
((((((((((((((((((((((((( Files Created from 2011-10-17 to 2011-11-17 )))))))))))))))))))))))))))))))
.
.
2011-11-17 02:32 . 2011-11-17 02:33 -------- d-----w- c:\users\Family\AppData\Local\temp
2011-11-17 02:32 . 2011-11-17 02:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-17 02:11 . 2008-02-29 08:13 35384 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2011-11-17 02:06 . 2011-11-17 02:06 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D208FC11-8E7A-4DE4-917E-F39D40F22D8F}\offreg.dll
2011-11-16 15:27 . 2011-11-16 15:27 -------- d-----w- c:\program files\ERUNT
2011-11-16 15:22 . 2011-11-16 15:22 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-11-16 15:22 . 2011-11-16 15:22 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-11-16 15:22 . 2011-11-16 15:22 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-11-16 15:22 . 2011-11-16 15:22 8646 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-11-16 15:22 . 2011-11-16 15:22 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-11-16 15:22 . 2011-11-16 15:22 5927 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2011-11-16 15:22 . 2011-11-16 15:22 8613 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-11-16 15:22 . 2011-11-16 15:22 1651 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2011-11-16 15:22 . 2011-11-16 15:22 6910 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2011-11-16 15:22 . 2011-11-16 15:22 18541 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2011-11-16 15:22 . 2011-11-16 15:22 8288 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2011-11-16 15:22 . 2011-11-16 15:22 6208 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2011-11-16 15:21 . 2011-11-16 15:21 51852 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2011-11-16 15:21 . 2011-11-16 15:21 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-11-16 15:21 . 2011-11-16 15:21 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-11-16 15:21 . 2011-11-16 15:21 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-11-16 15:21 . 2011-11-16 15:21 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-11-12 17:56 . 2011-11-12 17:56 -------- d-----w- c:\program files\ESET
2011-11-09 19:05 . 2011-11-09 19:05 -------- d-----w- c:\users\Family\AppData\Local\WinZip
2011-11-09 19:03 . 2011-11-09 19:04 -------- d-----w- c:\programdata\WinZip
2011-10-31 18:18 . 2011-10-31 18:18 1529728 ----a-w- c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2011-10-31 18:13 . 2011-10-31 18:13 145184 ----a-w- c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
2011-10-30 14:38 . 2011-10-30 14:38 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-28 08:13 . 2011-10-18 06:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D208FC11-8E7A-4DE4-917E-F39D40F22D8F}\mpengine.dll
2011-10-25 22:48 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-24 17:56 . 2011-10-24 17:56 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-30 14:43 . 2009-07-26 02:26 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-25 23:46 . 2008-07-19 16:29 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-30 23:06 . 2011-10-12 15:36 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02 . 2011-10-12 15:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01 . 2011-10-12 15:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01 . 2011-10-12 15:36 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 23:01 . 2011-10-12 15:36 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 22:07 . 2011-10-12 15:36 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29 . 2011-10-12 15:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28 . 2011-10-12 15:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-06 13:30 . 2011-10-12 15:36 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00 . 2008-05-06 03:54 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-25 16:15 . 2011-10-12 15:35 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-08-25 16:14 . 2011-10-12 15:35 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-08-25 16:14 . 2011-10-12 15:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-25 13:31 . 2011-10-12 15:35 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-08-24 11:57 . 2011-08-24 11:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-14 18:01 . 2010-10-25 17:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SacReminderHDDV2N"="c:\programdata\Clickfree\C2NPlus\reminder\SacReminder.exe" [2011-01-20 870224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-22 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-26 129560]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"DLBXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNzYxOTIwNjE3LUZMMTArMS1ERFQrMjM4NDAtVFVHKzMtREQxMEYrMS1TVDEwRkFQUCsxLUYxME0xMkFOKzItRjEwTTEyQSsxLUYxME0xMkFCKzEtVTEw" [?]
.
c:\users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-10-13 984408]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-10-22 611144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableStartupSound"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-24 09:27 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2008-12-20 04:48 342848 ----a-w- c:\users\Family\Program Files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-08-31 21:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-04-16 22:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-22 12:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 CFUACProxy_c2nplus;CFUACProxy_c2nplus;c:\programdata\Clickfree\C2NPlus\UACProxy.exe [2011-10-31 87368]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [x]
R2 gupdate1c9834ebde52a90;Google Update Service (gupdate1c9834ebde52a90);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programdata\Clickfree\C2NPlus\Reminder\SacNetAgent.exe [2011-10-25 157296]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2008-07-09 47360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-06-28 101720]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]
S4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
S4 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S4 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [x]
S4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S4 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Avgldx86
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-10-31 18:10]
.
2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{1A27E350-4EB9-4A64-8D25-115B91043FBF}.job
- c:\windows\system32\msfeedssync.exe [2011-10-12 21:29]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\85q3ua9k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e2b35e5&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=ca&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Canadian English Dictionary: en-CA@dictionaries.addons.mozilla.org - %profile%\extensions\en-CA@dictionaries.addons.mozilla.org
FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-16 21:33
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]
"ImagePath"="\*"
.
Completion time: 2011-11-16 21:38:13
ComboFix-quarantined-files.txt 2011-11-17 02:38
ComboFix2.txt 2011-11-14 23:46
ComboFix3.txt 2011-11-09 01:02
.
Pre-Run: 54,547,578,880 bytes free
Post-Run: 53,052,522,496 bytes free
.
- - End Of File - - 1D30503FAD01C21A35046BBA7619DA4D

jeffce
2011-11-17, 13:57
Hi mnyyoungs,

LOL!! Glad that you have your keyboard back. This has really been a team effort. :)

Here is the AVG uninstall tool (http://download.avg.com/filedir/util/support/avg_remover_stf_x86_2011_1322.exe) to help with the removal of AVG. Usually AVG is bad about leaving behind bits and pieces of itself on a computer. After you have downloaded the tool please right-click and run the program.
---------------



Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


DDS::
Trusted Zone: internet
Trusted Zone: mcafee.com

ReglockDel::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

mnyyoungs
2011-11-19, 20:03
Have we solved the RootKit/virus problem? My apologies if you are busy and haven't gotten back to it. Have a great Saturday!

jeffce
2011-11-20, 00:53
Hi mnyyoungs,

No need to apologize. :) It seems like the main infection has been neutralized yes. Were you able to run ComboFix with the fix I previously gave instructions for? If so please post the log that was created. I hope you are having a great Saturday as well!!

mnyyoungs
2011-11-20, 12:51
Please advise, ComboFix states that there is a newer version and that it has expired. I've tried removing and downloading again, but get the same messages. Thank you!

jeffce
2011-11-20, 15:18
Hi mnyyoungs,

Go ahead and delete your copy of ComboFix using right-click > delete and then download a fresh copy from
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

If you still have problems please let me know. :)

mnyyoungs
2011-11-20, 16:27
here it is in 2 parts....

ComboFix 11-11-20.01 - Family 20/11/2011 9:50.10.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1214 [GMT -5:00]
Running from: c:\users\Family\Downloads\ComboFix.exe
Command switches used :: c:\users\Family\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_COMSysApp
.
.
((((((((((((((((((((((((( Files Created from 2011-10-20 to 2011-11-20 )))))))))))))))))))))))))))))))
.
.
2011-11-20 15:11 . 2011-11-20 15:15 -------- d-----w- c:\users\Family\AppData\Local\temp
2011-11-20 15:11 . 2011-11-20 15:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-17 02:11 . 2008-02-29 08:13 35384 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2011-11-16 15:27 . 2011-11-16 15:27 -------- d-----w- c:\program files\ERUNT
2011-11-12 17:56 . 2011-11-12 17:56 -------- d-----w- c:\program files\ESET
2011-11-09 19:05 . 2011-11-09 19:05 -------- d-----w- c:\users\Family\AppData\Local\WinZip
2011-11-09 19:03 . 2011-11-09 19:04 -------- d-----w- c:\programdata\WinZip
2011-10-31 18:18 . 2011-10-31 18:18 1529728 ----a-w- c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2011-10-31 18:13 . 2011-10-31 18:13 145184 ----a-w- c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
2011-10-30 14:38 . 2011-10-30 14:38 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-28 08:13 . 2011-10-18 06:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D208FC11-8E7A-4DE4-917E-F39D40F22D8F}\mpengine.dll
2011-10-25 22:48 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-24 17:56 . 2011-10-24 17:56 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-30 14:43 . 2009-07-26 02:26 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-25 23:46 . 2008-07-19 16:29 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-30 23:06 . 2011-10-12 15:36 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02 . 2011-10-12 15:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01 . 2011-10-12 15:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01 . 2011-10-12 15:36 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 23:01 . 2011-10-12 15:36 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 22:07 . 2011-10-12 15:36 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29 . 2011-10-12 15:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28 . 2011-10-12 15:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-06 13:30 . 2011-10-12 15:36 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00 . 2008-05-06 03:54 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-25 16:15 . 2011-10-12 15:35 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-08-25 16:14 . 2011-10-12 15:35 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-08-25 16:14 . 2011-10-12 15:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-25 13:31 . 2011-10-12 15:35 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-08-24 11:57 . 2011-08-24 11:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-14 18:01 . 2010-10-25 17:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SacReminderHDDV2N"="c:\programdata\Clickfree\C2NPlus\reminder\SacReminder.exe" [2011-01-20 870224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-22 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-26 129560]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"DLBXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
.
c:\users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-10-13 984408]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-10-22 611144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableStartupSound"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-24 09:27 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2008-12-20 04:48 342848 ----a-w- c:\users\Family\Program Files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-08-31 21:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-04-16 22:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-22 12:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [x]
R2 gupdate1c9834ebde52a90;Google Update Service (gupdate1c9834ebde52a90);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2008-07-09 47360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-06-28 101720]
S2 CFUACProxy_c2nplus;CFUACProxy_c2nplus;c:\programdata\Clickfree\C2NPlus\UACProxy.exe [2011-10-31 87368]
S2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programdata\Clickfree\C2NPlus\Reminder\SacNetAgent.exe [2011-10-25 157296]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]
.
.

jeffce
2011-11-20, 19:23
Hi mnyyoungs,

Could you repost the log that was created by ComboFix and let me know what remaining issues you are having with your system. :)

mnyyoungs
2011-11-20, 20:13
here it is again

ComboFix 11-11-20.01 - Family 20/11/2011 9:50.10.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1214 [GMT -5:00]
Running from: c:\users\Family\Downloads\ComboFix.exe
Command switches used :: c:\users\Family\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_COMSysApp
.
.
((((((((((((((((((((((((( Files Created from 2011-10-20 to 2011-11-20 )))))))))))))))))))))))))))))))
.
.
2011-11-20 15:11 . 2011-11-20 15:15 -------- d-----w- c:\users\Family\AppData\Local\temp
2011-11-20 15:11 . 2011-11-20 15:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-17 02:11 . 2008-02-29 08:13 35384 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2011-11-16 15:27 . 2011-11-16 15:27 -------- d-----w- c:\program files\ERUNT
2011-11-12 17:56 . 2011-11-12 17:56 -------- d-----w- c:\program files\ESET
2011-11-09 19:05 . 2011-11-09 19:05 -------- d-----w- c:\users\Family\AppData\Local\WinZip
2011-11-09 19:03 . 2011-11-09 19:04 -------- d-----w- c:\programdata\WinZip
2011-10-31 18:18 . 2011-10-31 18:18 1529728 ----a-w- c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2011-10-31 18:13 . 2011-10-31 18:13 145184 ----a-w- c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
2011-10-30 14:38 . 2011-10-30 14:38 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-28 08:13 . 2011-10-18 06:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D208FC11-8E7A-4DE4-917E-F39D40F22D8F}\mpengine.dll
2011-10-25 22:48 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-24 17:56 . 2011-10-24 17:56 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-30 14:43 . 2009-07-26 02:26 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-25 23:46 . 2008-07-19 16:29 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-30 23:06 . 2011-10-12 15:36 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02 . 2011-10-12 15:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01 . 2011-10-12 15:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01 . 2011-10-12 15:36 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 23:01 . 2011-10-12 15:36 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 22:07 . 2011-10-12 15:36 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29 . 2011-10-12 15:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28 . 2011-10-12 15:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-06 13:30 . 2011-10-12 15:36 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00 . 2008-05-06 03:54 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-25 16:15 . 2011-10-12 15:35 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-08-25 16:14 . 2011-10-12 15:35 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-08-25 16:14 . 2011-10-12 15:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-25 13:31 . 2011-10-12 15:35 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-08-24 11:57 . 2011-08-24 11:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-14 18:01 . 2010-10-25 17:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SacReminderHDDV2N"="c:\programdata\Clickfree\C2NPlus\reminder\SacReminder.exe" [2011-01-20 870224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-22 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-26 129560]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"DLBXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
.
c:\users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-10-13 984408]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-10-22 611144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableStartupSound"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-24 09:27 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2008-12-20 04:48 342848 ----a-w- c:\users\Family\Program Files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-08-31 21:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-04-16 22:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-22 12:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [x]
R2 gupdate1c9834ebde52a90;Google Update Service (gupdate1c9834ebde52a90);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2008-07-09 47360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-06-28 101720]
S2 CFUACProxy_c2nplus;CFUACProxy_c2nplus;c:\programdata\Clickfree\C2NPlus\UACProxy.exe [2011-10-31 87368]
S2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programdata\Clickfree\C2NPlus\Reminder\SacNetAgent.exe [2011-10-25 157296]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-10-31 18:10]
.
2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{1A27E350-4EB9-4A64-8D25-115B91043FBF}.job
- c:\windows\system32\msfeedssync.exe [2011-10-12 21:29]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\85q3ua9k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e2b35e5&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=ca&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Canadian English Dictionary: en-CA@dictionaries.addons.mozilla.org - %profile%\extensions\en-CA@dictionaries.addons.mozilla.org
FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

mnyyoungs
2011-11-20, 20:16
Part 2...The system is very slow...other than that...it seems fine! Now you said that the rootkit is "neutralized" does that mean....if it gets wet or eats after midnight it will come back...lol...sorry for the Gremlins reference...couldn't help it...lol.


**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-20 10:14
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]
"ImagePath"="\*"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
.
**************************************************************************
.
Completion time: 2011-11-20 10:24:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-20 15:24
ComboFix2.txt 2011-11-17 02:38
ComboFix3.txt 2011-11-14 23:46
ComboFix4.txt 2011-11-09 01:02
.
Pre-Run: 53,153,501,184 bytes free
Post-Run: 53,019,660,288 bytes free
.
- - End Of File - - 2863A7BBFF4D39711F1ACCA3D821B1FD

jeffce
2011-11-20, 22:00
Hi mnyyoungs,

LOL!! I just saw that movie the other day. I couldn't believe it when I saw it again!! I remember seeing it in the theater when it first came out. :laugh:

Looks like we have a bad registry key wanting to hang around. Please do the following and then post the logs created by OTM and TDSSKiller.
----------

Please download OTM (http://oldtimer.geekstogo.com/OTM.exe) by OldTimer.

Save it to your desktop.
Please right-click OTM, choose Run as Administrator, and then click >> run.
Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes
explorer.exe

:Reg
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]

:Commands
[purity]
[start explorer]
[Reboot]

Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
Close OTM

Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

--------------

Now run TDSSKiller again and post the new log that is created.

mnyyoungs
2011-11-20, 22:51
Log 1...

========== PROCESSES ==========
Process explorer.exe killed successfully!
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass\ deleted successfully.
========== COMMANDS ==========

OTM by OldTimer - Version 3.1.19.0 log created on 11202011_164146

mnyyoungs
2011-11-20, 23:03
log 2....

17:01:17.0669 0680 TDSS rootkit removing tool 2.6.19.0 Nov 16 2011 12:18:50
17:01:18.0075 0680 ============================================================
17:01:18.0075 0680 Current date / time: 2011/11/20 17:01:18.0075
17:01:18.0075 0680 SystemInfo:
17:01:18.0075 0680
17:01:18.0091 0680 OS Version: 6.0.6002 ServicePack: 2.0
17:01:18.0091 0680 Product type: Workstation
17:01:18.0091 0680 ComputerName: FAMILY-PC
17:01:18.0091 0680 UserName: Family
17:01:18.0091 0680 Windows directory: C:\Windows
17:01:18.0091 0680 System windows directory: C:\Windows
17:01:18.0091 0680 Processor architecture: Intel x86
17:01:18.0091 0680 Number of processors: 2
17:01:18.0091 0680 Page size: 0x1000
17:01:18.0091 0680 Boot type: Normal boot
17:01:18.0091 0680 ============================================================
17:01:20.0462 0680 Initialize success
17:01:34.0096 0968 ============================================================
17:01:34.0096 0968 Scan started
17:01:34.0096 0968 Mode: Manual;
17:01:34.0096 0968 ============================================================
17:01:34.0876 0968 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
17:01:34.0876 0968 ACPI - ok
17:01:35.0001 0968 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
17:01:35.0017 0968 adp94xx - ok
17:01:35.0126 0968 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
17:01:35.0126 0968 adpahci - ok
17:01:35.0173 0968 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
17:01:35.0173 0968 adpu160m - ok
17:01:35.0219 0968 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
17:01:35.0235 0968 adpu320 - ok
17:01:35.0344 0968 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
17:01:35.0344 0968 AFD - ok
17:01:35.0485 0968 agp440 (8b10ce1c1f9f1d47e4deb1a547a00cd4) C:\Windows\system32\drivers\agp440.sys
17:01:35.0485 0968 agp440 - ok
17:01:35.0531 0968 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
17:01:35.0531 0968 aic78xx - ok
17:01:35.0594 0968 aliide (dc67a153fdb8105b25d05334b5e1d8e2) C:\Windows\system32\drivers\aliide.sys
17:01:35.0594 0968 aliide - ok
17:01:35.0625 0968 amdagp (848f27e5b27c1c253f6cefdc1a5d8f21) C:\Windows\system32\drivers\amdagp.sys
17:01:35.0641 0968 amdagp - ok
17:01:35.0719 0968 amdide (835c4c3355088298a5ebd818fa31430f) C:\Windows\system32\drivers\amdide.sys
17:01:35.0719 0968 amdide - ok
17:01:35.0828 0968 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
17:01:35.0828 0968 AmdK7 - ok
17:01:35.0875 0968 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
17:01:35.0875 0968 AmdK8 - ok
17:01:35.0999 0968 ApfiltrService (350f19eb5fe4ec37a2414df56cde1aa8) C:\Windows\system32\DRIVERS\Apfiltr.sys
17:01:35.0999 0968 ApfiltrService - ok
17:01:36.0187 0968 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
17:01:36.0187 0968 arc - ok
17:01:36.0296 0968 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
17:01:36.0296 0968 arcsas - ok
17:01:36.0389 0968 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
17:01:36.0389 0968 AsyncMac - ok
17:01:36.0452 0968 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
17:01:36.0452 0968 atapi - ok
17:01:36.0623 0968 b57nd60x (32795e299c3aba589a5e04c83d531cdf) C:\Windows\system32\DRIVERS\b57nd60x.sys
17:01:36.0623 0968 b57nd60x - ok
17:01:36.0717 0968 BCM43XX (559db7c7d958c6262cc3efee4ad95cce) C:\Windows\system32\DRIVERS\bcmwl6.sys
17:01:36.0748 0968 BCM43XX - ok
17:01:36.0842 0968 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
17:01:36.0842 0968 Beep - ok
17:01:36.0951 0968 blbdrive - ok
17:01:37.0013 0968 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
17:01:37.0029 0968 bowser - ok
17:01:37.0107 0968 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
17:01:37.0107 0968 BrFiltLo - ok
17:01:37.0138 0968 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
17:01:37.0154 0968 BrFiltUp - ok
17:01:37.0263 0968 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
17:01:37.0263 0968 Brserid - ok
17:01:37.0310 0968 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
17:01:37.0310 0968 BrSerWdm - ok
17:01:37.0357 0968 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
17:01:37.0357 0968 BrUsbMdm - ok
17:01:37.0403 0968 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
17:01:37.0403 0968 BrUsbSer - ok
17:01:37.0466 0968 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
17:01:37.0481 0968 BTHMODEM - ok
17:01:37.0653 0968 catchme - ok
17:01:37.0778 0968 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
17:01:37.0778 0968 cdfs - ok
17:01:37.0856 0968 cdrom (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys
17:01:37.0856 0968 cdrom - ok
17:01:37.0949 0968 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
17:01:37.0949 0968 circlass - ok
17:01:38.0012 0968 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
17:01:38.0027 0968 CLFS - ok
17:01:38.0199 0968 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
17:01:38.0199 0968 CmBatt - ok
17:01:38.0261 0968 cmdide (e79cbb2195e965f6e3256e2c1b23fd1c) C:\Windows\system32\drivers\cmdide.sys
17:01:38.0261 0968 cmdide - ok
17:01:38.0308 0968 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
17:01:38.0308 0968 Compbatt - ok
17:01:38.0355 0968 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
17:01:38.0355 0968 crcdisk - ok
17:01:38.0433 0968 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
17:01:38.0449 0968 Crusoe - ok
17:01:38.0636 0968 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
17:01:38.0636 0968 DfsC - ok
17:01:38.0792 0968 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
17:01:38.0792 0968 disk - ok
17:01:38.0901 0968 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
17:01:38.0901 0968 drmkaud - ok
17:01:38.0995 0968 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
17:01:38.0995 0968 DSproct - ok
17:01:39.0073 0968 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\Windows\system32\DRIVERS\dsunidrv.sys
17:01:39.0073 0968 dsunidrv - ok
17:01:39.0166 0968 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
17:01:39.0197 0968 DXGKrnl - ok
17:01:39.0275 0968 e1express (7505290504c8e2d172fa378cc0497bcc) C:\Windows\system32\DRIVERS\e1e6032.sys
17:01:39.0275 0968 e1express - ok
17:01:39.0463 0968 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
17:01:39.0463 0968 E1G60 - ok
17:01:39.0556 0968 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
17:01:39.0556 0968 Ecache - ok
17:01:39.0681 0968 ElRawDisk (b8eac99b14772bdc36ca963aed109fa2) C:\Windows\system32\drivers\rsdrv.sys
17:01:39.0697 0968 ElRawDisk - ok
17:01:39.0790 0968 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
17:01:39.0790 0968 elxstor - ok
17:01:39.0946 0968 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
17:01:39.0962 0968 exfat - ok
17:01:40.0055 0968 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
17:01:40.0055 0968 fastfat - ok
17:01:40.0180 0968 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
17:01:40.0180 0968 fdc - ok
17:01:40.0258 0968 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
17:01:40.0258 0968 FileInfo - ok
17:01:40.0321 0968 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
17:01:40.0336 0968 Filetrace - ok
17:01:40.0367 0968 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
17:01:40.0383 0968 flpydisk - ok
17:01:40.0477 0968 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
17:01:40.0477 0968 FltMgr - ok
17:01:40.0695 0968 fssfltr (b74b0578fd1d3f897e95f2a2b69ea051) C:\Windows\system32\DRIVERS\fssfltr.sys
17:01:40.0695 0968 fssfltr - ok
17:01:40.0820 0968 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
17:01:40.0820 0968 Fs_Rec - ok
17:01:40.0898 0968 FTDIBUS (7c17235845d5ae3fb33ead47b5881521) C:\Windows\system32\drivers\ftdibus.sys
17:01:40.0898 0968 FTDIBUS - ok
17:01:40.0991 0968 FTSER2K (23220a4709cc5785f9633ba71416145c) C:\Windows\system32\drivers\ftser2k.sys
17:01:40.0991 0968 FTSER2K - ok
17:01:41.0054 0968 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
17:01:41.0054 0968 gagp30kx - ok
17:01:41.0085 0968 GEARAspiWDM - ok
17:01:41.0288 0968 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
17:01:41.0303 0968 HDAudBus - ok
17:01:41.0350 0968 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
17:01:41.0350 0968 HidBth - ok
17:01:41.0413 0968 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
17:01:41.0413 0968 HidIr - ok
17:01:41.0475 0968 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
17:01:41.0475 0968 HidUsb - ok
17:01:41.0569 0968 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
17:01:41.0569 0968 HpCISSs - ok
17:01:41.0693 0968 HSF_DPV (e9e589c9ab799f52e18f057635a2b362) C:\Windows\system32\DRIVERS\HSX_DPV.sys
17:01:41.0740 0968 HSF_DPV - ok
17:01:41.0803 0968 HSXHWAZL (7845d2385f4dc7dfb3ccaf0c2fa4948e) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
17:01:41.0803 0968 HSXHWAZL - ok
17:01:41.0896 0968 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
17:01:41.0927 0968 HTTP - ok
17:01:42.0037 0968 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
17:01:42.0037 0968 i2omp - ok
17:01:42.0161 0968 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
17:01:42.0161 0968 i8042prt - ok
17:01:42.0239 0968 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\Windows\system32\drivers\iastor.sys
17:01:42.0239 0968 iaStor - ok
17:01:42.0364 0968 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
17:01:42.0364 0968 iaStorV - ok
17:01:42.0505 0968 igfx (bbace0293b73bf8c7cb591f2d06f26fa) C:\Windows\system32\DRIVERS\igdkmd32.sys
17:01:42.0536 0968 igfx - ok
17:01:42.0567 0968 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
17:01:42.0567 0968 iirsp - ok
17:01:42.0707 0968 intelide (0084046c084d68e494f8cf36bcf08186) C:\Windows\system32\DRIVERS\intelide.sys
17:01:42.0723 0968 intelide - ok
17:01:42.0785 0968 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
17:01:42.0785 0968 intelppm - ok
17:01:42.0879 0968 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
17:01:42.0879 0968 IpFilterDriver - ok
17:01:42.0941 0968 IpInIp - ok
17:01:43.0035 0968 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
17:01:43.0051 0968 IPMIDRV - ok
17:01:43.0113 0968 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
17:01:43.0129 0968 IPNAT - ok
17:01:43.0191 0968 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
17:01:43.0207 0968 IRENUM - ok
17:01:43.0347 0968 isapnp (2f8ece2699e7e2070545e9b0960a8ed2) C:\Windows\system32\drivers\isapnp.sys
17:01:43.0347 0968 isapnp - ok
17:01:43.0441 0968 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
17:01:43.0441 0968 iScsiPrt - ok
17:01:43.0487 0968 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
17:01:43.0487 0968 iteatapi - ok
17:01:43.0628 0968 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
17:01:43.0628 0968 iteraid - ok
17:01:43.0737 0968 kbdclass (b076b2ab806b3f696dab21375389101c) C:\Windows\system32\DRIVERS\kbdclass.sys
17:01:43.0737 0968 kbdclass - ok
17:01:43.0846 0968 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
17:01:43.0846 0968 kbdhid - ok
17:01:43.0955 0968 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
17:01:43.0971 0968 KSecDD - ok
17:01:44.0096 0968 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\Windows\system32\DRIVERS\Lbd.sys
17:01:44.0096 0968 Lbd - ok
17:01:44.0205 0968 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
17:01:44.0205 0968 lltdio - ok
17:01:44.0299 0968 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
17:01:44.0299 0968 LSI_FC - ok
17:01:44.0377 0968 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
17:01:44.0377 0968 LSI_SAS - ok
17:01:44.0439 0968 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
17:01:44.0455 0968 LSI_SCSI - ok
17:01:44.0517 0968 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
17:01:44.0517 0968 luafv - ok
17:01:44.0611 0968 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\Windows\system32\DRIVERS\LVPr2Mon.sys
17:01:44.0611 0968 LVPr2Mon - ok
17:01:44.0735 0968 LVRS (37072ec9299e825f4335cc554b6fac6a) C:\Windows\system32\DRIVERS\lvrs.sys
17:01:44.0751 0968 LVRS - ok
17:01:45.0110 0968 LVUVC (a240e42a7402e927a71b6e8aa4629b13) C:\Windows\system32\DRIVERS\lvuvc.sys
17:01:45.0219 0968 LVUVC - ok
17:01:45.0344 0968 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
17:01:45.0344 0968 mdmxsdk - ok
17:01:45.0437 0968 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
17:01:45.0437 0968 megasas - ok
17:01:45.0500 0968 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
17:01:45.0500 0968 Modem - ok
17:01:45.0593 0968 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
17:01:45.0593 0968 monitor - ok
17:01:45.0656 0968 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
17:01:45.0656 0968 mouclass - ok
17:01:45.0749 0968 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
17:01:45.0749 0968 mouhid - ok
17:01:45.0812 0968 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
17:01:45.0812 0968 MountMgr - ok
17:01:45.0905 0968 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
17:01:45.0905 0968 mpio - ok
17:01:45.0968 0968 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
17:01:45.0983 0968 mpsdrv - ok
17:01:46.0093 0968 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
17:01:46.0093 0968 Mraid35x - ok
17:01:46.0217 0968 MREMP50 (80b2ec735495823ae5771a5f603e73bd) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
17:01:46.0217 0968 MREMP50 - ok
17:01:46.0264 0968 MREMP50a64 - ok
17:01:46.0342 0968 MRESP50 (37d7c22f7e26da90e2d2d260e5d27846) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
17:01:46.0342 0968 MRESP50 - ok
17:01:46.0420 0968 MRESP50a64 - ok
17:01:46.0514 0968 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
17:01:46.0514 0968 MRxDAV - ok
17:01:46.0561 0968 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
17:01:46.0576 0968 mrxsmb - ok
17:01:46.0748 0968 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
17:01:46.0763 0968 mrxsmb10 - ok
17:01:46.0857 0968 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
17:01:46.0857 0968 mrxsmb20 - ok
17:01:46.0919 0968 msahci (d420bc42a637ac3cc4f411220549c0dc) C:\Windows\system32\drivers\msahci.sys
17:01:46.0919 0968 msahci - ok
17:01:46.0966 0968 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
17:01:46.0966 0968 msdsm - ok
17:01:47.0075 0968 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
17:01:47.0075 0968 Msfs - ok
17:01:47.0185 0968 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
17:01:47.0185 0968 msisadrv - ok
17:01:47.0294 0968 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
17:01:47.0294 0968 MSKSSRV - ok
17:01:47.0325 0968 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
17:01:47.0341 0968 MSPCLOCK - ok
17:01:47.0387 0968 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
17:01:47.0387 0968 MSPQM - ok
17:01:47.0465 0968 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
17:01:47.0465 0968 MsRPC - ok
17:01:47.0575 0968 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
17:01:47.0575 0968 mssmbios - ok
17:01:47.0668 0968 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
17:01:47.0668 0968 MSTEE - ok
17:01:47.0731 0968 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
17:01:47.0731 0968 Mup - ok
17:01:47.0887 0968 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
17:01:47.0887 0968 NativeWifiP - ok
17:01:47.0980 0968 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
17:01:47.0996 0968 NDIS - ok
17:01:48.0074 0968 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
17:01:48.0074 0968 NdisTapi - ok
17:01:48.0183 0968 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
17:01:48.0183 0968 Ndisuio - ok
17:01:48.0230 0968 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
17:01:48.0230 0968 NdisWan - ok
17:01:48.0308 0968 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
17:01:48.0308 0968 NDProxy - ok
17:01:48.0370 0968 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
17:01:48.0370 0968 NetBIOS - ok
17:01:48.0495 0968 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
17:01:48.0511 0968 netbt - ok
17:01:48.0604 0968 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
17:01:48.0604 0968 nfrd960 - ok
17:01:48.0682 0968 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
17:01:48.0682 0968 Npfs - ok
17:01:48.0745 0968 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
17:01:48.0760 0968 nsiproxy - ok
17:01:48.0932 0968 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
17:01:49.0025 0968 Ntfs - ok
17:01:49.0213 0968 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
17:01:49.0213 0968 ntrigdigi - ok
17:01:49.0400 0968 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
17:01:49.0400 0968 Null - ok
17:01:49.0447 0968 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
17:01:49.0447 0968 nvraid - ok
17:01:49.0493 0968 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
17:01:49.0493 0968 nvstor - ok
17:01:49.0618 0968 nv_agp (055081fd5076401c1ee1bcab08d81911) C:\Windows\system32\drivers\nv_agp.sys
17:01:49.0618 0968 nv_agp - ok
17:01:49.0649 0968 NwlnkFlt - ok
17:01:49.0727 0968 NwlnkFwd - ok
17:01:49.0821 0968 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
17:01:49.0821 0968 ohci1394 - ok
17:01:49.0899 0968 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
17:01:49.0899 0968 Parport - ok
17:01:49.0946 0968 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
17:01:49.0961 0968 partmgr - ok
17:01:50.0008 0968 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
17:01:50.0008 0968 Parvdm - ok
17:01:50.0117 0968 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
17:01:50.0117 0968 pci - ok
17:01:50.0164 0968 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
17:01:50.0164 0968 pciide - ok
17:01:50.0227 0968 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
17:01:50.0242 0968 pcmcia - ok
17:01:50.0320 0968 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\Windows\system32\Drivers\pcouffin.sys
17:01:50.0320 0968 pcouffin - ok
17:01:50.0461 0968 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
17:01:50.0492 0968 PEAUTH - ok
17:01:50.0648 0968 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
17:01:50.0648 0968 PptpMiniport - ok
17:01:50.0710 0968 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
17:01:50.0710 0968 Processor - ok
17:01:50.0804 0968 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
17:01:50.0819 0968 PSched - ok
17:01:50.0944 0968 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\Windows\system32\Drivers\PxHelp20.sys
17:01:50.0944 0968 PxHelp20 - ok
17:01:51.0116 0968 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
17:01:51.0163 0968 ql2300 - ok
17:01:51.0256 0968 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
17:01:51.0256 0968 ql40xx - ok
17:01:51.0334 0968 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
17:01:51.0334 0968 QWAVEdrv - ok
17:01:51.0475 0968 R300 (e642b131fb74caf4bb8a014f31113142) C:\Windows\system32\DRIVERS\atikmdag.sys
17:01:51.0537 0968 R300 - ok
17:01:51.0631 0968 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
17:01:51.0631 0968 RasAcd - ok
17:01:51.0740 0968 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
17:01:51.0740 0968 Rasl2tp - ok
17:01:51.0802 0968 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
17:01:51.0802 0968 RasPppoe - ok
17:01:51.0865 0968 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
17:01:51.0865 0968 RasSstp - ok
17:01:51.0927 0968 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
17:01:51.0943 0968 rdbss - ok
17:01:52.0083 0968 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
17:01:52.0083 0968 RDPCDD - ok
17:01:52.0161 0968 rdpdr (0245418224cfa77bf4b41c2fe0622258) C:\Windows\system32\drivers\rdpdr.sys
17:01:52.0161 0968 rdpdr - ok
17:01:52.0223 0968 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
17:01:52.0223 0968 RDPENCDD - ok
17:01:52.0286 0968 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
17:01:52.0301 0968 RDPWD - ok
17:01:52.0411 0968 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\Windows\system32\DRIVERS\rimmptsk.sys
17:01:52.0411 0968 rimmptsk - ok
17:01:52.0504 0968 rimsptsk (db8eb01c58c9fada00c70b1775278ae0) C:\Windows\system32\DRIVERS\rimsptsk.sys
17:01:52.0504 0968 rimsptsk - ok
17:01:52.0535 0968 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\Windows\system32\DRIVERS\rixdptsk.sys
17:01:52.0535 0968 rismxdp - ok
17:01:52.0660 0968 RPSKT - ok
17:01:52.0754 0968 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
17:01:52.0785 0968 rspndr - ok
17:01:52.0863 0968 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
17:01:52.0863 0968 sbp2port - ok
17:01:52.0988 0968 SBRE (0505da5d357f18a5d42fc5dede6bc9a0) C:\Windows\system32\drivers\SBREdrv.sys
17:01:52.0988 0968 SBRE - ok
17:01:53.0097 0968 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
17:01:53.0097 0968 sdbus - ok
17:01:53.0159 0968 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
17:01:53.0159 0968 secdrv - ok
17:01:53.0269 0968 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\DRIVERS\serenum.sys
17:01:53.0269 0968 Serenum - ok
17:01:53.0315 0968 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
17:01:53.0315 0968 Serial - ok
17:01:53.0393 0968 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
17:01:53.0393 0968 sermouse - ok
17:01:53.0487 0968 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\DRIVERS\sffdisk.sys
17:01:53.0487 0968 sffdisk - ok
17:01:53.0549 0968 sffp_mmc (96ded8b20c734ac41641ce275250e55d) C:\Windows\system32\drivers\sffp_mmc.sys
17:01:53.0549 0968 sffp_mmc - ok
17:01:53.0659 0968 sffp_sd (9f66a46c55d6f1ccabc79bb7afccc545) C:\Windows\system32\DRIVERS\sffp_sd.sys
17:01:53.0659 0968 sffp_sd - ok
17:01:53.0705 0968 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
17:01:53.0721 0968 sfloppy - ok
17:01:53.0783 0968 sisagp (08072b2fb92477fc813271a84b3a8698) C:\Windows\system32\drivers\sisagp.sys
17:01:53.0783 0968 sisagp - ok
17:01:53.0861 0968 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
17:01:53.0861 0968 SiSRaid2 - ok
17:01:53.0986 0968 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
17:01:53.0986 0968 SiSRaid4 - ok
17:01:54.0142 0968 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
17:01:54.0142 0968 Smb - ok
17:01:54.0236 0968 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
17:01:54.0251 0968 spldr - ok
17:01:54.0376 0968 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
17:01:54.0376 0968 srv - ok
17:01:54.0470 0968 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
17:01:54.0485 0968 srv2 - ok
17:01:54.0532 0968 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
17:01:54.0532 0968 srvnet - ok
17:01:54.0626 0968 sscdbus (d5dffeaa1e15d4effabb9d9a3068ac5b) C:\Windows\system32\DRIVERS\sscdbus.sys
17:01:54.0626 0968 sscdbus - ok
17:01:54.0751 0968 sscdmdfl (8a1be0c347814f482f493aea619d57f6) C:\Windows\system32\DRIVERS\sscdmdfl.sys
17:01:54.0751 0968 sscdmdfl - ok
17:01:54.0797 0968 sscdmdm (5ab0b1987f682a59b15b78f84c6ad7d0) C:\Windows\system32\DRIVERS\sscdmdm.sys
17:01:54.0797 0968 sscdmdm - ok
17:01:54.0860 0968 sscdserd (751e66eb32efa80633b80f5d7ff0a1d8) C:\Windows\system32\DRIVERS\sscdserd.sys
17:01:54.0860 0968 sscdserd - ok
17:01:54.0985 0968 STHDA (5af135b2e2097d4494b9067ce84e2665) C:\Windows\system32\drivers\stwrt.sys
17:01:54.0985 0968 STHDA - ok
17:01:55.0094 0968 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
17:01:55.0094 0968 swenum - ok
17:01:55.0172 0968 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
17:01:55.0172 0968 Symc8xx - ok
17:01:55.0219 0968 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
17:01:55.0219 0968 Sym_hi - ok
17:01:55.0265 0968 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
17:01:55.0265 0968 Sym_u3 - ok
17:01:55.0375 0968 Tcpip (2756186e287139310997090797e0182b) C:\Windows\system32\drivers\tcpip.sys
17:01:55.0406 0968 Tcpip - ok
17:01:55.0562 0968 Tcpip6 (2756186e287139310997090797e0182b) C:\Windows\system32\DRIVERS\tcpip.sys
17:01:55.0577 0968 Tcpip6 - ok
17:01:55.0671 0968 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
17:01:55.0687 0968 tcpipreg - ok
17:01:55.0780 0968 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
17:01:55.0796 0968 TDPIPE - ok
17:01:59.0992 0968 ============================================================
17:01:59.0992 0968 Scan finished
17:01:59.0992 0968 ============================================================
17:02:00.0008 3352 Detected object count: 0
17:02:00.0008 3352 Actual detected object count: 0

mnyyoungs
2011-11-20, 23:42
Update, Jeff...I've tried to run updates for Windows and get errors..when I troubleshoot this one of the suggestions MS gives is a check disk may correct the problem...however, I cannot get check disk to run at boot up. I don't want to go messing with things, in the event they are critical to your side of the nasty little carcase we'll call rootkit..lol

jeffce
2011-11-21, 00:31
Hi mnyyoungs,

I really think that we are making headway with this. Outside of the chkdsk message you got how is your system running now?

-----------

mnyyoungs
2011-11-21, 01:20
so far so good...it seems...just minorly fiddling until I get the go ahead from you to install new virus/malware/spyware tools..etc...and clean up from our work together. :)

jeffce
2011-11-21, 02:23
Hi mnyyoungs,

Let's keep our fingers crossed. :fear:
------------


I see that you have Malwarebytes on your system. Please open Malwarebytes, update it and then run a Quick Scan. Please save the log that is created for your next reply.
----------

Now please run DDS once more so we can get a last look.

mnyyoungs
2011-11-21, 15:38
Malwarebytes log...

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8206

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19154

21/11/2011 9:37:31 AM
mbam-log-2011-11-21 (09-37-31).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 295715
Time elapsed: 2 hour(s), 5 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\tdsskiller_quarantine\30.10.2011_10.36.17\pmax0000\svc0000\tsk0000.dta (Backdoor.0Access) -> Quarantined and deleted successfully.

mnyyoungs
2011-11-21, 15:59
...and tadaaaa DDS

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19154 BrowserJavaVersion: 1.6.0_22
Run by Family at 9:50:41 on 2011-11-21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1146 [GMT -5:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\ProgramData\Clickfree\C2NPlus\UACProxy.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\ProgramData\Clickfree\C2NPlus\Reminder\SacNetAgent.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\DellTPad\Apoint.exe
C:\ProgramData\Clickfree\C2NPlus\Reminder\SacReminder.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK32.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - McAfee Phishing Filter
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [SacReminderHDDV2N] c:\programdata\clickfree\c2nplus\reminder\SacReminder.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [DLBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBXtime.dll,_RunDLLEntry@16
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\family\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK32.EXE
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableStartupSound = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{764E5182-D195-4A9C-8CDE-86780F3355D6} : DhcpNameServer = 192.168.2.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\family\appdata\roaming\mozilla\firefox\profiles\85q3ua9k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e2b35e5&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=ca&lng=en-GB&q=
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\family\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\family\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\family\appdata\roaming\mozilla\firefox\profiles\85q3ua9k.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - plugin: c:\users\family\program files\dna\plugins\npbtdna.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Canadian English Dictionary: en-CA@dictionaries.addons.mozilla.org - %profile%\extensions\en-CA@dictionaries.addons.mozilla.org
FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-5 64288]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2010-11-27 22312]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-12-5 101720]
R2 CFUACProxy_c2nplus;CFUACProxy_c2nplus;c:\programdata\clickfree\c2nplus\UACProxy.exe [2011-10-31 87368]
R2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programdata\clickfree\c2nplus\reminder\SacNetAgent.exe [2011-4-3 157296]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-10-31 1153368]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-11-22 179712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\cshelper.exe --> c:\windows\system32\CSHelper.exe [?]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-30 21504]
S2 gupdate1c9834ebde52a90;Google Update Service (gupdate1c9834ebde52a90);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-10-17 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2007-11-22 73728]
.
=============== Created Last 30 ================
.
2011-11-21 14:49:05 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d208fc11-8e7a-4de4-917e-f39d40f22d8f}\offreg.dll
2011-11-21 11:48:16 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-21 11:48:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-20 21:41:46 -------- d-----w- C:\_OTM
2011-11-20 15:24:35 -------- d-----w- c:\users\family\appdata\local\temp
2011-11-20 15:22:35 -------- d-sh--w- C:\$RECYCLE.BIN
2011-11-20 14:46:48 98816 ----a-w- c:\windows\sed.exe
2011-11-20 14:46:48 518144 ----a-w- c:\windows\SWREG.exe
2011-11-20 14:46:48 256000 ----a-w- c:\windows\PEV.exe
2011-11-20 14:46:48 208896 ----a-w- c:\windows\MBR.exe
2011-11-20 14:46:36 -------- d-----w- C:\ComboFix
2011-11-17 02:11:42 35384 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2011-11-14 22:57:57 4293777 ------r- C:\ComboFix.exe
2011-11-12 17:56:56 -------- d-----w- c:\program files\ESET
2011-11-09 19:05:01 -------- d-----w- c:\users\family\appdata\local\WinZip
2011-10-31 18:18:20 1529728 ----a-w- c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE
2011-10-31 18:13:51 145184 ----a-w- c:\program files\common files\microsoft shared\source engine\OSE.EXE
2011-10-30 14:38:20 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-28 08:13:47 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d208fc11-8e7a-4de4-917e-f39d40f22d8f}\mpengine.dll
2011-10-25 22:48:06 6144 ----a-w- c:\program files\internet explorer\iecompat.dll
2011-10-24 17:56:35 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
==================== Find3M ====================
.
2011-10-30 14:43:29 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-09-30 23:06:24 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 23:01:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 22:07:25 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-08-25 16:15:04 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-08-25 16:14:01 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-25 16:14:01 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-08-25 13:31:01 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-08-24 11:57:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 9:57:43.36 ===============

jeffce
2011-11-21, 16:17
Hi mnyyoungs,

Malwarebytes looks good as well as DDS. :)

How is your system behaving?

mnyyoungs
2011-11-21, 18:34
and DDS

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 22/11/2007 6:44:16 AM
System Uptime: 21/11/2011 9:48:24 AM (0 hours ago)
.
Motherboard: Dell Inc. | | 0DT492
Processor: Intel(R) Pentium(R) Dual CPU T2310 @ 1.46GHz | Microprocessor | 1467/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 99 GiB total, 49.597 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 6.033 GiB free.
E: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
.
Update for Microsoft Office 2007 (KB2508958)
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop CS
Adobe Reader 8.2.0
Adobe Shockwave Player 11.5
AnswerWorks 5.0 English Runtime
ArtistScope Plugin IE
Bonjour
Browser Address Error Redirector
Computrace
Conexant HDA D330 MDC V.92 Modem
Dell Driver Download Manager
Dell Driver Download Manager - 1
Dell Touchpad
DellSupport
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DNA
ERUNT 1.1j
ESET Online Scanner v3
Eusing Free Registry Cleaner
Facebook Plug-In
Google Chrome
Google Update Helper
Google Updater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Internet Check-Up
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 7
Junk Mail filter update
Logitech Vid HD
Logitech Webcam Software
Logitech Webcam Software Driver Package
Malwarebytes' Anti-Malware version 1.51.2.1300
Malwarebytes' RogueRemover
MediaDirect
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Works
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.6.24)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML4SP2
OGA Notifier 2.0.0048.0
OpenOffice.org Installer 1.0
Personal Ancestral File 5
QuickBooks
QuickBooks Pro 2011
Quicken 2009
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
RPS CRT
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553074)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft Office Excel 2007 (KB2553073)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype™ 4.2
Soap 3.0 Toolkit
Sonic Activation Module
Spybot - Search & Destroy
SupportSoft Assisted Service
System Requirements Lab
Taxman 2004 Version 1.1
Taxman 2005 Upgrade 1.2
Taxman 2006 Upgrade 1.3
Taxman 2007 Upgrade 1.6
Taxman 2008 Upgrade 1.5
Taxman 2009 Version 1.3
Taxman 2010 Upgrade 1.0
UFile 2007
UFile 2008
UFile 2009
UFile 2010
UFile Updater 2007
UFile Updater 2008
UFile Updater 2009
UFile Updater 2010
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
User's Guides
VC80CRTRedist - 8.0.50727.4053
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual Studio 2005 Tools for Office Second Edition Runtime
VLC media player 0.9.9
Windows Driver Package - FTDI CDM Driver Package (02/17/2009 2.04.16)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Player Firefox Plugin
WinZip 16.0
.
==== Event Viewer Messages From Past Week ========
.
21/11/2011 9:51:13 AM, Error: Service Control Manager [7000] - The Google Update Service (gupdate1c9834ebde52a90) service failed to start due to the following error: The system cannot find the file specified.
21/11/2011 9:49:10 AM, Error: Service Control Manager [7000] - The SigmaTel Audio Service service failed to start due to the following error: The system cannot find the file specified.
21/11/2011 9:49:10 AM, Error: Service Control Manager [7000] - The Security Services Driver (x86) service failed to start due to the following error: The system cannot find the file specified.
21/11/2011 9:49:10 AM, Error: Service Control Manager [7000] - The dlbx_device service failed to start due to the following error: The system cannot find the file specified.
21/11/2011 9:49:10 AM, Error: Service Control Manager [7000] - The CopySafe Helper Service service failed to start due to the following error: The system cannot find the file specified.
20/11/2011 6:44:42 AM, Error: Service Control Manager [7034] - The XAudioService service terminated unexpectedly. It has done this 1 time(s).
20/11/2011 6:44:33 AM, Error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
20/11/2011 6:44:30 AM, Error: Service Control Manager [7034] - The SacNetAgentService_C57C4F854F53 service terminated unexpectedly. It has done this 1 time(s).
20/11/2011 6:44:30 AM, Error: Service Control Manager [7034] - The CFUACProxy_c2nplus service terminated unexpectedly. It has done this 1 time(s).
20/11/2011 5:36:08 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Samsung ML-2010 Series with shared resource name Samsung ML-2010 Series. Error 2114. The printer cannot be used by others on the network.
20/11/2011 3:08:54 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070002: Windows Internet Explorer 9 for Windows Vista.
20/11/2011 10:11:32 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
16/11/2011 9:43:56 PM, Error: Service Control Manager [7038] - The FontCache service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: A system shutdown is in progress. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
16/11/2011 9:43:56 PM, Error: Service Control Manager [7000] - The Windows Font Cache Service service failed to start due to the following error: The service did not start due to a logon failure.
.
==== End Of File ===========================

mnyyoungs
2011-11-21, 18:36
ooops sorry for the DDS twice...a couple quirky things but I'm hoping that updating windows sorts that out...Malwarebytes wouldn't run for me earlier, so I had to uninstall and reinstall...but I imagine that things like that will happen since the infection was deep....what are your thoughts/suggestions/next step(s)?

jeffce
2011-11-22, 17:11
Hi mnyyoungs,

It looks like one of our tools worked a little too hard. :)

Please navigate to C:\QooBox and post the contents of ComboFix-quarantined-files.txt.

Thank you.

mnyyoungs
2011-11-22, 23:30
WOW...if this means something to you, then you are more my hero than you were a few minutes ago!!!

2011-11-20 15:02:51 . 2011-11-20 15:02:51 4,464 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg.dat
2011-11-17 02:35:36 . 2011-11-17 02:35:36 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2011-11-17 02:35:34 . 2011-11-17 02:35:34 132 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2011-11-14 23:16:45 . 2011-11-20 14:49:46 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-11-09 01:00:22 . 2011-11-09 01:00:22 580 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Powerful Employment Policies.reg.dat
2011-11-09 00:58:43 . 2011-11-09 00:58:43 118 ----a-w- C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-{9565115d-c7d6-46d3-bd63-b67b481a4368}.reg.dat
2011-11-09 00:45:42 . 2011-11-20 15:02:09 7,213 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-11-09 00:28:00 . 2011-11-20 14:49:45 350 ----a-w- C:\Qoobox\Quarantine\catchme.log

jeffce
2011-11-23, 01:03
> WOW...if this means something to you, then you are more my hero than you were a few minutes ago!!!

LOL!! You're my hero for sticking through all of this!!

------------------

Qoobox is the backup folder for items removed by ComboFix. It usually is removed when ComboFix is removed in the proper manner.

Please navigate to this file:

C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg.dat

Right click it and click rename
Remove the .dat file extension so the file now looks like this:

C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg

Left click on a blank spot near the filename and make sure it looks like the above
Right click the file and click merge
Accept any warnings

Let me know if it was successful.

mnyyoungs
2011-11-23, 01:28
aweeee gorsh..thank you...it's been educational, to say the least!

Ok..this reg.dat file is showing it is a dat file, but the name is only .reg. However when I look at it in properties, it is reg.dat. Does that make sense...not sure what you would like me to do.


file name - Service_COMSysApp.reg

:-s

jeffce
2011-11-23, 01:32
Click Start > Run (you can use the search box also). Copy and paste the following line in the box and click OK.

regedit /e "%userprofile%\desktop\lookCOM.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp"

Don't miss the quote mark at the end.

You will now have a notepad on your desktop named lookcom.txt. Please post its contents.

mnyyoungs
2011-11-23, 01:50
Batting a thousand today...this didn't provide anything on the desktop...I copied ALL of the command and tried both search and run. I get a request to perform the task from windows...then nadda.

jeffce
2011-11-23, 02:49
OK, let's try this.


Click Start > Run, type Notepad, and click OK.
This will open an empty Notepad file.
Copy/Paste the contents of the box below into Notepad.


@echo off
rem Export the COMSysApp service key from the registry to a text file on the Desktop
regedit.exe /e "%userprofile%\Desktop\look.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp"
rem Open the export in Notepad; the script waits here until Notepad is closed
Notepad.exe "%userprofile%\Desktop\look.txt"
rem Remove the export and then this batch file itself
Del "%userprofile%\Desktop\look.txt"
Del %0

Click Format and ensure Wordwrap is unchecked.
Save as RegExp.bat
Save as file type All Files or it won't work.
Now double click on RegExp.bat to run it.
A file look.txt will open on your Desktop, please post the contents in your next reply.

mnyyoungs
2011-11-23, 13:18
Look - notepad is blank. To recap, I saved the RegExp.bat notepad file to the desktop. Double clicked on it. The system asked for my permission to run. Then identified that there was no desktop file to save it to, create one. I said yes....voila...nadda. :-s zoinkies shaggy! I think there's a ghost in there!

jeffce
2011-11-23, 13:35
> zoinkies shaggy! I think there's a ghost in there!

ru roh! :laugh:
I don't think so luckily.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Right-click and Run as Administrator SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:reg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp /s


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

mnyyoungs
2011-11-24, 00:02
taaaa daaaaa.....

SystemLook 30.07.11 by jpshortstuff
Log created at 18:02 on 23/11/2011 by Family
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
(Unable to open key - key not found)

-= EOF =-

jeffce
2011-11-24, 02:35
Hi mnyyoungs,

That is what I thought. The restore from Qoobox did not take. Let's try it again.

Please navigate to this file:

C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg.dat

Right click it and click rename
Remove the .dat file extension so the file now looks like this:

C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg

Left click on a blank spot near the filename and make sure it looks like the above
Right click the file and click merge
Accept any warnings

Let me know if it was successful.

mnyyoungs
2011-11-24, 13:02
:-s the file does not have a reg.dat extension for me to rename.

"C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg"

although it does show as a dat file listed under "type"

I cannot proceed with the instructions, as is. :(

jeffce
2011-11-24, 14:53
Hi mnyyoungs,

Go ahead and delete your copy of ComboFix, download a fresh copy and then run a new scan. Please post the log into your next reply. :)

mnyyoungs
2011-11-24, 17:27
ComboFix 11-11-23.03 - Family 24/11/2011 11:00:03.11.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1286 [GMT -5:00]
Running from: c:\users\Family\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-24 to 2011-11-24 )))))))))))))))))))))))))))))))
.
.
2011-11-24 16:20 . 2011-11-24 16:20 -------- d-----w- c:\users\Family\AppData\Local\temp
2011-11-24 16:20 . 2011-11-24 16:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-21 11:48 . 2011-11-21 11:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-21 11:48 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-20 21:41 . 2011-11-20 21:41 -------- d-----w- C:\_OTM
2011-11-17 02:11 . 2008-02-29 08:13 35384 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2011-11-16 15:27 . 2011-11-16 15:27 -------- d-----w- c:\program files\ERUNT
2011-11-12 17:56 . 2011-11-12 17:56 -------- d-----w- c:\program files\ESET
2011-11-09 19:05 . 2011-11-09 19:05 -------- d-----w- c:\users\Family\AppData\Local\WinZip
2011-11-09 19:03 . 2011-11-09 19:04 -------- d-----w- c:\programdata\WinZip
2011-10-31 18:18 . 2011-10-31 18:18 1529728 ----a-w- c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2011-10-31 18:13 . 2011-10-31 18:13 145184 ----a-w- c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
2011-10-30 14:38 . 2011-10-30 14:38 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-28 08:13 . 2011-10-18 06:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D208FC11-8E7A-4DE4-917E-F39D40F22D8F}\mpengine.dll
2011-10-25 22:48 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-30 14:43 . 2009-07-26 02:26 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-09-30 23:06 . 2011-10-12 15:36 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02 . 2011-10-12 15:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01 . 2011-10-12 15:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01 . 2011-10-12 15:36 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 23:01 . 2011-10-12 15:36 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 22:07 . 2011-10-12 15:36 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29 . 2011-10-12 15:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28 . 2011-10-12 15:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-06 13:30 . 2011-10-12 15:36 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-04-14 18:01 . 2010-10-25 17:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SacReminderHDDV2N"="c:\programdata\Clickfree\C2NPlus\reminder\SacReminder.exe" [2011-01-20 870224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-22 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-26 129560]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"DLBXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
.
c:\users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-10-13 984408]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-10-22 611144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableStartupSound"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-24 09:27 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2008-12-20 04:48 342848 ----a-w- c:\users\Family\Program Files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-08-31 22:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-04-16 22:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-22 12:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 CFUACProxy_c2nplus;CFUACProxy_c2nplus;c:\programdata\Clickfree\C2NPlus\UACProxy.exe [2011-10-31 87368]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [x]
R2 gupdate1c9834ebde52a90;Google Update Service (gupdate1c9834ebde52a90);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programdata\Clickfree\C2NPlus\Reminder\SacNetAgent.exe [2011-10-25 157296]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2008-07-09 47360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-06-28 101720]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2011-10-31 1153368]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-10-31 18:10]
.
2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{1A27E350-4EB9-4A64-8D25-115B91043FBF}.job
- c:\windows\system32\msfeedssync.exe [2011-10-12 21:29]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\85q3ua9k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e2b35e5&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=ca&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Canadian English Dictionary: en-CA@dictionaries.addons.mozilla.org - %profile%\extensions\en-CA@dictionaries.addons.mozilla.org
FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-24 11:20
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-11-24 11:25:50
ComboFix-quarantined-files.txt 2011-11-24 16:25
ComboFix2.txt 2011-11-17 02:38
ComboFix3.txt 2011-11-14 23:46
ComboFix4.txt 2011-11-09 01:02
.
Pre-Run: 53,239,291,904 bytes free
Post-Run: 53,025,878,016 bytes free
.
- - End Of File - - E9AAB4F6F4642F1C49009A2742B198F6

jeffce
2011-11-27, 02:32
Hi mnyyoungs,

I haven't forgotten about you. :) Working some details out about your logs. I will return as quickly as I can.

mnyyoungs
2011-11-27, 02:56
No probs, Jeff...happy deep fried turkey, football, parade and psycho shopping day!

jeffce
2011-11-27, 22:38
Hi mnyyoungs,

Let's unhide some extensions so that you can see them and then restore that entry.

Click on Control Panel
Click on Folder Options
Click on View Tab

Check: Show hidden files, folders, or drives
Uncheck: Hide extensions for known file types
Press OK
======================================================

Please navigate to C:\QooBox and post the contents of ComboFix-quarantined-files.txt.

========================================

Qoobox is the backup folder for items removed by ComboFix. It usually is removed when ComboFix is removed in the proper manner.

Please navigate to this file:

C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg.dat

Right click it and click rename
Remove the .dat file extension so the file now looks like this:

C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg

Left click on a blank spot near the filename and make sure it looks like the above
Right click the file and click merge
Accept any warnings

Let me know if it was successful.

mnyyoungs
2011-11-28, 18:44
Qoobox quarantined files

2011-11-20 15:02:51 . 2011-11-20 15:02:51 4,464 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg.dat
2011-11-17 02:35:36 . 2011-11-17 02:35:36 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2011-11-17 02:35:34 . 2011-11-17 02:35:34 132 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2011-11-14 23:16:45 . 2011-11-20 14:49:46 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-11-09 01:00:22 . 2011-11-09 01:00:22 580 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Powerful Employment Policies.reg.dat
2011-11-09 00:58:43 . 2011-11-09 00:58:43 118 ----a-w- C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-{9565115d-c7d6-46d3-bd63-b67b481a4368}.reg.dat
2011-11-09 00:45:42 . 2011-11-24 16:11:38 7,278 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-11-09 00:28:00 . 2011-11-24 16:00:02

mnyyoungs
2011-11-28, 18:47
step 2 seems to be fine. File now reads service_COMSysApp.reg and has been merged.

jeffce
2011-11-28, 20:06
Hi mnyyoungs,

Great job! How is your system running? :)
---------


Right-click and Run as Administrator SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:reg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp /s


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

mnyyoungs
2011-11-28, 21:07
nothing quirky other than not being able to do updates, re: previous post. Although I have not tried since before. Here is the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 15:06 on 28/11/2011 by Family
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
"ImagePath"="%SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"
"Start"= 0x0000000003 (3)
"Type"= 0x0000000010 (16)
"DisplayName"="@comres.dll,-947"
"Description"="@comres.dll,-948"
"ObjectName"="LocalSystem"
"ErrorControl"= 0x0000000001 (1)
"DependOnService"="RpcSs EventSystem SENS"
"RequiredPrivileges"="SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeChangeNotifyPrivilege SeCreateGlobalPrivilege SeDebugPrivilege SeImpersonatePrivilege SeIncreaseQuotaPrivilege"
"FailureActions"=1e 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 e8 03 00 00 01 00 00 00 88 13 00 00 00 00 00 00 00 00 00 00 (REG_BINARY)


-= EOF =-
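As an added example (not code from this thread, SystemLook or ComboFix), the script below parses the SystemLook `:reg` output format shown above and checks the COMSysApp service key against the stock values from the merged backup, reporting a missing key, a matching key, or the values that differ; the sample logs are constructed from the two results posted in this thread, the tampered variant uses a placeholder path, and the FailureActions decoder follows the SERVICE_FAILURE_ACTIONS layout.

```python
import re
import struct
from typing import Dict, List, Optional, Tuple

COMSYSAPP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp"

# Baseline taken from the SystemLook log posted after the Qoobox .reg backup was merged.
EXPECTED = {
    "ImagePath": r"%SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}",
    "Start": 3,   # SERVICE_DEMAND_START
    "Type": 16,   # SERVICE_WIN32_OWN_PROCESS
    "ObjectName": "LocalSystem",
    "DependOnService": "RpcSs EventSystem SENS",
}

# Line shapes SystemLook uses in its ':reg' output, as seen in this thread's logs.
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=\s*0x[0-9A-Fa-f]+\s+\((\d+)\)$')
BINARY_RE = re.compile(r'^"([^"]+)"=((?:[0-9A-Fa-f]{2}\s*)+)\(REG_BINARY\)$')
STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _parse_value(line: str) -> Optional[Tuple[str, object]]:
    """One 'name=data' line -> (name, typed value), or None if it is not a value line."""
    m = DWORD_RE.match(line)
    if m:
        return m.group(1), int(m.group(2))
    m = BINARY_RE.match(line)
    if m:
        return m.group(1), bytes.fromhex(m.group(2).replace(" ", ""))
    m = STRING_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def parse_systemlook_reg(log: str) -> Dict[str, Optional[Dict[str, object]]]:
    """Map each key path in a ':reg' section to its values; None marks 'key not found'."""
    keys: Dict[str, Optional[Dict[str, object]]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys[current] = {}
        elif current is None or keys[current] is None:
            continue
        elif line.startswith("(Unable to open key"):
            keys[current] = None
        else:
            parsed = _parse_value(line)
            if parsed:
                keys[current][parsed[0]] = parsed[1]
    return keys


def check_comsysapp(log: str) -> Dict[str, object]:
    """Report whether the COMSysApp key exists and which baseline values differ.

    A missing key is what the first dump in this thread showed. On a present key, a
    changed ImagePath or Start deserves a closer look: the service runs as LocalSystem.
    """
    values = parse_systemlook_reg(log).get(COMSYSAPP_KEY)
    if values is None:
        return {"present": False, "mismatches": {}}
    mismatches = {name: (want, values.get(name))
                  for name, want in EXPECTED.items() if values.get(name) != want}
    return {"present": True, "mismatches": mismatches}


def decode_failure_actions(blob: bytes) -> Tuple[int, List[Tuple[int, int]]]:
    """Decode a SERVICE_FAILURE_ACTIONS blob: five little-endian DWORDs (dwResetPeriod,
    lpRebootMsg, lpCommand, cActions, lpsaActions = offset of the SC_ACTION array), then
    cActions pairs of (Type, Delay ms); Type 1 = restart the service, 0 = take no action."""
    reset_period, _reboot_msg, _command, count, offset = struct.unpack_from("<5I", blob, 0)
    return reset_period, [struct.unpack_from("<2I", blob, offset + 8 * i) for i in range(count)]


# Constructed samples reproducing the two SystemLook results posted in this thread.
SAMPLE_MISSING = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
(Unable to open key - key not found)
"""

SAMPLE_RESTORED = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
"ImagePath"="%SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"
"Start"= 0x0000000003 (3)
"Type"= 0x0000000010 (16)
"ObjectName"="LocalSystem"
"DependOnService"="RpcSs EventSystem SENS"
"FailureActions"=1e 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 e8 03 00 00 01 00 00 00 88 13 00 00 00 00 00 00 00 00 00 00 (REG_BINARY)
"""

# Constructed variant with a different binary (placeholder path) and automatic start.
SAMPLE_TAMPERED = SAMPLE_RESTORED.replace(
    r"%SystemRoot%\system32\dllhost.exe", r"C:\ProgramData\placeholder\service.exe"
).replace('"Start"= 0x0000000003 (3)', '"Start"= 0x0000000002 (2)')

if __name__ == "__main__":
    for label, sample in (("missing", SAMPLE_MISSING), ("restored", SAMPLE_RESTORED),
                          ("tampered", SAMPLE_TAMPERED)):
        print(label, check_comsysapp(sample))
    blob = parse_systemlook_reg(SAMPLE_RESTORED)[COMSYSAPP_KEY]["FailureActions"]
    print("failure actions:", decode_failure_actions(blob))
```

Feed it the full SystemLook.txt from the Desktop instead of the inline samples to check a real dump; any key SystemLook listed is parsed, not just COMSysApp.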

jeffce
2011-11-28, 21:10
Hi,

Good...that service merged nicely. :)
---------


> nothing quirky other than not being able to do updates

What can you not update now?

mnyyoungs
2011-11-28, 21:39
Nothing like a good merge, eh?

I get a windows error code: WindowsUpdate_80096001. This is the one I'd gotten before regarding drive error and the check for errors was not running when the computer was reboot...ed.

mnyyoungs
2011-11-28, 21:51
"The task image is corrupt or has been tampered with.User+Feed+Synchronization-{1A27E350-4EB9-4A64-8D25-115B91043FBF}

jeffce
2011-11-28, 23:54
Hi mnyyoungs,

Lets get the Windows update going. Visit the page here (http://support.microsoft.com/kb/971058) and use the Fix It button. :) Follow the prompts and when completed try to update Windows again.

mnyyoungs
2011-11-29, 03:43
same thing...same error and cannot get error check to run. :-s

jeffce
2011-11-30, 22:25
Hi mnyyoungs,

I am still looking over some things with your logs with colleagues to make sure you are taken care of properly. :)

mnyyoungs
2011-12-01, 01:39
You are the best!!!!!

jeffce
2011-12-01, 21:46
Hi mnyyoungs,

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to virustotal, please click VirusTotal (www.virustotal.com)

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

c:\windows\system32\wuauclt.exe

scroll down a bit and click "send file", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------

mnyyoungs
2011-12-01, 23:23
14 VT Community user(s) with a total of 43357 reputation credit(s) say(s) this sample is goodware. 4 VT Community user(s) with a total of 4 reputation credit(s) say(s) this sample is malware.
File name:
wuauclt.exe
Submission date:
2011-12-01 13:53:19 (UTC)
Current status:
finished
Result:
0 /43 (0.0%)

VT Community

goodware
Safety score: 100.0%
Antivirus Version Last Update Result
AhnLab-V3 2011.12.01.00 2011.12.01 -
AntiVir 7.11.18.164 2011.12.01 -
Antiy-AVL 2.0.3.7 2011.12.01 -
Avast 6.0.1289.0 2011.12.01 -
AVG 10.0.0.1190 2011.12.01 -
BitDefender 7.2 2011.12.01 -
ByteHero 1.0.0.1 2011.11.29 -
CAT-QuickHeal 12.00 2011.12.01 -
ClamAV 0.97.3.0 2011.12.01 -
Commtouch 5.3.2.6 2011.12.01 -
Comodo 10799 2011.12.01 -
DrWeb 5.0.2.03300 2011.12.01 -
Emsisoft 5.1.0.11 2011.12.01 -
eSafe 7.0.17.0 2011.11.30 -
eTrust-Vet 37.0.9597 2011.12.01 -
F-Prot 4.6.5.141 2011.11.29 -
F-Secure 9.0.16440.0 2011.12.01 -
Fortinet 4.3.388.0 2011.12.01 -
GData 22.292/22.544 2011.12.01 -
Ikarus T3.1.1.109.0 2011.12.01 -
Jiangmin 13.0.900 2011.11.30 -
K7AntiVirus 9.119.5570 2011.11.30 -
Kaspersky 9.0.0.837 2011.12.01 -
McAfee 5.400.0.1158 2011.12.01 -
McAfee-GW-Edition 2010.1D 2011.12.01 -
Microsoft 1.7903 2011.12.01 -
NOD32 6668 2011.12.01 -
Norman 6.07.13 2011.12.01 -
nProtect 2011-12-01.01 2011.12.01 -
Panda 10.0.3.5 2011.11.30 -
PCTools 8.0.0.5 2011.12.01 -
Prevx 3.0 2011.12.01 -
Rising 23.86.03.01 2011.12.01 -
Sophos 4.71.0 2011.12.01 -
SUPERAntiSpyware 4.40.0.1006 2011.12.01 -
Symantec 20111.2.0.82 2011.12.01 -
TheHacker 6.7.0.1.352 2011.11.30 -
TrendMicro 9.500.0.1008 2011.12.01 -
TrendMicro-HouseCall 9.500.0.1008 2011.12.01 -
VBA32 3.12.16.4 2011.12.01 -
VIPRE 11187 2011.12.01 -
ViRobot 2011.12.1.4803 2011.12.01 -
VirusBuster 14.1.93.0 2011.11.30 -
MD5 : 62bb79160f86cd962f312c68c6239bfd
SHA1 : c2de8148e1a8e8f097e3a40232ddb04efd0a7cc6
SHA256: 2fa2506b5c8b4469d2b36c803cceac15e831c3f8a4af065aca72da8f385f24c0

jeffce
2011-12-01, 23:58
Hi mnyyoungs,

Please download GetPartitions from the link below to your Desktop

getpartitions.exe (http://www.osvemu.com/getpartitions.exe)

Double-Click (right-click and Run as Administrator Vista/7 users) the icon to run it.
When complete it will produce a log found at C:\DiskReport.txt
Please post the contents of that log into your next reply.
----------

mnyyoungs
2011-12-02, 00:31
as you requested...


Microsoft DiskPart version 6.0.6002
Copyright (C) 1999-2007 Microsoft Corporation.
On computer: FAMILY-PC

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 E US-Direct ( UDF DVD-ROM 176 MB Healthy
Volume 1 D RECOVERY NTFS Partition 10 GB Healthy
Volume 2 C OS NTFS Partition 99 GB Healthy System

jeffce
2011-12-02, 04:14
Hi mnyyoungs,

I would like for you to visit this page again here (http://support.microsoft.com/kb/971058) with the FixIt button.
Download and install the Windows Fix-It tool.
Run the tool and when asked if you want to Run in Aggressive Mode click on that box to do so.
Let it run and then when complete try to run Windows Update again. :)

Let me know if that fixed it up for you.

mnyyoungs
2011-12-02, 13:42
Ok, here's the new scoop...ran the link 3 times looking for the "aggressive" button. No button, but the WinFix said it had fixed the problem. Restarted, still getting the same error when I try to update. Did a search and found another WinFix with the aggressive button. Ran it in aggressive mode, restarted. Still won't update, same error. :-s Tried to run Disk Check. Restarted the computer and disk check did not run..... GULP...I tell ya, ghosts!

jeffce
2011-12-02, 16:35
Hi mnyyoungs,

I would like to review the log that is created when Windows updates itself.


Click Start > in the Start Search box type Run.
When Run populates above left-click on Run.
In the Open box, type windowsupdate.log, and then click OK.
Copy/Paste the information provided in the windowsupdate.log into your next reply.

mnyyoungs
2011-12-02, 18:35
the log you requested is massive! can I give it to you as an attachment? Otherwise, I would have to paste in approx. 12-15 messages.

jeffce
2011-12-02, 19:44
Yes that is not a problem at all. :)

mnyyoungs
2011-12-03, 02:44
The log is attached.

mnyyoungs
2011-12-03, 02:47
or so I thought...it's 1.42mb and is too large. I'll break it down for you.

jeffce
2011-12-03, 04:28
Instead of doing that you can upload them to Mediafire and give me the link that is provided once it is done and I can look at it there.

Mediafire (http://www.mediafire.com/)

mnyyoungs
2011-12-03, 15:20
voila! you know all the tricks!

http://www.mediafire.com/?t6a86ofhk6157qu

jeffce
2011-12-05, 13:38
Hi mnyyoungs,

I need for you to try to update another way. Please be sure to disable all antivirus and/or antispyware programs.

Please open Internet Explorer.
Select Tools > Windows Update.
Now go through and attempt to manually download and install all Windows updates.
Once you are complete reboot your system.


Let me know if that did anything. :)

mnyyoungs
2011-12-08, 02:20
That didn't work, either, Jeff. Same error message.

jeffce
2011-12-08, 04:31
Hi mnyyoungs,

I have to say that I don't believe that this is malware that is causing the problems at this time. I do believe however that it is a result of that awful ZeroAccess rootkit that was on your system and has damaged your system.

At this time I think that you would be better served visiting the Windows forum at What the Tech found here (http://forums.whatthetech.com/index.php?showforum=119). The Tech Team there will be better suited for helping you with the problems that you are having now. You will be in great hands with any of the Tech Team members that help you and I know they will do what they can to get you on the right track.

Please go to the Windows forum using the link I provided (remember to register there...it's free) and post a new topic. In the topic explain your problems and be sure to post a link to the topic here so that they will be able to see what has been done.

mnyyoungs
2011-12-10, 01:38
Jeff, you have been stellar in your directions and your patience with this issue! Your time and efforts are appreciated more than you know. Thank you so, very much and have a wonderful and Happy Holidays!

jeffce
2011-12-10, 16:33
Hi mnyyoungs,

Thank you so much for your kind words. I wish you and yours a happy holiday season as well.

I will leave this topic open so when you finish at the Windows forum you can come back and we will remove all of the tools that are still remaining on your system. I don't want to remove them until things are settled for you. Let me know how it goes. :bigthumb:

mnyyoungs
2011-12-10, 17:19
Thank you, Jeff and I will!!!

jeffce
2011-12-22, 21:23
Hi mnyyoungs,

I want to be sure to give you this last set of instructions even though I have not heard from you. It will help you to properly remove our tools and also give you some good information on computer security. :)
----------

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :D

This infection appears to have been cleaned, but I cannot give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.
----------

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following text into the Run box as shown and click OK.
Combofix /Uninstall
(Note: There is a space between the ..X and the /U that needs to be there.)

http://i1224.photobucket.com/albums/ee380/jeffce74/CF.jpg
----------


Double-click OTM.exe to start the program.
Close all other programs apart from OTM as this step will require a reboot
On the OTM main screen, press the CLEANUP button
Say Yes to the prompt and then allow the program to reboot your computer.

----------

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
Open Internet Explorer
Click on Tools > Internet Options
Press Security tab
Select Internet zone then place check next to Enable Protected Mode if not already done
Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.
3. Use and update anti-virus software - I cannot overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here (http://www.bleepingcomputer.com/forums/tutorial60.html). **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free (http://download.cnet.com/Online-Armor-Free/3000-10435_4-10426782.html)
Agnitum Outpost Firewall Free (http://download.cnet.com/Agnitum-Outpost-Firewall-Free/3000-10435_4-10913746.html)

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp) regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. Consider a custom hosts file such as MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.htm). This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002 (http://www.mvps.org/winhelp2002/hosts.htm).
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

7. WOT (http://www.mywot.com/) (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

8. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
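
Steps 1 and 2 of the closing post above walk the user through the Internet Explorer security dialog by hand. The script below is an added example, not part of the forum thread or jeffce's instructions: a read-only PowerShell audit that reads the same Internet Explorer zone settings from the registry and reports which ones differ from the values the post recommends, so the result of the manual steps can be verified without clicking through the dialog again. It assumes the Vista/IE8-era layout the thread deals with (per-user zone settings under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones); the numeric policy IDs (1001, 1004, 1201, 1800, 1804, 1607 for the zone options and 2500 for Protected Mode) and the 0/1/3 = Enable/Prompt/Disable encoding are standard IE zone-policy values taken from the editor's knowledge, not from the post. It changes nothing on the machine.

```powershell
# Added example (not from the forum post): read-only audit of the Internet Explorer
# zone settings and Protected Mode state that the closing post tells the user to set.
# It only reads the registry and reports; it never writes. Policy IDs and value encoding
# are standard IE zone-policy values used from memory (assumption), not quoted from the post.

# Zone numbers IE uses: 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Numeric policy values IE stores for a zone option: 0 = Enable, 1 = Prompt, 3 = Disable
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Internet-zone (zone 3) options from step 1 of the post, with the recommended value.
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                         Want = 1 }
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                       Want = 3 }
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    @{ Id = '1800'; Name = 'Installation of desktop items';                            Want = 1 }
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                Want = 1 }
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';             Want = 1 }
)

function Get-ZoneValue {
    param([int]$Zone, [string]$Id)
    $key = Join-Path $ZoneRoot $Zone
    # An option that was never customised may be absent from HKCU (IE then falls back to
    # the zone template default), so report $null instead of throwing.
    $item = Get-ItemProperty -Path $key -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

function Test-InternetZoneSettings {
    foreach ($s in $Recommended) {
        $have = Get-ZoneValue -Zone 3 -Id $s.Id
        $haveText = if ($null -eq $have) { 'not set (zone default)' } else { $Meaning[$have] }
        $status   = if ($have -eq $s.Want) { 'OK ' } else { 'FIX' }
        '{0} [{1}] {2}: current={3}, recommended={4}' -f $status, $s.Id, $s.Name, $haveText, $Meaning[$s.Want]
    }
}

function Test-ProtectedMode {
    # Step 2 of the post: Protected Mode per zone. Value 2500 is 0 when Protected Mode
    # is on and 3 when it is off (assumption: standard IE encoding).
    $zones = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
    foreach ($z in ($zones.Keys | Sort-Object)) {
        $v = Get-ZoneValue -Zone $z -Id '2500'
        if ($null -eq $v)  { $state = 'not set (zone default)' }
        elseif ($v -eq 0)  { $state = 'On' }
        elseif ($v -eq 3)  { $state = 'Off' }
        else               { $state = "unexpected value $v" }
        $status = if ($v -eq 0) { 'OK ' } else { 'FIX' }
        '{0} Protected Mode in {1} zone: {2}' -f $status, $zones[$z], $state
    }
}

'--- Internet zone security settings (step 1 of the post) ---'
Test-InternetZoneSettings
'--- Protected Mode per zone (step 2 of the post) ---'
Test-ProtectedMode
```

Run it in a normal (non-elevated) PowerShell session as the user whose Internet Explorer profile you want to check, since the zone settings live in that user's HKCU hive. Lines marked FIX are the options to revisit in Tools > Internet Options > Security; a "not set" entry means the option still carries the zone template default, which may or may not match the recommendation, so it is flagged rather than silently passed.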

jeffce
2011-12-24, 01:17
Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you are the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.