TechSpot

Infected with Sirefef.r & sirefef.ah

By Josh1976
Jul 25, 2012
  1. Hello,

    I was hoping to get some help as my office computer was infected by an employee. I have gotten the sirefef.r and .ah message. It did go into a looping sequence that I was able to get it out of.

    Below is a copy of the FRST log that is requested in many of the help topics for the sirefef.r/ah virus.

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 25-07-2012 14:53:01
    Running from F:\
    Windows 7 Professional (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
    HKLM\...\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe [405504 2008-02-15] (IDT, Inc.)
    HKLM\...\Run: [mmlweb] C:\Windows\system32\mmlweb.exe [49152 2007-06-28] (MURATA MACHINERY,LTD.)
    HKLM\...\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [63048 2010-09-17] (LogMeIn, Inc.)
    HKLM\...\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [1439496 2010-10-19] (Intuit Inc. All rights reserved.)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-04-03] (Adobe Systems Incorporated)
    HKU\user\...\Run: [Google Update] "C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-06-15] (Google Inc.)
    HKU\user\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [12163848 2012-06-20] (Google)
    HKU\user\...\Run: [chromium] C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe --no-startup-window [1250328 2012-07-09] (Google Inc.)
    Tcpip\Parameters: [DhcpNameServer] 71.242.0.12 71.252.0.12
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Muratec OB Document Download Manager.lnk
    ShortcutTarget: Muratec OB Document Download Manager.lnk -> C:\Program Files\Muratec\OfficeBridge\Download\DOWNUTY.exe (MURATA MACHINERY,LTD.)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Muratec OB InfoMonitor.lnk
    ShortcutTarget: Muratec OB InfoMonitor.lnk -> C:\Program Files\Muratec\OfficeBridge\Imonitor\Imonitor2.exe (MURATA MACHINERY,LTD.)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Muratec OB Scan to Print Monitor.lnk
    ShortcutTarget: Muratec OB Scan to Print Monitor.lnk -> C:\Program Files\Muratec\OfficeBridge\ScanToPM\ScanToPM.exe (MURATA MACHINERY,LTD.)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
    Startup: C:\Users\user\Start Menu\Programs\Startup\NexDef Plug-in.lnk
    ShortcutTarget: NexDef Plug-in.lnk -> (No File)

    ================================ Services (Whitelisted) ==================

    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    2 LMIGuardianSvc; "C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe" [374184 2012-07-12] (LogMeIn, Inc.)
    2 LMIMaint; "C:\Program Files\LogMeIn\x86\RaMaint.exe" [136616 2012-07-12] (LogMeIn, Inc.)
    2 LogMeIn; "C:\Program Files\LogMeIn\x86\LogMeIn.exe" [390528 2010-11-08] (LogMeIn, Inc.)
    2 LPDSVC; C:\Windows\System32\lpdsvc.dll [38400 2009-07-13] (Microsoft Corporation)
    2 simptcp; C:\Windows\System32\tcpsvcs.exe [9216 2009-07-13] (Microsoft Corporation)
    2 SNMP; C:\Windows\System32\snmp.exe [47616 2010-11-20] (Microsoft Corporation)
    2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_124a1a436c563c4c\STacSV.exe [102400 2008-02-15] (IDT, Inc.)
    3 IDriverT; "c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe" [x]
    2 QBCFMonitorService; "c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" [x]
    3 QBFCService; "c:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe" [x]

    ========================== Drivers (Whitelisted) =============

    3 androidusb; C:\Windows\System32\Drivers\ssadadb.sys [30312 2011-01-12] (Google Inc)
    2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [12856 2010-09-17] (LogMeIn, Inc.)
    3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [10144 2010-09-17] (LogMeIn, Inc.)
    2 LMIRfsDriver; \??\C:\Windows\system32\drivers\LMIRfsDriver.sys [47640 2010-09-17] (LogMeIn, Inc.)
    3 sscdbus; C:\Windows\System32\DRIVERS\sscdbus.sys [104648 2011-01-12] (MCCI Corporation)
    3 sscdmdfl; C:\Windows\System32\DRIVERS\sscdmdfl.sys [14920 2011-01-12] (MCCI Corporation)
    3 sscdmdm; C:\Windows\System32\DRIVERS\sscdmdm.sys [132424 2011-01-12] (MCCI Corporation)
    4 LMIRfsClientNP; [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-25 14:52 - 2012-07-25 14:53 - 00000000 ____D C:\FRST
    2012-07-25 09:51 - 2012-07-25 09:52 - 00892822 ____A (Farbar) C:\Users\user\Downloads\FRST.exe
    2012-07-25 09:49 - 2012-07-25 09:50 - 10288512 ____A (Microsoft Corporation) C:\Users\user\Downloads\mseinstall.exe
    2012-07-25 09:08 - 2012-07-25 09:08 - 00000000 ____D C:\Windows\System32\appmgmt
    2012-07-25 06:45 - 2012-07-25 13:00 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
    2012-07-25 06:45 - 2012-07-25 13:00 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
    2012-07-24 13:42 - 2012-07-25 08:33 - 00000000 ___HD C:\Users\user\AppData\Roaming\890E9E35
    2012-07-21 15:24 - 2012-07-25 13:00 - 00000000 ____D C:\Windows\Minidump
    2012-07-21 15:24 - 2012-07-21 15:24 - 340223470 ____A C:\Windows\MEMORY.DMP
    2012-07-21 15:24 - 2012-07-21 15:24 - 00162240 ____A C:\Windows\Minidump\072112-38750-01.dmp
    2012-07-21 15:04 - 2012-07-21 15:04 - 00311808 ____A C:\Users\user\AppData\Local\fycmy.exe
    2012-07-20 16:11 - 2012-07-25 13:00 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-17 06:35 - 2012-07-17 06:35 - 00000247 ____A C:\user.js
    2012-07-16 08:57 - 2012-07-16 08:57 - 00000000 ____D C:\Users\user\AppData\Roaming\com.pageone.Curator
    2012-07-16 08:57 - 2012-07-16 08:57 - 00000000 ____D C:\Program Files\PageOneTraffic
    2012-07-15 13:03 - 2012-07-16 13:54 - 00016981 ____A C:\Users\user\Desktop\free state payroll we 71512.xlsx
    2012-07-15 13:03 - 2012-07-15 13:03 - 00017002 ____A C:\Users\user\Desktop\free state payroll we 7112.xlsx
    2012-07-15 08:02 - 2012-07-15 08:02 - 00000000 ____D C:\Users\user\Documents\Out of the Park Developments
    2012-07-10 23:05 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-10 23:05 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-10 23:05 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-10 23:05 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-10 23:05 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-10 23:05 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-10 23:05 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-10 23:05 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-10 23:05 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-10 23:05 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-10 23:05 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-10 23:05 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-10 23:05 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-10 23:05 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-10 23:01 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-10 13:18 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-10 13:18 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-10 13:18 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-07-10 13:18 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-10 13:18 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-07-10 13:18 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-10 13:18 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-10 13:18 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
    2012-07-10 13:17 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-10 13:17 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-07-07 10:08 - 2012-07-07 10:08 - 00000000 ____D C:\Users\user\.autobahn
    2012-07-07 10:07 - 2012-07-07 10:08 - 00000000 ____D C:\Users\user\AppData\Local\Autobahn
    2012-07-05 12:48 - 2012-07-11 13:50 - 00009712 ____A C:\Users\user\Desktop\MONTHLY MANAGER SCHEDULE July and august (1).xlsx
    2012-07-04 08:49 - 2012-07-04 08:49 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_WinUsb_01009.Wdf

    ============ 3 Months Modified Files ========================

    2012-07-25 10:32 - 2011-06-15 09:57 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-25 10:04 - 2009-07-13 20:34 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-25 10:04 - 2009-07-13 20:34 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-25 09:57 - 2011-06-15 09:57 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-25 09:57 - 2011-01-07 10:42 - 01911362 ____A C:\Windows\WindowsUpdate.log
    2012-07-25 09:57 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-25 09:57 - 2009-07-13 20:39 - 00046013 ____A C:\Windows\setupact.log
    2012-07-25 09:55 - 2011-01-07 11:19 - 00039014 ____A C:\Windows\PFRO.log
    2012-07-25 09:53 - 2011-01-07 10:50 - 00730274 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-25 09:52 - 2012-07-25 09:51 - 00892822 ____A (Farbar) C:\Users\user\Downloads\FRST.exe
    2012-07-25 09:50 - 2012-07-25 09:49 - 10288512 ____A (Microsoft Corporation) C:\Users\user\Downloads\mseinstall.exe
    2012-07-25 09:09 - 2011-02-22 18:20 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-25 07:10 - 2011-11-26 17:53 - 00179512 ____A C:\Users\user\Documents\2012 schedule.xlsx
    2012-07-21 15:24 - 2012-07-21 15:24 - 340223470 ____A C:\Windows\MEMORY.DMP
    2012-07-21 15:24 - 2012-07-21 15:24 - 00162240 ____A C:\Windows\Minidump\072112-38750-01.dmp
    2012-07-21 15:24 - 2009-07-13 20:57 - 00067584 ___AS C:\Windows\bootstat(28).dat
    2012-07-21 15:04 - 2012-07-21 15:04 - 00311808 ____A C:\Users\user\AppData\Local\fycmy.exe
    2012-07-20 17:04 - 2009-07-13 20:53 - 00019590 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-20 16:57 - 2011-07-10 12:34 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-429206791-1674625279-1837712758-1001UA.job
    2012-07-20 11:57 - 2011-07-10 12:34 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-429206791-1674625279-1837712758-1001Core.job
    2012-07-17 06:35 - 2012-07-17 06:35 - 00000247 ____A C:\user.js
    2012-07-16 13:54 - 2012-07-15 13:03 - 00016981 ____A C:\Users\user\Desktop\free state payroll we 71512.xlsx
    2012-07-15 13:03 - 2012-07-15 13:03 - 00017002 ____A C:\Users\user\Desktop\free state payroll we 7112.xlsx
    2012-07-12 05:27 - 2011-01-10 14:10 - 00087456 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll
    2012-07-12 05:27 - 2011-01-10 14:10 - 00083392 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll
    2012-07-12 05:27 - 2011-01-10 14:10 - 00030624 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll
    2012-07-11 13:50 - 2012-07-05 12:48 - 00009712 ____A C:\Users\user\Desktop\MONTHLY MANAGER SCHEDULE July and august (1).xlsx
    2012-07-10 23:22 - 2009-07-13 20:33 - 00427376 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-10 23:04 - 2009-07-13 18:04 - 00000478 ____A C:\Windows\win.ini
    2012-07-10 23:01 - 2011-01-07 10:59 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-07 10:51 - 2011-06-19 10:11 - 00073959 ____A C:\Users\user\Desktop\mariapricelist - Current.xlsx
    2012-07-04 08:49 - 2012-07-04 08:49 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_WinUsb_01009.Wdf
    2012-07-03 09:54 - 2012-06-03 09:28 - 00017003 ____A C:\Users\user\Desktop\free state payroll we 61712.xlsx
    2012-06-11 18:40 - 2012-07-10 23:01 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-10 07:13 - 2012-06-10 07:12 - 00002358 ____A C:\Users\user\cvdm.err
    2012-06-08 20:41 - 2012-07-10 13:17 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-05 21:05 - 2012-07-10 13:18 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 21:05 - 2012-07-10 13:18 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 21:03 - 2012-07-10 13:17 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-06-02 14:19 - 2012-06-20 16:14 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-20 16:14 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-20 16:14 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-20 16:14 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-20 16:14 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-20 16:14 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-20 16:14 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-20 16:14 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:12 - 2012-06-20 16:14 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 01:07 - 2012-07-10 23:05 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 00:43 - 2012-07-10 23:05 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 00:33 - 2012-07-10 23:05 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 00:26 - 2012-07-10 23:05 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 00:25 - 2012-07-10 23:05 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-10 23:05 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 00:23 - 2012-07-10 23:05 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 00:21 - 2012-07-10 23:05 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 00:20 - 2012-07-10 23:05 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-10 23:05 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 00:19 - 2012-07-10 23:05 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 00:17 - 2012-07-10 23:05 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 00:16 - 2012-07-10 23:05 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 00:14 - 2012-07-10 23:05 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-01 20:45 - 2012-07-10 13:18 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-06-01 20:45 - 2012-07-10 13:18 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-01 20:40 - 2012-07-10 13:18 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-06-01 20:40 - 2012-07-10 13:18 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 20:39 - 2012-07-10 13:18 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-05-20 12:53 - 2009-07-13 18:05 - 00152576 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
    2012-04-30 20:44 - 2012-06-13 09:31 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-04-27 19:17 - 2012-06-13 09:31 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys


    ZeroAccess:
    C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}
    C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\@
    C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L
    C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\n
    C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U
    C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L\00000004.@
    C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L\1afb2d56
    C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L\201d3dde
    C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\00000004.@
    C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\00000008.@
    C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\000000cb.@
    C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\80000000.@
    C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\80000032.@

    ZeroAccess:
    C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}
    C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\@
    C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L
    C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\n
    C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U

    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 12%
    Total physical RAM: 4030.43 MB
    Available physical RAM: 3513.96 MB
    Total Pagefile: 4028.71 MB
    Available Pagefile: 3513.52 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1968.7 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:931.41 GB) (Free:881.03 GB) NTFS
    3 Drive f: () (Removable) (Total:7.45 GB) (Free:7.04 GB) FAT32
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 931 GB 0 B
    Disk 1 Online 7633 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 931 GB 101 MB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y System Rese NTFS Partition 100 MB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 931 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 7633 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F FAT32 Removable 7633 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-17 20:10

    ======================= End Of Log ==========================
     
  2. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes to your reply.
     
  3. Josh1976

    Josh1976 TS Rookie Topic Starter

    Farbar Recovery Scan Tool Version: 25-07-2012 01
    Ran by SYSTEM at 2012-07-25 15:17:02
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

    === End Of Search ===
     
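    The two FRST outputs above (the ZeroAccess folder listing in the first log and the services.exe Search.txt) show what the helper is keying on: a live system32\services.exe whose MD5 differs from the WinSxS component-store copy even though size and timestamps are identical, and a {GUID} folder with the "@", "L", "n" and "U" entries under Windows\Installer and AppData\Local. The script below is an added example (not part of the thread and not FRST's own code) that parses both outputs offline; the sample text is constructed from the lines posted in this thread, and the extra {9ea2b4d0-...} folder is a made-up benign control.

```python
"""Triage helper for FRST output: compare services.exe hashes across copies
and spot the ZeroAccess/Sirefef {GUID} directory layout.
Added example for this thread, not code from FRST or from the posters."""
import re
from collections import defaultdict

# Constructed sample: the Search.txt block posted in this thread (hashes copied).
SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

# Constructed sample: paths from the "ZeroAccess:" sections of the first FRST
# log, plus one made-up benign Windows Installer cache folder as a control.
FRST_PATHS = [
    r"C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}",
    r"C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\@",
    r"C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L",
    r"C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\n",
    r"C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U",
    r"C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\80000032.@",
    r"C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\@",
    r"C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L",
    r"C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\n",
    r"C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U",
    r"C:\Windows\Installer\{9ea2b4d0-0000-4000-8000-000000000000}\L",  # benign control
]

# FRST metadata line: [created] - [modified] - size attrs (company) MD5
META_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-F]{32})$",
    re.IGNORECASE,
)
# A {GUID} directory, optionally followed by its first child and deeper parts.
GUID_DIR = re.compile(
    r"^(?P<base>.*\\\{[0-9a-f-]{36}\})(?:\\(?P<child>[^\\]+))?(?:\\.*)?$",
    re.IGNORECASE,
)
ZA_MARKERS = {"@", "L", "n", "U"}  # entry names seen in this thread's log


def parse_search(text):
    """Return one dict per file in an FRST Search.txt (path, size, md5, ...)."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        m = META_RE.match(line)
        if m and pending:
            rec = m.groupdict()
            rec["path"] = pending
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            entries.append(rec)
            pending = None
        elif re.match(r"^[A-Za-z]:\\", line):
            pending = line
    return entries


def find_patched_copies(entries):
    """Flag live copies whose MD5 differs from the WinSxS copy of the same name.
    Size and timestamps are identical in the posted log, so only the hash
    exposes the in-place patch; this is why FRST checks hashes, not dates."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    findings = []
    for copies in by_name.values():
        ref = {c["md5"] for c in copies if "\\winsxs\\" in c["path"].lower()}
        for c in copies:
            if "\\winsxs\\" not in c["path"].lower() and ref and c["md5"] not in ref:
                findings.append((c["path"], c["md5"], sorted(ref)))
    return findings


def zeroaccess_dirs(paths):
    """Return {GUID} folders that contain all of the '@', 'L', 'n', 'U' entries."""
    children = defaultdict(set)
    for p in paths:
        m = GUID_DIR.match(p.strip())
        if m:
            children[m.group("base")].add(m.group("child") or "")
    return sorted(base for base, kids in children.items() if ZA_MARKERS <= kids)


if __name__ == "__main__":
    for path, md5, ref in find_patched_copies(parse_search(SEARCH_TXT)):
        print(f"PATCHED? {path} md5={md5} winsxs={ref}")
    for base in zeroaccess_dirs(FRST_PATHS):
        print(f"ZeroAccess layout: {base}")
```

    The hash comparison only tells you the live copy differs from the component-store copy; it does not by itself say which one is original, which is why the helper's fixlist replaces system32\services.exe from the WinSxS path rather than the other way round.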
  4. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Next...

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  5. Josh1976

    Josh1976 TS Rookie Topic Starter

    Computer seems to be back to normal.

    Below is the combofix report and fixlog report.

    ComboFix 12-07-26.03 - user 07/25/2012 16:36:14.1.3 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3518.2567 [GMT -4:00]
    Running from: c:\users\user\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\rundll32.exe
    c:\users\user\AppData\Local\Temp\_MEI31522\_ctypes.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\_elementtree.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\_hashlib.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\_socket.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\_ssl.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\pyexpat.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\pysqlite2._sqlite.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\python26.dll
    c:\users\user\AppData\Local\Temp\_MEI31522\pythoncom26.dll
    c:\users\user\AppData\Local\Temp\_MEI31522\PyWinTypes26.dll
    c:\users\user\AppData\Local\Temp\_MEI31522\select.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\unicodedata.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\win32api.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\win32com.shell.shell.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\win32crypt.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\win32event.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\win32file.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\win32inet.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\win32pdh.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\win32process.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\windows._cacheinvalidation.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\wx._controls_.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\wx._core_.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\wx._gdi_.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\wx._html2.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\wx._misc_.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\wx._windows_.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\wx._wizard.pyd
    c:\users\user\AppData\Local\Temp\_MEI31522\wxbase293u_net_vc.dll
    c:\users\user\AppData\Local\Temp\_MEI31522\wxbase293u_vc.dll
    c:\users\user\AppData\Local\Temp\_MEI31522\wxmsw293u_adv_vc.dll
    c:\users\user\AppData\Local\Temp\_MEI31522\wxmsw293u_core_vc.dll
    c:\users\user\AppData\Local\Temp\_MEI31522\wxmsw293u_html_vc.dll
    c:\users\user\AppData\Local\Temp\_MEI31522\wxmsw293u_webview_vc.dll
    c:\windows\system32\install
    c:\windows\system32\SET333F.tmp
    c:\windows\system32\SET9DDF.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-25 22:52 . 2012-07-25 22:53--------d-----w-C:\FRST
    2012-07-25 20:43 . 2012-07-25 20:44--------d-----w-c:\users\user\AppData\Local\temp
    2012-07-25 14:45 . 2012-07-25 21:00--------d-----w-c:\program files\Spybot - Search & Destroy
    2012-07-25 14:45 . 2012-07-25 21:00--------d-----w-c:\programdata\Spybot - Search & Destroy
    2012-07-21 00:11 . 2012-07-25 21:00--------d-sh--w-c:\windows\system32\%APPDATA%
    2012-07-17 14:35 . 2012-07-17 14:35247----a-w-C:\user.js
    2012-07-16 16:57 . 2012-07-16 16:57--------d-----w-c:\users\user\AppData\Roaming\com.pageone.Curator
    2012-07-16 16:57 . 2012-07-16 16:57--------d-----w-c:\program files\PageOneTraffic
    2012-07-11 07:01 . 2012-06-12 02:402345984----a-w-c:\windows\system32\win32k.sys
    2012-07-10 21:18 . 2012-06-02 04:45134000----a-w-c:\windows\system32\drivers\ksecpkg.sys
    2012-07-10 21:18 . 2012-06-02 04:40369336----a-w-c:\windows\system32\drivers\cng.sys
    2012-07-10 21:18 . 2012-06-02 04:39219136----a-w-c:\windows\system32\ncrypt.dll
    2012-07-10 21:18 . 2012-06-02 04:4567440----a-w-c:\windows\system32\drivers\ksecdd.sys
    2012-07-10 21:18 . 2012-06-02 04:40225280----a-w-c:\windows\system32\schannel.dll
    2012-07-10 21:18 . 2012-06-06 05:051390080----a-w-c:\windows\system32\msxml6.dll
    2012-07-10 21:18 . 2012-06-06 05:051236992----a-w-c:\windows\system32\msxml3.dll
    2012-07-10 21:18 . 2010-06-26 03:242048----a-w-c:\windows\system32\msxml3r.dll
    2012-07-10 21:17 . 2012-06-06 05:051019904----a-w-c:\program files\Common Files\System\ado\msado15.dll
    2012-07-10 21:17 . 2012-06-06 05:03805376----a-w-c:\windows\system32\cdosys.dll
    2012-07-10 21:17 . 2012-06-06 05:05143360----a-w-c:\program files\Common Files\System\ado\msjro.dll
    2012-07-10 21:17 . 2012-06-06 05:0557344----a-w-c:\program files\Common Files\System\ado\msador15.dll
    2012-07-10 21:17 . 2012-06-06 05:05352256----a-w-c:\program files\Common Files\System\ado\msadomd.dll
    2012-07-10 21:17 . 2012-06-06 05:05212992----a-w-c:\program files\Common Files\System\msadc\msadco.dll
    2012-07-10 21:17 . 2012-06-06 05:05372736----a-w-c:\program files\Common Files\System\ado\msadox.dll
    2012-07-07 18:08 . 2012-07-07 18:08--------d-----w-c:\users\user\.autobahn
    2012-07-07 18:07 . 2012-07-07 18:08--------d-----w-c:\users\user\AppData\Local\Autobahn
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 13:27 . 2011-01-10 22:1083392----a-w-c:\windows\system32\LMIRfsClientNP.dll
    2012-07-12 13:27 . 2011-01-10 22:1052128----a-w-c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2012-07-12 13:27 . 2011-01-10 22:1030624----a-w-c:\windows\system32\LMIport.dll
    2012-07-12 13:27 . 2011-01-10 22:1087456----a-w-c:\windows\system32\LMIinit.dll
    2012-06-02 22:19 . 2012-06-21 00:1453784----a-w-c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 00:1445080----a-w-c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 00:1435864----a-w-c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 00:14577048----a-w-c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 00:141933848----a-w-c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 00:142422272----a-w-c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 00:1488576----a-w-c:\windows\system32\wudriver.dll
    2012-06-02 19:19 . 2012-06-21 00:14171904----a-w-c:\windows\system32\wuwebv.dll
    2012-06-02 19:12 . 2012-06-21 00:1433792----a-w-c:\windows\system32\wuapp.exe
    2012-05-20 20:53 . 2009-07-14 02:05152576----a-w-c:\windows\system32\msclmd.dll
    2012-05-01 04:44 . 2012-06-13 17:31164352----a-w-c:\windows\system32\profsvc.dll
    2012-04-28 03:17 . 2012-06-13 17:31183808----a-w-c:\windows\system32\drivers\rdpwd.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
    2012-06-20 23:02556056----a-w-c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
    2012-06-20 23:02556056----a-w-c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
    2012-06-20 23:02556056----a-w-c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
    2012-06-20 23:02556056----a-w-c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2012-06-20 12163848]
    "chromium"="c:\users\user\AppData\Local\Google\Chrome\Application\chrome.exe" [2012-07-10 1250328]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-02-15 405504]
    "mmlweb"="c:\windows\system32\mmlweb.exe" [2007-06-28 49152]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    .
    c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    NexDef Plug-in.lnk - c:\users\user\AppData\Local\Autobahn\nexdef.exe [2011-8-11 15490560]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Muratec OB Document Download Manager.lnk - c:\program files\Muratec\OfficeBridge\Download\DOWNUTY.exe [2011-1-10 442368]
    Muratec OB InfoMonitor.lnk - c:\program files\Muratec\OfficeBridge\Imonitor\Imonitor2.exe [2011-1-10 385024]
    Muratec OB Scan to Print Monitor.lnk - c:\program files\Muratec\OfficeBridge\ScanToPM\ScanToPM.exe [2011-1-10 107008]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-2-4 1155432]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security PackagesREG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviderscredssp.dll, schannel.dll
    .
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
    R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
    R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LPDServiceREG_MULTI_SZ LPDSVC
    HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-15 17:57]
    .
    2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-15 17:57]
    .
    2012-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-429206791-1674625279-1837712758-1001Core.job
    - c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-10 17:57]
    .
    2012-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-429206791-1674625279-1837712758-1001UA.job
    - c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-10 17:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://startsear.ch/?aff=1
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 71.242.0.12 71.252.0.12
    DPF: {B7039D87-D648-4431-BA87-C3A04E6111DA} - hxxps://69.73.131.159:4643/vz/ssh/wodTelnetDLX.cab
    DPF: {FD7910DE-821C-4C63-BAF1-E645B16DB155} - hxxp://192.168.8.31/HD300ACTL.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe
    AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe
    AddRemove-16_Shrewsbury - c:\program files\SAMSUNG\USB Drivers\16_Shrewsbury\Uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.1.7601 Disk: Hitachi_ rev.JP4O -> Harddisk0\DR0 ->
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x8747A4B1]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8748193c]; MOV EAX, [0x87481ab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x82C3955A] -> \Device\Harddisk0\DR0[0x86AC1310]
    3 CLASSPNP[0x837AF59E] -> ntkrnlpa!IofCallDriver[0x82C3955A] -> [0x85A59130]
    5 ACPI[0x834203D4] -> ntkrnlpa!IofCallDriver[0x82C3955A] -> \0000005d[0x85A59570]
    \Driver\nvstor32[0x87404F38] -> IRP_MJ_CREATE -> 0x8747A4B1
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
    detected disk devices:
    \Device\0000005d -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDS721010CLA#4&183ce646&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\nvvsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\LogMeIn\x86\RaMaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\windows\System32\tcpsvcs.exe
    c:\windows\System32\snmp.exe
    c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_124a1a436c563c4c\STacSV.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\vssvc.exe
    c:\windows\system32\sppsvc.exe
    c:\windows\system32\wbem\WmiApSrv.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-25 16:49:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-25 20:49
    .
    Pre-Run: 945,532,710,912 bytes free
    Post-Run: 947,051,331,584 bytes free
    .
    - - End Of File - - 667B145BE0991FCB4104A1CAFC7FC3EA
    FIXLOG:
    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 2012-07-25 16:25:29 Run:1
    Running from F:\
    ==============================================
    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    C:\Users\user\AppData\Roaming\890E9E35 moved successfully.
    C:\Users\user\AppData\Local\fycmy.exe moved successfully.
    C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01} moved successfully.
    C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01} moved successfully.
    C:\Windows\assembly\GAC\Desktop.ini moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe
    ==== End of Fixlog ====
     
  6. Josh1976

    Josh1976 TS Rookie Topic Starter

    Google still redirects to sites other than what I am clicking on.
     
  7. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  8. Josh1976

    Josh1976 TS Rookie Topic Starter

    Again... looking like it's fixed... Thank you.

    17:48:03.0449 0832TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
    17:48:03.0759 0832============================================================
    17:48:03.0759 0832Current date / time: 2012/07/25 17:48:03.0759
    17:48:03.0759 0832SystemInfo:
    17:48:03.0759 0832
    17:48:03.0759 0832OS Version: 6.1.7601 ServicePack: 1.0
    17:48:03.0759 0832Product type: Workstation
    17:48:03.0759 0832ComputerName: FSDL-PC1
    17:48:03.0759 0832UserName: user
    17:48:03.0759 0832Windows directory: C:\Windows
    17:48:03.0759 0832System windows directory: C:\Windows
    17:48:03.0759 0832Processor architecture: Intel x86
    17:48:03.0759 0832Number of processors: 3
    17:48:03.0759 0832Page size: 0x1000
    17:48:03.0759 0832Boot type: Normal boot
    17:48:03.0759 0832============================================================
    17:48:04.0749 0832Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1F8B1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
    17:48:04.0859 0832Drive \Device\Harddisk1\DR1 - Size: 0x1DD180000 (7.45 Gb), SectorSize: 0x200, Cylinders: 0x3CD, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
    17:48:04.0859 0832============================================================
    17:48:04.0859 0832\Device\Harddisk0\DR0:
    17:48:04.0859 0832MBR partitions:
    17:48:04.0859 0832\Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
    17:48:04.0859 0832\Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x746D3800
    17:48:04.0859 0832\Device\Harddisk1\DR1:
    17:48:04.0859 0832MBR partitions:
    17:48:04.0859 0832\Device\Harddisk1\DR1\Partition0: MBR, Type 0xB, StartLBA 0x20, BlocksNum 0xEE8BE0
    17:48:04.0859 0832============================================================
    17:48:04.0869 0832C: <-> \Device\Harddisk0\DR0\Partition1
    17:48:04.0869 0832============================================================
    17:48:04.0869 0832Initialize success
    17:48:04.0869 0832============================================================
    17:48:12.0169 5628============================================================
    17:48:12.0169 5628Scan started
    17:48:12.0169 5628Mode: Manual;
    17:48:12.0169 5628============================================================
    17:48:12.0609 56281394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
    17:48:12.0609 56281394ohci - ok
    17:48:12.0669 5628ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
    17:48:12.0679 5628ACPI - ok
    17:48:12.0739 5628AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
    17:48:12.0739 5628AcpiPmi - ok
    17:48:12.0829 5628AdobeARMservice (62b7936f9036dd6ed36e6a7efa805dc0) C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    17:48:12.0829 5628AdobeARMservice - ok
    17:48:12.0889 5628adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
    17:48:12.0889 5628adp94xx - ok
    17:48:12.0929 5628adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
    17:48:12.0929 5628adpahci - ok
    17:48:12.0959 5628adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
    17:48:12.0969 5628adpu320 - ok
    17:48:12.0989 5628AeLookupSvc (8b5eefeec1e6d1a72a06c526628ad161) C:\Windows\System32\aelupsvc.dll
    17:48:12.0989 5628AeLookupSvc - ok
    17:48:13.0049 5628AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\Windows\system32\drivers\afd.sys
    17:48:13.0059 5628AFD - ok
    17:48:13.0089 5628agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
    17:48:13.0089 5628agp440 - ok
    17:48:13.0159 5628aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
    17:48:13.0159 5628aic78xx - ok
    17:48:13.0209 5628ALG (18a54e132947cd98fea9accc57f98f13) C:\Windows\System32\alg.exe
    17:48:13.0209 5628ALG - ok
    17:48:13.0239 5628aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
    17:48:13.0239 5628aliide - ok
    17:48:13.0259 5628amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
    17:48:13.0259 5628amdagp - ok
    17:48:13.0279 5628amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
    17:48:13.0279 5628amdide - ok
    17:48:13.0289 5628AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
    17:48:13.0289 5628AmdK8 - ok
    17:48:13.0309 5628AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
    17:48:13.0309 5628AmdPPM - ok
    17:48:13.0339 5628amdsata (d320bf87125326f996d4904fe24300fc) C:\Windows\system32\drivers\amdsata.sys
    17:48:13.0339 5628amdsata - ok
    17:48:13.0379 5628amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
    17:48:13.0389 5628amdsbs - ok
    17:48:13.0409 5628amdxata (46387fb17b086d16dea267d5be23a2f2) C:\Windows\system32\drivers\amdxata.sys
    17:48:13.0409 5628amdxata - ok
    17:48:13.0439 5628androidusb (dd8d9c597af7cd2f6b70a3d6a4a1acea) C:\Windows\system32\Drivers\ssadadb.sys
    17:48:13.0439 5628androidusb - ok
    17:48:13.0479 5628AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
    17:48:13.0479 5628AppID - ok
    17:48:13.0509 5628AppIDSvc (62a9c86cb6085e20db4823e4e97826f5) C:\Windows\System32\appidsvc.dll
    17:48:13.0519 5628AppIDSvc - ok
    17:48:13.0539 5628Appinfo (fb1959012294d6ad43e5304df65e3c26) C:\Windows\System32\appinfo.dll
    17:48:13.0549 5628Appinfo - ok
    17:48:13.0629 5628Apple Mobile Device (018857ead9a077a56aedfc0e5ef7a24a) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    17:48:13.0639 5628Apple Mobile Device - ok
    17:48:13.0659 5628AppMgmt (a45d184df6a8803da13a0b329517a64a) C:\Windows\System32\appmgmts.dll
    17:48:13.0669 5628AppMgmt - ok
    17:48:13.0699 5628arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
    17:48:13.0699 5628arc - ok
    17:48:13.0719 5628arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
    17:48:13.0719 5628arcsas - ok
    17:48:13.0749 5628AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
    17:48:13.0749 5628AsyncMac - ok
    17:48:13.0779 5628atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
    17:48:13.0779 5628atapi - ok
    17:48:13.0869 5628AudioEndpointBuilder (ce3b4e731638d2ef62fcb419be0d39f0) C:\Windows\System32\Audiosrv.dll
    17:48:13.0869 5628AudioEndpointBuilder - ok
    17:48:13.0889 5628Audiosrv (ce3b4e731638d2ef62fcb419be0d39f0) C:\Windows\System32\Audiosrv.dll
    17:48:13.0889 5628Audiosrv - ok
    17:48:13.0929 5628AxInstSV (6e30d02aac9cac84f421622e3a2f6178) C:\Windows\System32\AxInstSV.dll
    17:48:13.0929 5628AxInstSV - ok
    17:48:13.0989 5628b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
    17:48:13.0989 5628b06bdrv - ok
    17:48:14.0049 5628b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
    17:48:14.0049 5628b57nd60x - ok
    17:48:14.0079 5628BDESVC (ee1e9c3bb8228ae423dd38db69128e71) C:\Windows\System32\bdesvc.dll
    17:48:14.0089 5628BDESVC - ok
    17:48:14.0099 5628Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
    17:48:14.0099 5628Beep - ok
    17:48:14.0179 5628BFE (1e2bac209d184bb851e1a187d8a29136) C:\Windows\System32\bfe.dll
    17:48:14.0189 5628BFE - ok
    17:48:14.0219 5628blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
    17:48:14.0229 5628blbdrive - ok
    17:48:14.0289 5628Bonjour Service (f832f1505ad8b83474bd9a5b1b985e01) C:\Program Files\Bonjour\mDNSResponder.exe
    17:48:14.0299 5628Bonjour Service - ok
    17:48:14.0329 5628bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
    17:48:14.0329 5628bowser - ok
    17:48:14.0349 5628BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
    17:48:14.0349 5628BrFiltLo - ok
    17:48:14.0359 5628BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
    17:48:14.0359 5628BrFiltUp - ok
    17:48:14.0389 5628BridgeMP (77361d72a04f18809d0efb6cceb74d4b) C:\Windows\system32\DRIVERS\bridge.sys
    17:48:14.0389 5628BridgeMP - ok
    17:48:14.0419 5628Browser (6e11f33d14d020f58d5e02e4d67dfa19) C:\Windows\System32\browser.dll
    17:48:14.0429 5628Browser - ok
    17:48:14.0449 5628Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
    17:48:14.0449 5628Brserid - ok
    17:48:14.0469 5628BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
    17:48:14.0469 5628BrSerWdm - ok
    17:48:14.0479 5628BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
    17:48:14.0479 5628BrUsbMdm - ok
    17:48:14.0489 5628BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
    17:48:14.0489 5628BrUsbSer - ok
    17:48:14.0499 5628BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
    17:48:14.0509 5628BTHMODEM - ok
    17:48:14.0549 5628bthserv (1df19c96eef6c29d1c3e1a8678e07190) C:\Windows\system32\bthserv.dll
    17:48:14.0549 5628bthserv - ok
    17:48:14.0629 5628catchme - ok
    17:48:14.0659 5628cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
    17:48:14.0659 5628cdfs - ok
    17:48:14.0699 5628cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\drivers\cdrom.sys
    17:48:14.0709 5628cdrom - ok
    17:48:14.0729 5628CertPropSvc (319c6b309773d063541d01df8ac6f55f) C:\Windows\System32\certprop.dll
    17:48:14.0739 5628CertPropSvc - ok
    17:48:14.0749 5628circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
    17:48:14.0749 5628circlass - ok
    17:48:14.0789 5628CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
    17:48:14.0789 5628CLFS - ok
    17:48:14.0849 5628clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    17:48:14.0859 5628clr_optimization_v2.0.50727_32 - ok
    17:48:14.0909 5628clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    17:48:14.0919 5628clr_optimization_v4.0.30319_32 - ok
    17:48:14.0929 5628CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
    17:48:14.0929 5628CmBatt - ok
    17:48:14.0949 5628cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
    17:48:14.0949 5628cmdide - ok
    17:48:14.0999 5628CNG (247b4ce2dab1160cd422d532d5241e1f) C:\Windows\system32\Drivers\cng.sys
    17:48:14.0999 5628CNG - ok
    17:48:15.0019 5628Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
    17:48:15.0029 5628Compbatt - ok
    17:48:15.0079 5628CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
    17:48:15.0079 5628CompositeBus - ok
    17:48:15.0089 5628COMSysApp - ok
    17:48:15.0109 5628crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
    17:48:15.0109 5628crcdisk - ok
    17:48:15.0159 5628CryptSvc (06e771aa596b8761107ab57e99f128d7) C:\Windows\system32\cryptsvc.dll
    17:48:15.0169 5628CryptSvc - ok
    17:48:15.0219 5628CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys
    17:48:15.0229 5628CSC - ok
    17:48:15.0299 5628CscService (15f93b37f6801943360d9eb42485d5d3) C:\Windows\System32\cscsvc.dll
    17:48:15.0309 5628CscService - ok
    17:48:15.0339 5628DcomLaunch (7660f01d3b38aca1747e397d21d790af) C:\Windows\system32\rpcss.dll
    17:48:15.0349 5628DcomLaunch - ok
    17:48:15.0389 5628defragsvc (8d6e10a2d9a5eed59562d9b82cf804e1) C:\Windows\System32\defragsvc.dll
    17:48:15.0389 5628defragsvc - ok
    17:48:15.0449 5628DfsC (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys
    17:48:15.0459 5628DfsC - ok
    17:48:15.0499 5628Dhcp (e9e01eb683c132f7fa27cd607b8a2b63) C:\Windows\system32\dhcpcore.dll
    17:48:15.0509 5628Dhcp - ok
    17:48:15.0529 5628discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
    17:48:15.0529 5628discache - ok
    17:48:15.0569 5628Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
    17:48:15.0569 5628Disk - ok
    17:48:15.0599 5628Dnscache (33ef4861f19a0736b11314aad9ae28d0) C:\Windows\System32\dnsrslvr.dll
    17:48:15.0609 5628Dnscache - ok
    17:48:15.0649 5628dot3svc (366ba8fb4b7bb7435e3b9eacb3843f67) C:\Windows\System32\dot3svc.dll
    17:48:15.0649 5628dot3svc - ok
    17:48:15.0679 5628DPS (8ec04ca86f1d68da9e11952eb85973d6) C:\Windows\system32\dps.dll
    17:48:15.0689 5628DPS - ok
    17:48:15.0719 5628drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
    17:48:15.0719 5628drmkaud - ok
    17:48:15.0779 5628DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
    17:48:15.0799 5628DXGKrnl - ok
    17:48:15.0819 5628EapHost (8600142fa91c1b96367d3300ad0f3f3a) C:\Windows\System32\eapsvc.dll
    17:48:15.0819 5628EapHost - ok
    17:48:16.0069 5628ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
    17:48:16.0119 5628ebdrv - ok
    17:48:16.0229 5628EFS (81951f51e318aecc2d68559e47485cc4) C:\Windows\System32\lsass.exe
    17:48:16.0239 5628EFS - ok
    17:48:16.0309 5628ehRecvr (a8c362018efc87beb013ee28f29c0863) C:\Windows\ehome\ehRecvr.exe
    17:48:16.0379 5628ehRecvr - ok
    17:48:16.0399 5628ehSched (d389bff34f80caede417bf9d1507996a) C:\Windows\ehome\ehsched.exe
    17:48:16.0449 5628ehSched - ok
    17:48:16.0519 5628elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
    17:48:16.0529 5628elxstor - ok
    17:48:16.0559 5628ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
    17:48:16.0569 5628ErrDev - ok
    17:48:16.0609 5628EventSystem (f6916efc29d9953d5d0df06882ae8e16) C:\Windows\system32\es.dll
    17:48:16.0619 5628EventSystem - ok
    17:48:16.0649 5628exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
    17:48:16.0649 5628exfat - ok
    17:48:16.0659 5628fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
    17:48:16.0669 5628fastfat - ok
    17:48:16.0729 5628Fax (967ea5b213e9984cbe270205df37755b) C:\Windows\system32\fxssvc.exe
    17:48:16.0739 5628Fax - ok
    17:48:16.0759 5628fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
    17:48:16.0759 5628fdc - ok
    17:48:16.0779 5628fdPHost (f3222c893bd2f5821a0179e5c71e88fb) C:\Windows\system32\fdPHost.dll
    17:48:16.0779 5628fdPHost - ok
    17:48:16.0799 5628FDResPub (7dbe8cbfe79efbdeb98c9fb08d3a9a5b) C:\Windows\system32\fdrespub.dll
    17:48:16.0809 5628FDResPub - ok
    17:48:16.0819 5628FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
    17:48:16.0819 5628FileInfo - ok
    17:48:16.0839 5628Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
    17:48:16.0839 5628Filetrace - ok
    17:48:16.0859 5628flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
    17:48:16.0859 5628flpydisk - ok
    17:48:16.0889 5628FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
    17:48:16.0899 5628FltMgr - ok
    17:48:16.0969 5628FontCache (b3a5ec6b6b6673db7e87c2bcdbddc074) C:\Windows\system32\FntCache.dll
    17:48:16.0979 5628FontCache - ok
    17:48:17.0049 5628FontCache3.0.0.0 (e56f39f6b7fda0ac77a79b0fd3de1a2f) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    17:48:17.0049 5628FontCache3.0.0.0 - ok
    17:48:17.0059 5628FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
    17:48:17.0059 5628FsDepends - ok
    17:48:17.0079 5628Fs_Rec (7dae5ebcc80e45d3253f4923dc424d05) C:\Windows\system32\drivers\Fs_Rec.sys
    17:48:17.0079 5628Fs_Rec - ok
    17:48:17.0129 5628fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
    17:48:17.0139 5628fvevol - ok
    17:48:17.0169 5628gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
    17:48:17.0179 5628gagp30kx - ok
    17:48:17.0279 5628gpsvc (e897eaf5ed6ba41e081060c9b447a673) C:\Windows\System32\gpsvc.dll
    17:48:17.0289 5628gpsvc - ok
    17:48:17.0359 5628gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
    17:48:17.0369 5628gupdate - ok
    17:48:17.0369 5628gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
    17:48:17.0379 5628gupdatem - ok
    17:48:17.0389 5628hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
    17:48:17.0389 5628hcw85cir - ok
    17:48:17.0449 5628HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
    17:48:17.0449 5628HdAudAddService - ok
    17:48:17.0479 5628HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
    17:48:17.0479 5628HDAudBus - ok
    17:48:17.0489 5628HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
    17:48:17.0489 5628HidBatt - ok
    17:48:17.0519 5628HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
    17:48:17.0519 5628HidBth - ok
    17:48:17.0549 5628HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
    17:48:17.0549 5628HidIr - ok
    17:48:17.0569 5628hidserv (2bc6f6a1992b3a77f5f41432ca6b3b6b) C:\Windows\System32\hidserv.dll
    17:48:17.0579 5628hidserv - ok
    17:48:17.0599 5628HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\drivers\hidusb.sys
    17:48:17.0599 5628HidUsb - ok
    17:48:17.0629 5628hkmsvc (196b4e3f4cccc24af836ce58facbb699) C:\Windows\system32\kmsvc.dll
    17:48:17.0639 5628hkmsvc - ok
    17:48:17.0659 5628HomeGroupListener (6658f4404de03d75fe3ba09f7aba6a30) C:\Windows\system32\ListSvc.dll
    17:48:17.0669 5628HomeGroupListener - ok
    17:48:17.0699 5628HomeGroupProvider (dbc02d918fff1cad628acbe0c0eaa8e8) C:\Windows\system32\provsvc.dll
    17:48:17.0699 5628HomeGroupProvider - ok
    17:48:17.0739 5628HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
    17:48:17.0739 5628HpSAMD - ok
    17:48:17.0799 5628HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
    17:48:17.0809 5628HTTP - ok
    17:48:17.0839 5628hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
    17:48:17.0839 5628hwpolicy - ok
    17:48:17.0869 5628i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
    17:48:17.0869 5628i8042prt - ok
    17:48:17.0909 5628iaStorV (5cd5f9a5444e6cdcb0ac89bd62d8b76e) C:\Windows\system32\drivers\iaStorV.sys
    17:48:17.0909 5628iaStorV - ok
    17:48:17.0969 5628IDriverT (6f95324909b502e2651442c1548ab12f) c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    17:48:18.0029 5628IDriverT - ok
    17:48:18.0139 5628idsvc (c521d7eb6497bb1af6afa89e322fb43c) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    17:48:18.0169 5628idsvc - ok
    17:48:18.0249 5628iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
    17:48:18.0259 5628iirsp - ok
    17:48:18.0329 5628IKEEXT (f95622f161474511b8d80d6b093aa610) C:\Windows\System32\ikeext.dll
    17:48:18.0339 5628IKEEXT - ok
    17:48:18.0369 5628intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
    17:48:18.0369 5628intelide - ok
    17:48:18.0389 5628intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
    17:48:18.0389 5628intelppm - ok
    17:48:18.0409 5628IPBusEnum (acb364b9075a45c0736e5c47be5cae19) C:\Windows\system32\ipbusenum.dll
    17:48:18.0409 5628IPBusEnum - ok
    17:48:18.0419 5628IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
    17:48:18.0419 5628IpFilterDriver - ok
    17:48:18.0479 5628iphlpsvc (4d65a07b795d6674312f879d09aa7663) C:\Windows\System32\iphlpsvc.dll
    17:48:18.0489 5628iphlpsvc - ok
    17:48:18.0499 5628IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
    17:48:18.0509 5628IPMIDRV - ok
    17:48:18.0539 5628IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
    17:48:18.0539 5628IPNAT - ok
    17:48:18.0569 5628IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
    17:48:18.0569 5628IRENUM - ok
    17:48:18.0599 5628isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
    17:48:18.0599 5628isapnp - ok
    17:48:18.0629 5628iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
    17:48:18.0629 5628iScsiPrt - ok
    17:48:18.0659 5628kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\drivers\kbdclass.sys
    17:48:18.0669 5628kbdclass - ok
    17:48:18.0699 5628kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\drivers\kbdhid.sys
    17:48:18.0699 5628kbdhid - ok
    17:48:18.0719 5628KeyIso (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
    17:48:18.0729 5628KeyIso - ok
    17:48:18.0749 5628KSecDD (b7895b4182c0d16f6efadeb8081e8d36) C:\Windows\system32\Drivers\ksecdd.sys
    17:48:18.0749 5628KSecDD - ok
    17:48:18.0769 5628KSecPkg (d30159ac9237519fbc62c6ec247d2d46) C:\Windows\system32\Drivers\ksecpkg.sys
    17:48:18.0769 5628KSecPkg - ok
    17:48:18.0819 5628KtmRm (89a7b9cc98d0d80c6f31b91c0a310fcd) C:\Windows\system32\msdtckrm.dll
    17:48:18.0829 5628KtmRm - ok
    17:48:18.0879 5628LanmanServer (d64af876d53eca3668bb97b51b4e70ab) C:\Windows\System32\srvsvc.dll
    17:48:18.0879 5628LanmanServer - ok
    17:48:18.0919 5628LanmanWorkstation (58405e4f68ba8e4057c6e914f326aba2) C:\Windows\System32\wkssvc.dll
    17:48:18.0919 5628LanmanWorkstation - ok
    17:48:18.0959 5628lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
    17:48:18.0959 5628lltdio - ok
    17:48:18.0989 5628lltdsvc (5700673e13a2117fa3b9020c852c01e2) C:\Windows\System32\lltdsvc.dll
    17:48:18.0999 5628lltdsvc - ok
    17:48:19.0009 5628lmhosts (55ca01ba19d0006c8f2639b6c045e08b) C:\Windows\System32\lmhsvc.dll
    17:48:19.0009 5628lmhosts - ok
    17:48:19.0159 5628LMIGuardianSvc (63daf163d1617dd611bd0ab8e41a43e8) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
  9. Josh1976

    17:48:19.0169 5628LMIGuardianSvc - ok
    17:48:19.0219 5628LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
    17:48:19.0219 5628LMIInfo - ok
    17:48:19.0239 5628LMIMaint (175f50f37eeaa1d4d744bcccbb7cf68c) C:\Program Files\LogMeIn\x86\RaMaint.exe
    17:48:19.0249 5628LMIMaint - ok
    17:48:19.0269 5628lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\Windows\system32\DRIVERS\lmimirr.sys
    17:48:19.0269 5628lmimirr - ok
    17:48:19.0289 5628LMIRfsClientNP - ok
    17:48:19.0309 5628LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\Windows\system32\drivers\LMIRfsDriver.sys
    17:48:19.0309 5628LMIRfsDriver - ok
    17:48:19.0349 5628LogMeIn (432618fa75b61059d2c57d6a7e55147a) C:\Program Files\LogMeIn\x86\LogMeIn.exe
    17:48:19.0359 5628LogMeIn - ok
    17:48:19.0379 5628LPDSVC (9a84f41e421287a712c90e5384400e4f) C:\Windows\system32\lpdsvc.dll
    17:48:19.0389 5628LPDSVC - ok
    17:48:19.0429 5628LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
    17:48:19.0429 5628LSI_FC - ok
    17:48:19.0439 5628LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
    17:48:19.0449 5628LSI_SAS - ok
    17:48:19.0459 5628LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
    17:48:19.0459 5628LSI_SAS2 - ok
    17:48:19.0469 5628LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
    17:48:19.0469 5628LSI_SCSI - ok
    17:48:19.0489 5628luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
    17:48:19.0489 5628luafv - ok
    17:48:19.0519 5628Mcx2Svc (bfb9ee8ee977efe85d1a3105abef6dd1) C:\Windows\system32\Mcx2Svc.dll
    17:48:19.0519 5628Mcx2Svc - ok
    17:48:19.0539 5628megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
    17:48:19.0539 5628megasas - ok
    17:48:19.0559 5628MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
    17:48:19.0569 5628MegaSR - ok
    17:48:19.0589 5628MMCSS (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
    17:48:19.0599 5628MMCSS - ok
    17:48:19.0619 5628Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
    17:48:19.0619 5628Modem - ok
    17:48:19.0659 5628monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
    17:48:19.0659 5628monitor - ok
    17:48:19.0699 5628mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\drivers\mouclass.sys
    17:48:19.0699 5628mouclass - ok
    17:48:19.0729 5628mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
    17:48:19.0729 5628mouhid - ok
    17:48:19.0759 5628mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
    17:48:19.0759 5628mountmgr - ok
    17:48:19.0819 5628MpFilter (d993bea500e7382dc4e760bf4f35efcb) C:\Windows\system32\DRIVERS\MpFilter.sys
    17:48:19.0819 5628MpFilter - ok
    17:48:19.0849 5628mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
    17:48:19.0859 5628mpio - ok
    17:48:19.0979 5628MpKsl9ae81431 (a69630d039c38018689190234f866d77) c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EFC24D0C-6776-4DD6-A1C8-8F00EC98488F}\MpKsl9ae81431.sys
    17:48:19.0979 5628MpKsl9ae81431 - ok
    17:48:20.0009 5628mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
    17:48:20.0009 5628mpsdrv - ok
    17:48:20.0079 5628MpsSvc (9835584e999d25004e1ee8e5f3e3b881) C:\Windows\system32\mpssvc.dll
    17:48:20.0079 5628MpsSvc - ok
    17:48:20.0119 5628MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
    17:48:20.0119 5628MRxDAV - ok
    17:48:20.0159 5628mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys
    17:48:20.0159 5628mrxsmb - ok
    17:48:20.0199 5628mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\Windows\system32\DRIVERS\mrxsmb10.sys
    17:48:20.0199 5628mrxsmb10 - ok
    17:48:20.0219 5628mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
    17:48:20.0219 5628mrxsmb20 - ok
    17:48:20.0239 5628msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
    17:48:20.0239 5628msahci - ok
    17:48:20.0269 5628msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
    17:48:20.0279 5628msdsm - ok
    17:48:20.0309 5628MSDTC (e1bce74a3bd9902b72599c0192a07e27) C:\Windows\System32\msdtc.exe
    17:48:20.0309 5628MSDTC - ok
    17:48:20.0339 5628Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
    17:48:20.0339 5628Msfs - ok
    17:48:20.0349 5628mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
    17:48:20.0349 5628mshidkmdf - ok
    17:48:20.0369 5628msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
    17:48:20.0369 5628msisadrv - ok
    17:48:20.0409 5628MSiSCSI (90f7d9e6b6f27e1a707d4a297f077828) C:\Windows\system32\iscsiexe.dll
    17:48:20.0409 5628MSiSCSI - ok
    17:48:20.0419 5628msiserver - ok
    17:48:20.0449 5628MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
    17:48:20.0449 5628MSKSSRV - ok
    17:48:20.0539 5628MsMpSvc (24516bf4e12a46cb67302e2cdcb8cddf) c:\Program Files\Microsoft Security Client\MsMpEng.exe
    17:48:20.0539 5628MsMpSvc - ok
    17:48:20.0559 5628MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
    17:48:20.0559 5628MSPCLOCK - ok
    17:48:20.0569 5628MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
    17:48:20.0579 5628MSPQM - ok
    17:48:20.0599 5628MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
    17:48:20.0599 5628MsRPC - ok
    17:48:20.0629 5628mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
    17:48:20.0629 5628mssmbios - ok
    17:48:20.0639 5628MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
    17:48:20.0639 5628MSTEE - ok
    17:48:20.0649 5628MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
    17:48:20.0649 5628MTConfig - ok
    17:48:20.0659 5628Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
    17:48:20.0659 5628Mup - ok
    17:48:20.0699 5628napagent (61d57a5d7c6d9afe10e77dae6e1b445e) C:\Windows\system32\qagentRT.dll
    17:48:20.0709 5628napagent - ok
    17:48:20.0759 5628NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
    17:48:20.0759 5628NativeWifiP - ok
    17:48:20.0829 5628NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
    17:48:20.0839 5628NDIS - ok
    17:48:20.0869 5628NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
    17:48:20.0869 5628NdisCap - ok
    17:48:20.0889 5628NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
    17:48:20.0889 5628NdisTapi - ok
    17:48:20.0909 5628Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
    17:48:20.0919 5628Ndisuio - ok
    17:48:20.0939 5628NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
    17:48:20.0949 5628NdisWan - ok
    17:48:20.0979 5628NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
    17:48:20.0979 5628NDProxy - ok
    17:48:21.0009 5628Net Driver HPZ12 (a081cb6fb9a12668f233eb5414be3a0e) C:\Windows\system32\HPZinw12.dll
    17:48:21.0019 5628Net Driver HPZ12 - ok
    17:48:21.0049 5628NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
    17:48:21.0049 5628NetBIOS - ok
    17:48:21.0079 5628NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
    17:48:21.0079 5628NetBT - ok
    17:48:21.0099 5628Netlogon (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
    17:48:21.0099 5628Netlogon - ok
    17:48:21.0149 5628Netman (7cccfca7510684768da22092d1fa4db2) C:\Windows\System32\netman.dll
    17:48:21.0149 5628Netman - ok
    17:48:21.0189 5628netprofm (8c338238c16777a802d6a9211eb2ba50) C:\Windows\System32\netprofm.dll
    17:48:21.0189 5628netprofm - ok
    17:48:21.0259 5628NetTcpPortSharing (f476ec40033cdb91efbe73eb99b8362d) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
    17:48:21.0259 5628NetTcpPortSharing - ok
    17:48:21.0309 5628nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
    17:48:21.0309 5628nfrd960 - ok
    17:48:21.0359 5628NisDrv (b52f26bade7d7e4a79706e3fd91834cd) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
    17:48:21.0369 5628NisDrv - ok
    17:48:21.0459 5628NisSrv (290c0d4c4889398797f8df3be00b9698) c:\Program Files\Microsoft Security Client\NisSrv.exe
    17:48:21.0459 5628NisSrv - ok
    17:48:21.0509 5628NlaSvc (912084381d30d8b89ec4e293053f4710) C:\Windows\System32\nlasvc.dll
    17:48:21.0509 5628NlaSvc - ok
    17:48:21.0529 5628Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
    17:48:21.0529 5628Npfs - ok
    17:48:21.0549 5628nsi (ba387e955e890c8a88306d9b8d06bf17) C:\Windows\system32\nsisvc.dll
    17:48:21.0549 5628nsi - ok
    17:48:21.0569 5628nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
    17:48:21.0569 5628nsiproxy - ok
    17:48:21.0669 5628Ntfs (81189c3d7763838e55c397759d49007a) C:\Windows\system32\drivers\Ntfs.sys
    17:48:21.0689 5628Ntfs - ok
    17:48:21.0719 5628Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
    17:48:21.0719 5628Null - ok
    17:48:22.0389 5628nvlddmkm (377140a534d013bd661c69f1741de43c) C:\Windows\system32\DRIVERS\nvlddmkm.sys
    17:48:22.0519 5628nvlddmkm - ok
    17:48:22.0649 5628nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\Windows\system32\drivers\nvraid.sys
    17:48:22.0649 5628nvraid - ok
    17:48:22.0669 5628nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\Windows\system32\drivers\nvstor.sys
    17:48:22.0679 5628nvstor - ok
    17:48:22.0699 5628nvstor32 (dc5f166422beebf195e3e4bb8ab4ee22) C:\Windows\system32\DRIVERS\nvstor32.sys
    17:48:22.0709 5628nvstor32 - ok
    17:48:22.0739 5628nvsvc (4ed813efd77a9b7e57e341cdc1c5cbc4) C:\Windows\system32\nvvsvc.exe
    17:48:22.0749 5628nvsvc - ok
    17:48:22.0769 5628nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
    17:48:22.0769 5628nv_agp - ok
    17:48:22.0859 5628odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
    17:48:22.0869 5628odserv - ok
    17:48:22.0889 5628ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
    17:48:22.0889 5628ohci1394 - ok
    17:48:22.0929 5628ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    17:48:22.0929 5628ose - ok
    17:48:22.0969 5628p2pimsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
    17:48:22.0979 5628p2pimsvc - ok
    17:48:23.0019 5628p2psvc (59c3ddd501e39e006dac31bf55150d91) C:\Windows\system32\p2psvc.dll
    17:48:23.0029 5628p2psvc - ok
    17:48:23.0059 5628Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
    17:48:23.0059 5628Parport - ok
    17:48:23.0079 5628partmgr (3f34a1b4c5f6475f320c275e63afce9b) C:\Windows\system32\drivers\partmgr.sys
    17:48:23.0079 5628partmgr - ok
    17:48:23.0089 5628Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
    17:48:23.0099 5628Parvdm - ok
    17:48:23.0119 5628PcaSvc (358ab7956d3160000726574083dfc8a6) C:\Windows\System32\pcasvc.dll
    17:48:23.0129 5628PcaSvc - ok
    17:48:23.0169 5628pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
    17:48:23.0179 5628pci - ok
    17:48:23.0189 5628pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
    17:48:23.0199 5628pciide - ok
    17:48:23.0249 5628pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
    17:48:23.0249 5628pcmcia - ok
    17:48:23.0269 5628pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
    17:48:23.0269 5628pcw - ok
    17:48:23.0339 5628PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
    17:48:23.0339 5628PEAUTH - ok
    17:48:23.0429 5628PeerDistSvc (af4d64d2a57b9772cf3801950b8058a6) C:\Windows\system32\peerdistsvc.dll
    17:48:23.0439 5628PeerDistSvc - ok
    17:48:23.0569 5628pla (414bba67a3ded1d28437eb66aeb8a720) C:\Windows\system32\pla.dll
    17:48:23.0589 5628pla - ok
    17:48:23.0699 5628PlugPlay (ec7bc28d207da09e79b3e9faf8b232ca) C:\Windows\system32\umpnpmgr.dll
    17:48:23.0709 5628PlugPlay - ok
    17:48:23.0739 5628Pml Driver HPZ12 (65bc271f337637731d3c71455ae1f476) C:\Windows\system32\HPZipm12.dll
    17:48:23.0739 5628Pml Driver HPZ12 - ok
    17:48:23.0759 5628PNRPAutoReg (63ff8572611249931eb16bb8eed6afc8) C:\Windows\system32\pnrpauto.dll
    17:48:23.0769 5628PNRPAutoReg - ok
    17:48:23.0799 5628PNRPsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
    17:48:23.0799 5628PNRPsvc - ok
    17:48:23.0859 5628PolicyAgent (53946b69ba0836bd95b03759530c81ec) C:\Windows\System32\ipsecsvc.dll
    17:48:23.0859 5628PolicyAgent - ok
    17:48:23.0889 5628Power (f87d30e72e03d579a5199ccb3831d6ea) C:\Windows\system32\umpo.dll
    17:48:23.0899 5628Power - ok
    17:48:23.0939 5628PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
    17:48:23.0939 5628PptpMiniport - ok
    17:48:23.0959 5628Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
    17:48:23.0959 5628Processor - ok
    17:48:23.0989 5628ProfSvc (cadefac453040e370a1bdff3973be00d) C:\Windows\system32\profsvc.dll
    17:48:23.0999 5628ProfSvc - ok
    17:48:24.0019 5628ProtectedStorage (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
    17:48:24.0029 5628ProtectedStorage - ok
    17:48:24.0059 5628Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
    17:48:24.0059 5628Psched - ok
    17:48:24.0129 5628QBCFMonitorService (ee46f431b25c14778d2e89d6f10f1d65) c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    17:48:24.0179 5628QBCFMonitorService - ok
    17:48:24.0239 5628QBFCService (6bee1814470dc12fa20c53dfc3c97ebb) c:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    17:48:24.0279 5628QBFCService - ok
    17:48:24.0389 5628ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
    17:48:24.0409 5628ql2300 - ok
    17:48:24.0499 5628ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
    17:48:24.0509 5628ql40xx - ok
    17:48:24.0539 5628QWAVE (31ac809e7707eb580b2bdb760390765a) C:\Windows\system32\qwave.dll
    17:48:24.0549 5628QWAVE - ok
    17:48:24.0559 5628QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
    17:48:24.0559 5628QWAVEdrv - ok
    17:48:24.0579 5628RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
    17:48:24.0579 5628RasAcd - ok
    17:48:24.0609 5628RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
    17:48:24.0609 5628RasAgileVpn - ok
    17:48:24.0629 5628RasAuto (a60f1839849c0c00739787fd5ec03f13) C:\Windows\System32\rasauto.dll
    17:48:24.0629 5628RasAuto - ok
    17:48:24.0649 5628Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
    17:48:24.0649 5628Rasl2tp - ok
    17:48:24.0699 5628RasMan (cb9e04dc05eacf5b9a36ca276d475006) C:\Windows\System32\rasmans.dll
    17:48:24.0709 5628RasMan - ok
    17:48:24.0729 5628RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
    17:48:24.0729 5628RasPppoe - ok
    17:48:24.0749 5628RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
    17:48:24.0749 5628RasSstp - ok
    17:48:24.0779 5628rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
    17:48:24.0779 5628rdbss - ok
    17:48:24.0799 5628rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
    17:48:24.0799 5628rdpbus - ok
    17:48:24.0829 5628RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
    17:48:24.0829 5628RDPCDD - ok
    17:48:24.0849 5628RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
    17:48:24.0859 5628RDPDR - ok
    17:48:24.0869 5628RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
    17:48:24.0879 5628RDPENCDD - ok
    17:48:24.0899 5628RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
    17:48:24.0899 5628RDPREFMP - ok
    17:48:24.0939 5628RDPWD (f031683e6d1fea157abb2ff260b51e61) C:\Windows\system32\drivers\RDPWD.sys
    17:48:24.0939 5628RDPWD - ok
    17:48:24.0979 5628rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
    17:48:24.0979 5628rdyboost - ok
    17:48:25.0009 5628RemoteAccess (7b5e1419717fac363a31cc302895217a) C:\Windows\System32\mprdim.dll
    17:48:25.0009 5628RemoteAccess - ok
    17:48:25.0029 5628RemoteRegistry (cb9a8683f4ef2bf99e123d79950d7935) C:\Windows\system32\regsvc.dll
    17:48:25.0039 5628RemoteRegistry - ok
    17:48:25.0049 5628RimUsb (0f6756ef8bda6dfa7be50465c83132bb) C:\Windows\system32\Drivers\RimUsb.sys
    17:48:25.0059 5628RimUsb - ok
    17:48:25.0069 5628RpcEptMapper (78d072f35bc45d9e4e1b61895c152234) C:\Windows\System32\RpcEpMap.dll
    17:48:25.0079 5628RpcEptMapper - ok
    17:48:25.0099 5628RpcLocator (94d36c0e44677dd26981d2bfeef2a29d) C:\Windows\system32\locator.exe
    17:48:25.0099 5628RpcLocator - ok
    17:48:25.0149 5628RpcSs (7660f01d3b38aca1747e397d21d790af) C:\Windows\system32\rpcss.dll
    17:48:25.0149 5628RpcSs - ok
    17:48:25.0239 5628rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
    17:48:25.0239 5628rspndr - ok
    17:48:25.0259 5628s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
    17:48:25.0259 5628s3cap - ok
    17:48:25.0279 5628SamSs (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
    17:48:25.0289 5628SamSs - ok
    17:48:25.0319 5628sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
    17:48:25.0319 5628sbp2port - ok
    17:48:25.0349 5628SCardSvr (8fc518ffe9519c2631d37515a68009c4) C:\Windows\System32\SCardSvr.dll
    17:48:25.0359 5628SCardSvr - ok
    17:48:25.0389 5628scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
    17:48:25.0389 5628scfilter - ok
    17:48:25.0469 5628Schedule (a04bb13f8a72f8b6e8b4071723e4e336) C:\Windows\system32\schedsvc.dll
    17:48:25.0479 5628Schedule - ok
    17:48:25.0499 5628SCPolicySvc (319c6b309773d063541d01df8ac6f55f) C:\Windows\System32\certprop.dll
    17:48:25.0499 5628SCPolicySvc - ok
    17:48:25.0529 5628SDRSVC (08236c4bce5edd0a0318a438af28e0f7) C:\Windows\System32\SDRSVC.dll
    17:48:25.0529 5628SDRSVC - ok
    17:48:25.0569 5628secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
    17:48:25.0569 5628secdrv - ok
    17:48:25.0589 5628seclogon (a59b3a4442c52060cc7a85293aa3546f) C:\Windows\system32\seclogon.dll
    17:48:25.0589 5628seclogon - ok
    17:48:25.0609 5628SENS (dcb7fcdcc97f87360f75d77425b81737) C:\Windows\system32\sens.dll
    17:48:25.0619 5628SENS - ok
    17:48:25.0639 5628SensrSvc (50087fe1ee447009c9cc2997b90de53f) C:\Windows\system32\sensrsvc.dll
    17:48:25.0639 5628SensrSvc - ok
    17:48:25.0669 5628Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
    17:48:25.0669 5628Serenum - ok
    17:48:25.0689 5628Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
    17:48:25.0689 5628Serial - ok
    17:48:25.0719 5628sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
    17:48:25.0719 5628sermouse - ok
    17:48:25.0769 5628SessionEnv (4ae380f39a0032eab7dd953030b26d28) C:\Windows\system32\sessenv.dll
    17:48:25.0779 5628SessionEnv - ok
    17:48:25.0799 5628sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys
    17:48:25.0799 5628sffdisk - ok
    17:48:25.0809 5628sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
    17:48:25.0809 5628sffp_mmc - ok
    17:48:25.0819 5628sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys
    17:48:25.0829 5628sffp_sd - ok
    17:48:25.0859 5628sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
    17:48:25.0869 5628sfloppy - ok
    17:48:25.0939 5628SharedAccess (d1a079a0de2ea524513b6930c24527a2) C:\Windows\System32\ipnathlp.dll
    17:48:25.0949 5628 SharedAccess - ok
    17:48:25.0999 5628 ShellHWDetection (414da952a35bf5d50192e28263b40577) C:\Windows\System32\shsvcs.dll
    17:48:25.0999 5628 ShellHWDetection - ok
    17:48:26.0029 5628 simptcp (f5aaa8cdda25b6387af590d676d25bad) C:\Windows\System32\tcpsvcs.exe
    17:48:26.0029 5628 simptcp - ok
    17:48:26.0069 5628 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
    17:48:26.0069 5628 sisagp - ok
    17:48:26.0099 5628 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
    17:48:26.0099 5628 SiSRaid2 - ok
    17:48:26.0119 5628 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
    17:48:26.0119 5628 SiSRaid4 - ok
    17:48:26.0149 5628 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
    17:48:26.0149 5628 Smb - ok
    17:48:26.0189 5628 SNMP (8f5171c837e64ff0ac48f0a29dd9e180) C:\Windows\System32\snmp.exe
    17:48:26.0189 5628 SNMP - ok
    17:48:26.0229 5628 SNMPTRAP (6a984831644eca1a33ffeae4126f4f37) C:\Windows\System32\snmptrap.exe
    17:48:26.0229 5628 SNMPTRAP - ok
    17:48:26.0239 5628 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
    17:48:26.0249 5628 spldr - ok
    17:48:26.0299 5628 Spooler (866a43013535dc8587c258e43579c764) C:\Windows\System32\spoolsv.exe
    17:48:26.0309 5628 Spooler - ok
    17:48:26.0539 5628 sppsvc (cf87a1de791347e75b98885214ced2b8) C:\Windows\system32\sppsvc.exe
    17:48:26.0569 5628 sppsvc - ok
    17:48:26.0659 5628 sppuinotify (b0180b20b065d89232a78a40fe56eaa6) C:\Windows\system32\sppuinotify.dll
    17:48:26.0659 5628 sppuinotify - ok
    17:48:26.0709 5628 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys
    17:48:26.0719 5628 srv - ok
    17:48:26.0739 5628 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys
    17:48:26.0749 5628 srv2 - ok
    17:48:26.0769 5628 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys
    17:48:26.0769 5628 srvnet - ok
    17:48:26.0819 5628 ssadbus (48f44a1be434830b7c90fb730745f65a) C:\Windows\system32\DRIVERS\ssadbus.sys
    17:48:26.0819 5628 ssadbus - ok
    17:48:26.0829 5628 ssadmdfl (9630b486b62cc0adb0a89152ed0218d7) C:\Windows\system32\DRIVERS\ssadmdfl.sys
    17:48:26.0829 5628 ssadmdfl - ok
    17:48:26.0849 5628 ssadmdm (9afaa23421622c392b55508fa9613949) C:\Windows\system32\DRIVERS\ssadmdm.sys
    17:48:26.0859 5628 ssadmdm - ok
    17:48:26.0899 5628 sscdbus (069351a1d7d291013177a90ae6edccbc) C:\Windows\system32\DRIVERS\sscdbus.sys
    17:48:26.0899 5628 sscdbus - ok
    17:48:26.0929 5628 sscdmdfl (1c925be223a5c0f9f469252292a48df6) C:\Windows\system32\DRIVERS\sscdmdfl.sys
    17:48:26.0929 5628 sscdmdfl - ok
    17:48:26.0959 5628 sscdmdm (ae3e77ae0fbdb07eb1ac3fed74a0695e) C:\Windows\system32\DRIVERS\sscdmdm.sys
    17:48:26.0959 5628 sscdmdm - ok
    17:48:26.0989 5628 SSDPSRV (d887c9fd02ac9fa880f6e5027a43e118) C:\Windows\System32\ssdpsrv.dll
    17:48:26.0999 5628 SSDPSRV - ok
    17:48:27.0019 5628 SstpSvc (d318f23be45d5e3a107469eb64815b50) C:\Windows\system32\sstpsvc.dll
    17:48:27.0019 5628 SstpSvc - ok
    17:48:27.0109 5628 STacSV (71679f24d0d0b2c6403bb5ac57026e99) C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_124a1a436c563c4c\STacSV.exe
    17:48:36.0799 5628 STacSV - ok
    17:48:36.0819 5628 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
    17:48:36.0819 5628 stexstor - ok
    17:48:36.0879 5628 STHDA (68a0d39e357dd7a234b1d4f1e844c615) C:\Windows\system32\drivers\stwrt.sys
    17:48:36.0889 5628 STHDA - ok
    17:48:36.0939 5628 StiSvc (e1fb3706030fb4578a0d72c2fc3689e4) C:\Windows\System32\wiaservc.dll
    17:48:36.0949 5628 StiSvc - ok
    17:48:36.0989 5628 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys
    17:48:36.0989 5628 storflt - ok
    17:48:37.0009 5628 StorSvc (0bf669f0a910beda4a32258d363af2a5) C:\Windows\system32\storsvc.dll
    17:48:37.0009 5628 StorSvc - ok
    17:48:37.0039 5628 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys
    17:48:37.0039 5628 storvsc - ok
    17:48:37.0059 5628 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys
    17:48:37.0059 5628 swenum - ok
    17:48:37.0099 5628 swprv (a28bd92df340e57b024ba433165d34d7) C:\Windows\System32\swprv.dll
    17:48:37.0109 5628 swprv - ok
    17:48:37.0209 5628 SysMain (36650d618ca34c9d357dfd3d89b2c56f) C:\Windows\system32\sysmain.dll
    17:48:37.0219 5628 SysMain - ok
    17:48:37.0269 5628 TabletInputService (763fecdc3d30c815fe72dd57936c6cd1) C:\Windows\System32\TabSvc.dll
    17:48:37.0279 5628 TabletInputService - ok
    17:48:37.0319 5628 TapiSrv (613bf4820361543956909043a265c6ac) C:\Windows\System32\tapisrv.dll
    17:48:37.0329 5628 TapiSrv - ok
    17:48:37.0349 5628 TBS (b799d9fdb26111737f58288d8dc172d9) C:\Windows\System32\tbssvc.dll
    17:48:37.0359 5628 TBS - ok
    17:48:37.0479 5628 Tcpip (7fa2e0f8b072bd04b77b421480b6cc22) C:\Windows\system32\drivers\tcpip.sys
    17:48:37.0499 5628 Tcpip - ok
    17:48:37.0529 5628 TCPIP6 (7fa2e0f8b072bd04b77b421480b6cc22) C:\Windows\system32\DRIVERS\tcpip.sys
    17:48:37.0539 5628 TCPIP6 - ok
    17:48:37.0559 5628 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
    17:48:37.0559 5628 tcpipreg - ok
    17:48:37.0589 5628 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
    17:48:37.0589 5628 TDPIPE - ok
    17:48:37.0609 5628 TDTCP (2c2c5afe7ee4f620d69c23c0617651a8) C:\Windows\system32\drivers\tdtcp.sys
    17:48:37.0609 5628 TDTCP - ok
    17:48:37.0639 5628 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
    17:48:37.0639 5628 tdx - ok
    17:48:37.0659 5628 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
    17:48:37.0669 5628 TermDD - ok
    17:48:37.0719 5628 TermService (382c804c92811be57829d8e550a900e2) C:\Windows\System32\termsrv.dll
    17:48:37.0729 5628 TermService - ok
    17:48:37.0749 5628 Themes (42fb6afd6b79d9fe07381609172e7ca4) C:\Windows\system32\themeservice.dll
    17:48:37.0759 5628 Themes - ok
    17:48:37.0789 5628 THREADORDER (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
    17:48:37.0789 5628 THREADORDER - ok
    17:48:37.0799 5628 TrkWks (4792c0378db99a9bc2ae2de6cfff0c3a) C:\Windows\System32\trkwks.dll
    17:48:37.0809 5628 TrkWks - ok
    17:48:37.0849 5628 TrustedInstaller (2c49b175aee1d4364b91b531417fe583) C:\Windows\servicing\TrustedInstaller.exe
    17:48:37.0929 5628 TrustedInstaller - ok
    17:48:37.0939 5628 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
    17:48:37.0939 5628 tssecsrv - ok
    17:48:37.0989 5628 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
    17:48:37.0989 5628 TsUsbFlt - ok
    17:48:38.0039 5628 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
    17:48:38.0049 5628 tunnel - ok
    17:48:38.0069 5628 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
    17:48:38.0069 5628 uagp35 - ok
    17:48:38.0119 5628 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
    17:48:38.0119 5628 udfs - ok
    17:48:38.0149 5628 UI0Detect (8344fd4fce927880aa1aa7681d4927e5) C:\Windows\system32\UI0Detect.exe
    17:48:38.0159 5628 UI0Detect - ok
    17:48:38.0199 5628 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
    17:48:38.0199 5628 uliagpkx - ok
    17:48:38.0239 5628 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\drivers\umbus.sys
    17:48:38.0239 5628 umbus - ok
    17:48:38.0269 5628 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
    17:48:38.0269 5628 UmPass - ok
    17:48:38.0299 5628 UmRdpService (409994a8eaceee4e328749c0353527a0) C:\Windows\System32\umrdp.dll
    17:48:38.0309 5628 UmRdpService - ok
    17:48:38.0339 5628 upnphost (833fbb672460efce8011d262175fad33) C:\Windows\System32\upnphost.dll
    17:48:38.0339 5628 upnphost - ok
    17:48:38.0359 5628 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\Windows\system32\DRIVERS\usbccgp.sys
    17:48:38.0359 5628 usbccgp - ok
    17:48:38.0379 5628 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
    17:48:38.0379 5628 usbcir - ok
    17:48:38.0399 5628 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\Windows\system32\DRIVERS\usbehci.sys
    17:48:38.0399 5628 usbehci - ok
    17:48:38.0449 5628 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\Windows\system32\DRIVERS\usbhub.sys
    17:48:38.0449 5628 usbhub - ok
    17:48:38.0469 5628 usbohci (e185d44fac515a18d9deddc23c2cdf44) C:\Windows\system32\DRIVERS\usbohci.sys
    17:48:38.0469 5628 usbohci - ok
    17:48:38.0509 5628 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
    17:48:38.0509 5628 usbprint - ok
    17:48:38.0529 5628 USBSTOR (f991ab9cc6b908db552166768176896a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
    17:48:38.0529 5628 USBSTOR - ok
    17:48:38.0539 5628 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\Windows\system32\drivers\usbuhci.sys
    17:48:38.0539 5628 usbuhci - ok
    17:48:38.0569 5628 UxSms (081e6e1c91aec36758902a9f727cd23c) C:\Windows\System32\uxsms.dll
    17:48:38.0569 5628 UxSms - ok
    17:48:38.0599 5628 VaultSvc (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
    17:48:38.0599 5628 VaultSvc - ok
    17:48:38.0629 5628 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
    17:48:38.0629 5628 vdrvroot - ok
    17:48:38.0679 5628 vds (c3cd30495687c2a2f66a65ca6fd89be9) C:\Windows\System32\vds.exe
    17:48:38.0689 5628 vds - ok
    17:48:38.0699 5628 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
    17:48:38.0699 5628 vga - ok
    17:48:38.0709 5628 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
    17:48:38.0719 5628 VgaSave - ok
    17:48:38.0749 5628 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
    17:48:38.0749 5628 vhdmp - ok
    17:48:38.0779 5628 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
    17:48:38.0779 5628 viaagp - ok
    17:48:38.0809 5628 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
    17:48:38.0809 5628 ViaC7 - ok
    17:48:38.0839 5628 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
    17:48:38.0839 5628 viaide - ok
    17:48:38.0859 5628 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
    17:48:38.0869 5628 vmbus - ok
    17:48:38.0869 5628 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
    17:48:38.0869 5628 VMBusHID - ok
    17:48:38.0899 5628 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
    17:48:38.0899 5628 volmgr - ok
    17:48:38.0929 5628 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
    17:48:38.0929 5628 volmgrx - ok
    17:48:38.0969 5628 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
    17:48:38.0969 5628 volsnap - ok
    17:48:39.0009 5628 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
    17:48:39.0009 5628 vsmraid - ok
    17:48:39.0099 5628 VSS (209a3b1901b83aeb8527ed211cce9e4c) C:\Windows\system32\vssvc.exe
    17:48:39.0109 5628 VSS - ok
    17:48:39.0129 5628 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys
    17:48:39.0129 5628 vwifibus - ok
    17:48:39.0179 5628 W32Time (55187fd710e27d5095d10a472c8baf1c) C:\Windows\system32\w32time.dll
    17:48:39.0179 5628 W32Time - ok
    17:48:39.0229 5628 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
    17:48:39.0229 5628 WacomPen - ok
    17:48:39.0259 5628 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
    17:48:39.0259 5628 WANARP - ok
    17:48:39.0269 5628 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
    17:48:39.0269 5628 Wanarpv6 - ok
    17:48:39.0399 5628 WatAdminSvc (353a04c273ec58475d8633e75ccd5604) C:\Windows\system32\Wat\WatAdminSvc.exe
    17:48:39.0419 5628 WatAdminSvc - ok
    17:48:39.0509 5628 wbengine (691e3285e53dca558e1a84667f13e15a) C:\Windows\system32\wbengine.exe
    17:48:39.0539 5628 wbengine - ok
    17:48:39.0569 5628 WbioSrvc (9614b5d29dc76ac3c29f6d2d3aa70e67) C:\Windows\System32\wbiosrvc.dll
    17:48:39.0569 5628 WbioSrvc - ok
    17:48:39.0609 5628 wcncsvc (34eee0dfaadb4f691d6d5308a51315dc) C:\Windows\System32\wcncsvc.dll
    17:48:39.0619 5628 wcncsvc - ok
    17:48:39.0629 5628 WcsPlugInService (5d930b6357a6d2af4d7653bdabbf352f) C:\Windows\System32\WcsPlugInService.dll
    17:48:39.0639 5628 WcsPlugInService - ok
    17:48:39.0669 5628 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
    17:48:39.0669 5628 Wd - ok
    17:48:39.0709 5628 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
    17:48:39.0709 5628 Wdf01000 - ok
    17:48:39.0729 5628 WdiServiceHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
    17:48:39.0729 5628 WdiServiceHost - ok
    17:48:39.0729 5628 WdiSystemHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
    17:48:39.0739 5628 WdiSystemHost - ok
    17:48:39.0769 5628 WebClient (a9d880f97530d5b8fee278923349929d) C:\Windows\System32\webclnt.dll
    17:48:39.0769 5628 WebClient - ok
    17:48:39.0799 5628 Wecsvc (760f0afe937a77cff27153206534f275) C:\Windows\system32\wecsvc.dll
    17:48:39.0799 5628 Wecsvc - ok
    17:48:39.0819 5628 wercplsupport (ac804569bb2364fb6017370258a4091b) C:\Windows\System32\wercplsupport.dll
    17:48:39.0819 5628 wercplsupport - ok
    17:48:39.0849 5628 WerSvc (08e420d873e4fd85241ee2421b02c4a4) C:\Windows\System32\WerSvc.dll
    17:48:39.0859 5628 WerSvc - ok
    17:48:39.0879 5628 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
    17:48:39.0879 5628 WfpLwf - ok
    17:48:39.0899 5628 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
    17:48:39.0899 5628 WIMMount - ok
    17:48:40.0009 5628 WinDefend (3fae8f94296001c32eab62cd7d82e0fd) C:\Program Files\Windows Defender\mpsvc.dll
    17:48:40.0009 5628 WinDefend - ok
    17:48:40.0019 5628 WinHttpAutoProxySvc - ok
    17:48:40.0069 5628 Winmgmt (f62e510b6ad4c21eb9fe8668ed251826) C:\Windows\system32\wbem\WMIsvc.dll
    17:48:40.0119 5628 Winmgmt - ok
    17:48:40.0219 5628 WinRM (1b91cd34ea3a90ab6a4ef0550174f4cc) C:\Windows\system32\WsmSvc.dll
    17:48:40.0239 5628 WinRM - ok
    17:48:40.0299 5628 WinUsb (a67e5f9a400f3bd1be3d80613b45f708) C:\Windows\system32\DRIVERS\WinUsb.sys
    17:48:40.0299 5628 WinUsb - ok
    17:48:40.0379 5628 Wlansvc (16935c98ff639d185086a3529b1f2067) C:\Windows\System32\wlansvc.dll
    17:48:40.0399 5628 Wlansvc - ok
    17:48:40.0469 5628 wlcrasvc (6067acef367e79914af628fa1e9b5330) C:\Program Files\Windows Live\Mesh\wlcrasvc.exe
    17:48:40.0469 5628 wlcrasvc - ok
    17:48:40.0609 5628 wlidsvc (0a70f4022ec2e14c159efc4f69aa2477) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    17:48:40.0639 5628 wlidsvc - ok
    17:48:40.0739 5628 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
    17:48:40.0739 5628 WmiAcpi - ok
    17:48:40.0789 5628 wmiApSrv (6eb6b66517b048d87dc1856ddf1f4c3f) C:\Windows\system32\wbem\WmiApSrv.exe
    17:48:40.0789 5628 wmiApSrv - ok
    17:48:40.0909 5628 WMPNetworkSvc (3b40d3a61aa8c21b88ae57c58ab3122e) C:\Program Files\Windows Media Player\wmpnetwk.exe
    17:48:40.0919 5628 WMPNetworkSvc - ok
    17:48:40.0939 5628 WPCSvc (a2f0ec770a92f2b3f9de6d518e11409c) C:\Windows\System32\wpcsvc.dll
    17:48:40.0939 5628 WPCSvc - ok
    17:48:40.0969 5628 WPDBusEnum (aa53356d60af47eacc85bc617a4f3f66) C:\Windows\system32\wpdbusenum.dll
    17:48:40.0979 5628 WPDBusEnum - ok
    17:48:41.0019 5628 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
    17:48:41.0019 5628 ws2ifsl - ok
    17:48:41.0059 5628 wscsvc (6f5d49efe0e7164e03ae773a3fe25340) C:\Windows\system32\wscsvc.dll
    17:48:41.0069 5628 wscsvc - ok
    17:48:41.0079 5628 WSearch - ok
    17:48:41.0239 5628 wuauserv (fc3ec24fce372c89423e015a2ac1a31e) C:\Windows\system32\wuaueng.dll
    17:48:41.0279 5628 wuauserv - ok
    17:48:41.0399 5628 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
    17:48:41.0399 5628 WudfPf - ok
    17:48:41.0429 5628 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
    17:48:41.0439 5628 WUDFRd - ok
    17:48:41.0469 5628 wudfsvc (8d1e1e529a2c9e9b6a85b55a345f7629) C:\Windows\System32\WUDFSvc.dll
    17:48:41.0479 5628 wudfsvc - ok
    17:48:41.0509 5628 WwanSvc (ff2d745b560f7c71b31f30f4d49f73d2) C:\Windows\System32\wwansvc.dll
    17:48:41.0509 5628 WwanSvc - ok
    17:48:41.0539 5628 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
    17:48:41.0579 5628 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
    17:48:41.0579 5628 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
    17:48:41.0589 5628 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR1
    17:48:41.0599 5628 \Device\Harddisk1\DR1 - ok
    17:48:41.0599 5628 Boot (0x1200) (4acf70f9ddef18ee637c04c6976183bc) \Device\Harddisk0\DR0\Partition0
    17:48:41.0609 5628 \Device\Harddisk0\DR0\Partition0 - ok
    17:48:41.0629 5628 Boot (0x1200) (72f5bb64491b280ddbeda1d5d1caaa2b) \Device\Harddisk0\DR0\Partition1
    17:48:41.0629 5628 \Device\Harddisk0\DR0\Partition1 - ok
    17:48:41.0639 5628 Boot (0x1200) (278fefe7a529bbd9c371cf7a0387dc1d) \Device\Harddisk1\DR1\Partition0
    17:48:41.0639 5628 \Device\Harddisk1\DR1\Partition0 - ok
    17:48:41.0639 5628 ============================================================
    17:48:41.0639 5628 Scan finished
    17:48:41.0639 5628 ============================================================
    17:48:41.0659 4048 Detected object count: 1
    17:48:41.0659 4048 Actual detected object count: 1
    17:48:52.0249 4048 \Device\Harddisk0\DR0\# - copied to quarantine
    17:48:52.0329 4048 \Device\Harddisk0\DR0 - copied to quarantine
    17:48:54.0219 4048 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
    17:48:54.0219 4048 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
    17:48:54.0229 4048 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
    17:48:54.0289 4048 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
    17:48:54.0319 4048 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
    17:48:54.0369 4048 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
    17:48:54.0419 4048 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
    17:48:54.0479 4048 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
    17:48:54.0499 4048 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
    17:48:54.0789 4048 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
    17:48:54.0859 4048 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
    17:48:54.0879 4048 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
    17:48:54.0879 4048 \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
    17:48:54.0989 4048 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
    17:48:55.0019 4048 \Device\Harddisk0\DR0 - ok
    17:48:55.0029 4048 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
    17:49:50.0459 3776 Deinitialize success
     
  10. Broni

    Broni Malware Annihilator

    Good :)

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    =================================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  11. Josh1976

    Josh1976 TS Rookie Topic Starter

    Malwarebytes Anti-Malware (Trial) 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.07.26.11

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    user :: FSDL-PC1 [administrator]

    Protection: Enabled

    7/26/2012 8:50:09 AM
    mbam-log-2012-07-26 (08-50-09).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 216185
    Time elapsed: 5 minute(s), 4 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 1
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://startsear.ch/?aff=1) Good: (http://www.google.com) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  12. Josh1976

    Josh1976 TS Rookie Topic Starter

    OTL logfile created on: 7/26/2012 8:58:51 AM - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\user\Downloads
    Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.44 Gb Total Physical Memory | 2.17 Gb Available Physical Memory | 63.02% Memory free
    6.87 Gb Paging File | 5.57 Gb Available in Paging File | 81.04% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 931.41 Gb Total Space | 881.15 Gb Free Space | 94.60% Space Free | Partition Type: NTFS
    Drive E: | 7.45 Gb Total Space | 7.04 Gb Free Space | 94.45% Space Free | Partition Type: FAT32

    Computer Name: FSDL-PC1 | User Name: user | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/07/26 08:47:20 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\user\Downloads\OTL.exe
    PRC - [2012/07/12 09:28:09 | 000,136,616 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
    PRC - [2012/07/12 09:27:31 | 000,374,184 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2012/07/03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    PRC - [2012/04/04 01:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
    PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
    PRC - [2012/02/04 09:52:02 | 001,155,432 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    PRC - [2012/02/04 08:40:44 | 000,045,056 | ---- | M] (Intuit) -- c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    PRC - [2011/08/11 11:27:42 | 015,490,560 | ---- | M] () -- C:\Users\user\AppData\Local\Autobahn\nexdef.exe
    PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2010/11/20 08:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2010/11/08 13:04:20 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
    PRC - [2010/09/17 16:40:06 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    PRC - [2008/02/15 18:25:34 | 000,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_124a1a436c563c4c\stacsv.exe
    PRC - [2008/02/15 18:23:20 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
    PRC - [2008/01/29 14:17:22 | 000,442,368 | ---- | M] (MURATA MACHINERY,LTD.) -- C:\Program Files\Muratec\OfficeBridge\Download\DOWNUTY.exe
    PRC - [2008/01/29 14:08:36 | 000,385,024 | ---- | M] (MURATA MACHINERY,LTD.) -- C:\Program Files\Muratec\OfficeBridge\Imonitor\Imonitor2.exe
    PRC - [2007/11/27 12:55:08 | 000,107,008 | ---- | M] (MURATA MACHINERY,LTD.) -- C:\Program Files\Muratec\OfficeBridge\ScanToPM\ScanToPM.exe
    PRC - [2007/06/28 14:36:24 | 000,049,152 | ---- | M] (MURATA MACHINERY,LTD.) -- C:\Windows\System32\mmlweb.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/08/11 11:27:44 | 000,159,744 | ---- | M] () -- C:\Users\user\AppData\Local\Autobahn\rt\jetrt\baseline720.dll
    MOD - [2011/08/11 11:27:44 | 000,069,632 | ---- | M] () -- C:\Users\user\AppData\Local\Autobahn\rt\bin\java.dll
    MOD - [2011/08/11 11:27:42 | 015,490,560 | ---- | M] () -- C:\Users\user\AppData\Local\Autobahn\nexdef.exe
    MOD - [2011/08/11 11:27:40 | 000,126,976 | ---- | M] () -- C:\Users\user\AppData\Local\Autobahn\rt\bin\zip.dll
    MOD - [2011/08/11 11:27:40 | 000,020,480 | ---- | M] () -- C:\Users\user\AppData\Local\Autobahn\rt\bin\jetvm\jvm.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2012/07/12 09:28:09 | 000,136,616 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
    SRV - [2012/07/12 09:27:31 | 000,374,184 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
    SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2012/04/04 01:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2012/03/26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
    SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
    SRV - [2012/02/04 08:40:44 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
    SRV - [2011/01/07 15:15:32 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2010/11/08 13:04:20 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
    SRV - [2009/07/23 22:10:38 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- c:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
    SRV - [2009/07/13 21:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
    SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
    SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2009/07/13 21:15:36 | 000,038,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\lpdsvc.dll -- (LPDSVC)
    SRV - [2008/02/15 18:25:34 | 000,102,400 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_124a1a436c563c4c\stacsv.exe -- (STacSV)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\user\AppData\Local\Temp\catchme.sys -- (catchme)
    DRV - [2012/07/12 09:27:32 | 000,083,392 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
    DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV - [2011/01/12 21:15:46 | 000,132,424 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdm.sys -- (sscdmdm)
    DRV - [2011/01/12 21:15:46 | 000,104,648 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
    DRV - [2011/01/12 21:15:46 | 000,014,920 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdfl.sys -- (sscdmdfl)
    DRV - [2011/01/12 21:15:08 | 000,136,680 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadmdm.sys -- (ssadmdm)
    DRV - [2011/01/12 21:15:08 | 000,121,192 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadbus.sys -- (ssadbus) SAMSUNG Android USB Composite Device driver (WDM)
    DRV - [2011/01/12 21:15:08 | 000,030,312 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadadb.sys -- (androidusb)
    DRV - [2011/01/12 21:15:08 | 000,012,776 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadmdfl.sys -- (ssadmdfl) SAMSUNG Android USB Modem (Filter)
    DRV - [2010/11/20 08:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
    DRV - [2010/11/20 08:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
    DRV - [2010/11/20 08:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
    DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV - [2010/11/20 05:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
    DRV - [2010/11/20 05:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
    DRV - [2010/11/20 05:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
    DRV - [2010/09/17 16:40:06 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
    DRV - [2010/09/17 16:40:06 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
    DRV - [2010/07/10 06:37:00 | 011,008,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2008/02/15 18:27:02 | 000,330,752 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
    DRV - [2007/08/09 19:12:30 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\..\SearchScopes\{17DC7BC0-9D4D-47E8-9A7E-4DA165762DED}: "URL" = http://startsear.ch/?aff=1&src=sp&cf=22da6b60-f81b-11e0-a258-00221934c645&q={searchTerms}

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9C 0C 40 A4 97 8A CC 01 [binary data]
    IE - HKCU\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searc...SP_ss&mntrId=503287a700000000000000221934c645
    IE - HKCU\..\SearchScopes\{17DC7BC0-9D4D-47E8-9A7E-4DA165762DED}: "URL" = http://startsear.ch/?aff=1&src=sp&cf=22da6b60-f81b-11e0-a258-00221934c645&q={searchTerms}
    IE - HKCU\..\SearchScopes\{6F1B6FB3-7020-4007-B245-AC3AB101F522}: "URL" = http://www.google.com/search?q={sea...tartIndex={startIndex?}&startPage={startPage}
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\user\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
    FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\user\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\user\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\user\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)


    [2012/07/25 13:10:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/11/23 20:41:01 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
    [2012/01/29 14:42:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
    [2011/03/18 13:33:21 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
    [2011/11/10 06:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2011/03/18 13:33:22 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
    [2012/07/17 10:34:58 | 000,002,349 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml

    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Users\user\AppData\Local\Google\Chrome\Application\20.0.1132.57\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\user\AppData\Local\Google\Chrome\Application\20.0.1132.57\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\user\AppData\Local\Google\Chrome\Application\20.0.1132.57\gcswf32.dll
    CHR - plugin: Shockwave Flash (Disabled) = C:\Users\user\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
    CHR - plugin: Chrome IE Tab (Enabled) = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hehijbfgiekmjfkfjpbkbammjbdenadd\3.5.14.1_0\plugin/blackfishietab.dll
    CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Java Deployment Toolkit 6.0.300.12 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    CHR - plugin: Java(TM) Platform SE 6 U30 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
    CHR - plugin: Coupons Inc., Coupon Printer Manager (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
    CHR - plugin: Coupons Inc., Coupon Printer Manager (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
    CHR - plugin: Google Talk Plugin (Enabled) = C:\Users\user\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Users\user\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
    CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
    CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    CHR - plugin: Veetle TV Player (Enabled) = C:\Program Files\Veetle\Player\npvlc.dll
    CHR - plugin: Veetle TV Core (Enabled) = C:\Program Files\Veetle\plugins\npVeetle.dll
    CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
    CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll
    CHR - Extension: Google Drive = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6_0\
    CHR - Extension: TweetDeck = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbdpomandigafcibbmofojjchbcdagbl\1.5.3_0\
    CHR - Extension: IE Tab = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hehijbfgiekmjfkfjpbkbammjbdenadd\3.6.30.1_0\
    CHR - Extension: Google Theme = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\imoaoigekmpoalkbfohhjgkcocjdapne\1.0.1_0\
    CHR - Extension: Yahoo! Axis = C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbilcmekbcocfaiofmdokibplmongfil\1.0.84_0\

    O1 HOSTS File: ([2012/07/25 16:44:35 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
    O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [mmlweb] C:\Windows\System32\mmlweb.exe (MURATA MACHINERY,LTD.)
    O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
    O4 - HKCU..\Run: [GoogleDriveSync] C:\Program Files\Google\Drive\googledrivesync.exe (Google)
    O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NexDef Plug-in.lnk = C:\Users\user\AppData\Local\Autobahn\nexdef.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {B7039D87-D648-4431-BA87-C3A04E6111DA} https://69.73.131.159:4643/vz/ssh/wodTelnetDLX.cab (wodTelnetDLX Class)
    O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: {FD7910DE-821C-4C63-BAF1-E645B16DB155} http://192.168.8.31/HD300ACTL.cab (HD300AController Control)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 71.242.0.12 71.252.0.12
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CF208DFF-53AB-4F35-AE49-DD6EBE1E9854}: DhcpNameServer = 71.242.0.12 71.252.0.12
    O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2010/10/04 11:57:10 | 000,000,125 | -H-- | M] () - E:\autorun.inf -- [ FAT32 ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/07/26 08:49:08 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\Malwarebytes
    [2012/07/26 08:48:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/07/26 08:48:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/07/26 08:48:03 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/07/26 08:48:03 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/07/25 18:52:52 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/07/25 17:48:51 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
    [2012/07/25 17:07:04 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2012/07/25 16:48:43 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/07/25 16:43:00 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/07/25 16:43:00 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\temp
    [2012/07/25 16:34:10 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/07/25 16:34:10 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/07/25 16:34:10 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/07/25 16:27:52 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/07/25 16:27:29 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012/07/25 16:16:13 | 004,585,817 | R--- | C] (Swearware) -- C:\Users\user\Desktop\ComboFix.exe
    [2012/07/25 13:08:19 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
    [2012/07/25 10:45:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
    [2012/07/25 10:45:30 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
    [2012/07/24 13:22:36 | 002,136,664 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\user\Desktop\TDSSKiller.exe
    [2012/07/21 19:24:56 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
    [2012/07/20 20:11:47 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
    [2012/07/16 12:57:42 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\com.pageone.Curator
    [2012/07/16 12:57:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PageOneTraffic
    [2012/07/16 12:57:19 | 000,000,000 | ---D | C] -- C:\Program Files\PageOneTraffic
    [2012/07/15 12:02:51 | 000,000,000 | ---D | C] -- C:\Users\user\Documents\Out of the Park Developments
    [2012/07/07 14:08:02 | 000,000,000 | ---D | C] -- C:\Users\user\.autobahn
    [2012/07/07 14:07:52 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\Autobahn
    [2012/06/28 18:28:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive

    ========== Files - Modified Within 30 Days ==========

    [2012/07/26 08:57:00 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-429206791-1674625279-1837712758-1001UA.job
    [2012/07/26 08:48:14 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/07/26 08:32:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/07/25 22:32:00 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/07/25 17:57:58 | 000,013,456 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/07/25 17:57:58 | 000,013,456 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/07/25 17:50:29 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/07/25 17:50:27 | 2767,003,648 | -HS- | M] () -- C:\hiberfil.sys
    [2012/07/25 17:47:04 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\user\Desktop\TDSSKiller.exe
    [2012/07/25 17:07:19 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2012/07/25 17:07:08 | 000,629,194 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/07/25 17:07:08 | 000,108,410 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/07/25 16:44:35 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/07/25 16:16:18 | 004,585,817 | R--- | M] (Swearware) -- C:\Users\user\Desktop\ComboFix.exe
    [2012/07/25 15:57:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-429206791-1674625279-1837712758-1001Core.job
    [2012/07/21 19:24:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat(28).dat
    [2012/07/21 19:24:53 | 340,223,470 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2012/07/17 10:35:18 | 000,000,247 | ---- | M] () -- C:\user.js
    [2012/07/12 09:27:32 | 000,083,392 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\System32\LMIRfsClientNP.dll
    [2012/07/12 09:27:31 | 000,087,456 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\System32\LMIinit.dll
    [2012/07/12 09:27:31 | 000,030,624 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\System32\LMIport.dll
    [2012/07/11 03:22:21 | 000,427,376 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/07/07 14:08:01 | 000,001,013 | ---- | M] () -- C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NexDef Plug-in.lnk
    [2012/07/04 12:49:25 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_WinUsb_01009.Wdf
    [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/07/01 15:40:15 | 022,703,042 | ---- | M] () -- C:\Users\user\Desktop\07Jul12MDprice.pdf

    ========== Files Created - No Company Name ==========

    [2012/07/26 08:48:14 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/07/25 17:07:12 | 000,001,915 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2012/07/25 16:34:10 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/07/25 16:34:10 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/07/25 16:34:10 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/07/25 16:34:10 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/07/25 16:34:10 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/07/21 19:24:53 | 340,223,470 | ---- | C] () -- C:\Windows\MEMORY.DMP
    [2012/07/17 10:43:04 | 000,791,977 | ---- | C] () -- C:\Users\user\Desktop\galertmanual.pdf
    [2012/07/17 10:35:17 | 000,000,247 | ---- | C] () -- C:\user.js
    [2012/07/07 14:08:01 | 000,001,013 | ---- | C] () -- C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NexDef Plug-in.lnk
    [2012/07/04 12:49:25 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_WinUsb_01009.Wdf
    [2012/07/01 15:39:00 | 022,703,042 | ---- | C] () -- C:\Users\user\Desktop\07Jul12MDprice.pdf
    [2012/06/10 11:12:41 | 000,002,358 | ---- | C] () -- C:\Users\user\cvdm.err
    [2012/01/11 12:51:09 | 000,002,048 | -HS- | C] () -- C:\Windows\System32\config\systemprofile\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\@
    [2011/06/01 17:32:37 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
    [2011/01/12 13:28:57 | 000,000,090 | ---- | C] () -- C:\Windows\QBChanUtil_Trigger.ini
    [2011/01/11 16:21:50 | 000,000,359 | ---- | C] () -- C:\Users\user\Recycle Bin - Shortcut.lnk
    [2011/01/10 16:44:06 | 000,000,000 | ---- | C] () -- C:\Windows\HPMProp.INI

    ========== LOP Check ==========

    [2012/07/16 12:57:42 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\com.pageone.Curator
    [2012/07/11 18:02:25 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\FileZilla
    [2011/09/04 12:02:40 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\JonathanLeger.com
    [2012/04/26 17:48:50 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\Out of the Park Developments
    [2011/08/20 19:03:45 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\StreamTorrent
    [2011/03/11 15:43:16 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\Windows Live Writer
    [2012/05/02 13:15:54 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\YourFileDownloader
    [2012/07/20 21:04:14 | 000,020,840 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========


    < End of report >
     
  13. Josh1976

    Josh1976 TS Rookie Topic Starter

    OTL Extras logfile created on: 7/26/2012 8:58:51 AM - Run 1
    OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\user\Downloads
    Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.44 Gb Total Physical Memory | 2.17 Gb Available Physical Memory | 63.02% Memory free
    6.87 Gb Paging File | 5.57 Gb Available in Paging File | 81.04% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 931.41 Gb Total Space | 881.15 Gb Free Space | 94.60% Space Free | Partition Type: NTFS
    Drive E: | 7.45 Gb Total Space | 7.04 Gb Free Space | 94.45% Space Free | Partition Type: FAT32

    Computer Name: FSDL-PC1 | User Name: user | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = ChromeHTML] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
    "{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
    "{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{14B775EB-C6CA-49AB-8A40-CC8DF18B513B}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
    "{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
    "{5D3AB51A-6EE7-42A2-B965-FEE78638DAF8}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
    "{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
    "{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
    "{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
    "{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{91FF2412-85DD-4492-9030-D518647355AD}" = protocol=6 | dir=in | app=c:\users\user\appdata\local\google\google talk plugin\googletalkplugin.exe |
    "{936C3B1F-7A37-450D-9C67-D3B2EE279596}" = protocol=17 | dir=in | app=c:\users\user\appdata\local\google\google talk plugin\googletalkplugin.exe |
    "{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
    "{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
    "{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "TCP Query User{1F10C03D-2945-4755-ACB3-C5D1200BFE8C}C:\program files\muratec\officebridge\imonitor\imonitor2.exe" = protocol=6 | dir=in | app=c:\program files\muratec\officebridge\imonitor\imonitor2.exe |
    "TCP Query User{7A125E2B-4303-4E2F-91F8-6BF6B3CD72DE}C:\program files\muratec\officebridge\scantopm\scantopm.exe" = protocol=6 | dir=in | app=c:\program files\muratec\officebridge\scantopm\scantopm.exe |
    "TCP Query User{FE799951-0276-4BF3-B62F-41FFF5DE858C}C:\program files\muratec\officebridge\scantopm\scantopm.exe" = protocol=6 | dir=in | app=c:\program files\muratec\officebridge\scantopm\scantopm.exe |
    "UDP Query User{1520C292-B0FD-436E-B415-760511AC6AED}C:\program files\muratec\officebridge\scantopm\scantopm.exe" = protocol=17 | dir=in | app=c:\program files\muratec\officebridge\scantopm\scantopm.exe |
    "UDP Query User{5C4B400B-6094-49DB-92EA-A30E7EE21A83}C:\program files\muratec\officebridge\imonitor\imonitor2.exe" = protocol=17 | dir=in | app=c:\program files\muratec\officebridge\imonitor\imonitor2.exe |
    "UDP Query User{EF33E823-F947-465F-8BE8-8B64905E4AA0}C:\program files\muratec\officebridge\scantopm\scantopm.exe" = protocol=17 | dir=in | app=c:\program files\muratec\officebridge\scantopm\scantopm.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{01C5A10F-AD9B-405B-853A-6659841A1242}" = Microsoft SQL Server 2008 Policies
    "{06A9E630-DBA6-4D92-9DE7-A235AA6496C7}" = QuickBooks
    "{0700E22B-A422-40A5-BD20-04BF618CA0F9}" = QuickBooks Pro 2010
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{0B69EB78-AD50-47F3-811C-80540DA06A4C}" = Printer/Scanner Driver for MFX-1450/2050,F-525/565
    "{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
    "{17504ED4-DB08-40A8-81C2-27D8C01581DA}" = Windows Live Remote Service Resources
    "{196E77C5-F524-4B50-BD1A-2C21EEE9B8F7}" = Microsoft SQL Server 2008 Common Files
    "{19A4A990-5343-4FF7-B3B5-6F046C091EDF}" = Windows Live Remote Client
    "{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
    "{1EB9429A-A874-4BF0-961D-BDAAFB1641A6}" = Microsoft SQL Server 2005 Backward compatibility
    "{1F6A1825-474F-4124-9016-1168471D847B}" = Google Drive
    "{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{2020045B-8DCF-4449-8D5C-EB5BA37440F1}" = Microsoft SQL Server 2008 Management Studio
    "{227E8782-B2F4-4E97-B0EE-49DE9CC1C0C0}" = Windows Live Remote Service
    "{22AF6BEF-B0ED-4A81-AEBB-C5D446401F10}" = Microsoft Dynamics RMS Store Operations
    "{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java(TM) 6 Update 30
    "{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
    "{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in
    "{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
    "{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
    "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
    "{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
    "{354E9868-51A7-4CDA-B9FD-690603FCB3A2}" = Microsoft SQL Server 2008 Setup Support Files
    "{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
    "{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
    "{464B3406-A4D0-4914-910F-7CA4380DCC13}" = Windows Live Remote Client Resources
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4A6F34E2-09E5-4616-B227-4A26A488A6F9}" = Microsoft SQL Server 2008 Common Files
    "{4F44B5AE-82A6-4A8A-A3E3-E24D489728E3}" = Microsoft SQL Server 2008 Native Client
    "{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
    "{50816F92-1652-4A7C-B9BC-48F682742C4B}" = Messenger Companion
    "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
    "{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
    "{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
    "{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
    "{64CDE8F2-3791-46F5-BAD2-72FFF5252FAB}" = Microsoft SQL Server Compact 3.5 SP1 Query Tools English
    "{65CB4C08-C47B-4A7E-A6A4-50C06ADA5FC6}" = Adobe AIR
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{7645B631-3FAE-3B68-63D5-884943DC9303}" = PageOne Curator
    "{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core
    "{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
    "{83A5D4E9-7FE6-336D-9525-F1C879496014}" = Google Talk Plugin
    "{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_SMALLBUSINESSR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_SMALLBUSINESSR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{91120000-00CA-0000-0000-0000000FF1CE}" = Microsoft Office Small Business 2007
    "{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{9207A8EC-3B2D-4A4A-8BF7-957FC19BB3DE}" = Zebra Setup Utilities
    "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{95140000-007A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
    "{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
    "{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
    "{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
    "{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB}" = Microsoft Visual Studio Tools for Applications 2.0 - ENU
    "{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
    "{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
    "{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
    "{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
    "{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
    "{D3AE96EE-2876-4B3F-847C-D3A4AD689E43}" = LogMeIn
    "{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{D7EC8A27-CDA2-46AE-8A26-4104A04FA5BE}" = 32 Bit HP CIO Components Installer
    "{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
    "{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
    "{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
    "{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
    "{FA9C3624-C693-4423-8A8B-2BC2B9F607AB}" = Microsoft SQL Server 2008 Management Studio
    "{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
    "7-Zip" = 7-Zip 9.20
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "Autobahn" = NexDef Plug-in
    "com.pageone.Curator" = PageOne Curator
    "InstantArticleWizard" = InstantArticleWizard
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Security Client" = Microsoft Security Essentials
    "Microsoft SQL Server 10" = Microsoft SQL Server 2008
    "Microsoft SQL Server 10 Release" = Microsoft SQL Server 2008
    "Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
    "NVIDIA Display Control Panel" = NVIDIA Display Control Panel
    "NVIDIA Drivers" = NVIDIA Drivers
    "Out of the Park Baseball13" = Out of the Park Baseball 13
    "SMALLBUSINESSR" = Microsoft Office Small Business 2007
    "WinLiveSuite" = Windows Live Essentials
    "Zebra Font Downloader_is1" = Zebra Font Downloader
    "Zebra Setup Utilities" = Zebra Setup Utilities

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "FileZilla Client" = FileZilla Client 3.4.0
    "Google Chrome" = Google Chrome
    "GoToMeeting" = GoToMeeting 4.8.0.723
    "Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 7/25/2012 9:51:51 AM | Computer Name = FSDL-PC1 | Source = Application Hang | ID = 1002
    Description = The program msseces.exe version 4.0.1526.0 stopped interacting with
    Windows and was closed. To see if more information about the problem is available,
    check the problem history in the Action Center control panel. Process ID: 2524 Start
    Time: 01cd6a6c8cdd0298 Termination Time: 10 Application Path: C:\Program Files\Microsoft
    Security Client\msseces.exe Report Id: d7a15bf9-d65f-11e1-82e9-00221934c645

    Error - 7/25/2012 10:09:48 AM | Computer Name = FSDL-PC1 | Source = Microsoft Security Client Setup | ID = 100
    Description = HRESULT:0x8004FF11 Description:Can’t install Microsoft Security Essentials
    on a computer running in safe mode. Your computer is currently running in safe
    mode. To install Security Essentials, your computer must be running in normal mode.
    Please restart your computer in normal mode, and then try to run the Security Essentials
    Setup Wizard again. Error code:0x8004FF11.

    Error - 7/25/2012 12:35:36 PM | Computer Name = FSDL-PC1 | Source = Microsoft Security Client Setup | ID = 100
    Description = HRESULT:0x8004FF71 Description:Microsoft Security Essentials cannot
    be installed on your operating system. Windows Program Compatibility mode is not
    supported by this program. <a>For information about supported operating systems,
    see the online Help</a>. Error code:0x8004FF71.

    Error - 7/25/2012 1:07:53 PM | Computer Name = FSDL-PC1 | Source = VSS | ID = 8193
    Description =

    Error - 7/25/2012 1:11:57 PM | Computer Name = FSDL-PC1 | Source = VSS | ID = 8193
    Description =

    Error - 7/25/2012 3:30:29 PM | Computer Name = FSDL-PC1 | Source = QuickBooks | ID = 4
    Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
    Hand

    Error - 7/25/2012 3:30:29 PM | Computer Name = FSDL-PC1 | Source = QuickBooks | ID = 4
    Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
    Hand

    Error - 7/25/2012 3:30:29 PM | Computer Name = FSDL-PC1 | Source = QuickBooks | ID = 4
    Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
    Hand

    Error - 7/25/2012 3:30:42 PM | Computer Name = FSDL-PC1 | Source = QuickBooks | ID = 4
    Description = An unexpected error has occured in "QuickBooks Pro 2010": Got unexpected
    error 5 in call to NetShareGetInfo for path \\FSDL-RMSSRV\Intuit\QuickBooks\Company
    Files\Free State Discount Liquors Inc.Q

    Error - 7/25/2012 4:45:39 PM | Computer Name = FSDL-PC1 | Source = VSS | ID = 8193
    Description =

    [ OSession Events ]
    Error - 11/9/2011 4:17:46 AM | Computer Name = FSDL-PC1 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 647038
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 12/15/2011 4:19:34 AM | Computer Name = FSDL-PC1 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 581156
    seconds with 120 seconds of active time. This session ended with a crash.

    Error - 12/15/2011 4:19:35 AM | Computer Name = FSDL-PC1 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1339382
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 12/15/2011 4:19:36 AM | Computer Name = FSDL-PC1 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2393101
    seconds with 0 seconds of active time. This session ended with a crash.

    Error - 1/12/2012 4:18:08 AM | Computer Name = FSDL-PC1 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1096901
    seconds with 300 seconds of active time. This session ended with a crash.

    Error - 5/11/2012 3:25:48 AM | Computer Name = FSDL-PC1 | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.6612.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 148428
    seconds with 0 seconds of active time. This session ended with a crash.

    [ System Events ]
    Error - 2/13/2012 11:01:33 PM | Computer Name = FSDL-PC1 | Source = UmrdpService | ID = 1111
    Description = Driver Amyuni Document Converter 400 required for printer Quicken
    PDF Printer is unknown. Contact the administrator to install the driver before you
    log in again.

    Error - 2/16/2012 4:22:55 AM | Computer Name = FSDL-PC1 | Source = SNMP | ID = 16713180
    Description = The SNMP Service encountered an error while accessing the registry
    key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.

    Error - 2/18/2012 11:25:03 PM | Computer Name = FSDL-PC1 | Source = UmrdpService | ID = 1111
    Description = Driver HP Universal Printing PS required for printer !!CASEYSLAPTOP-PC!HP
    Color LaserJet 2605/2605dn/2605dtn PS UPD PS is unknown. Contact the administrator
    to install the driver before you log in again.

    Error - 2/18/2012 11:25:04 PM | Computer Name = FSDL-PC1 | Source = UmrdpService | ID = 1111
    Description = Driver Send To Microsoft OneNote 2010 Driver required for printer
    Send To OneNote 2010 is unknown. Contact the administrator to install the driver
    before you log in again.

    Error - 2/18/2012 11:25:05 PM | Computer Name = FSDL-PC1 | Source = UmrdpService | ID = 1111
    Description = Driver HP Color LaserJet 2605/2605dn/2605dtn PS required for printer
    HP Color LaserJet 2605dn UPD PCL 5 is unknown. Contact the administrator to install
    the driver before you log in again.

    Error - 2/18/2012 11:25:10 PM | Computer Name = FSDL-PC1 | Source = UmrdpService | ID = 1111
    Description = Driver Amyuni Document Converter 400 required for printer Quicken
    PDF Printer is unknown. Contact the administrator to install the driver before you
    log in again.

    Error - 2/23/2012 9:46:22 AM | Computer Name = FSDL-PC1 | Source = UmrdpService | ID = 1111
    Description = Driver HP Universal Printing PS required for printer !!CASEYSLAPTOP-PC!HP
    Color LaserJet 2605/2605dn/2605dtn PS UPD PS is unknown. Contact the administrator
    to install the driver before you log in again.

    Error - 2/23/2012 9:46:23 AM | Computer Name = FSDL-PC1 | Source = UmrdpService | ID = 1111
    Description = Driver Send To Microsoft OneNote 2010 Driver required for printer
    Send To OneNote 2010 is unknown. Contact the administrator to install the driver
    before you log in again.

    Error - 2/23/2012 9:46:25 AM | Computer Name = FSDL-PC1 | Source = UmrdpService | ID = 1111
    Description = Driver HP Color LaserJet 2605/2605dn/2605dtn PS required for printer
    HP Color LaserJet 2605dn UPD PCL 5 is unknown. Contact the administrator to install
    the driver before you log in again.

    Error - 2/23/2012 9:46:29 AM | Computer Name = FSDL-PC1 | Source = UmrdpService | ID = 1111
    Description = Driver Amyuni Document Converter 400 required for printer Quicken
    PDF Printer is unknown. Contact the administrator to install the driver before you
    log in again.


    < End of report >
     
  14. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      [2012/07/25 18:52:52 | 000,000,000 | ---D | C] -- C:\FRST
      [2012/01/11 12:51:09 | 000,002,048 | -HS- | C] () -- C:\Windows\System32\config\systemprofile\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\@
      
      
      :Services
      
      :Reg
      
      :Files
      C:\Windows\System32\config\systemprofile\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =======================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If Eset doesn't find any threats, it won't produce any log.
     
  15. Josh1976

    Josh1976 TS Rookie Topic Starter

    Farbar Service Scanner Version: 26-07-2012
    Ran by user (administrator) on 28-07-2012 at 10:35:30
    Running from "C:\Users\user\Downloads"
    Microsoft Windows 7 Professional Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============
    BITS Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.


    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============

    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is set to Auto
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
     
  16. Josh1976

    Josh1976 TS Rookie Topic Starter

    Results of screen317's Security Check version 0.99.43
    Windows 7 Service Pack 1 x86 (UAC is disabled!)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.62.0.1300
    Java(TM) 6 Update 30
    Java version out of Date!
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Flash Player10.3.181.34 Flash Player out of Date!
    Adobe Reader X (10.1.3)
    Google Chrome 20.0.1132.47
    Google Chrome 20.0.1132.57
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````

    Getting user folders.

    Stopping running processes.

    Emptying Temp folders.


    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: sysadmin
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: user
    ->Temp folder emptied: 26973155 bytes
    ->Temporary Internet Files folder emptied: 41247 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 13111451 bytes
    ->Flash cache emptied: 2027 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 7077 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 290090234 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 1736 bytes

    Emptying RecycleBin. Do not interrupt.

    RecycleBin emptied: 0 bytes
    Process complete!

    Total Files Cleaned = 315.00 mb
     
  17. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Eset?
     
  18. Josh1976

    Josh1976 TS Rookie Topic Starter

    C:\TDSSKiller_Quarantine\25.07.2012_17.48.03\mbr0000\tdlfs0000\tsk0002.dta	Win64/Olmarik.AK trojan	cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\25.07.2012_17.48.03\mbr0000\tdlfs0000\tsk0003.dta	Win32/Olmarik.AYH trojan	cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\25.07.2012_17.48.03\mbr0000\tdlfs0000\tsk0004.dta	Win64/Olmarik.AL trojan	cleaned by deleting - quarantined
    C:\TDSSKiller_Quarantine\25.07.2012_17.48.03\mbr0000\tdlfs0000\tsk0006.dta	Win64/Olmarik.AK trojan	cleaned by deleting - quarantined
    C:\Users\user\Documents\Featured selection\Josh's Folder\Coon inc\MicroNicheFinder5.5.7.rar	a variant of Win32/Packed.Themida application	deleted - quarantined
     
  19. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Update Adobe Flash Player
    Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

    =========================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ==============================================

    We have one corrupted registry key affecting Windows updates.

    The following steps involve registry editing. Please create a new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


    Download Seven.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
    Unzip the file.
    You'll find several files inside.
    Double click on bits.reg file and confirm the prompt.
    Restart computer.
    Post new FSS log.
     
  20. Josh1976

    Josh1976 TS Rookie Topic Starter

    Farbar Service Scanner Version: 26-07-2012
    Ran by user (administrator) on 29-07-2012 at 10:56:35
    Running from "C:\Users\user\Documents\Featured selection\Josh's Folder\728"
    Microsoft Windows 7 Professional Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============

    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is set to Auto
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
     
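    Added example (not from this thread and not part of Farbar's tool): a PowerShell script that re-runs the kind of service-configuration and disable-policy checks the FSS log above reports, so the state can be confirmed on the machine after cleanup. The expected start types and the list of policy values are assumptions (Windows 7 defaults and the documented policy locations); the one default the log itself states is Auto for WinDefend. Run it from an elevated PowerShell 3.0 or later session.

```powershell
# Added example: re-check what the FSS log reports (service start type,
# running state, and "disabled by policy" registry values).
# Assumption: the expected start modes below are Windows 7 defaults.
$expectedStart = @{
    'wscsvc'    = 'Auto'   # Security Center (Action Center)
    'WinDefend' = 'Auto'   # Windows Defender; the log states Auto as default
    'MpsSvc'    = 'Auto'   # Windows Firewall
    'wuauserv'  = 'Auto'   # Windows Update
}

# Registry values that switch a protection off. Which keys FSS reads is not
# shown on this page; these are the documented policy locations (assumption).
# "Bad" is the value that means "disabled" for that setting.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                          Name = 'DisableAntiSpyware'; Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                 Name = 'DisableAntiSpyware'; Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';        Name = 'NoAutoUpdate';       Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableSR';          Bad = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall';     Bad = 0 }
)

function Test-ServiceConfig {
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled), State and the
        # binary path, which is what FSS summarises as start type and ImagePath.
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if (-not $svc) { "$name : service is MISSING"; continue }
        $line = "$name : start=$($svc.StartMode) state=$($svc.State) path=$($svc.PathName)"
        if ($svc.StartMode -ne $Expected[$name]) {
            $line += "  <-- start type differs from expected $($Expected[$name])"
        }
        if ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running') {
            $line += "  <-- Auto service is not running"
        }
        $line
    }
}

function Test-DisablePolicies {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        # A missing value means no policy is set, which is the normal state.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $value = $item.($c.Name)
        $flag = if ($value -eq $c.Bad) { '  <-- DISABLED BY POLICY' } else { '' }
        "$($c.Path)\$($c.Name) = $value$flag"
    }
}

Test-ServiceConfig -Expected $expectedStart
Test-DisablePolicies -Checks $policyChecks
```

    On the state shown in the log above, this script would flag WinDefend (start type Demand instead of Auto) and the DisableAntiSpyware value of 1 under HKLM\SOFTWARE\Microsoft\Windows Defender. Both are also routinely set by third-party antivirus installers, so confirm whether an installed security product is responsible before changing them. The script does not reproduce FSS's MD5 file check; on the machine itself, `sfc /verifyonly` is the built-in way to verify the integrity of protected system files.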
  21. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
     
  22. Josh1976

    Josh1976 TS Rookie Topic Starter

    I completed all the steps above, but forgot to copy the log before I deleted it... All seems to be going well so far.. Thank you for your support.
     
  23. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Way to go!!
    Good luck and stay safe :)
     