nethog

join:2006-12-08
Canton, MI


[RESOLVED][Rootkit] rootkit virus? - Nethog Post 1 of 2

I seem to have some kind of rootkit virus, since this is mentioned every time I boot by Malwarebytes. My Norton AV was corrupted so I uninstalled it, but could not reinstall it due to an error. Please help!
I performed all of the mandatory steps... Unfortunately, when I tried to post all of the log files the size was around 80 kbytes, so I will post in two parts:
Regards, Nethog

This is the *first* post with mbom.log & otl.txt

Mbom.log

2012/08/14 06:03:08 -0400 LAPTOP Peter MESSAGE Starting protection
2012/08/14 06:03:12 -0400 LAPTOP Peter MESSAGE Protection started successfully
2012/08/14 06:03:15 -0400 LAPTOP Peter MESSAGE Starting IP protection
2012/08/14 06:03:15 -0400 LAPTOP Peter ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753
2012/08/14 06:04:21 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access QUARANTINE
2012/08/14 06:05:25 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:06:06 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:07:09 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:07:56 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:08:09 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:08:22 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:09:09 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:10:10 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:11:10 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:12:10 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:13:10 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:14:11 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:15:11 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:16:11 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:17:11 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:18:11 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:19:05 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:19:06 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:19:08 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:19:09 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:19:12 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:20:12 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:21:12 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:22:12 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:23:01 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:23:02 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:23:12 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:24:13 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:25:13 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:26:13 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:27:08 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:27:09 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:27:13 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:28:14 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:28:33 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:29:14 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:30:14 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:31:14 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:32:14 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:33:15 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:34:15 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:35:15 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:36:15 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:37:14 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:37:16 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:38:16 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:39:16 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 17:50:25 -0400 LAPTOP Peter MESSAGE Starting protection
2012/08/14 17:50:29 -0400 LAPTOP Peter MESSAGE Protection started successfully
2012/08/14 17:50:32 -0400 LAPTOP Peter MESSAGE Starting IP protection
2012/08/14 17:50:32 -0400 LAPTOP Peter ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753
2012/08/14 17:54:24 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access QUARANTINE
2012/08/14 17:54:24 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 17:57:09 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 17:57:29 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 17:58:30 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 17:59:30 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:00:30 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:01:30 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:02:30 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:03:31 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:04:31 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:05:31 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:06:31 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:07:32 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:08:32 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:09:32 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:10:32 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:11:32 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:12:33 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:13:33 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:14:33 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:15:33 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:16:33 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:17:34 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:18:34 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:19:34 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:20:34 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:21:35 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:22:35 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:23:35 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:24:35 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:25:35 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:26:36 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:27:36 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:28:36 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:29:36 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:30:37 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:31:37 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:32:37 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:33:38 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:34:38 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:35:38 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:36:40 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:37:40 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:38:41 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:39:41 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:40:41 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:40:43 -0400 LAPTOP Peter MESSAGE Executing scheduled update: Daily
2012/08/14 18:40:51 -0400 LAPTOP Peter MESSAGE Starting database refresh
2012/08/14 18:40:51 -0400 LAPTOP Peter MESSAGE Scheduled update executed successfully: database updated from version v2012.08.13.07 to version v2012.08.14.07
2012/08/14 18:40:54 -0400 LAPTOP Peter MESSAGE Database refreshed successfully
2012/08/14 19:49:47 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access QUARANTINE
2012/08/14 19:49:48 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@ Rootkit.0Access QUARANTINE
2012/08/14 19:49:49 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@ Rootkit.0Access DENY
2012/08/14 19:49:49 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@ Rootkit.0Access DENY
2012/08/14 19:49:51 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:49:52 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:50:54 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:51:27 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:51:54 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:52:54 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:53:55 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:54:55 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:55:55 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:56:55 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:57:55 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:58:56 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:59:56 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:00:56 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:01:56 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:02:57 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:03:57 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:04:57 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:05:57 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:06:57 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:07:58 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:08:00 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:08:10 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:08:58 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:09:58 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:10:59 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:11:59 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:12:59 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:13:59 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:14:59 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:16:00 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:17:00 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:18:00 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:19:01 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:20:01 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:21:01 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:22:01 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:23:02 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:24:02 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:25:02 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:26:02 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:27:03 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:28:03 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY

Otl.txt

OTL logfile created on: 8/14/2012 6:08:26 AM - Run 1
OTL by OldTimer - Version 3.2.57.0 Folder = C:\Users\Peter\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.65 Gb Available Physical Memory | 66.33% Memory free
7.99 Gb Paging File | 6.31 Gb Available in Paging File | 78.92% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 285.50 Gb Total Space | 170.52 Gb Free Space | 59.73% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 4.00 Gb Free Space | 39.97% Space Free | Partition Type: NTFS

Computer Name: LAPTOP | User Name: Peter | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/08/14 06:07:30 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\Peter\Desktop\OTL.exe
PRC - [2012/08/03 14:46:18 | 000,066,160 | ---- | M] (White Sky, Inc.) -- C:\Program Files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe
PRC - [2012/08/03 14:46:16 | 006,530,160 | ---- | M] (White Sky, Inc.) -- C:\Program Files (x86)\Constant Guard Protection Suite\IDVault.exe
PRC - [2012/07/19 12:59:40 | 000,519,168 | ---- | M] (LOL Replay) -- C:\Program Files (x86)\LOLReplay\LOLRecorder.exe
PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/07/03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/04/04 01:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/11/29 22:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton Online\Engine\2.3.0.7\ccsvchst.exe
PRC - [2011/10/15 04:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2011/10/15 01:54:40 | 000,381,248 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2011/10/13 22:37:26 | 000,075,136 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2011/07/05 10:24:06 | 000,395,528 | ---- | M] (StrikeForce Technologies Inc.) -- C:\Program Files (x86)\SFT\GuardedID\GIDD.exe
PRC - [2011/06/03 11:04:26 | 000,979,360 | ---- | M] (Razer USA Ltd) -- C:\Program Files (x86)\Razer\Imperator\RazerImperatorSysTray.exe
PRC - [2010/11/20 23:25:10 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PRC - [2010/08/03 09:43:02 | 000,522,824 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
PRC - [2007/05/09 17:01:00 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe

========== Modules (No Company Name) ==========

MOD - [2012/08/03 14:46:17 | 000,104,048 | ---- | M] () -- C:\Program Files (x86)\Constant Guard Protection Suite\IdVaultCore.XmlSerializers.dll
MOD - [2012/07/19 12:59:38 | 000,290,816 | ---- | M] () -- C:\Program Files (x86)\LOLReplay\LOLUtils.dll
MOD - [2012/06/15 14:46:39 | 000,240,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\f2f8201dd3453250dfd9ed1afce630a0\WindowsFormsIntegration.ni.dll
MOD - [2012/06/15 14:46:37 | 001,358,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\e3e5aa45736b95804bf6bb7eca08a57b\System.WorkflowServices.ni.dll
MOD - [2012/06/14 06:40:34 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\69ca4a43ba14b66689715ad62aed70e6\System.ServiceProcess.ni.dll
MOD - [2012/06/14 06:40:28 | 001,840,640 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\761fd1afc17f11bf6d49c3a7d16465ca\System.Web.Services.ni.dll
MOD - [2012/06/14 06:40:26 | 011,833,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\a501b7960f6c6e2e39162b83f3303aaa\System.Web.ni.dll
MOD - [2012/06/14 06:40:09 | 014,340,608 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e717a230496832656b05b515eb9f3bc5\PresentationFramework.ni.dll
MOD - [2012/06/14 06:39:39 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll
MOD - [2012/06/14 06:39:31 | 001,591,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll
MOD - [2012/06/14 06:39:11 | 012,237,824 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\14a87218ea49639f38097e278b98a3da\PresentationCore.ni.dll
MOD - [2012/05/12 18:13:48 | 001,707,008 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\ed560b26f2f86b3f07b7f6d384f92275\System.ServiceModel.Web.ni.dll
MOD - [2012/05/12 18:08:55 | 001,051,136 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\9b2f17fb61b7197f2a04108f5d1a1cc6\System.Management.ni.dll
MOD - [2012/05/12 18:07:07 | 001,083,392 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\2ce8210219c7123610072357358df470\System.IdentityModel.ni.dll
MOD - [2012/05/12 18:07:05 | 002,347,008 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\72a24b45e11d64eb2bc840aae9419ba5\System.Runtime.Serialization.ni.dll
MOD - [2012/05/12 18:07:02 | 000,256,000 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\9e7bf69d97febe4ed1a288c787e5d9ca\SMDiagnostics.ni.dll
MOD - [2012/05/12 18:06:57 | 017,478,656 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\107779ca2708d2b31b2e1560e47f6d15\System.ServiceModel.ni.dll
MOD - [2012/05/11 06:15:14 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8e56489276063ededde74e597a121df3\PresentationFramework.Aero.ni.dll
MOD - [2012/05/11 06:14:47 | 006,611,456 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\f3814b488d9e083cbbc623e01b389f09\System.Data.ni.dll
MOD - [2012/05/11 06:13:08 | 000,060,928 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\ca2eff60beb3ba00a529a2d42dceca22\UIAutomationProvider.ni.dll
MOD - [2012/05/11 06:12:42 | 003,347,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\46fce56db7685a586d3eeb7c373e3c1c\WindowsBase.ni.dll
MOD - [2012/05/11 06:12:39 | 000,680,448 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\054fcff18035c210487b0888e6461192\System.Security.ni.dll
MOD - [2012/05/11 06:12:33 | 005,452,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
MOD - [2012/05/11 06:12:24 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
MOD - [2012/05/11 06:12:22 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
MOD - [2012/05/11 06:11:24 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
MOD - [2011/05/28 22:04:56 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt32.dll
MOD - [2011/05/14 18:16:59 | 008,007,680 | ---- | M] () -- C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll
MOD - [2011/03/17 01:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/11/20 23:24:09 | 000,232,448 | ---- | M] () -- \\.\globalroot\systemroot\syswow64\mswsock.dll
MOD - [2010/11/20 23:24:08 | 002,927,616 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2010/10/20 16:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll
MOD - [2009/06/12 16:32:16 | 000,104,456 | ---- | M] () -- C:\Windows\SysWOW64\EasyHook32.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/07/13 21:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2008/02/22 16:49:18 | 000,592,464 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (nicconfigsvc)
SRV - [2012/08/07 23:08:16 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/08/03 14:46:18 | 000,066,160 | ---- | M] (White Sky, Inc.) [Auto | Running] -- C:\Program Files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe -- (IDVaultSvc)
SRV - [2012/07/12 15:16:55 | 000,008,704 | ---- | M] (Hi-Rez Studios) [Auto | Running] -- C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe -- (HiPatchService)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/06/18 22:30:33 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/04/04 01:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/11/29 22:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton Online\Engine\2.3.0.7\ccSvcHst.exe -- (NOF)
SRV - [2011/10/15 04:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/10/15 01:54:40 | 000,381,248 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2011/10/13 22:37:26 | 000,075,136 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/07/03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012/02/09 07:11:31 | 000,175,736 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2011/11/16 23:38:00 | 000,218,232 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NSMx64\0203000.016\symrdrs.sys -- (SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A})
DRV:64bit: - [2011/11/04 19:59:30 | 000,167,048 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NOFx64\0203000.007\ccsetx64.sys -- (ccSet_NOF)
DRV:64bit: - [2011/07/05 10:18:38 | 000,029,288 | ---- | M] (StrikeForce Technologies, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\gidv2.sys -- (GIDv2)
DRV:64bit: - [2011/04/13 15:04:38 | 000,045,432 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)
DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 23:24:43 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2010/11/20 23:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 23:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub)
DRV:64bit: - [2010/11/20 23:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc)
DRV:64bit: - [2010/11/20 23:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/20 23:23:48 | 000,034,816 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt)
DRV:64bit: - [2010/11/20 23:23:47 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2010/11/20 23:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 23:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/04/14 01:01:44 | 000,054,824 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btusbflt.sys -- (btusbflt)
DRV:64bit: - [2010/03/23 02:53:04 | 001,101,600 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ae1000w7.sys -- (AE1000)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/25 17:04:20 | 000,067,584 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimmpx64.sys -- (rimmptsk)
DRV:64bit: - [2009/06/25 16:38:52 | 000,057,856 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rixdpx64.sys -- (rismxdp)
DRV:64bit: - [2009/06/25 16:13:44 | 000,055,296 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimspx64.sys -- (rimsptsk)
DRV:64bit: - [2009/06/10 16:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2007/10/26 14:39:14 | 000,315,440 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2007/10/10 17:03:00 | 000,266,624 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV:64bit: - [2007/03/05 10:55:48 | 000,012,288 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7F 3E 3B D7 ED 44 CC 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_270.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{6D5C8FC4-DE46-41bf-9092-93F0F78E9115}: C:\ProgramData\Norton\{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}\NSM_2.2.0.28\coFFFw\ [2012/08/14 06:01:03 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (Constant Guard Protection Suite (COM)) - {B84CDBE7-1B46-494B-A188-01D4C52DEB61} - C:\ProgramData\White Sky, Inc\ID Vault\IEBHO1.1.730.1\NativeBHO.dll (WhiteSky)
O2 - BHO: (Norton Safety Minder BHO) - {B8E07826-0971-4f16-B133-047B88034E89} - C:\Program Files (x86)\Norton Online\AddOns\Norton Safety Minder\Engine\2.3.0.22\coieplg.dll (Symantec Corporation)
O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll (Yontoo LLC)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4:64bit: - HKLM..\Run: [IntelliPoint] c:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Launch LCDMon] C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe (Logitech Inc.)
O4:64bit: - HKLM..\Run: [Launch LgDeviceAgent] C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe (Logitech Inc.)
O4:64bit: - HKLM..\Run: [NVHotkey] C:\Windows\SysNative\nvHotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [GIDDesktop] C:\Program Files (x86)\SFT\GuardedID\gidd.exe (StrikeForce Technologies Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [Razer Imperator Driver] C:\Program Files (x86)\Razer\Imperator\RazerImperatorSysTray.exe (Razer USA Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000011 - mmswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} http://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{55708DA7-02EF-43EA-A72C-E5767C41A951}: DhcpNameServer = 68.87.77.134 68.87.72.134 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7D41AF3F-544D-4E59-8FA5-CD15332DCC21}: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C7A6B14E-934F-4523-AFEA-1CC2E11C0C7E}: DhcpNameServer = 68.87.77.134 68.87.72.134 192.168.1.1
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/08/14 06:07:30 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Users\Peter\Desktop\OTL.exe
[2012/08/13 22:40:08 | 000,000,000 | ---D | C] -- C:\ProgramData\IsolatedStorage
[2012/08/13 22:40:08 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\ID Vault
[2012/08/13 22:39:40 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\ID Vault
[2012/08/13 22:39:23 | 000,029,288 | ---- | C] (StrikeForce Technologies, Inc.) -- C:\Windows\SysNative\drivers\gidv2.sys
[2012/08/13 22:39:22 | 000,467,224 | ---- | C] (StrikeForce Technologies Inc.) -- C:\Windows\SysNative\GIDHOOK64.DLL
[2012/08/13 22:39:22 | 000,446,752 | ---- | C] (StrikeForce Technologies Inc.) -- C:\Windows\SysNative\GIDHookLogon64.dll
[2012/08/13 22:39:22 | 000,206,608 | ---- | C] (StrikeForce Technologies Inc.) -- C:\Windows\SysNative\GIDBIN1.DLL
[2012/08/13 22:39:22 | 000,102,160 | ---- | C] (StrikeForce Technologies Inc.) -- C:\Windows\SysNative\GIDBIN3.DLL
[2012/08/13 22:39:22 | 000,065,816 | ---- | C] (StrikeForce Technologies Inc.) -- C:\Windows\SysNative\GIDLogonCP64.dll
[2012/08/13 22:39:19 | 000,000,000 | ---D | C] -- C:\ProgramData\GID
[2012/08/13 22:39:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SFT
[2012/08/13 22:38:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Constant Guard Protection Suite
[2012/08/13 22:38:43 | 000,000,000 | ---D | C] -- C:\ProgramData\White Sky, Inc
[2012/08/13 22:31:20 | 057,442,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MRT.exe
[2012/08/13 20:18:58 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Malwarebytes
[2012/08/13 20:18:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/08/13 20:18:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/08/13 20:18:10 | 010,652,120 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Peter\Desktop\mbam-setup-1.62.0.1300.exe
[2012/08/13 20:08:32 | 000,448,512 | ---- | C] (OldTimer Tools) -- C:\Users\Peter\Desktop\TFC.exe
[2012/08/13 20:07:22 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%
[2012/08/13 18:51:40 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\NPE
[2012/08/13 18:50:16 | 002,841,104 | ---- | C] (Symantec Corporation) -- C:\Users\Peter\Desktop\NPE.exe
[2012/08/13 18:47:20 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Tific
[2012/08/13 18:46:54 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\Symantec
[2012/08/07 22:05:18 | 000,000,000 | ---D | C] -- C:\Users\Peter\Documents\LOLReplay
[2012/07/27 10:22:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Yontoo
[2012/07/27 10:22:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Tarma Installer
[2012/07/16 16:32:17 | 003,673,600 | ---- | C] (Dxtory Software) -- C:\Windows\SysNative\DxtoryCodec64.dll
[2012/07/16 16:32:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dxtory2.0
[2012/07/16 16:32:15 | 003,166,720 | ---- | C] (Dxtory Software) -- C:\Windows\SysWow64\DxtoryCodec.dll
[2012/07/16 16:32:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Dxtory Software

========== Files - Modified Within 30 Days ==========

[2012/08/14 06:11:00 | 000,000,564 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2012/08/14 06:09:00 | 000,000,506 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2012/08/14 06:08:19 | 000,020,496 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/14 06:08:19 | 000,020,496 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/14 06:08:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/08/14 06:07:30 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\Peter\Desktop\OTL.exe
[2012/08/14 06:00:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/08/14 06:00:25 | 3219,701,760 | -HS- | M] () -- C:\hiberfil.sys
[2012/08/13 22:39:04 | 000,002,279 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Constant Guard.lnk
[2012/08/13 22:39:04 | 000,002,261 | ---- | M] () -- C:\Users\Public\Desktop\Constant Guard.lnk
[2012/08/13 20:18:54 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/08/13 20:18:10 | 010,652,120 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Peter\Desktop\mbam-setup-1.62.0.1300.exe
[2012/08/13 20:08:44 | 000,448,512 | ---- | M] (OldTimer Tools) -- C:\Users\Peter\Desktop\TFC.exe
[2012/08/13 18:50:17 | 002,841,104 | ---- | M] (Symantec Corporation) -- C:\Users\Peter\Desktop\NPE.exe
[2012/08/07 23:08:16 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/08/07 23:08:16 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012/07/28 15:48:20 | 000,002,707 | ---- | M] () -- C:\Users\Public\Desktop\Norton Online Family.lnk
[2012/07/20 12:10:09 | 000,001,993 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\LOLRecorder.lnk
[2012/07/20 12:09:55 | 000,001,901 | ---- | M] () -- C:\Users\Public\Desktop\LOL Recorder.lnk

========== Files Created - No Company Name ==========

[2012/08/14 06:05:25 | 000,092,160 | ---- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@
[2012/08/13 22:39:22 | 000,109,064 | ---- | C] () -- C:\Windows\SysNative\EasyHook64.dll
[2012/08/13 22:39:04 | 000,002,279 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Constant Guard.lnk
[2012/08/13 22:39:04 | 000,002,273 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Constant Guard.lnk
[2012/08/13 22:39:04 | 000,002,261 | ---- | C] () -- C:\Users\Public\Desktop\Constant Guard.lnk
[2012/08/13 22:20:29 | 000,232,960 | ---- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\00000008.@
[2012/08/13 22:19:59 | 000,001,632 | ---- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@
[2012/08/13 20:18:54 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/08/13 19:58:07 | 000,080,896 | ---- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000064.@
[2012/08/13 19:58:07 | 000,000,804 | ---- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\L\00000004.@
[2012/08/13 19:58:05 | 000,016,896 | ---- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000000.@
[2012/08/13 19:57:42 | 000,002,048 | ---- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\00000004.@
[2012/07/16 18:30:01 | 000,081,370 | ---- | C] () -- C:\vl.class
[2012/07/16 18:30:01 | 000,046,467 | ---- | C] () -- C:\ModLoader.class
[2012/07/16 18:30:01 | 000,022,590 | ---- | C] () -- C:\adl.class
[2012/07/16 18:30:01 | 000,006,409 | ---- | C] () -- C:\ahu.class
[2012/07/16 18:30:01 | 000,006,104 | ---- | C] () -- C:\alj.class
[2012/07/16 18:30:01 | 000,005,034 | ---- | C] () -- C:\uu.class
[2012/07/16 18:30:01 | 000,004,949 | ---- | C] () -- C:\ko.class
[2012/07/16 18:30:01 | 000,004,745 | ---- | C] () -- C:\ahg.class
[2012/07/16 18:30:01 | 000,004,026 | ---- | C] () -- C:\fq.class
[2012/07/16 18:30:01 | 000,003,651 | ---- | C] () -- C:\BaseMod.class
[2012/07/16 18:30:01 | 000,003,366 | ---- | C] () -- C:\alb.class
[2012/07/16 18:30:01 | 000,003,020 | ---- | C] () -- C:\ModTextureStatic.class
[2012/07/16 18:30:01 | 000,002,740 | ---- | C] () -- C:\vx.class
[2012/07/16 18:30:01 | 000,002,443 | ---- | C] () -- C:\amn.class
[2012/07/16 18:30:01 | 000,002,411 | ---- | C] () -- C:\ModTextureAnimation.class
[2012/07/16 18:30:01 | 000,001,422 | ---- | C] () -- C:\ajv.class
[2012/07/16 18:30:01 | 000,001,333 | ---- | C] () -- C:\ahy.class
[2012/07/16 18:30:01 | 000,000,589 | ---- | C] () -- C:\EntityRendererProxy.class
[2012/07/16 18:30:01 | 000,000,528 | ---- | C] () -- C:\MLProp.class
[2012/01/11 07:19:23 | 000,002,048 | -HS- | C] () -- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{a406e640-2847-144d-ca12-b5496dd1d4e7}\@
[2012/01/11 07:19:23 | 000,002,048 | -HS- | C] () -- C:\Windows\System32\config\systemprofile\AppData\Local\{a406e640-2847-144d-ca12-b5496dd1d4e7}\@
[2012/01/11 07:19:23 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\@
[2011/12/03 08:19:02 | 000,000,632 | RHS- | C] () -- C:\Users\Peter\ntuser.pol
[2011/10/29 15:51:53 | 000,187,612 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
[2011/10/15 01:54:52 | 000,321,856 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe
[2011/10/13 22:39:19 | 000,266,752 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2011/10/13 22:37:26 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2011/09/28 17:44:14 | 000,179,271 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011/08/01 07:23:35 | 000,756,022 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/05/29 16:09:51 | 000,040,127 | ---- | C] () -- C:\Windows\DIIUnin.dat

========== LOP Check ==========

[2012/08/14 06:10:19 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\ID Vault
[2011/12/18 13:17:26 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\iolo
[2012/08/13 18:47:20 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\Tific
[2012/08/14 06:11:00 | 000,000,564 | ---- | M] () -- C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
[2012/05/16 15:18:42 | 000,032,584 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012/08/14 06:09:00 | 000,000,506 | ---- | M] () -- C:\Windows\Tasks\SystemToolsDailyTest.job

========== Purity Check ==========


lilhurricane
Premium,Mod

Re: [Rootkit] rootkit virus? - Nethog Post 1 of 2

Hi nethog

Please make sure to use the reply button vs the "new topic" button - it helps keep things in one place for easier analysis.

I am re-posting for you here:

>I seem to have some kind of rootkit virus since this is mentioned every time I boot by Malwarebytes. My Norton AV was corrupted so I uninstalled it but could not reinstall it due to an error. Please help!
>I performed all of the mandatory steps... Unfortunately, when I tried to post all of the log files the size is around 80 kbytes so I will post in two parts:
>Regards, Nethog

*second* post containing: extras.txt, checkup.txt, & online scan results

Extras.txt
OTL Extras logfile created on: 8/14/2012 6:08:26 AM - Run 1
OTL by OldTimer - Version 3.2.57.0 Folder = C:\Users\Peter\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.65 Gb Available Physical Memory | 66.33% Memory free
7.99 Gb Paging File | 6.31 Gb Available in Paging File | 78.92% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 285.50 Gb Total Space | 170.52 Gb Free Space | 59.73% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 4.00 Gb Free Space | 39.97% Space Free | Partition Type: NTFS

Computer Name: LAPTOP | User Name: Peter | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[color=#E56717]========== Security Center Settings ==========[/color]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

[color=#E56717]========== Firewall Settings ==========[/color]

[color=#E56717]========== Authorized Applications List ==========[/color]

[color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0090A87C-3E0E-43D4-AA71-A71B06563A4A}" = Dell Support Center
"{3ED4AD02-F631-4A4C-AAC8-2325996E5A56}" = Microsoft IntelliPoint 8.1
"{5563A0F6-CF81-451E-87AD-A50075BCA9B7}" = QuickSet
"{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = Yontoo 1.10.02
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
"{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9B48B0AC-C813-4174-9042-476A887592C7}" = Windows Live ID Sign-in Assistant
"{A1E85B9A-AFAD-4D38-AF01-6B020DD5213A}" = Logitech GamePanel Software 3.06.109
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 285.62
"{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 285.62
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 285.62
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller Driver 285.62
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.11.0621
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.5.20
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Blender" = Blender
"Creative OEM002" = Laptop Integrated Webcam Driver (1.04.01.1011)
"Dell Support Center" = Dell Support Center
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft IntelliPoint 8.1" = Microsoft IntelliPoint 8.1
"SynTPDeinstKey" = Dell Touchpad
"WinRAR archiver" = WinRAR 4.01 (64-bit)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0CA38F52-F0FA-4B9F-8A36-EC8A9609FBBC}" = Halo 2 for Windows Vista
"{1EAC1D02-C6AC-4FA6-9A44-96258C37C812}_is1" = World of Tanks v.0.6.4
"{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java(TM) 6 Update 29
"{2B818257-E6C7-4841-8C29-C5C9A982BCE5}" = RICOH Media Driver ver.2.07.01.04
"{328687A2-2504-49FA-AE3E-08B0DEDB51EC}" = MSRedist
"{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF017}" = Smite Closed Beta
"{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF1FC}" = Hi-Rez Studios Authenticate and Update Service
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CB0307C-565E-4441-86BE-0DF2E4FB828C}" = Microsoft Games for Windows Marketplace
"{58E5AF4D-F896-41E6-9CA0-ECC4816B8C67}" = Ace of Spades
"{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71320E4D-A4B8-4C7E-805F-7541CBFB97DD}" = Razer Imperator (2012) Firmware Updater
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7F6D7FD9-648D-4DD9-BB6E-3990C675ECA4}" = NVIDIA PhysX
"{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}" = Microsoft Games for Windows - LIVE Redistributable
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUSR_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUSR_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{967EF02C-5C7E-4718-8FCB-BDC050190CCF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0116-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{91140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{9191979D-821C-4EA8-B021-2DA1D859A7C5}" = GuardedID
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{C05905B9-775A-4894-A4DF-B57C15250958}" = Razer Imperator
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D6174060-52D9-4886-8DBF-4EBF7C1CBCAA}" = MSRedx64
"{ED50ECE9-EC54-4C05-B5ED-EE4741A9F2EC}" = Battlefield 2142
"12bbe590-c890-11d9-9669-0800200c9a66_is1" = The Lord of the Rings Online™ v03.03.05.8039
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Blender" = Blender (remove only)
"Blockland" = Blockland
"Cisco Connect" = Cisco Connect
"Diablo II" = Diablo II
"Dxtory2.0_is1" = Dxtory version 2.0.117
"Halo 2" = Halo 2 for Windows Vista
"ID Vault" = Constant Guard Protection Suite
"LOLReplay" = LOLReplay
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"NOF" = Norton Online
"NSM" = Norton Safety Minder
"NVIDIA StereoUSB Driver" = NVIDIA 3D Vision Controller Driver
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Office14.PROPLUSR" = Microsoft Office Professional Plus 2010
"Outerra Anteworld" = Outerra - Anteworld - Outerra Anteworld Demo
"RiseOfImmortals" = Rise of Immortals
"Steam App 33460" = From Dust
"Steam App 41500" = Torchlight
"Steam App 440" = Team Fortress 2
"Steam App 520" = Team Fortress 2 Beta
"WinGimp-2.0_is1" = GIMP 2.6.11
"YTdetect" = Yahoo! Detect

[color=#E56717]========== Last 20 Event Log Errors ==========[/color]

[ Application Events ]
Error - 8/14/2012 6:00:55 AM | Computer Name = Laptop | Source = WinMgmt | ID = 10
Description =

Error - 8/14/2012 6:06:08 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time
stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x012ab2a1 Faulting process
id: 0x664 Faulting application start time: 0x01cd7a046b739ac2 Faulting application
path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id:
aa6b04e9-e5f7-11e1-852f-00219bcf4407

Error - 8/14/2012 6:07:09 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time
stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x012ab2a1 Faulting process
id: 0xd18 Faulting application start time: 0x01cd7a0490eb6b23 Faulting application
path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id:
cea3dce4-e5f7-11e1-852f-00219bcf4407

Error - 8/14/2012 6:08:09 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time
stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x012ab2a1 Faulting process
id: 0x764 Faulting application start time: 0x01cd7a04b4d6cee5 Faulting application
path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id:
f28a7de6-e5f7-11e1-852f-00219bcf4407

Error - 8/14/2012 6:09:09 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time
stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x012ab2a1 Faulting process
id: 0xa00 Faulting application start time: 0x01cd7a04d8b8ad26 Faulting application
path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id:
16679967-e5f8-11e1-852f-00219bcf4407

Error - 8/14/2012 6:10:10 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time
stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x000cb2a1 Faulting process
id: 0xe30 Faulting application start time: 0x01cd7a04fc9f4e28 Faulting application
path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id:
3a52fd29-e5f8-11e1-852f-00219bcf4407

Error - 8/14/2012 6:11:10 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time
stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x013bb2a1 Faulting process
id: 0x1078 Faulting application start time: 0x01cd7a0520838dca Faulting application
path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id:
5e3bff8c-e5f8-11e1-852f-00219bcf4407

Error - 8/14/2012 6:12:10 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time
stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x0017b2a1 Faulting process
id: 0x26c Faulting application start time: 0x01cd7a05446c902c Faulting application
path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id:
821b7c6d-e5f8-11e1-852f-00219bcf4407

Error - 8/14/2012 6:13:10 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time
stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x001bb2a1 Faulting process
id: 0x874 Faulting application start time: 0x01cd7a05685a554f Faulting application
path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id:
a60e0450-e5f8-11e1-852f-00219bcf4407

Error - 8/14/2012 6:14:11 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time
stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x000cb2a1 Faulting process
id: 0x1004 Faulting application start time: 0x01cd7a058c3e94f1 Faulting application
path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id:
c9ed8131-e5f8-11e1-852f-00219bcf4407

[ System Events ]
Error - 8/13/2012 10:50:43 PM | Computer Name = Laptop | Source = Service Control Manager | ID = 7003
Description = The IPsec Policy Agent service depends the following service: BFE.
This service might not be installed.

Error - 8/13/2012 10:51:35 PM | Computer Name = Laptop | Source = Service Control Manager | ID = 7001
Description = The HomeGroup Provider service depends on the Function Discovery Resource
Publication service which failed to start because of the following error: %%-2147024891

Error - 8/13/2012 10:51:35 PM | Computer Name = Laptop | Source = Service Control Manager | ID = 7023
Description = The Function Discovery Resource Publication service terminated with
the following error: %%-2147024891

Error - 8/13/2012 10:56:11 PM | Computer Name = Laptop | Source = Service Control Manager | ID = 7034
Description = The Dell Internal Network Card Power Management service terminated
unexpectedly. It has done this 1 time(s).

Error - 8/14/2012 6:00:38 AM | Computer Name = Laptop | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1060

Error - 8/14/2012 6:00:38 AM | Computer Name = Laptop | Source = Service Control Manager | ID = 7023
Description = The Function Discovery Resource Publication service terminated with
the following error: %%-2147024891

Error - 8/14/2012 6:00:43 AM | Computer Name = Laptop | Source = Service Control Manager | ID = 7003
Description = The IKE and AuthIP IPsec Keying Modules service depends the following
service: BFE. This service might not be installed.

Error - 8/14/2012 6:00:43 AM | Computer Name = Laptop | Source = Service Control Manager | ID = 7003
Description = The IPsec Policy Agent service depends the following service: BFE.
This service might not be installed.

Error - 8/14/2012 6:02:32 AM | Computer Name = Laptop | Source = Service Control Manager | ID = 7023
Description = The Function Discovery Resource Publication service terminated with
the following error: %%-2147024891

Error - 8/14/2012 6:02:32 AM | Computer Name = Laptop | Source = Service Control Manager | ID = 7001
Description = The HomeGroup Provider service depends on the Function Discovery Resource
Publication service which failed to start because of the following error: %%-2147024891

checkup.txt

Results of screen317's Security Check version 0.99.43
Windows 7 Service Pack 1 x64 [color=red](UAC is disabled!)[/color]
Internet Explorer 9
[u]``````````````Antivirus/Firewall Check:``````````````[/u]
[color=red]Windows Security Center service is not running! This report may not be accurate![/color]
Norton Security Suite
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
[u]`````````Anti-malware/Other Utilities Check:`````````[/u]
Malwarebytes Anti-Malware version 1.62.0.1300
Java(TM) 6 Update 29
[color=red]Java version out of Date![/color]
Adobe Reader X (10.1.3)
[u]````````Process Check: objlist.exe by Laurent````````[/u]
Norton ccSvcHst.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Norton Online Engine 2.3.0.7 ccSvcHst.exe
[u]`````````````````System Health check`````````````````[/u]
Total Fragmentation on Drive C: 0%
[u]````````````````````End of Log``````````````````````[/u]

online scan:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=eedf2051c17c0442a35bc83240f0ef21
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-14 10:39:18
# local_time=2012-08-14 06:39:18 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 66 94 38615559 96483681 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=36718
# found=3
# cleaned=3
# scan_time=527
C:\$Recycle.Bin\S-1-5-21-1613675080-3381770067-651744427-1004\$R819XYN.exe a variant of Win32/Adware.Gamevance.CF application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$Recycle.Bin\S-1-5-21-1613675080-3381770067-651744427-1004\$RHXA09S.exe a variant of Win32/Adware.Gamevance.CF application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$Recycle.Bin\S-1-5-21-1613675080-3381770067-651744427-1004\$RPQTXV5.exe a variant of Win32/Adware.Gamevance.CF application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=eedf2051c17c0442a35bc83240f0ef21
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-14 11:29:27
# local_time=2012-08-14 07:29:27 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 66 94 38656675 96524797 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=259307
# found=7
# cleaned=6
# scan_time=5620
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Andrew\Downloads\SoftonicDownloader_for_slender.exe a variant of Win32/SoftonicDownloader.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\00000008.@ Win64/Agent.BA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@ Win64/Conedex.B trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000000.@ Win64/Sirefef.AP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ a variant of Win32/Sirefef.FD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
${Memory} a variant of Win32/Sirefef.EZ trojan 00000000000000000000000000000000 I
--
~Safe Hex~ Team Discovery ~ Project Hope ~ Like A Hurricane~
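The Application Error entries in the OTL log above all show the same thing: svchost.exe faulting in a module named 80000032.@, the file Malwarebytes quarantined and ESET later identified as Sirefef. Below is an added example, written for this page and not part of nethog's post or of OTL, of how a defender can parse that wrapped OTL event-log format and surface the pattern automatically: repeated crashes of one host process in a module whose name looks like NNNNNNNN.@ rather than a real DLL. The sample log inside the script is constructed from three of the posted entries plus a made-up notepad.exe crash as a benign control; the regexes, the `_unloaded` handling and the repeat threshold are my own choices, not anything OTL provides.

```python
"""Parse OTL-style 'Last 20 Event Log Errors' entries and flag the crash pattern
seen in the log above: one host process faulting again and again in a module
named NNNNNNNN.@ instead of a real DLL. Added example, not part of the thread."""
import re
from collections import Counter

# Constructed sample in OTL's format: three svchost.exe entries copied from the
# posted log, a made-up notepad.exe crash as a benign control, one system event.
SAMPLE_OTL_LOG = r"""
[ Application Events ]
Error - 8/14/2012 6:06:08 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time
stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x012ab2a1 Faulting process
id: 0x664 Faulting application start time: 0x01cd7a046b739ac2 Faulting application
path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id:
aa6b04e9-e5f7-11e1-852f-00219bcf4407

Error - 8/14/2012 6:07:09 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time
stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x012ab2a1 Faulting process
id: 0xd18 Faulting application start time: 0x01cd7a0490eb6b23 Faulting application
path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id:
cea3dce4-e5f7-11e1-852f-00219bcf4407

Error - 8/14/2012 6:08:09 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time
stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x012ab2a1 Faulting process
id: 0x764 Faulting application start time: 0x01cd7a04b4d6cee5 Faulting application
path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id:
f28a7de6-e5f7-11e1-852f-00219bcf4407

Error - 8/14/2012 6:20:00 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: notepad.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc9b3 Faulting module name: ntdll.dll, version: 6.1.7601.17725, time
stamp: 0x4ec4aa8e Exception code: 0xc0000374 Faulting application path: C:\Windows\System32\notepad.exe

[ System Events ]
Error - 8/14/2012 6:00:38 AM | Computer Name = Laptop | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1060
"""

HEADER_RE = re.compile(r"^Error - (.+?) \| Computer Name = (.+?) \| Source = (.+?) \| ID = (\d+)$")
SUSPICIOUS_MODULE_RE = re.compile(r"^[0-9a-f]{8}\.@$", re.IGNORECASE)  # e.g. 80000032.@


def parse_otl_events(text):
    """Return (time, host, source, event_id, description) tuples. OTL wraps the
    description at ~80 columns, so continuation lines are joined with a space."""
    entries, current, desc = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m or line.startswith("[ "):          # new entry, or a "[ System Events ]" section
            if current:
                entries.append(current + (" ".join(desc).strip(),))
            current = (m.group(1), m.group(2), m.group(3), int(m.group(4))) if m else None
            desc = []
        elif current and line.startswith("Description ="):
            desc.append(line[len("Description ="):])
        elif current and line:
            desc.append(line)
    if current:
        entries.append(current + (" ".join(desc).strip(),))
    return entries


def extract_crashes(entries):
    """Pull app, module and exception code out of Application Error (ID 1000) entries."""
    crashes = []
    for time, _host, source, event_id, desc in entries:
        if source != "Application Error" or event_id != 1000:
            continue
        app = re.search(r"Faulting application name: (\S+?),", desc)
        mod = re.search(r"Faulting module name: (\S+?),", desc)
        exc = re.search(r"Exception code: (0x[0-9a-fA-F]+)", desc)
        if not (app and mod):
            continue
        module = mod.group(1)
        if module.endswith("_unloaded"):        # WER marker: module was gone when the dump was taken
            module = module[: -len("_unloaded")]
        crashes.append({"time": time, "app": app.group(1), "module": module,
                        "exception": exc.group(1) if exc else None})
    return crashes


def flag_suspicious(crashes, min_repeats=3):
    """Map (app, module) -> list of reasons for crash pairs that deserve a closer look."""
    findings = {}
    for (app, module), n in Counter((c["app"], c["module"]) for c in crashes).items():
        reasons = []
        if SUSPICIOUS_MODULE_RE.match(module):
            reasons.append("module name has the NNNNNNNN.@ form, not a normal DLL name")
        if n >= min_repeats:
            reasons.append(f"{app} crashed {n} times in the same module")
        if reasons:
            findings[(app, module)] = reasons
    return findings
```

Running `flag_suspicious(extract_crashes(parse_otl_events(SAMPLE_OTL_LOG)))` returns one finding, for svchost.exe in 80000032.@, with both reasons attached; the notepad.exe control crash is not reported. The `_unloaded` suffix is worth keeping as a separate signal in real triage: the module had already been unloaded by the time Windows Error Reporting looked, which is normal for injected code that cleans up after itself and unusual for an ordinary DLL.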

nethog

join:2006-12-08
Canton, MI
By the way, I am going on vacation, leaving today (August 15th), and won't be monitoring this thread until I return on August 29th. I will be sure to check back on August 29th.


LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM

reply to nethog
Download and run Sophos AntiRootkit. Post the log in this thread, even if nothing is found.

You can find the link(s) and instructions here:
»Security Cleanup FAQ »Rootkit Detection Applications
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum

nethog

join:2006-12-08
Canton, MI
OK, here is the Sophos log:

Sophos Anti-Rootkit Version 1.5.4 (c) 2009 Sophos Plc
Started logging on 8/29/2012 at 22:20:49 PM
User "Peter" on computer "LAPTOP"
Windows version 6.1 SP 1.0 Service Pack 1 build 7601 SM=0x100 PT=0x1 WOW64
Info: Starting registry scan.
Warning: Failed to query live registry key \HKEY_LOCAL_MACHINE.
You may not have access rights to the whole registry.
Incorrect function.
Hidden: registry item \HKEY_LOCAL_MACHINE\SAM
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZOVOUUY\www.burstnet.com%2fburstmedia%2fclk%2fBCPG196677.315933.527531%2fVTS%3d5KplS.MPaR%2fSZ%3d300X250A%2fa%3db%2fs%3d25216%2fFPR%2fV%3d2[1].htm
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZOVOUUY\nea;k2=sleepdisorders;k3=health;hlnexp=yes;type=top_rb;bf=no;sz=728x90;dcopt=ist;tile=1;pos=lb;ugc=false;url=http%3A%2F%2Fwww.dailyrx[1].js
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZOVOUUY\rtdisease;k1=sleepapnea;k2=sleepdisorders;k3=health;hlnexp=yes;bf=no;sz=160x600;tile=2;pos=wsl;ugc=false;url=http%3A%2F%2Fwww.dailyrx[1].js
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UC69NR70\=sleepapnea;k2=sleepdisorders;k3=health;hlnexp=yes;type=top_rb;bf=no;sz=300x250;tile=3;pos=mr1;ugc=false;url=http%3A%2F%2Fwww.dailyrx[1].js
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZOVOUUY\www.burstnet.com%2fburstmedia%2fclk%2fBCPG196677.315933.527531%2fVTS%3d5KplT.VHDB%2fSZ%3d300X250A%2fa%3db%2fs%3d25216%2fFPR%2fV%3d2[1].htm
Hidden: file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2QAN81J0\4083;sz=728x90;u=xbAAXbk6q4FqrRW5ymoL9DxXW6K94m4p2Gkt0T972BeAF3HuufJPf7S52mvxsWq1c01ZTkXT-VqH9lbl VSUxFH4QIBsUsp8QfBCw;ord=1346291593[1].htm
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2QAN81J0\.games_l;sz=300x250;ord1=590038;cmw=owl;dcopt=ist;contx=games;cmd=www.freegametopia.com;an=;bu=;br=;btg=cm.nfl_l;btg=cm.games_l;ord=0[1].js
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I85573OK\.games_l;sz=160x600;ord1=452807;cmw=owl;dcopt=ist;contx=games;cmd=www.freegametopia.com;an=;bu=;br=;btg=cm.nfl_l;btg=cm.games_l;ord=0[1].js
Info: Starting disk scan of D: (NTFS).
Stopped logging on 8/30/2012 at 0:08:14 AM


LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM

reply to nethog
Download ComboFix from one of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.infospyware.net/antimalware/combofix/
 
* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.


nethog

join:2006-12-08
Canton, MI
OK, here is the ComboFix log:
ComboFix 12-08-30.05 - Peter 08/30/2012 17:30:26.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.2523 [GMT -4:00]
Running from: c:\users\Peter\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\Andrew\AppData\Roaming\avcodec-52.dll
c:\users\Andrew\AppData\Roaming\avdevice-52.dll
c:\users\Andrew\AppData\Roaming\avformat-52.dll
c:\users\Andrew\AppData\Roaming\avutil-50.dll
c:\users\Andrew\AppData\Roaming\BlendThumb64.dll
c:\users\Andrew\AppData\Roaming\libsndfile-1.dll
c:\users\Andrew\AppData\Roaming\msvcm90.dll
c:\users\Andrew\AppData\Roaming\msvcp90.dll
c:\users\Andrew\AppData\Roaming\msvcr90.dll
c:\users\Andrew\AppData\Roaming\OpenAL32.dll
c:\users\Andrew\AppData\Roaming\pthreadVC2.dll
c:\users\Andrew\AppData\Roaming\python32.dll
c:\users\Andrew\AppData\Roaming\swscale-0.dll
c:\users\Andrew\AppData\Roaming\uninstall.exe
c:\users\Andrew\AppData\Roaming\vcomp90.dll
c:\users\Andrew\AppData\Roaming\wrap_oal.dll
c:\users\Andrew\AppData\Roaming\zlib.dll
c:\users\Andrew\GoToAssistDownloadHelper.exe
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\@
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\L\00000004.@
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\L\201d3dde
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\00000004.@
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\00000008.@
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000000.@
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000064.@
c:\windows\SysWow64\URTTemp
c:\windows\SysWow64\URTTemp\regtlib.exe
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-30 )))))))))))))))))))))))))))))))
.
.
2012-08-30 21:39 . 2012-08-30 21:39 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-08-30 21:39 . 2012-08-30 21:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-30 21:39 . 2012-08-30 21:39 -------- d-----w- c:\users\Cameron\AppData\Local\temp
2012-08-30 21:39 . 2012-08-30 21:39 -------- d-----w- c:\users\Brianna\AppData\Local\temp
2012-08-30 21:39 . 2012-08-30 21:39 -------- d-----w- c:\users\Andrew\AppData\Local\temp
2012-08-30 02:39 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\AB3E.tmp
2012-08-30 02:20 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\666.tmp
2012-08-30 02:20 . 2012-08-30 02:20 -------- d-----w- c:\program files (x86)\Sophos
2012-08-14 23:54 . 2012-08-14 23:54 -------- d-----w- c:\users\Peter\AppData\Roaming\QuickScan
2012-08-14 10:28 . 2012-08-14 10:28 -------- d-----w- c:\program files (x86)\ESET
2012-08-14 02:40 . 2012-08-30 01:38 -------- d-----w- c:\users\Peter\AppData\Local\ID Vault
2012-08-14 02:40 . 2012-08-14 02:40 -------- d-----w- c:\programdata\IsolatedStorage
2012-08-14 02:39 . 2012-08-30 01:38 -------- d-----w- c:\users\Peter\AppData\Roaming\ID Vault
2012-08-14 02:38 . 2012-08-30 01:38 -------- d-----w- c:\program files (x86)\Constant Guard Protection Suite
2012-08-14 02:38 . 2012-08-14 02:38 -------- d-----w- c:\programdata\White Sky, Inc
2012-08-14 00:18 . 2012-08-14 00:18 -------- d-----w- c:\users\Peter\AppData\Roaming\Malwarebytes
2012-08-14 00:18 . 2012-08-14 00:18 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-14 00:07 . 2012-08-14 00:07 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-08-13 22:51 . 2012-08-13 23:02 -------- d-----w- c:\users\Peter\AppData\Local\NPE
2012-08-13 22:47 . 2012-08-13 22:47 -------- d-----w- c:\users\Peter\AppData\Roaming\Tific
2012-08-13 22:46 . 2012-08-13 22:46 -------- d-----w- c:\users\Peter\AppData\Local\Symantec
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 00:08 . 2012-05-21 10:09 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-15 00:08 . 2011-05-15 01:59 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-03 17:46 . 2011-12-22 18:13 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 07:19 . 2011-05-14 19:59 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-12 03:08 . 2012-07-12 05:51 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-06-09 05:43 . 2012-07-11 15:38 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 06:06 . 2012-07-11 15:38 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-11 15:38 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-11 15:38 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-11 15:38 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-11 15:38 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-11 15:38 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-06-02 22:19 . 2012-06-21 15:30 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 15:30 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 15:30 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 15:30 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 15:30 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-21 15:30 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 15:30 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 15:29 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-21 15:29 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 12:49 . 2012-07-12 05:43 17807360 ----a-w- c:\windows\system32\mshtml.dll
2012-06-02 12:17 . 2012-07-12 05:43 10924032 ----a-w- c:\windows\system32\ieframe.dll
2012-06-02 12:12 . 2012-07-12 05:43 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 12:05 . 2012-07-12 05:43 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-02 12:05 . 2012-07-12 05:43 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 12:04 . 2012-07-12 05:43 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 12:04 . 2012-07-12 05:43 237056 ----a-w- c:\windows\system32\url.dll
2012-06-02 12:03 . 2012-07-12 05:43 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-02 12:01 . 2012-07-12 05:43 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 12:00 . 2012-07-12 05:43 818688 ----a-w- c:\windows\system32\jscript.dll
2012-06-02 11:59 . 2012-07-12 05:43 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-02 11:57 . 2012-07-12 05:43 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-02 11:57 . 2012-07-12 05:43 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 11:54 . 2012-07-12 05:43 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-02 08:33 . 2012-07-12 05:43 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-02 08:25 . 2012-07-12 05:43 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-02 08:25 . 2012-07-12 05:43 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-02 08:20 . 2012-07-12 05:43 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-02 08:16 . 2012-07-12 05:43 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-06-02 05:50 . 2012-07-11 15:38 458704 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 05:48 . 2012-07-11 15:38 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:48 . 2012-07-11 15:38 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:45 . 2012-07-11 15:38 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:44 . 2012-07-11 15:38 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 04:40 . 2012-07-11 15:38 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:40 . 2012-07-11 15:38 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:39 . 2012-07-11 15:38 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:34 . 2012-07-11 15:38 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Razer Imperator Driver"="c:\program files (x86)\Razer\Imperator\RazerImperatorSysTray.exe" [2011-06-03 979360]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1556560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 250056]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\AB3E.tmp [2010-05-26 6144]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-14 1255736]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-07-12 8704]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\DRIVERS\ae1000w7.sys [2010-03-23 1101600]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-21 00:08]
.
2012-08-30 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
2012-08-30 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1211688]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 415816]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-03 2412616]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-10-15 539456]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\AB3E.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,
7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,
64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,
69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{B8E07826-0971-4F16-B133-047B88034E89}"=hex:51,66,7a,6c,4c,1d,38,12,48,7b,f3,
bc,43,47,78,0a,ce,25,47,3b,8d,5d,0a,9d
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"=hex:51,66,7a,6c,4c,1d,38,12,70,05,61,
f9,ec,d1,23,0d,da,9c,48,eb,44,0f,8e,cc
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:5c,e1,7b,1f,37,75,cd,01
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2012-08-30 17:52:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-30 21:52
.
Pre-Run: 180,906,434,560 bytes free
Post-Run: 181,338,066,944 bytes free
.
- - End Of File - - 1D04ACEA2BC38EEC80897DDA65789525

nethog

join:2006-12-08
Canton, MI
I also re-ran Malwarebytes after ComboFix and here is the log file:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.31.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Peter :: LAPTOP [administrator]

Protection: Enabled

8/31/2012 4:44:58 PM
mbam-log-2012-08-31 (16-44-58).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 528371
Time elapsed: 1 hour(s), 32 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir (Trojan.0access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\00000008.@.vir (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)


LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM

reply to nethog
If you want to continue receiving assistance in this forum, then DO NOT RUN ANY PROGRAMS UNLESS INSTRUCTED.

ComboFix had removed the ZeroAccess trojan to quarantine. MBAM only removed the files already quarantined. If for some strange reason it was necessary to reverse ComboFix's action, you removed that option by running MBAM.

Onward....

Please run OTL again, and post the new log in this thread. Note that there will not be a new Extras log this time.
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum
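
As an added illustration of the point above (not code from the thread, nor from Malwarebytes or ComboFix), a small Python triage script that reads the "Files Detected" section of an MBAM scan log and separates hits on ComboFix's quarantine copies (C:\Qoobox\Quarantine\...\*.vir) from hits on live files. The ZeroAccess path patterns are taken from the ComboFix log earlier in the thread; the second sample log is constructed for contrast.

```python
"""Triage a Malwarebytes Anti-Malware (MBAM) scan log: separate live detections from
hits on files that ComboFix had already moved into its quarantine folder.
Added example; not part of the forum thread or of Malwarebytes/ComboFix."""
import re
from dataclasses import dataclass

# ComboFix keeps quarantined files under C:\Qoobox\Quarantine with a .vir suffix,
# mirroring the original drive letter as a folder (C:\Qoobox\Quarantine\C\...).
COMBOFIX_QUARANTINE = "c:\\qoobox\\quarantine\\"

# Locations ZeroAccess used on this machine, as listed in the ComboFix log posted
# in the thread: a GUID folder under C:\Windows\Installer with U\ and L\ subfolders
# holding *.@ files, and Desktop.ini dropped into the .NET GAC_32 / GAC_64 folders.
ZEROACCESS_PATH_RES = (
    re.compile(r"\\windows\\installer\\\{[0-9a-f-]{36}\}\\[ul]\\[0-9a-f]{8}\.@$"),
    re.compile(r"\\windows\\assembly\\gac_(32|64)\\desktop\.ini$"),
)

# One MBAM detection line: "<path> (<threat name>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    path: str
    threat: str
    action: str

    @property
    def quarantine_copy(self) -> bool:
        """True when the hit is ComboFix's quarantined copy rather than a live file."""
        p = self.path.lower()
        return p.startswith(COMBOFIX_QUARANTINE) and p.endswith(".vir")

    @property
    def original_path(self) -> str:
        """Where a quarantined file originally lived (unchanged for live detections)."""
        if not self.quarantine_copy:
            return self.path
        rest = self.path[len(COMBOFIX_QUARANTINE):-len(".vir")]
        drive, _, tail = rest.partition("\\")
        return f"{drive}:\\{tail}"

    @property
    def zeroaccess_location(self) -> bool:
        """Does the original location match the ZeroAccess layout seen in the thread?"""
        p = self.original_path.lower()
        return any(r.search(p) for r in ZEROACCESS_PATH_RES)


def parse_files_detected(log_text: str) -> list:
    """Pull the entries listed under 'Files Detected: N' out of an MBAM scan log."""
    found = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Files Detected:"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line:  # the section ends at the first blank line
            break
        m = DETECTION_RE.match(line)
        if m:  # "(No malicious items detected)" does not match and is skipped
            found.append(Detection(m["path"], m["threat"], m["action"]))
    return found


def triage(log_text: str) -> dict:
    """Summarise what a scan actually found: live files versus quarantine copies."""
    dets = parse_files_detected(log_text)
    live = [d for d in dets if not d.quarantine_copy]
    copies = [d for d in dets if d.quarantine_copy]
    return {
        "total": len(dets),
        "live": [d.path for d in live],
        "quarantine_copies": [d.original_path for d in copies],
        "zeroaccess_hits": [d.original_path for d in dets if d.zeroaccess_location],
        # Only quarantine copies hit: no live infection indicated, but the copies
        # ComboFix kept (in case its action had to be reversed) are now gone.
        "live_infection_indicated": bool(live),
    }


# Excerpt of the MBAM log posted in the thread (its four "Files Detected" lines).
SAMPLE_LOG = r"""
Files Detected: 4
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir (Trojan.0access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\00000008.@.vir (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)
"""

# Constructed contrast case: the same ZeroAccess file detected at its live location.
LIVE_LOG = r"""
Files Detected: 1
C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)
"""

if __name__ == "__main__":
    for name, log in (("thread log", SAMPLE_LOG), ("constructed live log", LIVE_LOG)):
        print(name, triage(log))
```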

nethog

join:2006-12-08
Canton, MI
OK, sorry... here is the OTL log file:
OTL logfile created on: 9/2/2012 2:06:23 PM - Run 2
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Users\Peter\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.73 Gb Available Physical Memory | 68.36% Memory free
7.99 Gb Paging File | 6.29 Gb Available in Paging File | 78.71% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 285.50 Gb Total Space | 161.40 Gb Free Space | 56.53% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 4.01 Gb Free Space | 40.12% Space Free | Partition Type: NTFS

Computer Name: LAPTOP | User Name: Peter | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

[color=#E56717]========== Processes (SafeList) ==========[/color]

PRC - [2012/09/02 14:04:45 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Peter\Desktop\OTL.exe
PRC - [2012/07/27 16:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/06/15 22:24:20 | 000,138,272 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton Security Suite\Engine\6.3.0.14\ccsvchst.exe
PRC - [2011/11/29 22:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton Online\Engine\2.3.0.7\ccSvcHst.exe
PRC - [2011/10/15 04:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2011/10/15 01:54:40 | 000,381,248 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2011/10/13 22:37:26 | 000,075,136 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2011/06/09 14:06:06 | 000,507,624 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
PRC - [2011/06/03 11:04:26 | 000,979,360 | ---- | M] (Razer USA Ltd) -- C:\Program Files (x86)\Razer\Imperator\RazerImperatorSysTray.exe
PRC - [2010/08/03 09:43:02 | 000,522,824 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
PRC - [2009/07/13 21:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
PRC - [2009/07/13 21:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
PRC - [2009/07/13 21:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
PRC - [2009/07/13 21:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
PRC - [2007/05/09 17:01:00 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe

[color=#E56717]========== Modules (No Company Name) ==========[/color]

[color=#E56717]========== Win32 Services (SafeList) ==========[/color]

SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 21:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2008/02/22 16:49:18 | 000,592,464 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (nicconfigsvc)
SRV - [2012/08/14 20:08:10 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/27 16:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/07/12 15:16:55 | 000,008,704 | ---- | M] (Hi-Rez Studios) [Auto | Running] -- C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe -- (HiPatchService)
SRV - [2012/06/18 22:30:33 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/06/15 22:24:20 | 000,138,272 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton Security Suite\Engine\6.3.0.14\ccSvcHst.exe -- (N360)
SRV - [2011/11/29 22:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton Online\Engine\2.3.0.7\ccSvcHst.exe -- (NOF)
SRV - [2011/10/15 04:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/10/15 01:54:40 | 000,381,248 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2011/10/13 22:37:26 | 000,075,136 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

[color=#E56717]========== Driver Services (SafeList) ==========[/color]

DRV:64bit: - [2012/09/01 00:03:17 | 000,175,736 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2012/08/17 17:26:48 | 000,025,584 | ---- | M] (PC-Doctor, Inc.) [Kernel | On_Demand | Running] -- c:\Program Files\Dell Support Center\pcdsrvc_x64.pkms -- (PCDSRVC{1E208CE0-FB7451FF-06020200}_0)
DRV:64bit: - [2012/07/05 22:17:58 | 000,737,952 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtsp64.sys -- (SRTSP)
DRV:64bit: - [2012/07/05 22:17:58 | 000,037,536 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtspx64.sys -- (SRTSPX)
DRV:64bit: - [2012/06/07 00:43:38 | 000,167,072 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\ccsetx64.sys -- (ccSet_N360)
DRV:64bit: - [2012/05/21 21:37:12 | 001,129,120 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symefa64.sys -- (SymEFA)
DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/11/16 23:38:00 | 000,405,624 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symnets.sys -- (SymNetS)
DRV:64bit: - [2011/11/16 23:38:00 | 000,218,232 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NSMx64\0203000.01A\symrdrs.sys -- (SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A})
DRV:64bit: - [2011/11/16 23:17:50 | 000,190,072 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\ironx64.sys -- (SymIRON)
DRV:64bit: - [2011/11/04 19:59:30 | 000,167,048 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NOFx64\0203000.007\ccSetx64.sys -- (ccSet_NOF)
DRV:64bit: - [2011/08/16 02:51:40 | 000,451,192 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symds64.sys -- (SymDS)
DRV:64bit: - [2011/04/13 15:04:38 | 000,045,432 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)
DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 23:24:43 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2010/11/20 23:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 23:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub)
DRV:64bit: - [2010/11/20 23:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc)
DRV:64bit: - [2010/11/20 23:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/20 23:23:48 | 000,034,816 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt)
DRV:64bit: - [2010/11/20 23:23:47 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2010/11/20 23:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 23:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/04/14 01:01:44 | 000,054,824 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btusbflt.sys -- (btusbflt)
DRV:64bit: - [2010/03/23 02:53:04 | 001,101,600 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ae1000w7.sys -- (AE1000)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/25 17:04:20 | 000,067,584 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimmpx64.sys -- (rimmptsk)
DRV:64bit: - [2009/06/25 16:38:52 | 000,057,856 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rixdpx64.sys -- (rismxdp)
DRV:64bit: - [2009/06/25 16:13:44 | 000,055,296 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimspx64.sys -- (rimsptsk)
DRV:64bit: - [2009/06/10 16:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2007/10/26 14:39:14 | 000,315,440 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2007/10/10 17:03:00 | 000,266,624 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV:64bit: - [2007/03/05 10:55:48 | 000,012,288 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2012/09/02 00:51:27 | 002,084,000 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20120901.008\ex64.sys -- (NAVEX15)
DRV - [2012/09/02 00:51:27 | 000,125,600 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20120901.008\eng64.sys -- (NAVENG)
DRV - [2012/08/31 23:32:03 | 000,484,512 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2012/08/31 23:32:03 | 000,138,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/08/31 09:01:08 | 000,512,672 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20120831.001\IDSviA64.sys -- (IDSVia64)
DRV - [2012/08/23 03:52:48 | 001,161,376 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\BASHDefs\20120823.007\BHDrvx64.sys -- (BHDrvx64)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

[color=#E56717]========== Standard Registry (SafeList) ==========[/color]

[color=#E56717]========== Internet Explorer ==========[/color]

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7F 3E 3B D7 ED 44 CC 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

[color=#E56717]========== FireFox ==========[/color]

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_271.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{6D5C8FC4-DE46-41bf-9092-93F0F78E9115}: C:\ProgramData\Norton\{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}\NSM_2.3.0.26\coFFFw\ [2012/09/02 10:00:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\IPSFFPlgn\ [2012/08/31 23:28:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\coFFPlgn\ [2012/09/02 09:49:50 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2012/08/30 17:49:29 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\6.3.0.14\coieplg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\6.3.0.14\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Norton Safety Minder BHO) - {B8E07826-0971-4f16-B133-047B88034E89} - C:\Program Files (x86)\Norton Online\AddOns\Norton Safety Minder\Engine\2.3.0.26\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\6.3.0.14\coieplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\6.3.0.14\coieplg.dll (Symantec Corporation)
O4:64bit: - HKLM..\Run: [IntelliPoint] c:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Launch LCDMon] C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe (Logitech Inc.)
O4:64bit: - HKLM..\Run: [Launch LgDeviceAgent] C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe (Logitech Inc.)
O4:64bit: - HKLM..\Run: [NVHotkey] C:\Windows\SysNative\nvHotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [Razer Imperator Driver] C:\Program Files (x86)\Razer\Imperator\RazerImperatorSysTray.exe (Razer USA Ltd)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} http://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class)
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bitdefender.com/qsax/qsax.cab (Bitdefender QuickScan Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{55708DA7-02EF-43EA-A72C-E5767C41A951}: DhcpNameServer = 68.87.77.134 68.87.72.134 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7D41AF3F-544D-4E59-8FA5-CD15332DCC21}: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C7A6B14E-934F-4523-AFEA-1CC2E11C0C7E}: DhcpNameServer = 68.87.77.134 68.87.72.134 192.168.1.1
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]

[2012/09/02 14:04:45 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Peter\Desktop\OTL.exe
[2012/09/01 01:13:02 | 000,020,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\svchost.exe
[2012/09/01 00:44:13 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell Support Center
[2012/09/01 00:44:12 | 000,000,000 | ---D | C] -- C:\ProgramData\PC-Doctor for Windows
[2012/09/01 00:02:58 | 000,218,232 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NSMx64\0203000.01A\symrdrs.sys
[2012/09/01 00:02:57 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\NSMx64
[2012/09/01 00:02:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Safety Minder
[2012/09/01 00:02:57 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\NSMx64\0203000.01A
[2012/09/01 00:02:47 | 000,167,048 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NOFx64\0203000.007\ccSetx64.sys
[2012/09/01 00:02:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Norton Online
[2012/09/01 00:02:45 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\NOFx64
[2012/09/01 00:02:45 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\NOFx64\0203000.007
[2012/09/01 00:02:03 | 000,828,832 | ---- | C] (Symantec Corporation) -- C:\Users\Public\Documents\NSM_Installer.exe
[2012/09/01 00:02:02 | 000,269,720 | ---- | C] (Symantec Corporation) -- C:\Users\Public\Documents\2013FSDPlugin.dll
[2012/09/01 00:02:02 | 000,172,992 | ---- | C] (Symantec Corporation) -- C:\Users\Public\Documents\2012FSDPlugin.dll
[2012/09/01 00:02:00 | 013,259,848 | ---- | C] (Symantec Corporation) -- C:\Users\Public\Documents\SafetyMinder.exe
[2012/08/31 23:47:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Symantec Shared
[2012/08/31 23:31:49 | 001,129,120 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symefa64.sys
[2012/08/31 23:31:49 | 000,737,952 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtsp64.sys
[2012/08/31 23:31:49 | 000,451,192 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symds64.sys
[2012/08/31 23:31:49 | 000,405,624 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symnets.sys
[2012/08/31 23:31:49 | 000,190,072 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\ironx64.sys
[2012/08/31 23:31:49 | 000,167,072 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\ccsetx64.sys
[2012/08/31 23:31:49 | 000,037,536 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtspx64.sys
[2012/08/31 23:28:22 | 000,175,736 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2012/08/31 23:28:22 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2012/08/31 23:26:41 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security Suite
[2012/08/31 23:26:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Norton Security Suite
[2012/08/31 23:26:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NortonInstaller
[2012/08/31 22:04:04 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton
[2012/08/31 21:38:24 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E
[2012/08/31 21:11:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2012/08/31 21:10:10 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\N360x64
[2012/08/30 17:52:48 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/08/30 17:16:11 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/08/30 17:16:11 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/08/30 17:16:11 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/08/30 17:07:22 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/08/30 17:06:50 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/08/29 22:20:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sophos
[2012/08/14 19:54:05 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\QuickScan
[2012/08/13 22:40:08 | 000,000,000 | ---D | C] -- C:\ProgramData\IsolatedStorage
[2012/08/13 22:40:08 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\ID Vault
[2012/08/13 22:39:40 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\ID Vault
[2012/08/13 22:38:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Constant Guard Protection Suite
[2012/08/13 22:38:43 | 000,000,000 | ---D | C] -- C:\ProgramData\White Sky, Inc
[2012/08/13 22:31:20 | 057,442,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MRT.exe
[2012/08/13 20:18:58 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Malwarebytes
[2012/08/13 20:07:22 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%
[2012/08/13 18:51:40 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\NPE
[2012/08/13 18:47:20 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Tific
[2012/08/13 18:46:54 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\Symantec
[2012/08/07 22:05:18 | 000,000,000 | ---D | C] -- C:\Users\Peter\Documents\LOLReplay

[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]

[2012/09/02 14:08:12 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/09/02 14:04:45 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Peter\Desktop\OTL.exe
[2012/09/02 09:57:58 | 000,020,496 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/09/02 09:57:58 | 000,020,496 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/09/02 09:46:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/09/02 09:46:25 | 3219,701,760 | -HS- | M] () -- C:\hiberfil.sys
[2012/09/01 15:39:44 | 468,952,159 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/09/01 00:03:17 | 000,175,736 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2012/09/01 00:03:17 | 000,007,488 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2012/09/01 00:03:17 | 000,000,855 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2012/09/01 00:03:08 | 000,002,779 | ---- | M] () -- C:\Users\Public\Desktop\Norton Online Family.lnk
[2012/09/01 00:00:22 | 013,259,848 | ---- | M] (Symantec Corporation) -- C:\Users\Public\Documents\SafetyMinder.exe
[2012/09/01 00:00:00 | 000,828,832 | ---- | M] (Symantec Corporation) -- C:\Users\Public\Documents\NSM_Installer.exe
[2012/08/31 23:38:56 | 000,002,431 | ---- | M] () -- C:\Users\Public\Desktop\Norton Security Suite.lnk
[2012/08/31 22:06:11 | 000,416,528 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/08/31 21:42:43 | 001,455,447 | ---- | M] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\Cat.DB
[2012/08/31 21:38:46 | 000,008,942 | ---- | M] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\VT20120731.038
[2012/08/30 17:49:29 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/08/29 21:53:24 | 001,936,389 | ---- | M] () -- C:\Users\Peter\Desktop\virus.png
[2012/08/15 05:19:28 | 000,046,654 | ---- | M] () -- C:\Users\Peter\Desktop\rootkit msg.png
[2012/08/14 20:08:10 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/08/14 20:08:10 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012/08/14 16:48:54 | 000,000,172 | ---- | M] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\isolate.ini

[color=#E56717]========== Files Created - No Company Name ==========[/color]

[2012/09/01 00:03:08 | 000,002,779 | ---- | C] () -- C:\Users\Public\Desktop\Norton Online Family.lnk
[2012/09/01 00:02:57 | 000,001,482 | R--- | C] () -- C:\Windows\SysNative\drivers\NSMx64\0203000.01A\SymRdr.inf
[2012/09/01 00:02:57 | 000,001,130 | R--- | C] () -- C:\Windows\SysNative\drivers\NSMx64\0203000.01A\symrdr64.cat
[2012/09/01 00:02:46 | 000,000,853 | R--- | C] () -- C:\Windows\SysNative\drivers\NOFx64\0203000.007\ccSetx64.inf
[2012/09/01 00:02:45 | 000,007,468 | R--- | C] () -- C:\Windows\SysNative\drivers\NOFx64\0203000.007\ccSetx64.cat
[2012/09/01 00:02:45 | 000,000,172 | ---- | C] () -- C:\Windows\SysNative\drivers\NOFx64\0203000.007\isolate.ini
[2012/08/31 23:31:49 | 000,007,496 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symds64.cat
[2012/08/31 23:31:49 | 000,007,458 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symnet64.cat
[2012/08/31 23:31:49 | 000,007,450 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\iron.cat
[2012/08/31 23:31:49 | 000,007,446 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\ccsetx64.cat
[2012/08/31 23:31:49 | 000,007,438 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symefa64.cat
[2012/08/31 23:31:49 | 000,007,406 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtspx64.cat
[2012/08/31 23:31:49 | 000,007,402 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtsp64.cat
[2012/08/31 23:31:49 | 000,003,435 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symefa.inf
[2012/08/31 23:31:49 | 000,002,852 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symds.inf
[2012/08/31 23:31:49 | 000,001,441 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symnet.inf
[2012/08/31 23:31:49 | 000,001,437 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtsp64.inf
[2012/08/31 23:31:49 | 000,001,419 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtspx64.inf
[2012/08/31 23:31:49 | 000,000,853 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\ccsetx64.inf
[2012/08/31 23:31:49 | 000,000,772 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\iron.inf
[2012/08/31 23:31:46 | 000,008,942 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symvtcer.dat
[2012/08/31 23:31:46 | 000,000,172 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\isolate.ini
[2012/08/31 23:28:22 | 000,007,488 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2012/08/31 23:28:22 | 000,000,855 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2012/08/31 23:27:54 | 000,002,431 | ---- | C] () -- C:\Users\Public\Desktop\Norton Security Suite.lnk
[2012/08/31 21:41:59 | 001,455,447 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\Cat.DB
[2012/08/31 21:39:46 | 000,008,942 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\VT20120731.038
[2012/08/30 17:16:11 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/08/30 17:16:11 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/08/30 17:16:11 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/08/30 17:16:11 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/08/30 17:16:11 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/08/29 21:53:23 | 001,936,389 | ---- | C] () -- C:\Users\Peter\Desktop\virus.png
[2012/08/15 05:19:28 | 000,046,654 | ---- | C] () -- C:\Users\Peter\Desktop\rootkit msg.png
[2012/01/11 07:19:23 | 000,002,048 | -HS- | C] () -- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{a406e640-2847-144d-ca12-b5496dd1d4e7}\@
[2012/01/11 07:19:23 | 000,002,048 | -HS- | C] () -- C:\Windows\System32\config\systemprofile\AppData\Local\{a406e640-2847-144d-ca12-b5496dd1d4e7}\@
[2011/12/03 08:19:02 | 000,000,632 | RHS- | C] () -- C:\Users\Peter\ntuser.pol
[2011/10/29 15:51:53 | 000,187,612 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
[2011/10/15 01:54:52 | 000,321,856 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe
[2011/10/13 22:39:19 | 000,266,752 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2011/10/13 22:37:26 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2011/09/28 17:44:14 | 000,179,271 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011/08/01 07:23:35 | 000,756,022 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/05/29 16:09:51 | 000,040,127 | ---- | C] () -- C:\Windows\DIIUnin.dat

[color=#E56717]========== LOP Check ==========[/color]

[2012/08/29 21:38:50 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\ID Vault
[2011/12/18 13:17:26 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\iolo
[2012/08/14 19:54:09 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\QuickScan
[2012/08/13 18:47:20 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\Tific
[2012/08/30 17:20:34 | 000,032,560 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

[color=#E56717]========== Purity Check ==========[/color]


LoPhatPhuud
join:2002-01-06
Albuquerque, NM
reply to nethog
Looks good.

First:
Use Add/Remove Programs to uninstall Yoontoo. It has adware and potential privacy concerns.

Second:
We don't need Combofix any more, so time to remove it.

Click Start, then Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

(Note: There is a SPACE between ComboFix and /uninstall)

Third:
A final check for the Google redirector rootkit. I fully expect this to be negative, but it's worth doing.

Download and run TDSS Killer, posting the log in this thread. Please post the log, even if nothing is detected.

You'll find the link(s) and instruction(s) here:
»Security Cleanup FAQ »Rootkit Detection Applications
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum

nethog

join:2006-12-08
Canton, MI
LoPhatPhuud:
I am unable to uninstall Yoontoo - after selecting uninstall from control panel I get a "setup initialization error".

Also when I try running ComboFix /Uninstall I get a "windows cannot find Combofix" error.

Here is the first portion of the TDSS Killer log (2nd part in next reply):

19:51:09.0634 2712 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
19:51:11.0647 2712 ============================================================
19:51:11.0647 2712 Current date / time: 2012/09/06 19:51:11.0647
19:51:11.0647 2712 SystemInfo:
19:51:11.0647 2712
19:51:11.0647 2712 OS Version: 6.1.7601 ServicePack: 1.0
19:51:11.0647 2712 Product type: Workstation
19:51:11.0647 2712 ComputerName: LAPTOP
19:51:11.0647 2712 UserName: Peter
19:51:11.0647 2712 Windows directory: C:\Windows
19:51:11.0647 2712 System windows directory: C:\Windows
19:51:11.0647 2712 Running under WOW64
19:51:11.0647 2712 Processor architecture: Intel x64
19:51:11.0647 2712 Number of processors: 2
19:51:11.0647 2712 Page size: 0x1000
19:51:11.0647 2712 Boot type: Normal boot
19:51:11.0647 2712 ============================================================
19:51:25.0421 2712 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
19:51:25.0733 2712 ============================================================
19:51:25.0733 2712 \Device\Harddisk0\DR0:
19:51:25.0999 2712 MBR partitions:
19:51:25.0999 2712 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x2B800, BlocksNum 0x1400000
19:51:25.0999 2712 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x142B800, BlocksNum 0x23B027F8
19:51:25.0999 2712 ============================================================
19:51:26.0342 2712 C: \Device\Harddisk0\DR0\Partition2
19:51:26.0513 2712 D: \Device\Harddisk0\DR0\Partition1
19:51:26.0513 2712 ============================================================
19:51:26.0513 2712 Initialize success
19:51:26.0513 2712 ============================================================
19:51:33.0424 3480 ============================================================
19:51:33.0424 3480 Scan started
19:51:33.0424 3480 Mode: Manual;
19:51:33.0424 3480 ============================================================
19:51:36.0653 3480 ================ Scan system memory ========================
19:51:36.0653 3480 System memory - ok
19:51:36.0653 3480 ================ Scan services =============================
19:51:36.0872 3480 [ A87D604AEA360176311474C87A63BB88 ] 1394ohci C:\Windows\system32\DRIVERS\1394ohci.sys
19:51:36.0887 3480 1394ohci - ok
19:51:36.0919 3480 [ D81D9E70B8A6DD14D42D7B4EFA65D5F2 ] ACPI C:\Windows\system32\drivers\ACPI.sys
19:51:36.0919 3480 ACPI - ok
19:51:36.0950 3480 [ 99F8E788246D495CE3794D7E7821D2CA ] AcpiPmi C:\Windows\system32\drivers\acpipmi.sys
19:51:36.0950 3480 AcpiPmi - ok
19:51:37.0168 3480 [ D19C4EE2AC7C47B8F5F84FFF1A789D8A ] AdobeARMservice C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
19:51:37.0184 3480 AdobeARMservice - ok
19:51:37.0418 3480 [ A9D3B95E8466BD58EEB8A1154654E162 ] AdobeFlashPlayerUpdateSvc C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
19:51:37.0433 3480 AdobeFlashPlayerUpdateSvc - ok

nethog

Part 2 of TDSS log:
19:51:56.0356 3480 rdbss - ok
19:51:56.0403 3480 [ 302DA2A0539F2CF54D7C6CC30C1F2D8D ] rdpbus C:\Windows\system32\DRIVERS\rdpbus.sys
19:51:56.0403 3480 rdpbus - ok
19:51:56.0419 3480 [ CEA6CC257FC9B7715F1C2B4849286D24 ] RDPCDD C:\Windows\system32\DRIVERS\RDPCDD.sys
19:51:56.0419 3480 RDPCDD - ok
19:51:56.0450 3480 [ 1B6163C503398B23FF8B939C67747683 ] RDPDR C:\Windows\system32\drivers\rdpdr.sys
19:51:56.0450 3480 RDPDR - ok
19:51:56.0466 3480 [ BB5971A4F00659529A5C44831AF22365 ] RDPENCDD C:\Windows\system32\drivers\rdpencdd.sys
19:51:56.0466 3480 RDPENCDD - ok
19:51:56.0481 3480 [ 216F3FA57533D98E1F74DED70113177A ] RDPREFMP C:\Windows\system32\drivers\rdprefmp.sys
19:51:56.0481 3480 RDPREFMP - ok
19:51:56.0544 3480 [ 70CBA1A0C98600A2AA1863479B35CB90 ] RdpVideoMiniport C:\Windows\system32\drivers\rdpvideominiport.sys
19:51:56.0544 3480 RdpVideoMiniport - ok
19:51:56.0606 3480 [ E61608AA35E98999AF9AAEEEA6114B0A ] RDPWD C:\Windows\system32\drivers\RDPWD.sys
19:51:56.0606 3480 RDPWD - ok
19:51:56.0653 3480 [ 34ED295FA0121C241BFEF24764FC4520 ] rdyboost C:\Windows\system32\drivers\rdyboost.sys
19:51:56.0653 3480 rdyboost - ok
19:51:56.0700 3480 [ 254FB7A22D74E5511C73A3F6D802F192 ] RemoteAccess C:\Windows\System32\mprdim.dll
19:51:56.0715 3480 RemoteAccess - ok
19:51:56.0746 3480 [ E4D94F24081440B5FC5AA556C7C62702 ] RemoteRegistry C:\Windows\system32\regsvc.dll
19:51:56.0746 3480 RemoteRegistry - ok
19:51:56.0871 3480 [ 3DD798846E2C28102B922C56E71B7932 ] RFCOMM C:\Windows\system32\DRIVERS\rfcomm.sys
19:51:56.0871 3480 RFCOMM - ok
19:51:56.0902 3480 [ 6FAF5B04BEDC66D300D9D233B2D222F0 ] rimmptsk C:\Windows\system32\DRIVERS\rimmpx64.sys
19:51:56.0949 3480 rimmptsk - ok
19:51:56.0980 3480 [ 67F50C31713106FD1B0F286F86AA2B2E ] rimsptsk C:\Windows\system32\DRIVERS\rimspx64.sys
19:51:56.0980 3480 rimsptsk - ok
19:51:56.0996 3480 [ 4D7EF3D46346EC4C58784DB964B365DE ] rismxdp C:\Windows\system32\DRIVERS\rixdpx64.sys
19:51:56.0996 3480 rismxdp - ok
19:51:57.0027 3480 [ E4DC58CF7B3EA515AE917FF0D402A7BB ] RpcEptMapper C:\Windows\System32\RpcEpMap.dll
19:51:57.0027 3480 RpcEptMapper - ok
19:51:57.0058 3480 [ D5BA242D4CF8E384DB90E6A8ED850B8C ] RpcLocator C:\Windows\system32\locator.exe
19:51:57.0058 3480 RpcLocator - ok
19:51:57.0090 3480 [ 5C627D1B1138676C0A7AB2C2C190D123 ] RpcSs C:\Windows\System32\rpcss.dll
19:51:57.0090 3480 RpcSs - ok
19:51:57.0136 3480 [ DDC86E4F8E7456261E637E3552E804FF ] rspndr C:\Windows\system32\DRIVERS\rspndr.sys
19:51:57.0136 3480 rspndr - ok
19:51:57.0168 3480 [ E60C0A09F997826C7627B244195AB581 ] s3cap C:\Windows\system32\drivers\vms3cap.sys
19:51:57.0168 3480 s3cap - ok
19:51:57.0183 3480 [ C118A82CD78818C29AB228366EBF81C3 ] SamSs C:\Windows\system32\lsass.exe
19:51:57.0183 3480 SamSs - ok
19:51:57.0183 3480 [ AC03AF3329579FFFB455AA2DAABBE22B ] sbp2port C:\Windows\system32\drivers\sbp2port.sys
19:51:57.0199 3480 sbp2port - ok
19:51:57.0230 3480 [ 9B7395789E3791A3B6D000FE6F8B131E ] SCardSvr C:\Windows\System32\SCardSvr.dll
19:51:57.0230 3480 SCardSvr - ok
19:51:57.0324 3480 [ 253F38D0D7074C02FF8DEB9836C97D2B ] scfilter C:\Windows\system32\DRIVERS\scfilter.sys
19:51:57.0324 3480 scfilter - ok
19:51:57.0370 3480 [ 262F6592C3299C005FD6BEC90FC4463A ] Schedule C:\Windows\system32\schedsvc.dll
19:51:57.0433 3480 Schedule - ok
19:51:57.0448 3480 [ F17D1D393BBC69C5322FBFAFACA28C7F ] SCPolicySvc C:\Windows\System32\certprop.dll
19:51:57.0448 3480 SCPolicySvc - ok
19:51:57.0480 3480 [ 111E0EBC0AD79CB0FA014B907B231CF0 ] sdbus C:\Windows\system32\DRIVERS\sdbus.sys
19:51:57.0480 3480 sdbus - ok
19:51:57.0526 3480 [ 6EA4234DC55346E0709560FE7C2C1972 ] SDRSVC C:\Windows\System32\SDRSVC.dll
19:51:57.0526 3480 SDRSVC - ok
19:51:57.0558 3480 [ 3EA8A16169C26AFBEB544E0E48421186 ] secdrv C:\Windows\system32\drivers\secdrv.sys
19:51:57.0558 3480 secdrv - ok
19:51:57.0573 3480 [ BC617A4E1B4FA8DF523A061739A0BD87 ] seclogon C:\Windows\system32\seclogon.dll
19:51:57.0573 3480 seclogon - ok
19:51:57.0604 3480 [ C32AB8FA018EF34C0F113BD501436D21 ] SENS C:\Windows\system32\sens.dll
19:51:57.0604 3480 SENS - ok
19:51:57.0620 3480 [ 0336CFFAFAAB87A11541F1CF1594B2B2 ] SensrSvc C:\Windows\system32\sensrsvc.dll
19:51:57.0620 3480 SensrSvc - ok
19:51:57.0636 3480 [ CB624C0035412AF0DEBEC78C41F5CA1B ] Serenum C:\Windows\system32\drivers\serenum.sys
19:51:57.0636 3480 Serenum - ok
19:51:57.0667 3480 [ C1D8E28B2C2ADFAEC4BA89E9FDA69BD6 ] Serial C:\Windows\system32\drivers\serial.sys
19:51:57.0667 3480 Serial - ok
19:51:57.0682 3480 [ 1C545A7D0691CC4A027396535691C3E3 ] sermouse C:\Windows\system32\drivers\sermouse.sys
19:51:57.0682 3480 sermouse - ok
19:51:57.0714 3480 [ 0B6231BF38174A1628C4AC812CC75804 ] SessionEnv C:\Windows\system32\sessenv.dll
19:51:57.0714 3480 SessionEnv - ok
19:51:57.0729 3480 [ A554811BCD09279536440C964AE35BBF ] sffdisk C:\Windows\system32\drivers\sffdisk.sys
19:51:57.0745 3480 sffdisk - ok
19:51:57.0760 3480 [ FF414F0BAEFEBA59BC6C04B3DB0B87BF ] sffp_mmc C:\Windows\system32\drivers\sffp_mmc.sys
19:51:57.0760 3480 sffp_mmc - ok
19:51:57.0776 3480 [ DD85B78243A19B59F0637DCF284DA63C ] sffp_sd C:\Windows\system32\drivers\sffp_sd.sys
19:51:57.0776 3480 sffp_sd - ok
19:51:57.0792 3480 [ A9D601643A1647211A1EE2EC4E433FF4 ] sfloppy C:\Windows\system32\drivers\sfloppy.sys
19:51:57.0792 3480 sfloppy - ok
19:51:57.0979 3480 [ B95F6501A2F8B2E78C697FEC401970CE ] SharedAccess C:\Windows\System32\ipnathlp.dll
19:51:57.0979 3480 SharedAccess - ok
19:51:58.0041 3480 [ AAF932B4011D14052955D4B212A4DA8D ] ShellHWDetection C:\Windows\System32\shsvcs.dll
19:51:58.0057 3480 ShellHWDetection - ok
19:51:58.0166 3480 [ 843CAF1E5FDE1FFD5FF768F23A51E2E1 ] SiSRaid2 C:\Windows\system32\drivers\SiSRaid2.sys
19:51:58.0166 3480 SiSRaid2 - ok
19:51:58.0260 3480 [ 6A6C106D42E9FFFF8B9FCB4F754F6DA4 ] SiSRaid4 C:\Windows\system32\drivers\sisraid4.sys
19:51:58.0260 3480 SiSRaid4 - ok
19:51:58.0306 3480 [ 548260A7B8654E024DC30BF8A7C5BAA4 ] Smb C:\Windows\system32\DRIVERS\smb.sys
19:51:58.0322 3480 Smb - ok
19:51:58.0384 3480 [ 6313F223E817CC09AA41811DAA7F541D ] SNMPTRAP C:\Windows\System32\snmptrap.exe
19:51:58.0384 3480 SNMPTRAP - ok
19:51:58.0400 3480 [ B9E31E5CACDFE584F34F730A677803F9 ] spldr C:\Windows\system32\drivers\spldr.sys
19:51:58.0400 3480 spldr - ok
19:51:58.0447 3480 [ B96C17B5DC1424D56EEA3A99E97428CD ] Spooler C:\Windows\System32\spoolsv.exe
19:51:58.0447 3480 Spooler - ok
19:51:58.0696 3480 [ E17E0188BB90FAE42D83E98707EFA59C ] sppsvc C:\Windows\system32\sppsvc.exe
19:51:58.0774 3480 sppsvc - ok
19:51:58.0790 3480 [ 93D7D61317F3D4BC4F4E9F8A96A7DE45 ] sppuinotify C:\Windows\system32\sppuinotify.dll
19:51:58.0806 3480 sppuinotify - ok
19:51:58.0977 3480 [ 891793E00432FA055CF040605C260E49 ] SRTSP C:\Windows\System32\Drivers\N360x64\0603000.00E\SRTSP64.SYS
19:51:59.0008 3480 SRTSP - ok
19:51:59.0133 3480 [ 1CB7BB3B0561FB5ECFE37F7731E8BF3E ] SRTSPX C:\Windows\system32\drivers\N360x64\0603000.00E\SRTSPX64.SYS
19:51:59.0133 3480 SRTSPX - ok
19:51:59.0196 3480 [ 441FBA48BFF01FDB9D5969EBC1838F0B ] srv C:\Windows\system32\DRIVERS\srv.sys
19:51:59.0211 3480 srv - ok
19:51:59.0227 3480 [ B4ADEBBF5E3677CCE9651E0F01F7CC28 ] srv2 C:\Windows\system32\DRIVERS\srv2.sys
19:51:59.0242 3480 srv2 - ok
19:51:59.0258 3480 [ 27E461F0BE5BFF5FC737328F749538C3 ] srvnet C:\Windows\system32\DRIVERS\srvnet.sys
19:51:59.0258 3480 srvnet - ok
19:51:59.0305 3480 [ 51B52FBD583CDE8AA9BA62B8B4298F33 ] SSDPSRV C:\Windows\System32\ssdpsrv.dll
19:51:59.0305 3480 SSDPSRV - ok
19:51:59.0320 3480 [ AB7AEBF58DAD8DAAB7A6C45E6A8885CB ] SstpSvc C:\Windows\system32\sstpsvc.dll
19:51:59.0320 3480 SstpSvc - ok
19:51:59.0367 3480 Steam Client Service - ok
19:51:59.0539 3480 [ 9E1222C417291BC836210743624A8E5E ] Stereo Service C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
19:51:59.0554 3480 Stereo Service - ok
19:51:59.0570 3480 [ F3817967ED533D08327DC73BC4D5542A ] stexstor C:\Windows\system32\drivers\stexstor.sys
19:51:59.0586 3480 stexstor - ok
19:51:59.0617 3480 [ 8DD52E8E6128F4B2DA92CE27402871C1 ] stisvc C:\Windows\System32\wiaservc.dll
19:51:59.0617 3480 stisvc - ok
19:51:59.0648 3480 [ 7785DC213270D2FC066538DAF94087E7 ] storflt C:\Windows\system32\drivers\vmstorfl.sys
19:51:59.0648 3480 storflt - ok
19:51:59.0679 3480 [ D34E4943D5AC096C8EDEEBFD80D76E23 ] storvsc C:\Windows\system32\drivers\storvsc.sys
19:51:59.0695 3480 storvsc - ok
19:51:59.0695 3480 [ D01EC09B6711A5F8E7E6564A4D0FBC90 ] swenum C:\Windows\system32\DRIVERS\swenum.sys
19:51:59.0695 3480 swenum - ok
19:51:59.0742 3480 [ E08E46FDD841B7184194011CA1955A0B ] swprv C:\Windows\System32\swprv.dll
19:51:59.0742 3480 swprv - ok
19:51:59.0866 3480 [ 8B2430762099598DA40686F754632EFD ] SymDS C:\Windows\system32\drivers\N360x64\0603000.00E\SYMDS64.SYS
19:51:59.0866 3480 SymDS - ok
19:52:00.0241 3480 [ 5CB7F2FD7E30A0F52F93574BFC3A8041 ] SymEFA C:\Windows\system32\drivers\N360x64\0603000.00E\SYMEFA64.SYS
19:52:00.0272 3480 SymEFA - ok
19:52:00.0444 3480 [ 898BB48C797483420DF523B2BBC1ECDB ] SymEvent C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
19:52:00.0444 3480 SymEvent - ok
19:52:00.0506 3480 [ 5013A76CAAA1D7CF1C55214B490B4E35 ] SymIRON C:\Windows\system32\drivers\N360x64\0603000.00E\Ironx64.SYS
19:52:00.0522 3480 SymIRON - ok
19:52:00.0600 3480 [ 3911BD0E68C010E5438A87706ABBE9AB ] SymNetS C:\Windows\System32\Drivers\N360x64\0603000.00E\SYMNETS.SYS
19:52:00.0600 3480 SymNetS - ok
19:52:00.0740 3480 [ C21550B1D42A39B3A6D128729A9EBDD6 ] SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A} C:\Windows\system32\drivers\NSMx64\0203000.01A\SymRdrS.SYS
19:52:00.0740 3480 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A} - ok
19:52:00.0787 3480 [ C3A39C4079305480972D29C44B868C78 ] Synth3dVsc C:\Windows\system32\drivers\synth3dvsc.sys
19:52:00.0787 3480 Synth3dVsc - ok
19:52:00.0834 3480 [ B2A7D0790246E6FCDBDD256C4FCC4975 ] SynTP C:\Windows\system32\DRIVERS\SynTP.sys
19:52:00.0834 3480 SynTP - ok
19:52:00.0912 3480 [ BF9CCC0BF39B418C8D0AE8B05CF95B7D ] SysMain C:\Windows\system32\sysmain.dll
19:52:00.0958 3480 SysMain - ok
19:52:00.0974 3480 [ E3C61FD7B7C2557E1F1B0B4CEC713585 ] TabletInputService C:\Windows\System32\TabSvc.dll
19:52:00.0974 3480 TabletInputService - ok
19:52:00.0990 3480 [ 40F0849F65D13EE87B9A9AE3C1DD6823 ] TapiSrv C:\Windows\System32\tapisrv.dll
19:52:01.0005 3480 TapiSrv - ok
19:52:01.0021 3480 [ 1BE03AC720F4D302EA01D40F588162F6 ] TBS C:\Windows\System32\tbssvc.dll
19:52:01.0021 3480 TBS - ok
19:52:01.0114 3480 [ ACB82BDA8F46C84F465C1AFA517DC4B9 ] Tcpip C:\Windows\system32\drivers\tcpip.sys
19:52:01.0177 3480 Tcpip - ok
19:52:01.0255 3480 [ ACB82BDA8F46C84F465C1AFA517DC4B9 ] TCPIP6 C:\Windows\system32\DRIVERS\tcpip.sys
19:52:01.0270 3480 TCPIP6 - ok
19:52:01.0302 3480 [ DF687E3D8836BFB04FCC0615BF15A519 ] tcpipreg C:\Windows\system32\drivers\tcpipreg.sys
19:52:01.0302 3480 tcpipreg - ok
19:52:01.0317 3480 [ 3371D21011695B16333A3934340C4E7C ] TDPIPE C:\Windows\system32\drivers\tdpipe.sys
19:52:01.0317 3480 TDPIPE - ok
19:52:01.0442 3480 [ 51C5ECEB1CDEE2468A1748BE550CFBC8 ] TDTCP C:\Windows\system32\drivers\tdtcp.sys
19:52:01.0442 3480 TDTCP - ok
19:52:01.0473 3480 [ DDAD5A7AB24D8B65F8D724F5C20FD806 ] tdx C:\Windows\system32\DRIVERS\tdx.sys
19:52:01.0473 3480 tdx - ok
19:52:01.0504 3480 [ 561E7E1F06895D78DE991E01DD0FB6E5 ] TermDD C:\Windows\system32\DRIVERS\termdd.sys
19:52:01.0504 3480 TermDD - ok
19:52:01.0536 3480 [ 2B5BDFF688EC9871D7EC5837833374E9 ] terminpt C:\Windows\system32\drivers\terminpt.sys
19:52:01.0536 3480 terminpt - ok
19:52:01.0582 3480 [ 2E648163254233755035B46DD7B89123 ] TermService C:\Windows\System32\termsrv.dll
19:52:01.0582 3480 TermService - ok
19:52:01.0614 3480 [ F0344071948D1A1FA732231785A0664C ] Themes C:\Windows\system32\themeservice.dll
19:52:01.0614 3480 Themes - ok
19:52:01.0645 3480 [ E40E80D0304A73E8D269F7141D77250B ] THREADORDER C:\Windows\system32\mmcss.dll
19:52:01.0645 3480 THREADORDER - ok
19:52:01.0660 3480 [ 7E7AFD841694F6AC397E99D75CEAD49D ] TrkWks C:\Windows\System32\trkwks.dll
19:52:01.0676 3480 TrkWks - ok
19:52:01.0723 3480 [ 773212B2AAA24C1E31F10246B15B276C ] TrustedInstaller C:\Windows\servicing\TrustedInstaller.exe
19:52:01.0723 3480 TrustedInstaller - ok
19:52:01.0770 3480 [ CE18B2CDFC837C99E5FAE9CA6CBA5D30 ] tssecsrv C:\Windows\system32\DRIVERS\tssecsrv.sys
19:52:01.0770 3480 tssecsrv - ok
19:52:01.0801 3480 [ D11C783E3EF9A3C52C0EBE83CC5000E9 ] TsUsbFlt C:\Windows\system32\drivers\tsusbflt.sys
19:52:01.0801 3480 TsUsbFlt - ok
19:52:01.0832 3480 [ 9CC2CCAE8A84820EAECB886D477CBCB8 ] TsUsbGD C:\Windows\system32\drivers\TsUsbGD.sys
19:52:01.0832 3480 TsUsbGD - ok
19:52:01.0863 3480 [ E1748D04AE40118B62BC18AC86032192 ] tsusbhub C:\Windows\system32\drivers\tsusbhub.sys
19:52:01.0879 3480 tsusbhub - ok
19:52:01.0988 3480 [ 3566A8DAAFA27AF944F5D705EAA64894 ] tunnel C:\Windows\system32\DRIVERS\tunnel.sys
19:52:01.0988 3480 tunnel - ok
19:52:02.0050 3480 [ B4DD609BD7E282BFC683CEC7EAAAAD67 ] uagp35 C:\Windows\system32\drivers\uagp35.sys
19:52:02.0050 3480 uagp35 - ok
19:52:02.0238 3480 [ FF4232A1A64012BAA1FD97C7B67DF593 ] udfs C:\Windows\system32\DRIVERS\udfs.sys
19:52:02.0253 3480 udfs - ok
19:52:02.0300 3480 [ 3CBDEC8D06B9968ABA702EBA076364A1 ] UI0Detect C:\Windows\system32\UI0Detect.exe
19:52:02.0300 3480 UI0Detect - ok
19:52:02.0331 3480 [ 4BFE1BC28391222894CBF1E7D0E42320 ] uliagpkx C:\Windows\system32\drivers\uliagpkx.sys
19:52:02.0331 3480 uliagpkx - ok
19:52:02.0362 3480 [ DC54A574663A895C8763AF0FA1FF7561 ] umbus C:\Windows\system32\DRIVERS\umbus.sys
19:52:02.0362 3480 umbus - ok
19:52:02.0378 3480 [ B2E8E8CB557B156DA5493BBDDCC1474D ] UmPass C:\Windows\system32\drivers\umpass.sys
19:52:02.0378 3480 UmPass - ok
19:52:02.0425 3480 [ A293DCD756D04D8492A750D03B9A297C ] UmRdpService C:\Windows\System32\umrdp.dll
19:52:02.0425 3480 UmRdpService - ok
19:52:02.0550 3480 [ D47EC6A8E81633DD18D2436B19BAF6DE ] upnphost C:\Windows\System32\upnphost.dll
19:52:02.0550 3480 upnphost - ok
19:52:02.0612 3480 [ 6F1A3157A1C89435352CEB543CDB359C ] usbccgp C:\Windows\system32\DRIVERS\usbccgp.sys
19:52:02.0628 3480 usbccgp - ok
19:52:02.0659 3480 [ AF0892A803FDDA7492F595368E3B68E7 ] usbcir C:\Windows\system32\drivers\usbcir.sys
19:52:02.0674 3480 usbcir - ok
19:52:02.0737 3480 [ C025055FE7B87701EB042095DF1A2D7B ] usbehci C:\Windows\system32\DRIVERS\usbehci.sys
19:52:02.0737 3480 usbehci - ok
19:52:02.0830 3480 [ 287C6C9410B111B68B52CA298F7B8C24 ] usbhub C:\Windows\system32\DRIVERS\usbhub.sys
19:52:02.0830 3480 usbhub - ok
19:52:02.0846 3480 [ 9840FC418B4CBD632D3D0A667A725C31 ] usbohci C:\Windows\system32\drivers\usbohci.sys
19:52:02.0846 3480 usbohci - ok
19:52:02.0862 3480 [ 73188F58FB384E75C4063D29413CEE3D ] usbprint C:\Windows\system32\drivers\usbprint.sys
19:52:02.0862 3480 usbprint - ok
19:52:02.0908 3480 [ FED648B01349A3C8395A5169DB5FB7D6 ] USBSTOR C:\Windows\system32\DRIVERS\USBSTOR.SYS
19:52:02.0908 3480 USBSTOR - ok
19:52:02.0940 3480 [ 62069A34518BCF9C1FD9E74B3F6DB7CD ] usbuhci C:\Windows\system32\DRIVERS\usbuhci.sys
19:52:02.0940 3480 usbuhci - ok
19:52:02.0986 3480 [ 454800C2BC7F3927CE030141EE4F4C50 ] usbvideo C:\Windows\system32\Drivers\usbvideo.sys
19:52:02.0986 3480 usbvideo - ok
19:52:03.0018 3480 [ EDBB23CBCF2CDF727D64FF9B51A6070E ] UxSms C:\Windows\System32\uxsms.dll
19:52:03.0018 3480 UxSms - ok
19:52:03.0033 3480 [ C118A82CD78818C29AB228366EBF81C3 ] VaultSvc C:\Windows\system32\lsass.exe
19:52:03.0033 3480 VaultSvc - ok
19:52:03.0080 3480 [ C5C876CCFC083FF3B128F933823E87BD ] vdrvroot C:\Windows\system32\drivers\vdrvroot.sys
19:52:03.0080 3480 vdrvroot - ok
19:52:03.0236 3480 [ 8D6B481601D01A456E75C3210F1830BE ] vds C:\Windows\System32\vds.exe
19:52:03.0252 3480 vds - ok
19:52:03.0283 3480 [ DA4DA3F5E02943C2DC8C6ED875DE68DD ] vga C:\Windows\system32\DRIVERS\vgapnp.sys
19:52:03.0283 3480 vga - ok
19:52:03.0314 3480 [ 53E92A310193CB3C03BEA963DE7D9CFC ] VgaSave C:\Windows\System32\drivers\vga.sys
19:52:03.0314 3480 VgaSave - ok
19:52:03.0314 3480 VGPU - ok
19:52:03.0345 3480 [ 2CE2DF28C83AEAF30084E1B1EB253CBB ] vhdmp C:\Windows\system32\drivers\vhdmp.sys
19:52:03.0345 3480 vhdmp - ok
19:52:03.0361 3480 [ E5689D93FFE4E5D66C0178761240DD54 ] viaide C:\Windows\system32\drivers\viaide.sys
19:52:03.0361 3480 viaide - ok
19:52:03.0408 3480 [ 86EA3E79AE350FEA5331A1303054005F ] vmbus C:\Windows\system32\drivers\vmbus.sys
19:52:03.0408 3480 vmbus - ok
19:52:03.0439 3480 [ 7DE90B48F210D29649380545DB45A187 ] VMBusHID C:\Windows\system32\drivers\VMBusHID.sys
19:52:03.0439 3480 VMBusHID - ok
19:52:03.0454 3480 [ D2AAFD421940F640B407AEFAAEBD91B0 ] volmgr C:\Windows\system32\drivers\volmgr.sys
19:52:03.0454 3480 volmgr - ok
19:52:03.0486 3480 [ A255814907C89BE58B79EF2F189B843B ] volmgrx C:\Windows\system32\drivers\volmgrx.sys
19:52:03.0486 3480 volmgrx - ok
19:52:03.0501 3480 [ 0D08D2F3B3FF84E433346669B5E0F639 ] volsnap C:\Windows\system32\drivers\volsnap.sys
19:52:03.0517 3480 volsnap - ok
19:52:03.0532 3480 [ 5E2016EA6EBACA03C04FEAC5F330D997 ] vsmraid C:\Windows\system32\drivers\vsmraid.sys
19:52:03.0548 3480 vsmraid - ok
19:52:03.0595 3480 [ B60BA0BC31B0CB414593E169F6F21CC2 ] VSS C:\Windows\system32\vssvc.exe
19:52:03.0657 3480 VSS - ok
19:52:03.0673 3480 [ 36D4720B72B5C5D9CB2B9C29E9DF67A1 ] vwifibus C:\Windows\system32\DRIVERS\vwifibus.sys
19:52:03.0688 3480 vwifibus - ok
19:52:03.0735 3480 [ 6A3D66263414FF0D6FA754C646612F3F ] vwififlt C:\Windows\system32\DRIVERS\vwififlt.sys
19:52:03.0735 3480 vwififlt - ok
19:52:03.0751 3480 [ 1C9D80CC3849B3788048078C26486E1A ] W32Time C:\Windows\system32\w32time.dll
19:52:03.0751 3480 W32Time - ok
19:52:03.0782 3480 [ 4E9440F4F152A7B944CB1663D3935A3E ] WacomPen C:\Windows\system32\drivers\wacompen.sys
19:52:03.0782 3480 WacomPen - ok
19:52:03.0813 3480 [ 356AFD78A6ED4457169241AC3965230C ] WANARP C:\Windows\system32\DRIVERS\wanarp.sys
19:52:03.0813 3480 WANARP - ok
19:52:03.0829 3480 [ 356AFD78A6ED4457169241AC3965230C ] Wanarpv6 C:\Windows\system32\DRIVERS\wanarp.sys
19:52:03.0829 3480 Wanarpv6 - ok
19:52:04.0078 3480 [ 3CEC96DE223E49EAAE3651FCF8FAEA6C ] WatAdminSvc C:\Windows\system32\Wat\WatAdminSvc.exe
19:52:04.0188 3480 WatAdminSvc - ok
19:52:04.0500 3480 [ 78F4E7F5C56CB9716238EB57DA4B6A75 ] wbengine C:\Windows\system32\wbengine.exe
19:52:04.0562 3480 wbengine - ok
19:52:04.0656 3480 [ 3AA101E8EDAB2DB4131333F4325C76A3 ] WbioSrvc C:\Windows\System32\wbiosrvc.dll
19:52:04.0671 3480 WbioSrvc - ok
19:52:04.0702 3480 [ 7368A2AFD46E5A4481D1DE9D14848EDD ] wcncsvc C:\Windows\System32\wcncsvc.dll
19:52:04.0702 3480 wcncsvc - ok
19:52:04.0718 3480 [ 20F7441334B18CEE52027661DF4A6129 ] WcsPlugInService C:\Windows\System32\WcsPlugInService.dll
19:52:04.0718 3480 WcsPlugInService - ok
19:52:04.0749 3480 [ 72889E16FF12BA0F235467D6091B17DC ] Wd C:\Windows\system32\drivers\wd.sys
19:52:04.0749 3480 Wd - ok
19:52:04.0780 3480 [ 441BD2D7B4F98134C3A4F9FA570FD250 ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
19:52:04.0796 3480 Wdf01000 - ok
19:52:04.0812 3480 [ BF1FC3F79B863C914687A737C2F3D681 ] WdiServiceHost C:\Windows\system32\wdi.dll
19:52:04.0812 3480 WdiServiceHost - ok
19:52:04.0812 3480 [ BF1FC3F79B863C914687A737C2F3D681 ] WdiSystemHost C:\Windows\system32\wdi.dll
19:52:04.0827 3480 WdiSystemHost - ok
19:52:04.0843 3480 [ 3DB6D04E1C64272F8B14EB8BC4616280 ] WebClient C:\Windows\System32\webclnt.dll
19:52:04.0843 3480 WebClient - ok
19:52:04.0874 3480 [ C749025A679C5103E575E3B48E092C43 ] Wecsvc C:\Windows\system32\wecsvc.dll
19:52:04.0874 3480 Wecsvc - ok
19:52:04.0890 3480 [ 7E591867422DC788B9E5BD337A669A08 ] wercplsupport C:\Windows\System32\wercplsupport.dll
19:52:04.0890 3480 wercplsupport - ok
19:52:04.0921 3480 [ 6D137963730144698CBD10F202E9F251 ] WerSvc C:\Windows\System32\WerSvc.dll
19:52:04.0921 3480 WerSvc - ok
19:52:04.0968 3480 [ 611B23304BF067451A9FDEE01FBDD725 ] WfpLwf C:\Windows\system32\DRIVERS\wfplwf.sys
19:52:04.0968 3480 WfpLwf - ok
19:52:04.0999 3480 [ 05ECAEC3E4529A7153B3136CEB49F0EC ] WIMMount C:\Windows\system32\drivers\wimmount.sys
19:52:04.0999 3480 WIMMount - ok
19:52:05.0030 3480 WinDefend - ok
19:52:05.0030 3480 WinHttpAutoProxySvc - ok
19:52:05.0092 3480 [ 19B07E7E8915D701225DA41CB3877306 ] Winmgmt C:\Windows\system32\wbem\WMIsvc.dll
19:52:05.0092 3480 Winmgmt - ok
19:52:05.0155 3480 [ BCB1310604AA415C4508708975B3931E ] WinRM C:\Windows\system32\WsmSvc.dll
19:52:05.0233 3480 WinRM - ok
19:52:05.0342 3480 [ FE88B288356E7B47B74B13372ADD906D ] WinUSB C:\Windows\system32\DRIVERS\WinUSB.sys
19:52:05.0342 3480 WinUSB - ok
19:52:05.0436 3480 [ 4FADA86E62F18A1B2F42BA18AE24E6AA ] Wlansvc C:\Windows\System32\wlansvc.dll
19:52:05.0467 3480 Wlansvc - ok
19:52:05.0748 3480 [ 98F138897EF4246381D197CB81846D62 ] wlidsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
19:52:05.0794 3480 wlidsvc - ok
19:52:05.0841 3480 [ F6FF8944478594D0E414D3F048F0D778 ] WmiAcpi C:\Windows\system32\DRIVERS\wmiacpi.sys
19:52:05.0841 3480 WmiAcpi - ok
19:52:05.0872 3480 [ 38B84C94C5A8AF291ADFEA478AE54F93 ] wmiApSrv C:\Windows\system32\wbem\WmiApSrv.exe
19:52:05.0872 3480 wmiApSrv - ok
19:52:05.0904 3480 WMPNetworkSvc - ok
19:52:05.0966 3480 [ 96C6E7100D724C69FCF9E7BF590D1DCA ] WPCSvc C:\Windows\System32\wpcsvc.dll
19:52:05.0966 3480 WPCSvc - ok
19:52:06.0013 3480 [ 93221146D4EBBF314C29B23CD6CC391D ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
19:52:06.0013 3480 WPDBusEnum - ok
19:52:06.0028 3480 [ 6BCC1D7D2FD2453957C5479A32364E52 ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
19:52:06.0044 3480 ws2ifsl - ok
19:52:06.0216 3480 [ E8B1FE6669397D1772D8196DF0E57A9E ] wscsvc C:\Windows\system32\wscsvc.dll
19:52:06.0216 3480 wscsvc - ok
19:52:06.0231 3480 WSearch - ok
19:52:06.0418 3480 [ D9EF901DCA379CFE914E9FA13B73B4C4 ] wuauserv C:\Windows\system32\wuaueng.dll
19:52:06.0496 3480 wuauserv - ok
19:52:06.0512 3480 [ D3381DC54C34D79B22CEE0D65BA91B7C ] WudfPf C:\Windows\system32\drivers\WudfPf.sys
19:52:06.0512 3480 WudfPf - ok
19:52:06.0590 3480 [ 7A95C95B6C4CF292D689106BCAE49543 ] wudfsvc C:\Windows\System32\WUDFSvc.dll
19:52:06.0637 3480 wudfsvc - ok
19:52:06.0793 3480 [ 9A3452B3C2A46C073166C5CF49FAD1AE ] WwanSvc C:\Windows\System32\wwansvc.dll
19:52:06.0855 3480 WwanSvc - ok
19:52:06.0918 3480 ================ Scan global ===============================
19:52:06.0933 3480 [ BA0CD8C393E8C9F83354106093832C7B ] C:\Windows\system32\basesrv.dll
19:52:07.0011 3480 [ EB6A48CC998E1090E44E8E7F1009A640 ] C:\Windows\system32\winsrv.dll
19:52:07.0027 3480 [ EB6A48CC998E1090E44E8E7F1009A640 ] C:\Windows\system32\winsrv.dll
19:52:07.0058 3480 [ D6160F9D869BA3AF0B787F971DB56368 ] C:\Windows\system32\sxssrv.dll
19:52:07.0105 3480 [ 24ACB7E5BE595468E3B9AA488B9B4FCB ] C:\Windows\system32\services.exe
19:52:07.0105 3480 [Global] - ok
19:52:07.0105 3480 ================ Scan MBR ==================================
19:52:07.0120 3480 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
19:52:07.0120 3480 Suspicious mbr (Forged): \Device\Harddisk0\DR0
19:52:07.0230 3480 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
19:52:07.0230 3480 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
19:52:07.0230 3480 ================ Scan VBR ==================================
19:52:07.0245 3480 [ A8592AA7C9F9DC7332DBA05C2506D4B7 ] \Device\Harddisk0\DR0\Partition1
19:52:07.0245 3480 \Device\Harddisk0\DR0\Partition1 - ok
19:52:07.0261 3480 [ 319D4EF3DB47BAD0D06E43DB8956B942 ] \Device\Harddisk0\DR0\Partition2
19:52:07.0261 3480 \Device\Harddisk0\DR0\Partition2 - ok
19:52:07.0261 3480 ============================================================
19:52:07.0261 3480 Scan finished
19:52:07.0261 3480 ============================================================
19:52:07.0276 2844 Detected object count: 1
19:52:07.0276 2844 Actual detected object count: 1
19:52:20.0004 2844 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - skipped by user
19:52:20.0004 2844 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Skip
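The last two sections of the TDSSKiller log above hash the MBR of \Device\Harddisk0\DR0 and the volume boot record of each partition, report the MBR as "Suspicious mbr (Forged)" and name it Rootkit.Boot.Pihar.c; the user then chose Skip. What follows is an added example, not part of the original post and not TDSSKiller's code: Python that takes a raw 512-byte sector, checks the 0x55AA boot signature, hashes it (MD5 is assumed here because the log's hashes are 32 hex digits, the same length as the file hashes earlier in the log) and decodes the four partition-table entries. The sample sector is constructed inside the code; read_mbr() shows how you would pull the real one on Windows (administrator rights needed) and is not called by the demo. One caveat a practitioner should keep in mind: boot rootkits commonly filter reads of the sectors they occupy, so a clean-looking sector read from inside the infected OS proves little; take the baseline and the comparison from clean boot media.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE = 0x1BE                    # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xAA"                # last two bytes of a valid MBR
ENTRY = struct.Struct("<B3sB3sII")    # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Construct a plausible MBR for the demo (not the thread's disk): dummy
    boot code, an active 100 MB NTFS system partition, a second NTFS
    partition, two empty entries, and the boot signature."""
    boot_code = b"\xEB\x3C\x90" + b"\x00" * (PART_TABLE - 3)
    chs = b"\x00\x00\x00"  # CHS fields are ignored by modern loaders; zeroed here
    table = (ENTRY.pack(0x80, chs, 0x07, chs, 2048, 204800)
             + ENTRY.pack(0x00, chs, 0x07, chs, 206848, 976564224)
             + b"\x00" * 32)
    mbr = boot_code + table + BOOT_SIG
    assert len(mbr) == SECTOR
    return mbr


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a physical disk (Windows; needs administrator rights).
    Not called by the demo; pass the result to parse_mbr()."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def parse_mbr(sector):
    """Check the boot signature, hash the sector (MD5 assumed, to match the
    32-hex-digit hashes in the scanner log) and decode the partition table."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    info = {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "sector_md5": hashlib.md5(sector).hexdigest().upper(),
        "bootcode_md5": hashlib.md5(sector[:PART_TABLE]).hexdigest().upper(),
        "partitions": [],
    }
    for i in range(4):
        off = PART_TABLE + 16 * i
        status, _, ptype, _, lba, count = ENTRY.unpack(sector[off:off + 16])
        if ptype != 0:          # type 0 marks an unused entry
            info["partitions"].append({"index": i + 1, "bootable": status == 0x80,
                                       "type": ptype, "lba_start": lba, "sectors": count})
    return info


def bootcode_matches(sector, baseline_md5):
    """Compare only the 446 bytes of boot code against a baseline taken from a
    known-clean read. The partition table can change legitimately when volumes
    are edited; the boot code should not, unless an OS install or repair rewrote it."""
    return hashlib.md5(sector[:PART_TABLE]).hexdigest().upper() == baseline_md5.upper()


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("signature ok:", info["signature_ok"], " sector md5:", info["sector_md5"])
    for p in info["partitions"]:
        print(p)
```

Hashing the whole sector, as the scanner does, is the right first comparison against a baseline from the same disk; bootcode_matches() is the narrower check to use when you know the partition table has been edited since the baseline was taken.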

nethog

join:2006-12-08
Canton, MI
LoPhatPhuud:
I just noticed something disturbing on this computer - looking at the network connection properties I see that some program is constantly downloading data - after 1/2 hour I see over 500Mb received and I am running NO applications.


LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM

reply to nethog
Use Task Manager to see if you can determine which process is doing the downloading.

Are you losing disk space?

I suspect what you are seeing is normal network traffic and not necessarily anything being downloaded.

Logs so far showed no 'mysterious' programs and no rootkits, but we'll look again for rootkits. The instructions are later in this post.

What did you do to make this determination? (give me the steps you took to check the connection. I want to be able to duplicate them on my computer)

Also,

Download and run GMER. Post the log in this thread, even if nothing is found.

You'll find link(s) and instructions here:
»Security Cleanup FAQ »Rootkit Detection Applications

nethog

join:2006-12-08
Canton, MI
I am not losing disk space but I am certain that the data being received is *not* normal network activity. I am using the wireless connection properties to see the data transmitted/received. Yesterday, after a few hours this showed over 5 Gbytes received - again with very little network use on my part. It seems that svchost.exe 32 is the process that is pulling the data since it continually shows cpu use until I turn off my wireless. Another thing you should know is that if I use Google all search results seem bogus and not actually from google since it lists a bunch of links that appear to be advertisements. I uninstalled the google toolbar from IE9 and at the end I got a 404 error in my browser - I recall that normally google sends you to a web page asking why you uninstalled their toolbar.

Anyway here is the GMER log:

GMER 1.0.15.15641 - »www.gmer.net
Rootkit scan 2012-09-09 09:24:20
Windows 6.1.7601 Service Pack 1
Running: dtlcc9oh.exe

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269c4728e
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269c4728e (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VWWQG7C\dnserrordiagoff_webOC[1] 6766 bytes

---- EOF - GMER 1.0.15 ----


LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM

reply to nethog
IF you use Comcast as an ISP (the logs indicate you are/were), have you received any Bot notifications from them?

Is your wireless connection secured with a WPA/WPA2 password to prevent unauthorized connections?

Do you have any computers connected via wire to the router?

Also, run MBAM again, and post the new log in this thread.
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum

nethog

join:2006-12-08
Canton, MI
LoPhatPhuud:
No I never received anything from Comcast. The infected computer is connected to my wireless router using WPA. My wireless router is secure with WPA and I just replaced my router last weekend with a new netgear model. There are no computers connected to the infected computer by wire. Here is the MBAM log just before I hit the remove virus button - after a mandatory reboot by MBAM I could not see an updated logfile anywhere:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.10.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Andrew :: LAPTOP [administrator]

9/10/2012 8:18:23 PM
mbam-log-2012-09-10 (22-44-53).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 558498
Time elapsed: 2 hour(s), 18 minute(s), 35 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 5232 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Adobe (Trojan.RedirRdll3.Gen) -> Data: rundll32.exe "C:\Users\Andrew\AppData\Local\Apps\Adobe\uctnh.dll",CreateInstance -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.

(end)


LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM

reply to nethog
Run MBAM again and this time remove what it detects. That looks like the Zero Access trojan.
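Two observations from the exchange above fit one check. LoPhatPhuud's advice was to use Task Manager to find which process owns the traffic; nethog's reading was "svchost.exe 32" (presumably Task Manager's "svchost.exe *32" display, the suffix it uses for a 32-bit process on 64-bit Windows), and the MBAM scan then named C:\Windows\svchost.exe, PID 5232, as Trojan.Agent. The genuine svchost.exe on Windows 7 x64 lives in C:\Windows\System32 (with a 32-bit copy in C:\Windows\SysWOW64), never directly in C:\Windows, so the path alone is the tell. The Python below is an added example, not part of this thread and not MBAM's or Microsoft's code: it parses constructed `netstat -ano` output (the -o switch lists the owning PID for each connection), counts established TCP connections per PID, joins that with a PID-to-image-path table you would fill in from Task Manager's "Image Path Name" column or `wmic process get ProcessId,ExecutablePath`, and flags any svchost.exe outside its expected directories or any process holding unusually many connections. The addresses, PIDs and paths in the sample are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `netstat -ano` output. Addresses are documentation
# ranges; nothing here is from the thread's machine.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.23:49712     192.0.2.10:80          ESTABLISHED     5232
  TCP    192.168.1.23:49713     192.0.2.11:80          ESTABLISHED     5232
  TCP    192.168.1.23:49714     198.51.100.7:443       ESTABLISHED     5232
  TCP    192.168.1.23:49802     203.0.113.5:443        ESTABLISHED     1840
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  UDP    0.0.0.0:5355           *:*                                    1048
"""

# Constructed PID -> image path map, as read from Task Manager's "Image Path
# Name" column or `wmic process get ProcessId,ExecutablePath`.
IMAGE_PATHS = {
    5232: r"C:\Windows\svchost.exe",
    1840: r"C:\Program Files\Internet Explorer\iexplore.exe",
    712:  r"C:\Windows\System32\svchost.exe",
    1048: r"C:\Windows\System32\svchost.exe",
}

# Where the genuine svchost.exe lives on 64-bit Windows 7.
EXPECTED_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Yield (proto, local, foreign, state, pid) from `netstat -ano` output.
    UDP rows have no State column, hence the optional group."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            yield proto, local, foreign, state or "", int(pid)


def established_per_pid(text):
    """Count ESTABLISHED TCP connections per PID and collect the remote hosts."""
    counts, peers = Counter(), defaultdict(set)
    for proto, _local, foreign, state, pid in parse_netstat(text):
        if proto == "TCP" and state == "ESTABLISHED":
            counts[pid] += 1
            peers[pid].add(foreign.rsplit(":", 1)[0])
    return counts, peers


def is_masquerading_svchost(path):
    """True when an image is named svchost.exe but is not in System32/SysWOW64."""
    p = path.lower()
    if not p.endswith(r"\svchost.exe"):
        return False
    return not any(p.startswith(d + "\\") for d in EXPECTED_SVCHOST_DIRS)


def triage(text, image_paths, min_connections=3):
    """Return [(pid, path, n_established, reasons)] for processes worth a look,
    busiest first. A process is listed if its image masquerades as svchost.exe
    or it holds at least `min_connections` established connections."""
    counts, peers = established_per_pid(text)
    findings = []
    for pid, n in counts.most_common():
        path = image_paths.get(pid, "<unknown>")
        reasons = []
        if is_masquerading_svchost(path):
            reasons.append("svchost.exe outside System32/SysWOW64")
        if n >= min_connections:
            reasons.append(f"{n} established connections to {len(peers[pid])} hosts")
        if reasons:
            findings.append((pid, path, n, reasons))
    return findings


if __name__ == "__main__":
    for pid, path, n, reasons in triage(NETSTAT_SAMPLE, IMAGE_PATHS):
        print(f"PID {pid}: {path}")
        for r in reasons:
            print("   -", r)
```

Run `netstat -ano > netstat.txt` from an elevated prompt on the suspect machine, collect the PID-to-path table the same way, and feed both to triage(). A byte counter alone (the wireless status window nethog used) cannot attribute traffic to a process; the per-PID view is what answers "which program".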

nethog

join:2006-12-08
Canton, MI
I did actually click the remove option in MBAM after it finished, but like I stated there was not a new log file nor was the original log file I posted updated. I did check network data transmission just now and I see that over 4 gigabytes of data was received the past 3 hours but the only network activity by a family member was using ie9 to view a few short youtube videos - and data continues to be received when doing nothing on the internet.


LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM

reply to nethog
The MBAM reboot was due to an upgrade to the most current version. That may have affected the removal.

Run MBAM again, removing anything it finds, and post the new log in this thread.

If no log shows up, click the 'Log' tab in MBAM. That will give you a list of all logs stored. Double clicking on any log will open it so you can copy and paste.
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum
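MBAM's 'Log' tab holds two kinds of file: the scan logs (mbam-log-*.txt, sectioned the way the one posted above is) and the protection logs, which the real-time component appends to continuously, one event per line: date, time, UTC offset, host name, user name, an event type (MESSAGE or DETECTION; the parser below also accepts ERROR) and a payload, which for a DETECTION is the object path, the threat name and the action taken (ALLOW, as in this thread; the parser treats DENY and QUARANTINE the same way). The Python below is an added example, not MBAM's code and not part of this thread: a parser over constructed lines in that format that groups detections per path and lists the ones the real-time component only ever logged as ALLOW, which means it saw the object and let it run. The host and user names, paths and timestamps in the sample are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed lines in the MBAM 1.x protection-log format seen in this thread
# (date time utcoffset host user EVENT payload). Not copied from the thread's logs.
PROTECTION_LOG = r"""
2012/09/12 05:29:57 -0400 LAPTOP Andrew MESSAGE Starting protection
2012/09/12 05:29:58 -0400 LAPTOP Andrew MESSAGE Protection started successfully
2012/09/12 05:30:57 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:32:00 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:33:10 -0400 LAPTOP Andrew DETECTION C:\Users\Andrew\AppData\Local\Temp\drop one.tmp Trojan.Dropper QUARANTINE
2012/09/12 05:34:00 -0400 LAPTOP Andrew DETECTION C:\Users\Andrew\AppData\Local\Temp\drop one.tmp Trojan.Dropper DENY
"""

LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) (\S+) (\S+) (MESSAGE|ERROR|DETECTION) (.*)$"
)


def parse_protection_log(text):
    """Yield one dict per line: ts (timezone-aware), host, user, event, payload,
    plus path/threat/action for DETECTION events. Malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, host, user, event, payload = m.groups()
        rec = {"ts": datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S %z"),
               "host": host, "user": user, "event": event, "payload": payload}
        if event == "DETECTION":
            # Split from the right: the action and threat name contain no spaces,
            # the path may (e.g. under Program Files).
            path, threat, action = payload.rsplit(" ", 2)
            rec.update(path=path, threat=threat, action=action)
        yield rec


def summarize_detections(text):
    """Group DETECTION events by path: threat name, count per action, first and
    last time seen."""
    by_path = {}
    for rec in parse_protection_log(text):
        if rec["event"] != "DETECTION":
            continue
        s = by_path.setdefault(rec["path"], {"threat": rec["threat"], "actions": Counter(),
                                              "first": rec["ts"], "last": rec["ts"]})
        s["actions"][rec["action"]] += 1
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return by_path


def allowed_detections(text):
    """Paths the real-time component detected but logged as ALLOW, i.e. it saw the
    object and let it run. Returned as (path, threat, allow_count, seconds between
    first and last hit), most-allowed first. Repeated hits on one path mean the
    object is still on disk and still being executed: that is a cleanup target."""
    out = []
    for path, s in summarize_detections(text).items():
        n = s["actions"].get("ALLOW", 0)
        if n:
            out.append((path, s["threat"], n, (s["last"] - s["first"]).total_seconds()))
    return sorted(out, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for path, threat, n, span in allowed_detections(PROTECTION_LOG):
        print(f"{path}  {threat}  allowed {n}x over {span:.0f}s")
```

Point it at a real protection log with open(path).read() in place of the constructed string; a path that keeps appearing with ALLOW across reboots tells you the scan's "Delete on reboot" did not take, which is exactly what the next post in this thread observes.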

nethog

join:2006-12-08
Canton, MI
Ok I reran MBAM, clicked "remove", rebooted and looked in the MBAM log area. I notice there is an mbam-log file and 2 protection-log files associated with this last run. I see that the second protection log is being updated even as I am typing this message basically ALLOWing the trojan "svchost.exe"! All three files posted below:

mbam-log:
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.13.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Andrew :: LAPTOP [administrator]

9/12/2012 10:34:45 PM
mbam-log-2012-09-12 (22-34-45).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 569612
Time elapsed: 2 hour(s), 2 minute(s), 10 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 5440 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)

First protection-log:
2012/09/12 05:29:57 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:32:00 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:32:17 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:42:31 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:43:02 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:45:19 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:47:56 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:56:10 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:56:25 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:45:16 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:53:39 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:54:20 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:55:17 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:56:12 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:59:44 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 15:01:03 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 15:01:45 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 15:03:27 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 15:58:07 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 15:59:43 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 16:01:33 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 16:28:17 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 16:29:02 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 17:16:32 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 17:19:24 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 17:32:10 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 17:33:00 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 17:33:44 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 18:21:42 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 18:44:12 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 18:44:28 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 19:07:03 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 19:07:24 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 19:53:03 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 19:53:38 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 20:13:36 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 20:15:01 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 20:41:03 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 20:41:25 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:21:21 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:22:01 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:23:35 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:23:46 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:34:35 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:35:20 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 22:34:14 -0400 LAPTOP Andrew MESSAGE Starting database refresh
2012/09/12 22:35:14 -0400 LAPTOP Andrew MESSAGE Database refreshed successfully

Second protection-log:
2012/09/13 01:15:26 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/13 05:28:39 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/13 05:29:02 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/13 05:31:45 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
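
As an added example (not from this thread and not a Malwarebytes tool), a small Python triage script for the protection-log format posted above: it parses each line, counts detections per path and action, and flags both detections that ended in ALLOW and core Windows binary names running outside their normal directory (C:\Windows\svchost.exe as above, rather than C:\Windows\System32\svchost.exe). The sample lines and the expected-directory table are constructed for the example.

```python
"""Triage Malwarebytes real-time protection-log lines.

Added example for the thread, not part of Malwarebytes. The sample lines
below are constructed to match the format of the logs posted in the thread.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Line shape seen in the thread (host and user are assumed to contain no spaces):
# 2012/09/12 05:29:57 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) (?P<kind>DETECTION|MESSAGE|ERROR) (?P<rest>.*)$"
)

# Directories in which these core Windows binaries normally live. Constructed
# for this example and assuming the system drive is C:.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "lsass.exe": {r"c:\windows\system32"},
}

# Constructed sample log (same shape as the thread's protection logs).
SAMPLE_LOG = [
    r"2012/09/12 05:29:57 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW",
    r"2012/09/12 05:32:00 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW",
    r"2012/09/12 22:34:14 -0400 LAPTOP Andrew MESSAGE Starting database refresh",
    r"2012/09/13 01:15:26 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent QUARANTINE",
    r"2012/09/13 01:20:00 -0400 LAPTOP Andrew DETECTION C:\Users\Andrew\AppData\Local\Apps\Adobe\uctnh.dll Trojan.RedirRdll3.Gen DENY",
]


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["kind"] == "DETECTION":
        # The path may contain spaces, so peel threat name and action off the end.
        path, threat, action = rec["rest"].rsplit(" ", 2)
        rec.update(path=path, threat=threat, action=action)
    else:
        rec.update(path=None, threat=None, action=None, text=rec["rest"])
    return rec


def path_masquerades(path):
    """True if the file name is a core Windows binary but its directory is not
    one of the directories that binary normally lives in."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    if expected is None:
        return False
    return str(p.parent).lower() not in expected


def triage(lines):
    """Return (counts, findings): detections counted per (path, action), and a
    de-duplicated list of items a responder should look at first."""
    counts = Counter()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["kind"] != "DETECTION":
            continue
        counts[(rec["path"], rec["action"])] += 1
        # ALLOW means real-time protection saw the file but did not block it:
        # the detection is still live and needs a removal run.
        if rec["action"] == "ALLOW":
            msg = f"ALLOWED: {rec['path']} ({rec['threat']})"
            if msg not in findings:
                findings.append(msg)
        if path_masquerades(rec["path"]):
            msg = f"MASQUERADE: {rec['path']} is outside its expected directory"
            if msg not in findings:
                findings.append(msg)
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LOG)
    for (path, action), n in counts.most_common():
        print(f"{n:4d}  {action:<10} {path}")
    for f in findings:
        print(f)
```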


LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:26

1 recommendation

reply to nethog
OK. MBAM cleared the trojan. I'm surprised that Combofix did not catch it unless it was recently installed. Time to run Combofix again...

Download ComboFix from one of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.infospyware.net/antimalware/combofix/
 
* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

* Double-click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum

nethog

join:2006-12-08
Canton, MI
here is my combofix log:
ComboFix 12-09-13.03 - Andrew 09/13/2012 19:38:50.2.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.2792 [GMT -4:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-13 to 2012-09-13 )))))))))))))))))))))))))))))))
.
.
2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\Peter\AppData\Local\temp
2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\Cameron\AppData\Local\temp
2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\Brianna\AppData\Local\temp
2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-09-11 00:16 . 2012-09-11 00:16 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-11 00:16 . 2012-09-07 21:04 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-09 11:38 . 2012-09-09 11:38 -------- d-----w- c:\users\Peter\AppData\Local\Google
2012-09-08 19:06 . 2012-09-08 19:06 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-09-08 17:54 . 2012-09-08 17:54 -------- d-----w- c:\program files (x86)\WinDirStat
2012-09-08 14:26 . 2012-08-28 05:49 9310152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{23FE69FC-3850-4F9D-AFB4-2DE3ACB0DC71}\mpengine.dll
2012-09-08 13:44 . 2012-01-04 21:06 8192 ----a-w- c:\windows\system32\drivers\rt2870.bin
2012-09-08 13:44 . 2012-09-08 13:44 -------- d-----w- c:\users\Andrew\AppData\Local\NETGEAR
2012-09-08 13:44 . 2012-09-08 13:44 -------- d-----w- c:\programdata\NETGEAR
2012-09-08 13:43 . 2012-09-08 13:43 -------- d-----w- c:\windows\Downloaded Installations
2012-09-04 21:41 . 2012-09-04 21:41 -------- d-----w- c:\program files (x86)\Microsoft XNA
2012-09-02 18:55 . 2012-09-02 18:55 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-09-02 18:39 . 2012-09-02 18:38 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-09-02 18:38 . 2012-09-02 18:38 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-09-02 18:34 . 2012-09-02 18:34 -------- d-----w- c:\programdata\McAfee
2012-09-01 04:44 . 2012-09-01 04:44 -------- d-----w- c:\programdata\PC-Doctor for Windows
2012-09-01 04:02 . 2012-09-01 04:02 -------- d-----w- c:\windows\system32\drivers\NSMx64
2012-09-01 04:02 . 2012-09-01 04:02 -------- d-----w- c:\program files (x86)\Norton Online
2012-09-01 04:02 . 2012-09-01 04:02 -------- d-----w- c:\windows\system32\drivers\NOFx64
2012-09-01 03:47 . 2012-09-01 03:47 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2012-09-01 03:28 . 2012-09-01 04:03 -------- d-----w- c:\program files\Symantec
2012-09-01 03:28 . 2012-09-01 04:03 175736 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-09-01 03:26 . 2012-09-01 03:26 -------- d-----w- c:\program files (x86)\Norton Security Suite
2012-09-01 03:26 . 2012-09-01 04:02 -------- d-----w- c:\program files (x86)\NortonInstaller
2012-09-01 01:11 . 2012-09-01 03:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-09-01 01:10 . 2012-09-01 03:39 -------- d-----w- c:\windows\system32\drivers\N360x64
2012-08-30 21:52 . 2012-09-13 23:50 -------- d-----w- c:\users\Andrew\AppData\Local\temp
2012-08-30 02:20 . 2012-09-01 01:57 -------- d-----w- c:\program files (x86)\Sophos
2012-08-14 23:54 . 2012-08-14 23:54 -------- d-----w- c:\users\Peter\AppData\Roaming\QuickScan
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-08 03:59 . 2012-05-21 10:09 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-09-08 03:59 . 2011-05-15 01:59 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-02 18:38 . 2011-05-15 00:31 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-07-03 07:19 . 2011-05-14 19:59 59701280 ----a-w- c:\windows\system32\MRT.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-30_21.49.38 )))))))))))))))))))))))))))))))))))))))))
.
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-09-01 1353080]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Razer Imperator Driver"="c:\program files (x86)\Razer\Imperator\RazerImperatorSysTray.exe" [2011-06-03 979360]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1556560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-08 250568]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\DRIVERS\ae1000w7.sys [2010-03-23 1101600]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\AB3E.tmp [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\system32\drivers\NSMx64\0203000.01A\SymRdrS.SYS [2011-11-17 218232]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-14 1255736]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0603000.00E\SYMDS64.SYS [2011-08-16 451192]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0603000.00E\SYMEFA64.SYS [2012-05-22 1129120]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\BASHDefs\20120905.001\BHDrvx64.sys [2012-08-31 1385120]
S1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\N360x64\0603000.00E\ccSetx64.sys [2012-06-07 167072]
S1 ccSet_NOF;Norton Online Settings Manager;c:\windows\system32\drivers\NOFx64\0203000.007\ccSetx64.sys [2011-11-04 167048]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20120912.001\IDSvia64.sys [2012-09-01 513184]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0603000.00E\Ironx64.SYS [2011-11-17 190072]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0603000.00E\SYMNETS.SYS [2011-11-17 405624]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-07-12 8704]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-07 399432]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-07 676936]
S2 N360;Norton Security Suite;c:\program files (x86)\Norton Security Suite\Engine\6.3.0.14\ccSvcHst.exe [2012-06-16 138272]
S2 NOF;Norton Online;c:\program files (x86)\Norton Online\Engine\2.3.0.7\ccSvcHst.exe [2011-11-30 138248]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-09-01 138912]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-07 25928]
S3 netr28ux;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28ux.sys [2012-01-13 1675840]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-21 03:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1211688]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 415816]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-03 2412616]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-10-15 539456]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.bing.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Dxtory Update Checker 2.0 - c:\program files (x86)\Dxtory Software\Dxtory2.0\UpdateChecker.exe
Wow6432Node-HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\6.3.0.14\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\6.3.0.14\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NOF]
"ImagePath"="\"c:\program files (x86)\Norton Online\Engine\2.3.0.7\ccSvcHst.exe\" /s \"NOF\" /m \"c:\program files (x86)\Norton Online\Engine\2.3.0.7\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\AB3E.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,
7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,
64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,
69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{B8E07826-0971-4F16-B133-047B88034E89}"=hex:51,66,7a,6c,4c,1d,38,12,48,7b,f3,
bc,43,47,78,0a,ce,25,47,3b,8d,5d,0a,9d
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"=hex:51,66,7a,6c,4c,1d,38,12,70,05,61,
f9,ec,d1,23,0d,da,9c,48,eb,44,0f,8e,cc
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:5c,e1,7b,1f,37,75,cd,01
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-13 19:56:25
ComboFix-quarantined-files.txt 2012-09-13 23:56
.
Pre-Run: 173,584,371,712 bytes free
Post-Run: 175,528,013,824 bytes free
.
- - End Of File - - 127BB92CC27A3CFC2622E3ECE17CB231

nethog
LoPhatPhuud
Just so you know, my PC is still continuously receiving a stream of data; for example, yesterday after 6 hours approximately 8Gb was received over my wireless connection. When I look at the connection status I see what appears to be 1 Mb transmitted every 2-3 seconds with NO network apps running.


LoPhatPhuud

reply to nethog
I believe the main culprit is multiple infections across multiple user accounts. That would explain the "mysterious" behavior when the logs show nothing.

Infections at this depth are best dealt with by reformat and re-install. Back up all pertinent data first.

Then either load the factory recovery program, or boot from your Windows DVD.

Operating System stability is foremost for me. If I can't be assured that the removal steps will leave a stable OS, then the only recommendation I can make is reformat.
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum

nethog
Would it help if I reran MBAM on the other account that is in-use on this computer?


LoPhatPhuud

reply to nethog
The problem is that your computer is infecting faster than you can clean it. MBAM may help, but it's not the preferred program for this trojan.

Again, for infections of this depth, I will only recommend reformat and re-install.

That said, if you want to try to remove the exploit from all users, you'll need to run an AV from a bootable CD/DVD.

My recommendation would be to use the Kaspersky Rescue tool. I'll post the instructions in the next post.

Please understand, my recommendation for reformat and reinstall still stands.


LoPhatPhuud

reply to nethog
The Kaspersky Rescue Disk is a bootable CD or USB based version of Kaspersky Antivirus.

You will find full instructions for download and use at the following links:

CD based: »support.kaspersky.com/faq/?qid=208282484

USB Based: »support.kaspersky.com/faq/?qid=208282163

Note: Please post the log (krd-log.txt) in your next reply.
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum

nethog
LoPhatPhuud:
Well, I ran KRD and it detected 2 viruses. I selected "Disinfect All" and saved the log file, but when I tried rebooting back to Windows, Windows could not start. I tried selecting a restore point but it did not work. Do you know if I can undo the changes KRD made by booting back to the USB, or do you have some other suggestion?