nethog
Member
2012-Aug-14 8:44 pm
[RESOLVED][Rootkit] rootkit virus? - Nethog Post 1 of 2

I seem to have some kind of rootkit virus, since this is mentioned every time I boot by Malwarebytes. My Norton AV was corrupted, so I uninstalled it, but could not reinstall it due to an error. Please help! I performed all of the mandatory steps... Unfortunately, when I tried to post all of the log files the size is around 80 kbytes, so I will post in two parts.

Regards, Nethog
This is the *first* post with mbom.log & otl.txt
Mbom.log
2012/08/14 06:03:08 -0400 LAPTOP Peter MESSAGE Starting protection
2012/08/14 06:03:12 -0400 LAPTOP Peter MESSAGE Protection started successfully
2012/08/14 06:03:15 -0400 LAPTOP Peter MESSAGE Starting IP protection
2012/08/14 06:03:15 -0400 LAPTOP Peter ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753
2012/08/14 06:04:21 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access QUARANTINE
2012/08/14 06:05:25 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:06:06 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:07:09 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:07:56 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:08:09 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:08:22 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:09:09 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:10:10 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:11:10 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:12:10 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:13:10 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:14:11 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:15:11 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:16:11 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:17:11 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:18:11 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:19:05 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:19:06 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:19:08 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:19:09 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:19:12 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:20:12 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:21:12 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:22:12 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:23:01 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:23:02 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:23:12 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:24:13 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:25:13 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:26:13 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:27:08 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:27:09 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:27:13 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:28:14 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:28:33 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:29:14 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:30:14 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:31:14 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:32:14 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:33:15 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:34:15 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:35:15 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:36:15 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:37:14 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:37:16 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:38:16 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 06:39:16 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 17:50:25 -0400 LAPTOP Peter MESSAGE Starting protection
2012/08/14 17:50:29 -0400 LAPTOP Peter MESSAGE Protection started successfully
2012/08/14 17:50:32 -0400 LAPTOP Peter MESSAGE Starting IP protection
2012/08/14 17:50:32 -0400 LAPTOP Peter ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753
2012/08/14 17:54:24 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access QUARANTINE
2012/08/14 17:54:24 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 17:57:09 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 17:57:29 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 17:58:30 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 17:59:30 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:00:30 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:01:30 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:02:30 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:03:31 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:04:31 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:05:31 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:06:31 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:07:32 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:08:32 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:09:32 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:10:32 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:11:32 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:12:33 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:13:33 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:14:33 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:15:33 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:16:33 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:17:34 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:18:34 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:19:34 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:20:34 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:21:35 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:22:35 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:23:35 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:24:35 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:25:35 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:26:36 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:27:36 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:28:36 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:29:36 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:30:37 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:31:37 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:32:37 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:33:38 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:34:38 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:35:38 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:36:40 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:37:40 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:38:41 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:39:41 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:40:41 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 18:40:43 -0400 LAPTOP Peter MESSAGE Executing scheduled update: Daily
2012/08/14 18:40:51 -0400 LAPTOP Peter MESSAGE Starting database refresh
2012/08/14 18:40:51 -0400 LAPTOP Peter MESSAGE Scheduled update executed successfully: database updated from version v2012.08.13.07 to version v2012.08.14.07
2012/08/14 18:40:54 -0400 LAPTOP Peter MESSAGE Database refreshed successfully
2012/08/14 19:49:47 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access QUARANTINE
2012/08/14 19:49:48 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@ Rootkit.0Access QUARANTINE
2012/08/14 19:49:49 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@ Rootkit.0Access DENY
2012/08/14 19:49:49 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@ Rootkit.0Access DENY
2012/08/14 19:49:51 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:49:52 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:50:54 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:51:27 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:51:54 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:52:54 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:53:55 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:54:55 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:55:55 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:56:55 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:57:55 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:58:56 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 19:59:56 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:00:56 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:01:56 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:02:57 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:03:57 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:04:57 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:05:57 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:06:57 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:07:58 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:08:00 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:08:10 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:08:58 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:09:58 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:10:59 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:11:59 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:12:59 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:13:59 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:14:59 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:16:00 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:17:00 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:18:00 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:19:01 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:20:01 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:21:01 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:22:01 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:23:02 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:24:02 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:25:02 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:26:02 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:27:03 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
2012/08/14 20:28:03 -0400 LAPTOP Peter DETECTION C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ Rootkit.0Access DENY
Otl.txt
OTL logfile created on: 8/14/2012 6:08:26 AM - Run 1
OTL by OldTimer - Version 3.2.57.0     Folder = C:\Users\Peter\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.65 Gb Available Physical Memory | 66.33% Memory free
7.99 Gb Paging File | 6.31 Gb Available in Paging File | 78.92% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 285.50 Gb Total Space | 170.52 Gb Free Space | 59.73% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 4.00 Gb Free Space | 39.97% Space Free | Partition Type: NTFS

Computer Name: LAPTOP | User Name: Peter | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========

PRC - [2012/08/14 06:07:30 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\Peter\Desktop\OTL.exe
PRC - [2012/08/03 14:46:18 | 000,066,160 | ---- | M] (White Sky, Inc.) -- C:\Program Files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe
PRC - [2012/08/03 14:46:16 | 006,530,160 | ---- | M] (White Sky, Inc.) -- C:\Program Files (x86)\Constant Guard Protection Suite\IDVault.exe
PRC - [2012/07/19 12:59:40 | 000,519,168 | ---- | M] (LOL Replay) -- C:\Program Files (x86)\LOLReplay\LOLRecorder.exe
PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/07/03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/04/04 01:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/11/29 22:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton Online\Engine\2.3.0.7\ccsvchst.exe
PRC - [2011/10/15 04:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2011/10/15 01:54:40 | 000,381,248 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2011/10/13 22:37:26 | 000,075,136 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2011/07/05 10:24:06 | 000,395,528 | ---- | M] (StrikeForce Technologies Inc.) -- C:\Program Files (x86)\SFT\GuardedID\GIDD.exe
PRC - [2011/06/03 11:04:26 | 000,979,360 | ---- | M] (Razer USA Ltd) -- C:\Program Files (x86)\Razer\Imperator\RazerImperatorSysTray.exe
PRC - [2010/11/20 23:25:10 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PRC - [2010/08/03 09:43:02 | 000,522,824 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
PRC - [2007/05/09 17:01:00 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
========== Modules (No Company Name) ==========

MOD - [2012/08/03 14:46:17 | 000,104,048 | ---- | M] () -- C:\Program Files (x86)\Constant Guard Protection Suite\IdVaultCore.XmlSerializers.dll
MOD - [2012/07/19 12:59:38 | 000,290,816 | ---- | M] () -- C:\Program Files (x86)\LOLReplay\LOLUtils.dll
MOD - [2012/06/15 14:46:39 | 000,240,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\f2f8201dd3453250dfd9ed1afce630a0\WindowsFormsIntegration.ni.dll
MOD - [2012/06/15 14:46:37 | 001,358,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\e3e5aa45736b95804bf6bb7eca08a57b\System.WorkflowServices.ni.dll
MOD - [2012/06/14 06:40:34 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\69ca4a43ba14b66689715ad62aed70e6\System.ServiceProcess.ni.dll
MOD - [2012/06/14 06:40:28 | 001,840,640 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\761fd1afc17f11bf6d49c3a7d16465ca\System.Web.Services.ni.dll
MOD - [2012/06/14 06:40:26 | 011,833,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\a501b7960f6c6e2e39162b83f3303aaa\System.Web.ni.dll
MOD - [2012/06/14 06:40:09 | 014,340,608 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e717a230496832656b05b515eb9f3bc5\PresentationFramework.ni.dll
MOD - [2012/06/14 06:39:39 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll
MOD - [2012/06/14 06:39:31 | 001,591,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll
MOD - [2012/06/14 06:39:11 | 012,237,824 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\14a87218ea49639f38097e278b98a3da\PresentationCore.ni.dll
MOD - [2012/05/12 18:13:48 | 001,707,008 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\ed560b26f2f86b3f07b7f6d384f92275\System.ServiceModel.Web.ni.dll
MOD - [2012/05/12 18:08:55 | 001,051,136 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\9b2f17fb61b7197f2a04108f5d1a1cc6\System.Management.ni.dll
MOD - [2012/05/12 18:07:07 | 001,083,392 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\2ce8210219c7123610072357358df470\System.IdentityModel.ni.dll
MOD - [2012/05/12 18:07:05 | 002,347,008 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\72a24b45e11d64eb2bc840aae9419ba5\System.Runtime.Serialization.ni.dll
MOD - [2012/05/12 18:07:02 | 000,256,000 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\9e7bf69d97febe4ed1a288c787e5d9ca\SMDiagnostics.ni.dll
MOD - [2012/05/12 18:06:57 | 017,478,656 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\107779ca2708d2b31b2e1560e47f6d15\System.ServiceModel.ni.dll
MOD - [2012/05/11 06:15:14 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8e56489276063ededde74e597a121df3\PresentationFramework.Aero.ni.dll
MOD - [2012/05/11 06:14:47 | 006,611,456 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\f3814b488d9e083cbbc623e01b389f09\System.Data.ni.dll
MOD - [2012/05/11 06:13:08 | 000,060,928 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\ca2eff60beb3ba00a529a2d42dceca22\UIAutomationProvider.ni.dll
MOD - [2012/05/11 06:12:42 | 003,347,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\46fce56db7685a586d3eeb7c373e3c1c\WindowsBase.ni.dll
MOD - [2012/05/11 06:12:39 | 000,680,448 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\054fcff18035c210487b0888e6461192\System.Security.ni.dll
MOD - [2012/05/11 06:12:33 | 005,452,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
MOD - [2012/05/11 06:12:24 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
MOD - [2012/05/11 06:12:22 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
MOD - [2012/05/11 06:11:24 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
MOD - [2011/05/28 22:04:56 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt32.dll
MOD - [2011/05/14 18:16:59 | 008,007,680 | ---- | M] () -- C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll
MOD - [2011/03/17 01:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/11/20 23:24:09 | 000,232,448 | ---- | M] () -- \\.\globalroot\systemroot\syswow64\mswsock.dll
MOD - [2010/11/20 23:24:08 | 002,927,616 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2010/10/20 16:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll
MOD - [2009/06/12 16:32:16 | 000,104,456 | ---- | M] () -- C:\Windows\SysWOW64\EasyHook32.dll
========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/07/13 21:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2008/02/22 16:49:18 | 000,592,464 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (nicconfigsvc)
SRV - [2012/08/07 23:08:16 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/08/03 14:46:18 | 000,066,160 | ---- | M] (White Sky, Inc.) [Auto | Running] -- C:\Program Files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe -- (IDVaultSvc)
SRV - [2012/07/12 15:16:55 | 000,008,704 | ---- | M] (Hi-Rez Studios) [Auto | Running] -- C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe -- (HiPatchService)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/06/18 22:30:33 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/04/04 01:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/11/29 22:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton Online\Engine\2.3.0.7\ccSvcHst.exe -- (NOF)
SRV - [2011/10/15 04:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/10/15 01:54:40 | 000,381,248 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2011/10/13 22:37:26 | 000,075,136 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
========== Driver Services (SafeList) ==========
DRV:64bit: - [2012/07/03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector) DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2012/02/09 07:11:31 | 000,175,736 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent) DRV:64bit: - [2011/11/16 23:38:00 | 000,218,232 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NSMx64\0203000.016\symrdrs.sys -- (SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}) DRV:64bit: - [2011/11/04 19:59:30 | 000,167,048 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NOFx64\0203000.007\ccsetx64.sys -- (ccSet_NOF) DRV:64bit: - [2011/07/05 10:18:38 | 000,029,288 | ---- | M] (StrikeForce Technologies, Inc.) 
[Kernel | System | Running] -- C:\Windows\SysNative\drivers\gidv2.sys -- (GIDv2) DRV:64bit: - [2011/04/13 15:04:38 | 000,045,432 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64) DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2010/11/20 23:24:43 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport) DRV:64bit: - [2010/11/20 23:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2010/11/20 23:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub) DRV:64bit: - [2010/11/20 23:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc) DRV:64bit: - [2010/11/20 23:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc) DRV:64bit: - [2010/11/20 23:23:48 | 000,034,816 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt) DRV:64bit: - [2010/11/20 23:23:47 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus) DRV:64bit: - [2010/11/20 23:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) 
DRV:64bit: - [2010/11/20 23:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD) DRV:64bit: - [2010/04/14 01:01:44 | 000,054,824 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btusbflt.sys -- (btusbflt) DRV:64bit: - [2010/03/23 02:53:04 | 001,101,600 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ae1000w7.sys -- (AE1000) DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009/06/25 17:04:20 | 000,067,584 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimmpx64.sys -- (rimmptsk) DRV:64bit: - [2009/06/25 16:38:52 | 000,057,856 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rixdpx64.sys -- (rismxdp) DRV:64bit: - [2009/06/25 16:13:44 | 000,055,296 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimspx64.sys -- (rimsptsk) DRV:64bit: - [2009/06/10 16:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64) DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) 
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:64bit: - [2007/10/26 14:39:14 | 000,315,440 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP) DRV:64bit: - [2007/10/10 17:03:00 | 000,266,624 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\OEM02Dev.sys -- (OEM02Dev) DRV:64bit: - [2007/03/05 10:55:48 | 000,012,288 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\OEM02Vfx.sys -- (OEM02Vfx) DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7F 3E 3B D7 ED 44 CC 01 [binary data] IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_270.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll () FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{6D5C8FC4-DE46-41bf-9092-93F0F78E9115}: C:\ProgramData\Norton\{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}\NSM_2.2.0.28\coFFFw\ [2012/08/14 06:01:03 | 000,000,000 | ---D | M]
O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2 - BHO: (Constant Guard Protection Suite (COM)) - {B84CDBE7-1B46-494B-A188-01D4C52DEB61} - C:\ProgramData\White Sky, Inc\ID Vault\IEBHO1.1.730.1\NativeBHO.dll (WhiteSky) O2 - BHO: (Norton Safety Minder BHO) - {B8E07826-0971-4f16-B133-047B88034E89} - C:\Program Files (x86)\Norton Online\AddOns\Norton Safety Minder\Engine\2.3.0.22\coieplg.dll (Symantec Corporation) O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll (Yontoo LLC) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found. O4:64bit: - HKLM..\Run: [IntelliPoint] c:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation) O4:64bit: - HKLM..\Run: [Launch LCDMon] C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe (Logitech Inc.) O4:64bit: - HKLM..\Run: [Launch LgDeviceAgent] C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe (Logitech Inc.) O4:64bit: - HKLM..\Run: [NVHotkey] C:\Windows\SysNative\nvHotkey.dll (NVIDIA Corporation) O4 - HKLM..\Run: [GIDDesktop] C:\Program Files (x86)\SFT\GuardedID\gidd.exe (StrikeForce Technologies Inc.) O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.) 
O4 - HKLM..\Run: [Razer Imperator Driver] C:\Program Files (x86)\Razer\Imperator\RazerImperatorSysTray.exe (Razer USA Ltd) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - mmswsock.dll File not found O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000011 - mmswsock.dll File not found O10 - 
Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found O1364bit: - gopher Prefix: missing O13 - gopher Prefix: missing O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} http://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class) O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.) 
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{55708DA7-02EF-43EA-A72C-E5767C41A951}: DhcpNameServer = 68.87.77.134 68.87.72.134 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7D41AF3F-544D-4E59-8FA5-CD15332DCC21}: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C7A6B14E-934F-4523-AFEA-1CC2E11C0C7E}: DhcpNameServer = 68.87.77.134 68.87.72.134 192.168.1.1 O18:64bit: - Protocol\Handler\ms-help - No CLSID value found O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
========== Files/Folders - Created Within 30 Days ==========
[2012/08/14 06:07:30 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Users\Peter\Desktop\OTL.exe [2012/08/13 22:40:08 | 000,000,000 | ---D | C] -- C:\ProgramData\IsolatedStorage [2012/08/13 22:40:08 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\ID Vault [2012/08/13 22:39:40 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\ID Vault [2012/08/13 22:39:23 | 000,029,288 | ---- | C] (StrikeForce Technologies, Inc.) -- C:\Windows\SysNative\drivers\gidv2.sys [2012/08/13 22:39:22 | 000,467,224 | ---- | C] (StrikeForce Technologies Inc.) -- C:\Windows\SysNative\GIDHOOK64.DLL [2012/08/13 22:39:22 | 000,446,752 | ---- | C] (StrikeForce Technologies Inc.) -- C:\Windows\SysNative\GIDHookLogon64.dll [2012/08/13 22:39:22 | 000,206,608 | ---- | C] (StrikeForce Technologies Inc.) -- C:\Windows\SysNative\GIDBIN1.DLL [2012/08/13 22:39:22 | 000,102,160 | ---- | C] (StrikeForce Technologies Inc.) -- C:\Windows\SysNative\GIDBIN3.DLL [2012/08/13 22:39:22 | 000,065,816 | ---- | C] (StrikeForce Technologies Inc.) 
-- C:\Windows\SysNative\GIDLogonCP64.dll [2012/08/13 22:39:19 | 000,000,000 | ---D | C] -- C:\ProgramData\GID [2012/08/13 22:39:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SFT [2012/08/13 22:38:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Constant Guard Protection Suite [2012/08/13 22:38:43 | 000,000,000 | ---D | C] -- C:\ProgramData\White Sky, Inc [2012/08/13 22:31:20 | 057,442,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MRT.exe [2012/08/13 20:18:58 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Malwarebytes [2012/08/13 20:18:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2012/08/13 20:18:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware [2012/08/13 20:18:10 | 010,652,120 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Peter\Desktop\mbam-setup-1.62.0.1300.exe [2012/08/13 20:08:32 | 000,448,512 | ---- | C] (OldTimer Tools) -- C:\Users\Peter\Desktop\TFC.exe [2012/08/13 20:07:22 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA% [2012/08/13 18:51:40 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\NPE [2012/08/13 18:50:16 | 002,841,104 | ---- | C] (Symantec Corporation) -- C:\Users\Peter\Desktop\NPE.exe [2012/08/13 18:47:20 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Tific [2012/08/13 18:46:54 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\Symantec [2012/08/07 22:05:18 | 000,000,000 | ---D | C] -- C:\Users\Peter\Documents\LOLReplay [2012/07/27 10:22:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Yontoo [2012/07/27 10:22:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Tarma Installer [2012/07/16 16:32:17 | 003,673,600 | ---- | C] (Dxtory Software) -- C:\Windows\SysNative\DxtoryCodec64.dll [2012/07/16 16:32:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dxtory2.0 [2012/07/16 16:32:15 | 003,166,720 | ---- | C] (Dxtory Software) -- 
C:\Windows\SysWow64\DxtoryCodec.dll [2012/07/16 16:32:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Dxtory Software
========== Files - Modified Within 30 Days ==========
[2012/08/14 06:11:00 | 000,000,564 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job [2012/08/14 06:09:00 | 000,000,506 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job [2012/08/14 06:08:19 | 000,020,496 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012/08/14 06:08:19 | 000,020,496 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012/08/14 06:08:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2012/08/14 06:07:30 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\Peter\Desktop\OTL.exe [2012/08/14 06:00:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012/08/14 06:00:25 | 3219,701,760 | -HS- | M] () -- C:\hiberfil.sys [2012/08/13 22:39:04 | 000,002,279 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Constant Guard.lnk [2012/08/13 22:39:04 | 000,002,261 | ---- | M] () -- C:\Users\Public\Desktop\Constant Guard.lnk [2012/08/13 20:18:54 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk [2012/08/13 20:18:10 | 010,652,120 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Peter\Desktop\mbam-setup-1.62.0.1300.exe [2012/08/13 20:08:44 | 000,448,512 | ---- | M] (OldTimer Tools) -- C:\Users\Peter\Desktop\TFC.exe [2012/08/13 18:50:17 | 002,841,104 | ---- | M] (Symantec Corporation) -- C:\Users\Peter\Desktop\NPE.exe [2012/08/07 23:08:16 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe [2012/08/07 23:08:16 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl [2012/07/28 15:48:20 | 000,002,707 | ---- | M] () -- C:\Users\Public\Desktop\Norton Online Family.lnk [2012/07/20 12:10:09 | 000,001,993 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\LOLRecorder.lnk [2012/07/20 
12:09:55 | 000,001,901 | ---- | M] () -- C:\Users\Public\Desktop\LOL Recorder.lnk
========== Files Created - No Company Name ==========
[2012/08/14 06:05:25 | 000,092,160 | ---- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ [2012/08/13 22:39:22 | 000,109,064 | ---- | C] () -- C:\Windows\SysNative\EasyHook64.dll [2012/08/13 22:39:04 | 000,002,279 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Constant Guard.lnk [2012/08/13 22:39:04 | 000,002,273 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Constant Guard.lnk [2012/08/13 22:39:04 | 000,002,261 | ---- | C] () -- C:\Users\Public\Desktop\Constant Guard.lnk [2012/08/13 22:20:29 | 000,232,960 | ---- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\00000008.@ [2012/08/13 22:19:59 | 000,001,632 | ---- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@ [2012/08/13 20:18:54 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk [2012/08/13 19:58:07 | 000,080,896 | ---- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000064.@ [2012/08/13 19:58:07 | 000,000,804 | ---- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\L\00000004.@ [2012/08/13 19:58:05 | 000,016,896 | ---- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000000.@ [2012/08/13 19:57:42 | 000,002,048 | ---- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\00000004.@ [2012/07/16 18:30:01 | 000,081,370 | ---- | C] () -- C:\vl.class [2012/07/16 18:30:01 | 000,046,467 | ---- | C] () -- C:\ModLoader.class [2012/07/16 18:30:01 | 000,022,590 | ---- | C] () -- C:\adl.class [2012/07/16 18:30:01 | 000,006,409 | ---- | C] () -- C:\ahu.class [2012/07/16 18:30:01 | 000,006,104 | ---- | C] () -- C:\alj.class [2012/07/16 18:30:01 | 000,005,034 | ---- | C] () -- C:\uu.class [2012/07/16 18:30:01 | 000,004,949 | ---- | C] () -- C:\ko.class [2012/07/16 18:30:01 | 000,004,745 | ---- | C] () -- C:\ahg.class [2012/07/16 18:30:01 | 000,004,026 | 
---- | C] () -- C:\fq.class [2012/07/16 18:30:01 | 000,003,651 | ---- | C] () -- C:\BaseMod.class [2012/07/16 18:30:01 | 000,003,366 | ---- | C] () -- C:\alb.class [2012/07/16 18:30:01 | 000,003,020 | ---- | C] () -- C:\ModTextureStatic.class [2012/07/16 18:30:01 | 000,002,740 | ---- | C] () -- C:\vx.class [2012/07/16 18:30:01 | 000,002,443 | ---- | C] () -- C:\amn.class [2012/07/16 18:30:01 | 000,002,411 | ---- | C] () -- C:\ModTextureAnimation.class [2012/07/16 18:30:01 | 000,001,422 | ---- | C] () -- C:\ajv.class [2012/07/16 18:30:01 | 000,001,333 | ---- | C] () -- C:\ahy.class [2012/07/16 18:30:01 | 000,000,589 | ---- | C] () -- C:\EntityRendererProxy.class [2012/07/16 18:30:01 | 000,000,528 | ---- | C] () -- C:\MLProp.class [2012/01/11 07:19:23 | 000,002,048 | -HS- | C] () -- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{a406e640-2847-144d-ca12-b5496dd1d4e7}\@ [2012/01/11 07:19:23 | 000,002,048 | -HS- | C] () -- C:\Windows\System32\config\systemprofile\AppData\Local\{a406e640-2847-144d-ca12-b5496dd1d4e7}\@ [2012/01/11 07:19:23 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\@ [2011/12/03 08:19:02 | 000,000,632 | RHS- | C] () -- C:\Users\Peter\ntuser.pol [2011/10/29 15:51:53 | 000,187,612 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat [2011/10/15 01:54:52 | 000,321,856 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe [2011/10/13 22:39:19 | 000,266,752 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe [2011/10/13 22:37:26 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe [2011/09/28 17:44:14 | 000,179,271 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat [2011/08/01 07:23:35 | 000,756,022 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2011/05/29 16:09:51 | 000,040,127 | ---- | C] () -- C:\Windows\DIIUnin.dat
========== LOP Check ==========
[2012/08/14 06:10:19 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\ID Vault [2011/12/18 13:17:26 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\iolo [2012/08/13 18:47:20 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\Tific [2012/08/14 06:11:00 | 000,000,564 | ---- | M] () -- C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job [2012/05/16 15:18:42 | 000,032,584 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT [2012/08/14 06:09:00 | 000,000,506 | ---- | M] () -- C:\Windows\Tasks\SystemToolsDailyTest.job
========== Purity Check ==========

2012-Aug-14 8:44 pm (locked)

lilhurricane
Crunchin' For Cures
Numquam oblita
join:2003-01-11 Purple Zone
Re: [Rootkit] rootkit virus? - Nethog Post 1 of 2

Hi nethog

Please make sure to use the reply button vs the "new topic" button - it helps keep things in one place for easier analysis. I am re-posting for you here:

> I seem to have some kind of rootkit virus since this is mentioned every time I boot by Malwarebytes. My Norton AV was corrupted so I uninstalled it but could not reinstall it due to an error. Please help!
> I performed all of the mandatory steps... Unfortunately when I tried to post all of the log files the size is around 80 kbytes so I will post in two parts:
> Regards, Nethog

*second* post containing: extras.txt, checkup.txt, & online scan results

Extras.txt

OTL Extras logfile created on: 8/14/2012 6:08:26 AM - Run 1
OTL by OldTimer - Version 3.2.57.0 Folder = C:\Users\Peter\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
4.00 Gb Total Physical Memory | 2.65 Gb Available Physical Memory | 66.33% Memory free
7.99 Gb Paging File | 6.31 Gb Available in Paging File | 78.92% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 285.50 Gb Total Space | 170.52 Gb Free Space | 59.73% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 4.00 Gb Free Space | 39.97% Space Free | Partition Type: NTFS
Computer Name: LAPTOP | User Name: Peter | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) [color=#E56717]========== Security Center Settings ==========[/color] 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 0 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] [color=#E56717]========== Firewall Settings ==========[/color] [color=#E56717]========== Authorized Applications List ==========[/color] [color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color] 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{0090A87C-3E0E-43D4-AA71-A71B06563A4A}" = Dell Support Center "{3ED4AD02-F631-4A4C-AAC8-2325996E5A56}" = Microsoft IntelliPoint 8.1 "{5563A0F6-CF81-451E-87AD-A50075BCA9B7}" = QuickSet "{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = Yontoo 1.10.02 "{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010 "{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010 "{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 "{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting "{9B48B0AC-C813-4174-9042-476A887592C7}" = Windows Live ID Sign-in Assistant "{A1E85B9A-AFAD-4D38-AF01-6B020DD5213A}" = Logitech GamePanel Software 3.06.109 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 285.62 "{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 285.62 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 285.62 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D 
Vision Controller Driver 285.62 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.11.0621 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.5.20 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile "Blender" = Blender "Creative OEM002" = Laptop Integrated Webcam Driver (1.04.01.1011) "Dell Support Center" = Dell Support Center "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft IntelliPoint 8.1" = Microsoft IntelliPoint 8.1 "SynTPDeinstKey" = Dell Touchpad "WinRAR archiver" = WinRAR 4.01 (64-bit) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam "{0CA38F52-F0FA-4B9F-8A36-EC8A9609FBBC}" = Halo 2 for Windows Vista "{1EAC1D02-C6AC-4FA6-9A44-96258C37C812}_is1" = World of Tanks v.0.6.4 "{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java(TM) 6 Update 29 "{2B818257-E6C7-4841-8C29-C5C9A982BCE5}" = RICOH Media Driver ver.2.07.01.04 "{328687A2-2504-49FA-AE3E-08B0DEDB51EC}" = MSRedist "{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF017}" = Smite Closed Beta "{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF1FC}" = Hi-Rez Studios Authenticate and Update Service "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4CB0307C-565E-4441-86BE-0DF2E4FB828C}" = Microsoft Games for Windows Marketplace "{58E5AF4D-F896-41E6-9CA0-ECC4816B8C67}" = Ace of Spades "{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411 "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{71320E4D-A4B8-4C7E-805F-7541CBFB97DD}" = Razer Imperator (2012) Firmware Updater 
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7F6D7FD9-648D-4DD9-BB6E-3990C675ECA4}" = NVIDIA PhysX
"{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}" = Microsoft Games for Windows - LIVE Redistributable
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUSR_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUSR_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{967EF02C-5C7E-4718-8FCB-BDC050190CCF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0116-0409-1000-0000000FF1CE}_Office14.PROPLUSR_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{91140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{9191979D-821C-4EA8-B021-2DA1D859A7C5}" = GuardedID
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{C05905B9-775A-4894-A4DF-B57C15250958}" = Razer Imperator
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D6174060-52D9-4886-8DBF-4EBF7C1CBCAA}" = MSRedx64
"{ED50ECE9-EC54-4C05-B5ED-EE4741A9F2EC}" = Battlefield 2142
"12bbe590-c890-11d9-9669-0800200c9a66_is1" = The Lord of the Rings Online v03.03.05.8039
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Blender" = Blender (remove only)
"Blockland" = Blockland
"Cisco Connect" = Cisco Connect
"Diablo II" = Diablo II
"Dxtory2.0_is1" = Dxtory version 2.0.117
"Halo 2" = Halo 2 for Windows Vista
"ID Vault" = Constant Guard Protection Suite
"LOLReplay" = LOLReplay
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"NOF" = Norton Online
"NSM" = Norton Safety Minder
"NVIDIA StereoUSB Driver" = NVIDIA 3D Vision Controller Driver
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Office14.PROPLUSR" = Microsoft Office Professional Plus 2010
"Outerra Anteworld" = Outerra - Anteworld - Outerra Anteworld Demo
"RiseOfImmortals" = Rise of Immortals
"Steam App 33460" = From Dust
"Steam App 41500" = Torchlight
"Steam App 440" = Team Fortress 2
"Steam App 520" = Team Fortress 2 Beta
"WinGimp-2.0_is1" = GIMP 2.6.11
"YTdetect" = Yahoo! Detect

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 8/14/2012 6:00:55 AM | Computer Name = Laptop | Source = WinMgmt | ID = 10
Description =

Error - 8/14/2012 6:06:08 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x012ab2a1 Faulting process id: 0x664 Faulting application start time: 0x01cd7a046b739ac2 Faulting application path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id: aa6b04e9-e5f7-11e1-852f-00219bcf4407

Error - 8/14/2012 6:07:09 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x012ab2a1 Faulting process id: 0xd18 Faulting application start time: 0x01cd7a0490eb6b23 Faulting application path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id: cea3dce4-e5f7-11e1-852f-00219bcf4407

Error - 8/14/2012 6:08:09 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x012ab2a1 Faulting process id: 0x764 Faulting application start time: 0x01cd7a04b4d6cee5 Faulting application path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id: f28a7de6-e5f7-11e1-852f-00219bcf4407

Error - 8/14/2012 6:09:09 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x012ab2a1 Faulting process id: 0xa00 Faulting application start time: 0x01cd7a04d8b8ad26 Faulting application path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id: 16679967-e5f8-11e1-852f-00219bcf4407

Error - 8/14/2012 6:10:10 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x000cb2a1 Faulting process id: 0xe30 Faulting application start time: 0x01cd7a04fc9f4e28 Faulting application path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id: 3a52fd29-e5f8-11e1-852f-00219bcf4407

Error - 8/14/2012 6:11:10 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x013bb2a1 Faulting process id: 0x1078 Faulting application start time: 0x01cd7a0520838dca Faulting application path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id: 5e3bff8c-e5f8-11e1-852f-00219bcf4407

Error - 8/14/2012 6:12:10 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x0017b2a1 Faulting process id: 0x26c Faulting application start time: 0x01cd7a05446c902c Faulting application path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id: 821b7c6d-e5f8-11e1-852f-00219bcf4407

Error - 8/14/2012 6:13:10 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x001bb2a1 Faulting process id: 0x874 Faulting application start time: 0x01cd7a05685a554f Faulting application path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id: a60e0450-e5f8-11e1-852f-00219bcf4407

Error - 8/14/2012 6:14:11 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: 80000032.@_unloaded, version: 0.0.0.0, time stamp: 0x4fe23011 Exception code: 0xc0000005 Fault offset: 0x000cb2a1 Faulting process id: 0x1004 Faulting application start time: 0x01cd7a058c3e94f1 Faulting application path: C:\Windows\SysWOW64\svchost.exe Faulting module path: 80000032.@ Report Id: c9ed8131-e5f8-11e1-852f-00219bcf4407

[ System Events ]
Error - 8/13/2012 10:50:43 PM | Computer Name = Laptop | Source = Service Control Manager | ID = 7003
Description = The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

Error - 8/13/2012 10:51:35 PM | Computer Name = Laptop | Source = Service Control Manager | ID = 7001
Description = The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891

Error - 8/13/2012 10:51:35 PM | Computer Name = Laptop | Source = Service Control Manager | ID = 7023
Description = The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

Error - 8/13/2012 10:56:11 PM | Computer Name = Laptop | Source = Service Control Manager | ID = 7034
Description = The Dell Internal Network Card Power Management service terminated unexpectedly. It has done this 1 time(s).

Error - 8/14/2012 6:00:38 AM | Computer Name = Laptop | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error: %%1060

Error - 8/14/2012 6:00:38 AM | Computer Name = Laptop | Source = Service Control Manager | ID = 7023
Description = The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

Error - 8/14/2012 6:00:43 AM | Computer Name = Laptop | Source = Service Control Manager | ID = 7003
Description = The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

Error - 8/14/2012 6:00:43 AM | Computer Name = Laptop | Source = Service Control Manager | ID = 7003
Description = The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
Error - 8/14/2012 6:02:32 AM | Computer Name = Laptop | Source = Service Control Manager | ID = 7023
Description = The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

Error - 8/14/2012 6:02:32 AM | Computer Name = Laptop | Source = Service Control Manager | ID = 7001
Description = The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891

checkup.txt

Results of screen317's Security Check version 0.99.43
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Norton Security Suite
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
Java(TM) 6 Update 29 Java version out of Date!
Adobe Reader X (10.1.3)
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Norton Online Engine 2.3.0.7 ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

online scan:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=eedf2051c17c0442a35bc83240f0ef21
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-14 10:39:18
# local_time=2012-08-14 06:39:18 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 66 94 38615559 96483681 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=36718
# found=3
# cleaned=3
# scan_time=527
C:\$Recycle.Bin\S-1-5-21-1613675080-3381770067-651744427-1004\$R819XYN.exe a variant of Win32/Adware.Gamevance.CF application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$Recycle.Bin\S-1-5-21-1613675080-3381770067-651744427-1004\$RHXA09S.exe a variant of Win32/Adware.Gamevance.CF application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$Recycle.Bin\S-1-5-21-1613675080-3381770067-651744427-1004\$RPQTXV5.exe a variant of Win32/Adware.Gamevance.CF application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=eedf2051c17c0442a35bc83240f0ef21
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-14 11:29:27
# local_time=2012-08-14 07:29:27 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 66 94 38656675 96524797 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=259307
# found=7
# cleaned=6
# scan_time=5620
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Andrew\Downloads\SoftonicDownloader_for_slender.exe a variant of Win32/SoftonicDownloader.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\00000008.@ Win64/Agent.BA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@ Win64/Conedex.B trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000000.@ Win64/Sirefef.AP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@ a variant of Win32/Sirefef.FD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
${Memory} a variant of Win32/Sirefef.EZ trojan 00000000000000000000000000000000 I
nethog
Member
2012-Aug-15 5:26 am
By the way, I am going on vacation, leaving today (August 15th), and won't be monitoring this thread until I return on August 29th. I will be sure to check back on August 29th.
to nethog
Download and run Sophos AntiRootkit. Post the log in this thread, even if nothing is found. You find link(s) and instructions here: » Security Cleanup FAQ » Rootkit Detection Applications
nethog
Member
2012-Aug-30 6:18 am
OK, here is the Sophos log:

Sophos Anti-Rootkit Version 1.5.4 (c) 2009 Sophos Plc
Started logging on 8/29/2012 at 22:20:49 PM
User "Peter" on computer "LAPTOP"
Windows version 6.1 SP 1.0 Service Pack 1 build 7601 SM=0x100 PT=0x1 WOW64
Info: Starting registry scan.
Warning: Failed to query live registry key \HKEY_LOCAL_MACHINE. You may not have access rights to the whole registry. Incorrect function.
Hidden: registry item \HKEY_LOCAL_MACHINE\SAM
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZOVOUUY\www.burstnet.com%2fburstmedia%2fclk%2fBCPG196677.315933.527531%2fVTS%3d5KplS.MPaR%2fSZ%3d300X250A%2fa%3db%2fs%3d25216%2fFPR%2fV%3d2[1].htm
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZOVOUUY\nea;k2=sleepdisorders;k3=health;hlnexp=yes;type=top_rb;bf=no;sz=728x90;dcopt=ist;tile=1;pos=lb;ugc=false;url=http%3A%2F%2Fwww.dailyrx[1].js
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZOVOUUY\rtdisease;k1=sleepapnea;k2=sleepdisorders;k3=health;hlnexp=yes;bf=no;sz=160x600;tile=2;pos=wsl;ugc=false;url=http%3A%2F%2Fwww.dailyrx[1].js
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UC69NR70\=sleepapnea;k2=sleepdisorders;k3=health;hlnexp=yes;type=top_rb;bf=no;sz=300x250;tile=3;pos=mr1;ugc=false;url=http%3A%2F%2Fwww.dailyrx[1].js
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZOVOUUY\www.burstnet.com%2fburstmedia%2fclk%2fBCPG196677.315933.527531%2fVTS%3d5KplT.VHDB%2fSZ%3d300X250A%2fa%3db%2fs%3d25216%2fFPR%2fV%3d2[1].htm
Hidden: file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2QAN81J0\4083;sz=728x90;u=xbAAXbk6q4FqrRW5ymoL9DxXW6K94m4p2Gkt0T972BeAF3HuufJPf7S52mvxsWq1c01ZTkXT-VqH9lbl VSUxFH4QIBsUsp8QfBCw;ord=1346291593[1].htm
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2QAN81J0\.games_l;sz=300x250;ord1=590038;cmw=owl;dcopt=ist;contx=games;cmd=www.freegametopia.com;an=;bu=;br=;btg=cm.nfl_l;btg=cm.games_l;ord=0[1].js
Hidden: file C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I85573OK\.games_l;sz=160x600;ord1=452807;cmw=owl;dcopt=ist;contx=games;cmd=www.freegametopia.com;an=;bu=;br=;btg=cm.nfl_l;btg=cm.games_l;ord=0[1].js
Info: Starting disk scan of D: (NTFS).
Stopped logging on 8/30/2012 at 0:08:14 AM
to nethog
Download ComboFix from one of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.infospyware.net/antimalware/combofix/

* IMPORTANT !!! Save ComboFix.exe to your Desktop
* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
* Double click on ComboFix.exe & follow the prompts.
* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.
nethog
Member
2012-Aug-30 5:57 pm
OK, here is the ComboFix log:

ComboFix 12-08-30.05 - Peter 08/30/2012 17:30:26.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.2523 [GMT -4:00]
Running from: c:\users\Peter\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\Andrew\AppData\Roaming\avcodec-52.dll
c:\users\Andrew\AppData\Roaming\avdevice-52.dll
c:\users\Andrew\AppData\Roaming\avformat-52.dll
c:\users\Andrew\AppData\Roaming\avutil-50.dll
c:\users\Andrew\AppData\Roaming\BlendThumb64.dll
c:\users\Andrew\AppData\Roaming\libsndfile-1.dll
c:\users\Andrew\AppData\Roaming\msvcm90.dll
c:\users\Andrew\AppData\Roaming\msvcp90.dll
c:\users\Andrew\AppData\Roaming\msvcr90.dll
c:\users\Andrew\AppData\Roaming\OpenAL32.dll
c:\users\Andrew\AppData\Roaming\pthreadVC2.dll
c:\users\Andrew\AppData\Roaming\python32.dll
c:\users\Andrew\AppData\Roaming\swscale-0.dll
c:\users\Andrew\AppData\Roaming\uninstall.exe
c:\users\Andrew\AppData\Roaming\vcomp90.dll
c:\users\Andrew\AppData\Roaming\wrap_oal.dll
c:\users\Andrew\AppData\Roaming\zlib.dll
c:\users\Andrew\GoToAssistDownloadHelper.exe
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\@
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\L\00000004.@
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\L\201d3dde
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\00000004.@
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\00000008.@
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000000.@
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@
c:\windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000064.@
c:\windows\SysWow64\URTTemp
c:\windows\SysWow64\URTTemp\regtlib.exe
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-30 )))))))))))))))))))))))))))))))
.
.
2012-08-30 21:39 . 2012-08-30 21:39 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-08-30 21:39 . 2012-08-30 21:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-30 21:39 . 2012-08-30 21:39 -------- d-----w- c:\users\Cameron\AppData\Local\temp
2012-08-30 21:39 . 2012-08-30 21:39 -------- d-----w- c:\users\Brianna\AppData\Local\temp
2012-08-30 21:39 . 2012-08-30 21:39 -------- d-----w- c:\users\Andrew\AppData\Local\temp
2012-08-30 02:39 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\AB3E.tmp
2012-08-30 02:20 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\666.tmp
2012-08-30 02:20 . 2012-08-30 02:20 -------- d-----w- c:\program files (x86)\Sophos
2012-08-14 23:54 . 2012-08-14 23:54 -------- d-----w- c:\users\Peter\AppData\Roaming\QuickScan
2012-08-14 10:28 . 2012-08-14 10:28 -------- d-----w- c:\program files (x86)\ESET
2012-08-14 02:40 . 2012-08-30 01:38 -------- d-----w- c:\users\Peter\AppData\Local\ID Vault
2012-08-14 02:40 . 2012-08-14 02:40 -------- d-----w- c:\programdata\IsolatedStorage
2012-08-14 02:39 . 2012-08-30 01:38 -------- d-----w- c:\users\Peter\AppData\Roaming\ID Vault
2012-08-14 02:38 . 2012-08-30 01:38 -------- d-----w- c:\program files (x86)\Constant Guard Protection Suite
2012-08-14 02:38 . 2012-08-14 02:38 -------- d-----w- c:\programdata\White Sky, Inc
2012-08-14 00:18 . 2012-08-14 00:18 -------- d-----w- c:\users\Peter\AppData\Roaming\Malwarebytes
2012-08-14 00:18 . 2012-08-14 00:18 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-14 00:07 . 2012-08-14 00:07 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-08-13 22:51 . 2012-08-13 23:02 -------- d-----w- c:\users\Peter\AppData\Local\NPE
2012-08-13 22:47 . 2012-08-13 22:47 -------- d-----w- c:\users\Peter\AppData\Roaming\Tific
2012-08-13 22:46 . 2012-08-13 22:46 -------- d-----w- c:\users\Peter\AppData\Local\Symantec
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 00:08 . 2012-05-21 10:09 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-15 00:08 . 2011-05-15 01:59 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-03 17:46 . 2011-12-22 18:13 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 07:19 . 2011-05-14 19:59 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-12 03:08 . 2012-07-12 05:51 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-06-09 05:43 . 2012-07-11 15:38 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 06:06 . 2012-07-11 15:38 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-11 15:38 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-11 15:38 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-11 15:38 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-11 15:38 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-11 15:38 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-06-02 22:19 . 2012-06-21 15:30 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 15:30 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 15:30 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 15:30 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 15:30 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-21 15:30 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 15:30 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 15:29 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-21 15:29 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 12:49 . 2012-07-12 05:43 17807360 ----a-w- c:\windows\system32\mshtml.dll
2012-06-02 12:17 . 2012-07-12 05:43 10924032 ----a-w- c:\windows\system32\ieframe.dll
2012-06-02 12:12 . 2012-07-12 05:43 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 12:05 . 2012-07-12 05:43 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-02 12:05 . 2012-07-12 05:43 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 12:04 . 2012-07-12 05:43 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 12:04 . 2012-07-12 05:43 237056 ----a-w- c:\windows\system32\url.dll
2012-06-02 12:03 . 2012-07-12 05:43 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-02 12:01 . 2012-07-12 05:43 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 12:00 . 2012-07-12 05:43 818688 ----a-w- c:\windows\system32\jscript.dll
2012-06-02 11:59 . 2012-07-12 05:43 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-02 11:57 . 2012-07-12 05:43 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-02 11:57 . 2012-07-12 05:43 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 11:54 . 2012-07-12 05:43 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-02 08:33 . 2012-07-12 05:43 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-02 08:25 . 2012-07-12 05:43 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-02 08:25 . 2012-07-12 05:43 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-02 08:20 . 2012-07-12 05:43 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-02 08:16 . 2012-07-12 05:43 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-06-02 05:50 . 2012-07-11 15:38 458704 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 05:48 . 2012-07-11 15:38 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:48 . 2012-07-11 15:38 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:45 . 2012-07-11 15:38 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:44 . 2012-07-11 15:38 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 04:40 . 2012-07-11 15:38 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:40 . 2012-07-11 15:38 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:39 . 2012-07-11 15:38 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:34 . 2012-07-11 15:38 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Razer Imperator Driver"="c:\program files (x86)\Razer\Imperator\RazerImperatorSysTray.exe" [2011-06-03 979360]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1556560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux1"=wdmaud.drv . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 250056] R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168] R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\AB3E.tmp [2010-05-26 6144] R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880] R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184] R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992] R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960] R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232] R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248] R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-14 1255736] 
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960] S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-07-12 8704] S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944] S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120] S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248] S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\DRIVERS\ae1000w7.sys [2010-03-23 1101600] S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904] S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368] . . Contents of the 'Scheduled Tasks' folder . 2012-08-30 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-21 00:08] . 2012-08-30 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job - c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11] . 2012-08-30 c:\windows\Tasks\SystemToolsDailyTest.job - c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11] . . --------- X64 Entries ----------- . . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1211688] "Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 415816] "Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-03 2412616] "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-10-15 539456] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "LoadAppInit_DLLs"=0x0 . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm uStart Page = hxxp://www.google.com/ mLocal Page = c:\windows\SysWOW64\blank.htm IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105 TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1 . . [HKEY_LOCAL_MACHINE\system\ControlSet001\services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\AB3E.tmp" . --------------------- LOCKED REGISTRY KEYS --------------------- . 
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions] @Denied: (2) (LocalSystem) "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8, 7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc, 1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7 "{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39, 64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c "{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40, 69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18 "{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96, 76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23, 94,30,02,d1,0f,f1,da,12,24,73,56,27,d2 "{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0, b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb "{B8E07826-0971-4F16-B133-047B88034E89}"=hex:51,66,7a,6c,4c,1d,38,12,48,7b,f3, bc,43,47,78,0a,ce,25,47,3b,8d,5d,0a,9d "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db, df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd "{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"=hex:51,66,7a,6c,4c,1d,38,12,70,05,61, f9,ec,d1,23,0d,da,9c,48,eb,44,0f,8e,cc "{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47, 2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85 . [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration] @Denied: (2) (LocalSystem) "Timestamp"=hex:5c,e1,7b,1f,37,75,cd,01 . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . 
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx" "ThreadingModel"="Apartment" . 
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Other Running Processes ------------------------ . c:\windows\SysWOW64\PnkBstrA.exe . ************************************************************************** . 
Completion time: 2012-08-30 17:52:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-30 21:52
.
Pre-Run: 180,906,434,560 bytes free
Post-Run: 181,338,066,944 bytes free
.
- - End Of File - - 1D04ACEA2BC38EEC80897DDA65789525
nethog
Member
2012-Aug-31 6:27 pm
I also re-ran Malwarebytes after ComboFix and here is the log file:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.31.12
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Peter :: LAPTOP [administrator]
Protection: Enabled
8/31/2012 4:44:58 PM
mbam-log-2012-08-31 (16-44-58).txt
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 528371
Time elapsed: 1 hour(s), 32 minute(s), 19 second(s)
Memory Processes Detected: 0 (No malicious items detected)
Memory Modules Detected: 0 (No malicious items detected)
Registry Keys Detected: 0 (No malicious items detected)
Registry Values Detected: 0 (No malicious items detected)
Registry Data Items Detected: 0 (No malicious items detected)
Folders Detected: 0 (No malicious items detected)
Files Detected: 4
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir (Trojan.0access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\00000008.@.vir (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
(end)
to nethog
If you want to continue receiving assistance in this forum, then DO NOT RUN ANY PROGRAMS UNLESS INSTRUCTED.
ComboFix had removed the ZeroAccess trojan to quarantine. MBAM only removed the files already quarantined. If for some strange reason it was necessary to reverse ComboFix's action, you removed that option by running MBAM.
Onward....
Please run OTL again, and post the new log in this thread. Note that there will not be a new Extras log this time.
2012-Sep-1 10:21 am
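The point the helper makes above (MBAM only touched files ComboFix had already moved into its quarantine) can be checked mechanically from the log. The following is an added example, not code from the thread, from Malwarebytes or from ComboFix: it parses the "Files Detected" section of an MBAM 1.62-style log and separates entries whose path sits under ComboFix's C:\Qoobox\Quarantine folder from entries still at their original location. The sample log is constructed: three lines are copied from the log posted above and a fourth, un-quarantined entry is invented to exercise the other branch. Function names, the Detection class and the handling of ComboFix's .vir suffix are this example's own assumptions.

```python
"""Classify Malwarebytes 'Files Detected' entries as already-quarantined vs live.

Added example (assumption-based, not from the forum thread or from the tools it
discusses). ComboFix stores quarantined files under C:\\Qoobox\\Quarantine\\<drive>\\
with a .vir suffix; a detection there is a copy, not an active infection.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ComboFix's quarantine root as it appears in the thread (compared case-insensitively).
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"

# One MBAM detection line: "<path> (<threat name>) -> <action>"
ENTRY_RE = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
HEADER_RE = re.compile(r"^Files Detected: (?P<count>\d+)")

# Constructed sample: first three lines taken from the posted log, the fourth
# (a file still at its original location) invented for illustration.
SAMPLE_LOG = r"""Files Detected: 4
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir (Trojan.0access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\00000008.@.vir (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\80000032.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{a406e640-2847-144d-ca12-b5496dd1d4e7}\U\000000cb.@ (Rootkit.0Access) -> No action taken.
(end)
"""


@dataclass
class Detection:
    path: str
    threat: str
    action: str

    @property
    def already_quarantined(self) -> bool:
        """True when the file was found inside ComboFix's quarantine, not in place."""
        return self.path.lower().startswith(QUARANTINE_PREFIX)

    @property
    def original_path(self) -> str:
        """Reconstruct where a quarantined file lived (Quarantine\\C\\... -> C:\\...)."""
        if not self.already_quarantined:
            return self.path
        rest = self.path[len(QUARANTINE_PREFIX):]      # e.g. C\Windows\...\Desktop.ini.vir
        drive, _, tail = rest.partition("\\")
        if tail.lower().endswith(".vir"):              # assumed ComboFix naming convention
            tail = tail[:-4]
        return f"{drive}:\\{tail}"


def parse_files_detected(log_text: str) -> List[Detection]:
    """Return the detections listed under 'Files Detected: N'; raise if N disagrees."""
    found: List[Detection] = []
    declared: Optional[int] = None
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            declared = int(header.group("count"))
            if declared == 0:                          # "(No malicious items detected)"
                return []
            in_section = True
            continue
        if not in_section:
            continue
        if not line or line == "(end)":               # section ends at the log footer
            break
        entry = ENTRY_RE.match(line)
        if entry:
            found.append(Detection(entry.group("path"), entry.group("threat"), entry.group("action")))
    if declared is not None and declared != len(found):
        raise ValueError(f"log declares {declared} files but {len(found)} entries were parsed")
    return found


def classify(log_text: str) -> Dict[str, List[Detection]]:
    """Split detections into those ComboFix had already quarantined and live ones."""
    detections = parse_files_detected(log_text)
    return {
        "quarantined": [d for d in detections if d.already_quarantined],
        "live": [d for d in detections if not d.already_quarantined],
    }


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    print(f"already in ComboFix quarantine: {len(result['quarantined'])}")
    for d in result["quarantined"]:
        print(f"  {d.threat:<24} originally {d.original_path}")
    print(f"still at original location:     {len(result['live'])}")
    for d in result["live"]:
        print(f"  {d.threat:<24} {d.path} [{d.action}]")
```

Run against the log actually posted above, every entry falls into the "quarantined" bucket, which is the helper's observation: nothing new was found, and the copies ComboFix kept for a possible restore are now gone. Any entry in the "live" bucket would instead indicate an infection that survived the ComboFix run.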
nethog
Member
2012-Sep-2 2:24 pm
Ok sorry.... here is the OTL log file:
OTL logfile created on: 9/2/2012 2:06:23 PM - Run 2
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Users\Peter\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
4.00 Gb Total Physical Memory | 2.73 Gb Available Physical Memory | 68.36% Memory free
7.99 Gb Paging File | 6.29 Gb Available in Paging File | 78.71% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 285.50 Gb Total Space | 161.40 Gb Free Space | 56.53% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 4.01 Gb Free Space | 40.12% Space Free | Partition Type: NTFS
Computer Name: LAPTOP | User Name: Peter | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2012/09/02 14:04:45 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Peter\Desktop\OTL.exe
PRC - [2012/07/27 16:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/06/15 22:24:20 | 000,138,272 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton Security Suite\Engine\6.3.0.14\ccsvchst.exe
PRC - [2011/11/29 22:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton Online\Engine\2.3.0.7\ccSvcHst.exe
PRC - [2011/10/15 04:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2011/10/15 01:54:40 | 000,381,248 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2011/10/13 22:37:26 | 000,075,136 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2011/06/09 14:06:06 | 000,507,624 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
PRC - [2011/06/03 11:04:26 | 000,979,360 | ---- | M] (Razer USA Ltd) -- C:\Program Files (x86)\Razer\Imperator\RazerImperatorSysTray.exe
PRC - [2010/08/03 09:43:02 | 000,522,824 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
PRC - [2009/07/13 21:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
PRC - [2009/07/13 21:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
PRC - [2009/07/13 21:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
PRC - [2009/07/13 21:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
PRC - [2007/05/09 17:01:00 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
========== Modules (No Company Name) ==========
========== Win32 Services (SafeList) ==========
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 21:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2008/02/22 16:49:18 | 000,592,464 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (nicconfigsvc)
SRV - [2012/08/14 20:08:10 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/27 16:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/07/12 15:16:55 | 000,008,704 | ---- | M] (Hi-Rez Studios) [Auto | Running] -- C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe -- (HiPatchService)
SRV - [2012/06/18 22:30:33 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/06/15 22:24:20 | 000,138,272 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton Security Suite\Engine\6.3.0.14\ccSvcHst.exe -- (N360)
SRV - [2011/11/29 22:17:50 | 000,138,248 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton Online\Engine\2.3.0.7\ccSvcHst.exe -- (NOF)
SRV - [2011/10/15 04:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/10/15 01:54:40 | 000,381,248 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2011/10/13 22:37:26 | 000,075,136 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
========== Driver Services (SafeList) ==========
DRV:64bit: - [2012/09/01 00:03:17 | 000,175,736 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent) DRV:64bit: - [2012/08/17 17:26:48 | 000,025,584 | ---- | M] (PC-Doctor, Inc.) [Kernel | On_Demand | Running] -- c:\Program Files\Dell Support Center\pcdsrvc_x64.pkms -- (PCDSRVC{1E208CE0-FB7451FF-06020200}_0) DRV:64bit: - [2012/07/05 22:17:58 | 000,737,952 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtsp64.sys -- (SRTSP) DRV:64bit: - [2012/07/05 22:17:58 | 000,037,536 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtspx64.sys -- (SRTSPX) DRV:64bit: - [2012/06/07 00:43:38 | 000,167,072 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\ccsetx64.sys -- (ccSet_N360) DRV:64bit: - [2012/05/21 21:37:12 | 001,129,120 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symefa64.sys -- (SymEFA) DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2011/11/16 23:38:00 | 000,405,624 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symnets.sys -- (SymNetS) DRV:64bit: - [2011/11/16 23:38:00 | 000,218,232 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NSMx64\0203000.01A\symrdrs.sys -- (SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}) DRV:64bit: - [2011/11/16 23:17:50 | 000,190,072 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\ironx64.sys -- (SymIRON) DRV:64bit: - [2011/11/04 19:59:30 | 000,167,048 | R--- | M] (Symantec 
Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NOFx64\0203000.007\ccSetx64.sys -- (ccSet_NOF) DRV:64bit: - [2011/08/16 02:51:40 | 000,451,192 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symds64.sys -- (SymDS) DRV:64bit: - [2011/04/13 15:04:38 | 000,045,432 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64) DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2010/11/20 23:24:43 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport) DRV:64bit: - [2010/11/20 23:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2010/11/20 23:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub) DRV:64bit: - [2010/11/20 23:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc) DRV:64bit: - [2010/11/20 23:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc) DRV:64bit: - [2010/11/20 23:23:48 | 000,034,816 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt) DRV:64bit: - [2010/11/20 23:23:47 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- 
C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus) DRV:64bit: - [2010/11/20 23:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2010/11/20 23:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD) DRV:64bit: - [2010/04/14 01:01:44 | 000,054,824 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btusbflt.sys -- (btusbflt) DRV:64bit: - [2010/03/23 02:53:04 | 001,101,600 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ae1000w7.sys -- (AE1000) DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009/06/25 17:04:20 | 000,067,584 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimmpx64.sys -- (rimmptsk) DRV:64bit: - [2009/06/25 16:38:52 | 000,057,856 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rixdpx64.sys -- (rismxdp) DRV:64bit: - [2009/06/25 16:13:44 | 000,055,296 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimspx64.sys -- (rimsptsk) DRV:64bit: - [2009/06/10 16:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64) DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- 
C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:64bit: - [2007/10/26 14:39:14 | 000,315,440 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP) DRV:64bit: - [2007/10/10 17:03:00 | 000,266,624 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\OEM02Dev.sys -- (OEM02Dev) DRV:64bit: - [2007/03/05 10:55:48 | 000,012,288 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\OEM02Vfx.sys -- (OEM02Vfx) DRV - [2012/09/02 00:51:27 | 002,084,000 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20120901.008\ex64.sys -- (NAVEX15) DRV - [2012/09/02 00:51:27 | 000,125,600 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20120901.008\eng64.sys -- (NAVENG) DRV - [2012/08/31 23:32:03 | 000,484,512 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl) DRV - [2012/08/31 23:32:03 | 000,138,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv) DRV - 
[2012/08/31 09:01:08 | 000,512,672 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20120831.001\IDSviA64.sys -- (IDSVia64) DRV - [2012/08/23 03:52:48 | 001,161,376 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\BASHDefs\20120823.007\BHDrvx64.sys -- (BHDrvx64) DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7F 3E 3B D7 ED 44 CC 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
[color=#E56717]========== FireFox ==========[/color]
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_271.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll () FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{6D5C8FC4-DE46-41bf-9092-93F0F78E9115}: C:\ProgramData\Norton\{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}\NSM_2.3.0.26\coFFFw\ [2012/09/02 10:00:39 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\IPSFFPlgn\ [2012/08/31 23:28:47 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\coFFPlgn\ [2012/09/02 09:49:50 | 000,000,000 | ---D | M]
O1 HOSTS File: ([2012/08/30 17:49:29 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\6.3.0.14\coieplg.dll (Symantec Corporation) O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\6.3.0.14\ips\ipsbho.dll (Symantec Corporation) O2 - BHO: (Norton Safety Minder BHO) - {B8E07826-0971-4f16-B133-047B88034E89} - C:\Program Files (x86)\Norton Online\AddOns\Norton Safety Minder\Engine\2.3.0.26\CoIEPlg.dll (Symantec Corporation) O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\6.3.0.14\coieplg.dll (Symantec Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\6.3.0.14\coieplg.dll (Symantec Corporation) O4:64bit: - HKLM..\Run: [IntelliPoint] c:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation) O4:64bit: - HKLM..\Run: [Launch LCDMon] C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe (Logitech Inc.) O4:64bit: - HKLM..\Run: [Launch LgDeviceAgent] C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe (Logitech Inc.) O4:64bit: - HKLM..\Run: [NVHotkey] C:\Windows\SysNative\nvHotkey.dll (NVIDIA Corporation) O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.) 
O4 - HKLM..\Run: [Razer Imperator Driver] C:\Program Files (x86)\Razer\Imperator\RazerImperatorSysTray.exe (Razer USA Ltd) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} http://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class) O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bitdefender.com/qsax/qsax.cab (Bitdefender QuickScan Control) O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.) 
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{55708DA7-02EF-43EA-A72C-E5767C41A951}: DhcpNameServer = 68.87.77.134 68.87.72.134 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7D41AF3F-544D-4E59-8FA5-CD15332DCC21}: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C7A6B14E-934F-4523-AFEA-1CC2E11C0C7E}: DhcpNameServer = 68.87.77.134 68.87.72.134 192.168.1.1 O18:64bit: - Protocol\Handler\ms-help - No CLSID value found O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile 
[open] -- "%1" %* O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]
[2012/09/02 14:04:45 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Peter\Desktop\OTL.exe [2012/09/01 01:13:02 | 000,020,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\svchost.exe [2012/09/01 00:44:13 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell Support Center [2012/09/01 00:44:12 | 000,000,000 | ---D | C] -- C:\ProgramData\PC-Doctor for Windows [2012/09/01 00:02:58 | 000,218,232 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NSMx64\0203000.01A\symrdrs.sys [2012/09/01 00:02:57 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\NSMx64 [2012/09/01 00:02:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Safety Minder [2012/09/01 00:02:57 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\NSMx64\0203000.01A [2012/09/01 00:02:47 | 000,167,048 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NOFx64\0203000.007\ccSetx64.sys [2012/09/01 00:02:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Norton Online [2012/09/01 00:02:45 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\NOFx64 [2012/09/01 00:02:45 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\NOFx64\0203000.007 [2012/09/01 00:02:03 | 000,828,832 | ---- | C] (Symantec Corporation) -- C:\Users\Public\Documents\NSM_Installer.exe [2012/09/01 00:02:02 | 000,269,720 | ---- | C] (Symantec Corporation) -- C:\Users\Public\Documents\2013FSDPlugin.dll [2012/09/01 00:02:02 | 000,172,992 | ---- | C] (Symantec Corporation) -- C:\Users\Public\Documents\2012FSDPlugin.dll [2012/09/01 00:02:00 | 013,259,848 | ---- | C] (Symantec Corporation) -- C:\Users\Public\Documents\SafetyMinder.exe [2012/08/31 23:47:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Symantec Shared [2012/08/31 23:31:49 | 001,129,120 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symefa64.sys [2012/08/31 23:31:49 | 000,737,952 | ---- | 
C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtsp64.sys [2012/08/31 23:31:49 | 000,451,192 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symds64.sys [2012/08/31 23:31:49 | 000,405,624 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symnets.sys [2012/08/31 23:31:49 | 000,190,072 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\ironx64.sys [2012/08/31 23:31:49 | 000,167,072 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\ccsetx64.sys [2012/08/31 23:31:49 | 000,037,536 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtspx64.sys [2012/08/31 23:28:22 | 000,175,736 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS [2012/08/31 23:28:22 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec [2012/08/31 23:26:41 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security Suite [2012/08/31 23:26:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Norton Security Suite [2012/08/31 23:26:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NortonInstaller [2012/08/31 22:04:04 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton [2012/08/31 21:38:24 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\N360x64\0603000.00E [2012/08/31 21:11:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared [2012/08/31 21:10:10 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\N360x64 [2012/08/30 17:52:48 | 000,000,000 | ---D | C] -- C:\Windows\temp [2012/08/30 17:16:11 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2012/08/30 17:16:11 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2012/08/30 17:16:11 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2012/08/30 
17:07:22 | 000,000,000 | ---D | C] -- C:\Qoobox [2012/08/30 17:06:50 | 000,000,000 | ---D | C] -- C:\Windows\erdnt [2012/08/29 22:20:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sophos [2012/08/14 19:54:05 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\QuickScan [2012/08/13 22:40:08 | 000,000,000 | ---D | C] -- C:\ProgramData\IsolatedStorage [2012/08/13 22:40:08 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\ID Vault [2012/08/13 22:39:40 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\ID Vault [2012/08/13 22:38:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Constant Guard Protection Suite [2012/08/13 22:38:43 | 000,000,000 | ---D | C] -- C:\ProgramData\White Sky, Inc [2012/08/13 22:31:20 | 057,442,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MRT.exe [2012/08/13 20:18:58 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Malwarebytes [2012/08/13 20:07:22 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA% [2012/08/13 18:51:40 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\NPE [2012/08/13 18:47:20 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Roaming\Tific [2012/08/13 18:46:54 | 000,000,000 | ---D | C] -- C:\Users\Peter\AppData\Local\Symantec [2012/08/07 22:05:18 | 000,000,000 | ---D | C] -- C:\Users\Peter\Documents\LOLReplay
[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]
[2012/09/02 14:08:12 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2012/09/02 14:04:45 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Peter\Desktop\OTL.exe [2012/09/02 09:57:58 | 000,020,496 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012/09/02 09:57:58 | 000,020,496 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012/09/02 09:46:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012/09/02 09:46:25 | 3219,701,760 | -HS- | M] () -- C:\hiberfil.sys [2012/09/01 15:39:44 | 468,952,159 | ---- | M] () -- C:\Windows\MEMORY.DMP [2012/09/01 00:03:17 | 000,175,736 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS [2012/09/01 00:03:17 | 000,007,488 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT [2012/09/01 00:03:17 | 000,000,855 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF [2012/09/01 00:03:08 | 000,002,779 | ---- | M] () -- C:\Users\Public\Desktop\Norton Online Family.lnk [2012/09/01 00:00:22 | 013,259,848 | ---- | M] (Symantec Corporation) -- C:\Users\Public\Documents\SafetyMinder.exe [2012/09/01 00:00:00 | 000,828,832 | ---- | M] (Symantec Corporation) -- C:\Users\Public\Documents\NSM_Installer.exe [2012/08/31 23:38:56 | 000,002,431 | ---- | M] () -- C:\Users\Public\Desktop\Norton Security Suite.lnk [2012/08/31 22:06:11 | 000,416,528 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT [2012/08/31 21:42:43 | 001,455,447 | ---- | M] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\Cat.DB [2012/08/31 21:38:46 | 000,008,942 | ---- | M] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\VT20120731.038 [2012/08/30 17:49:29 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts [2012/08/29 21:53:24 | 001,936,389 | ---- | M] () -- C:\Users\Peter\Desktop\virus.png [2012/08/15 05:19:28 | 
000,046,654 | ---- | M] () -- C:\Users\Peter\Desktop\rootkit msg.png [2012/08/14 20:08:10 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe [2012/08/14 20:08:10 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl [2012/08/14 16:48:54 | 000,000,172 | ---- | M] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\isolate.ini
[color=#E56717]========== Files Created - No Company Name ==========[/color]
[2012/09/01 00:03:08 | 000,002,779 | ---- | C] () -- C:\Users\Public\Desktop\Norton Online Family.lnk [2012/09/01 00:02:57 | 000,001,482 | R--- | C] () -- C:\Windows\SysNative\drivers\NSMx64\0203000.01A\SymRdr.inf [2012/09/01 00:02:57 | 000,001,130 | R--- | C] () -- C:\Windows\SysNative\drivers\NSMx64\0203000.01A\symrdr64.cat [2012/09/01 00:02:46 | 000,000,853 | R--- | C] () -- C:\Windows\SysNative\drivers\NOFx64\0203000.007\ccSetx64.inf [2012/09/01 00:02:45 | 000,007,468 | R--- | C] () -- C:\Windows\SysNative\drivers\NOFx64\0203000.007\ccSetx64.cat [2012/09/01 00:02:45 | 000,000,172 | ---- | C] () -- C:\Windows\SysNative\drivers\NOFx64\0203000.007\isolate.ini [2012/08/31 23:31:49 | 000,007,496 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symds64.cat [2012/08/31 23:31:49 | 000,007,458 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symnet64.cat [2012/08/31 23:31:49 | 000,007,450 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\iron.cat [2012/08/31 23:31:49 | 000,007,446 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\ccsetx64.cat [2012/08/31 23:31:49 | 000,007,438 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symefa64.cat [2012/08/31 23:31:49 | 000,007,406 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtspx64.cat [2012/08/31 23:31:49 | 000,007,402 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtsp64.cat [2012/08/31 23:31:49 | 000,003,435 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symefa.inf [2012/08/31 23:31:49 | 000,002,852 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symds.inf [2012/08/31 23:31:49 | 000,001,441 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symnet.inf [2012/08/31 23:31:49 | 000,001,437 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtsp64.inf [2012/08/31 23:31:49 | 000,001,419 | ---- | C] () -- 
C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtspx64.inf [2012/08/31 23:31:49 | 000,000,853 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\ccsetx64.inf [2012/08/31 23:31:49 | 000,000,772 | R--- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\iron.inf [2012/08/31 23:31:46 | 000,008,942 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\symvtcer.dat [2012/08/31 23:31:46 | 000,000,172 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\isolate.ini [2012/08/31 23:28:22 | 000,007,488 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT [2012/08/31 23:28:22 | 000,000,855 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF [2012/08/31 23:27:54 | 000,002,431 | ---- | C] () -- C:\Users\Public\Desktop\Norton Security Suite.lnk [2012/08/31 21:41:59 | 001,455,447 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\Cat.DB [2012/08/31 21:39:46 | 000,008,942 | ---- | C] () -- C:\Windows\SysNative\drivers\N360x64\0603000.00E\VT20120731.038 [2012/08/30 17:16:11 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe [2012/08/30 17:16:11 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe [2012/08/30 17:16:11 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2012/08/30 17:16:11 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2012/08/30 17:16:11 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2012/08/29 21:53:23 | 001,936,389 | ---- | C] () -- C:\Users\Peter\Desktop\virus.png [2012/08/15 05:19:28 | 000,046,654 | ---- | C] () -- C:\Users\Peter\Desktop\rootkit msg.png [2012/01/11 07:19:23 | 000,002,048 | -HS- | C] () -- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{a406e640-2847-144d-ca12-b5496dd1d4e7}\@ [2012/01/11 07:19:23 | 000,002,048 | -HS- | C] () -- C:\Windows\System32\config\systemprofile\AppData\Local\{a406e640-2847-144d-ca12-b5496dd1d4e7}\@ [2011/12/03 08:19:02 | 000,000,632 | RHS- | C] () -- C:\Users\Peter\ntuser.pol [2011/10/29 15:51:53 | 000,187,612 | 
-H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat [2011/10/15 01:54:52 | 000,321,856 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe [2011/10/13 22:39:19 | 000,266,752 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe [2011/10/13 22:37:26 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe [2011/09/28 17:44:14 | 000,179,271 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat [2011/08/01 07:23:35 | 000,756,022 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2011/05/29 16:09:51 | 000,040,127 | ---- | C] () -- C:\Windows\DIIUnin.dat
[color=#E56717]========== LOP Check ==========[/color]
[2012/08/29 21:38:50 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\ID Vault [2011/12/18 13:17:26 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\iolo [2012/08/14 19:54:09 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\QuickScan [2012/08/13 18:47:20 | 000,000,000 | ---D | M] -- C:\Users\Peter\AppData\Roaming\Tific [2012/08/30 17:20:34 | 000,032,560 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
2012-Sep-2 2:24 pm
to nethog
Looks good.

First: Use Add/Remove Programs to uninstall Yoontoo. It has adware and potential privacy concerns.

Second: We don't need Combofix any more, so time to remove. Click Start, then Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

(Note: There is a SPACE between ComboFix and /uninstall)

Third: A final check for the Google redirector rootkit. I fully expect this to be negative, but it's worth doing. Download and run TDSS Killer, posting the log in this thread. Please post the log, even if nothing is detected. You'll find the link(s) and instruction(s) here: » Security Cleanup FAQ » Rootkit Detection Applications

2012-Sep-3 11:09 am
nethog
Member
2012-Sep-6 8:03 pm
LoPhatPhuud: I am unable to uninstall Yoontoo - after selecting uninstall from control panel I get a "setup initialization error".
Also when I try running ComboFix /Uninstall I get a "windows cannot find Combofix" error.
Here is the first portion of the TDSS Killer log (2nd part in next reply):
Compbatt C:\Windows\system32\DRIVERS\compbatt.sys 19:51:41.0380 3480 Compbatt - ok 19:51:41.0396 3480 [ 03EDB043586CCEBA243D689BDDA370A8 ] CompositeBus C:\Windows\system32\DRIVERS\CompositeBus.sys 19:51:41.0396 3480 CompositeBus - ok 19:51:41.0427 3480 COMSysApp - ok 19:51:41.0443 3480 [ 1C827878A998C18847245FE1F34EE597 ] crcdisk C:\Windows\system32\drivers\crcdisk.sys 19:51:41.0443 3480 crcdisk - ok 19:51:41.0521 3480 [ 4F5414602E2544A4554D95517948B705 ] CryptSvc C:\Windows\system32\cryptsvc.dll 19:51:41.0536 3480 CryptSvc - ok 19:51:41.0583 3480 [ 54DA3DFD29ED9F1619B6F53F3CE55E49 ] CSC C:\Windows\system32\drivers\csc.sys 19:51:41.0599 3480 CSC - ok 19:51:41.0645 3480 [ 3AB183AB4D2C79DCF459CD2C1266B043 ] CscService C:\Windows\System32\cscsvc.dll 19:51:41.0677 3480 CscService - ok 19:51:41.0723 3480 [ 5C627D1B1138676C0A7AB2C2C190D123 ] DcomLaunch C:\Windows\system32\rpcss.dll 19:51:41.0739 3480 DcomLaunch - ok 19:51:41.0770 3480 [ 3CEC7631A84943677AA8FA8EE5B6B43D ] defragsvc C:\Windows\System32\defragsvc.dll 19:51:41.0786 3480 defragsvc - ok 19:51:41.0801 3480 [ 9BB2EF44EAA163B29C4A4587887A0FE4 ] DfsC C:\Windows\system32\Drivers\dfsc.sys 19:51:41.0801 3480 DfsC - ok 19:51:41.0848 3480 [ 43D808F5D9E1A18E5EEB5EBC83969E4E ] Dhcp C:\Windows\system32\dhcpcore.dll 19:51:41.0848 3480 Dhcp - ok 19:51:41.0879 3480 [ 13096B05847EC78F0977F2C0F79E9AB3 ] discache C:\Windows\system32\drivers\discache.sys 19:51:41.0895 3480 discache - ok 19:51:41.0942 3480 [ 9819EEE8B5EA3784EC4AF3B137A5244C ] Disk C:\Windows\system32\drivers\disk.sys 19:51:41.0942 3480 Disk - ok 19:51:41.0989 3480 [ 5DB085A8A6600BE6401F2B24EECB5415 ] dmvsc C:\Windows\system32\drivers\dmvsc.sys 19:51:41.0989 3480 dmvsc - ok 19:51:42.0035 3480 [ 16835866AAA693C7D7FCEBA8FFF706E4 ] Dnscache C:\Windows\System32\dnsrslvr.dll 19:51:42.0035 3480 Dnscache - ok 19:51:42.0160 3480 [ B1FB3DDCA0FDF408750D5843591AFBC6 ] dot3svc C:\Windows\System32\dot3svc.dll 19:51:42.0176 3480 dot3svc - ok 19:51:42.0191 3480 [ 
B26F4F737E8F9DF4F31AF6CF31D05820 ] DPS C:\Windows\system32\dps.dll 19:51:42.0207 3480 DPS - ok 19:51:42.0238 3480 [ 9B19F34400D24DF84C858A421C205754 ] drmkaud C:\Windows\system32\drivers\drmkaud.sys 19:51:42.0238 3480 drmkaud - ok 19:51:42.0285 3480 [ F5BEE30450E18E6B83A5012C100616FD ] DXGKrnl C:\Windows\System32\drivers\dxgkrnl.sys 19:51:42.0332 3480 DXGKrnl - ok 19:51:42.0363 3480 [ E2DDA8726DA9CB5B2C4000C9018A9633 ] EapHost C:\Windows\System32\eapsvc.dll 19:51:42.0379 3480 EapHost - ok 19:51:42.0519 3480 [ DC5D737F51BE844D8C82C695EB17372F ] ebdrv C:\Windows\system32\drivers\evbda.sys 19:51:42.0613 3480 ebdrv - ok 19:51:42.0722 3480 [ 4353FF94D47A0A9D52B89ECCF0CDB013 ] eeCtrl C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys 19:51:42.0722 3480 eeCtrl - ok 19:51:42.0769 3480 [ C118A82CD78818C29AB228366EBF81C3 ] EFS C:\Windows\System32\lsass.exe 19:51:42.0784 3480 EFS - ok 19:51:42.0847 3480 [ C4002B6B41975F057D98C439030CEA07 ] ehRecvr C:\Windows\ehome\ehRecvr.exe 19:51:42.0862 3480 ehRecvr - ok 19:51:42.0893 3480 [ 4705E8EF9934482C5BB488CE28AFC681 ] ehSched C:\Windows\ehome\ehsched.exe 19:51:42.0893 3480 ehSched - ok 19:51:42.0940 3480 [ 0E5DA5369A0FCAEA12456DD852545184 ] elxstor C:\Windows\system32\drivers\elxstor.sys 19:51:42.0956 3480 elxstor - ok 19:51:43.0034 3480 [ C5BCCB378D0A896304A3E71BE7215983 ] EraserUtilRebootDrv C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 19:51:43.0049 3480 EraserUtilRebootDrv - ok 19:51:43.0065 3480 [ 34A3C54752046E79A126E15C51DB409B ] ErrDev C:\Windows\system32\drivers\errdev.sys 19:51:43.0081 3480 ErrDev - ok 19:51:43.0127 3480 [ 4166F82BE4D24938977DD1746BE9B8A0 ] EventSystem C:\Windows\system32\es.dll 19:51:43.0143 3480 EventSystem - ok 19:51:43.0174 3480 [ A510C654EC00C1E9BDD91EEB3A59823B ] exfat C:\Windows\system32\drivers\exfat.sys 19:51:43.0174 3480 exfat - ok 19:51:43.0221 3480 [ 0ADC83218B66A6DB380C330836F3E36D ] fastfat C:\Windows\system32\drivers\fastfat.sys 
19:51:43.0221 3480 fastfat - ok 19:51:43.0268 3480 [ DBEFD454F8318A0EF691FDD2EAAB44EB ] Fax C:\Windows\system32\fxssvc.exe 19:51:43.0299 3480 Fax - ok 19:51:43.0315 3480 [ D765D19CD8EF61F650C384F62FAC00AB ] fdc C:\Windows\system32\drivers\fdc.sys 19:51:43.0315 3480 fdc - ok 19:51:43.0315 3480 [ 0438CAB2E03F4FB61455A7956026FE86 ] fdPHost C:\Windows\system32\fdPHost.dll 19:51:43.0330 3480 fdPHost - ok 19:51:43.0346 3480 [ 802496CB59A30349F9A6DD22D6947644 ] FDResPub C:\Windows\system32\fdrespub.dll 19:51:43.0346 3480 FDResPub - ok 19:51:43.0361 3480 [ 655661BE46B5F5F3FD454E2C3095B930 ] FileInfo C:\Windows\system32\drivers\fileinfo.sys 19:51:43.0361 3480 FileInfo - ok 19:51:43.0377 3480 [ 5F671AB5BC87EEA04EC38A6CD5962A47 ] Filetrace C:\Windows\system32\drivers\filetrace.sys 19:51:43.0377 3480 Filetrace - ok 19:51:43.0393 3480 [ C172A0F53008EAEB8EA33FE10E177AF5 ] flpydisk C:\Windows\system32\drivers\flpydisk.sys 19:51:43.0408 3480 flpydisk - ok 19:51:43.0424 3480 [ DA6B67270FD9DB3697B20FCE94950741 ] FltMgr C:\Windows\system32\drivers\fltmgr.sys 19:51:43.0439 3480 FltMgr - ok 19:51:43.0486 3480 [ 5C4CB4086FB83115B153E47ADD961A0C ] FontCache C:\Windows\system32\FntCache.dll 19:51:43.0533 3480 FontCache - ok 19:51:43.0595 3480 [ A8B7F3818AB65695E3A0BB3279F6DCE6 ] FontCache3.0.0.0 C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe 19:51:43.0595 3480 FontCache3.0.0.0 - ok 19:51:43.0627 3480 [ D43703496149971890703B4B1B723EAC ] FsDepends C:\Windows\system32\drivers\FsDepends.sys 19:51:43.0627 3480 FsDepends - ok 19:51:43.0689 3480 [ 6BD9295CC032DD3077C671FCCF579A7B ] Fs_Rec C:\Windows\system32\drivers\Fs_Rec.sys 19:51:43.0705 3480 Fs_Rec - ok 19:51:43.0736 3480 [ 1F7B25B858FA27015169FE95E54108ED ] fvevol C:\Windows\system32\DRIVERS\fvevol.sys 19:51:43.0736 3480 fvevol - ok 19:51:43.0767 3480 [ 8C778D335C9D272CFD3298AB02ABE3B6 ] gagp30kx C:\Windows\system32\drivers\gagp30kx.sys 19:51:43.0767 3480 gagp30kx - ok 19:51:43.0829 3480 [ 
277BBC7E1AA1EE957F573A10ECA7EF3A ] gpsvc C:\Windows\System32\gpsvc.dll 19:51:43.0845 3480 gpsvc - ok 19:51:43.0861 3480 [ F2523EF6460FC42405B12248338AB2F0 ] hcw85cir C:\Windows\system32\drivers\hcw85cir.sys 19:51:43.0892 3480 hcw85cir - ok 19:51:44.0001 3480 [ 975761C778E33CD22498059B91E7373A ] HdAudAddService C:\Windows\system32\drivers\HdAudio.sys 19:51:44.0017 3480 HdAudAddService - ok 19:51:44.0032 3480 [ 97BFED39B6B79EB12CDDBFEED51F56BB ] HDAudBus C:\Windows\system32\DRIVERS\HDAudBus.sys 19:51:44.0032 3480 HDAudBus - ok 19:51:44.0063 3480 [ 78E86380454A7B10A5EB255DC44A355F ] HidBatt C:\Windows\system32\drivers\HidBatt.sys 19:51:44.0063 3480 HidBatt - ok 19:51:44.0095 3480 [ 7FD2A313F7AFE5C4DAB14798C48DD104 ] HidBth C:\Windows\system32\drivers\hidbth.sys 19:51:44.0095 3480 HidBth - ok 19:51:44.0126 3480 [ 0A77D29F311B88CFAE3B13F9C1A73825 ] HidIr C:\Windows\system32\drivers\hidir.sys 19:51:44.0126 3480 HidIr - ok 19:51:44.0157 3480 [ BD9EB3958F213F96B97B1D897DEE006D ] hidserv C:\Windows\System32\hidserv.dll 19:51:44.0157 3480 hidserv - ok 19:51:44.0204 3480 [ 9592090A7E2B61CD582B612B6DF70536 ] HidUsb C:\Windows\system32\DRIVERS\hidusb.sys 19:51:44.0204 3480 HidUsb - ok 19:51:44.0391 3480 [ 8D1F00F4254C3EF428B715484940427C ] HiPatchService C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe 19:51:44.0391 3480 HiPatchService - ok 19:51:44.0422 3480 [ 387E72E739E15E3D37907A86D9FF98E2 ] hkmsvc C:\Windows\system32\kmsvc.dll 19:51:44.0422 3480 hkmsvc - ok 19:51:44.0516 3480 [ EFDFB3DD38A4376F93E7985173813ABD ] HomeGroupListener C:\Windows\system32\ListSvc.dll 19:51:44.0516 3480 HomeGroupListener - ok 19:51:44.0563 3480 [ 908ACB1F594274965A53926B10C81E89 ] HomeGroupProvider C:\Windows\system32\provsvc.dll 19:51:44.0563 3480 HomeGroupProvider - ok 19:51:44.0609 3480 [ 39D2ABCD392F3D8A6DCE7B60AE7B8EFC ] HpSAMD C:\Windows\system32\drivers\HpSAMD.sys 19:51:44.0609 3480 HpSAMD - ok 19:51:44.0672 3480 [ 0EA7DE1ACB728DD5A369FD742D6EEE28 ] HTTP 
C:\Windows\system32\drivers\HTTP.sys 19:51:44.0703 3480 HTTP - ok 19:51:44.0734 3480 [ A5462BD6884960C9DC85ED49D34FF392 ] hwpolicy C:\Windows\system32\drivers\hwpolicy.sys 19:51:44.0734 3480 hwpolicy - ok 19:51:44.0781 3480 [ FA55C73D4AFFA7EE23AC4BE53B4592D3 ] i8042prt C:\Windows\system32\DRIVERS\i8042prt.sys 19:51:44.0781 3480 i8042prt - ok 19:51:44.0843 3480 [ AAAF44DB3BD0B9D1FB6969B23ECC8366 ] iaStorV C:\Windows\system32\drivers\iaStorV.sys 19:51:44.0859 3480 iaStorV - ok 19:51:45.0109 3480 [ 5988FC40F8DB5B0739CD1E3A5D0D78BD ] idsvc C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe 19:51:45.0218 3480 idsvc - ok 19:51:45.0343 3480 [ A48928D4CCA6F8B731989DB08CF2C0AB ] IDSVia64 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20120906.002\IDSvia64.sys 19:51:45.0358 3480 IDSVia64 - ok 19:51:45.0436 3480 [ 5C18831C61933628F5BB0EA2675B9D21 ] iirsp C:\Windows\system32\drivers\iirsp.sys 19:51:45.0436 3480 iirsp - ok 19:51:45.0623 3480 [ FCD84C381E0140AF901E58D48882D26B ] IKEEXT C:\Windows\System32\ikeext.dll 19:51:45.0655 3480 IKEEXT - ok 19:51:45.0670 3480 [ F00F20E70C6EC3AA366910083A0518AA ] intelide C:\Windows\system32\drivers\intelide.sys 19:51:45.0686 3480 intelide - ok 19:51:45.0717 3480 [ ADA036632C664CAA754079041CF1F8C1 ] intelppm C:\Windows\system32\DRIVERS\intelppm.sys 19:51:45.0717 3480 intelppm - ok 19:51:45.0733 3480 [ 098A91C54546A3B878DAD6A7E90A455B ] IPBusEnum C:\Windows\system32\ipbusenum.dll 19:51:45.0733 3480 IPBusEnum - ok 19:51:45.0764 3480 [ C9F0E1BD74365A8771590E9008D22AB6 ] IpFilterDriver C:\Windows\system32\DRIVERS\ipfltdrv.sys 19:51:45.0779 3480 IpFilterDriver - ok 19:51:45.0904 3480 [ A34A587FFFD45FA649FBA6D03784D257 ] iphlpsvc C:\Windows\System32\iphlpsvc.dll 19:51:45.0935 3480 iphlpsvc - ok 19:51:45.0982 3480 [ 0FC1AEA580957AA8817B8F305D18CA3A ] IPMIDRV C:\Windows\system32\drivers\IPMIDrv.sys 19:51:45.0982 3480 IPMIDRV - ok 19:51:46.0060 3480 [ 
AF9B39A7E7B6CAA203B3862582E9F2D0 ] IPNAT C:\Windows\system32\drivers\ipnat.sys 19:51:46.0060 3480 IPNAT - ok 19:51:46.0091 3480 [ 3ABF5E7213EB28966D55D58B515D5CE9 ] IRENUM C:\Windows\system32\drivers\irenum.sys 19:51:46.0091 3480 IRENUM - ok 19:51:46.0107 3480 [ 2F7B28DC3E1183E5EB418DF55C204F38 ] isapnp C:\Windows\system32\drivers\isapnp.sys 19:51:46.0107 3480 isapnp - ok 19:51:46.0138 3480 [ D931D7309DEB2317035B07C9F9E6B0BD ] iScsiPrt C:\Windows\system32\drivers\msiscsi.sys 19:51:46.0138 3480 iScsiPrt - ok 19:51:46.0169 3480 [ BC02336F1CBA7DCC7D1213BB588A68A5 ] kbdclass C:\Windows\system32\DRIVERS\kbdclass.sys 19:51:46.0169 3480 kbdclass - ok 19:51:46.0201 3480 [ 0705EFF5B42A9DB58548EEC3B26BB484 ] kbdhid C:\Windows\system32\DRIVERS\kbdhid.sys 19:51:46.0201 3480 kbdhid - ok 19:51:46.0216 3480 [ C118A82CD78818C29AB228366EBF81C3 ] KeyIso C:\Windows\system32\lsass.exe 19:51:46.0216 3480 KeyIso - ok 19:51:46.0279 3480 [ 97A7070AEA4C058B6418519E869A63B4 ] KSecDD C:\Windows\system32\Drivers\ksecdd.sys 19:51:46.0279 3480 KSecDD - ok 19:51:46.0294 3480 [ 26C43A7C2862447EC59DEDA188D1DA07 ] KSecPkg C:\Windows\system32\Drivers\ksecpkg.sys 19:51:46.0294 3480 KSecPkg - ok 19:51:46.0341 3480 [ 6869281E78CB31A43E969F06B57347C4 ] ksthunk C:\Windows\system32\drivers\ksthunk.sys 19:51:46.0341 3480 ksthunk - ok 19:51:46.0403 3480 [ 6AB66E16AA859232F64DEB66887A8C9C ] KtmRm C:\Windows\system32\msdtckrm.dll 19:51:46.0419 3480 KtmRm - ok 19:51:46.0466 3480 [ D9F42719019740BAA6D1C6D536CBDAA6 ] LanmanServer C:\Windows\System32\srvsvc.dll 19:51:46.0466 3480 LanmanServer - ok 19:51:46.0497 3480 [ 851A1382EED3E3A7476DB004F4EE3E1A ] LanmanWorkstation C:\Windows\System32\wkssvc.dll 19:51:46.0497 3480 LanmanWorkstation - ok 19:51:46.0544 3480 [ 1538831CF8AD2979A04C423779465827 ] lltdio C:\Windows\system32\DRIVERS\lltdio.sys 19:51:46.0544 3480 lltdio - ok 19:51:46.0591 3480 [ C1185803384AB3FEED115F79F109427F ] lltdsvc C:\Windows\System32\lltdsvc.dll 19:51:46.0591 3480 lltdsvc - ok 19:51:46.0606 
3480 [ F993A32249B66C9D622EA5592A8B76B8 ] lmhosts C:\Windows\System32\lmhsvc.dll 19:51:46.0622 3480 lmhosts - ok 19:51:46.0653 3480 [ 1A93E54EB0ECE102495A51266DCDB6A6 ] LSI_FC C:\Windows\system32\drivers\lsi_fc.sys 19:51:46.0669 3480 LSI_FC - ok 19:51:46.0669 3480 [ 1047184A9FDC8BDBFF857175875EE810 ] LSI_SAS C:\Windows\system32\drivers\lsi_sas.sys 19:51:46.0669 3480 LSI_SAS - ok 19:51:46.0700 3480 [ 30F5C0DE1EE8B5BC9306C1F0E4A75F93 ] LSI_SAS2 C:\Windows\system32\drivers\lsi_sas2.sys 19:51:46.0700 3480 LSI_SAS2 - ok 19:51:46.0715 3480 [ 0504EACAFF0D3C8AED161C4B0D369D4A ] LSI_SCSI C:\Windows\system32\drivers\lsi_scsi.sys 19:51:46.0715 3480 LSI_SCSI - ok 19:51:46.0762 3480 [ 43D0F98E1D56CCDDB0D5254CFF7B356E ] luafv C:\Windows\system32\drivers\luafv.sys 19:51:46.0762 3480 luafv - ok 19:51:46.0809 3480 [ 0BE09CD858ABF9DF6ED259D57A1A1663 ] Mcx2Svc C:\Windows\system32\Mcx2Svc.dll 19:51:46.0809 3480 Mcx2Svc - ok 19:51:46.0825 3480 [ A55805F747C6EDB6A9080D7C633BD0F4 ] megasas C:\Windows\system32\drivers\megasas.sys 19:51:46.0840 3480 megasas - ok 19:51:46.0871 3480 [ BAF74CE0072480C3B6B7C13B2A94D6B3 ] MegaSR C:\Windows\system32\drivers\MegaSR.sys 19:51:46.0871 3480 MegaSR - ok 19:51:46.0903 3480 MEMSWEEP2 - ok 19:51:47.0012 3480 Microsoft SharePoint Workspace Audit Service - ok 19:51:47.0074 3480 [ E40E80D0304A73E8D269F7141D77250B ] MMCSS C:\Windows\system32\mmcss.dll 19:51:47.0074 3480 MMCSS - ok 19:51:47.0105 3480 [ 800BA92F7010378B09F9ED9270F07137 ] Modem C:\Windows\system32\drivers\modem.sys 19:51:47.0105 3480 Modem - ok 19:51:47.0137 3480 [ B03D591DC7DA45ECE20B3B467E6AADAA ] monitor C:\Windows\system32\DRIVERS\monitor.sys 19:51:47.0137 3480 monitor - ok 19:51:47.0152 3480 [ 7D27EA49F3C1F687D357E77A470AEA99 ] mouclass C:\Windows\system32\DRIVERS\mouclass.sys 19:51:47.0168 3480 mouclass - ok 19:51:47.0183 3480 [ D3BF052C40B0C4166D9FD86A4288C1E6 ] mouhid C:\Windows\system32\DRIVERS\mouhid.sys 19:51:47.0183 3480 mouhid - ok 19:51:47.0277 3480 [ 
32E7A3D591D671A6DF2DB515A5CBE0FA ] mountmgr C:\Windows\system32\drivers\mountmgr.sys 19:51:47.0277 3480 mountmgr - ok 19:51:47.0308 3480 [ A44B420D30BD56E145D6A2BC8768EC58 ] mpio C:\Windows\system32\drivers\mpio.sys 19:51:47.0308 3480 mpio - ok 19:51:47.0324 3480 [ 6C38C9E45AE0EA2FA5E551F2ED5E978F ] mpsdrv C:\Windows\system32\drivers\mpsdrv.sys 19:51:47.0324 3480 mpsdrv - ok 19:51:47.0433 3480 [ 54FFC9C8898113ACE189D4AA7199D2C1 ] MpsSvc C:\Windows\system32\mpssvc.dll 19:51:47.0480 3480 MpsSvc - ok 19:51:47.0495 3480 [ DC722758B8261E1ABAFD31A3C0A66380 ] MRxDAV C:\Windows\system32\drivers\mrxdav.sys 19:51:47.0495 3480 MRxDAV - ok 19:51:47.0573 3480 [ A5D9106A73DC88564C825D317CAC68AC ] mrxsmb C:\Windows\system32\DRIVERS\mrxsmb.sys 19:51:47.0573 3480 mrxsmb - ok 19:51:47.0651 3480 [ D711B3C1D5F42C0C2415687BE09FC163 ] mrxsmb10 C:\Windows\system32\DRIVERS\mrxsmb10.sys 19:51:47.0651 3480 mrxsmb10 - ok 19:51:47.0683 3480 [ 9423E9D355C8D303E76B8CFBD8A5C30C ] mrxsmb20 C:\Windows\system32\DRIVERS\mrxsmb20.sys 19:51:47.0683 3480 mrxsmb20 - ok 19:51:47.0698 3480 [ C25F0BAFA182CBCA2DD3C851C2E75796 ] msahci C:\Windows\system32\drivers\msahci.sys 19:51:47.0698 3480 msahci - ok 19:51:47.0807 3480 [ DB801A638D011B9633829EB6F663C900 ] msdsm C:\Windows\system32\drivers\msdsm.sys 19:51:47.0807 3480 msdsm - ok 19:51:47.0839 3480 [ DE0ECE52236CFA3ED2DBFC03F28253A8 ] MSDTC C:\Windows\System32\msdtc.exe 19:51:47.0839 3480 MSDTC - ok 19:51:47.0870 3480 [ AA3FB40E17CE1388FA1BEDAB50EA8F96 ] Msfs C:\Windows\system32\drivers\Msfs.sys 19:51:47.0885 3480 Msfs - ok 19:51:47.0917 3480 [ F9D215A46A8B9753F61767FA72A20326 ] mshidkmdf C:\Windows\System32\drivers\mshidkmdf.sys 19:51:47.0917 3480 mshidkmdf - ok
nethog · 2012-Sep-6 8:03 pm
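The listing above is one TDSSKiller record per service or driver (timestamp, PID, image MD5 in brackets, name, image path, then a second timestamp with the name and "- ok"), with the line breaks added by the forum paste. As an added example that is not part of nethog's post and not TDSSKiller's own code, the Python below reassembles that flattened format into records and pulls out the three things a responder would check first: names for which TDSSKiller printed no hash or path, images that live outside C:\Windows, and one image hash shared by several service names. The sample text is copied from the log above (including one record split across a line break and the truncated last record, exactly as they appear on the page); the function names are this example's own.

```python
"""Parse a TDSSKiller service/driver listing that was flattened by a forum
paste, and pull out the records a responder would review first.
Added example; not code from the thread or from TDSSKiller itself."""
import re
from collections import defaultdict

TS = r"\d{2}:\d{2}:\d{2}\.\d{4}"
# Detail chunk:  "<ts> <pid> [ <md5> ] <name> <image path>"
DETAIL = re.compile(rf"^({TS}) (\d+) \[ ([0-9A-Fa-f]{{32}}) \] (.+)$")
# Status chunk:  "<ts> <pid> <name> - <status>"   (name may contain spaces)
STATUS = re.compile(rf"^({TS}) (\d+) (.+?) - (\S+)$")


def parse_tdss(text):
    """Return [{name, md5, path, status}, ...] from a TDSSKiller listing.

    All line breaks are ignored, so a record the paste split across lines is
    reassembled; a truncated trailing record (detail with no status) is dropped
    and any text before the first timestamp is skipped."""
    flat = " ".join(text.split())
    chunks = [c.strip() for c in re.split(rf"(?={TS} \d+ )", flat) if c.strip()]
    records, pending = [], None
    for chunk in chunks:
        m = DETAIL.match(chunk)
        if m:
            pending = (m.group(3).upper(), m.group(4))   # (md5, "name path")
            continue
        m = STATUS.match(chunk)
        if not m:
            continue                                     # preamble such as "Part 2 of TDSS log:"
        name, status = m.group(3), m.group(4)
        md5 = path = None
        if pending and pending[1].startswith(name + " "):  # pair detail with its status line
            md5, path = pending[0], pending[1][len(name) + 1:]
        pending = None
        records.append({"name": name, "md5": md5, "path": path, "status": status})
    return records


def unhashed(records):
    """Names for which TDSSKiller printed no image hash or path."""
    return [r["name"] for r in records if r["md5"] is None]


def outside_windows(records, root="c:\\windows\\"):
    """(name, path) for hashed images that are not under the Windows directory."""
    return [(r["name"], r["path"]) for r in records
            if r["path"] and not r["path"].lower().startswith(root)]


def shared_images(records):
    """md5 -> names, for hashes that back more than one service.  Several LSA
    services on one lsass.exe hash is normal; a system hash under a name you
    do not recognise is worth a closer look."""
    by_hash = defaultdict(list)
    for r in records:
        if r["md5"]:
            by_hash[r["md5"]].append(r["name"])
    return {h: n for h, n in by_hash.items() if len(n) > 1}


# Constructed sample: records copied from the posted log, including one record
# broken across a line break and the truncated final record, as on the page.
SAMPLE = r"""Part 2 of TDSS log: 19:51:40.0366 3480 [ 2641A3FE3D7B0646308F33B67F3B5300 ] btusbflt C:\Windows\system32\drivers\btusbflt.sys 19:51:40.0366 3480 btusbflt - ok 19:51:40.0382 3480 catchme - ok 19:51:39.0820 3480 [ 5C2F352A4E961D72518261257AAE204B ]
BridgeMP C:\Windows\system32\DRIVERS\bridge.sys 19:51:39.0820 3480 BridgeMP - ok 19:51:42.0769 3480 [ C118A82CD78818C29AB228366EBF81C3 ] EFS C:\Windows\System32\lsass.exe 19:51:42.0784 3480 EFS - ok 19:51:46.0216 3480 [ C118A82CD78818C29AB228366EBF81C3 ] KeyIso C:\Windows\system32\lsass.exe 19:51:46.0216 3480 KeyIso - ok 19:51:59.0539 3480 [ 9E1222C417291BC836210743624A8E5E ] Stereo Service C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe 19:51:59.0554 3480 Stereo Service - ok 19:51:59.0648 3480 [ 7785DC213270D2FC066538DAF94087E7 ] storflt"""

if __name__ == "__main__":
    recs = parse_tdss(SAMPLE)
    print(f"{len(recs)} records parsed")
    print("no hash/path:", unhashed(recs))
    print("outside C:\\Windows:", outside_windows(recs))
    print("shared image hashes:", shared_images(recs))
```

Run it against the whole pasted log (both parts joined) rather than the sample to get the full triage lists; the hash values only tell you what TDSSKiller could read from disk, so a driver whose file is hidden from the filesystem will not appear here at all, which is why the hash list is a starting point for review and not a clean bill of health.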
nethog
Member
2012-Sep-6 8:04 pm
Part 2 of TDSS log: 19:51:47.0995 3480 [ D916874BBD4F8B07BFB7FA9B3CCAE29D ] msisadrv C:\Windows\system32\drivers\msisadrv.sys 19:51:48.0010 3480 msisadrv - ok 19:51:48.0057 3480 [ 808E98FF49B155C522E6400953177B08 ] MSiSCSI C:\Windows\system32\iscsiexe.dll 19:51:48.0073 3480 MSiSCSI - ok 19:51:48.0073 3480 msiserver - ok 19:51:48.0151 3480 [ 49CCF2C4FEA34FFAD8B1B59D49439366 ] MSKSSRV C:\Windows\system32\drivers\MSKSSRV.sys 19:51:48.0151 3480 MSKSSRV - ok 19:51:48.0213 3480 [ BDD71ACE35A232104DDD349EE70E1AB3 ] MSPCLOCK C:\Windows\system32\drivers\MSPCLOCK.sys 19:51:48.0213 3480 MSPCLOCK - ok 19:51:48.0244 3480 [ 4ED981241DB27C3383D72092B618A1D0 ] MSPQM C:\Windows\system32\drivers\MSPQM.sys 19:51:48.0260 3480 MSPQM - ok 19:51:48.0322 3480 [ 759A9EEB0FA9ED79DA1FB7D4EF78866D ] MsRPC C:\Windows\system32\drivers\MsRPC.sys 19:51:48.0322 3480 MsRPC - ok 19:51:48.0353 3480 [ 0EED230E37515A0EAEE3C2E1BC97B288 ] mssmbios C:\Windows\system32\DRIVERS\mssmbios.sys 19:51:48.0369 3480 mssmbios - ok 19:51:48.0416 3480 [ 2E66F9ECB30B4221A318C92AC2250779 ] MSTEE C:\Windows\system32\drivers\MSTEE.sys 19:51:48.0416 3480 MSTEE - ok 19:51:48.0572 3480 [ 7EA404308934E675BFFDE8EDF0757BCD ] MTConfig C:\Windows\system32\drivers\MTConfig.sys 19:51:48.0572 3480 MTConfig - ok 19:51:48.0603 3480 [ F9A18612FD3526FE473C1BDA678D61C8 ] Mup C:\Windows\system32\Drivers\mup.sys 19:51:48.0619 3480 Mup - ok 19:51:49.0133 3480 [ F2840DBFE9322F35557219AE82CC4597 ] N360 C:\Program Files (x86)\Norton Security Suite\Engine\6.3.0.14\ccSvcHst.exe 19:51:49.0149 3480 N360 - ok 19:51:49.0180 3480 [ 582AC6D9873E31DFA28A4547270862DD ] napagent C:\Windows\system32\qagentRT.dll 19:51:49.0196 3480 napagent - ok 19:51:49.0243 3480 [ 1EA3749C4114DB3E3161156FFFFA6B33 ] NativeWifiP C:\Windows\system32\DRIVERS\nwifi.sys 19:51:49.0258 3480 NativeWifiP - ok 19:51:49.0367 3480 [ 149A9AD81BB327E892FA1ACB77722442 ] NAVENG 
C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20120906.018\ENG64.SYS 19:51:49.0367 3480 NAVENG - ok 19:51:49.0461 3480 [ 4AF8750E71B549FEC5F6D1D01398CA69 ] NAVEX15 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20120906.018\EX64.SYS 19:51:49.0539 3480 NAVEX15 - ok 19:51:49.0601 3480 [ 79B47FD40D9A817E932F9D26FAC0A81C ] NDIS C:\Windows\system32\drivers\ndis.sys 19:51:49.0617 3480 NDIS - ok 19:51:49.0664 3480 [ 9F9A1F53AAD7DA4D6FEF5BB73AB811AC ] NdisCap C:\Windows\system32\DRIVERS\ndiscap.sys 19:51:49.0664 3480 NdisCap - ok 19:51:49.0679 3480 [ 30639C932D9FEF22B31268FE25A1B6E5 ] NdisTapi C:\Windows\system32\DRIVERS\ndistapi.sys 19:51:49.0695 3480 NdisTapi - ok 19:51:49.0711 3480 [ 136185F9FB2CC61E573E676AA5402356 ] Ndisuio C:\Windows\system32\DRIVERS\ndisuio.sys 19:51:49.0711 3480 Ndisuio - ok 19:51:49.0726 3480 [ 53F7305169863F0A2BDDC49E116C2E11 ] NdisWan C:\Windows\system32\DRIVERS\ndiswan.sys 19:51:49.0726 3480 NdisWan - ok 19:51:49.0742 3480 [ 015C0D8E0E0421B4CFD48CFFE2825879 ] NDProxy C:\Windows\system32\drivers\NDProxy.sys 19:51:49.0742 3480 NDProxy - ok 19:51:49.0757 3480 [ 86743D9F5D2B1048062B14B1D84501C4 ] NetBIOS C:\Windows\system32\DRIVERS\netbios.sys 19:51:49.0773 3480 NetBIOS - ok 19:51:49.0789 3480 [ 09594D1089C523423B32A4229263F068 ] NetBT C:\Windows\system32\DRIVERS\netbt.sys 19:51:49.0789 3480 NetBT - ok 19:51:49.0804 3480 [ C118A82CD78818C29AB228366EBF81C3 ] Netlogon C:\Windows\system32\lsass.exe 19:51:49.0804 3480 Netlogon - ok 19:51:49.0867 3480 [ 847D3AE376C0817161A14A82C8922A9E ] Netman C:\Windows\System32\netman.dll 19:51:49.0898 3480 Netman - ok 19:51:49.0945 3480 [ 5F28111C648F1E24F7DBC87CDEB091B8 ] netprofm C:\Windows\System32\netprofm.dll 19:51:49.0976 3480 netprofm - ok 19:51:50.0023 3480 [ 3E5A36127E201DDF663176B66828FAFE ] NetTcpPortSharing C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe 
19:51:50.0038 3480 NetTcpPortSharing - ok 19:51:50.0350 3480 [ 64428DFDAF6E88366CB51F45A79C5F69 ] netw5v64 C:\Windows\system32\DRIVERS\netw5v64.sys 19:51:50.0569 3480 netw5v64 - ok 19:51:50.0615 3480 [ 77889813BE4D166CDAB78DDBA990DA92 ] nfrd960 C:\Windows\system32\drivers\nfrd960.sys 19:51:50.0615 3480 nfrd960 - ok 19:51:50.0725 3480 [ B4B153868698A6BA4ADCF6F08AA55B4F ] nicconfigsvc C:\Program Files\Dell\QuickSet\NicConfigSvc.exe 19:51:50.0740 3480 nicconfigsvc - ok 19:51:50.0787 3480 [ 1EE99A89CC788ADA662441D1E9830529 ] NlaSvc C:\Windows\System32\nlasvc.dll 19:51:50.0787 3480 NlaSvc - ok 19:51:50.0974 3480 [ 9D0F43B1D0434B44183D4795E89F6C14 ] NOF C:\Program Files (x86)\Norton Online\Engine\2.3.0.7\ccSvcHst.exe 19:51:50.0974 3480 NOF - ok 19:51:51.0037 3480 [ 1E4C4AB5C9B8DD13179BBDC75A2A01F7 ] Npfs C:\Windows\system32\drivers\Npfs.sys 19:51:51.0037 3480 Npfs - ok 19:51:51.0068 3480 [ D54BFDF3E0C953F823B3D0BFE4732528 ] nsi C:\Windows\system32\nsisvc.dll 19:51:51.0083 3480 nsi - ok 19:51:51.0099 3480 [ E7F5AE18AF4168178A642A9247C63001 ] nsiproxy C:\Windows\system32\drivers\nsiproxy.sys 19:51:51.0099 3480 nsiproxy - ok 19:51:51.0255 3480 [ A2F74975097F52A00745F9637451FDD8 ] Ntfs C:\Windows\system32\drivers\Ntfs.sys 19:51:51.0302 3480 Ntfs - ok 19:51:51.0317 3480 [ 9899284589F75FA8724FF3D16AED75C1 ] Null C:\Windows\system32\drivers\Null.sys 19:51:51.0317 3480 Null - ok 19:51:51.0629 3480 [ B15258B1F45F9571758AC6BB2F043B01 ] nvlddmkm C:\Windows\system32\DRIVERS\nvlddmkm.sys 19:51:51.0941 3480 nvlddmkm - ok 19:51:52.0456 3480 [ 0A92CB65770442ED0DC44834632F66AD ] nvraid C:\Windows\system32\drivers\nvraid.sys 19:51:52.0628 3480 nvraid - ok 19:51:52.0971 3480 [ DAB0E87525C10052BF65F06152F37E4A ] nvstor C:\Windows\system32\drivers\nvstor.sys 19:51:52.0987 3480 nvstor - ok 19:51:53.0158 3480 [ 2D7092FEC9BD2ACA199673BBA2BA9277 ] NVSvc C:\Windows\system32\nvvsvc.exe 19:51:53.0221 3480 NVSvc - ok 19:51:53.0283 3480 [ 7E22DE30E222BFDFCEC7E77032BAF3CD ] nvUpdatusService C:\Program 
Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe 19:51:53.0361 3480 nvUpdatusService - ok 19:51:53.0392 3480 [ 270D7CD42D6E3979F6DD0146650F0E05 ] nv_agp C:\Windows\system32\drivers\nv_agp.sys 19:51:53.0392 3480 nv_agp - ok 19:51:53.0455 3480 [ 44A9473D72983DD484B4F1BF0D946571 ] OEM02Dev C:\Windows\system32\DRIVERS\OEM02Dev.sys 19:51:53.0455 3480 OEM02Dev - ok 19:51:53.0470 3480 [ 766F689564BC30E5A91F8621CE65AD68 ] OEM02Vfx C:\Windows\system32\DRIVERS\OEM02Vfx.sys 19:51:53.0486 3480 OEM02Vfx - ok 19:51:53.0517 3480 [ 3589478E4B22CE21B41FA1BFC0B8B8A0 ] ohci1394 C:\Windows\system32\drivers\ohci1394.sys 19:51:53.0517 3480 ohci1394 - ok 19:51:53.0580 3480 [ 9D10F99A6712E28F8ACD5641E3A7EA6B ] ose C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE 19:51:53.0580 3480 ose - ok 19:51:53.0767 3480 [ 61BFFB5F57AD12F83AB64B7181829B34 ] osppsvc C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE 19:51:53.0907 3480 osppsvc - ok 19:51:53.0938 3480 [ 3EAC4455472CC2C97107B5291E0DCAFE ] p2pimsvc C:\Windows\system32\pnrpsvc.dll 19:51:53.0954 3480 p2pimsvc - ok 19:51:54.0001 3480 [ 927463ECB02179F88E4B9A17568C63C3 ] p2psvc C:\Windows\system32\p2psvc.dll 19:51:54.0016 3480 p2psvc - ok 19:51:54.0079 3480 [ 0086431C29C35BE1DBC43F52CC273887 ] Parport C:\Windows\system32\drivers\parport.sys 19:51:54.0079 3480 Parport - ok 19:51:54.0188 3480 [ E9766131EEADE40A27DC27D2D68FBA9C ] partmgr C:\Windows\system32\drivers\partmgr.sys 19:51:54.0188 3480 partmgr - ok 19:51:54.0219 3480 [ 3AEAA8B561E63452C655DC0584922257 ] PcaSvc C:\Windows\System32\pcasvc.dll 19:51:54.0219 3480 PcaSvc - ok 19:51:54.0235 3480 [ 94575C0571D1462A0F70BDE6BD6EE6B3 ] pci C:\Windows\system32\drivers\pci.sys 19:51:54.0250 3480 pci - ok 19:51:54.0266 3480 [ B5B8B5EF2E5CB34DF8DCF8831E3534FA ] pciide C:\Windows\system32\drivers\pciide.sys 19:51:54.0266 3480 pciide - ok 19:51:54.0297 3480 [ B2E81D4E87CE48589F98CB8C05B01F2F ] pcmcia 
C:\Windows\system32\drivers\pcmcia.sys 19:51:54.0297 3480 pcmcia - ok 19:51:54.0328 3480 [ D6B9C2E1A11A3A4B26A182FFEF18F603 ] pcw C:\Windows\system32\drivers\pcw.sys 19:51:54.0328 3480 pcw - ok 19:51:54.0360 3480 [ 68769C3356B3BE5D1C732C97B9A80D6E ] PEAUTH C:\Windows\system32\drivers\peauth.sys 19:51:54.0360 3480 PEAUTH - ok 19:51:54.0516 3480 [ B9B0A4299DD2D76A4243F75FD54DC680 ] PeerDistSvc C:\Windows\system32\peerdistsvc.dll 19:51:54.0578 3480 PeerDistSvc - ok 19:51:54.0656 3480 [ E495E408C93141E8FC72DC0C6046DDFA ] PerfHost C:\Windows\SysWow64\perfhost.exe 19:51:54.0656 3480 PerfHost - ok 19:51:54.0718 3480 [ C7CF6A6E137463219E1259E3F0F0DD6C ] pla C:\Windows\system32\pla.dll 19:51:54.0765 3480 pla - ok 19:51:54.0843 3480 [ 25FBDEF06C4D92815B353F6E792C8129 ] PlugPlay C:\Windows\system32\umpnpmgr.dll 19:51:54.0874 3480 PlugPlay - ok 19:51:54.0952 3480 PnkBstrA - ok 19:51:54.0984 3480 [ 7195581CEC9BB7D12ABE54036ACC2E38 ] PNRPAutoReg C:\Windows\system32\pnrpauto.dll 19:51:54.0984 3480 PNRPAutoReg - ok 19:51:54.0999 3480 [ 3EAC4455472CC2C97107B5291E0DCAFE ] PNRPsvc C:\Windows\system32\pnrpsvc.dll 19:51:55.0015 3480 PNRPsvc - ok 19:51:55.0062 3480 [ 33328FA8A580885AB0065BE6DB266E9F ] Point64 C:\Windows\system32\DRIVERS\point64.sys 19:51:55.0062 3480 Point64 - ok 19:51:55.0108 3480 [ 4F15D75ADF6156BF56ECED6D4A55C389 ] PolicyAgent C:\Windows\System32\ipsecsvc.dll 19:51:55.0171 3480 PolicyAgent - ok 19:51:55.0218 3480 [ 6BA9D927DDED70BD1A9CADED45F8B184 ] Power C:\Windows\system32\umpo.dll 19:51:55.0218 3480 Power - ok 19:51:55.0358 3480 [ F92A2C41117A11A00BE01CA01A7FCDE9 ] PptpMiniport C:\Windows\system32\DRIVERS\raspptp.sys 19:51:55.0358 3480 PptpMiniport - ok 19:51:55.0389 3480 [ 0D922E23C041EFB1C3FAC2A6F943C9BF ] Processor C:\Windows\system32\drivers\processr.sys 19:51:55.0389 3480 Processor - ok 19:51:55.0452 3480 [ 53E83F1F6CF9D62F32801CF66D8352A8 ] ProfSvc C:\Windows\system32\profsvc.dll 19:51:55.0467 3480 ProfSvc - ok 19:51:55.0483 3480 [ 
C118A82CD78818C29AB228366EBF81C3 ] ProtectedStorage C:\Windows\system32\lsass.exe 19:51:55.0483 3480 ProtectedStorage - ok 19:51:55.0498 3480 [ 0557CF5A2556BD58E26384169D72438D ] Psched C:\Windows\system32\DRIVERS\pacer.sys 19:51:55.0498 3480 Psched - ok 19:51:55.0545 3480 [ A53A15A11EBFD21077463EE2C7AFEEF0 ] ql2300 C:\Windows\system32\drivers\ql2300.sys 19:51:55.0608 3480 ql2300 - ok 19:51:55.0654 3480 [ 4F6D12B51DE1AAEFF7DC58C4D75423C8 ] ql40xx C:\Windows\system32\drivers\ql40xx.sys 19:51:55.0670 3480 ql40xx - ok 19:51:55.0701 3480 [ 906191634E99AEA92C4816150BDA3732 ] QWAVE C:\Windows\system32\qwave.dll 19:51:55.0717 3480 QWAVE - ok 19:51:55.0732 3480 [ 76707BB36430888D9CE9D705398ADB6C ] QWAVEdrv C:\Windows\system32\drivers\qwavedrv.sys 19:51:55.0732 3480 QWAVEdrv - ok 19:51:55.0748 3480 [ 5A0DA8AD5762FA2D91678A8A01311704 ] RasAcd C:\Windows\system32\DRIVERS\rasacd.sys 19:51:55.0748 3480 RasAcd - ok 19:51:55.0810 3480 [ 7ECFF9B22276B73F43A99A15A6094E90 ] RasAgileVpn C:\Windows\system32\DRIVERS\AgileVpn.sys 19:51:55.0810 3480 RasAgileVpn - ok 19:51:55.0904 3480 [ 8F26510C5383B8DBE976DE1CD00FC8C7 ] RasAuto C:\Windows\System32\rasauto.dll 19:51:55.0904 3480 RasAuto - ok 19:51:55.0966 3480 [ 471815800AE33E6F1C32FB1B97C490CA ] Rasl2tp C:\Windows\system32\DRIVERS\rasl2tp.sys 19:51:55.0982 3480 Rasl2tp - ok 19:51:56.0060 3480 [ EE867A0870FC9E4972BA9EAAD35651E2 ] RasMan C:\Windows\System32\rasmans.dll 19:51:56.0091 3480 RasMan - ok 19:51:56.0169 3480 [ 855C9B1CD4756C5E9A2AA58A15F58C25 ] RasPppoe C:\Windows\system32\DRIVERS\raspppoe.sys 19:51:56.0169 3480 RasPppoe - ok 19:51:56.0278 3480 [ E8B1E447B008D07FF47D016C2B0EEECB ] RasSstp C:\Windows\system32\DRIVERS\rassstp.sys 19:51:56.0294 3480 RasSstp - ok 19:51:56.0356 3480 [ 77F665941019A1594D887A74F301FA2F ] rdbss C:\Windows\system32\DRIVERS\rdbss.sys 19:51:56.0356 3480 rdbss - ok 19:51:56.0403 3480 [ 302DA2A0539F2CF54D7C6CC30C1F2D8D ] rdpbus C:\Windows\system32\DRIVERS\rdpbus.sys 19:51:56.0403 3480 rdpbus - ok 
19:51:56.0419 3480 [ CEA6CC257FC9B7715F1C2B4849286D24 ] RDPCDD C:\Windows\system32\DRIVERS\RDPCDD.sys 19:51:56.0419 3480 RDPCDD - ok 19:51:56.0450 3480 [ 1B6163C503398B23FF8B939C67747683 ] RDPDR C:\Windows\system32\drivers\rdpdr.sys 19:51:56.0450 3480 RDPDR - ok 19:51:56.0466 3480 [ BB5971A4F00659529A5C44831AF22365 ] RDPENCDD C:\Windows\system32\drivers\rdpencdd.sys 19:51:56.0466 3480 RDPENCDD - ok 19:51:56.0481 3480 [ 216F3FA57533D98E1F74DED70113177A ] RDPREFMP C:\Windows\system32\drivers\rdprefmp.sys 19:51:56.0481 3480 RDPREFMP - ok 19:51:56.0544 3480 [ 70CBA1A0C98600A2AA1863479B35CB90 ] RdpVideoMiniport C:\Windows\system32\drivers\rdpvideominiport.sys 19:51:56.0544 3480 RdpVideoMiniport - ok 19:51:56.0606 3480 [ E61608AA35E98999AF9AAEEEA6114B0A ] RDPWD C:\Windows\system32\drivers\RDPWD.sys 19:51:56.0606 3480 RDPWD - ok 19:51:56.0653 3480 [ 34ED295FA0121C241BFEF24764FC4520 ] rdyboost C:\Windows\system32\drivers\rdyboost.sys 19:51:56.0653 3480 rdyboost - ok 19:51:56.0700 3480 [ 254FB7A22D74E5511C73A3F6D802F192 ] RemoteAccess C:\Windows\System32\mprdim.dll 19:51:56.0715 3480 RemoteAccess - ok 19:51:56.0746 3480 [ E4D94F24081440B5FC5AA556C7C62702 ] RemoteRegistry C:\Windows\system32\regsvc.dll 19:51:56.0746 3480 RemoteRegistry - ok 19:51:56.0871 3480 [ 3DD798846E2C28102B922C56E71B7932 ] RFCOMM C:\Windows\system32\DRIVERS\rfcomm.sys 19:51:56.0871 3480 RFCOMM - ok 19:51:56.0902 3480 [ 6FAF5B04BEDC66D300D9D233B2D222F0 ] rimmptsk C:\Windows\system32\DRIVERS\rimmpx64.sys 19:51:56.0949 3480 rimmptsk - ok 19:51:56.0980 3480 [ 67F50C31713106FD1B0F286F86AA2B2E ] rimsptsk C:\Windows\system32\DRIVERS\rimspx64.sys 19:51:56.0980 3480 rimsptsk - ok 19:51:56.0996 3480 [ 4D7EF3D46346EC4C58784DB964B365DE ] rismxdp C:\Windows\system32\DRIVERS\rixdpx64.sys 19:51:56.0996 3480 rismxdp - ok 19:51:57.0027 3480 [ E4DC58CF7B3EA515AE917FF0D402A7BB ] RpcEptMapper C:\Windows\System32\RpcEpMap.dll 19:51:57.0027 3480 RpcEptMapper - ok 19:51:57.0058 3480 [ D5BA242D4CF8E384DB90E6A8ED850B8C ] 
RpcLocator C:\Windows\system32\locator.exe
19:51:57.0058 3480 RpcLocator - ok
19:51:57.0090 3480 [ 5C627D1B1138676C0A7AB2C2C190D123 ] RpcSs C:\Windows\System32\rpcss.dll
19:51:57.0090 3480 RpcSs - ok
19:51:57.0136 3480 [ DDC86E4F8E7456261E637E3552E804FF ] rspndr C:\Windows\system32\DRIVERS\rspndr.sys
19:51:57.0136 3480 rspndr - ok
19:51:57.0168 3480 [ E60C0A09F997826C7627B244195AB581 ] s3cap C:\Windows\system32\drivers\vms3cap.sys
19:51:57.0168 3480 s3cap - ok
19:51:57.0183 3480 [ C118A82CD78818C29AB228366EBF81C3 ] SamSs C:\Windows\system32\lsass.exe
19:51:57.0183 3480 SamSs - ok
19:51:57.0183 3480 [ AC03AF3329579FFFB455AA2DAABBE22B ] sbp2port C:\Windows\system32\drivers\sbp2port.sys
19:51:57.0199 3480 sbp2port - ok
19:51:57.0230 3480 [ 9B7395789E3791A3B6D000FE6F8B131E ] SCardSvr C:\Windows\System32\SCardSvr.dll
19:51:57.0230 3480 SCardSvr - ok
19:51:57.0324 3480 [ 253F38D0D7074C02FF8DEB9836C97D2B ] scfilter C:\Windows\system32\DRIVERS\scfilter.sys
19:51:57.0324 3480 scfilter - ok
19:51:57.0370 3480 [ 262F6592C3299C005FD6BEC90FC4463A ] Schedule C:\Windows\system32\schedsvc.dll
19:51:57.0433 3480 Schedule - ok
19:51:57.0448 3480 [ F17D1D393BBC69C5322FBFAFACA28C7F ] SCPolicySvc C:\Windows\System32\certprop.dll
19:51:57.0448 3480 SCPolicySvc - ok
19:51:57.0480 3480 [ 111E0EBC0AD79CB0FA014B907B231CF0 ] sdbus C:\Windows\system32\DRIVERS\sdbus.sys
19:51:57.0480 3480 sdbus - ok
19:51:57.0526 3480 [ 6EA4234DC55346E0709560FE7C2C1972 ] SDRSVC C:\Windows\System32\SDRSVC.dll
19:51:57.0526 3480 SDRSVC - ok
19:51:57.0558 3480 [ 3EA8A16169C26AFBEB544E0E48421186 ] secdrv C:\Windows\system32\drivers\secdrv.sys
19:51:57.0558 3480 secdrv - ok
19:51:57.0573 3480 [ BC617A4E1B4FA8DF523A061739A0BD87 ] seclogon C:\Windows\system32\seclogon.dll
19:51:57.0573 3480 seclogon - ok
19:51:57.0604 3480 [ C32AB8FA018EF34C0F113BD501436D21 ] SENS C:\Windows\system32\sens.dll
19:51:57.0604 3480 SENS - ok
19:51:57.0620 3480 [ 0336CFFAFAAB87A11541F1CF1594B2B2 ] SensrSvc C:\Windows\system32\sensrsvc.dll
19:51:57.0620 3480 SensrSvc - ok
19:51:57.0636 3480 [ CB624C0035412AF0DEBEC78C41F5CA1B ] Serenum C:\Windows\system32\drivers\serenum.sys
19:51:57.0636 3480 Serenum - ok
19:51:57.0667 3480 [ C1D8E28B2C2ADFAEC4BA89E9FDA69BD6 ] Serial C:\Windows\system32\drivers\serial.sys
19:51:57.0667 3480 Serial - ok
19:51:57.0682 3480 [ 1C545A7D0691CC4A027396535691C3E3 ] sermouse C:\Windows\system32\drivers\sermouse.sys
19:51:57.0682 3480 sermouse - ok
19:51:57.0714 3480 [ 0B6231BF38174A1628C4AC812CC75804 ] SessionEnv C:\Windows\system32\sessenv.dll
19:51:57.0714 3480 SessionEnv - ok
19:51:57.0729 3480 [ A554811BCD09279536440C964AE35BBF ] sffdisk C:\Windows\system32\drivers\sffdisk.sys
19:51:57.0745 3480 sffdisk - ok
19:51:57.0760 3480 [ FF414F0BAEFEBA59BC6C04B3DB0B87BF ] sffp_mmc C:\Windows\system32\drivers\sffp_mmc.sys
19:51:57.0760 3480 sffp_mmc - ok
19:51:57.0776 3480 [ DD85B78243A19B59F0637DCF284DA63C ] sffp_sd C:\Windows\system32\drivers\sffp_sd.sys
19:51:57.0776 3480 sffp_sd - ok
19:51:57.0792 3480 [ A9D601643A1647211A1EE2EC4E433FF4 ] sfloppy C:\Windows\system32\drivers\sfloppy.sys
19:51:57.0792 3480 sfloppy - ok
19:51:57.0979 3480 [ B95F6501A2F8B2E78C697FEC401970CE ] SharedAccess C:\Windows\System32\ipnathlp.dll
19:51:57.0979 3480 SharedAccess - ok
19:51:58.0041 3480 [ AAF932B4011D14052955D4B212A4DA8D ] ShellHWDetection C:\Windows\System32\shsvcs.dll
19:51:58.0057 3480 ShellHWDetection - ok
19:51:58.0166 3480 [ 843CAF1E5FDE1FFD5FF768F23A51E2E1 ] SiSRaid2 C:\Windows\system32\drivers\SiSRaid2.sys
19:51:58.0166 3480 SiSRaid2 - ok
19:51:58.0260 3480 [ 6A6C106D42E9FFFF8B9FCB4F754F6DA4 ] SiSRaid4 C:\Windows\system32\drivers\sisraid4.sys
19:51:58.0260 3480 SiSRaid4 - ok
19:51:58.0306 3480 [ 548260A7B8654E024DC30BF8A7C5BAA4 ] Smb C:\Windows\system32\DRIVERS\smb.sys
19:51:58.0322 3480 Smb - ok
19:51:58.0384 3480 [ 6313F223E817CC09AA41811DAA7F541D ] SNMPTRAP C:\Windows\System32\snmptrap.exe
19:51:58.0384 3480 SNMPTRAP - ok
19:51:58.0400 3480 [ B9E31E5CACDFE584F34F730A677803F9 ] spldr C:\Windows\system32\drivers\spldr.sys
19:51:58.0400 3480 spldr - ok
19:51:58.0447 3480 [ B96C17B5DC1424D56EEA3A99E97428CD ] Spooler C:\Windows\System32\spoolsv.exe
19:51:58.0447 3480 Spooler - ok
19:51:58.0696 3480 [ E17E0188BB90FAE42D83E98707EFA59C ] sppsvc C:\Windows\system32\sppsvc.exe
19:51:58.0774 3480 sppsvc - ok
19:51:58.0790 3480 [ 93D7D61317F3D4BC4F4E9F8A96A7DE45 ] sppuinotify C:\Windows\system32\sppuinotify.dll
19:51:58.0806 3480 sppuinotify - ok
19:51:58.0977 3480 [ 891793E00432FA055CF040605C260E49 ] SRTSP C:\Windows\System32\Drivers\N360x64\0603000.00E\SRTSP64.SYS
19:51:59.0008 3480 SRTSP - ok
19:51:59.0133 3480 [ 1CB7BB3B0561FB5ECFE37F7731E8BF3E ] SRTSPX C:\Windows\system32\drivers\N360x64\0603000.00E\SRTSPX64.SYS
19:51:59.0133 3480 SRTSPX - ok
19:51:59.0196 3480 [ 441FBA48BFF01FDB9D5969EBC1838F0B ] srv C:\Windows\system32\DRIVERS\srv.sys
19:51:59.0211 3480 srv - ok
19:51:59.0227 3480 [ B4ADEBBF5E3677CCE9651E0F01F7CC28 ] srv2 C:\Windows\system32\DRIVERS\srv2.sys
19:51:59.0242 3480 srv2 - ok
19:51:59.0258 3480 [ 27E461F0BE5BFF5FC737328F749538C3 ] srvnet C:\Windows\system32\DRIVERS\srvnet.sys
19:51:59.0258 3480 srvnet - ok
19:51:59.0305 3480 [ 51B52FBD583CDE8AA9BA62B8B4298F33 ] SSDPSRV C:\Windows\System32\ssdpsrv.dll
19:51:59.0305 3480 SSDPSRV - ok
19:51:59.0320 3480 [ AB7AEBF58DAD8DAAB7A6C45E6A8885CB ] SstpSvc C:\Windows\system32\sstpsvc.dll
19:51:59.0320 3480 SstpSvc - ok
19:51:59.0367 3480 Steam Client Service - ok
19:51:59.0539 3480 [ 9E1222C417291BC836210743624A8E5E ] Stereo Service C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
19:51:59.0554 3480 Stereo Service - ok
19:51:59.0570 3480 [ F3817967ED533D08327DC73BC4D5542A ] stexstor C:\Windows\system32\drivers\stexstor.sys
19:51:59.0586 3480 stexstor - ok
19:51:59.0617 3480 [ 8DD52E8E6128F4B2DA92CE27402871C1 ] stisvc C:\Windows\System32\wiaservc.dll
19:51:59.0617 3480 stisvc - ok
19:51:59.0648 3480 [ 7785DC213270D2FC066538DAF94087E7 ] storflt C:\Windows\system32\drivers\vmstorfl.sys
19:51:59.0648 3480 storflt - ok
19:51:59.0679 3480 [ D34E4943D5AC096C8EDEEBFD80D76E23 ] storvsc C:\Windows\system32\drivers\storvsc.sys
19:51:59.0695 3480 storvsc - ok
19:51:59.0695 3480 [ D01EC09B6711A5F8E7E6564A4D0FBC90 ] swenum C:\Windows\system32\DRIVERS\swenum.sys
19:51:59.0695 3480 swenum - ok
19:51:59.0742 3480 [ E08E46FDD841B7184194011CA1955A0B ] swprv C:\Windows\System32\swprv.dll
19:51:59.0742 3480 swprv - ok
19:51:59.0866 3480 [ 8B2430762099598DA40686F754632EFD ] SymDS C:\Windows\system32\drivers\N360x64\0603000.00E\SYMDS64.SYS
19:51:59.0866 3480 SymDS - ok
19:52:00.0241 3480 [ 5CB7F2FD7E30A0F52F93574BFC3A8041 ] SymEFA C:\Windows\system32\drivers\N360x64\0603000.00E\SYMEFA64.SYS
19:52:00.0272 3480 SymEFA - ok
19:52:00.0444 3480 [ 898BB48C797483420DF523B2BBC1ECDB ] SymEvent C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
19:52:00.0444 3480 SymEvent - ok
19:52:00.0506 3480 [ 5013A76CAAA1D7CF1C55214B490B4E35 ] SymIRON C:\Windows\system32\drivers\N360x64\0603000.00E\Ironx64.SYS
19:52:00.0522 3480 SymIRON - ok
19:52:00.0600 3480 [ 3911BD0E68C010E5438A87706ABBE9AB ] SymNetS C:\Windows\System32\Drivers\N360x64\0603000.00E\SYMNETS.SYS
19:52:00.0600 3480 SymNetS - ok
19:52:00.0740 3480 [ C21550B1D42A39B3A6D128729A9EBDD6 ] SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A} C:\Windows\system32\drivers\NSMx64\0203000.01A\SymRdrS.SYS
19:52:00.0740 3480 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A} - ok
19:52:00.0787 3480 [ C3A39C4079305480972D29C44B868C78 ] Synth3dVsc C:\Windows\system32\drivers\synth3dvsc.sys
19:52:00.0787 3480 Synth3dVsc - ok
19:52:00.0834 3480 [ B2A7D0790246E6FCDBDD256C4FCC4975 ] SynTP C:\Windows\system32\DRIVERS\SynTP.sys
19:52:00.0834 3480 SynTP - ok
19:52:00.0912 3480 [ BF9CCC0BF39B418C8D0AE8B05CF95B7D ] SysMain C:\Windows\system32\sysmain.dll
19:52:00.0958 3480 SysMain - ok
19:52:00.0974 3480 [ E3C61FD7B7C2557E1F1B0B4CEC713585 ] TabletInputService C:\Windows\System32\TabSvc.dll
19:52:00.0974 3480 TabletInputService - ok
19:52:00.0990 3480 [ 40F0849F65D13EE87B9A9AE3C1DD6823 ] TapiSrv C:\Windows\System32\tapisrv.dll
19:52:01.0005 3480 TapiSrv - ok
19:52:01.0021 3480 [ 1BE03AC720F4D302EA01D40F588162F6 ] TBS C:\Windows\System32\tbssvc.dll
19:52:01.0021 3480 TBS - ok
19:52:01.0114 3480 [ ACB82BDA8F46C84F465C1AFA517DC4B9 ] Tcpip C:\Windows\system32\drivers\tcpip.sys
19:52:01.0177 3480 Tcpip - ok
19:52:01.0255 3480 [ ACB82BDA8F46C84F465C1AFA517DC4B9 ] TCPIP6 C:\Windows\system32\DRIVERS\tcpip.sys
19:52:01.0270 3480 TCPIP6 - ok
19:52:01.0302 3480 [ DF687E3D8836BFB04FCC0615BF15A519 ] tcpipreg C:\Windows\system32\drivers\tcpipreg.sys
19:52:01.0302 3480 tcpipreg - ok
19:52:01.0317 3480 [ 3371D21011695B16333A3934340C4E7C ] TDPIPE C:\Windows\system32\drivers\tdpipe.sys
19:52:01.0317 3480 TDPIPE - ok
19:52:01.0442 3480 [ 51C5ECEB1CDEE2468A1748BE550CFBC8 ] TDTCP C:\Windows\system32\drivers\tdtcp.sys
19:52:01.0442 3480 TDTCP - ok
19:52:01.0473 3480 [ DDAD5A7AB24D8B65F8D724F5C20FD806 ] tdx C:\Windows\system32\DRIVERS\tdx.sys
19:52:01.0473 3480 tdx - ok
19:52:01.0504 3480 [ 561E7E1F06895D78DE991E01DD0FB6E5 ] TermDD C:\Windows\system32\DRIVERS\termdd.sys
19:52:01.0504 3480 TermDD - ok
19:52:01.0536 3480 [ 2B5BDFF688EC9871D7EC5837833374E9 ] terminpt C:\Windows\system32\drivers\terminpt.sys
19:52:01.0536 3480 terminpt - ok
19:52:01.0582 3480 [ 2E648163254233755035B46DD7B89123 ] TermService C:\Windows\System32\termsrv.dll
19:52:01.0582 3480 TermService - ok
19:52:01.0614 3480 [ F0344071948D1A1FA732231785A0664C ] Themes C:\Windows\system32\themeservice.dll
19:52:01.0614 3480 Themes - ok
19:52:01.0645 3480 [ E40E80D0304A73E8D269F7141D77250B ] THREADORDER C:\Windows\system32\mmcss.dll
19:52:01.0645 3480 THREADORDER - ok
19:52:01.0660 3480 [ 7E7AFD841694F6AC397E99D75CEAD49D ] TrkWks C:\Windows\System32\trkwks.dll
19:52:01.0676 3480 TrkWks - ok
19:52:01.0723 3480 [ 773212B2AAA24C1E31F10246B15B276C ] TrustedInstaller C:\Windows\servicing\TrustedInstaller.exe
19:52:01.0723 3480 TrustedInstaller - ok
19:52:01.0770 3480 [ CE18B2CDFC837C99E5FAE9CA6CBA5D30 ] tssecsrv C:\Windows\system32\DRIVERS\tssecsrv.sys
19:52:01.0770 3480 tssecsrv - ok
19:52:01.0801 3480 [ D11C783E3EF9A3C52C0EBE83CC5000E9 ] TsUsbFlt C:\Windows\system32\drivers\tsusbflt.sys
19:52:01.0801 3480 TsUsbFlt - ok
19:52:01.0832 3480 [ 9CC2CCAE8A84820EAECB886D477CBCB8 ] TsUsbGD C:\Windows\system32\drivers\TsUsbGD.sys
19:52:01.0832 3480 TsUsbGD - ok
19:52:01.0863 3480 [ E1748D04AE40118B62BC18AC86032192 ] tsusbhub C:\Windows\system32\drivers\tsusbhub.sys
19:52:01.0879 3480 tsusbhub - ok
19:52:01.0988 3480 [ 3566A8DAAFA27AF944F5D705EAA64894 ] tunnel C:\Windows\system32\DRIVERS\tunnel.sys
19:52:01.0988 3480 tunnel - ok
19:52:02.0050 3480 [ B4DD609BD7E282BFC683CEC7EAAAAD67 ] uagp35 C:\Windows\system32\drivers\uagp35.sys
19:52:02.0050 3480 uagp35 - ok
19:52:02.0238 3480 [ FF4232A1A64012BAA1FD97C7B67DF593 ] udfs C:\Windows\system32\DRIVERS\udfs.sys
19:52:02.0253 3480 udfs - ok
19:52:02.0300 3480 [ 3CBDEC8D06B9968ABA702EBA076364A1 ] UI0Detect C:\Windows\system32\UI0Detect.exe
19:52:02.0300 3480 UI0Detect - ok
19:52:02.0331 3480 [ 4BFE1BC28391222894CBF1E7D0E42320 ] uliagpkx C:\Windows\system32\drivers\uliagpkx.sys
19:52:02.0331 3480 uliagpkx - ok
19:52:02.0362 3480 [ DC54A574663A895C8763AF0FA1FF7561 ] umbus C:\Windows\system32\DRIVERS\umbus.sys
19:52:02.0362 3480 umbus - ok
19:52:02.0378 3480 [ B2E8E8CB557B156DA5493BBDDCC1474D ] UmPass C:\Windows\system32\drivers\umpass.sys
19:52:02.0378 3480 UmPass - ok
19:52:02.0425 3480 [ A293DCD756D04D8492A750D03B9A297C ] UmRdpService C:\Windows\System32\umrdp.dll
19:52:02.0425 3480 UmRdpService - ok
19:52:02.0550 3480 [ D47EC6A8E81633DD18D2436B19BAF6DE ] upnphost C:\Windows\System32\upnphost.dll
19:52:02.0550 3480 upnphost - ok
19:52:02.0612 3480 [ 6F1A3157A1C89435352CEB543CDB359C ] usbccgp C:\Windows\system32\DRIVERS\usbccgp.sys
19:52:02.0628 3480 usbccgp - ok
19:52:02.0659 3480 [ AF0892A803FDDA7492F595368E3B68E7 ] usbcir C:\Windows\system32\drivers\usbcir.sys
19:52:02.0674 3480 usbcir - ok
19:52:02.0737 3480 [ C025055FE7B87701EB042095DF1A2D7B ] usbehci C:\Windows\system32\DRIVERS\usbehci.sys
19:52:02.0737 3480 usbehci - ok
19:52:02.0830 3480 [ 287C6C9410B111B68B52CA298F7B8C24 ] usbhub C:\Windows\system32\DRIVERS\usbhub.sys
19:52:02.0830 3480 usbhub - ok
19:52:02.0846 3480 [ 9840FC418B4CBD632D3D0A667A725C31 ] usbohci C:\Windows\system32\drivers\usbohci.sys
19:52:02.0846 3480 usbohci - ok
19:52:02.0862 3480 [ 73188F58FB384E75C4063D29413CEE3D ] usbprint C:\Windows\system32\drivers\usbprint.sys
19:52:02.0862 3480 usbprint - ok
19:52:02.0908 3480 [ FED648B01349A3C8395A5169DB5FB7D6 ] USBSTOR C:\Windows\system32\DRIVERS\USBSTOR.SYS
19:52:02.0908 3480 USBSTOR - ok
19:52:02.0940 3480 [ 62069A34518BCF9C1FD9E74B3F6DB7CD ] usbuhci C:\Windows\system32\DRIVERS\usbuhci.sys
19:52:02.0940 3480 usbuhci - ok
19:52:02.0986 3480 [ 454800C2BC7F3927CE030141EE4F4C50 ] usbvideo C:\Windows\system32\Drivers\usbvideo.sys
19:52:02.0986 3480 usbvideo - ok
19:52:03.0018 3480 [ EDBB23CBCF2CDF727D64FF9B51A6070E ] UxSms C:\Windows\System32\uxsms.dll
19:52:03.0018 3480 UxSms - ok
19:52:03.0033 3480 [ C118A82CD78818C29AB228366EBF81C3 ] VaultSvc C:\Windows\system32\lsass.exe
19:52:03.0033 3480 VaultSvc - ok
19:52:03.0080 3480 [ C5C876CCFC083FF3B128F933823E87BD ] vdrvroot C:\Windows\system32\drivers\vdrvroot.sys
19:52:03.0080 3480 vdrvroot - ok
19:52:03.0236 3480 [ 8D6B481601D01A456E75C3210F1830BE ] vds C:\Windows\System32\vds.exe
19:52:03.0252 3480 vds - ok
19:52:03.0283 3480 [ DA4DA3F5E02943C2DC8C6ED875DE68DD ] vga C:\Windows\system32\DRIVERS\vgapnp.sys
19:52:03.0283 3480 vga - ok
19:52:03.0314 3480 [ 53E92A310193CB3C03BEA963DE7D9CFC ] VgaSave C:\Windows\System32\drivers\vga.sys
19:52:03.0314 3480 VgaSave - ok
19:52:03.0314 3480 VGPU - ok
19:52:03.0345 3480 [ 2CE2DF28C83AEAF30084E1B1EB253CBB ] vhdmp C:\Windows\system32\drivers\vhdmp.sys
19:52:03.0345 3480 vhdmp - ok
19:52:03.0361 3480 [ E5689D93FFE4E5D66C0178761240DD54 ] viaide C:\Windows\system32\drivers\viaide.sys
19:52:03.0361 3480 viaide - ok
19:52:03.0408 3480 [ 86EA3E79AE350FEA5331A1303054005F ] vmbus C:\Windows\system32\drivers\vmbus.sys
19:52:03.0408 3480 vmbus - ok
19:52:03.0439 3480 [ 7DE90B48F210D29649380545DB45A187 ] VMBusHID C:\Windows\system32\drivers\VMBusHID.sys
19:52:03.0439 3480 VMBusHID - ok
19:52:03.0454 3480 [ D2AAFD421940F640B407AEFAAEBD91B0 ] volmgr C:\Windows\system32\drivers\volmgr.sys
19:52:03.0454 3480 volmgr - ok
19:52:03.0486 3480 [ A255814907C89BE58B79EF2F189B843B ] volmgrx C:\Windows\system32\drivers\volmgrx.sys
19:52:03.0486 3480 volmgrx - ok
19:52:03.0501 3480 [ 0D08D2F3B3FF84E433346669B5E0F639 ] volsnap C:\Windows\system32\drivers\volsnap.sys
19:52:03.0517 3480 volsnap - ok
19:52:03.0532 3480 [ 5E2016EA6EBACA03C04FEAC5F330D997 ] vsmraid C:\Windows\system32\drivers\vsmraid.sys
19:52:03.0548 3480 vsmraid - ok
19:52:03.0595 3480 [ B60BA0BC31B0CB414593E169F6F21CC2 ] VSS C:\Windows\system32\vssvc.exe
19:52:03.0657 3480 VSS - ok
19:52:03.0673 3480 [ 36D4720B72B5C5D9CB2B9C29E9DF67A1 ] vwifibus C:\Windows\system32\DRIVERS\vwifibus.sys
19:52:03.0688 3480 vwifibus - ok
19:52:03.0735 3480 [ 6A3D66263414FF0D6FA754C646612F3F ] vwififlt C:\Windows\system32\DRIVERS\vwififlt.sys
19:52:03.0735 3480 vwififlt - ok
19:52:03.0751 3480 [ 1C9D80CC3849B3788048078C26486E1A ] W32Time C:\Windows\system32\w32time.dll
19:52:03.0751 3480 W32Time - ok
19:52:03.0782 3480 [ 4E9440F4F152A7B944CB1663D3935A3E ] WacomPen C:\Windows\system32\drivers\wacompen.sys
19:52:03.0782 3480 WacomPen - ok
19:52:03.0813 3480 [ 356AFD78A6ED4457169241AC3965230C ] WANARP C:\Windows\system32\DRIVERS\wanarp.sys
19:52:03.0813 3480 WANARP - ok
19:52:03.0829 3480 [ 356AFD78A6ED4457169241AC3965230C ] Wanarpv6 C:\Windows\system32\DRIVERS\wanarp.sys
19:52:03.0829 3480 Wanarpv6 - ok
19:52:04.0078 3480 [ 3CEC96DE223E49EAAE3651FCF8FAEA6C ] WatAdminSvc C:\Windows\system32\Wat\WatAdminSvc.exe
19:52:04.0188 3480 WatAdminSvc - ok
19:52:04.0500 3480 [ 78F4E7F5C56CB9716238EB57DA4B6A75 ] wbengine C:\Windows\system32\wbengine.exe
19:52:04.0562 3480 wbengine - ok
19:52:04.0656 3480 [ 3AA101E8EDAB2DB4131333F4325C76A3 ] WbioSrvc C:\Windows\System32\wbiosrvc.dll
19:52:04.0671 3480 WbioSrvc - ok
19:52:04.0702 3480 [ 7368A2AFD46E5A4481D1DE9D14848EDD ] wcncsvc C:\Windows\System32\wcncsvc.dll
19:52:04.0702 3480 wcncsvc - ok
19:52:04.0718 3480 [ 20F7441334B18CEE52027661DF4A6129 ] WcsPlugInService C:\Windows\System32\WcsPlugInService.dll
19:52:04.0718 3480 WcsPlugInService - ok
19:52:04.0749 3480 [ 72889E16FF12BA0F235467D6091B17DC ] Wd C:\Windows\system32\drivers\wd.sys
19:52:04.0749 3480 Wd - ok
19:52:04.0780 3480 [ 441BD2D7B4F98134C3A4F9FA570FD250 ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
19:52:04.0796 3480 Wdf01000 - ok
19:52:04.0812 3480 [ BF1FC3F79B863C914687A737C2F3D681 ] WdiServiceHost C:\Windows\system32\wdi.dll
19:52:04.0812 3480 WdiServiceHost - ok
19:52:04.0812 3480 [ BF1FC3F79B863C914687A737C2F3D681 ] WdiSystemHost C:\Windows\system32\wdi.dll
19:52:04.0827 3480 WdiSystemHost - ok
19:52:04.0843 3480 [ 3DB6D04E1C64272F8B14EB8BC4616280 ] WebClient C:\Windows\System32\webclnt.dll
19:52:04.0843 3480 WebClient - ok
19:52:04.0874 3480 [ C749025A679C5103E575E3B48E092C43 ] Wecsvc C:\Windows\system32\wecsvc.dll
19:52:04.0874 3480 Wecsvc - ok
19:52:04.0890 3480 [ 7E591867422DC788B9E5BD337A669A08 ] wercplsupport C:\Windows\System32\wercplsupport.dll
19:52:04.0890 3480 wercplsupport - ok
19:52:04.0921 3480 [ 6D137963730144698CBD10F202E9F251 ] WerSvc C:\Windows\System32\WerSvc.dll
19:52:04.0921 3480 WerSvc - ok
19:52:04.0968 3480 [ 611B23304BF067451A9FDEE01FBDD725 ] WfpLwf C:\Windows\system32\DRIVERS\wfplwf.sys
19:52:04.0968 3480 WfpLwf - ok
19:52:04.0999 3480 [ 05ECAEC3E4529A7153B3136CEB49F0EC ] WIMMount C:\Windows\system32\drivers\wimmount.sys
19:52:04.0999 3480 WIMMount - ok
19:52:05.0030 3480 WinDefend - ok
19:52:05.0030 3480 WinHttpAutoProxySvc - ok
19:52:05.0092 3480 [ 19B07E7E8915D701225DA41CB3877306 ] Winmgmt C:\Windows\system32\wbem\WMIsvc.dll
19:52:05.0092 3480 Winmgmt - ok
19:52:05.0155 3480 [ BCB1310604AA415C4508708975B3931E ] WinRM C:\Windows\system32\WsmSvc.dll
19:52:05.0233 3480 WinRM - ok
19:52:05.0342 3480 [ FE88B288356E7B47B74B13372ADD906D ] WinUSB C:\Windows\system32\DRIVERS\WinUSB.sys
19:52:05.0342 3480 WinUSB - ok
19:52:05.0436 3480 [ 4FADA86E62F18A1B2F42BA18AE24E6AA ] Wlansvc C:\Windows\System32\wlansvc.dll
19:52:05.0467 3480 Wlansvc - ok
19:52:05.0748 3480 [ 98F138897EF4246381D197CB81846D62 ] wlidsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
19:52:05.0794 3480 wlidsvc - ok
19:52:05.0841 3480 [ F6FF8944478594D0E414D3F048F0D778 ] WmiAcpi C:\Windows\system32\DRIVERS\wmiacpi.sys
19:52:05.0841 3480 WmiAcpi - ok
19:52:05.0872 3480 [ 38B84C94C5A8AF291ADFEA478AE54F93 ] wmiApSrv C:\Windows\system32\wbem\WmiApSrv.exe
19:52:05.0872 3480 wmiApSrv - ok
19:52:05.0904 3480 WMPNetworkSvc - ok
19:52:05.0966 3480 [ 96C6E7100D724C69FCF9E7BF590D1DCA ] WPCSvc C:\Windows\System32\wpcsvc.dll
19:52:05.0966 3480 WPCSvc - ok
19:52:06.0013 3480 [ 93221146D4EBBF314C29B23CD6CC391D ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
19:52:06.0013 3480 WPDBusEnum - ok
19:52:06.0028 3480 [ 6BCC1D7D2FD2453957C5479A32364E52 ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
19:52:06.0044 3480 ws2ifsl - ok
19:52:06.0216 3480 [ E8B1FE6669397D1772D8196DF0E57A9E ] wscsvc C:\Windows\system32\wscsvc.dll
19:52:06.0216 3480 wscsvc - ok
19:52:06.0231 3480 WSearch - ok
19:52:06.0418 3480 [ D9EF901DCA379CFE914E9FA13B73B4C4 ] wuauserv C:\Windows\system32\wuaueng.dll
19:52:06.0496 3480 wuauserv - ok
19:52:06.0512 3480 [ D3381DC54C34D79B22CEE0D65BA91B7C ] WudfPf C:\Windows\system32\drivers\WudfPf.sys
19:52:06.0512 3480 WudfPf - ok
19:52:06.0590 3480 [ 7A95C95B6C4CF292D689106BCAE49543 ] wudfsvc C:\Windows\System32\WUDFSvc.dll
19:52:06.0637 3480 wudfsvc - ok
19:52:06.0793 3480 [ 9A3452B3C2A46C073166C5CF49FAD1AE ] WwanSvc C:\Windows\System32\wwansvc.dll
19:52:06.0855 3480 WwanSvc - ok
19:52:06.0918 3480 ================ Scan global ===============================
19:52:06.0933 3480 [ BA0CD8C393E8C9F83354106093832C7B ] C:\Windows\system32\basesrv.dll
19:52:07.0011 3480 [ EB6A48CC998E1090E44E8E7F1009A640 ] C:\Windows\system32\winsrv.dll
19:52:07.0027 3480 [ EB6A48CC998E1090E44E8E7F1009A640 ] C:\Windows\system32\winsrv.dll
19:52:07.0058 3480 [ D6160F9D869BA3AF0B787F971DB56368 ] C:\Windows\system32\sxssrv.dll
19:52:07.0105 3480 [ 24ACB7E5BE595468E3B9AA488B9B4FCB ] C:\Windows\system32\services.exe
19:52:07.0105 3480 [Global] - ok
19:52:07.0105 3480 ================ Scan MBR ==================================
19:52:07.0120 3480 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
19:52:07.0120 3480 Suspicious mbr (Forged): \Device\Harddisk0\DR0
19:52:07.0230 3480 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
19:52:07.0230 3480 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
19:52:07.0230 3480 ================ Scan VBR ==================================
19:52:07.0245 3480 [ A8592AA7C9F9DC7332DBA05C2506D4B7 ] \Device\Harddisk0\DR0\Partition1
19:52:07.0245 3480 \Device\Harddisk0\DR0\Partition1 - ok
19:52:07.0261 3480 [ 319D4EF3DB47BAD0D06E43DB8956B942 ] \Device\Harddisk0\DR0\Partition2
19:52:07.0261 3480 \Device\Harddisk0\DR0\Partition2 - ok
19:52:07.0261 3480 ============================================================
19:52:07.0261 3480 Scan finished
19:52:07.0261 3480 ============================================================
19:52:07.0276 2844 Detected object count: 1
19:52:07.0276 2844 Actual detected object count: 1
19:52:20.0004 2844 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - skipped by user
19:52:20.0004 2844 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Skip
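The log above ends with TDSSKiller reporting the MBR of \Device\Harddisk0\DR0 as forged and infected with Rootkit.Boot.Pihar.c, and the user action recorded as Skip. The long run of "- ok" file hashes is reassuring, but the one object that was flagged is the one that was left in place. The Python below, added here as an example and not part of the original thread or of TDSSKiller, parses that log format and reports exactly that: hashed objects, "- ok" entries that had no image hash, suspicious boot sectors, and detections whose recorded action leaves them on disk. The regexes follow the line shapes visible in the posted log; SAMPLE_LOG is a constructed subset of it.

```python
"""Triage a TDSSKiller text log: collect the hashed service/driver entries and
the MBR/VBR verdicts, then decide whether a detection was left unresolved.

Added example for this thread; not TDSSKiller code and not from the poster.
Line shapes handled (after "time thread-id"): "[ MD5 ] name path",
"name - ok", "Suspicious mbr (kind): device", "device ( threat ) - status"
and "device ( threat ) - User select action: X". SAMPLE_LOG is a constructed
subset of the log posted above.
"""
import re

SAMPLE_LOG = r"""
19:52:01.0114 3480 [ ACB82BDA8F46C84F465C1AFA517DC4B9 ] Tcpip C:\Windows\system32\drivers\tcpip.sys
19:52:01.0177 3480 Tcpip - ok
19:51:59.0367 3480 Steam Client Service - ok
19:51:59.0539 3480 [ 9E1222C417291BC836210743624A8E5E ] Stereo Service C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
19:51:59.0554 3480 Stereo Service - ok
19:52:07.0105 3480 ================ Scan MBR ==================================
19:52:07.0120 3480 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
19:52:07.0120 3480 Suspicious mbr (Forged): \Device\Harddisk0\DR0
19:52:07.0230 3480 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
19:52:07.0230 3480 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
19:52:07.0230 3480 ================ Scan VBR ==================================
19:52:07.0245 3480 [ A8592AA7C9F9DC7332DBA05C2506D4B7 ] \Device\Harddisk0\DR0\Partition1
19:52:07.0245 3480 \Device\Harddisk0\DR0\Partition1 - ok
19:52:07.0276 2844 Detected object count: 1
19:52:20.0004 2844 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - skipped by user
19:52:20.0004 2844 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Skip
"""

# Every log line: time, thread id, free-form body.
LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{4})\s+(?P<tid>\d+)\s+(?P<body>.*\S)\s*$")
# "[ MD5 ] <name> <path>"; boot-sector and global-scan lines carry no name.
HASHED = re.compile(
    r"^\[ (?P<md5>[0-9A-F]{32}) \] (?:(?P<name>.+?) )?"
    r"(?P<obj>(?:[A-Za-z]:|\\Device)\\\S.*)$")
OK = re.compile(r"^(?P<obj>.+?) - ok$")
SUSPICIOUS = re.compile(r"^Suspicious mbr \((?P<kind>\w+)\): (?P<obj>.+)$")
VERDICT = re.compile(
    r"^(?P<obj>.+?) \( (?P<threat>[^)]+) \) - "
    r"(?P<status>infected|skipped by user|User select action: (?P<action>\w+))$")


def parse_tdsskiller(text):
    """Return a dict describing what the scan saw and what the user did about it."""
    report = {
        "hashes": {},       # object path -> MD5 as printed by the tool
        "names": {},        # service/driver name -> object path (boot sectors map to themselves)
        "ok": [],           # "- ok" verdicts for objects that had a hash line
        "unhashed_ok": [],  # "- ok" verdicts with no hash line before them (no image was hashed)
        "suspicious": [],   # (kind, object) from "Suspicious mbr (...)" lines
        "detections": {},   # (object, threat) -> {"infected", "outcome", "action"}
    }
    for raw in text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        body = line["body"]
        if m := SUSPICIOUS.match(body):
            report["suspicious"].append((m["kind"], m["obj"]))
        elif m := VERDICT.match(body):
            rec = report["detections"].setdefault(
                (m["obj"], m["threat"]), {"infected": False, "outcome": None, "action": None})
            if m["action"]:
                rec["action"] = m["action"]
            elif m["status"] == "infected":
                rec["infected"] = True
            else:
                rec["outcome"] = m["status"]
        elif m := HASHED.match(body):
            obj = m["obj"]
            report["hashes"][obj] = m["md5"]
            report["names"][m["name"] or obj] = obj
        elif m := OK.match(body):
            obj = m["obj"]
            if obj == "[Global]":
                continue  # section verdict, not an object
            bucket = "ok" if obj in report["names"] else "unhashed_ok"
            report[bucket].append(obj)
        # banners, object counts and the "- detected" duplicate carry nothing new
    return report


def unresolved(report):
    """Detections the run did not remove: no action recorded, or the user chose Skip."""
    return sorted(key for key, rec in report["detections"].items()
                  if rec["action"] in (None, "Skip") or rec["outcome"] == "skipped by user")


if __name__ == "__main__":
    rep = parse_tdsskiller(SAMPLE_LOG)
    print(f"{len(rep['hashes'])} hashed objects, {len(rep['unhashed_ok'])} without an image hash")
    for kind, obj in rep["suspicious"]:
        print(f"suspicious boot sector: {obj} ({kind})")
    for obj, threat in unresolved(rep):
        print(f"UNRESOLVED: {threat} on {obj}")
```

Run it against a full TDSSKiller log by reading the file into `parse_tdsskiller`; an empty `unresolved()` list is the condition to look for before declaring the boot sector clean, and anything in `unhashed_ok` is a service whose image the tool never hashed and that therefore deserves a manual look at its ImagePath.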
nethog
Member
2012-Sep-8 8:12 am
LoPhatPhuud: I just noticed something disturbing on this computer - looking at the network connection properties I see that some program is constantly downloading data - after 1/2 hour I see over 500Mb received and I am running NO applications.
to nethog
2012-Sep-8 10:33 am
Use Task Manager to see if you can determine which process is doing the downloading. Are you losing disk space? I suspect what you are seeing is normal network traffic and not necessarily anything being downloaded. Logs so far showed no 'mysterious' programs and no rootkits, but we'll look again for rootkits. The instructions are later in this post. What did you do to make this determination? (Give me the steps you took to check the connection. I want to be able to duplicate them on my computer.) Also, download and run GMER. Post the log in this thread, even if nothing is found. You find link(s) and instructions here: » Security Cleanup FAQ » Rootkit Detection Applications
nethog
Member
2012-Sep-9 9:37 am
I am not losing disk space but I am certain that the data being received is *not* normal network activity. I am using the wireless connection properties to see the data transmitted/received. Yesterday, after a few hours this showed over 5 Gbytes received - again with very little network use on my part. It seems that svchost.exe 32 is the process that is pulling the data since it continually shows CPU use until I turn off my wireless. Another thing you should know is that if I use Google all search results seem bogus and not actually from Google since it lists a bunch of links that appear to be advertisements. I uninstalled the Google toolbar from IE9 and at the end I got a 404 error in my browser - I recall that normally Google sends you to a web page asking why you uninstalled their toolbar. Anyway here is the GMER log:

GMER 1.0.15.15641 - www.gmer.net
Rootkit scan 2012-09-09 09:24:20
Windows 6.1.7601 Service Pack 1
Running: dtlcc9oh.exe

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269c4728e
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269c4728e (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VWWQG7C\dnserrordiagoff_webOC[1] 6766 bytes

---- EOF - GMER 1.0.15 ----
to nethog
2012-Sep-9 11:53 am
If you use Comcast as an ISP (the logs indicate you are/were), have you received any Bot notifications from them?
Is your wireless connection secured with a WPA/WPA2 password to prevent unauthorized connections?
Do you have any computers connected via wire to the router?
Also, run MBAM again, and post the new log in this thread.
nethog
Member
2012-Sep-10 11:17 pm
LoPhatPhuud: No, I never received anything from Comcast. The infected computer is connected to my wireless router using WPA. My wireless router is secured with WPA and I just replaced my router last weekend with a new Netgear model. There are no computers connected to the infected computer by wire. Here is the MBAM log just before I hit the remove virus button - after a mandatory reboot by MBAM I could not see an updated logfile anywhere:
Malwarebytes Anti-Malware 1.65.0.1400 www.malwarebytes.org
Database version: v2012.09.10.08
Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 Andrew :: LAPTOP [administrator]
9/10/2012 8:18:23 PM mbam-log-2012-09-10 (22-44-53).txt
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 558498
Time elapsed: 2 hour(s), 18 minute(s), 35 second(s)
Memory Processes Detected: 1 C:\Windows\svchost.exe (Trojan.Agent) -> 5232 -> No action taken.
Memory Modules Detected: 0 (No malicious items detected)
Registry Keys Detected: 0 (No malicious items detected)
Registry Values Detected: 1 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Adobe (Trojan.RedirRdll3.Gen) -> Data: rundll32.exe "C:\Users\Andrew\AppData\Local\Apps\Adobe\uctnh.dll",CreateInstance -> No action taken.
Registry Data Items Detected: 0 (No malicious items detected)
Folders Detected: 0 (No malicious items detected)
Files Detected: 1 C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.
(end)
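The MBAM report above names C:\Windows\svchost.exe (PID 5232) as the running process and an HKCU Run value that starts rundll32.exe on a DLL under the user's AppData as the persistence. The genuine svchost.exe lives in C:\Windows\System32 (or SysWOW64 for the 32-bit copy) and is started by services.exe, so a process by that name anywhere else, or with any other parent, is a look-alike. The Python below, added here as an example and not code from the thread, from Malwarebytes or from Microsoft, joins constructed `netstat -ano` output to a constructed process table, applies those two checks to every process with an established connection, and applies a third check to constructed Run values. Only PID 5232 and the text of the "Adobe" Run value are taken from the log above; the addresses, the other processes and the second Run value are made up.

```python
"""Attribute established connections to processes and test each process
against what a genuine Windows system binary looks like.

Added example for this thread; not from the poster, Malwarebytes or Microsoft.
On a live machine the tables below come from `netstat -ano`, from WMI
Win32_Process (ExecutablePath, ParentProcessId) and from the Run keys; here
they are constructed. PID 5232 and the "Adobe" Run value come from the MBAM
log above, everything else is made up.
"""
import ntpath
import re

# Binaries that only run from fixed directories and have one legitimate parent.
SYSTEM_BINARIES = {
    "svchost.exe": {"dirs": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
                    "parent": "services.exe"},
}

# Constructed process table: pid, parent pid, name, image path.
PROCESSES = [
    {"pid": 464, "ppid": 392, "name": "services.exe", "image": r"C:\Windows\System32\services.exe"},
    {"pid": 812, "ppid": 464, "name": "svchost.exe", "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 2140, "ppid": 1588, "name": "explorer.exe", "image": r"C:\Windows\explorer.exe"},
    {"pid": 3304, "ppid": 2140, "name": "iexplore.exe",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 5232, "ppid": 2140, "name": "svchost.exe", "image": r"C:\Windows\svchost.exe"},
]

# Constructed `netstat -ano` output (documentation-range addresses).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.12:49211     203.0.113.7:80         ESTABLISHED     3304
  TCP    192.168.1.12:49302     198.51.100.23:16471    ESTABLISHED     5232
  TCP    192.168.1.12:49303     198.51.100.88:16471    ESTABLISHED     5232
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  UDP    0.0.0.0:3702           *:*                                    812
"""

# Constructed Run values: (key, value name, command line).
RUN_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Adobe",
     r'rundll32.exe "C:\Users\Andrew\AppData\Local\Apps\Adobe\uctnh.dll",CreateInstance'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ExampleTray",
     r"C:\Program Files\Example\tray.exe /background"),
]

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
APPDATA_DLL = re.compile(r"\\Users\\[^\\]+\\AppData\\.*\.dll", re.IGNORECASE)


def parse_netstat(text):
    """Rows of `netstat -ano`; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            rows.append({"proto": m[1], "local": m[2], "remote": m[3],
                         "state": m[4] or "", "pid": int(m[5])})
    return rows


def masquerade_reasons(proc, by_pid):
    """Why this process fails the rules for the system binary it is named after."""
    rule = SYSTEM_BINARIES.get(proc["name"].lower())
    if not rule:
        return []
    reasons = []
    if ntpath.dirname(proc["image"]).lower() not in {d.lower() for d in rule["dirs"]}:
        reasons.append(f"image outside expected directory: {proc['image']}")
    parent = by_pid.get(proc["ppid"])
    parent_name = parent["name"].lower() if parent else "<no such pid>"
    if parent_name != rule["parent"]:
        reasons.append(f"parent is {parent_name}, expected {rule['parent']}")
    return reasons


def attribute_connections(netstat_text, processes):
    """pid -> {process, remotes, reasons} for every process with an ESTABLISHED TCP connection."""
    by_pid = {p["pid"]: p for p in processes}
    findings = {}
    for row in parse_netstat(netstat_text):
        if row["state"] != "ESTABLISHED":
            continue
        proc = by_pid.get(row["pid"], {"pid": row["pid"], "ppid": 0, "name": "?", "image": "?"})
        entry = findings.setdefault(row["pid"], {"process": proc, "remotes": [],
                                                  "reasons": masquerade_reasons(proc, by_pid)})
        entry["remotes"].append(row["remote"])
    return findings


def suspicious_run_values(run_values):
    """Run entries that start rundll32 on a DLL inside a user profile's AppData."""
    return [(key, name, "rundll32 loading a DLL from AppData")
            for key, name, command in run_values
            if "rundll32" in command.lower() and APPDATA_DLL.search(command)]


if __name__ == "__main__":
    for pid, f in attribute_connections(NETSTAT, PROCESSES).items():
        flag = "SUSPECT" if f["reasons"] else "ok"
        print(f"{flag} pid={pid} {f['process']['image']} -> {', '.join(f['remotes'])}")
        for reason in f["reasons"]:
            print(f"    {reason}")
    for key, name, why in suspicious_run_values(RUN_VALUES):
        print(f"SUSPECT autorun {key}\\{name}: {why}")
```

The two svchost rules are deliberately narrow: the directory check catches the C:\Windows\svchost.exe copy regardless of what it is doing, and the parent check catches a correctly placed svchost.exe that was launched by something other than services.exe. Extending SYSTEM_BINARIES with other fixed-location binaries is the obvious next step on a real host.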
to nethog
2012-Sep-11 9:52 am
Run MBAM again and this time remove what it detects. That looks like the ZeroAccess trojan.
nethog
Member
2012-Sep-11 6:06 pm
I did actually click the remove option in MBAM after it finished, but like I stated there was not a new log file nor was the original log file I posted updated. I did check network data transmission just now and I see that over 4 gigabytes of data was received the past 3 hours but the only network activity by a family member was using IE9 to view a few short YouTube videos - and data continues to be received when doing nothing on the internet.
to nethog
2012-Sep-12 11:18 am
The MBAM reboot was due to an upgrade to the most current version. That may have affected the removal.
Run MBAM again, removing anything it finds, and post the new log in this thread.
If no log shows up, click the 'Log' tab in MBAM. That will give you a list of all logs stored. Double clicking on any log will open it so you can copy and paste.
nethog
Member
2012-Sep-13 5:37 am
Ok I reran MBAM, clicked "remove", rebooted and looked in the MBAM log area. I notice there is an mbam-log file and 2 protection-log files associated with this last run. I see that the second protection log is being updated even as I am typing this message basically ALLOWing the trojan "svchost.exe"! All three files posted below:
mbam-log: Malwarebytes Anti-Malware 1.65.0.1400 www.malwarebytes.org
Database version: v2012.09.13.01
Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 Andrew :: LAPTOP [administrator]
9/12/2012 10:34:45 PM mbam-log-2012-09-12 (22-34-45).txt
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 569612
Time elapsed: 2 hour(s), 2 minute(s), 10 second(s)
Memory Processes Detected: 1 C:\Windows\svchost.exe (Trojan.Agent) -> 5440 -> Delete on reboot.
Memory Modules Detected: 0 (No malicious items detected)
Registry Keys Detected: 0 (No malicious items detected)
Registry Values Detected: 0 (No malicious items detected)
Registry Data Items Detected: 0 (No malicious items detected)
Folders Detected: 0 (No malicious items detected)
Files Detected: 1 C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.
(end)
First protection-log:
2012/09/12 05:29:57 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:32:00 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:32:17 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:42:31 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:43:02 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:45:19 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:47:56 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:56:10 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:56:25 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:45:16 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:53:39 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:54:20 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:55:17 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:56:12 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:59:44 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 15:01:03 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 15:01:45 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 15:03:27 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 15:58:07 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 15:59:43 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 16:01:33 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 16:28:17 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 16:29:02 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 17:16:32 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 17:19:24 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 17:32:10 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 17:33:00 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 17:33:44 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 18:21:42 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 18:44:12 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 18:44:28 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 19:07:03 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 19:07:24 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 19:53:03 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 19:53:38 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 20:13:36 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 20:15:01 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 20:41:03 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 20:41:25 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:21:21 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:22:01 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:23:35 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:23:46 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:34:35 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:35:20 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 22:34:14 -0400 LAPTOP Andrew MESSAGE Starting database refresh
2012/09/12 22:35:14 -0400 LAPTOP Andrew MESSAGE Database refreshed successfully

Second protection-log:
2012/09/13 01:15:26 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/13 05:28:39 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/13 05:29:02 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/13 05:31:45 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
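The two protection logs above record the same path, C:\Windows\svchost.exe, as Trojan.Agent with action ALLOW every few minutes for the better part of a day: the real-time module keeps reporting it and never blocks it. The Python below, added here as an example and not Malwarebytes code, reduces a protection log to one record per (path, threat) with the count of each action, the first and last sighting, and the list of items that were only ever ALLOWed. The entry shape is taken from the logs posted above; SAMPLE is a constructed handful of lines in that shape, with made-up QUARANTINE and DENY lines for a Temp file to show the contrast.

```python
"""Summarise a Malwarebytes real-time protection log: one record per
(path, threat) with the actions taken, first and last sighting, and the items
that were reported but never blocked.

Added example for this thread, not Malwarebytes code. Entry shape, taken from
the logs posted above: "YYYY/MM/DD HH:MM:SS -0400 HOST USER KIND rest", where
rest is "path threat ACTION" for KIND=DETECTION and free text otherwise.
SAMPLE is constructed; the Temp-file lines are invented for contrast.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE = r"""
2012/09/12 05:29:57 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:32:00 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:45:16 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 22:34:14 -0400 LAPTOP Andrew MESSAGE Starting database refresh
2012/09/12 22:35:14 -0400 LAPTOP Andrew MESSAGE Database refreshed successfully
2012/09/13 01:15:26 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/13 06:00:00 -0400 LAPTOP Andrew DETECTION C:\Users\Andrew\AppData\Local\Temp\x.tmp Trojan.Agent QUARANTINE
2012/09/13 06:00:05 -0400 LAPTOP Andrew DETECTION C:\Users\Andrew\AppData\Local\Temp\x.tmp Trojan.Agent DENY
"""

ENTRY = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d [+-]\d{4}) (?P<host>\S+) (?P<user>\S+) "
    r"(?P<kind>[A-Z]+) (?P<rest>.*)$")
# The path may contain spaces; the threat name does not; the action is always last.
DETECTION = re.compile(r"^(?P<path>.+?) (?P<threat>\S+) (?P<action>QUARANTINE|DENY|ALLOW)$")


def parse_protection_log(text):
    """Return (detections, messages). detections: (path, threat) -> actions/first/last."""
    detections, messages = {}, []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S %z")
        if m["kind"] != "DETECTION":
            messages.append((when, m["kind"], m["rest"]))
            continue
        d = DETECTION.match(m["rest"])
        if not d:
            continue  # unknown detection shape: leave it out rather than guess
        rec = detections.setdefault((d["path"], d["threat"]),
                                    {"actions": Counter(), "first": when, "last": when})
        rec["actions"][d["action"]] += 1
        rec["first"], rec["last"] = min(rec["first"], when), max(rec["last"], when)
    return detections, messages


def never_blocked(detections):
    """Items every sighting of which ended in ALLOW: reported, but still in place."""
    return sorted(key for key, rec in detections.items() if set(rec["actions"]) == {"ALLOW"})


def span_hours(rec):
    """Hours between the first and last sighting of one item."""
    return (rec["last"] - rec["first"]).total_seconds() / 3600


if __name__ == "__main__":
    dets, msgs = parse_protection_log(SAMPLE)
    for (path, threat), rec in dets.items():
        print(f"{path} [{threat}] {dict(rec['actions'])} over {span_hours(rec):.1f} h")
    for path, threat in never_blocked(dets):
        print(f"NEVER BLOCKED: {threat} at {path}")
```

Feeding both posted protection logs through `parse_protection_log` produces one record for C:\Windows\svchost.exe with ALLOW as its only action; that is the signal that the detection is being reported without being stopped, and it is the same file a full scan then has to delete on reboot.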
1 recommendation |
to nethog
OK. MBAM cleared the trojan. I'm surprised that Combofix did not catch it unless it was recently installed. Time to run Combofix again... Download ComboFix from one of these locations: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.infospyware.net/antimalware/combofix/
* IMPORTANT !!! Save ComboFix.exe to your Desktop[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools [*]Double click on ComboFix.exe & follow the prompts. [*]As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. [*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Give it at least 20-30 minutes to finish if needed.
2012-Sep-13 10:59 am
nethog
Member
2012-Sep-13 8:02 pm
here is my combofix log: ComboFix 12-09-13.03 - Andrew 09/13/2012 19:38:50.2.2 - x64 Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.2792 [GMT -4:00] Running from: c:\users\Andrew\Desktop\ComboFix.exe AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF} FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4} SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\programdata\PCDr\6032\AddOnDownloaded\06004c97-c212-44da-81de-706b46554efe.dll c:\programdata\PCDr\6032\AddOnDownloaded\0d03215e-4c16-4ea7-b7d7-805a2556effc.dll c:\programdata\PCDr\6032\AddOnDownloaded\0d461521-7dbf-4cec-a29e-936c88cdf8c9.dll c:\programdata\PCDr\6032\AddOnDownloaded\0d85b53c-d766-4bf0-8940-17b534910268.dll c:\programdata\PCDr\6032\AddOnDownloaded\100c3865-0c76-461b-b2fd-042d6d5fa7f6.dll c:\programdata\PCDr\6032\AddOnDownloaded\140239b3-d59a-46fa-b856-17682a46cb44.dll c:\programdata\PCDr\6032\AddOnDownloaded\16837627-a839-41c5-a88f-3a0335128383.dll c:\programdata\PCDr\6032\AddOnDownloaded\173c4dd2-e93c-4725-b006-db1d8f465192.dll c:\programdata\PCDr\6032\AddOnDownloaded\1e0aaf9a-9947-4a7b-b1ae-8a89919438ed.dll c:\programdata\PCDr\6032\AddOnDownloaded\263d6ac9-4f87-466c-947c-bd9af71d7035.dll c:\programdata\PCDr\6032\AddOnDownloaded\2ee79d71-badc-46b4-b731-42b15f3cd1c3.dll c:\programdata\PCDr\6032\AddOnDownloaded\3410f47b-5e8c-47c6-bf2c-234af4121d4c.dll c:\programdata\PCDr\6032\AddOnDownloaded\378deb7f-049e-4a5e-83b2-5381dcd9e928.dll c:\programdata\PCDr\6032\AddOnDownloaded\3972fea3-214c-4935-a7d1-96bf66115683.dll c:\programdata\PCDr\6032\AddOnDownloaded\3a79f062-8f3e-464f-9815-2c45840494ee.dll c:\programdata\PCDr\6032\AddOnDownloaded\3b1c7acd-5e3e-4459-ab98-5109117e2341.dll 
c:\programdata\PCDr\6032\AddOnDownloaded\3e4c86d5-a5c1-4c3f-8fc7-6258992b16c5.dll c:\programdata\PCDr\6032\AddOnDownloaded\44ddba62-3b58-480f-a775-ae7e9dd9d5df.dll c:\programdata\PCDr\6032\AddOnDownloaded\4546f2bc-b9d9-4667-abe7-b0bacc90279e.dll c:\programdata\PCDr\6032\AddOnDownloaded\4804ced5-915b-48a3-a465-b8a5e02714bf.dll c:\programdata\PCDr\6032\AddOnDownloaded\4818e109-9489-4cd8-9044-44defd8ec187.dll c:\programdata\PCDr\6032\AddOnDownloaded\493f295d-1a46-46f6-926c-63b474cedab4.dll c:\programdata\PCDr\6032\AddOnDownloaded\5e1c102f-bfde-420c-87c0-64fe851888e5.dll c:\programdata\PCDr\6032\AddOnDownloaded\62d1f0b0-bc9a-4f6c-bad7-93b19a91276a.dll c:\programdata\PCDr\6032\AddOnDownloaded\67c3d4fe-b638-467a-9fe2-c5813ade3330.dll c:\programdata\PCDr\6032\AddOnDownloaded\6820b110-e483-4f1e-9b48-438f7916f078.dll c:\programdata\PCDr\6032\AddOnDownloaded\684a43a7-04d5-4797-bc20-4db8a316286c.dll c:\programdata\PCDr\6032\AddOnDownloaded\6b5978fa-48d7-4309-a523-7e157768c0d8.dll c:\programdata\PCDr\6032\AddOnDownloaded\6f4fb483-ce30-493a-8cb4-3e530ab1be5b.dll c:\programdata\PCDr\6032\AddOnDownloaded\7014e871-cc3b-4dec-b82b-bc70222b40ed.dll c:\programdata\PCDr\6032\AddOnDownloaded\739db3eb-d3cd-4c86-a6ea-01a49984fa3b.dll c:\programdata\PCDr\6032\AddOnDownloaded\7bd83798-7a02-4f50-83a2-b91cabcbd1f9.dll c:\programdata\PCDr\6032\AddOnDownloaded\7dbfef1a-6148-4748-a1b3-71627763a45a.dll c:\programdata\PCDr\6032\AddOnDownloaded\813755dc-2229-47a2-b85b-19d0aaa641c9.dll c:\programdata\PCDr\6032\AddOnDownloaded\872965c7-08b7-47fc-a74c-ff167590b71a.dll c:\programdata\PCDr\6032\AddOnDownloaded\8d357f17-07ad-4392-ba06-fb67564c98cd.dll c:\programdata\PCDr\6032\AddOnDownloaded\934f6059-2d35-4bd9-a130-a17cb5563507.dll c:\programdata\PCDr\6032\AddOnDownloaded\a4930af9-016c-4915-a740-a3364e7618aa.dll c:\programdata\PCDr\6032\AddOnDownloaded\a61f44a8-21a3-4c4a-a04b-993dfb73bf96.dll c:\programdata\PCDr\6032\AddOnDownloaded\a9de0c84-9a7c-4638-9653-13aa8cf56e80.dll 
c:\programdata\PCDr\6032\AddOnDownloaded\ae67b364-b69e-471e-b177-2459120b84d4.dll c:\programdata\PCDr\6032\AddOnDownloaded\b2152f30-7380-4987-8fcf-e4c06952615d.dll c:\programdata\PCDr\6032\AddOnDownloaded\b2ed8d53-41ce-48e6-b4ac-8b8e5e1a4fdf.dll c:\programdata\PCDr\6032\AddOnDownloaded\b4cc2a4a-87f5-49cd-935c-18f1a80e65b7.dll c:\programdata\PCDr\6032\AddOnDownloaded\bbfa36b0-30b0-4e36-8d8c-69df1d87626b.dll c:\programdata\PCDr\6032\AddOnDownloaded\bc6fc708-5b6b-4a72-b336-09b3089baa7a.dll c:\programdata\PCDr\6032\AddOnDownloaded\bf647bd7-dfb5-4746-a6b4-b7c2fdbbf3b1.dll c:\programdata\PCDr\6032\AddOnDownloaded\c4211805-b43b-471d-81af-4e0589f8607b.dll c:\programdata\PCDr\6032\AddOnDownloaded\c882e61c-ecc2-4db0-9a28-7cbe8bd4876b.dll c:\programdata\PCDr\6032\AddOnDownloaded\cdda52ec-6ccd-425a-8c72-b7bbdc8b3acd.dll c:\programdata\PCDr\6032\AddOnDownloaded\d1f4dc82-bc4c-4916-b37c-3ab9c30ae468.dll c:\programdata\PCDr\6032\AddOnDownloaded\d34c0cf7-889f-43dd-9283-b2b6f442aae3.dll c:\programdata\PCDr\6032\AddOnDownloaded\daf30858-49d8-434b-b4b1-068b5dc9267c.dll c:\programdata\PCDr\6032\AddOnDownloaded\ddb9fe5d-525c-4d5d-ac37-0bd10f2864f8.dll c:\programdata\PCDr\6032\AddOnDownloaded\e45cd45a-4d7c-4802-881f-74582b847e5c.dll c:\programdata\PCDr\6032\AddOnDownloaded\e9bb45d9-5a2b-47e8-9c48-168276d422cc.dll c:\programdata\PCDr\6032\AddOnDownloaded\ef78c3e8-1d94-4219-8070-7617e119bba4.dll c:\programdata\PCDr\6032\AddOnDownloaded\f06c5597-1a85-4d1f-ac16-a6fdd2a6bedc.dll c:\programdata\PCDr\6032\AddOnDownloaded\f80d4ad1-1fad-43b5-b6f3-347848b5ddd5.dll c:\programdata\PCDr\6032\AddOnDownloaded\f9dc840b-c6f7-42a5-acec-50cc7a2827fd.dll c:\windows\svchost.exe . . ((((((((((((((((((((((((( Files Created from 2012-08-13 to 2012-09-13 ))))))))))))))))))))))))))))))) . . 2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp 2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\Peter\AppData\Local\temp 2012-09-13 23:50 . 
2012-09-13 23:50 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\Cameron\AppData\Local\temp 2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\Brianna\AppData\Local\temp 2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\Administrator\AppData\Local\temp 2012-09-11 00:16 . 2012-09-11 00:16 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware 2012-09-11 00:16 . 2012-09-07 21:04 25928 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-09-09 11:38 . 2012-09-09 11:38 -------- d-----w- c:\users\Peter\AppData\Local\Google 2012-09-08 19:06 . 2012-09-08 19:06 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys 2012-09-08 17:54 . 2012-09-08 17:54 -------- d-----w- c:\program files (x86)\WinDirStat 2012-09-08 14:26 . 2012-08-28 05:49 9310152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{23FE69FC-3850-4F9D-AFB4-2DE3ACB0DC71}\mpengine.dll 2012-09-08 13:44 . 2012-01-04 21:06 8192 ----a-w- c:\windows\system32\drivers\rt2870.bin 2012-09-08 13:44 . 2012-09-08 13:44 -------- d-----w- c:\users\Andrew\AppData\Local\NETGEAR 2012-09-08 13:44 . 2012-09-08 13:44 -------- d-----w- c:\programdata\NETGEAR 2012-09-08 13:43 . 2012-09-08 13:43 -------- d-----w- c:\windows\Downloaded Installations 2012-09-04 21:41 . 2012-09-04 21:41 -------- d-----w- c:\program files (x86)\Microsoft XNA 2012-09-02 18:55 . 2012-09-02 18:55 -------- d-----w- c:\program files (x86)\Common Files\Java 2012-09-02 18:39 . 2012-09-02 18:38 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll 2012-09-02 18:38 . 2012-09-02 18:38 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll 2012-09-02 18:34 . 2012-09-02 18:34 -------- d-----w- c:\programdata\McAfee 2012-09-01 04:44 . 2012-09-01 04:44 -------- d-----w- c:\programdata\PC-Doctor for Windows 2012-09-01 04:02 . 2012-09-01 04:02 -------- d-----w- c:\windows\system32\drivers\NSMx64 2012-09-01 04:02 . 
2012-09-01 04:02 -------- d-----w- c:\program files (x86)\Norton Online 2012-09-01 04:02 . 2012-09-01 04:02 -------- d-----w- c:\windows\system32\drivers\NOFx64 2012-09-01 03:47 . 2012-09-01 03:47 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared 2012-09-01 03:28 . 2012-09-01 04:03 -------- d-----w- c:\program files\Symantec 2012-09-01 03:28 . 2012-09-01 04:03 175736 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS 2012-09-01 03:26 . 2012-09-01 03:26 -------- d-----w- c:\program files (x86)\Norton Security Suite 2012-09-01 03:26 . 2012-09-01 04:02 -------- d-----w- c:\program files (x86)\NortonInstaller 2012-09-01 01:11 . 2012-09-01 03:28 -------- d-----w- c:\program files\Common Files\Symantec Shared 2012-09-01 01:10 . 2012-09-01 03:39 -------- d-----w- c:\windows\system32\drivers\N360x64 2012-08-30 21:52 . 2012-09-13 23:50 -------- d-----w- c:\users\Andrew\AppData\Local\temp 2012-08-30 02:20 . 2012-09-01 01:57 -------- d-----w- c:\program files (x86)\Sophos 2012-08-14 23:54 . 2012-08-14 23:54 -------- d-----w- c:\users\Peter\AppData\Roaming\QuickScan . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-09-08 03:59 . 2012-05-21 10:09 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-09-08 03:59 . 2011-05-15 01:59 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-09-02 18:38 . 2011-05-15 00:31 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll 2012-07-03 07:19 . 2011-05-14 19:59 59701280 ----a-w- c:\windows\system32\MRT.exe . . ((((((((((((((((((((((((((((( SnapShot@2012-08-30_21.49.38 ))))))))))))))))))))))))))))))))))))))))) . - 2012-08-08 07:26 . 2012-08-12 19:04 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\index.dat + 2012-08-08 07:26 . 2012-09-12 21:31 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\index.dat + 2012-09-02 18:28 . 
2012-09-02 18:28 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat + 2012-07-29 19:17 . 2012-09-13 21:22 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat - 2012-07-29 19:17 . 2012-08-12 18:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat + 2012-09-02 18:28 . 2012-09-02 18:28 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat + 2012-09-02 18:28 . 2012-09-02 18:28 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat + 2012-09-09 19:37 . 2012-09-09 19:38 15360 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CCF2619F-FAB5-11E1-803C-00219BCF4407}.dat + 2012-09-07 19:35 . 2012-09-07 19:36 10240 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{385DB477-F923-11E1-91D9-002269C4728E}.dat + 2012-09-13 20:25 . 2012-09-13 23:31 15360 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2E97E053-FDE1-11E1-A0A0-00219BCF4407}.dat + 2012-09-12 21:31 . 2012-09-12 21:31 17408 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2DCD035E-FD21-11E1-B304-00219BCF4407}.dat + 2012-07-29 18:42 . 2012-09-13 23:31 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat + 2010-11-21 03:09 . 2012-09-13 18:46 72600 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin + 2009-07-14 05:10 . 2012-09-13 18:46 51858 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin + 2011-05-15 00:02 . 
2012-09-13 18:46 22318 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1613675080-3381770067-651744427-1004_UserData.bin + 2011-05-14 20:05 . 2012-09-09 11:29 12760 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1613675080-3381770067-651744427-1001_UserData.bin + 2011-05-14 19:53 . 2006-09-13 09:00 27136 c:\windows\system32\spool\prtprocs\x64\3_CNMPD7O.DLL + 2012-01-13 19:40 . 2012-01-13 19:40 14119 c:\windows\system32\RaCoInst.dat + 2009-07-14 05:30 . 2012-09-08 13:45 86016 c:\windows\system32\DriverStore\infpub.dat - 2009-07-14 05:30 . 2012-01-07 13:41 86016 c:\windows\system32\DriverStore\infpub.dat + 2012-01-13 19:40 . 2012-01-13 19:40 14119 c:\windows\system32\DriverStore\FileRepository\netr28ux.inf_amd64_neutral_ae671fe85c678215\RaCoInst.dat + 2012-09-01 03:31 . 2012-07-06 02:17 37536 c:\windows\system32\drivers\N360x64\0603000.00E\srtspx64.sys + 2011-05-14 19:45 . 2012-09-13 23:22 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat - 2011-05-14 19:45 . 2012-08-30 21:13 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat + 2012-08-31 02:09 . 2012-09-13 23:22 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat - 2012-08-14 00:19 . 2012-08-30 21:13 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat - 2009-07-14 04:54 . 2012-08-30 21:13 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat + 2009-07-14 04:54 . 2012-09-13 23:22 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat - 2011-05-14 19:51 . 2011-05-14 20:04 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat + 2011-05-14 19:51 . 
2012-09-03 14:27 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat + 2009-07-14 04:46 . 2012-09-10 20:41 91040 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat - 2011-05-14 19:51 . 2011-05-14 20:04 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat + 2011-05-14 19:51 . 2012-09-03 14:27 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat - 2011-05-14 19:51 . 2011-05-14 20:04 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat + 2011-05-14 19:51 . 2012-09-03 14:27 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat + 2012-09-04 21:41 . 2012-09-04 21:41 98304 c:\windows\assembly\GAC_32\Microsoft.Xna.Framework.Game\3.1.0.0__6d5c3888ef60e27d\Microsoft.Xna.Framework.Game.dll + 2012-09-09 17:29 . 2012-09-09 19:37 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DABBE800-FAA3-11E1-803C-00219BCF4407}.dat + 2012-09-11 20:52 . 2012-09-11 20:52 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9266E6A9-FC52-11E1-B393-00219BCF4407}.dat + 2012-09-02 14:50 . 2012-09-02 14:50 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8400F94C-F50D-11E1-AB47-00219BCF4407}.dat + 2012-09-06 23:49 . 2012-09-06 23:49 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{719EAD37-F87D-11E1-B394-002269C4728E}.dat + 2012-09-07 19:35 . 
2012-09-07 19:35 5632 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{385DB474-F923-11E1-91D9-002269C4728E}.dat + 2012-09-13 20:25 . 2012-09-13 20:25 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2E97E052-FDE1-11E1-A0A0-00219BCF4407}.dat + 2012-09-12 21:31 . 2012-09-12 22:04 5632 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2DCD035D-FD21-11E1-B304-00219BCF4407}.dat + 2012-09-08 20:01 . 2012-09-09 05:03 5632 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0908AA41-F9F0-11E1-8481-00219BCF4407}.dat + 2012-09-09 17:29 . 2012-09-09 17:29 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DABBE801-FAA3-11E1-803C-00219BCF4407}.dat + 2012-09-12 22:02 . 2012-09-12 22:03 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9B95B4F5-FD25-11E1-B304-00219BCF4407}.dat + 2012-09-11 20:52 . 2012-09-11 20:52 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9266E6AA-FC52-11E1-B393-00219BCF4407}.dat + 2012-09-02 14:50 . 2012-09-02 14:50 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8400F94D-F50D-11E1-AB47-00219BCF4407}.dat + 2012-09-09 05:02 . 2012-09-09 05:02 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8279C7EB-FA3B-11E1-8481-00219BCF4407}.dat + 2012-09-06 23:49 . 2012-09-06 23:49 4096 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{719EAD38-F87D-11E1-B394-002269C4728E}.dat + 2012-09-07 19:35 . 
2012-09-07 19:35 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{385DB475-F923-11E1-91D9-002269C4728E}.dat + 2012-09-08 20:01 . 2012-09-08 20:02 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0908AA42-F9F0-11E1-8481-00219BCF4407}.dat + 2012-09-09 18:06 . 2012-09-09 18:06 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{030469D0-FAA9-11E1-803C-00219BCF4407}.dat + 2011-05-16 02:08 . 2012-09-13 09:20 3214 c:\windows\system32\wdi\ERCQueuedResolutions.dat + 2012-09-01 03:31 . 2012-05-15 01:22 8942 c:\windows\system32\drivers\N360x64\0603000.00E\symvtcer.dat + 2012-09-13 18:44 . 2012-09-13 18:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat - 2012-08-30 21:40 . 2012-08-30 21:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat + 2012-09-13 18:44 . 2012-09-13 18:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat - 2012-08-30 21:40 . 2012-08-30 21:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat + 2012-09-08 03:59 . 2012-09-08 03:59 690888 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe + 2012-05-21 10:09 . 2012-09-08 03:59 250568 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe + 2012-09-02 18:39 . 2012-09-02 18:38 246760 c:\windows\SysWOW64\javaws.exe + 2012-09-02 18:38 . 2012-09-02 18:38 174056 c:\windows\SysWOW64\javaw.exe + 2012-09-02 18:38 . 2012-09-02 18:38 174056 c:\windows\SysWOW64\java.exe + 2012-07-29 18:42 . 2012-09-13 23:31 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat - 2012-07-29 18:42 . 2012-08-13 22:08 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat + 2012-08-08 07:27 . 
2012-09-02 14:50 393216 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\index.dat + 2012-08-30 10:16 . 2012-09-13 23:34 212992 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat + 2012-09-03 03:56 . 2012-09-03 03:57 245980 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT + 2012-01-13 19:40 . 2012-01-13 19:40 327008 c:\windows\system32\RaCoInstx.dll + 2009-07-14 02:36 . 2012-09-11 00:12 636122 c:\windows\system32\perfh009.dat + 2009-07-14 02:36 . 2012-09-11 00:12 111664 c:\windows\system32\perfc009.dat + 2010-11-21 03:27 . 2012-05-31 16:25 279656 c:\windows\system32\MpSigStub.exe + 2012-09-08 03:58 . 2012-09-08 03:58 420552 c:\windows\system32\Macromed\Flash\FlashUtil64_11_4_402_265_ActiveX.exe + 2009-07-14 04:45 . 2012-09-01 02:06 416528 c:\windows\system32\FNTCACHE.DAT + 2009-07-14 05:30 . 2012-09-08 13:45 143360 c:\windows\system32\DriverStore\infstrng.dat - 2009-07-14 05:30 . 2012-01-07 13:41 143360 c:\windows\system32\DriverStore\infstrng.dat + 2009-07-14 05:30 . 2012-09-08 13:44 143360 c:\windows\system32\DriverStore\infstor.dat - 2009-07-14 05:30 . 2012-01-07 13:39 143360 c:\windows\system32\DriverStore\infstor.dat + 2012-01-13 19:40 . 2012-01-13 19:40 327008 c:\windows\system32\DriverStore\FileRepository\netr28ux.inf_amd64_neutral_ae671fe85c678215\RaCoInstx.dll + 2012-09-01 04:02 . 2011-11-17 03:38 218232 c:\windows\system32\drivers\NSMx64\0203000.01A\symrdrs.sys + 2012-09-01 04:02 . 2011-11-04 23:59 167048 c:\windows\system32\drivers\NOFx64\0203000.007\ccSetx64.sys + 2012-09-01 03:31 . 2011-11-17 03:38 405624 c:\windows\system32\drivers\N360x64\0603000.00E\symnets.sys + 2012-09-01 03:31 . 2011-08-16 06:51 451192 c:\windows\system32\drivers\N360x64\0603000.00E\symds64.sys + 2012-09-01 03:31 . 2012-07-06 02:17 737952 c:\windows\system32\drivers\N360x64\0603000.00E\srtsp64.sys + 2012-09-01 03:31 . 
2011-11-17 03:17 190072 c:\windows\system32\drivers\N360x64\0603000.00E\ironx64.sys + 2012-09-01 03:31 . 2012-06-07 04:43 167072 c:\windows\system32\drivers\N360x64\0603000.00E\ccsetx64.sys + 2012-09-08 15:32 . 2012-09-08 15:32 262144 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat + 2012-09-08 15:32 . 2012-09-08 15:32 262144 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat + 2009-07-14 05:01 . 2012-09-13 10:10 386868 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat + 2011-05-14 21:30 . 2012-09-01 04:05 733008 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1613675080-3381770067-651744427-1001-8192.dat + 2012-09-02 18:55 . 2012-09-02 18:55 179200 c:\windows\Installer\11b35aa.msi + 2012-09-01 01:30 . 2012-09-13 23:34 5619712 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat + 2012-01-13 19:40 . 2012-01-13 19:40 1675840 c:\windows\system32\DriverStore\FileRepository\netr28ux.inf_amd64_neutral_ae671fe85c678215\netr28ux.sys + 2012-01-13 19:40 . 2012-01-13 19:40 1675840 c:\windows\system32\drivers\netr28ux.sys + 2012-09-01 03:31 . 2012-05-22 01:37 1129120 c:\windows\system32\drivers\N360x64\0603000.00E\symefa64.sys + 2012-09-08 05:39 . 2012-09-13 09:21 1956280 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat + 2012-07-30 03:03 . 2012-09-13 10:10 9816552 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat + 2012-09-08 13:43 . 2012-09-08 13:43 4807168 c:\windows\Installer\759d5c.msi + 2012-09-04 21:37 . 2012-09-04 21:37 7671808 c:\windows\Installer\1656b3c.msi + 2012-09-08 13:43 . 2012-09-08 13:43 4807168 c:\windows\Downloaded Installations\{441B6121-45DC-4A59-BC38-4E9E55A6A41A}\NETGEAR WNDA4100.msi + 2012-09-04 21:41 . 
2012-09-04 21:41 1034752 c:\windows\assembly\GAC_32\Microsoft.Xna.Framework\3.1.0.0__6d5c3888ef60e27d\Microsoft.Xna.Framework.dll + 2009-07-14 04:54 . 2012-09-13 23:34 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat - 2009-07-14 04:54 . 2012-08-30 21:12 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat + 2011-05-15 04:29 . 2012-09-09 13:38 10209076 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1613675080-3381770067-651744427-1004-8192.dat + 2011-05-15 04:29 . 2012-09-13 10:10 46600062 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1613675080-3381770067-651744427-1004-12288.dat + 2011-05-14 23:54 . 2012-09-09 12:04 12983476 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1613675080-3381770067-651744427-1001-12288.dat + 2012-09-02 18:34 . 2012-09-02 18:34 27545600 c:\windows\Installer\1085b2f.msi . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-09-01 1353080] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864] "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520] "Razer Imperator Driver"="c:\program files (x86)\Razer\Imperator\RazerImperatorSysTray.exe" [2011-06-03 979360] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848] . 
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1556560] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-08 250568] R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\DRIVERS\ae1000w7.sys [2010-03-23 1101600] R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168] R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\AB3E.tmp [x] R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880] R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184] R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992] R3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\system32\drivers\NSMx64\0203000.01A\SymRdrS.SYS [2011-11-17 218232] R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960] R3 terminpt;Microsoft 
Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232] R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248] R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-14 1255736] S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0603000.00E\SYMDS64.SYS [2011-08-16 451192] S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0603000.00E\SYMEFA64.SYS [2012-05-22 1129120] S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\BASHDefs\20120905.001\BHDrvx64.sys [2012-08-31 1385120] S1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\N360x64\0603000.00E\ccSetx64.sys [2012-06-07 167072] S1 ccSet_NOF;Norton Online Settings Manager;c:\windows\system32\drivers\NOFx64\0203000.007\ccSetx64.sys [2011-11-04 167048] S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20120912.001\IDSvia64.sys [2012-09-01 513184] S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0603000.00E\Ironx64.SYS [2011-11-17 190072] S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0603000.00E\SYMNETS.SYS [2011-11-17 405624] S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960] S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-07-12 8704] S2 MBAMScheduler;MBAMScheduler;c:\program 
files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-07 399432] S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-07 676936] S2 N360;Norton Security Suite;c:\program files (x86)\Norton Security Suite\Engine\6.3.0.14\ccSvcHst.exe [2012-06-16 138272] S2 NOF;Norton Online;c:\program files (x86)\Norton Online\Engine\2.3.0.7\ccSvcHst.exe [2011-11-30 138248] S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120] S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-09-01 138912] S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-07 25928] S3 netr28ux;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28ux.sys [2012-01-13 1675840] S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368] . . Contents of the 'Scheduled Tasks' folder . 2012-09-13 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-21 03:59] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1211688] "Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 415816] "Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-03 2412616] "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-10-15 539456] . ------- Supplementary Scan ------- . 
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.bing.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Dxtory Update Checker 2.0 - c:\program files (x86)\Dxtory Software\Dxtory2.0\UpdateChecker.exe
Wow6432Node-HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\6.3.0.14\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\6.3.0.14\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NOF]
"ImagePath"="\"c:\program files (x86)\Norton Online\Engine\2.3.0.7\ccSvcHst.exe\" /s \"NOF\" /m \"c:\program files (x86)\Norton Online\Engine\2.3.0.7\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\AB3E.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{B8E07826-0971-4F16-B133-047B88034E89}"=hex:51,66,7a,6c,4c,1d,38,12,48,7b,f3,bc,43,47,78,0a,ce,25,47,3b,8d,5d,0a,9d
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"=hex:51,66,7a,6c,4c,1d,38,12,70,05,61,f9,ec,d1,23,0d,da,9c,48,eb,44,0f,8e,cc
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:5c,e1,7b,1f,37,75,cd,01
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-13 19:56:25
ComboFix-quarantined-files.txt 2012-09-13 23:56
.
Pre-Run: 173,584,371,712 bytes free
Post-Run: 175,528,013,824 bytes free
.
- - End Of File - - 127BB92CC27A3CFC2622E3ECE17CB231
2012-Sep-13 8:02 pm
nethog
Member
2012-Sep-17 6:15 pm
LoPhatPhuud: Just so you know, my PC is still continuously receiving a stream of data; for example yesterday after 6 hours approximately 8Gb was received over my wireless connection. When I look at the connection status I see what appears to be 1 Mb transmitted every 2-3 seconds with NO network apps running.
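The transfer nethog describes above, roughly a megabyte every few seconds with no network applications open, can be tied to a process from an elevated PowerShell prompt. The script below is an added example written for this page, not code from the thread or from any tool the thread mentions. It assumes Windows 7 or later, PowerShell 2.0 or later, an elevated prompt, and English performance-counter names (Get-Counter paths are localized on non-English installs). It averages each adapter's byte counters over a short window and then lists every TCP endpoint together with the image path of the process that owns it.

```powershell
# Added example (not from the thread). Assumes Windows 7+, PowerShell 2.0+,
# an elevated prompt, and English counter names.
param([int]$Seconds = 10)

# 1. Average receive and transmit rate per adapter over $Seconds one-second samples.
#    "Bytes Received/sec" and "Bytes Sent/sec" are already rate counters, so the
#    cooked values can simply be averaged.
$counters = '\Network Interface(*)\Bytes Received/sec',
            '\Network Interface(*)\Bytes Sent/sec'
$samples  = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples $Seconds
$rates    = @{}
foreach ($set in $samples) {
    foreach ($cs in $set.CounterSamples) {
        if (-not $rates.ContainsKey($cs.Path)) { $rates[$cs.Path] = @() }
        $rates[$cs.Path] += $cs.CookedValue
    }
}
"Average throughput over $Seconds s (bytes/s):"
foreach ($path in ($rates.Keys | Sort-Object)) {
    $avg = ($rates[$path] | Measure-Object -Average).Average
    if ($avg -gt 0) { '{0,12:N0}  {1}' -f $avg, $path }
}

# 2. Every TCP endpoint with the image that owns it. netstat -ano prints the PID
#    and Get-Process turns it into a path. $PID is reserved in PowerShell, so the
#    captured value is stored as $procId.
"`nTCP endpoints and owning processes:"
$owner = @{}
netstat -ano -p tcp | ForEach-Object {
    # Columns: Proto  Local Address  Foreign Address  State  PID
    if ($_ -match '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
        $laddr, $raddr, $state, $procId = $Matches[1], $Matches[2], $Matches[3], [int]$Matches[4]
        if (-not $owner.ContainsKey($procId)) {
            $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
            if ($p -and $p.Path) { $owner[$procId] = $p.Path }
            elseif ($p)          { $owner[$procId] = $p.ProcessName }
            else                 { $owner[$procId] = '<no process object: exited, protected, or hidden>' }
        }
        '{0,-23} {1,-23} {2,-12} {3,6}  {4}' -f $laddr, $raddr, $state, $procId, $owner[$procId]
    }
}

# Caveat: everything above asks the running kernel. A kernel-mode rootkit can
# filter these answers, so a listing with nothing suspicious on the infected
# machine is not evidence of a clean machine; an offline scan from bootable
# media is.
```

Save it as a .ps1 and run it from an elevated prompt while the unexplained transfer is happening; any endpoint whose owner column reads "no process object", or whose image path sits in a location such as c:\windows\installer or a user's temp folder, is the one to look at. The caveat in the last comment is the reason for the advice that follows in this thread: the same kernel that serves these queries is the one the rootkit controls.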
1 recommendation
to nethog
I believe the main culprit is multiple infections across multiple user accounts. That would explain the "mysterious" behavior when the logs show nothing.
Infections at this depth are best dealt with by reformat and re-install. Back up all pertinent data first.
Then either load the factory recovery program, or boot from your Windows DVD.
Operating System stability is foremost for me. If I can't be assured that the removal steps will leave a stable OS, then the only recommendation I can make is reformat.
2012-Sep-17 9:59 pm
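The reply above attributes the behaviour to infections across several user accounts, and a later question in the thread asks about scanning the other account. The PowerShell below is an added example, not code from the thread: it enumerates the per-user Run and RunOnce autostart entries of every local profile, mounting the NTUSER.DAT of accounts that are not logged in so that their entries are visible from one session. It assumes an elevated prompt on Windows 7 or later; the ProfileList and Run key paths are the standard Windows ones, and the function name Get-AllUserAutoruns is the example's own.

```powershell
# Added example (not from the thread). Assumes an elevated prompt on Windows 7+
# with PowerShell 2.0+; reg.exe is the built-in tool used to mount the hives.
$runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-AllUserAutoruns {
    # Every local account that has a profile is listed under ProfileList by SID.
    $profiles = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-*'
    foreach ($prof in $profiles) {
        $sid  = $prof.PSChildName
        $hive = Join-Path $prof.ProfileImagePath 'NTUSER.DAT'
        $loadedHere = $false
        if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
            # Account is not logged in, so its hive is not mounted: mount it under HKU\<SID>.
            & reg.exe load "HKU\$sid" $hive | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $hive (in use or missing)"; continue }
            $loadedHere = $true
        }
        try {
            foreach ($rel in $runKeys) {
                $key = "Registry::HKEY_USERS\$sid\$rel"
                if (-not (Test-Path $key)) { continue }
                $props = Get-ItemProperty $key
                foreach ($p in $props.PSObject.Properties) {
                    if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSChildName, ...)
                    New-Object PSObject -Property @{
                        Profile = $prof.ProfileImagePath
                        Key     = $rel
                        Name    = $p.Name
                        Command = $p.Value
                    }
                }
            }
        }
        finally {
            if ($loadedHere) {
                # The registry provider caches handles; collect before unloading or
                # reg.exe reports "access denied" and the hive stays mounted.
                [gc]::Collect()
                & reg.exe unload "HKU\$sid" | Out-Null
            }
        }
    }
}

Get-AllUserAutoruns | Format-Table -AutoSize Profile, Key, Name, Command

# Caveat: this reads the registry through the running kernel, so a rootkit that
# filters registry queries can hide its own values. Treat the listing as a
# triage aid; the authoritative check is an offline scan from bootable media.
```

Compare each account's entries against the HKCU Run entries in the ComboFix log above; a command that appears under a profile the scans never ran in, or one that points at a file in a temp or installer directory, is the kind of per-account persistence the reply is describing.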
nethog
Member
2012-Sep-18 6:07 pm
Would it help if I reran MBAM on the other account that is in use on this computer?
1 recommendation
to nethog
The problem is that your computer is infecting faster than you can clean it. MBAM may help, but it's not the preferred program for this trojan.
Again, for infections of this depth, I will only recommend reformat and re-install.
That said, if you want to try to remove the exploit from all users, you'll need to run an AV from a bootable CD/DVD.
My recommendation would be to use the Kaspersky Rescue tool. I'll post the instructions in the next post.
Please understand, my recommendation for reformat and reinstall still stands.
2012-Sep-19 10:52 am
LoPhatPhuud
1 recommendation
to nethog
The Kaspersky Rescue Disk is a bootable CD or USB based version of Kaspersky Antivirus. You will find full instructions for download and use at the following links:
CD based: » support.kaspersky.com/fa ··· 08282484
USB based: » support.kaspersky.com/fa ··· 08282163
Note: Please post the log (krd-log.txt) in your next reply.
2012-Sep-19 10:57 am
nethog
Member
2012-Sep-20 6:23 am
LoPhatPhuud: Well, I ran KRD and it detected 2 viruses. I selected "Disinfect All" and saved the log file, but when I tried rebooting back to Windows, Windows could not start. I tried selecting a restore point but it did not work. Do you know if I can undo the changes KRD made by booting back to the USB? Or some other suggestion?