Program Freezing and Lagging


#1 libra26
Thanks for the help, in advance! It's great to know there's so much help available.

I'm working on a friend's laptop. Apparently, he rarely uses any anti-virus software. His Symantec popped a threat every 10 seconds or so. His computer was horribly slow on startup and frequently needed 10-15 minutes to "warm up" after booting. Any program opened during this period would usually freeze to the extent that ctrl+alt+del wouldn't even work since it was frozen.

I ran Spybot and his Symantec Endpoint User Protection scan programs, and about 230 threats were detected and removed. These included Trojan.Gen, Trojan.Gen.2, W32.Silly FDC, Trojan.Zefarch, multiple downloaders, and some very suspicious jar_cache files that posed "multiple threats." Other programs were either quarantined or deleted by the active protection Symantec program. These didn't make it in the list of malicious programs above. I took all action suggested by Symantec and told it to permanently delete all files that it would allow me to.

This has already helped a good bit, but I wanted to be sure that I have cleaned everything up in case these viruses have caused damage or changes that Symantec and Spybot haven't remedied.

I've attached the Spybot log, but the site wouldn't permit me to upload the Symantec log. I've also uploaded a Full Scan report with corresponding extras.txt.

Here's the OTL Quick Scan information. I've also included the text in the additional "extras.txt" file that was generated when the quick scan completed.

OTL logfile created on: 7/9/2011 2:11:19 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Users\Kevin\Desktop
64bit- Enterprise Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.87 Gb Total Physical Memory | 1.09 Gb Available Physical Memory | 37.92% Memory free
5.73 Gb Paging File | 4.02 Gb Available in Paging File | 70.19% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 222.43 Gb Total Space | 105.65 Gb Free Space | 47.50% Space Free | Partition Type: NTFS

Computer Name: UNC-C1F0YCECGDA | User Name: Kevin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/09 14:02:33 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\Kevin\Desktop\OTL.exe
PRC - [2011/06/23 19:36:54 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2010/05/18 15:46:30 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2010/05/18 15:46:28 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
PRC - [2010/05/18 15:46:26 | 001,831,024 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2010/05/18 15:46:26 | 000,181,616 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SavUI.exe
PRC - [2010/05/18 15:46:26 | 000,050,544 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
PRC - [2010/05/12 18:04:48 | 000,599,480 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
PRC - [2010/05/12 18:03:22 | 000,300,472 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/05/16 23:12:54 | 000,290,816 | ---- | M] (Pharos Systems International) -- C:\Program Files (x86)\PharosSystems\Core\CTskMstr.exe


========== Modules (SafeList) ==========

MOD - [2011/07/09 14:02:33 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\Kevin\Desktop\OTL.exe
MOD - [2010/08/21 01:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 21:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2010/05/18 15:46:30 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2010/05/18 15:46:30 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2010/05/18 15:46:28 | 000,419,656 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE -- (SNAC)
SRV - [2010/05/18 15:46:26 | 003,218,880 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2010/05/18 15:46:26 | 001,831,024 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/17 10:53:18 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/05/16 23:12:54 | 000,290,816 | ---- | M] (Pharos Systems International) [Auto | Running] -- C:\Program Files (x86)\PharosSystems\Core\CTskMstr.exe -- (Pharos Systems ComTaskMaster)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/03/11 02:22:41 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 02:22:40 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/10/17 19:01:34 | 000,172,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2010/09/28 16:44:52 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2010/08/25 20:36:04 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/05/18 15:46:30 | 000,482,352 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\srtspl64.sys -- (SRTSPL)
DRV:64bit: - [2010/05/18 15:46:30 | 000,447,536 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\SysNative\drivers\srtsp64.sys -- (SRTSP)
DRV:64bit: - [2010/05/18 15:46:30 | 000,032,304 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\srtspx64.sys -- (SRTSPX)
DRV:64bit: - [2010/04/16 17:22:04 | 000,087,600 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ctxusbm.sys -- (ctxusbm)
DRV:64bit: - [2010/03/31 04:10:18 | 000,450,048 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RTL8187B.sys -- (RTL8187B)
DRV:64bit: - [2009/10/09 22:41:20 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2009/10/07 09:49:28 | 006,379,288 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lvuvc64.sys -- (LVUVC64) QuickCam Communicate Deluxe(UVC)
DRV:64bit: - [2009/10/07 09:47:46 | 000,327,704 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lvrs64.sys -- (LVRS64)
DRV:64bit: - [2009/07/20 18:48:32 | 000,274,480 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 19:21:48 | 000,038,400 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tpm.sys -- (TPM)
DRV:64bit: - [2009/07/13 17:36:22 | 000,253,488 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Apfiltr.sys -- (ApfiltrService)
DRV:64bit: - [2009/06/19 22:09:57 | 001,394,688 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2009/06/10 17:01:11 | 001,485,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTDPV6.SYS -- (SrvHsfV92)
DRV:64bit: - [2009/06/10 17:01:11 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS -- (SrvHsfWinac)
DRV:64bit: - [2009/06/10 17:01:11 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTAZL6.SYS -- (SrvHsfHDA)
DRV:64bit: - [2009/06/10 16:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 16:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64) Intel®
DRV:64bit: - [2009/06/10 16:35:20 | 000,278,016 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\e1e6032e.sys -- (e1express) Intel®
DRV:64bit: - [2009/06/10 16:35:02 | 000,281,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\e1y60x64.sys -- (e1yexpress) Intel®
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 14:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/03/02 00:05:32 | 000,187,392 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2007/11/09 06:00:30 | 000,026,968 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\TVALZ_O.SYS -- (TVALZ)
DRV - [2011/05/17 04:00:00 | 002,011,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20110708.001\EX64.SYS -- (NAVEX15)
DRV - [2011/05/17 04:00:00 | 000,117,880 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20110708.001\ENG64.SYS -- (NAVENG)
DRV - [2011/05/09 04:00:00 | 000,481,912 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2011/05/09 04:00:00 | 000,136,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/18 15:46:30 | 000,482,352 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\srtspl64.sys -- (SRTSPL)
DRV - [2010/05/18 15:46:30 | 000,447,536 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\SysWOW64\drivers\srtsp64.sys -- (SRTSP)
DRV - [2010/05/18 15:46:30 | 000,032,304 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysWOW64\drivers\srtspx64.sys -- (SRTSPX)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec....ponse/index.jsp

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec....ponse/index.jsp

IE - HKU\S-1-5-21-2621877675-1559041608-2168509566-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec....ponse/index.jsp
IE - HKU\S-1-5-21-2621877675-1559041608-2168509566-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-2621877675-1559041608-2168509566-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-2621877675-1559041608-2168509566-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 74 6B F4 9A FB 85 CB 01 [binary data]
IE - HKU\S-1-5-21-2621877675-1559041608-2168509566-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2621877675-1559041608-2168509566-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://go.microsoft..../?LinkId=69157"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}:5.0.12
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..network.proxy.type: 0

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.97: C:\Program Files (x86)\NOS\bin\np_gp.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/06/23 19:36:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/06/23 19:36:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.4\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2010/12/13 11:53:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.4\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2010/11/17 14:42:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kevin\AppData\Roaming\Mozilla\Extensions
[2011/07/09 13:44:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\1knux43m.default\extensions
[2011/06/01 09:06:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/11/18 21:39:02 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2011/01/08 22:07:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}
[2011/02/03 10:42:06 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/06/01 09:06:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2010/05/12 17:42:04 | 000,124,344 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\CCMSDK.dll
[2010/05/12 17:43:54 | 000,070,592 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\CgpCore.dll
[2010/05/12 17:42:52 | 000,091,576 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\confmgr.dll
[2010/05/12 17:42:32 | 000,022,464 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\ctxlogging.dll
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2010/05/12 18:22:36 | 000,423,328 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\plugins\npicaN.dll
[2010/05/12 17:43:56 | 000,024,000 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\TcpPServ.dll

O1 HOSTS File: ([2011/07/08 15:24:54 | 000,435,740 | R--- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123fporn.info
O1 - Hosts: 14993 more lines...
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (SMTTB2009 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - File not found
O3 - HKLM\..\Toolbar: (Temp File Cleaner Toolbar) - {338B4DFE-2E2C-4338-9E41-E176D497299E} - File not found
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [ccApp] C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files (x86)\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [] File not found
O4 - HKU\S-1-5-19..\RunOnce: [] File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-20..\RunOnce: [] File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-21-2621877675-1559041608-2168509566-1000..\RunOnce: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_12)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - Reg Error: Key error. File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18:64bit: - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/09 14:02:29 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Users\Kevin\Desktop\OTL.exe
[2011/07/09 13:42:54 | 000,000,000 | ---D | C] -- C:\Users\Kevin\AppData\Roaming\QuickScan
[2011/07/08 14:30:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2011/07/08 14:30:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/07/08 14:30:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2011/07/02 00:16:01 | 000,000,000 | ---D | C] -- C:\Users\Kevin\Desktop\Brandon Loves You Cause You're AMAZING
[2011/07/01 14:29:43 | 000,000,000 | ---D | C] -- C:\Users\Kevin\IAG Remote Access Agent
[2011/06/27 18:10:20 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/06/27 11:29:21 | 000,000,000 | ---D | C] -- C:\Windows\Temp
[2011/06/12 22:01:48 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\Fonts\*.tmp files -> C:\Windows\Fonts\*.tmp -> ]
[1 C:\Users\Kevin\Desktop\*.tmp files -> C:\Users\Kevin\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/09 14:10:37 | 000,016,320 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/07/09 14:10:37 | 000,016,320 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/07/09 14:04:01 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/07/09 14:02:33 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\Kevin\Desktop\OTL.exe
[2011/07/09 13:00:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/07/08 15:56:56 | 000,729,014 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/07/08 15:56:56 | 000,626,092 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/07/08 15:56:56 | 000,107,098 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/07/08 15:49:22 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/07/08 15:47:49 | 2309,660,672 | -HS- | M] () -- C:\hiberfil.sys
[2011/07/08 15:24:54 | 000,435,740 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2011/07/08 14:42:06 | 000,435,740 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20110708-152454.backup
[2011/07/08 14:30:59 | 000,001,297 | ---- | M] () -- C:\Users\Kevin\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/07/08 14:30:59 | 000,001,273 | ---- | M] () -- C:\Users\Kevin\Desktop\Spybot - Search & Destroy.lnk
[2011/07/06 16:42:57 | 000,281,352 | ---- | M] () -- C:\Users\Kevin\Desktop\279320_2015976153620_1070310002_2252968_5854562_o.jpg
[2011/07/04 11:59:34 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\drivers\lvuvc.hs
[2011/06/30 13:05:55 | 000,493,864 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/06/12 22:01:38 | 402,620,995 | ---- | M] () -- C:\Windows\MEMORY.DMP
[1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Users\Kevin\Desktop\*.tmp files -> C:\Users\Kevin\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/08 14:30:59 | 000,001,297 | ---- | C] () -- C:\Users\Kevin\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/07/08 14:30:59 | 000,001,273 | ---- | C] () -- C:\Users\Kevin\Desktop\Spybot - Search & Destroy.lnk
[2011/07/06 16:39:23 | 000,281,352 | ---- | C] () -- C:\Users\Kevin\Desktop\279320_2015976153620_1070310002_2252968_5854562_o.jpg
[2011/06/12 22:01:38 | 402,620,995 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/01/08 22:45:45 | 000,743,534 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/01/08 22:19:02 | 000,077,824 | R--- | C] () -- C:\Windows\SysWow64\sasperf.dll
[2010/11/18 21:39:54 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/10/17 18:53:07 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/08/25 20:34:30 | 000,982,240 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin
[2010/08/25 20:34:30 | 000,439,308 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin
[2010/08/25 20:34:30 | 000,092,356 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin
[2010/08/25 19:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\iglhsip32.dll
[2010/08/25 19:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\iglhcp32.dll
[2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:59:36 | 000,139,824 | ---- | C] () -- C:\Windows\SysWow64\igfcg500.bin
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat

========== LOP Check ==========

[2010/12/18 12:08:21 | 000,000,000 | ---D | M] -- C:\Users\Kevin\AppData\Roaming\ICAClient
[2011/07/09 13:43:03 | 000,000,000 | ---D | M] -- C:\Users\Kevin\AppData\Roaming\QuickScan
[2011/02/08 12:04:01 | 000,000,000 | ---D | M] -- C:\Users\Kevin\AppData\Roaming\SAS
[2010/11/16 22:16:34 | 000,000,000 | ---D | M] -- C:\Users\Kevin\AppData\Roaming\WinBatch
[2009/07/14 01:08:49 | 000,025,650 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

OTL Extras logfile created on: 7/9/2011 2:03:24 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Users\Kevin\Desktop
64bit- Enterprise Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.87 Gb Total Physical Memory | 1.11 Gb Available Physical Memory | 38.59% Memory free
5.73 Gb Paging File | 4.06 Gb Available in Paging File | 70.77% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 222.43 Gb Total Space | 105.32 Gb Free Space | 47.35% Space Free | Partition Type: NTFS

Computer Name: UNC-C1F0YCECGDA | User Name: Kevin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2621877675-1559041608-2168509566-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A2163CB-4F47-44AA-A219-36133260CF17}" = Symantec Endpoint Protection
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
"{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
"{963BFE7E-C350-4346-B43C-B02358306A45}" = Apple Mobile Device Support
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{B6EFD9A5-2ECE-4C22-BAEC-D16E73EA2013}" = iTunes
"{E4F5E48E-7155-4CF9-88CD-7F377EC9AC54}" = Bonjour
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F8776060-6929-480C-9CD0-AD4920C354EF}" = 64 Bit HP BiDi Channel Components Installer
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"SynTPDeinstKey" = Synaptics Pointing Device Driver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java™ 6 Update 24
"{3248F0A8-6813-11D6-A77B-00B0D0150120}" = J2SE Runtime Environment 5.0 Update 12
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50ACF4F1-D38A-4DCE-8147-0F574CDEF45B}" = Citrix online plug-in (USB)
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-00D1-0409-0000-0000000FF1CE}" = Microsoft Office Access database engine 2007 (English)
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{5D15CCD0-2A41-4D56-AD90-4F049CE0B064}" =
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9F6CFB0-806D-11E0-8EA1-B8AC6F97B88E}" = Google Earth Plug-in
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.2
"{B124E6D3-91B4-4E3C-AD03-BA959B223537}" = Citrix online plug-in (Web)
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
"{D899C197-F8C1-4773-9EC4-6C1FBADB9B29}" = Citrix online plug-in (HDX)
"{D8D4ED7E-954C-449D-B21D-6F97036DF0E9}" = Citrix online plug-in (DV)
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F8D314CA-8049-49F3-816B-794C3E5BB161}" = SAS Enterprise Guide 4.2
"{F9390B82-786C-43CF-A970-D39E23EF0366}" = SAS 9.2 (32)
"1d8476e4fcca11dab0f6f685d746a93a" = SAS/SECURE Java 9.2
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CitrixOnlinePluginPackWeb" = Citrix online plug-in - web
"d512c678901db9d321c85ecf7c30ae2e" = SAS Deployment Tester - Client 1.3
"febb569a337f725f5f8607711f665d3b" = SAS Versioned Jar Repository 9.2
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Mozilla Firefox (3.6.18)" = Mozilla Firefox (3.6.18)
"Mozilla Thunderbird (3.1.4)" = Mozilla Thunderbird (3.1.4)
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"Pharos" = Pharos
"Temp File Cleaner" = Temp File Cleaner
"YTdetect" = Yahoo! Detect

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2621877675-1559041608-2168509566-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/9/2011 1:22:49 PM | Computer Name = UNC-C1F0YCECGDA | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Downloader in File: c:\Windows.old\Users\Kevin\AppData\Local\Temp\rdjt81oj.dll
by: Manual scan. Action: Cleaned by Deletion. Action Description: The file was
deleted successfully.

Error - 7/9/2011 1:24:00 PM | Computer Name = UNC-C1F0YCECGDA | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Downloader.Ertfor in File: C:\Windows.old\Users\Kevin\AppData\Local\Temp\vk38uml.exe
by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file
was deleted successfully.

Error - 7/9/2011 1:25:12 PM | Computer Name = UNC-C1F0YCECGDA | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!W32.Harakit in File: C:\Windows.old\Users\Kevin\AppData\Local\Temp\taskmgr.exe
by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file
was deleted successfully.

Error - 7/9/2011 1:26:15 PM | Computer Name = UNC-C1F0YCECGDA | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!W32.Harakit in File: C:\Windows.old\Users\Kevin\AppData\Local\Temp\lsass.exe
by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file
was deleted successfully.

Error - 7/9/2011 1:26:53 PM | Computer Name = UNC-C1F0YCECGDA | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Downloader.Ertfor in File: C:\Windows.old\Users\Kevin\AppData\Local\Temp\lmk1v4q.exe
by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file
was deleted successfully.

Error - 7/9/2011 1:27:25 PM | Computer Name = UNC-C1F0YCECGDA | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zefarch in File: c:\Windows.old\Users\Kevin\AppData\Local\{9795F915-B286-4549-A015-5A313BC19F37}\chrome\content\overlay.xul
by: Manual scan. Action: Cleaned by Deletion. Action Description: The file was
deleted successfully.

Error - 7/9/2011 1:28:16 PM | Computer Name = UNC-C1F0YCECGDA | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Zefarch!gen1 in File: C:\Windows.old\Users\Kevin\AppData\Local\Temp\raywqxi.exe
by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file
was deleted successfully.

Error - 7/9/2011 1:31:07 PM | Computer Name = UNC-C1F0YCECGDA | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!W32.SillyFDC in File: c:\Windows.old\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start
Menu\Programs\Startup\cxxegewa.exe by: Manual scan. Action: Cleaned by Deletion.
Action Description: The file was deleted successfully.

Error - 7/9/2011 1:31:12 PM | Computer Name = UNC-C1F0YCECGDA | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: c:\Windows.old\Users\Kevin\AppData\Roaming\sdra64.exe
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully.

Error - 7/9/2011 2:08:45 PM | Computer Name = UNC-C1F0YCECGDA | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

[ System Events ]
Error - 6/27/2011 6:43:31 PM | Computer Name = UNC-C1F0YCECGDA | Source = DCOM | ID = 10010
Description =

Error - 6/27/2011 11:35:54 PM | Computer Name = UNC-C1F0YCECGDA | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the Netman service.

Error - 6/29/2011 5:40:39 AM | Computer Name = UNC-C1F0YCECGDA | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the ShellHWDetection service.

Error - 6/29/2011 9:12:06 AM | Computer Name = UNC-C1F0YCECGDA | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the ShellHWDetection service.

Error - 6/30/2011 8:45:32 AM | Computer Name = UNC-C1F0YCECGDA | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the ShellHWDetection service.

Error - 6/30/2011 1:06:33 PM | Computer Name = UNC-C1F0YCECGDA | Source = Application Popup | ID = 1060
Description = \??\C:\Windows\TEMP\mc2A727.tmp has been blocked from loading due
to incompatibility with this system. Please contact your software vendor for a compatible
version of the driver.

Error - 6/30/2011 1:11:17 PM | Computer Name = UNC-C1F0YCECGDA | Source = Service Control Manager | ID = 7022
Description = The Windows Update service hung on starting.

Error - 6/30/2011 1:12:19 PM | Computer Name = UNC-C1F0YCECGDA | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the ShellHWDetection service.

Error - 7/1/2011 8:41:51 AM | Computer Name = UNC-C1F0YCECGDA | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the Wlansvc service.

Error - 7/1/2011 9:48:09 AM | Computer Name = UNC-C1F0YCECGDA | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the ShellHWDetection service.


< End of report >

Attached Files


  • 0
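As an added triage aid that is not part of the original post or of OTL: a Python helper that parses the Symantec AntiVirus entries in the "Last 10 Event Log Errors" block above (a constructed excerpt copied from that log is embedded), rejoins OTL's wrapped lines, and reports what was deleted versus only quarantined and how much of it sat under \Windows.old\ rather than in the live profile.

```python
"""Triage helper for the "Last 10 Event Log Errors" block of an OTL log.
Added example, not part of the forum post or of OTL itself."""
import re
from collections import Counter
from dataclasses import dataclass

# OTL event header: "Error - <time> | Computer Name = <host> | Source = <src> | ID = <n>"
ENTRY_HEADER = re.compile(
    r"^Error - (?P<time>.+?) \| Computer Name = .+? \| Source = (?P<source>.+?) \| ID = \d+$"
)
# Symantec's description once OTL's line wrapping has been undone.
DETECTION = re.compile(
    r"^Description = Security Risk Found!(?P<threat>\S+) in File: (?P<path>.+?) "
    r"by: (?P<scan>.+?)\. Action: (?P<action>.+?)\. Action Description: .+$"
)

@dataclass
class Detection:
    time: str
    threat: str
    path: str
    scan: str
    action: str

    @property
    def deleted(self) -> bool:
        return self.action.lower().startswith("cleaned by deletion")

    @property
    def location(self) -> str:
        # Coarse bucket for where the file lived, most specific marker first.
        p = self.path.lower()
        for tag, marker in (("startup", "\\startup\\"), ("temp", "\\temp\\"),
                            ("roaming", "\\appdata\\roaming\\")):
            if marker in p:
                return tag
        return "other"

def _blocks(text: str) -> list[list[str]]:
    """Split the log into entries; OTL separates them with blank lines."""
    blocks, cur = [], []
    for line in text.splitlines():
        if line.strip():
            cur.append(line.strip())
        elif cur:
            blocks.append(cur)
            cur = []
    if cur:
        blocks.append(cur)
    return blocks

def parse_detections(text: str) -> list[Detection]:
    found = []
    for block in _blocks(text):
        # Locate the header line; the first block also carries "[ Application Events ]".
        heads = [(i, ENTRY_HEADER.match(ln)) for i, ln in enumerate(block)]
        heads = [(i, m) for i, m in heads if m]
        if not heads or heads[0][1]["source"] != "Symantec AntiVirus":
            continue  # CAPI2, Service Control Manager, DCOM, ... are not detections
        i, head = heads[0]
        # OTL wraps descriptions at ~80 columns; one space restores the text ("Start Menu").
        body = DETECTION.match(" ".join(block[i + 1:]))
        if body:
            found.append(Detection(head["time"], *body.group("threat", "path", "scan", "action")))
    return found

def summarize(text: str) -> dict:
    """Counts per threat/location, how many sat under \\Windows.old\\ (the previous
    installation's profile), and the paths that were only quarantined."""
    dets = parse_detections(text)
    return {
        "total": len(dets),
        "by_threat": dict(Counter(d.threat for d in dets)),
        "by_location": dict(Counter(d.location for d in dets)),
        "in_windows_old": sum("\\windows.old\\" in d.path.lower() for d in dets),
        "quarantined": [d.path for d in dets if not d.deleted],
    }

# Constructed excerpt in OTL's format, copied from the log above; the CAPI2 entry is not a detection.
SAMPLE = r"""[ Application Events ]
Error - 7/9/2011 1:22:49 PM | Computer Name = UNC-C1F0YCECGDA | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Downloader in File: c:\Windows.old\Users\Kevin\AppData\Local\Temp\rdjt81oj.dll
by: Manual scan. Action: Cleaned by Deletion. Action Description: The file was
deleted successfully.

Error - 7/9/2011 1:31:07 PM | Computer Name = UNC-C1F0YCECGDA | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!W32.SillyFDC in File: c:\Windows.old\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start
Menu\Programs\Startup\cxxegewa.exe by: Manual scan. Action: Cleaned by Deletion.
Action Description: The file was deleted successfully.

Error - 7/9/2011 1:31:12 PM | Computer Name = UNC-C1F0YCECGDA | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen.2 in File: c:\Windows.old\Users\Kevin\AppData\Roaming\sdra64.exe
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully.

Error - 7/9/2011 2:08:45 PM | Computer Name = UNC-C1F0YCECGDA | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .
"""
```

Run `summarize(SAMPLE)` on the excerpt, or paste the whole event block from an OTL Extras log into `SAMPLE`; a non-empty `quarantined` list is the set of files still on disk that merit a second look.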



#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

You do not have the latest Java.
First go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
Java™ 6 Update 24
J2SE Runtime Environment 5.0 Update 12

Get the latest at:

http://javadl.sun.co...?BundleId=41723

Save it to your PC then close all browsers and install it. Do not let it install the yahoo toolbar or other foistware.

Copy the text between the lines of stars by highlighting and Ctrl + c


********************************************************************
:processes
killallprocesses

:OTL
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}:5.0.12
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.97: C:\Program Files (x86)\NOS\bin\np_gp.dll File not found
[2011/01/08 22:07:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}
[2011/02/03 10:42:06 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/06/01 09:06:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
O2 - BHO: (SMTTB2009 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - File not found
O3 - HKLM\..\Toolbar: (Temp File Cleaner Toolbar) - {338B4DFE-2E2C-4338-9E41-E176D497299E} - File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_12)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)

:Commands
[purity]
[Reboot]


*******************************************************************

Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done.

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

Right-click on Malwarebytes' Anti-Malware and select Run As Administrator and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform Quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



ComboFix

You must first uninstall AVG before running Combofix then download and run the AVG removal tool.
http://download.avg....6_2011_1322.exe

:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Right-click on ComboFix and select Run As Administrator to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then right click and Run as Administrator

If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Download aswMBR.exe ( 511KB ) to your desktop.

Right-click aswMBR.exe and select Run As Administrator to run it.

Click the "Scan" button to start scan

On completion of the scan (Note if the Fix button is enabled and tell me) click save log, save it to your desktop and post in your next reply




Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it by right clicking and Run As Administrator. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.

Use IE and go to http://eset.com/onlinescan and click on ESET online Scanner. Accept the terms then press Start (If you get a warning from your browser tell it you want to run it).

# Check Scan Archives
# Push the Start button.
# ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
# When the scan completes, push LIST OF THREATS FOUND
# Push EXPORT TO TEXT FILE , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
# Push the BACK button.
# Push Finish
# Once the scan is completed, you may close the window.
# Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
# Copy and paste that log as a reply.


Let's also try the bitdefender quickscan. Close all browsers windows but one and go to:

http://quickscan.bitdefender.com/

When it finishes there is a report option. Click on it and copy and paste the report (even if it says nothing found).

Now for some maintenance:

1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.

Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application. Reboot. The disk check will run and will probably take an hour or more to finish.


Start, All Programs, Accessories then right click on Command Prompt and type (with an Enter after each line).

sfc /scannow

(SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.)

sigverif

Press Start in the new window. This will check your drivers. If you just get a few when it finishes tell me what they are. If you get a lot just look for those with newish dates (since about the time the problem started.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

Ron
  • 0

#3
libra26

libra26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
aswMBR was only partially complete when I terminated it. This occurred after one blue screen restart. Should it take more than 2 hours to complete a quickscan?

Eset is in progress.

Sfc detected some corrupted files but could not repair all of them because they were in use.

Let me know if I missed a log file.

Attached Files


  • 0

#4
libra26

libra26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
added...

Attached Files


  • 0

#5
libra26

libra26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Forgot to mention:

1) The Symantec notifications that previously involved the /Windows.old folder are now indicating Trojan activity in Symantec's quarantine folder. When I try to delete the quarantined files through Symantec, they replicate. I can't clear the window.

2) When looking through my saved passwords file in Firefox I came across an entry for the website http://1.1.1.1 with password: backdoor. I promptly deleted it.

3) Firefox will no longer allow me to download files and returns the error message C:Windows/Temp could not be modified, unless I run it as an administrator.
  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Please do not attach your logs. Copy and paste them. It's too hard to work with them otherwise.



I'm assuming you meant Combofix. Combofix takes a long time when something is actively fighting it. Try booting into Safe Mode with Networking and running it from there. (Reboot, when you see the maker's logo, hear a beep or it mentions F8, start tapping the F8 key slowly. Keep tapping until you see the Safe Mode Menu. Select Safe Mode with Networking and log in as your usual login. ) Remember we don't want Symantec running as it will also keep it from working and may delete key files.

Not sure why Firefox thinks it needs to save to C:\windows\temp. Try changing the download location to your desktop. Firefox, Options, General, Save Files to, Browse and point it at the Desktop then OK, OK.

Also Open a Command Prompt ((Start), (all) Programs, Accessories then right click on Command Prompt and select Run As Administrator) and type:

set

(with an Enter after the line)
Near the bottom of the output should be a line starting with TEMP and another that starts with TMP. What do they point to?

If you are logged in as Kevin then it should say:
TEMP=C:\Users\Kevin\AppData\Local\Temp
TMP=C:\Users\Kevin\AppData\Local\Temp

Does it?


Now type:

cd \windows\temp

(Enter at end of line and space after cd. Prompt should change to show you are now in c:\windows\temp)

Dir  /a  \windows\temp  >  \junk.txt
notepad  \junk.txt

Copy and Paste the text from notepad.

Can you attach a screen shot of the quarantine list from Symantec?
http://graphicssoft....nscreenshot.htm Save the file as a .jpg or the forum won't allow it.

Ron
  • 0

#7
libra26

libra26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I did the CMD stuff. The TEMP and TMP locations were not as you listed. Instead, both showed C:\windows\temp. I am logged in as Kevin and I am unaware of any other user account.

I also checked the location where Firefox is told to save files. It already says the desktop.

Also noticed that I cannot save files in Paint unless I run it as an administrator.

I've pasted the junk.txt and completed aswMBR log below...

Here's the text of the junk file:

Volume in drive C is TI105756W0B
Volume Serial Number is 3AD6-C62D

Directory of C:\windows\temp

07/10/2011 12:09 PM <DIR> .
07/10/2011 12:09 PM <DIR> ..
07/10/2011 03:08 AM 0 FXSAPIDebugLogFile.txt
07/10/2011 03:08 AM 0 FXSTIFFDebugLogFile.txt
07/10/2011 05:37 AM <DIR> plugtmp
07/10/2011 04:06 AM 5,800 qs-en-utf16.txt
07/10/2011 11:54 AM <DIR> _av4_
07/10/2011 09:08 AM <DIR> _avast4_
3 File(s) 5,800 bytes
5 Dir(s) 118,915,727,360 bytes free


Here's the log after aswMBR completed:

aswMBR version 0.9.7.705 Copyright© 2011 AVAST Software
Run date: 2011-07-09 23:47:51
-----------------------------
23:47:51.072 OS Version: Windows x64 6.1.7600
23:47:51.072 Number of processors: 1 586 0x170A
23:47:51.072 ComputerName: UNC-C1F0YCECGDA UserName: Kevin
23:47:54.160 Initialize success
23:48:00.728 AVAST engine defs: 11070901
23:48:11.274 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
23:48:11.274 Disk 0 Vendor: TOSHIBA_MK2555GSX FG001M Size: 238475MB BusType: 11
23:48:13.348 Disk 0 MBR read successfully
23:48:13.364 Disk 0 MBR scan
23:48:13.364 Disk 0 Windows 7 default MBR code
23:48:13.364 Service scanning
23:48:20.025 Disk 0 trace - called modules:
23:48:20.072 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
23:48:20.088 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800323e660]
23:48:20.088 3 CLASSPNP.SYS[fffff880018f143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0xfffffa80030f1060]
23:48:21.741 AVAST engine scan C:\Windows
00:43:46.031 File: C:\Windows\System32\drivers\en-US\bfe.dll.mui **SUSPICIOUS**
00:43:52.287 File: C:\Windows\System32\drivers\en-US\ndiscap.sys.mui **SUSPICIOUS**
00:43:53.504 File: C:\Windows\System32\drivers\en-US\pacer.sys.mui **SUSPICIOUS**
00:43:55.800 File: C:\Windows\System32\drivers\en-US\qwavedrv.sys.mui **SUSPICIOUS**
00:43:56.408 File: C:\Windows\System32\drivers\en-US\scfilter.sys.mui **SUSPICIOUS**
00:43:57.220 File: C:\Windows\System32\drivers\en-US\tcpip.sys.mui **SUSPICIOUS**
00:44:46.305 File: C:\Windows\System32\drivers\wimmount.sys **SUSPICIOUS**
02:06:39.433 Disk 0 MBR has been saved successfully to "C:\Users\Kevin\Desktop\Brandon Loves You Cause You're AMAZING\Virus Logs\MBR.dat"
02:06:39.433 The log file has been saved successfully to "C:\Users\Kevin\Desktop\Brandon Loves You Cause You're AMAZING\Virus Logs\aswMBR.txt"


aswMBR version 0.9.7.705 Copyright© 2011 AVAST Software
Run date: 2011-07-10 05:59:03
-----------------------------
05:59:03.163 OS Version: Windows x64 6.1.7601 Service Pack 1
05:59:03.163 Number of processors: 1 586 0x170A
05:59:03.178 ComputerName: UNC-C1F0YCECGDA UserName: Kevin
05:59:15.811 Initialize success
05:59:26.711 AVAST engine defs: 11070901
06:00:10.302 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
06:00:10.304 Disk 0 Vendor: TOSHIBA_MK2555GSX FG001M Size: 238475MB BusType: 11
06:00:12.350 Disk 0 MBR read successfully
06:00:12.352 Disk 0 MBR scan
06:00:12.355 Disk 0 Windows 7 default MBR code
06:00:12.358 Service scanning
06:00:17.378 Disk 0 trace - called modules:
06:00:17.403 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
06:00:17.407 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003266060]
06:00:17.410 3 CLASSPNP.SYS[fffff8800198f43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0xfffffa8002e8e060]
06:00:18.189 AVAST engine scan C:\Windows
06:43:33.759 File: C:\Windows\System32\drivers\en-US\bfe.dll.mui **SUSPICIOUS**
06:43:40.319 File: C:\Windows\System32\drivers\en-US\ndiscap.sys.mui **SUSPICIOUS**
06:43:41.612 File: C:\Windows\System32\drivers\en-US\pacer.sys.mui **SUSPICIOUS**
06:43:43.263 File: C:\Windows\System32\drivers\en-US\qwavedrv.sys.mui **SUSPICIOUS**
06:43:44.230 File: C:\Windows\System32\drivers\en-US\scfilter.sys.mui **SUSPICIOUS**
06:43:44.975 File: C:\Windows\System32\drivers\en-US\tcpip.sys.mui **SUSPICIOUS**
06:45:02.413 File: C:\Windows\System32\drivers\wimmount.sys **SUSPICIOUS**
08:56:51.038 AVAST engine scan C:\Users\Kevin
09:09:23.303 AVAST engine scan C:\ProgramData
09:45:19.021 Scan finished successfully
11:54:12.276 Disk 0 MBR has been saved successfully to "C:\Users\Kevin\Desktop\Brandon Loves You Cause You're AMAZING\Virus Logs\MBR.dat"
11:54:12.320 The log file has been saved successfully to "C:\Users\Kevin\Desktop\Brandon Loves You Cause You're AMAZING\Virus Logs\aswMBR.txt"

#8
libra26 (Member, Topic Starter, 17 posts)
Screen shots. scr1.jpg - how the quarantine window looked when I opened; scr2.jpg - the bottom of the populated list; scr3.jpg - the beginning of the new list once I selected all the previous entries and deleted them.

Attached Thumbnails

  • scr1.jpg
  • scr2.jpg
  • scr3.jpg


#9
RKinner (Malware Expert, MVP, 19,788 posts)
(Start), (Settings) Control Panel, System, Advanced System Settings, Continue, Advanced, Environmental Variables, User Variables for Kevin, Click on Temp then Edit. Change it to read
%USERPROFILE%\AppData\Local\Temp
repeat for TMP. OK.

That should fix the download problem.

Ron
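As an added example (not from the thread and not Ron's instructions), this PowerShell script performs the same TEMP/TMP check and correction from the command line: it reads the per-user values that the System Properties dialog edits, compares them to the %USERPROFILE%\AppData\Local\Temp template, probes the resulting folder, and with -Fix rewrites wrong values as REG_EXPAND_SZ. It assumes Windows Vista or later (per-user temp under AppData\Local) and PowerShell 2.0 or newer, run in the session of the affected user.

```powershell
# Added diagnostic, not part of the thread or of any Symantec/Microsoft tool:
# checks the per-user TEMP and TMP values that the System Properties dialog edits.
# Assumes Windows Vista or later and PowerShell 2.0 or newer, run as the affected
# user so that HKCU and USERPROFILE belong to that user.
param([switch]$Fix)

$expectedRaw = '%USERPROFILE%\AppData\Local\Temp'               # what the dialog should contain
$expected    = Join-Path $env:USERPROFILE 'AppData\Local\Temp'  # what it expands to
$envKey      = Get-Item -LiteralPath 'HKCU:\Environment'

function Test-TempVar {
    param([string]$Name)

    # Read the stored string WITHOUT expanding %USERPROFILE%, so a hard-coded
    # value such as C:\windows\temp (the symptom in this thread) is visible as-is.
    $stored = $envKey.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
    $kind   = if ($null -ne $stored) { $envKey.GetValueKind($Name).ToString() } else { 'missing' }

    # The effective value is what `set` prints at a command prompt.
    $effective = [Environment]::GetEnvironmentVariable($Name)

    $ok = $false
    if ($effective) {
        $resolved = Resolve-Path -LiteralPath $effective -ErrorAction SilentlyContinue
        if ($resolved -and ($resolved.Path -ieq $expected)) { $ok = $true }
    }

    # Write/read-back probe. Passing the probe does not make a wrong path acceptable;
    # the point of the variable is that every program gets the user's own folder.
    $writable = $false
    if ($effective -and (Test-Path -LiteralPath $effective -PathType Container)) {
        $probe = Join-Path $effective ('tempcheck-{0}.txt' -f [guid]::NewGuid())
        try {
            Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
            $null = Get-Content -LiteralPath $probe -ErrorAction Stop
            Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
            $writable = $true
        } catch { $writable = $false }
    }

    New-Object PSObject -Property @{
        Name      = $Name
        Stored    = $stored
        Kind      = $kind           # should be ExpandString (REG_EXPAND_SZ)
        Effective = $effective
        Expected  = $expected
        Ok        = $ok
        Writable  = $writable
    }
}

$results = 'TEMP', 'TMP' | ForEach-Object { Test-TempVar -Name $_ }
$results | Format-List Name, Stored, Kind, Effective, Expected, Ok, Writable

if ($Fix) {
    foreach ($r in ($results | Where-Object { -not $_.Ok })) {
        # Store the template as REG_EXPAND_SZ, which is what the dialog writes,
        # so the value keeps following the profile instead of a fixed drive path.
        Set-ItemProperty -LiteralPath 'HKCU:\Environment' -Name $r.Name `
            -Value $expectedRaw -Type ExpandString
        Write-Host ("Reset {0} to {1}; log off and back on for it to take effect." -f $r.Name, $expectedRaw)
    }
}
```

Run it without -Fix first to see the stored and effective values side by side; a Kind other than ExpandString, or an Effective path outside the user's profile, is the misconfiguration Ron's steps correct.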

#10
libra26 (Member, Topic Starter, 17 posts)
Thanks, do you think that would also solve the other program save issues?

As a side note, I remember deleting those (sorry) when I started to poke around to investigate the virus issues. Just to be clear, the issues predated my clumsiness.

#11
libra26 (Member, Topic Starter, 17 posts)
Also, I forgot to mention these two things:

I couldn't run Eset in IE because it would basically seize up. Way worse than Firefox. I eventually opened the site through Firefox and downloaded the program to run from my computer. It was 95% finished when I accidentally X'd out of the program. It had found around 10 threats, consisting of java trojans and some trojan.bk and other variants as well as additional bugs that I can't remember. I am running the program again and will post the log when it finishes.

I accessed the quarantine and deleted what it had found. I've attached the screenshot of those files in case it would be helpful.

Second, I forgot to mention something strange that happened right after I cleared the system and application logs and did a disk error check like you instructed. I opened the event viewer to see what Windows had found, and a strange error message popped up. It said something about a corrupted snap-in, or something to that effect. I told it to take action, but I can't remember if it gave me the option to replace/repair the snap-in or delete it. I'm posting this on the odd chance that you would find this hardly complete information helpful. I didn't take a screenshot, sorry.

I also found the following three LOG files and am posting them in case you haven't yet seen them:

notify_debug.txt:

[2010-11-30 11:05:24.847 P2076 T2444] --> CNotifyServer::HandleCallImpl()
[2010-11-30 11:05:24.862 P2076 T2444] --> CBalloonBoxDetails::ReadPacket()
[2010-11-30 11:05:24.863 P2076 T2444] <-- CBalloonBoxDetails::ReadPacket()
[2010-11-30 11:05:24.865 P2076 T2444] --> CBalloonBoxDetails::WriteXml()
[2010-11-30 11:05:24.866 P2076 T2444] <-- CBalloonBoxDetails::WriteXml()
[2010-11-30 11:05:24.868 P2076 T2444] Question
[2010-11-30 11:05:24.868 P2076 T2444] <questionsets><questionset><formtype>balloonform</formtype><title>Message about your print job...</title><timeout>15</timeout><question><prompt>Print job final (0 Color pages, 6 Black and White pages)
[2010-11-30 11:05:24.868 P2076 T2444] will cost $0.30 to print.</prompt><icon>1</icon></question><responsewanted>false</responsewanted></questionset></questionsets>
[2010-11-30 11:05:24.869 P2076 T2444] Session 1
[2010-11-30 11:05:24.873 P2076 T2444] --> CBaseDetails::InventReply()
[2010-11-30 11:05:24.875 P2076 T2444] <-- CBaseDetails::InventReply()
[2010-11-30 11:05:24.876 P2076 T2444] --> CBalloonBoxDetails::MakeReplyPacket()
[2010-11-30 11:05:24.877 P2076 T2444] <-- CBalloonBoxDetails::MakeReplyPacket()
[2010-11-30 11:05:24.879 P2076 T2444] OK
[2010-11-30 11:05:24.880 P2076 T2444] <-- CNotifyServer::HandleCallImpl()
[2010-11-30 11:05:24.882 P2076 T192] --> CallGui()
[2010-11-30 11:05:24.884 P2076 T192] Locked mutex
[2010-11-30 11:05:24.886 P2076 T192] --> XpPopupGui::PresentData()
[2010-11-30 11:05:24.891 P2076 T192] --> XpPopupGui::PackQuestionIntoMemFile()
[2010-11-30 11:05:24.893 P2076 T192] <-- XpPopupGui::PackQuestionIntoMemFile()
[2010-11-30 11:05:34.439 P2076 T192] --> XpPopupGui::ReadAnswerFromMemFile()
[2010-11-30 11:05:34.443 P2076 T192] <-- XpPopupGui::ReadAnswerFromMemFile()
[2010-11-30 11:05:34.445 P2076 T192] <-- XpPopupGui::PresentData()
[2010-11-30 11:05:34.447 P2076 T192] GUI finished
[2010-11-30 11:05:34.449 P2076 T192] OK
[2010-11-30 11:05:34.451 P2076 T192] <-- CallGui()
[2010-11-30 11:06:20.351 P2076 T2444] --> CNotifyServer::HandleCallImpl()
[2010-11-30 11:06:20.531 P2076 T2444] --> CBalloonBoxDetails::ReadPacket()
[2010-11-30 11:06:20.533 P2076 T2444] <-- CBalloonBoxDetails::ReadPacket()
[2010-11-30 11:06:20.535 P2076 T2444] --> CBalloonBoxDetails::WriteXml()
[2010-11-30 11:06:20.538 P2076 T2444] <-- CBalloonBoxDetails::WriteXml()
[2010-11-30 11:06:20.540 P2076 T2444] Question
[2010-11-30 11:06:20.540 P2076 T2444] <questionsets><questionset><formtype>balloonform</formtype><title>Message about your print job...</title><timeout>15</timeout><question><prompt>Print job rules (0 Color pages, 8 Black and White pages)
[2010-11-30 11:06:20.540 P2076 T2444] will cost $0.40 to print.</prompt><icon>1</icon></question><responsewanted>false</responsewanted></questionset></questionsets>
[2010-11-30 11:06:20.541 P2076 T2444] Session 1
[2010-11-30 11:06:20.543 P2076 T2444] --> CBaseDetails::InventReply()
[2010-11-30 11:06:20.546 P2076 T2444] <-- CBaseDetails::InventReply()
[2010-11-30 11:06:20.547 P2076 T2444] --> CBalloonBoxDetails::MakeReplyPacket()
[2010-11-30 11:06:20.549 P2076 T2444] <-- CBalloonBoxDetails::MakeReplyPacket()
[2010-11-30 11:06:20.550 P2076 T2444] OK
[2010-11-30 11:06:20.552 P2076 T2444] <-- CNotifyServer::HandleCallImpl()
[2010-11-30 11:06:20.554 P2076 T1892] --> CallGui()
[2010-11-30 11:06:20.556 P2076 T1892] Locked mutex
[2010-11-30 11:06:20.557 P2076 T1892] --> XpPopupGui::PresentData()
[2010-11-30 11:06:20.560 P2076 T1892] --> XpPopupGui::PackQuestionIntoMemFile()
[2010-11-30 11:06:20.562 P2076 T1892] <-- XpPopupGui::PackQuestionIntoMemFile()
[2010-11-30 11:06:37.683 P2076 T1892] --> XpPopupGui::ReadAnswerFromMemFile()
[2010-11-30 11:06:37.686 P2076 T1892] <-- XpPopupGui::ReadAnswerFromMemFile()
[2010-11-30 11:06:37.691 P2076 T1892] <-- XpPopupGui::PresentData()
[2010-11-30 11:06:37.693 P2076 T1892] GUI finished
[2010-11-30 11:06:37.695 P2076 T1892] OK
[2010-11-30 11:06:37.697 P2076 T1892] <-- CallGui()
[2010-11-30 11:26:57.275 P2076 T2444] --> CNotifyServer::HandleCallImpl()
[2010-11-30 11:26:57.279 P2076 T2444] --> CBalloonBoxDetails::ReadPacket()
[2010-11-30 11:26:57.281 P2076 T2444] <-- CBalloonBoxDetails::ReadPacket()
[2010-11-30 11:26:57.284 P2076 T2444] --> CBalloonBoxDetails::WriteXml()
[2010-11-30 11:26:57.286 P2076 T2444] <-- CBalloonBoxDetails::WriteXml()
[2010-11-30 11:26:57.288 P2076 T2444] Question
[2010-11-30 11:26:57.288 P2076 T2444] <questionsets><questionset><formtype>balloonform</formtype><title>Message about your print job...</title><timeout>15</timeout><question><prompt>Print job ppt (0 Color pages, 6 Black and White pages)
[2010-11-30 11:26:57.288 P2076 T2444] will cost $0.30 to print.</prompt><icon>1</icon></question><responsewanted>false</responsewanted></questionset></questionsets>
[2010-11-30 11:26:57.290 P2076 T2444] Session 1
[2010-11-30 11:26:57.295 P2076 T2444] --> CBaseDetails::InventReply()
[2010-11-30 11:26:57.297 P2076 T2444] <-- CBaseDetails::InventReply()
[2010-11-30 11:26:57.299 P2076 T2444] --> CBalloonBoxDetails::MakeReplyPacket()
[2010-11-30 11:26:57.301 P2076 T2444] <-- CBalloonBoxDetails::MakeReplyPacket()
[2010-11-30 11:26:57.303 P2076 T2444] OK
[2010-11-30 11:26:57.305 P2076 T2444] <-- CNotifyServer::HandleCallImpl()
[2010-11-30 11:26:57.307 P2076 T3184] --> CallGui()
[2010-11-30 11:26:57.309 P2076 T3184] Locked mutex
[2010-11-30 11:26:57.312 P2076 T3184] --> XpPopupGui::PresentData()
[2010-11-30 11:26:57.315 P2076 T3184] --> XpPopupGui::PackQuestionIntoMemFile()
[2010-11-30 11:26:57.328 P2076 T3184] <-- XpPopupGui::PackQuestionIntoMemFile()
[2010-11-30 11:27:00.446 P2076 T3184] --> XpPopupGui::ReadAnswerFromMemFile()
[2010-11-30 11:27:00.448 P2076 T3184] <-- XpPopupGui::ReadAnswerFromMemFile()
[2010-11-30 11:27:00.450 P2076 T3184] <-- XpPopupGui::PresentData()
[2010-11-30 11:27:00.452 P2076 T3184] GUI finished
[2010-11-30 11:27:00.454 P2076 T3184] OK
[2010-11-30 11:27:00.456 P2076 T3184] <-- CallGui()

VEW.txt

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 10/07/2011 4:39:33 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 10/07/2011 8:37:49 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:49 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:49 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:49 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:48 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:48 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:48 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:48 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:48 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:48 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:47 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:47 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:47 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:47 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:47 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:47 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:47 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:47 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:37 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

Log: 'Application' Date/Time: 10/07/2011 8:37:37 AM
Type: Error Category: 0
Event: 0 Source: SAS Disk Cleanup Handler
The event description cannot be found.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 10/07/2011 8:39:18 AM
Type: Warning Category: 3
Event: 3036 Source: Microsoft-Windows-Search
The content source <SharePointWorkspaceSearch://{S-1-5-21-2621877675-1559041608-2168509566-1000}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog

Details:
A server error occurred. Check that the server is available. (HRESULT : 0x80041206) (0x80041206)


Log: 'Application' Date/Time: 10/07/2011 8:26:43 AM
Type: Warning Category: 3
Event: 3036 Source: Microsoft-Windows-Search
The content source <SharePointWorkspaceSearch://{S-1-5-21-2621877675-1559041608-2168509566-1000}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog

Details:
A server error occurred. Check that the server is available. (HRESULT : 0x80041206) (0x80041206)


Log: 'Application' Date/Time: 10/07/2011 8:26:43 AM
Type: Warning Category: 3
Event: 3036 Source: Microsoft-Windows-Search
The content source <mapi://{S-1-5-21-2621877675-1559041608-2168509566-1000}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog

Details:
A server error occurred. Check that the server is available. (HRESULT : 0x80041206) (0x80041206)


Log: 'Application' Date/Time: 10/07/2011 8:24:14 AM
Type: Warning Category: 3
Event: 3036 Source: Microsoft-Windows-Search
The content source <SharePointWorkspaceSearch://{S-1-5-21-2621877675-1559041608-2168509566-1000}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog

Details:
No protocol handler is available. Install a protocol handler that can process this URL type. (HRESULT : 0x80040d37) (0x80040d37)


Log: 'Application' Date/Time: 10/07/2011 8:24:13 AM
Type: Warning Category: 3
Event: 3036 Source: Microsoft-Windows-Search
The content source <mapi://{S-1-5-21-2621877675-1559041608-2168509566-1000}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog

Details:
A server error occurred. Check that the server is available. (HRESULT : 0x80041206) (0x80041206)


Log: 'Application' Date/Time: 10/07/2011 8:18:41 AM
Type: Warning Category: 3
Event: 3036 Source: Microsoft-Windows-Search
The content source <mapi://{S-1-5-21-2621877675-1559041608-2168509566-1000}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog

Details:
No protocol handler is available. Install a protocol handler that can process this URL type. (HRESULT : 0x80040d37) (0x80040d37)


Log: 'Application' Date/Time: 10/07/2011 8:14:49 AM
Type: Warning Category: 1
Event: 1008 Source: Microsoft-Windows-Search
The Windows Search Service is starting up and attempting to remove the old search index {Reason: Application Requested}.


Log: 'Application' Date/Time: 10/07/2011 8:12:01 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2621877675-1559041608-2168509566-1000:
Process 1860 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-2621877675-1559041608-2168509566-1000\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks

TDSSkiller:

2011/07/09 18:21:58.0183 3456 TDSS rootkit removing tool 2.5.9.0 Jul 1 2011 18:45:21
2011/07/09 18:21:58.0558 3456 ================================================================================
2011/07/09 18:21:58.0558 3456 SystemInfo:
2011/07/09 18:21:58.0558 3456
2011/07/09 18:21:58.0558 3456 OS Version: 6.1.7600 ServicePack: 0.0
2011/07/09 18:21:58.0558 3456 Product type: Workstation
2011/07/09 18:21:58.0558 3456 ComputerName: UNC-C1F0YCECGDA
2011/07/09 18:21:58.0558 3456 UserName: Kevin
2011/07/09 18:21:58.0558 3456 Windows directory: C:\Windows
2011/07/09 18:21:58.0558 3456 System windows directory: C:\Windows
2011/07/09 18:21:58.0558 3456 Running under WOW64
2011/07/09 18:21:58.0558 3456 Processor architecture: Intel x64
2011/07/09 18:21:58.0558 3456 Number of processors: 1
2011/07/09 18:21:58.0558 3456 Page size: 0x1000
2011/07/09 18:21:58.0558 3456 Boot type: Normal boot
2011/07/09 18:21:58.0558 3456 ================================================================================
2011/07/09 18:21:59.0618 3456 Initialize success
2011/07/09 18:22:01.0085 1320 ================================================================================
2011/07/09 18:22:01.0085 1320 Scan started
2011/07/09 18:22:01.0085 1320 Mode: Manual;
2011/07/09 18:22:01.0085 1320 ================================================================================
2011/07/09 18:22:24.0500 1320 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys
2011/07/09 18:22:24.0672 1320 mrxsmb (040d62a9d8ad28922632137acdd984f2) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/07/09 18:22:24.0828 1320 mrxsmb10 (a8c2d7673c8a010569390c826a0efaf4) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/07/09 18:22:25.0000 1320 mrxsmb20 (3c142d31de9f2f193218a53fe2632051) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/07/09 18:22:25.0156 1320 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys
2011/07/09 18:22:25.0312 1320 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys
2011/07/09 18:22:25.0483 1320 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
2011/07/09 18:22:25.0671 1320 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
2011/07/09 18:22:25.0827 1320 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys
2011/07/09 18:22:26.0029 1320 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
2011/07/09 18:22:26.0185 1320 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/07/09 18:22:26.0357 1320 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
2011/07/09 18:22:26.0591 1320 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys
2011/07/09 18:22:26.0747 1320 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/07/09 18:22:26.0903 1320 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
2011/07/09 18:22:27.0075 1320 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
2011/07/09 18:22:27.0231 1320 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
2011/07/09 18:22:27.0433 1320 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
2011/07/09 18:22:27.0636 1320 NAVENG (f594e1acbbb3ba48586b5dd69b3a6bc2) C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20110708.001\ENG64.SYS
2011/07/09 18:22:27.0855 1320 NAVEX15 (cfe00b55488acf0cd9f62b0401297864) C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20110708.001\EX64.SYS
2011/07/09 18:22:28.0057 1320 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
2011/07/09 18:22:28.0276 1320 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
2011/07/09 18:22:28.0479 1320 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/07/09 18:22:28.0666 1320 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/07/09 18:22:28.0837 1320 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/07/09 18:22:29.0009 1320 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys
2011/07/09 18:22:29.0181 1320 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
2011/07/09 18:22:29.0352 1320 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys
2011/07/09 18:22:29.0695 1320 netw5v64 (64428dfdaf6e88366cb51f45a79c5f69) C:\Windows\system32\DRIVERS\netw5v64.sys
2011/07/09 18:22:29.0961 1320 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
2011/07/09 18:22:30.0132 1320 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
2011/07/09 18:22:30.0304 1320 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
2011/07/09 18:22:30.0491 1320 Ntfs (378e0e0dfea67d98ae6ea53adbbd76bc) C:\Windows\system32\drivers\Ntfs.sys
2011/07/09 18:22:30.0663 1320 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
2011/07/09 18:22:30.0834 1320 nvraid (a4d9c9a608a97f59307c2f2600edc6a4) C:\Windows\system32\drivers\nvraid.sys
2011/07/09 18:22:31.0006 1320 nvstor (6c1d5f70e7a6a3fd1c90d840edc048b9) C:\Windows\system32\drivers\nvstor.sys
2011/07/09 18:22:31.0162 1320 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys
2011/07/09 18:22:31.0333 1320 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/07/09 18:22:31.0989 1320 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
2011/07/09 18:22:32.0145 1320 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\Windows\system32\drivers\partmgr.sys
2011/07/09 18:22:32.0316 1320 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys
2011/07/09 18:22:32.0472 1320 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys
2011/07/09 18:22:32.0644 1320 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/07/09 18:22:32.0800 1320 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
2011/07/09 18:22:32.0971 1320 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
2011/07/09 18:22:33.0268 1320 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys
2011/07/09 18:22:33.0455 1320 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
2011/07/09 18:22:33.0658 1320 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys
2011/07/09 18:22:33.0845 1320 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
2011/07/09 18:22:34.0017 1320 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
2011/07/09 18:22:34.0188 1320 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
2011/07/09 18:22:34.0344 1320 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
2011/07/09 18:22:34.0500 1320 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
2011/07/09 18:22:34.0734 1320 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/07/09 18:22:34.0921 1320 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/07/09 18:22:35.0093 1320 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
2011/07/09 18:22:35.0265 1320 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys
2011/07/09 18:22:35.0436 1320 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
2011/07/09 18:22:35.0608 1320 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/07/09 18:22:35.0779 1320 RDPDR (9706b84dbabfc4b4ca46c5a82b14dfa3) C:\Windows\system32\drivers\rdpdr.sys
2011/07/09 18:22:35.0951 1320 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
2011/07/09 18:22:36.0138 1320 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
2011/07/09 18:22:36.0310 1320 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\Windows\system32\drivers\RDPWD.sys
2011/07/09 18:22:36.0481 1320 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys
2011/07/09 18:22:36.0669 1320 RFCOMM (3dd798846e2c28102b922c56e71b7932) C:\Windows\system32\DRIVERS\rfcomm.sys
2011/07/09 18:22:36.0856 1320 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
2011/07/09 18:22:37.0183 1320 RTL8167 (abcb5a38a0d85bdf69b7877e1ad1eed5) C:\Windows\system32\DRIVERS\Rt64win7.sys
2011/07/09 18:22:37.0355 1320 RTL8187B (945ab249d12cbe044782430c6013aa1a) C:\Windows\system32\DRIVERS\RTL8187B.sys
2011/07/09 18:22:37.0667 1320 s3cap (88af6e02ab19df7fd07ecdf9c91e9af6) C:\Windows\system32\DRIVERS\vms3cap.sys
2011/07/09 18:22:37.0854 1320 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys
2011/07/09 18:22:38.0026 1320 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys
2011/07/09 18:22:38.0213 1320 sdbus (2c8d162efaf73abd36d8bcbb6340cae7) C:\Windows\system32\DRIVERS\sdbus.sys
2011/07/09 18:22:38.0416 1320 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
2011/07/09 18:22:38.0603 1320 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
2011/07/09 18:22:38.0759 1320 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
2011/07/09 18:22:38.0915 1320 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
2011/07/09 18:22:39.0102 1320 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\DRIVERS\sffdisk.sys
2011/07/09 18:22:39.0243 1320 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\DRIVERS\sffp_mmc.sys
2011/07/09 18:22:39.0477 1320 sffp_sd (178298f767fe638c9fedcbdef58bb5e4) C:\Windows\system32\DRIVERS\sffp_sd.sys
2011/07/09 18:22:39.0804 1320 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
2011/07/09 18:22:40.0163 1320 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2011/07/09 18:22:40.0428 1320 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
2011/07/09 18:22:40.0912 1320 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
2011/07/09 18:22:41.0692 1320 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
2011/07/09 18:22:42.0066 1320 SRTSP (b531fc8918dcdaae638511a123c3465e) C:\Windows\system32\Drivers\SRTSP64.SYS
2011/07/09 18:22:42.0487 1320 SRTSPL (2bd3a73d0601320b72486fc3ebc2544f) C:\Windows\system32\Drivers\SRTSPL64.SYS
2011/07/09 18:22:42.0721 1320 SRTSPX (529b337c1aeeb289f0b502eb0ee6a8f5) C:\Windows\system32\Drivers\SRTSPX64.SYS
2011/07/09 18:22:43.0096 1320 srv (2408c0366d96bcdf63e8f1c78e4a29c5) C:\Windows\system32\DRIVERS\srv.sys
2011/07/09 18:22:43.0611 1320 srv2 (76548f7b818881b47d8d1ae1be9c11f8) C:\Windows\system32\DRIVERS\srv2.sys
2011/07/09 18:22:43.0907 1320 SrvHsfHDA (0c4540311e11664b245a263e1154cef8) C:\Windows\system32\DRIVERS\VSTAZL6.SYS
2011/07/09 18:22:44.0281 1320 SrvHsfV92 (02071d207a9858fbe3a48cbfd59c4a04) C:\Windows\system32\DRIVERS\VSTDPV6.SYS
2011/07/09 18:22:44.0469 1320 SrvHsfWinac (18e40c245dbfaf36fd0134a7ef2df396) C:\Windows\system32\DRIVERS\VSTCNXT6.SYS
2011/07/09 18:22:44.0671 1320 srvnet (0af6e19d39c70844c5caa8fb0183c36e) C:\Windows\system32\DRIVERS\srvnet.sys
2011/07/09 18:22:44.0859 1320 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
2011/07/09 18:22:45.0046 1320 storflt (ffd7a6f15b14234b5b0e5d49e7961895) C:\Windows\system32\DRIVERS\vmstorfl.sys
2011/07/09 18:22:45.0217 1320 storvsc (8fccbefc5c440b3c23454656e551b09a) C:\Windows\system32\DRIVERS\storvsc.sys
2011/07/09 18:22:45.0420 1320 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
2011/07/09 18:22:45.0639 1320 SymEvent (7e4d281982e19abd06728c7ee9ac40a8) C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
2011/07/09 18:22:45.0857 1320 SynTP (be7311da9d6833fa69ed04b744a1c8f8) C:\Windows\system32\DRIVERS\SynTP.sys
2011/07/09 18:22:46.0091 1320 Tcpip (61dc720bb065d607d5823f13d2a64321) C:\Windows\system32\drivers\tcpip.sys
2011/07/09 18:22:46.0341 1320 TCPIP6 (61dc720bb065d607d5823f13d2a64321) C:\Windows\system32\DRIVERS\tcpip.sys
2011/07/09 18:22:46.0512 1320 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys
2011/07/09 18:22:46.0684 1320 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
2011/07/09 18:22:46.0855 1320 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
2011/07/09 18:22:47.0027 1320 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\Windows\system32\DRIVERS\tdx.sys
2011/07/09 18:22:47.0199 1320 TermDD (c448651339196c0e869a355171875522) C:\Windows\system32\DRIVERS\termdd.sys
2011/07/09 18:22:47.0448 1320 TPM (dbcc20c02e8a3e43b03c304a4e40a84f) C:\Windows\system32\drivers\tpm.sys
2011/07/09 18:22:47.0667 1320 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/07/09 18:22:47.0869 1320 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\Windows\system32\DRIVERS\tunnel.sys
2011/07/09 18:22:48.0057 1320 TVALZ (9a744cc3d804ec38a6c2c65bc3c6fcd8) C:\Windows\system32\DRIVERS\TVALZ_O.SYS
2011/07/09 18:22:48.0244 1320 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
2011/07/09 18:22:48.0447 1320 udfs (d47baead86c65d4f4069d7ce0a4edceb) C:\Windows\system32\DRIVERS\udfs.sys
2011/07/09 18:22:48.0696 1320 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\DRIVERS\uliagpkx.sys
2011/07/09 18:22:48.0868 1320 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\Windows\system32\DRIVERS\umbus.sys
2011/07/09 18:22:49.0024 1320 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
2011/07/09 18:22:49.0211 1320 USBAAPL64 (f724b03c3dfaacf08d17d38bf3333583) C:\Windows\system32\Drivers\usbaapl64.sys
2011/07/09 18:22:49.0414 1320 usbaudio (77b01bc848298223a95d4ec23e1785a1) C:\Windows\system32\drivers\usbaudio.sys
2011/07/09 18:22:49.0601 1320 usbccgp (7b6a127c93ee590e4d79a5f2a76fe46f) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/07/09 18:22:49.0913 1320 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\DRIVERS\usbcir.sys
2011/07/09 18:22:50.0069 1320 usbehci (92969ba5ac44e229c55a332864f79677) C:\Windows\system32\DRIVERS\usbehci.sys
2011/07/09 18:22:50.0287 1320 usbhub (e7df1cfd28ca86b35ef5add0735ceef3) C:\Windows\system32\DRIVERS\usbhub.sys
2011/07/09 18:22:50.0443 1320 usbohci (f1bb1e55f1e7a65c5839ccc7b36d773e) C:\Windows\system32\drivers\usbohci.sys
2011/07/09 18:22:50.0646 1320 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
2011/07/09 18:22:50.0802 1320 USBSTOR (f39983647bc1f3e6100778ddfe9dce29) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/07/09 18:22:50.0989 1320 usbuhci (bc3070350a491d84b518d7cca9abd36f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/07/09 18:22:51.0161 1320 usbvideo (7cb8c573c6e4a2714402cc0a36eab4fe) C:\Windows\System32\Drivers\usbvideo.sys
2011/07/09 18:22:51.0426 1320 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\DRIVERS\vdrvroot.sys
2011/07/09 18:22:51.0660 1320 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/07/09 18:22:51.0863 1320 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
2011/07/09 18:22:52.0035 1320 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\Windows\system32\DRIVERS\vhdmp.sys
2011/07/09 18:22:52.0206 1320 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\DRIVERS\viaide.sys
2011/07/09 18:22:52.0378 1320 vmbus (1501699d7eda984abc4155a7da5738d1) C:\Windows\system32\DRIVERS\vmbus.sys
2011/07/09 18:22:52.0565 1320 VMBusHID (ae10c35761889e65a6f7176937c5592c) C:\Windows\system32\DRIVERS\VMBusHID.sys
2011/07/09 18:22:52.0721 1320 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\Windows\system32\DRIVERS\volmgr.sys
2011/07/09 18:22:52.0893 1320 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\Windows\system32\drivers\volmgrx.sys
2011/07/09 18:22:53.0064 1320 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\Windows\system32\DRIVERS\volsnap.sys
2011/07/09 18:22:53.0236 1320 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
2011/07/09 18:22:53.0439 1320 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
2011/07/09 18:22:53.0922 1320 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
2011/07/09 18:22:54.0343 1320 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
2011/07/09 18:22:54.0562 1320 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2011/07/09 18:22:54.0609 1320 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2011/07/09 18:22:54.0858 1320 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
2011/07/09 18:22:55.0030 1320 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
2011/07/09 18:22:55.0248 1320 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
2011/07/09 18:22:55.0498 1320 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
2011/07/09 18:22:55.0732 1320 WinUsb (817eaff5d38674edd7713b9dfb8e9791) C:\Windows\system32\DRIVERS\WinUsb.sys
2011/07/09 18:22:55.0919 1320 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/07/09 18:22:56.0122 1320 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
2011/07/09 18:22:56.0293 1320 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys
2011/07/09 18:22:56.0449 1320 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/07/09 18:22:56.0543 1320 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
2011/07/09 18:22:56.0574 1320 Boot (0x1200) (d081f37bd3d62809c092d0aea6ad5670) \Device\Harddisk0\DR0\Partition0
2011/07/09 18:22:56.0590 1320 ================================================================================
2011/07/09 18:22:56.0590 1320 Scan finished
2011/07/09 18:22:56.0590 1320 ================================================================================
2011/07/09 18:22:56.0605 4072 Detected object count: 0
2011/07/09 18:22:56.0605 4072 Actual detected object count: 0
2011/07/09 18:23:29.0319 3796 Deinitialize success

Attached thumbnail: oops.jpg

#12 libra26 (Topic Starter, Member, 17 posts)
New bug found by Malware after I did a full scan. Here's the log (it's at the very bottom).

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7060

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

7/10/2011 6:27:33 PM
mbam-log-2011-07-10 (18-27-33).txt

Scan type: Full scan (C:\|)
Objects scanned: 506132
Time elapsed: 4 hour(s), 48 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows.old\programdata\WSTB\ver64b.exe (Adware.BHO) -> Quarantined and deleted successfully.

#13 libra26 (Topic Starter, Member, 17 posts)
I apologize for posting so often, I really enjoy having someone so experienced helping with this.

Was checking out my task manager, and I have two questions. Should dwm.exe (Desktop Window Manager) and task manager both be at "High" priority?

Also, I got it to show me tasks from all users and I found a lot of memory being used by svchost.exe which was open in multiple instances. I've posted a screenshot. Is this normal?

Attached thumbnail: taskmanager.jpg

#14 RKinner (Malware Expert, MVP, 19,788 posts)
Sorry for the delay. Wife wanted the computer for a video conference and then we had to leave to catch the ferry to take my step son to Vancouver. I'm on my little netbook on the hotel network so it's not ideal.

If you have deleted the temp folder then I would recreate it and then change the Environmental variable to point to it. The Windows\temp folder requires administrator rights to save stuff there (why a temp folder should be so well protected is beyond me).

Most programs use the temp folder and if they can't write to it then they may crash. Firefox usually stores the downloaded file there until it finishes then moves it to the designated location so I expect that recreating the normal temp will solve a lot of problems.
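The repair Ron describes (recreate the temp folder, point the environment variable at it, make sure programs can write there) as a script, added here as an example and not part of the thread or of any tool mentioned in it. It assumes the folder that was deleted is the per-user temp under %LOCALAPPDATA% (the Windows 7 default), not C:\Windows\Temp, and it is written for the PowerShell 2.0 that Windows 7 SP1 ships with. The function names Restore-UserTemp and Get-UserTempSettings are made up for this example.

```powershell
# Added example, not from the thread: recreate a missing per-user temp folder,
# point the user's TEMP/TMP variables at it, then prove it is writable.
# Assumption: the deleted folder is the per-user temp under %LOCALAPPDATA%
# (Windows 7 default), not C:\Windows\Temp. Written for PowerShell 2.0.

$tempDir = Join-Path $env:LOCALAPPDATA 'Temp'

function Restore-UserTemp {
    param([string]$Path)

    # 1. Recreate the directory if it is gone. A folder created here inherits
    #    the user's own full-control ACL, so no elevation is needed.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
        Write-Host "Created $Path"
    }

    # 2. Set the persistent user-scope variables. These are what Explorer and
    #    newly launched programs read; assigning $env:TEMP alone would only
    #    change the current shell.
    [Environment]::SetEnvironmentVariable('TEMP', $Path, 'User')
    [Environment]::SetEnvironmentVariable('TMP',  $Path, 'User')
    $env:TEMP = $Path
    $env:TMP  = $Path

    # 3. Verify a normal (non-elevated) user can actually write there. If this
    #    fails, programs that stage files in TEMP (browser downloads,
    #    installers) will keep failing or crashing.
    $probe = Join-Path $Path ("probe-{0}.tmp" -f [Guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'ok')
        Remove-Item -LiteralPath $probe -Force
        Write-Host "TEMP is writable: $Path"
        return $true
    } catch {
        Write-Warning "Cannot write to ${Path}: $($_.Exception.Message)"
        return $false
    }
}

# 4. Show what the persistent user variables now hold, for comparison with
#    Control Panel > System > Advanced > Environment Variables.
function Get-UserTempSettings {
    New-Object PSObject -Property @{
        TEMP = [Environment]::GetEnvironmentVariable('TEMP', 'User')
        TMP  = [Environment]::GetEnvironmentVariable('TMP',  'User')
    }
}

Restore-UserTemp -Path $tempDir
Get-UserTempSettings
```

Run it as the affected user, not from an elevated "Run as administrator" prompt, so the folder and the variables land in that user's profile; log off and back on afterwards so programs started from the Start menu pick up the new values.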

#15 RKinner (Malware Expert, MVP, 19,788 posts)
Multiple posts are fine. I'll be doing it too since it's easier to answer your posts one at a time.

As long as the program is in the right place I'm not too worried about the priority.
Multiple svchosts are normal. If you could get combofix to run I could tell you if any were malware.

The files that aswMBR labeled as suspicious should be submitted to http://virustotal.com.

If the report does not say something like 0/42 then copy and paste the report.

Ron
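Two checks that follow from Ron's reply, added here as an example rather than anything posted in the thread: a triage of every svchost.exe that Task Manager shows (is it the genuine binary in System32, is it Microsoft-signed, which services does it host), and a hash routine for files you want to look up on VirusTotal without uploading them. It assumes PowerShell 2.0 on Windows 7 SP1 (hence Get-WmiObject rather than Get-CimInstance, and .NET hashing rather than Get-FileHash, which did not exist yet), an elevated prompt so every user's processes are visible, and that VirusTotal's search box accepts an MD5 or SHA-256 as a search term. The function names Test-SvchostInstances and Get-FileHashes are made up for this example; the driver path used at the end is taken from the TDSSKiller log above purely as an illustration.

```powershell
# Added example, not from the thread: sanity-check every svchost.exe and
# compute the hashes you would search for on VirusTotal.
# Assumptions: PowerShell 2.0 on Windows 7 SP1, run from an elevated prompt
# (same effect as "Show processes from all users" in Task Manager).

function Test-SvchostInstances {
    $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
    # Win32_Service.ProcessId tells us which svchost hosts each service.
    $services = Get-WmiObject Win32_Service

    Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $proc = $_
        # A genuine svchost.exe lives in System32 and is signed by Microsoft.
        # Malware often borrows the name but runs from another directory.
        $pathOk = ($proc.ExecutablePath -ne $null) -and ($proc.ExecutablePath -ieq $expected)
        $sig = if ($proc.ExecutablePath) {
            (Get-AuthenticodeSignature $proc.ExecutablePath).Status
        } else { 'Unknown' }

        # Several instances are normal; one that hosts no service at all,
        # or runs from the wrong path, is the one to look at.
        $hosted = $services | Where-Object { $_.ProcessId -eq $proc.ProcessId } |
                  ForEach-Object { $_.Name }

        New-Object PSObject -Property @{
            PID          = $proc.ProcessId
            Path         = $proc.ExecutablePath
            PathOK       = $pathOk
            Signature    = $sig
            WorkingSetMB = [math]::Round($proc.WorkingSetSize / 1MB, 1)
            Services     = ($hosted -join ', ')
        }
    } | Sort-Object PID | Format-Table PID, PathOK, Signature, WorkingSetMB, Services -AutoSize
}

# MD5 and SHA-256 of one file. TDSSKiller prints MD5s (the values in
# parentheses in the log above); searching VirusTotal for the hash avoids
# uploading the file at all.
function Get-FileHashes {
    param([Parameter(Mandatory=$true)][string]$Path)
    $bytes = [IO.File]::ReadAllBytes($Path)
    $md5 = [BitConverter]::ToString(
        [Security.Cryptography.MD5]::Create().ComputeHash($bytes)).Replace('-', '').ToLower()
    $sha = [BitConverter]::ToString(
        [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)).Replace('-', '').ToLower()
    New-Object PSObject -Property @{ Path = $Path; MD5 = $md5; SHA256 = $sha }
}

Test-SvchostInstances
# Illustrative target: a third-party driver listed in the TDSSKiller log above.
Get-FileHashes -Path 'C:\Windows\System32\Drivers\SYMEVENT64x86.SYS'
```

Compare the WorkingSetMB column with the memory column in the Task Manager screenshot; a large working set on an svchost that hosts the Windows Update or SuperFetch services is expected, while any row with PathOK false or Signature other than Valid is the one worth hashing and submitting.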