Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infection in my MBR, File: rikvm_C6F09094.sys


  • This topic is locked This topic is locked
7 replies to this topic

#1 Seth420

Seth420

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:19 AM

Posted 11 September 2011 - 10:58 AM

Here is the link to my previous posts that have brought me here

The first MBR.exe failed to run properly here is the log.

-Copied from file: "mbr.log"
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601

device: opened successfully
user: error reading MBR
error: Read The handle is invalid.
kernel: error reading MBR

-End-

Then I was instructed to run MBRCheck.exe instead and here are the results.

-Copied from file "MBRCheck_09.09.11_23.49.45.txt"
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: Hewlett-Packard
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP Pavilion dv7 Notebook PC
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 182):
0x02E12000 \SystemRoot\system32\ntoskrnl.exe
0x033FB000 \SystemRoot\system32\hal.dll
0x00BAB000 \SystemRoot\system32\kdcom.dll
0x00C58000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00CA7000 \SystemRoot\system32\PSHED.dll
0x00CBB000 \SystemRoot\system32\CLFS.SYS
0x00D19000 \SystemRoot\system32\CI.dll
0x00DD9000 \SystemRoot\System32\drivers\SMR210.SYS
0x00C00000 \SystemRoot\System32\drivers\FLTMGR.SYS
0x00E51000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00EF5000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00F04000 \SystemRoot\system32\drivers\ACPI.sys
0x00F5B000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00F64000 \SystemRoot\system32\drivers\msisadrv.sys
0x00F6E000 \SystemRoot\system32\drivers\pci.sys
0x00FA1000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00FAE000 \SystemRoot\System32\drivers\partmgr.sys
0x00FC3000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x00FCC000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x00FD8000 \SystemRoot\system32\drivers\volmgr.sys
0x010DB000 \SystemRoot\System32\drivers\volmgrx.sys
0x01137000 \SystemRoot\System32\drivers\mountmgr.sys
0x01278000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x013CC000 \SystemRoot\system32\drivers\atapi.sys
0x013D5000 \SystemRoot\system32\drivers\ataport.SYS
0x01200000 \SystemRoot\system32\drivers\msahci.sys
0x0120B000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x0121B000 \SystemRoot\system32\drivers\amdxata.sys
0x01151000 \SystemRoot\system32\drivers\NISx64\1301000.01C\SYMDS64.SYS
0x01226000 \SystemRoot\system32\drivers\fileinfo.sys
0x01460000 \SystemRoot\system32\drivers\NISx64\1301000.01C\SYMEFA64.SYS
0x01601000 \SystemRoot\System32\Drivers\Ntfs.sys
0x0156E000 \SystemRoot\System32\Drivers\msrpc.sys
0x017A4000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01000000 \SystemRoot\System32\Drivers\cng.sys
0x017BF000 \SystemRoot\System32\drivers\pcw.sys
0x017D0000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x01852000 \SystemRoot\system32\drivers\ndis.sys
0x01945000 \SystemRoot\system32\drivers\NETIO.SYS
0x019A5000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01A55000 \SystemRoot\System32\drivers\tcpip.sys
0x01C59000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01CA3000 \SystemRoot\system32\DRIVERS\wd.sys
0x01CAB000 \SystemRoot\system32\drivers\volsnap.sys
0x01CF7000 \SystemRoot\System32\Drivers\spldr.sys
0x01CFF000 \SystemRoot\System32\drivers\rdyboost.sys
0x01D39000 \SystemRoot\System32\Drivers\mup.sys
0x01D4B000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01D54000 \SystemRoot\system32\DRIVERS\hpdskflt.sys
0x01D5E000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01D98000 \SystemRoot\system32\DRIVERS\disk.sys
0x01DAE000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x031A9000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x03000000 \SystemRoot\system32\drivers\NISx64\1301000.01C\ccSetx64.sys
0x0467D000 \SystemRoot\System32\Drivers\NISx64\1301000.01C\SRTSP64.SYS
0x0473B000 \SystemRoot\system32\drivers\NISx64\1301000.01C\Ironx64.SYS
0x0476C000 \SystemRoot\system32\drivers\NISx64\1301000.01C\SRTSPX64.SYS
0x04781000 \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
0x04802000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20110909.002\EX64.SYS
0x047B8000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20110909.002\ENG64.SYS
0x047D8000 \SystemRoot\System32\Drivers\Null.SYS
0x047E1000 \SystemRoot\System32\Drivers\Beep.SYS
0x047E8000 \SystemRoot\System32\drivers\vga.sys
0x04600000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x04625000 \SystemRoot\System32\drivers\watchdog.sys
0x04635000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x0463E000 \SystemRoot\system32\drivers\rdpencdd.sys
0x04647000 \SystemRoot\system32\drivers\rdprefmp.sys
0x04650000 \SystemRoot\System32\Drivers\Msfs.SYS
0x0465B000 \SystemRoot\System32\Drivers\Npfs.SYS
0x031D3000 \SystemRoot\system32\DRIVERS\tdx.sys
0x0466C000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x04CB5000 \SystemRoot\system32\drivers\afd.sys
0x04D3E000 \SystemRoot\System32\DRIVERS\netbt.sys
0x04D83000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x04D8C000 \SystemRoot\system32\DRIVERS\pacer.sys
0x04DB2000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x04DC8000 \SystemRoot\system32\DRIVERS\SymIMv.sys
0x04DD6000 \SystemRoot\system32\DRIVERS\netbios.sys
0x04DE5000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x04C00000 \SystemRoot\system32\drivers\termdd.sys
0x04C14000 \SystemRoot\System32\Drivers\NISx64\1301000.01C\SYMNETS.SYS
0x04C7F000 \??\C:\Users\ROBERT~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS
0x04C89000 \??\C:\Users\ROBERT~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS
0x01A00000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x04C93000 \SystemRoot\system32\drivers\nsiproxy.sys
0x04C9F000 \SystemRoot\system32\drivers\mssmbios.sys
0x040AA000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20110908.030\IDSvia64.sys
0x04127000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
0x041A0000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0x041C6000 \SystemRoot\System32\drivers\discache.sys
0x041D5000 \SystemRoot\System32\Drivers\dfsc.sys
0x04000000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x04EDF000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20110901.001\BHDrvx64.sys
0x04E00000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x04E05000 \SystemRoot\system32\DRIVERS\atikmpag.sys
0x0501D000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x05CAC000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x05DA0000 \SystemRoot\System32\drivers\dxgmms1.sys
0x05C00000 \SystemRoot\system32\drivers\HDAudBus.sys
0x05C24000 \SystemRoot\system32\DRIVERS\HECIx64.sys
0x05C35000 \SystemRoot\system32\drivers\usbehci.sys
0x05C46000 \SystemRoot\system32\drivers\USBPORT.SYS
0x068C7000 \SystemRoot\system32\DRIVERS\NETwNs64.sys
0x07149000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x07156000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
0x071DB000 \SystemRoot\system32\drivers\i8042prt.sys
0x06800000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x05E37000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x05F94000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x05F96000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x05FA5000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x05FB2000 \SystemRoot\system32\DRIVERS\Accelerometer.sys
0x05FBF000 \SystemRoot\system32\drivers\wmiacpi.sys
0x05FC8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x05FDE000 \SystemRoot\system32\drivers\CompositeBus.sys
0x05FEE000 \SystemRoot\system32\DRIVERS\clwvd.sys
0x0680F000 \SystemRoot\system32\DRIVERS\ks.sys
0x05FF4000 \SystemRoot\system32\drivers\ksthunk.sys
0x05E00000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x06852000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x05E16000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x06876000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x068A5000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x057D8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x05DE6000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x05E22000 \SystemRoot\system32\drivers\swenum.sys
0x05E24000 \SystemRoot\system32\DRIVERS\circlass.sys
0x05000000 \SystemRoot\system32\DRIVERS\umbus.sys
0x04E4F000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x04EA9000 \SystemRoot\System32\Drivers\fastfat.SYS
0x04011000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x04026000 \SystemRoot\system32\drivers\AtiHdmi.sys
0x04049000 \SystemRoot\system32\drivers\portcls.sys
0x04086000 \SystemRoot\system32\drivers\drmk.sys
0x08A55000 \SystemRoot\system32\DRIVERS\stwrt64.sys
0x08AD7000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x08AF2000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x08B0F000 \SystemRoot\system32\DRIVERS\dc3d.sys
0x08B21000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x08B2A000 \SystemRoot\system32\DRIVERS\WinUSB.sys
0x08B3B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x08B49000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x08B62000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x08B70000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x08B7D000 \SystemRoot\system32\DRIVERS\point64.sys
0x08B8D000 \SystemRoot\System32\Drivers\crashdmp.sys
0x0302E000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x08B9B000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x00030000 \SystemRoot\System32\win32k.sys
0x08BAE000 \SystemRoot\System32\drivers\Dxapi.sys
0x08BBA000 \SystemRoot\System32\Drivers\usbvideo.sys
0x08BE8000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00580000 \SystemRoot\System32\TSDDD.dll
0x006D0000 \SystemRoot\System32\cdd.dll
0x00900000 \SystemRoot\System32\ATMFD.DLL
0x08A00000 \SystemRoot\system32\drivers\luafv.sys
0x08A23000 \SystemRoot\system32\drivers\WudfPf.sys
0x03182000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x01400000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x01DDE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x019D0000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x03CFA000 \SystemRoot\system32\drivers\HTTP.sys
0x03DC3000 \SystemRoot\system32\DRIVERS\bowser.sys
0x03DE1000 \SystemRoot\System32\drivers\mpsdrv.sys
0x03C00000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x03C2D000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x03C7B000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x05814000 \??\C:\Windows\system32\Drivers\rikvm_C6F09094.sys
0x07461000 \SystemRoot\system32\drivers\peauth.sys
0x07507000 \SystemRoot\System32\Drivers\secdrv.SYS
0x07512000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x07543000 \SystemRoot\System32\drivers\tcpipreg.sys
0x07555000 \SystemRoot\System32\DRIVERS\srv2.sys
0x09AF5000 \SystemRoot\System32\DRIVERS\srv.sys
0x09B8D000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x09BBE000 \SystemRoot\system32\DRIVERS\WSDScan.sys
0x09BCA000 \SystemRoot\system32\DRIVERS\WSDPrint.sys
0x77400000 \Windows\System32\ntdll.dll
0x47990000 \Windows\System32\smss.exe
0xFF720000 \Windows\System32\apisetschema.dll
0xFFD30000 \Windows\System32\autochk.exe

Processes (total 94):
0 System Idle Process
4 System
384 C:\Windows\System32\smss.exe
512 csrss.exe
580 C:\Windows\System32\wininit.exe
600 csrss.exe
644 C:\Windows\System32\services.exe
660 C:\Windows\System32\lsass.exe
672 C:\Windows\System32\lsm.exe
768 C:\Windows\System32\svchost.exe
828 C:\Windows\System32\winlogon.exe
892 C:\Windows\System32\svchost.exe
956 C:\Windows\System32\atiesrxx.exe
140 C:\Windows\System32\svchost.exe
404 C:\Windows\System32\svchost.exe
528 C:\Windows\System32\svchost.exe
716 C:\Program Files\IDT\WDM\stacsv64.exe
1160 C:\Windows\System32\svchost.exe
1220 C:\Windows\System32\hpservice.exe
1256 C:\Windows\System32\atieclxx.exe
1348 C:\Windows\System32\vcsFPService.exe
1440 C:\Windows\System32\svchost.exe
1600 C:\Windows\System32\spoolsv.exe
1628 C:\Program Files\DigitalPersona\Bin\DpHostW.exe
1692 C:\Windows\System32\svchost.exe
1796 C:\Program Files\IDT\WDM\AESTSr64.exe
1836 C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
1908 C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
1952 C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
1976 C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
2020 C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
1072 C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe
1528 C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe
1920 C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
2104 C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
2128 C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
2168 C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
2344 C:\Windows\System32\svchost.exe
2376 C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
2420 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2504 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2948 C:\Windows\System32\SearchIndexer.exe
2432 C:\Windows\System32\svchost.exe
3096 WUDFHost.exe
3220 WmiPrvSE.exe
3528 C:\Windows\System32\dwm.exe
3536 C:\Program Files (x86)\DigitalPersona\Bin\DPAgent.exe
3560 C:\Windows\explorer.exe
3576 C:\Windows\System32\taskhost.exe
3712 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3740 C:\Program Files\IDT\WDM\sttray64.exe
3756 C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
3860 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
3964 C:\Windows\System32\svchost.exe
4032 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
4080 C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
3356 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
3332 C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe
3916 C:\Windows\SysWOW64\rundll32.exe
3484 C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
4232 C:\Users\Robert\AppData\Roaming\Dropbox\bin\Dropbox.exe
4248 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
4256 C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
4388 C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
4416 C:\Program Files\IPMsg\ipmsg.exe
4440 C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
4736 C:\Windows\System32\svchost.exe
4964 C:\Program Files\Windows Media Player\wmpnetwk.exe
5024 C:\Program Files\DigitalPersona\Bin\DpAgent.exe
3520 C:\Windows\System32\taskeng.exe
1688 C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\YCMMirage.exe
2900 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
2540 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
4812 C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
2568 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
3692 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
5140 C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
5316 C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
5728 C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
5900 C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
1320 C:\Users\Robert\AppData\Local\Google\Chrome\Application\chrome.exe
5420 C:\Users\Robert\AppData\Local\Google\Chrome\Application\chrome.exe
3060 C:\Users\Robert\AppData\Local\Google\Chrome\Application\chrome.exe
5552 C:\Users\Robert\AppData\Local\Google\Chrome\Application\chrome.exe
6100 C:\Users\Robert\AppData\Local\Google\Chrome\Application\chrome.exe
5648 C:\Users\Robert\AppData\Local\Google\Chrome\Application\chrome.exe
5612 WmiPrvSE.exe
5112 C:\Windows\System32\notepad.exe
2776 C:\Windows\System32\dllhost.exe
3800 C:\Windows\System32\audiodg.exe
3272 dllhost.exe
5052 dllhost.exe
4584 C:\Users\Robert\Desktop\Tool Kit\MBRCheck.exe
2992 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`0c800000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x000000e0`ef100000 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK1059GSM, Rev: GL002C

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 3F7A35536DE962FFF1F2DC0F9C3D269F049695C1


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

-End-

Here are the options I received when I entered 'Y'

-Copied from file: "MBRCheck_09.10.11_14.16.40.txt"
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit):

Done!

-End-

Here is the dds.scr file created

-Copied from file "DDS.txt"
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Robert at 1:17:02 on 2011-09-11
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8174.6067 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\vcsFPService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe
C:\Program Files (x86)\DigitalPersona\Bin\DPAgent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Users\Robert\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files\IPMsg\ipmsg.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\SysWOW64\RunDll32.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\DigitalPersona\Bin\DPAgent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\YCMMirage.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Users\Robert\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Robert\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Robert\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Robert\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Robert\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Robert\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://www.google.com/
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: GhosteryBHO Class: {237eb6da-3fea-4dd2-8a61-a901b5c489d7} - C:\Program Files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\IPS\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\coIEPlg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [SpiderOak] C:\Program Files (x86)\SpiderOak\SpiderOak.exe --windows_startup
uRun: [Lexar_Echo_Backup_Manager.exe] C:\Users\Robert\AppData\Roaming\Lexar\Lexar_Echo_Backup_Manager.exe
uRun: [Google Update] "C:\Users\Robert\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Corel File Shell Monitor] c:\Program Files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
mRun: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
StartupFolder: C:\Users\ROBERT~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Robert\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\ROBERT~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
StartupFolder: C:\Users\ROBERT~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\IPMSGF~1.LNK - C:\Program Files (x86)\IPMsg\ipmsg.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAPFI~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - C:\Program Files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {10000000-1000-1000-1000-100000000000} - hxxp://cdn.betteradvertising.com/ghostery/addons/ie/WebInstall/ghostery.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {84A31672-371A-4CBF-8785-DCE55CDC7370} - hxxp://192.168.0.155/ocxfile/DownLoad.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{6A884292-BDF8-40F4-BB61-E23D16D62A2B} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{6A884292-BDF8-40F4-BB61-E23D16D62A2B}\0757D60796E6769627F6E6 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{6A884292-BDF8-40F4-BB61-E23D16D62A2B}\355647864323032736930393 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{6A884292-BDF8-40F4-BB61-E23D16D62A2B}\452554E444E6564763534336933316 : DhcpNameServer = 192.168.10.1
TCP: Interfaces\{6A884292-BDF8-40F4-BB61-E23D16D62A2B}\46C696E6B6 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{6A884292-BDF8-40F4-BB61-E23D16D62A2B}\75966496253555F52363 : DhcpNameServer = 192.168.15.1
TCP: Interfaces\{E100A179-BDEB-41CE-A1A3-A087A4C7C2B0} : DhcpNameServer = 192.168.0.1
Filter: text/html - {4459DC76-1FDE-4B16-BAD0-E4F8E7647555} - C:\Program Files (x86)\GhosteryIEplugin\GhosteryMimeFilter.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
LSA: Notification Packages = DPPassFilter scecli
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: GhosteryBHO Class: {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - C:\Program Files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
BHO-X64: Ghostery BHO - No File
BHO-X64: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\coIEPlg.dll
BHO-X64: Norton Identity Protection - No File
BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\IPS\IPSBHO.DLL
BHO-X64: Norton Vulnerability Protection - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\coIEPlg.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Corel File Shell Monitor] c:\Program Files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
mRun-x64: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
mRun-x64: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\uk5nmmwz.default\
FF - prefs.js: browser.startup.homepage - hxxps://encrypted.google.com/
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Robert\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Users\Robert\AppData\Local\HuluDesktop\instances\0.9.14.1\nphdplg.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1301000.01C\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1301000.01C\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1301000.01C\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1301000.01C\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20110901.001\BHDrvx64.sys [2011-9-1 1151096]
R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\system32\drivers\NISx64\1301000.01C\ccSetx64.sys --> C:\Windows\system32\drivers\NISx64\1301000.01C\ccSetx64.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20110909.030\IDSviA64.sys [2011-9-10 488568]
R1 SASDIFSV;SASDIFSV;C:\Users\ROBERT~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Users\ROBERT~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS [2011-7-12 12368]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1301000.01C\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1301000.01C\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1301000.01C\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1301000.01C\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-2-28 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-7-21 103992]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-8-5 291896]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-5-21 103992]
R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-6-14 26680]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-2-28 13336]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe [2011-9-8 138760]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-9-11 399344]
R2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-8-17 2358656]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-2-28 2655768]
R2 vcsFPService;Validity VCS Fingerprint Service;C:\Windows\System32\vcsFPService.exe [2010-2-23 1799472]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 clwvd;HP Webcam Splitter;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-7-28 136824]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 CLKMSVC10_C6F09094;CyberLink Product - 2011/02/28 01:34:06;C:\Program Files (x86)\Hewlett-Packard\Media\DVD\Kernel\HDDVD\NavFilter\kmsvc.exe [2011-2-28 245232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-6 136176]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560]
S3 btwampfl;Bluetooth AMP USB Filter;C:\Windows\system32\drivers\btwampfl.sys --> C:\Windows\system32\drivers\btwampfl.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-6 136176]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
S3 WSDScan;WSD Scan Support via UMB;C:\Windows\system32\DRIVERS\WSDScan.sys --> C:\Windows\system32\DRIVERS\WSDScan.sys [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
.
=============== Created Last 30 ================
.
2011-09-09 23:41:40 -------- d-----w- C:\Users\Robert\AppData\Roaming\SUPERAntiSpyware.com
2011-09-09 23:41:40 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2011-09-09 22:44:55 -------- d-----w- C:\Users\Robert\AppData\Roaming\Malwarebytes
2011-09-09 22:44:51 -------- d-----w- C:\ProgramData\Malwarebytes
2011-09-09 22:44:48 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-09-08 20:34:13 34152 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2011-09-08 20:33:55 125872 ----a-w- C:\Windows\System32\GEARAspi64.dll
2011-09-08 20:33:55 106928 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2011-09-08 20:33:40 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64\0401000.00F
2011-09-08 20:33:40 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64
2011-09-08 20:33:39 -------- d-----w- C:\Program Files (x86)\Norton Bootable Recovery Tool Wizard
2011-09-08 20:17:47 729720 ----a-r- C:\Windows\System32\drivers\NISx64\1301000.01C\srtsp64.sys
2011-09-08 20:17:47 451192 ----a-r- C:\Windows\System32\drivers\NISx64\1301000.01C\SymDS64.sys
2011-09-08 20:17:47 401016 ----a-r- C:\Windows\System32\drivers\NISx64\1301000.01C\symnets.sys
2011-09-08 20:17:47 37496 ----a-r- C:\Windows\System32\drivers\NISx64\1301000.01C\srtspx64.sys
2011-09-08 20:17:47 189560 ----a-r- C:\Windows\System32\drivers\NISx64\1301000.01C\Ironx64.sys
2011-09-08 20:17:47 167048 ----a-r- C:\Windows\System32\drivers\NISx64\1301000.01C\ccSetx64.sys
2011-09-08 20:17:47 1084536 ----a-r- C:\Windows\System32\drivers\NISx64\1301000.01C\SymEFA64.sys
2011-09-08 20:17:41 -------- d-----w- C:\Windows\System32\drivers\NISx64\1301000.01C
2011-09-05 23:36:28 -------- d-----w- C:\Users\Robert\Work
2011-08-30 02:54:49 -------- d-----w- C:\Users\Robert\AppData\Roaming\YouTube HD Transfer
2011-08-27 23:45:28 -------- d-----w- C:\Users\Robert\Calender
2011-08-24 23:16:58 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-08-24 23:16:40 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-08-15 01:46:08 -------- d-----w- C:\Program Files\IPMsg
2011-08-13 01:50:36 -------- d-----w- C:\Users\Robert\AppData\Local\Microsoft_Corporation
.
==================== Find3M ====================
.
2011-09-08 20:18:10 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-09-08 03:56:03 952 --sha-w- C:\ProgramData\KGyGaAvL.sys
2011-09-03 18:26:20 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-01 19:59:06 45416 ----a-w- C:\Windows\System32\drivers\point64.sys
2011-07-27 00:51:01 43640 ----a-r- C:\Windows\System32\drivers\SymIMV.sys
2011-07-22 05:42:23 2303488 ----a-w- C:\Windows\System32\jscript9.dll
2011-07-22 05:36:16 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-07-22 05:32:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-07-22 02:54:43 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-07-16 05:41:50 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-16 05:41:49 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-16 05:41:49 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-16 05:39:10 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-16 05:37:12 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-07-16 04:29:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:26:00 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-07-16 04:25:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-16 04:24:23 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-16 04:24:22 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:21:44 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-16 02:21:41 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-16 02:17:19 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-10 00:29:58 8593920 ----a-w- C:\Windows\System32\drivers\NETwNs64.sys
2011-07-09 02:46:28 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-06-24 05:34:53 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-06-24 05:25:49 338432 ----a-w- C:\Windows\System32\conhost.exe
2011-06-23 05:43:12 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-06-23 04:33:57 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-06-23 04:33:57 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-06-21 06:34:00 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-16 21:45:41 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-06-15 10:02:23 212992 ----a-w- C:\Windows\System32\odbctrac.dll
2011-06-15 10:02:23 163840 ----a-w- C:\Windows\System32\odbccp32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccu32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccr32.dll
2011-06-15 08:55:19 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
2011-06-15 08:55:19 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll
2011-06-15 08:55:19 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll
2011-06-15 08:55:19 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll
2011-06-15 08:55:19 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll
2011-06-14 18:29:24 770384 ----a-w- C:\Windows\SysWow64\msvcr100.dll
2011-06-14 18:29:22 421200 ----a-w- C:\Windows\SysWow64\msvcp100.dll
.
============= FINISH: 1:17:35.08 ===============

-End-

Truly thank you for all your time and effort.
"I fear not the man who has practiced 10,000 kicks once, but I fear the man who had practiced one kick 10,000 times."
— Bruce Lee

"Empty your mind, be formless. Shapeless, like water. If you put water into a cup, it becomes the cup. You put water into a bottle and it becomes the bottle. You put it in a teapot it becomes the teapot. Now, water can flow or it can crash. Be water my friend."
— Bruce Lee

BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:19 AM

Posted 18 September 2011 - 10:19 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===


Nothing suspicious was found on your DDS log.

We can check further.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this if fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

===

Third party programs if not up to date can be the cause infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know what problem persists.

#3 Seth420

Seth420
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:19 AM

Posted 21 September 2011 - 04:05 PM

I did not have any issues running ComboFix.exe or Securitycheck.exe.
I did notice that it took about 3 hours for combofix just on stage_4, but after reading the literature i expect that it is normal but thought that it was worth mentioning.

Here is the ComboFix.exe scan results.

-Copied from file "ComboFix.txt"-
ComboFix 11-09-18.03 - Robert 09/20/2011 19:18:32.2.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8174.6203 [GMT -4:00]
Running from: c:\users\Robert\Desktop\combofix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Robert\AppData\Roaming\Lexar\Lexar_Echo_Backup_Manager.exe
c:\windows\system32\no
c:\windows\system32\no\DPCrProv.dll.mui
c:\windows\system32\no\DPFPApiUI.dll.mui
c:\windows\system32\no\DPPassFilter.dll.mui
c:\windows\system32\SV
c:\windows\system32\SV\DPCrProv.dll.mui
c:\windows\system32\SV\DPFPApiUI.dll.mui
c:\windows\system32\SV\DPPassFilter.dll.mui
c:\windows\SysWow64\comct332.ocx
c:\windows\SysWow64\no
c:\windows\SysWow64\no\DPCrProv.dll.mui
c:\windows\SysWow64\no\DPFPApiUI.dll.mui
c:\windows\SysWow64\no\DPPassFilter.dll.mui
c:\windows\SysWow64\SV
c:\windows\SysWow64\SV\DPCrProv.dll.mui
c:\windows\SysWow64\SV\DPFPApiUI.dll.mui
c:\windows\SysWow64\SV\DPPassFilter.dll.mui
.
.
((((((((((((((((((((((((( Files Created from 2011-08-21 to 2011-09-21 )))))))))))))))))))))))))))))))
.
.
2011-09-21 06:36 . 2011-09-21 06:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-20 21:28 . 2011-09-20 22:02 -------- d-----w- c:\windows\system32\drivers\NISx64\1301010.003
2011-09-18 03:07 . 2011-09-18 03:07 -------- d-----w- C:\HP_TOOLS_mountHPSF
2011-09-18 02:50 . 2011-09-18 02:50 -------- d-----w- c:\programdata\{D3B41B92-9BC2-43EB-916A-4FA9E8191837}
2011-09-09 23:41 . 2011-09-09 23:41 -------- d-----w- c:\users\Robert\AppData\Roaming\SUPERAntiSpyware.com
2011-09-09 23:41 . 2011-09-09 23:41 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-09-09 22:44 . 2011-09-09 22:44 -------- d-----w- c:\users\Robert\AppData\Roaming\Malwarebytes
2011-09-09 22:44 . 2011-09-09 22:44 -------- d-----w- c:\programdata\Malwarebytes
2011-09-09 22:44 . 2011-07-06 23:52 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-08 20:34 . 2011-09-08 20:34 -------- dc----w- c:\windows\system32\DRVSTORE
2011-09-08 20:34 . 2009-05-18 07:47 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-09-08 20:33 . 2010-08-27 06:38 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2011-09-08 20:33 . 2010-08-27 06:38 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2011-09-08 20:33 . 2011-09-08 20:33 -------- d-----w- c:\windows\system32\drivers\NBRTWizardx64
2011-09-08 20:33 . 2011-09-08 20:33 -------- d-----w- c:\program files (x86)\Norton Bootable Recovery Tool Wizard
2011-09-05 23:36 . 2011-09-05 23:36 -------- d-----w- c:\users\Robert\Work
2011-08-30 02:54 . 2011-08-30 03:04 -------- d-----w- c:\users\Robert\AppData\Roaming\YouTube HD Transfer
2011-08-30 02:54 . 2011-08-30 02:54 -------- d-----w- c:\users\Public\Robert
2011-08-27 23:45 . 2011-08-27 23:45 -------- d-----w- c:\users\Robert\Calender
2011-08-24 23:16 . 2011-07-09 04:29 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-08-24 23:16 . 2011-07-09 05:26 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-08 20:18 . 2011-02-28 09:48 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-09-08 03:56 . 2011-06-16 01:42 952 --sha-w- c:\programdata\KGyGaAvL.sys
2011-09-03 18:26 . 2011-05-17 00:08 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-01 19:59 . 2011-08-01 19:59 45416 ----a-w- c:\windows\system32\drivers\point64.sys
2011-07-27 00:51 . 2011-06-06 02:24 43640 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2011-07-22 05:42 . 2011-08-10 20:00 2303488 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 05:36 . 2011-08-10 20:00 1389056 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 05:32 . 2011-08-10 20:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-22 02:54 . 2011-08-10 20:00 1797632 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-07-22 02:48 . 2011-08-10 20:00 1126912 ----a-w- c:\windows\SysWow64\wininet.dll
2011-07-22 02:44 . 2011-08-10 20:00 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-07-16 05:41 . 2011-08-10 19:59 362496 ----a-w- c:\windows\system32\wow64win.dll
2011-07-16 05:41 . 2011-08-10 19:59 243200 ----a-w- c:\windows\system32\wow64.dll
2011-07-16 05:41 . 2011-08-10 19:59 13312 ----a-w- c:\windows\system32\wow64cpu.dll
2011-07-16 05:39 . 2011-08-10 19:59 16384 ----a-w- c:\windows\system32\ntvdm64.dll
2011-07-16 05:37 . 2011-08-10 19:59 421888 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 05:21 . 2011-08-10 19:59 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 04:29 . 2011-08-10 19:59 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2011-07-16 04:26 . 2011-08-10 19:59 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-07-16 04:25 . 2011-08-10 19:59 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2011-07-16 04:24 . 2011-08-10 19:59 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2011-07-16 04:24 . 2011-08-10 19:59 272384 ----a-w- c:\windows\SysWow64\KernelBase.dll
2011-07-16 04:15 . 2011-08-10 19:59 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 5120 ---ha-w- c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 19:59 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2011-07-16 02:21 . 2011-08-10 19:59 2048 ----a-w- c:\windows\SysWow64\user.exe
2011-07-16 02:17 . 2011-08-10 19:59 6144 ---ha-w- c:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17 . 2011-08-10 19:59 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17 . 2011-08-10 19:59 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17 . 2011-08-10 19:59 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-10 00:29 . 2011-07-10 00:30 8593920 ----a-w- c:\windows\system32\drivers\NETwNs64.sys
2011-07-09 02:46 . 2011-08-10 19:59 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-24 05:34 . 2011-08-10 19:59 214528 ----a-w- c:\windows\system32\winsrv.dll
2011-06-24 05:25 . 2011-08-10 19:59 338432 ----a-w- c:\windows\system32\conhost.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{237EB6DA-3FEA-4DD2-8A61-A901B5C489D7}]
2010-05-14 18:10 561400 ----a-w- c:\program files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Robert\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Robert\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Robert\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-08-16 2736128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-09-09 98304]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-09-14 283160]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"KeePass 2 PreLoad"="c:\program files (x86)\KeePass Password Safe 2\KeePass.exe" [2011-04-10 1733120]
"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2011-06-14 587320]
.
c:\users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Robert\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2011-8-8 977408]
IPMSG for Win32.lnk - c:\program files\IPMsg\ipmsg.exe [2011-8-14 641536]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-29 1132320]
Snapfish PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2010-9-28 1040952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 CLKMSVC10_C6F09094;CyberLink Product - 2011/02/28 01:34;c:\program files (x86)\Hewlett-Packard\Media\DVD\Kernel\HDDVD\NavFilter\kmsvc.exe [2010-09-21 245232]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-06 136176]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-06 136176]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1301010.003\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1301010.003\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20110909.001\BHDrvx64.sys [2011-09-09 1152632]
S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1301010.003\ccSetx64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20110917.033\IDSvia64.sys [2011-09-07 488568]
S1 SASDIFSV;SASDIFSV;c:\users\ROBERT~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\users\ROBERT~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1301010.003\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1301010.003\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-07-21 103992]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-08-06 291896]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-05-21 103992]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-06-14 26680]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-14 13336]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.1.1.3\ccSvcHst.exe [2011-08-10 138760]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-09-11 399344]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-17 2358656]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-09-30 2655768]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-02-23 2192176]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-07-28 136824]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - CLKMDRV10_C6F09094
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-08-16 21:43 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-06 20:24]
.
2011-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-06 20:24]
.
2011-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2973698638-1772673222-3898640807-1000Core.job
- c:\users\Robert\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-24 20:21]
.
2011-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2973698638-1772673222-3898640807-1000UA.job
- c:\users\Robert\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-24 20:21]
.
2011-09-18 c:\windows\Tasks\HPCeeScheduleForRobert.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
2011-08-31 c:\windows\Tasks\HPCeeScheduleForROBERT-HP$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Robert\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Robert\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Robert\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Robert\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-07-22 487424]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-09-01 611896]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences Pro\FencesMenu64.dll" [2010-09-16 464744]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {{237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - c:\program files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
TCP: DhcpNameServer = 192.168.0.1
DPF: {84A31672-371A-4CBF-8785-DCE55CDC7370} - hxxp://192.168.0.155/ocxfile/DownLoad.ocx
FF - ProfilePath - c:\users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\uk5nmmwz.default\
FF - prefs.js: browser.startup.homepage - hxxps://encrypted.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Lexar_Echo_Backup_Manager.exe - c:\users\Robert\AppData\Roaming\Lexar\Lexar_Echo_Backup_Manager.exe
Wow6432Node-HKLM-Run-Corel File Shell Monitor - c:\program files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-HijackThis - c:\users\Robert\Desktop\HijackThis.exe
AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files (x86)\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe
AddRemove-{68BF0BE8-AF72-40e0-B5CA-8C0685E1924E}Lexar_Echo_Backup_Manager.exe - c:\users\Robert\AppData\Roaming\Lexar\Lexar_Echo_Backup_Manager.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.1.1.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.1.1.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-09-21 02:37:39
ComboFix-quarantined-files.txt 2011-09-21 06:37
.
Pre-Run: 880,264,519,680 bytes free
Post-Run: 880,434,749,440 bytes free
.
- - End Of File - - D19845120FF2C80AE84A49AE3323AFD7

-End-

Here are the results from the Securitycheck.exe

-Copied from file "checkup.txt'"-

Results of screen317's Security Check version 0.99.18
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Out of date HijackThis installed!
HijackThis 1.99.1
Java™ 6 Update 26
Adobe Flash Player 10.3.183.7
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````

-End-
"I fear not the man who has practiced 10,000 kicks once, but I fear the man who had practiced one kick 10,000 times."
— Bruce Lee

"Empty your mind, be formless. Shapeless, like water. If you put water into a cup, it becomes the cup. You put water into a bottle and it becomes the bottle. You put it in a teapot it becomes the teapot. Now, water can flow or it can crash. Be water my friend."
— Bruce Lee

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:19 AM

Posted 21 September 2011 - 06:14 PM

Remove this old version of HijackThis using the Add/Remove Programs list.
HijackThis 1.99.1
Must forum are now using the DDS tool.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java SE Runtime Environment 6 Update 27.
  • In the box labeled "Java Platform, Standard Edition", click the "Download JRE" button to the right.
  • In the Window that opens, select Windows (or Windows x64), and check the "agree" box and click "Continue".
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Then from your Desktop double-click on jre-6u27-windows-i586.exe that you have downloaded to install the newest version.

    For the x64 bit version download this on jre-6u27-windows-x64.exe). Make sure you download the corrent version.

    - Note: If you are running Vista or Windows 7, you may need to right-click on the installation file and select Run as Administrator.

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 26

===

Your ComboFix log is clean.

Please let me know what problem persists.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:19 AM

Posted 27 September 2011 - 08:46 AM

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Surf Safely, and Think Prevention!

#6 Seth420

Seth420
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:19 AM

Posted 28 September 2011 - 03:47 PM

I have updated both Java 32-bit and 64-bit since I use both versions of web the browsers
Then I have uninstalled ComboFix
I updated my Anti-Virus then ran a scan and it came back clean, so I got the newest version of Norton Power Eraser ran it's scan and found the original file (rikvm_C6F09094.sys) plus a registry key entry to hide icons.


-Copied From NPE.exe output-

Name: Advanced
____________________________
Registry Key: HKEY_USERS\S-1-5-21-2973698638-1772673222-3898640807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideIcons"
____________________________

-End-

Regarding my issue, I have not noticed my computer acting up at all or communicating over the internet without my consent even with the possible infections.
I have used Sysinternals Suite to monitor Processes (procexp.exe and Procmon.exe) and Wireshark with a lan-tap from another computer.
I am just worried because I do allot of online purchases from this computer and want to make sure that it is secure.

Any thoughts would be appreciated

Thank you for all your time and help.
"I fear not the man who has practiced 10,000 kicks once, but I fear the man who had practiced one kick 10,000 times."
— Bruce Lee

"Empty your mind, be formless. Shapeless, like water. If you put water into a cup, it becomes the cup. You put water into a bottle and it becomes the bottle. You put it in a teapot it becomes the teapot. Now, water can flow or it can crash. Be water my friend."
— Bruce Lee

#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:19 AM

Posted 29 September 2011 - 07:09 AM

I cant find anything one this file rikvm_C6F09094.sys you can quarantine it or locate the file and rename it rikvm_C6F09094.sys.old
If an application needs it you will be prompted by a message.
===

Registry Key: HKEY_USERS\S-1-5-21-2973698638-1772673222-3898640807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideIcons"


Possibly that a user at one time has hidden some icons.

We can check the registry and find out if this option is still active.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :regfind
    HideIcons

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
===

Do an other scan with this tool.

Download the latest version of Kaspersky Virus Removal Tool
  • Close all other applications and double-click and run the installer.
  • When AVPTool starts, select all the scanable items except for CD-ROM drives.
  • Then please choose Security level: Recommended and perform the following actions.
    Posted Image
  • Click the Start scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
===

Post the log.

#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:19 AM

Posted 04 October 2011 - 10:21 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users