scvhost trojan


This topic is locked
45 replies to this topic

#1 micro102 (Members, 22 posts)

Posted 19 April 2012 - 11:39 AM

I've got a virus that Malwarebytes Anti-Malware keeps on detecting, quarantining, and "deleting", but that keeps coming back. It's an scvhost file and in the task manager it is described as winrscmde.

I've come to understand that Trojans like these need to be analyzed and thoroughly cleaned out, and am hoping someone can help me get rid of this. Symptoms include blue screening, computer locking up, scvhost process taking up all CPU and memory, and sometimes the inability to repair on startup.


#2 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 19 April 2012 - 07:03 PM

Hi,

Please do the following:



Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 micro102 (Topic Starter, Members, 22 posts)

Posted 19 April 2012 - 09:44 PM

Ok, here we go.

DDS File

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 
Internet Explorer: 9.0.8112.16421
Run by Micro102 at 22:05:50 on 2012-04-19
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.5610.3020 [GMT -4:00]
.
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\GFNEXSrv.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\Explorer.EXE
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\TECO\Teco.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Toshiba\TosVolRegulator\TosVolRegulator.exe
C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe
C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe
C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
-netsvcs
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\conhost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe
C:\windows\system32\sppsvc.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.toshiba.com
uDefault_Page_URL = hxxp://start.toshiba.com
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\IPS\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: DhcpNameServer = 167.206.254.1 167.206.254.2
TCP: Interfaces\{0C4C5069-837A-4B81-8044-D413972269B6} : DhcpNameServer = 167.206.254.1 167.206.254.2
TCP: Interfaces\{2353BB29-4E04-4C85-A601-D8A69D00576A} : DhcpNameServer = 167.206.254.1 167.206.254.2
TCP: Interfaces\{2353BB29-4E04-4C85-A601-D8A69D00576A}\1375356413 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2353BB29-4E04-4C85-A601-D8A69D00576A}\4586563516E6364757162797D27657563747 : DhcpNameServer = 167.206.254.2 167.206.254.1
TCP: Interfaces\{2353BB29-4E04-4C85-A601-D8A69D00576A}\6363937533 : DhcpNameServer = 192.168.1.1 68.237.161.12
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64:     AcroIEHelperStub - No File
BHO-X64: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\coIEPlg.dll
BHO-X64:     Norton Identity Protection - No File
BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\IPS\IPSBHO.DLL
BHO-X64:     Norton Vulnerability Protection - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\coIEPlg.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun-x64: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Micro102\AppData\Roaming\Mozilla\Firefox\Profiles\oxwyom0i.default\
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\BYOND\bin\npbyond.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npbyond.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\windows\system32\drivers\NISx64\1302000.00A\SYMDS64.SYS --> C:\windows\system32\drivers\NISx64\1302000.00A\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\windows\system32\drivers\NISx64\1302000.00A\SYMEFA64.SYS --> C:\windows\system32\drivers\NISx64\1302000.00A\SYMEFA64.SYS [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\IPSDefs\20120107.001\IDSviA64.sys [2012-1-9 488568]
R1 SymNetS;Symantec Network Security WFP Driver;C:\windows\system32\Drivers\NISx64\1302000.00A\SYMNETS.SYS --> C:\windows\system32\Drivers\NISx64\1302000.00A\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\system32\atiesrxx.exe --> C:\windows\system32\atiesrxx.exe [?]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 GFNEXSrv;GFNEX Service;C:\Windows\System32\GFNEXSrv.exe --> C:\Windows\System32\GFNEXSrv.exe [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-4-19 654408]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\ccsvchst.exe [2011-11-29 138760]
R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe [2011-10-24 135608]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2011-10-24 126392]
R2 regi;regi;\??\C:\windows\system32\drivers\regi.sys --> C:\windows\system32\drivers\regi.sys [?]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\Toshiba\TECO\TecoService.exe [2011-5-24 294848]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]
R3 amdkmdag;amdkmdag;C:\windows\system32\DRIVERS\atikmdag.sys --> C:\windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\windows\system32\DRIVERS\atikmpag.sys --> C:\windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\windows\system32\drivers\AtihdW76.sys --> C:\windows\system32\drivers\AtihdW76.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\windows\system32\drivers\mbam.sys --> C:\windows\system32\drivers\mbam.sys [?]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\system32\DRIVERS\rtl8192Ce.sys --> C:\windows\system32\DRIVERS\rtl8192Ce.sys [?]
R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2011-10-24 57216]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\Toshiba\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-6-10 138152]
R3 TPCHSrv;TPCH Service;C:\Program Files\Toshiba\TPHM\TPCHSrv.exe [2011-7-1 828856]
S1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\BASHDefs\20111223.001\BHDrvx64.sys [2011-11-30 1157240]
S1 ccSet_NIS;Norton Internet Security Settings Manager;C:\windows\system32\drivers\NISx64\1302000.00A\ccSetx64.sys --> C:\windows\system32\drivers\NISx64\1302000.00A\ccSetx64.sys [?]
S1 SymIRON;Symantec Iron Driver;C:\windows\system32\drivers\NISx64\1302000.00A\Ironx64.SYS --> C:\windows\system32\drivers\NISx64\1302000.00A\Ironx64.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-24 136176]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-29 158856]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-24 136176]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-04-17 13:51:43	8669240	----a-w-	C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{430CC0EC-2A3E-47CF-81C4-5F19461AEAC3}\mpengine.dll
2012-04-16 22:07:25	--------	d-----w-	C:\Users\Micro102\AppData\Local\DOSBox
2012-04-16 22:06:24	--------	d-----w-	C:\Program Files (x86)\DOSBox-0.74
2012-04-16 21:54:26	--------	d-----w-	C:\CovertAction
2012-04-15 22:23:35	20480	----a-w-	C:\windows\svchost.exe
2012-04-12 07:00:48	81408	----a-w-	C:\windows\System32\imagehlp.dll
2012-04-12 07:00:48	23408	----a-w-	C:\windows\System32\drivers\fs_rec.sys
2012-04-12 07:00:48	159232	----a-w-	C:\windows\SysWow64\imagehlp.dll
2012-04-12 07:00:46	5120	----a-w-	C:\windows\SysWow64\wmi.dll
2012-04-12 07:00:46	5120	----a-w-	C:\windows\System32\wmi.dll
2012-04-12 07:00:46	220672	----a-w-	C:\windows\System32\wintrust.dll
2012-04-12 07:00:46	172544	----a-w-	C:\windows\SysWow64\wintrust.dll
2012-04-04 05:03:16	--------	d-----w-	C:\Program Files (x86)\Cockatrice
.
==================== Find3M  ====================
.
2012-04-04 19:56:40	24904	----a-w-	C:\windows\System32\drivers\mbam.sys
2012-02-28 06:56:48	2311168	----a-w-	C:\windows\System32\jscript9.dll
2012-02-28 06:49:56	1390080	----a-w-	C:\windows\System32\wininet.dll
2012-02-28 06:48:57	1493504	----a-w-	C:\windows\System32\inetcpl.cpl
2012-02-28 06:42:55	2382848	----a-w-	C:\windows\System32\mshtml.tlb
2012-02-28 01:18:55	1799168	----a-w-	C:\windows\SysWow64\jscript9.dll
2012-02-28 01:11:21	1427456	----a-w-	C:\windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07	1127424	----a-w-	C:\windows\SysWow64\wininet.dll
2012-02-28 01:03:16	2382848	----a-w-	C:\windows\SysWow64\mshtml.tlb
2012-02-23 13:18:36	279656	------w-	C:\windows\System32\MpSigStub.exe
2012-02-17 06:38:26	1031680	----a-w-	C:\windows\System32\rdpcore.dll
2012-02-17 05:34:22	826880	----a-w-	C:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24	210944	----a-w-	C:\windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32	23552	----a-w-	C:\windows\System32\drivers\tdtcp.sys
2012-02-12 09:23:55	750488	----a-w-	C:\windows\System32\npdeployJava1.dll
2012-02-12 09:23:55	660368	----a-w-	C:\windows\System32\deployJava1.dll
2012-02-10 06:36:07	1544192	----a-w-	C:\windows\System32\DWrite.dll
2012-02-10 05:38:43	1077248	----a-w-	C:\windows\SysWow64\DWrite.dll
2012-02-03 04:34:34	3145728	----a-w-	C:\windows\System32\win32k.sys
2012-02-01 21:46:05	249856	------w-	C:\windows\Setup1.exe
2012-02-01 21:46:01	73216	----a-w-	C:\windows\ST6UNST.EXE
2012-01-25 06:38:39	77312	----a-w-	C:\windows\System32\rdpwsx.dll
2012-01-25 06:38:38	149504	----a-w-	C:\windows\System32\rdpcorekmts.dll
2012-01-25 06:33:30	9216	----a-w-	C:\windows\System32\rdrmemptylst.exe
.
============= FINISH: 22:08:34.80 ===============


Attach file

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium 
Boot Device: \Device\HarddiskVolume1
Install Date: 11/29/2011 2:36:32 AM
System Uptime: 4/19/2012 10:01:30 PM (0 hours ago)
.
Motherboard: PEGATRON CORPORATION |  | TKBSS
Processor: AMD A6-3400M APU with Radeon(tm) HD Graphics | CPU 1 | 1400/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 581 GiB total, 480 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: BHDrvx64
Device ID: ROOT\LEGACY_BHDRVX64\0000
Manufacturer: 
Name: BHDrvx64
PNP Device ID: ROOT\LEGACY_BHDRVX64\0000
Service: BHDrvx64
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Norton Internet Security Settings Manager
Device ID: ROOT\LEGACY_CCSET_NIS\0000
Manufacturer: 
Name: Norton Internet Security Settings Manager
PNP Device ID: ROOT\LEGACY_CCSET_NIS\0000
Service: ccSet_NIS
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Symantec Iron Driver
Device ID: ROOT\LEGACY_SYMIRON\0000
Manufacturer: 
Name: Symantec Iron Driver
PNP Device ID: ROOT\LEGACY_SYMIRON\0000
Service: SymIRON
.
==== System Restore Points ===================
.
RP99: 4/13/2012 3:00:17 AM - Windows Update
RP100: 4/14/2012 3:00:13 AM - Windows Update
RP101: 4/15/2012 3:00:14 AM - Windows Update
RP102: 4/15/2012 9:12:36 PM - Windows Update
RP103: 4/15/2012 9:14:02 PM - Windows Update
RP104: 4/16/2012 3:00:12 AM - Windows Update
RP105: 4/17/2012 3:00:17 AM - Windows Update
RP106: 4/18/2012 3:00:13 AM - Windows Update
RP107: 4/19/2012 3:00:12 AM - Windows Update
.
==== Installed Programs ======================
.
7-Zip 9.20
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.2) MUI
AMD VISION Engine Control Center
Aurora
Bejeweled 3
Build Your Own Net Dream (remove only)
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Localization All
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Chuzzle Deluxe
Cockatrice
Corel WinDVD
D3DX10
Europa Universalis III
FATE - The Traitor Soul
Fishdom (TM) 2
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Hearts of Iron III
Heroes of Newerth
Java Auto Updater
Java(TM) 6 Update 25
Junk Mail filter update
KAG 0.95A
Label@Once 1.0
League of Legends
Magicka
Malwarebytes Anti-Malware version 1.61.0.1400
Mesh Runtime
Microsoft Office 2010
Microsoft Office Click-to-Run 2010
Microsoft Office Starter 2010 - English
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
Mount & Blade: Warband
Mount & Blade: With Fire and Sword
Mozilla Firefox 11.0 (x86 en-US)
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Internet Security
NVIDIA PhysX
Pando Media Booster
Penguins!
Plants vs. Zombies - Game of the Year
PlayReady PC Runtime x86
Polar Bowler
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Realtek WLAN Driver
Rome: Total War Gold Edition
S.T.A.L.K.E.R.: Call of Pripyat
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Skype Launcher
Skype™ 5.8
Steam
Team Fortress 2
The Elder Scrolls V: Skyrim
Tom Clancy's Splinter Cell
Toshiba App Place
TOSHIBA Application Installer
TOSHIBA Assist
Toshiba Book Place
TOSHIBA Bulletin Board
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
Toshiba Laptop Checkup
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
Toshiba Online Backup
TOSHIBA Quality Application
TOSHIBA Recovery Media Creator
TOSHIBA ReelTime
TOSHIBA Resolution+ Plug-in for Windows Media Player
TOSHIBA Service Station
TOSHIBA Sleep Utility
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
TOSHIBA Wireless LAN Indicator
TOSHIBARegistration
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update Installer for WildTangent Games App
Virtual Villagers 5 - New Believers
WildTangent Games
WildTangent Games App (Toshiba Games)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Wurm Online 3.0.1b
X-COM: UFO Defense
Zuma's Revenge
.
==== Event Viewer Messages From Past Week ========
.
4/19/2012 3:00:42 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Windows 7 for x64-based Systems (KB2679255).
4/19/2012 11:13:13 AM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Windows Modules Installer service to connect.
4/19/2012 11:13:13 AM, Error: Service Control Manager [7000]  - The Windows Modules Installer service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
4/19/2012 11:12:13 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1053" attempting to start the service TrustedInstaller with arguments "" in order to run the server: {752073A1-23F2-4396-85F0-8FDB879ED0ED}
4/19/2012 10:02:29 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  BHDrvx64 ccSet_NIS SymIRON
4/15/2012 6:12:47 PM, Error: Service Control Manager [7022]  - The Windows Update service hung on starting.
4/15/2012 6:07:01 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001]  - The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff80002caff6b, 0x0000000000000000, 0x000000007efa0000). A dump was saved in: C:\windows\MEMORY.DMP. Report Id: 041512-38703-01.
.
==== End Of File ===========================

aswMBR file
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-19 22:13:38
-----------------------------
22:13:38.271    OS Version: Windows x64 6.1.7601 Service Pack 1
22:13:38.271    Number of processors: 4 586 0x100
22:13:38.272    ComputerName: MICRO102-PC  UserName: Micro102
22:13:42.714    Initialize success
22:15:05.845    AVAST engine defs: 12041901
22:16:42.729    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
22:16:42.732    Disk 0 Vendor: Hitachi_HTS547564A9E384 JEDOA60B Size: 610480MB BusType: 11
22:16:42.735    Device \Driver\atapi -> MajorFunction fffffa80072a75c4
22:16:42.739    Disk 0 MBR read successfully
22:16:42.742    Disk 0 MBR scan
22:16:42.749    Disk 0 MBR:Pihar-C [Rtk]
22:16:42.753    Disk 0 TDL4@MBR code has been found
22:16:42.757    Disk 0 MBR hidden
22:16:42.761    Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS         1500 MB offset 2048
22:16:42.782    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       594512 MB offset 3074048
22:16:42.811    Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS        14467 MB offset 1220634624
22:16:42.819    Disk 0 MBR [TDL4]  **ROOTKIT**
22:16:42.824    Disk 0 trace - called modules:
22:16:43.164    ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80072a75c4]<<
22:16:43.172    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80065cf060]
22:16:43.179    3 CLASSPNP.SYS[fffff88001baa43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0xfffffa80063251f0]
22:16:43.186    \Driver\atapi[0xfffffa80072b83f0] -> IRP_MJ_CREATE -> 0xfffffa80072a75c4
22:16:46.951    AVAST engine scan C:\windows
22:16:50.063    AVAST engine scan C:\windows\system32
22:21:46.093    AVAST engine scan C:\windows\system32\drivers
22:22:15.722    AVAST engine scan C:\Users\Micro102
22:30:05.279    AVAST engine scan C:\ProgramData
22:31:15.988    File: C:\ProgramData\Microsoft\Windows\DRM\A777.tmp  **INFECTED** Win32:Malware-gen
22:31:16.065    File: C:\ProgramData\Microsoft\Windows\DRM\A778.tmp  **INFECTED** Win32:Malware-gen
22:31:16.234    File: C:\ProgramData\Microsoft\Windows\DRM\DF9D.tmp  **INFECTED** Win32:Malware-gen
22:31:16.297    File: C:\ProgramData\Microsoft\Windows\DRM\DF9E.tmp  **INFECTED** Win32:Malware-gen
22:32:25.251    Scan finished successfully
22:40:49.804    Disk 0 MBR has been saved successfully to "C:\Users\Micro102\Desktop\MBR.dat"
22:40:49.811    The log file has been saved successfully to "C:\Users\Micro102\Desktop\aswMBR.txt"



And the attachment MBR

Attached File: MBR.zip (586 bytes)


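Added example (editor's note, not part of the thread and not code from aswMBR, TDSSKiller or BleepingComputer): the aswMBR log above shows a normal-looking partition table next to a verdict of TDL4 code in the MBR, which is the usual picture with this family. The bootkit rewrites only the boot code in the first 440 bytes of sector 0 and leaves the four partition entries alone so Windows still boots. The Python below assembles a 512-byte MBR from the three partitions the logs report for Disk 0 (offsets 2048, 3074048 and 1220634624; TDSSKiller's StartLBA 0x2EE800 / BlocksNum 0x48928000 is the same C: partition in hex), parses it back, and runs the checks a responder would run on a saved copy such as the MBR.dat aswMBR wrote: the 0x55AA signature, exactly one active entry, no overlapping entries, how many unallocated sectors trail the last partition (where TDL4 keeps its hidden file system), and a hash of the boot-code region against a baseline. The boot-code bytes, the disk signature and the baseline hash are constructed placeholders, not real Windows or Pihar code.

```python
"""Parse and sanity-check a 512-byte MBR of the kind aswMBR saves as MBR.dat.

Added example for this thread; not code from aswMBR, TDSSKiller or BleepingComputer.
The partition values are the ones reported for Disk 0 in the logs above; the boot
code, disk signature and baseline hash are constructed placeholders.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440       # bytes 0..439: the region a bootkit such as TDL4 rewrites
DISK_SIG_OFF = 440       # 4-byte Windows disk signature
TABLE_OFF = 446          # four 16-byte partition entries
ENTRY_LEN = 16
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, start LBA, sector count
SIG_OFF = 510            # 0x55 0xAA

PART_TYPES = {0x07: "HPFS/NTFS", 0x17: "Hidden HPFS/NTFS", 0x27: "Hidden NTFS WinRE"}


def build_mbr(bootcode, disk_sig, partitions):
    """Assemble an MBR from (boot_flag, type, start_lba, sectors) tuples."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("boot code too long")
    mbr = bytearray(SECTOR)
    mbr[:len(bootcode)] = bootcode
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for i, (boot, ptype, start, count) in enumerate(partitions):
        # CHS fields left zero: Windows and the bootkit both use the LBA fields
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFF + i * ENTRY_LEN,
                         boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[SIG_OFF], mbr[SIG_OFF + 1] = 0x55, 0xAA
    return bytes(mbr)


def parse_mbr(mbr):
    """Return signature state, disk signature, boot-code hash and the used partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        boot, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFF + i * ENTRY_LEN)
        if ptype == 0:
            continue
        parts.append({"index": i + 1, "boot": boot, "type": ptype,
                      "name": PART_TYPES.get(ptype, "unknown 0x%02x" % ptype),
                      "start_lba": start, "sectors": count,
                      "size_mb": count * SECTOR // (1024 * 1024)})
    return {"signature_ok": mbr[SIG_OFF] == 0x55 and mbr[SIG_OFF + 1] == 0xAA,
            "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
            "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
            "partitions": parts}


def trailing_unallocated(info, disk_sectors):
    """Sectors after the last partition: TDL4 stores its hidden file system there."""
    end = max(p["start_lba"] + p["sectors"] for p in info["partitions"])
    return disk_sectors - end


def triage(mbr, baseline_bootcode_sha256):
    """Findings a responder would act on. A TDL4-style infection typically shows up only
    in the boot-code hash; the table checks catch cruder tampering or a damaged MBR."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("boot code differs from baseline (bootkit suspect)")
    active = [p for p in info["partitions"] if p["boot"] == 0x80]
    if len(active) != 1:
        findings.append("expected one active partition, found %d" % len(active))
    ordered = sorted(info["partitions"], key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return findings


# Constructed from the logs: (boot flag, type, start LBA, sectors); MB = sectors / 2048.
DISK0_PARTITIONS = [
    (0x80, 0x27, 2048, 3_072_000),                # 1500 MB WinRE, active
    (0x00, 0x07, 3_074_048, 1_217_560_576),       # 594512 MB C: (0x2EE800 / 0x48928000)
    (0x00, 0x17, 1_220_634_624, 29_628_416),      # 14467 MB hidden OEM recovery
]
DISK0_SECTORS = 0x950B056000 // SECTOR            # drive size as TDSSKiller reported it
# Placeholder boot code (constructed, not Windows or Pihar bytes). The "suspect" copy
# keeps the same prefix and differs a few bytes in, as a patched MBR would.
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
SUSPECT_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\xeb\xfe" + b"\x90" * 38
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, 0x1234ABCD, DISK0_PARTITIONS)
SUSPECT_MBR = build_mbr(SUSPECT_BOOTCODE, 0x1234ABCD, DISK0_PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)["bootcode_sha256"]   # in practice: hash of a known-clean MBR

if __name__ == "__main__":
    for p in parse_mbr(SUSPECT_MBR)["partitions"]:
        print(p)
    print("trailing sectors:", trailing_unallocated(parse_mbr(SUSPECT_MBR), DISK0_SECTORS))
    print("clean  :", triage(CLEAN_MBR, BASELINE))
    print("suspect:", triage(SUSPECT_MBR, BASELINE))
```

To use it on a real dump, call parse_mbr(open("MBR.dat", "rb").read()) and triage() with a baseline hash taken from a known-clean MBR of the same Windows version, never from the suspect machine. The caveat the log itself states matters here: "Disk 0 MBR hidden" together with the atapi IRP_MJ_CREATE entry pointing at an unknown address means a sector read issued from inside the infected Windows passes through the rootkit's hook and can be answered with a clean copy. Take the 512 bytes from outside the running OS (WinRE, a live Linux, or an image of the drive) before trusting the comparison.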
#4 CatByte (bleepin' tiger, Malware Response Team, Canada)

Posted 20 April 2012 - 06:12 AM

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • When the window opens, click on Change Parameters
  • Under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • Click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • If the TDLFS File system is found then ensure delete is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT



Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 micro102 (Topic Starter, Members)

Posted 21 April 2012 - 12:20 AM

TDSS log

23:54:03.0198 42136	TDSS rootkit removing tool 2.7.31.0 Apr 20 2012 19:49:47
23:54:03.0472 42136	============================================================
23:54:03.0472 42136	Current date / time: 2012/04/20 23:54:03.0472
23:54:03.0472 42136	SystemInfo:
23:54:03.0472 42136	
23:54:03.0472 42136	OS Version: 6.1.7601 ServicePack: 1.0
23:54:03.0472 42136	Product type: Workstation
23:54:03.0472 42136	ComputerName: MICRO102-PC
23:54:03.0472 42136	UserName: Micro102
23:54:03.0472 42136	Windows directory: C:\windows
23:54:03.0472 42136	System windows directory: C:\windows
23:54:03.0472 42136	Running under WOW64
23:54:03.0472 42136	Processor architecture: Intel x64
23:54:03.0472 42136	Number of processors: 4
23:54:03.0472 42136	Page size: 0x1000
23:54:03.0472 42136	Boot type: Normal boot
23:54:03.0472 42136	============================================================
23:54:05.0324 42136	Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
23:54:05.0346 42136	\Device\Harddisk0\DR0:
23:54:05.0346 42136	MBR partitions:
23:54:05.0346 42136	\Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2EE800, BlocksNum 0x48928000
23:54:05.0382 42136	C: <-> \Device\Harddisk0\DR0\Partition0
23:54:05.0382 42136	Initialize success
23:54:05.0382 42136	============================================================
23:54:36.0855 31968	============================================================
23:54:36.0855 31968	Scan started
23:54:36.0855 31968	Mode: Manual; TDLFS; 
23:54:36.0855 31968	============================================================
23:54:37.0784 31968	1394ohci        (a87d604aea360176311474c87a63bb88) C:\windows\system32\drivers\1394ohci.sys
23:54:37.0788 31968	1394ohci - ok
23:54:37.0893 31968	ACPI            (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\windows\system32\drivers\ACPI.sys
23:54:37.0898 31968	ACPI - ok
23:54:37.0977 31968	AcpiPmi         (99f8e788246d495ce3794d7e7821d2ca) C:\windows\system32\drivers\acpipmi.sys
23:54:37.0979 31968	AcpiPmi - ok
23:54:38.0087 31968	AdobeARMservice (62b7936f9036dd6ed36e6a7efa805dc0) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
23:54:38.0088 31968	AdobeARMservice - ok
23:54:38.0234 31968	adp94xx         (2f6b34b83843f0c5118b63ac634f5bf4) C:\windows\system32\drivers\adp94xx.sys
23:54:38.0241 31968	adp94xx - ok
23:54:38.0407 31968	adpahci         (597f78224ee9224ea1a13d6350ced962) C:\windows\system32\drivers\adpahci.sys
23:54:38.0412 31968	adpahci - ok
23:54:38.0525 31968	adpu320         (e109549c90f62fb570b9540c4b148e54) C:\windows\system32\drivers\adpu320.sys
23:54:38.0528 31968	adpu320 - ok
23:54:38.0601 31968	AeLookupSvc     (4b78b431f225fd8624c5655cb1de7b61) C:\windows\System32\aelupsvc.dll
23:54:38.0603 31968	AeLookupSvc - ok
23:54:38.0709 31968	AFD             (1c7857b62de5994a75b054a9fd4c3825) C:\windows\system32\drivers\afd.sys
23:54:38.0716 31968	AFD - ok
23:54:38.0808 31968	agp440          (608c14dba7299d8cb6ed035a68a15799) C:\windows\system32\drivers\agp440.sys
23:54:38.0810 31968	agp440 - ok
23:54:38.0925 31968	ALG             (3290d6946b5e30e70414990574883ddb) C:\windows\System32\alg.exe
23:54:38.0927 31968	ALG - ok
23:54:39.0049 31968	aliide          (5812713a477a3ad7363c7438ca2ee038) C:\windows\system32\drivers\aliide.sys
23:54:39.0050 31968	aliide - ok
23:54:39.0122 31968	AMD External Events Utility (e9f172f8067830ab6418fcf13b7c82f1) C:\windows\system32\atiesrxx.exe
23:54:39.0126 31968	AMD External Events Utility - ok
23:54:39.0225 31968	amdide          (1ff8b4431c353ce385c875f194924c0c) C:\windows\system32\drivers\amdide.sys
23:54:39.0226 31968	amdide - ok
23:54:39.0367 31968	AmdK8           (7024f087cff1833a806193ef9d22cda9) C:\windows\system32\drivers\amdk8.sys
23:54:39.0369 31968	AmdK8 - ok
23:54:39.0640 31968	amdkmdag        (3ea481540bf571ce2ac422249c4e18a9) C:\windows\system32\DRIVERS\atikmdag.sys
23:54:39.0838 31968	amdkmdag - ok
23:54:40.0047 31968	amdkmdap        (c5228c5fd5ca78002255089c4e74dc0e) C:\windows\system32\DRIVERS\atikmpag.sys
23:54:40.0052 31968	amdkmdap - ok
23:54:40.0124 31968	AmdPPM          (1e56388b3fe0d031c44144eb8c4d6217) C:\windows\system32\DRIVERS\amdppm.sys
23:54:40.0126 31968	AmdPPM - ok
23:54:40.0249 31968	amdsata         (d4121ae6d0c0e7e13aa221aa57ef2d49) C:\windows\system32\drivers\amdsata.sys
23:54:40.0252 31968	amdsata - ok
23:54:40.0423 31968	amdsbs          (f67f933e79241ed32ff46a4f29b5120b) C:\windows\system32\drivers\amdsbs.sys
23:54:40.0426 31968	amdsbs - ok
23:54:40.0572 31968	amdxata         (540daf1cea6094886d72126fd7c33048) C:\windows\system32\drivers\amdxata.sys
23:54:40.0574 31968	amdxata - ok
23:54:40.0729 31968	AppID           (89a69c3f2f319b43379399547526d952) C:\windows\system32\drivers\appid.sys
23:54:40.0731 31968	AppID - ok
23:54:40.0806 31968	AppIDSvc        (0bc381a15355a3982216f7172f545de1) C:\windows\System32\appidsvc.dll
23:54:40.0807 31968	AppIDSvc - ok
23:54:40.0899 31968	Appinfo         (3977d4a871ca0d4f2ed1e7db46829731) C:\windows\System32\appinfo.dll
23:54:40.0911 31968	Appinfo - ok
23:54:41.0072 31968	arc             (c484f8ceb1717c540242531db7845c4e) C:\windows\system32\drivers\arc.sys
23:54:41.0074 31968	arc - ok
23:54:41.0176 31968	arcsas          (019af6924aefe7839f61c830227fe79c) C:\windows\system32\drivers\arcsas.sys
23:54:41.0178 31968	arcsas - ok
23:54:41.0299 31968	aspnet_state    (9217d874131ae6ff8f642f124f00a555) C:\windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
23:54:41.0301 31968	aspnet_state - ok
23:54:41.0415 31968	AsyncMac        (769765ce2cc62867468cea93969b2242) C:\windows\system32\DRIVERS\asyncmac.sys
23:54:41.0416 31968	AsyncMac - ok
23:54:41.0491 31968	atapi           (02062c0b390b7729edc9e69c680a6f3c) C:\windows\system32\drivers\atapi.sys
23:54:41.0491 31968	atapi - ok
23:54:41.0614 31968	AtiHDAudioService (4bf5bca6e2608cd8a00bc4a6673a9f47) C:\windows\system32\drivers\AtihdW76.sys
23:54:41.0617 31968	AtiHDAudioService - ok
23:54:41.0708 31968	AudioEndpointBuilder (f23fef6d569fce88671949894a8becf1) C:\windows\System32\Audiosrv.dll
23:54:41.0718 31968	AudioEndpointBuilder - ok
23:54:41.0732 31968	AudioSrv        (f23fef6d569fce88671949894a8becf1) C:\windows\System32\Audiosrv.dll
23:54:41.0738 31968	AudioSrv - ok
23:54:41.0821 31968	AxInstSV        (a6bf31a71b409dfa8cac83159e1e2aff) C:\windows\System32\AxInstSV.dll
23:54:41.0824 31968	AxInstSV - ok
23:54:41.0930 31968	b06bdrv         (3e5b191307609f7514148c6832bb0842) C:\windows\system32\drivers\bxvbda.sys
23:54:41.0950 31968	b06bdrv - ok
23:54:42.0082 31968	b57nd60a        (b5ace6968304a3900eeb1ebfd9622df2) C:\windows\system32\DRIVERS\b57nd60a.sys
23:54:42.0087 31968	b57nd60a - ok
23:54:42.0150 31968	BDESVC          (fde360167101b4e45a96f939f388aeb0) C:\windows\System32\bdesvc.dll
23:54:42.0152 31968	BDESVC - ok
23:54:42.0260 31968	Beep            (16a47ce2decc9b099349a5f840654746) C:\windows\system32\drivers\Beep.sys
23:54:42.0262 31968	Beep - ok
23:54:42.0386 31968	BFE             (82974d6a2fd19445cc5171fc378668a4) C:\windows\System32\bfe.dll
23:54:42.0401 31968	BFE - ok
23:54:42.0556 31968	BHDrvx64        (1d757a7e020c577c4259a755f21b7152) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\BASHDefs\20111223.001\BHDrvx64.sys
23:54:42.0572 31968	BHDrvx64 - ok
23:54:42.0644 31968	BITS            (1ea7969e3271cbc59e1730697dc74682) C:\windows\System32\qmgr.dll
23:54:42.0671 31968	BITS - ok
23:54:42.0767 31968	blbdrive        (61583ee3c3a17003c4acd0475646b4d3) C:\windows\system32\DRIVERS\blbdrive.sys
23:54:42.0769 31968	blbdrive - ok
23:54:42.0855 31968	bowser          (6c02a83164f5cc0a262f4199f0871cf5) C:\windows\system32\DRIVERS\bowser.sys
23:54:42.0857 31968	bowser - ok
23:54:42.0952 31968	BrFiltLo        (f09eee9edc320b5e1501f749fde686c8) C:\windows\system32\drivers\BrFiltLo.sys
23:54:42.0953 31968	BrFiltLo - ok
23:54:43.0048 31968	BrFiltUp        (b114d3098e9bdb8bea8b053685831be6) C:\windows\system32\drivers\BrFiltUp.sys
23:54:43.0049 31968	BrFiltUp - ok
23:54:43.0121 31968	Browser         (8ef0d5c41ec907751b8429162b1239ed) C:\windows\System32\browser.dll
23:54:43.0123 31968	Browser - ok
23:54:43.0301 31968	Brserid         (43bea8d483bf1870f018e2d02e06a5bd) C:\windows\System32\Drivers\Brserid.sys
23:54:43.0305 31968	Brserid - ok
23:54:43.0433 31968	BrSerWdm        (a6eca2151b08a09caceca35c07f05b42) C:\windows\System32\Drivers\BrSerWdm.sys
23:54:43.0435 31968	BrSerWdm - ok
23:54:43.0518 31968	BrUsbMdm        (b79968002c277e869cf38bd22cd61524) C:\windows\System32\Drivers\BrUsbMdm.sys
23:54:43.0519 31968	BrUsbMdm - ok
23:54:43.0607 31968	BrUsbSer        (a87528880231c54e75ea7a44943b38bf) C:\windows\System32\Drivers\BrUsbSer.sys
23:54:43.0608 31968	BrUsbSer - ok
23:54:43.0716 31968	BTHMODEM        (9da669f11d1f894ab4eb69bf546a42e8) C:\windows\system32\drivers\bthmodem.sys
23:54:43.0731 31968	BTHMODEM - ok
23:54:43.0809 31968	bthserv         (95f9c2976059462cbbf227f7aab10de9) C:\windows\system32\bthserv.dll
23:54:43.0811 31968	bthserv - ok
23:54:43.0956 31968	ccSet_NIS       (a8ad33c9dd88c810cac00acc7f4329fb) C:\windows\system32\drivers\NISx64\1302000.00A\ccSetx64.sys
23:54:43.0960 31968	ccSet_NIS - ok
23:54:44.0042 31968	cdfs            (b8bd2bb284668c84865658c77574381a) C:\windows\system32\DRIVERS\cdfs.sys
23:54:44.0044 31968	cdfs - ok
23:54:44.0136 31968	cdrom           (f036ce71586e93d94dab220d7bdf4416) C:\windows\system32\DRIVERS\cdrom.sys
23:54:44.0139 31968	cdrom - ok
23:54:44.0299 31968	CertPropSvc     (f17d1d393bbc69c5322fbfafaca28c7f) C:\windows\System32\certprop.dll
23:54:44.0301 31968	CertPropSvc - ok
23:54:44.0439 31968	circlass        (d7cd5c4e1b71fa62050515314cfb52cf) C:\windows\system32\drivers\circlass.sys
23:54:44.0441 31968	circlass - ok
23:54:44.0527 31968	CLFS            (fe1ec06f2253f691fe36217c592a0206) C:\windows\system32\CLFS.sys
23:54:44.0533 31968	CLFS - ok
23:54:44.0611 31968	clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
23:54:44.0614 31968	clr_optimization_v2.0.50727_32 - ok
23:54:44.0662 31968	clr_optimization_v2.0.50727_64 (d1ceea2b47cb998321c579651ce3e4f8) C:\windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
23:54:44.0665 31968	clr_optimization_v2.0.50727_64 - ok
23:54:44.0786 31968	clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
23:54:44.0791 31968	clr_optimization_v4.0.30319_32 - ok
23:54:44.0880 31968	clr_optimization_v4.0.30319_64 (c6f9af94dcd58122a4d7e89db6bed29d) C:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
23:54:44.0883 31968	clr_optimization_v4.0.30319_64 - ok
23:54:44.0978 31968	CmBatt          (0840155d0bddf1190f84a663c284bd33) C:\windows\system32\DRIVERS\CmBatt.sys
23:54:44.0979 31968	CmBatt - ok
23:54:45.0052 31968	cmdide          (e19d3f095812725d88f9001985b94edd) C:\windows\system32\drivers\cmdide.sys
23:54:45.0053 31968	cmdide - ok
23:54:45.0154 31968	CNG             (c4943b6c962e4b82197542447ad599f4) C:\windows\system32\Drivers\cng.sys
23:54:45.0161 31968	CNG - ok
23:54:45.0321 31968	Compbatt        (102de219c3f61415f964c88e9085ad14) C:\windows\system32\drivers\compbatt.sys
23:54:45.0322 31968	Compbatt - ok
23:54:45.0420 31968	CompositeBus    (03edb043586cceba243d689bdda370a8) C:\windows\system32\DRIVERS\CompositeBus.sys
23:54:45.0426 31968	CompositeBus - ok
23:54:45.0491 31968	COMSysApp - ok
23:54:45.0550 31968	crcdisk         (1c827878a998c18847245fe1f34ee597) C:\windows\system32\drivers\crcdisk.sys
23:54:45.0552 31968	crcdisk - ok
23:54:45.0639 31968	CryptSvc        (15597883fbe9b056f276ada3ad87d9af) C:\windows\system32\cryptsvc.dll
23:54:45.0643 31968	CryptSvc - ok
23:54:45.0762 31968	cvhsvc          (72794d112cbaff3bc0c29bf7350d4741) C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
23:54:45.0774 31968	cvhsvc - ok
23:54:45.0858 31968	DcomLaunch      (5c627d1b1138676c0a7ab2c2c190d123) C:\windows\system32\rpcss.dll
23:54:45.0867 31968	DcomLaunch - ok
23:54:45.0936 31968	defragsvc       (3cec7631a84943677aa8fa8ee5b6b43d) C:\windows\System32\defragsvc.dll
23:54:45.0941 31968	defragsvc - ok
23:54:46.0017 31968	DfsC            (9bb2ef44eaa163b29c4a4587887a0fe4) C:\windows\system32\Drivers\dfsc.sys
23:54:46.0019 31968	DfsC - ok
23:54:46.0110 31968	Dhcp            (43d808f5d9e1a18e5eeb5ebc83969e4e) C:\windows\system32\dhcpcore.dll
23:54:46.0115 31968	Dhcp - ok
23:54:46.0207 31968	discache        (13096b05847ec78f0977f2c0f79e9ab3) C:\windows\system32\drivers\discache.sys
23:54:46.0209 31968	discache - ok
23:54:46.0391 31968	Disk            (9819eee8b5ea3784ec4af3b137a5244c) C:\windows\system32\drivers\disk.sys
23:54:46.0393 31968	Disk - ok
23:54:46.0503 31968	Dnscache        (16835866aaa693c7d7fceba8fff706e4) C:\windows\System32\dnsrslvr.dll
23:54:46.0506 31968	Dnscache - ok
23:54:46.0551 31968	dot3svc         (b1fb3ddca0fdf408750d5843591afbc6) C:\windows\System32\dot3svc.dll
23:54:46.0556 31968	dot3svc - ok
23:54:46.0577 31968	DPS             (b26f4f737e8f9df4f31af6cf31d05820) C:\windows\system32\dps.dll
23:54:46.0588 31968	DPS - ok
23:54:46.0686 31968	drmkaud         (9b19f34400d24df84c858a421c205754) C:\windows\system32\drivers\drmkaud.sys
23:54:46.0688 31968	drmkaud - ok
23:54:46.0778 31968	DXGKrnl         (f5bee30450e18e6b83a5012c100616fd) C:\windows\System32\drivers\dxgkrnl.sys
23:54:46.0792 31968	DXGKrnl - ok
23:54:46.0873 31968	EapHost         (e2dda8726da9cb5b2c4000c9018a9633) C:\windows\System32\eapsvc.dll
23:54:46.0875 31968	EapHost - ok
23:54:47.0049 31968	ebdrv           (dc5d737f51be844d8c82c695eb17372f) C:\windows\system32\drivers\evbda.sys
23:54:47.0131 31968	ebdrv - ok
23:54:47.0228 31968	eeCtrl          (5ccf1be80930aeb1cdebf561666325e8) C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
23:54:47.0235 31968	eeCtrl - ok
23:54:47.0313 31968	EFS             (c118a82cd78818c29ab228366ebf81c3) C:\windows\System32\lsass.exe
23:54:47.0315 31968	EFS - ok
23:54:47.0387 31968	ehRecvr         (c4002b6b41975f057d98c439030cea07) C:\windows\ehome\ehRecvr.exe
23:54:47.0398 31968	ehRecvr - ok
23:54:47.0496 31968	ehSched         (4705e8ef9934482c5bb488ce28afc681) C:\windows\ehome\ehsched.exe
23:54:47.0499 31968	ehSched - ok
23:54:47.0607 31968	elxstor         (0e5da5369a0fcaea12456dd852545184) C:\windows\system32\drivers\elxstor.sys
23:54:47.0615 31968	elxstor - ok
23:54:47.0756 31968	ErrDev          (34a3c54752046e79a126e15c51db409b) C:\windows\system32\drivers\errdev.sys
23:54:47.0757 31968	ErrDev - ok
23:54:47.0846 31968	EventSystem     (4166f82be4d24938977dd1746be9b8a0) C:\windows\system32\es.dll
23:54:47.0852 31968	EventSystem - ok
23:54:47.0933 31968	exfat           (a510c654ec00c1e9bdd91eeb3a59823b) C:\windows\system32\drivers\exfat.sys
23:54:47.0936 31968	exfat - ok
23:54:48.0024 31968	fastfat         (0adc83218b66a6db380c330836f3e36d) C:\windows\system32\drivers\fastfat.sys
23:54:48.0028 31968	fastfat - ok
23:54:48.0124 31968	Fax             (dbefd454f8318a0ef691fdd2eaab44eb) C:\windows\system32\fxssvc.exe
23:54:48.0135 31968	Fax - ok
23:54:48.0215 31968	fdc             (d765d19cd8ef61f650c384f62fac00ab) C:\windows\system32\drivers\fdc.sys
23:54:48.0216 31968	fdc - ok
23:54:48.0294 31968	fdPHost         (0438cab2e03f4fb61455a7956026fe86) C:\windows\system32\fdPHost.dll
23:54:48.0296 31968	fdPHost - ok
23:54:48.0370 31968	FDResPub        (802496cb59a30349f9a6dd22d6947644) C:\windows\system32\fdrespub.dll
23:54:48.0372 31968	FDResPub - ok
23:54:48.0444 31968	FileInfo        (655661be46b5f5f3fd454e2c3095b930) C:\windows\system32\drivers\fileinfo.sys
23:54:48.0446 31968	FileInfo - ok
23:54:48.0552 31968	Filetrace       (5f671ab5bc87eea04ec38a6cd5962a47) C:\windows\system32\drivers\filetrace.sys
23:54:48.0554 31968	Filetrace - ok
23:54:48.0641 31968	flpydisk        (c172a0f53008eaeb8ea33fe10e177af5) C:\windows\system32\drivers\flpydisk.sys
23:54:48.0643 31968	flpydisk - ok
23:54:48.0771 31968	FltMgr          (da6b67270fd9db3697b20fce94950741) C:\windows\system32\drivers\fltmgr.sys
23:54:48.0775 31968	FltMgr - ok
23:54:48.0876 31968	FontCache       (5c4cb4086fb83115b153e47add961a0c) C:\windows\system32\FntCache.dll
23:54:48.0893 31968	FontCache - ok
23:54:48.0970 31968	FontCache3.0.0.0 (a8b7f3818ab65695e3a0bb3279f6dce6) C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
23:54:48.0972 31968	FontCache3.0.0.0 - ok
23:54:49.0140 31968	FsDepends       (d43703496149971890703b4b1b723eac) C:\windows\system32\drivers\FsDepends.sys
23:54:49.0142 31968	FsDepends - ok
23:54:49.0225 31968	Fs_Rec          (6bd9295cc032dd3077c671fccf579a7b) C:\windows\system32\drivers\Fs_Rec.sys
23:54:49.0226 31968	Fs_Rec - ok
23:54:49.0319 31968	fvevol          (1f7b25b858fa27015169fe95e54108ed) C:\windows\system32\DRIVERS\fvevol.sys
23:54:49.0323 31968	fvevol - ok
23:54:49.0420 31968	gagp30kx        (8c778d335c9d272cfd3298ab02abe3b6) C:\windows\system32\drivers\gagp30kx.sys
23:54:49.0422 31968	gagp30kx - ok
23:54:49.0545 31968	GamesAppService (c403c5db49a0f9aaf4f2128edc0106d8) C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
23:54:49.0548 31968	GamesAppService - ok
23:54:49.0646 31968	GFNEXSrv        (fa07ec01952729ddddc5bf4bae06b09e) C:\Windows\System32\GFNEXSrv.exe
23:54:49.0649 31968	GFNEXSrv - ok
23:54:49.0729 31968	gpsvc           (277bbc7e1aa1ee957f573a10eca7ef3a) C:\windows\System32\gpsvc.dll
23:54:49.0744 31968	gpsvc - ok
23:54:49.0856 31968	gupdate         (f02a533f517eb38333cb12a9e8963773) C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
23:54:49.0858 31968	gupdate - ok
23:54:49.0876 31968	gupdatem        (f02a533f517eb38333cb12a9e8963773) C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
23:54:49.0878 31968	gupdatem - ok
23:54:49.0909 31968	gusvc           (cc839e8d766cc31a7710c9f38cf3e375) C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
23:54:49.0913 31968	gusvc - ok
23:54:50.0008 31968	hcw85cir        (f2523ef6460fc42405b12248338ab2f0) C:\windows\system32\drivers\hcw85cir.sys
23:54:50.0010 31968	hcw85cir - ok
23:54:50.0114 31968	HdAudAddService (975761c778e33cd22498059b91e7373a) C:\windows\system32\drivers\HdAudio.sys
23:54:50.0119 31968	HdAudAddService - ok
23:54:50.0253 31968	HDAudBus        (97bfed39b6b79eb12cddbfeed51f56bb) C:\windows\system32\DRIVERS\HDAudBus.sys
23:54:50.0256 31968	HDAudBus - ok
23:54:50.0393 31968	HidBatt         (78e86380454a7b10a5eb255dc44a355f) C:\windows\system32\drivers\HidBatt.sys
23:54:50.0394 31968	HidBatt - ok
23:54:50.0471 31968	HidBth          (7fd2a313f7afe5c4dab14798c48dd104) C:\windows\system32\drivers\hidbth.sys
23:54:50.0473 31968	HidBth - ok
23:54:50.0594 31968	HidIr           (0a77d29f311b88cfae3b13f9c1a73825) C:\windows\system32\drivers\hidir.sys
23:54:50.0596 31968	HidIr - ok
23:54:50.0668 31968	hidserv         (bd9eb3958f213f96b97b1d897dee006d) C:\windows\system32\hidserv.dll
23:54:50.0670 31968	hidserv - ok
23:54:50.0859 31968	HidUsb          (9592090a7e2b61cd582b612b6df70536) C:\windows\system32\DRIVERS\hidusb.sys
23:54:50.0861 31968	HidUsb - ok
23:54:50.0925 31968	hkmsvc          (387e72e739e15e3d37907a86d9ff98e2) C:\windows\system32\kmsvc.dll
23:54:50.0929 31968	hkmsvc - ok
23:54:50.0973 31968	HomeGroupListener (efdfb3dd38a4376f93e7985173813abd) C:\windows\system32\ListSvc.dll
23:54:50.0978 31968	HomeGroupListener - ok
23:54:51.0009 31968	HomeGroupProvider (908acb1f594274965a53926b10c81e89) C:\windows\system32\provsvc.dll
23:54:51.0014 31968	HomeGroupProvider - ok
23:54:51.0101 31968	HpSAMD          (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\windows\system32\drivers\HpSAMD.sys
23:54:51.0103 31968	HpSAMD - ok
23:54:51.0214 31968	HTTP            (0ea7de1acb728dd5a369fd742d6eee28) C:\windows\system32\drivers\HTTP.sys
23:54:51.0225 31968	HTTP - ok
23:54:51.0296 31968	hwpolicy        (a5462bd6884960c9dc85ed49d34ff392) C:\windows\system32\drivers\hwpolicy.sys
23:54:51.0298 31968	hwpolicy - ok
23:54:51.0411 31968	i8042prt        (fa55c73d4affa7ee23ac4be53b4592d3) C:\windows\system32\DRIVERS\i8042prt.sys
23:54:51.0414 31968	i8042prt - ok
23:54:51.0515 31968	iaStorV         (aaaf44db3bd0b9d1fb6969b23ecc8366) C:\windows\system32\drivers\iaStorV.sys
23:54:51.0533 31968	iaStorV - ok
23:54:51.0640 31968	idsvc           (5988fc40f8db5b0739cd1e3a5d0d78bd) C:\windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
23:54:51.0654 31968	idsvc - ok
23:54:51.0765 31968	IDSVia64        (0b97f1a640ad3d159a7b5d2164c42e50) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\IPSDefs\20120107.001\IDSvia64.sys
23:54:51.0776 31968	IDSVia64 - ok
23:54:51.0910 31968	iirsp           (5c18831c61933628f5bb0ea2675b9d21) C:\windows\system32\drivers\iirsp.sys
23:54:51.0911 31968	iirsp - ok
23:54:51.0992 31968	IKEEXT          (fcd84c381e0140af901e58d48882d26b) C:\windows\System32\ikeext.dll
23:54:52.0004 31968	IKEEXT - ok
23:54:52.0168 31968	IntcAzAudAddService (028e40182a6f0374978c755f85b9f07c) C:\windows\system32\drivers\RTKVHD64.sys
23:54:52.0212 31968	IntcAzAudAddService - ok
23:54:52.0367 31968	intelide        (f00f20e70c6ec3aa366910083a0518aa) C:\windows\system32\drivers\intelide.sys
23:54:52.0369 31968	intelide - ok
23:54:52.0503 31968	intelppm        (ada036632c664caa754079041cf1f8c1) C:\windows\system32\drivers\intelppm.sys
23:54:52.0505 31968	intelppm - ok
23:54:52.0599 31968	IPBusEnum       (098a91c54546a3b878dad6a7e90a455b) C:\windows\system32\ipbusenum.dll
23:54:52.0602 31968	IPBusEnum - ok
23:54:52.0675 31968	IpFilterDriver  (c9f0e1bd74365a8771590e9008d22ab6) C:\windows\system32\DRIVERS\ipfltdrv.sys
23:54:52.0677 31968	IpFilterDriver - ok
23:54:52.0755 31968	iphlpsvc        (a34a587fffd45fa649fba6d03784d257) C:\windows\System32\iphlpsvc.dll
23:54:52.0764 31968	iphlpsvc - ok
23:54:52.0854 31968	IPMIDRV         (0fc1aea580957aa8817b8f305d18ca3a) C:\windows\system32\drivers\IPMIDrv.sys
23:54:52.0856 31968	IPMIDRV - ok
23:54:52.0933 31968	IPNAT           (af9b39a7e7b6caa203b3862582e9f2d0) C:\windows\system32\drivers\ipnat.sys
23:54:52.0936 31968	IPNAT - ok
23:54:53.0029 31968	IRENUM          (3abf5e7213eb28966d55d58b515d5ce9) C:\windows\system32\drivers\irenum.sys
23:54:53.0031 31968	IRENUM - ok
23:54:53.0118 31968	isapnp          (2f7b28dc3e1183e5eb418df55c204f38) C:\windows\system32\drivers\isapnp.sys
23:54:53.0120 31968	isapnp - ok
23:54:53.0224 31968	iScsiPrt        (d931d7309deb2317035b07c9f9e6b0bd) C:\windows\system32\drivers\msiscsi.sys
23:54:53.0229 31968	iScsiPrt - ok
23:54:53.0341 31968	IviRegMgr       (f415a88162d23977b5edae4f0410e903) C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
23:54:53.0343 31968	IviRegMgr - ok
23:54:53.0445 31968	kbdclass        (bc02336f1cba7dcc7d1213bb588a68a5) C:\windows\system32\DRIVERS\kbdclass.sys
23:54:53.0447 31968	kbdclass - ok
23:54:53.0543 31968	kbdhid          (0705eff5b42a9db58548eec3b26bb484) C:\windows\system32\drivers\kbdhid.sys
23:54:53.0544 31968	kbdhid - ok
23:54:53.0647 31968	KeyIso          (c118a82cd78818c29ab228366ebf81c3) C:\windows\system32\lsass.exe
23:54:53.0648 31968	KeyIso - ok
23:54:53.0729 31968	KSecDD          (da1e991a61cfdd755a589e206b97644b) C:\windows\system32\Drivers\ksecdd.sys
23:54:53.0732 31968	KSecDD - ok
23:54:53.0814 31968	KSecPkg         (7e33198d956943a4f11a5474c1e9106f) C:\windows\system32\Drivers\ksecpkg.sys
23:54:53.0817 31968	KSecPkg - ok
23:54:53.0899 31968	ksthunk         (6869281e78cb31a43e969f06b57347c4) C:\windows\system32\drivers\ksthunk.sys
23:54:53.0900 31968	ksthunk - ok
23:54:53.0976 31968	KtmRm           (6ab66e16aa859232f64deb66887a8c9c) C:\windows\system32\msdtckrm.dll
23:54:53.0983 31968	KtmRm - ok
23:54:54.0098 31968	LanmanServer    (d9f42719019740baa6d1c6d536cbdaa6) C:\windows\system32\srvsvc.dll
23:54:54.0103 31968	LanmanServer - ok
23:54:54.0178 31968	LanmanWorkstation (851a1382eed3e3a7476db004f4ee3e1a) C:\windows\System32\wkssvc.dll
23:54:54.0183 31968	LanmanWorkstation - ok
23:54:54.0309 31968	lltdio          (1538831cf8ad2979a04c423779465827) C:\windows\system32\DRIVERS\lltdio.sys
23:54:54.0311 31968	lltdio - ok
23:54:54.0408 31968	lltdsvc         (c1185803384ab3feed115f79f109427f) C:\windows\System32\lltdsvc.dll
23:54:54.0414 31968	lltdsvc - ok
23:54:54.0486 31968	lmhosts         (f993a32249b66c9d622ea5592a8b76b8) C:\windows\System32\lmhsvc.dll
23:54:54.0488 31968	lmhosts - ok
23:54:54.0566 31968	LSI_FC          (1a93e54eb0ece102495a51266dcdb6a6) C:\windows\system32\drivers\lsi_fc.sys
23:54:54.0569 31968	LSI_FC - ok
23:54:54.0697 31968	LSI_SAS         (1047184a9fdc8bdbff857175875ee810) C:\windows\system32\drivers\lsi_sas.sys
23:54:54.0699 31968	LSI_SAS - ok
23:54:54.0791 31968	LSI_SAS2        (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\windows\system32\drivers\lsi_sas2.sys
23:54:54.0793 31968	LSI_SAS2 - ok
23:54:54.0893 31968	LSI_SCSI        (0504eacaff0d3c8aed161c4b0d369d4a) C:\windows\system32\drivers\lsi_scsi.sys
23:54:54.0896 31968	LSI_SCSI - ok
23:54:54.0994 31968	luafv           (43d0f98e1d56ccddb0d5254cff7b356e) C:\windows\system32\drivers\luafv.sys
23:54:54.0996 31968	luafv - ok
23:54:55.0106 31968	MBAMProtector   (dbc08862a71459e74f7538b432c114cc) C:\windows\system32\drivers\mbam.sys
23:54:55.0108 31968	MBAMProtector - ok
23:54:55.0182 31968	MBAMService     (ba400ed640bca1eae5c727ae17c10207) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
23:54:55.0192 31968	MBAMService - ok
23:54:55.0261 31968	Mcx2Svc         (0be09cd858abf9df6ed259d57a1a1663) C:\windows\system32\Mcx2Svc.dll
23:55:30.0691 31968	WinDefend - ok
23:55:30.0709 31968	WinHttpAutoProxySvc - ok
23:55:30.0801 31968	Winmgmt         (19b07e7e8915d701225da41cb3877306) C:\windows\system32\wbem\WMIsvc.dll
23:55:30.0805 31968	Winmgmt - ok
23:55:30.0952 31968	WinRM           (bcb1310604aa415c4508708975b3931e) C:\windows\system32\WsmSvc.dll
23:55:30.0983 31968	WinRM - ok
23:55:31.0072 31968	Wlansvc         (4fada86e62f18a1b2f42ba18ae24e6aa) C:\windows\System32\wlansvc.dll
23:55:31.0087 31968	Wlansvc - ok
23:55:31.0161 31968	wlcrasvc        (06c8fa1cf39de6a735b54d906ba791c6) C:\Program Files\Windows Live\Mesh\wlcrasvc.exe
23:55:31.0163 31968	wlcrasvc - ok
23:55:31.0259 31968	wlidsvc         (2bacd71123f42cea603f4e205e1ae337) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
23:55:31.0291 31968	wlidsvc - ok
23:55:31.0385 31968	WmiAcpi         (f6ff8944478594d0e414d3f048f0d778) C:\windows\system32\DRIVERS\wmiacpi.sys
23:55:31.0387 31968	WmiAcpi - ok
23:55:31.0478 31968	wmiApSrv        (38b84c94c5a8af291adfea478ae54f93) C:\windows\system32\wbem\WmiApSrv.exe
23:55:31.0481 31968	wmiApSrv - ok
23:55:31.0515 31968	WMPNetworkSvc - ok
23:55:31.0575 31968	WPCSvc          (96c6e7100d724c69fcf9e7bf590d1dca) C:\windows\System32\wpcsvc.dll
23:55:31.0583 31968	WPCSvc - ok
23:55:31.0664 31968	WPDBusEnum      (93221146d4ebbf314c29b23cd6cc391d) C:\windows\system32\wpdbusenum.dll
23:55:31.0669 31968	WPDBusEnum - ok
23:55:31.0749 31968	ws2ifsl         (6bcc1d7d2fd2453957c5479a32364e52) C:\windows\system32\drivers\ws2ifsl.sys
23:55:31.0751 31968	ws2ifsl - ok
23:55:31.0811 31968	wscsvc          (e8b1fe6669397d1772d8196df0e57a9e) C:\windows\System32\wscsvc.dll
23:55:31.0815 31968	wscsvc - ok
23:55:31.0859 31968	WSearch - ok
23:55:32.0002 31968	wuauserv        (9df12edbc698b0bc353b3ef84861e430) C:\windows\system32\wuaueng.dll
23:55:32.0038 31968	wuauserv - ok
23:55:32.0110 31968	WudfPf          (d3381dc54c34d79b22cee0d65ba91b7c) C:\windows\system32\drivers\WudfPf.sys
23:55:32.0112 31968	WudfPf - ok
23:55:32.0208 31968	WUDFRd          (cf8d590be3373029d57af80914190682) C:\windows\system32\DRIVERS\WUDFRd.sys
23:55:32.0211 31968	WUDFRd - ok
23:55:32.0288 31968	wudfsvc         (7a95c95b6c4cf292d689106bcae49543) C:\windows\System32\WUDFSvc.dll
23:55:32.0292 31968	wudfsvc - ok
23:55:32.0445 31968	WwanSvc         (9a3452b3c2a46c073166c5cf49fad1ae) C:\windows\System32\wwansvc.dll
23:55:32.0451 31968	WwanSvc - ok
23:55:32.0505 31968	MBR (0x1B8)     (b5d3b89509933463264ff7748b075c37) \Device\Harddisk0\DR0
23:55:32.0545 31968	\Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
23:55:32.0545 31968	\Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
23:55:32.0584 31968	\Device\Harddisk0\DR0 ( TDSS File System ) - warning
23:55:32.0584 31968	\Device\Harddisk0\DR0 - detected TDSS File System (1)
23:55:32.0618 31968	Boot (0x1200)   (a34c67791cd669792a9a2e3159c081f3) \Device\Harddisk0\DR0\Partition0
23:55:32.0620 31968	\Device\Harddisk0\DR0\Partition0 - ok
23:55:32.0621 31968	============================================================
23:55:32.0621 31968	Scan finished
23:55:32.0621 31968	============================================================
23:55:32.0640 42472	Detected object count: 2
23:55:32.0640 42472	Actual detected object count: 2
23:56:18.0084 42472	\Device\Harddisk0\DR0\# - copied to quarantine
23:56:18.0085 42472	\Device\Harddisk0\DR0 - copied to quarantine
23:56:18.0118 42472	\Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
23:56:18.0119 42472	\Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
23:56:18.0121 42472	\Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
23:56:18.0124 42472	\Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
23:56:18.0127 42472	\Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
23:56:18.0140 42472	\Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
23:56:18.0149 42472	\Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
23:56:18.0158 42472	\Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
23:56:18.0167 42472	\Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
23:56:18.0168 42472	\Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
23:56:18.0204 42472	\Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
23:56:18.0273 42472	\Device\Harddisk0\DR0 - ok
23:56:19.0043 42472	\Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure 
23:56:19.0069 42472	\Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
23:56:19.0071 42472	\Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
23:56:19.0099 42472	\Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
23:56:19.0102 42472	\Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
23:56:19.0104 42472	\Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
23:56:19.0120 42472	\Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
23:56:19.0129 42472	\Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
23:56

Combofix log

ComboFix 12-04-20.03 - Micro102 04/21/2012   0:53.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.5610.2645 [GMT -4:00]
Running from: c:\users\Micro102\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Micro102\AppData\Roaming\Mozilla\Firefox\Profiles\oxwyom0i.default\extensions\{a72dbc0b-4d5f-4e2c-8d24-3a9252ae689e}
c:\users\Micro102\AppData\Roaming\Mozilla\Firefox\Profiles\oxwyom0i.default\extensions\{a72dbc0b-4d5f-4e2c-8d24-3a9252ae689e}\chrome.manifest
c:\users\Micro102\AppData\Roaming\Mozilla\Firefox\Profiles\oxwyom0i.default\extensions\{a72dbc0b-4d5f-4e2c-8d24-3a9252ae689e}\chrome\xulcache.jar
c:\users\Micro102\AppData\Roaming\Mozilla\Firefox\Profiles\oxwyom0i.default\extensions\{a72dbc0b-4d5f-4e2c-8d24-3a9252ae689e}\defaults\preferences\xulcache.js
c:\users\Micro102\AppData\Roaming\Mozilla\Firefox\Profiles\oxwyom0i.default\extensions\{a72dbc0b-4d5f-4e2c-8d24-3a9252ae689e}\install.rdf
.
.
(((((((((((((((((((((((((   Files Created from 2012-03-21 to 2012-04-21  )))))))))))))))))))))))))))))))
.
.
2012-04-21 05:03 . 2012-04-21 05:03	--------	d-----w-	c:\users\Default\AppData\Local\temp
2012-04-21 03:56 . 2012-04-21 03:56	--------	d-----w-	C:\TDSSKiller_Quarantine
2012-04-20 19:46 . 2012-04-13 08:46	8917360	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{A9222369-94A0-4C3B-9711-E16D9C697983}\mpengine.dll
2012-04-16 22:07 . 2012-04-16 22:07	--------	d-----w-	c:\users\Micro102\AppData\Local\DOSBox
2012-04-16 22:06 . 2012-04-16 22:06	--------	d-----w-	c:\program files (x86)\DOSBox-0.74
2012-04-16 21:54 . 2012-04-16 23:28	--------	d-----w-	C:\CovertAction
2012-04-12 07:00 . 2012-03-01 06:46	23408	----a-w-	c:\windows\system32\drivers\fs_rec.sys
2012-04-12 07:00 . 2012-03-01 06:33	81408	----a-w-	c:\windows\system32\imagehlp.dll
2012-04-12 07:00 . 2012-03-01 05:33	159232	----a-w-	c:\windows\SysWow64\imagehlp.dll
2012-04-12 07:00 . 2012-03-01 06:38	220672	----a-w-	c:\windows\system32\wintrust.dll
2012-04-12 07:00 . 2012-03-01 06:28	5120	----a-w-	c:\windows\system32\wmi.dll
2012-04-12 07:00 . 2012-03-01 05:37	172544	----a-w-	c:\windows\SysWow64\wintrust.dll
2012-04-12 07:00 . 2012-03-01 05:29	5120	----a-w-	c:\windows\SysWow64\wmi.dll
2012-04-04 05:03 . 2012-04-04 05:11	--------	d-----w-	c:\program files (x86)\Cockatrice
2012-03-23 01:37 . 2012-03-23 01:37	--------	d-----w-	c:\program files (x86)\Common Files\Skype
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 19:56 . 2011-12-11 20:44	24904	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-03-10 01:51 . 2012-03-10 01:51	6656	----a-w-	c:\programdata\Microsoft\Windows\DRM\DF9E.tmp
2012-03-10 01:51 . 2012-03-10 01:51	6656	----a-w-	c:\programdata\Microsoft\Windows\DRM\DF9D.tmp
2012-03-08 09:38 . 2012-03-08 09:38	6656	----a-w-	c:\programdata\Microsoft\Windows\DRM\A778.tmp
2012-03-08 09:38 . 2012-03-08 09:38	6656	----a-w-	c:\programdata\Microsoft\Windows\DRM\A777.tmp
2012-02-23 14:18 . 2010-11-21 03:27	279656	------w-	c:\windows\system32\MpSigStub.exe
2012-02-17 06:38 . 2012-03-13 19:28	1031680	----a-w-	c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-13 19:28	826880	----a-w-	c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-13 19:28	210944	----a-w-	c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-13 19:28	23552	----a-w-	c:\windows\system32\drivers\tdtcp.sys
2012-02-12 09:23 . 2012-02-12 09:24	750488	----a-w-	c:\windows\system32\npdeployJava1.dll
2012-02-12 09:23 . 2012-02-12 09:24	660368	----a-w-	c:\windows\system32\deployJava1.dll
2012-02-10 06:36 . 2012-03-14 02:41	1544192	----a-w-	c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 02:41	1077248	----a-w-	c:\windows\SysWow64\DWrite.dll
2012-02-03 04:34 . 2012-03-14 02:41	3145728	----a-w-	c:\windows\system32\win32k.sys
2012-02-01 21:46 . 2012-02-01 21:46	249856	------w-	c:\windows\Setup1.exe
2012-02-01 21:46 . 2012-02-01 21:46	73216	----a-w-	c:\windows\ST6UNST.EXE
2012-01-25 06:38 . 2012-03-13 19:28	77312	----a-w-	c:\windows\system32\rdpwsx.dll
2012-01-25 06:38 . 2012-03-13 19:28	149504	----a-w-	c:\windows\system32\rdpcorekmts.dll
2012-01-25 06:33 . 2012-03-13 19:28	9216	----a-w-	c:\windows\system32\rdrmemptylst.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-25 39408]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-11-29 1242448]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-29 17151624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-20 336384]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-07-12 1298816]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2011-06-22 3218864]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages	REG_MULTI_SZ   	kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\BASHDefs\20111223.001\BHDrvx64.sys [2011-12-01 1157240]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1302000.00A\ccSetx64.sys [x]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1302000.00A\Ironx64.SYS [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-25 136176]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-25 136176]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TDEIO;TDEIO;c:\windows\SysWOW64\sysprep\BOOTPRIO\tdeio64.sys [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-07-12 57216]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-06-10 138152]
R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2011-07-01 828856]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1302000.00A\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1302000.00A\SYMEFA64.SYS [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\IPSDefs\20120107.001\IDSvia64.sys [2011-12-22 488568]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1302000.00A\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 GFNEXSrv;GFNEX Service;c:\windows\System32\GFNEXSrv.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe [2011-08-10 138760]
S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe [2012-03-08 135608]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2011-07-19 126392]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2011-05-24 294848]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-25 03:44]
.
2012-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-25 03:44]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-07-07 12558440]
"RtHDVBg_Dolby"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-06-03 2226280]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://start.toshiba.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 167.206.254.1 167.206.254.2
FF - ProfilePath - c:\users\Micro102\AppData\Roaming\Mozilla\Firefox\Profiles\oxwyom0i.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-TSleepSrv - %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
Toolbar-Locked - (no file)
HKLM-Run-(Default) - (no file)
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.2.0.10\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
.
**************************************************************************
.
Completion time: 2012-04-21  01:12:28 - machine was rebooted
ComboFix-quarantined-files.txt  2012-04-21 05:12
.
Pre-Run: 519,595,405,312 bytes free
Post-Run: 524,238,622,720 bytes free
.
- - End Of File - - ED730C66EBB794C4CB9F961B184A99ED
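
The TDSSKiller portion of the log above carries the two facts that matter for this machine: the MBR of \Device\Harddisk0\DR0 is reported as Rootkit.Boot.Pihar.b with a cure scheduled for reboot, and the entries under \Device\Harddisk0\DR0\TDLFS\ are components the rootkit kept in its own hidden file system (TDSSKiller labels it "TDSS File System"), which the tool copied to quarantine. Those lines are easy to miss among hundreds of "- ok" records. The script below is an added example, not code from this thread or from Kaspersky: it parses lines in the TDSSKiller format shown above, separates module hash records from verdicts and quarantine actions, lists the hidden-file-system components, and diffs the driver MD5s against a caller-supplied known-good baseline. The embedded log excerpt is constructed from lines of the log above; the baseline dictionary is an assumption for the demo, since a real one has to be taken from a clean install of the same Windows build.

```python
"""Triage helper for TDSSKiller logs (added example, not from the thread).
Separates module hash records, verdicts and quarantine actions, and compares
module hashes with a known-good baseline supplied by the caller."""
import re
from collections import namedtuple

Module = namedtuple("Module", "name md5 path")
Finding = namedtuple("Finding", "obj kind detail")

_PREFIX = r"^\d\d:\d\d:\d\d\.\d+ \d+\t"          # "23:55:25.0618 31968<TAB>"
# "<name> [(0xSIZE)] (<md5>) <path>": driver records and the MBR record
MODULE_RE = re.compile(_PREFIX + r"(\S+)(?: \(0x[0-9A-Fa-f]+\))?\s+\(([0-9a-f]{32})\) (.+)$")
# "<object> ( <name> ) - infected|warning|will be cured on reboot|User select action: X"
VERDICT_RE = re.compile(_PREFIX + r"(\S+) \( (.+?) \) - "
                        r"(infected|warning|will be cured on reboot|User select action: \S+)\s*$")
# "<object> - detected <name> (<n>)"
DETECTED_RE = re.compile(_PREFIX + r"(\S+) - detected (.+?) \(\d+\)$")
# "<object> - copied to quarantine"
QUARANTINE_RE = re.compile(_PREFIX + r"(\S+) - copied to quarantine$")


def parse_tdsskiller(text):
    """Return (modules, findings) for a TDSSKiller log; '- ok' lines are dropped."""
    modules, findings = [], []
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            modules.append(Module(*m.groups()))
            continue
        m = VERDICT_RE.match(line)
        if m:
            findings.append(Finding(m.group(1), m.group(3), m.group(2)))
            continue
        m = DETECTED_RE.match(line)
        if m:
            findings.append(Finding(m.group(1), "detected", m.group(2)))
            continue
        m = QUARANTINE_RE.match(line)
        if m:
            findings.append(Finding(m.group(1), "quarantined", ""))
    return modules, findings


def hidden_fs_components(findings):
    """Paths TDSSKiller quarantined out of the rootkit's hidden file system."""
    return sorted({f.obj for f in findings
                   if f.kind == "quarantined" and "\\TDLFS\\" in f.obj})


def check_baseline(modules, baseline):
    """(name, observed_md5, expected_md5) for each module whose hash differs
    from the baseline; modules absent from the baseline are not judged."""
    return [(m.name, m.md5, baseline[m.name]) for m in modules
            if m.name in baseline and m.md5 != baseline[m.name]]


def summarize(text):
    modules, findings = parse_tdsskiller(text)
    return {
        "modules": len(modules),
        "infected": [f.detail for f in findings if f.kind == "infected"],
        "warnings": [f.detail for f in findings if f.kind == "warning"],
        "quarantined": sum(1 for f in findings if f.kind == "quarantined"),
        "hidden_fs_components": hidden_fs_components(findings),
        "cure_pending": any(f.kind == "will be cured on reboot" for f in findings),
    }


# Constructed excerpt built from lines of the log in the thread (tab after the PID as in the real log).
SAMPLE_LOG = "\n".join([
    "23:55:25.0618 31968\tVgaSave         (53e92a310193cb3c03bea963de7d9cfc) C:\\windows\\System32\\drivers\\vga.sys",
    "23:55:25.0620 31968\tVgaSave - ok",
    "23:55:26.0688 31968\tvolsnap         (df8126bd41180351a093a3ad2fc8903b) C:\\windows\\system32\\drivers\\volsnap.sys",
    "23:55:26.0694 31968\tvolsnap - ok",
    "23:55:32.0505 31968\tMBR (0x1B8)     (b5d3b89509933463264ff7748b075c37) \\Device\\Harddisk0\\DR0",
    "23:55:32.0545 31968\t\\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.b ) - infected",
    "23:55:32.0545 31968\t\\Device\\Harddisk0\\DR0 - detected Rootkit.Boot.Pihar.b (0)",
    "23:55:32.0584 31968\t\\Device\\Harddisk0\\DR0 ( TDSS File System ) - warning",
    "23:55:32.0621 31968\tScan finished",
    "23:56:18.0084 42472\t\\Device\\Harddisk0\\DR0\\# - copied to quarantine",
    "23:56:18.0118 42472\t\\Device\\Harddisk0\\DR0\\TDLFS\\phdata - copied to quarantine",
    "23:56:18.0158 42472\t\\Device\\Harddisk0\\DR0\\TDLFS\\ph.dll - copied to quarantine",
    "23:56:18.0204 42472\t\\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot",
    "23:56:19.0043 42472\t\\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure ",
    "23:56:19.0069 42472\t\\Device\\Harddisk0\\DR0\\TDLFS\\phdata - copied to quarantine",
])

# Assumed baseline for the demo only; a real one comes from a clean install of the same build.
DEMO_BASELINE = {"VgaSave": "53e92a310193cb3c03bea963de7d9cfc", "volsnap": "0" * 32}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(check_baseline(parse_tdsskiller(SAMPLE_LOG)[0], DEMO_BASELINE))
```

Run against the full log, the summary shows immediately whether a cure is still pending a reboot and which hidden-file-system components were pulled, and the baseline diff turns the long list of driver hashes into a short list of modules that differ from a clean machine, which is where a patched system driver would show up.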


#6 CatByte (Malware Response Team)

Posted 21 April 2012 - 06:33 AM

Hi,

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


NEXT


Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 micro102 (Topic Starter)

Posted 21 April 2012 - 09:47 PM

The things the malware causes are many and random. I cannot say that anything has happened until it shows itself. I will post again if it does.



Malwarebytes file

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.21.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Micro102 :: MICRO102-PC [administrator]

Protection: Enabled

4/21/2012 7:59:11 AM
mbam-log-2012-04-21 (07-59-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201808
Time elapsed: 2 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


ESETSCAN file: posted as a forum attachment (contents not reproduced here)



#8 CatByte (Malware Response Team)

Posted 21 April 2012 - 09:55 PM

Hi

Please do the following:

  • Go to Start->Run and type in notepad and hit OK.
  • Then copy and paste the content of the following codebox into Notepad:

    @echo off
    rem Start with a fresh results file so old output is not mixed in
    if exist results.txt del results.txt
    rem Clear read-only/hidden/system attributes, then force-delete each path.
    rem Both stdout and stderr of del go to results.txt, so "Could Not Find"
    rem and "Access is denied." messages are captured for posting.
    FOR %%H IN (
    "C:\ProgramData\Microsoft\Windows\DRM\A777.tmp"
    "C:\ProgramData\Microsoft\Windows\DRM\A778.tmp"
    "C:\ProgramData\Microsoft\Windows\DRM\DF9D.tmp"
    "C:\ProgramData\Microsoft\Windows\DRM\DF9E.tmp"
    "C:\Users\All Users\Microsoft\Windows\DRM\A777.tmp"
    "C:\Users\All Users\Microsoft\Windows\DRM\A778.tmp"
    "C:\Users\All Users\Microsoft\Windows\DRM\DF9D.tmp"
    "C:\Users\All Users\Microsoft\Windows\DRM\DF9E.tmp"
    "C:\Windows\System32\srrstr.dll"
    "C:\Windows\SysWOW64\srrstr.dll"
    ) DO (
    attrib -r -h -s %%H
    del /q /f %%H >> results.txt 2>&1
    )
    start notepad results.txt
    rem The batch file deletes itself. This must stay the last line: cmd reads
    rem a batch file as it runs, so nothing placed after it would execute.
    del %0
    
    
  • Save the file to your DESKTOP as "fix.bat". Make sure to save it with the quotes.
  • Double click fix.bat to run it. A small black box should open and close - this is normal.
  • Please post the content of results.txt


NEXT


Your Java is out of date.
Java™ 6 Update 25 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


let me know how that went and if there are any other issues



#9 micro102 (Topic Starter)

Posted 22 April 2012 - 08:27 AM

Here you go, I assume this is bad :(

Could Not Find C:\Users\All Users\Microsoft\Windows\DRM\A777.tmp
Could Not Find C:\Users\All Users\Microsoft\Windows\DRM\A778.tmp
Could Not Find C:\Users\All Users\Microsoft\Windows\DRM\DF9D.tmp
Could Not Find C:\Users\All Users\Microsoft\Windows\DRM\DF9E.tmp
C:\Windows\System32\srrstr.dll
Access is denied.
C:\Windows\SysWOW64\srrstr.dll
Access is denied.


Also, I have no update option. Or at least it is so hidden that I can't find it.

Edited by micro102, 22 April 2012 - 08:28 AM.


#10 CatByte (Malware Response Team)

Posted 22 April 2012 - 08:34 AM

I expected that the temp files were already gone, I just wanted to be certain, but the other files with the access denied need some attention.


Are you able to navigate to those files to verify that they actually exist?

It appears the permissions are locked down on them, so we can change that.

Please run the following:

(note: the following tool has to be saved to the c:\windows folder)

  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\WINDOWS).
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste or attach the content of it in your next reply



#11 micro102

micro102
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:05:04 PM

Posted 22 April 2012 - 06:22 PM

The Junction link isn't working, I'm getting this.

This XML file does not appear to have any style information associated with it. The document tree is shown below.
      <Error><Code>OutOfRangeInput</Code><Message>One of the request inputs is out of range.
RequestId:3dc7fc54-b848-4bfd-8325-5ff8ce487de9
Time:2012-04-22T23:21:29.6203577Z</Message></Error>

Also, those restricted files do exist. I can navigate to them.

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:04 PM

Posted 22 April 2012 - 06:28 PM

Hi

sorry about that, the link has recently been updated, you can find Junction here

http://technet.microsoft.com/en-us/sysinternals/bb896768



#13 micro102

micro102
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:05:04 PM

Posted 22 April 2012 - 07:23 PM

Hrm, I used the command posted, but nothing happened. Then I tried to run the junction.exe from my windows folder, a black window with some text on it opened up for a split second. But no logs appeared on my desktop or in the windows folder.

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:04 PM

Posted 22 April 2012 - 08:04 PM

I'm not sure why that's not working for you, but let's try it from an elevated command prompt

type cmd into the search box > when it populates in the window above the search box > right click it and choose to "run as an administrator"

when the command window opens, make sure it is at the c:\windows command prompt, if not type

cd c:\windows

now type

junction -s c:\>log.txt

at the command prompt

log.txt should now be in your c:\windows folder


if it still won't work, then run the following:

Please run the following:
  • please download GrantPerms.zip and save it to your desktop.
  • Unzip the file and run GrantPerms.exe
  • Copy and paste the following in the edit box:


C:\Windows\System32\srrstr.dll
C:\Windows\SysWOW64\srrstr.dll



  • Now Click Unlock.
  • When it is done click "OK".
  • Now click List Permissions and post the result (Perms.txt) that pops up.
  • A copy of Perms.txt will be saved in the same directory the tool is run.

Once you have permission back to access those files, then please upload them for analysis, I want to be sure they are infected:



submit a file to virustotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right hand panel,
  • click on the file C:\Windows\System32\srrstr.dll
  • then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.

Do the same for the other file

C:\Windows\SysWOW64\srrstr.dll



#15 micro102

micro102
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:05:04 PM

Posted 22 April 2012 - 08:54 PM

Well, it worked and I got the log. Do you still want me to do the other stuff?

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION
   Print Name     : C:\Users
   Substitute Name: C:\Users


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
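
The log above is what junction.exe writes when run as described in the previous post. As an added example, not part of this thread or of the Sysinternals tool, the following Python script parses that log format so a longer scan can be reviewed without reading it line by line: it pulls out every reparse point with its source and target, keeps the "Failed to open" lines separately, and flags any reparse point that sits under a system directory but points somewhere else. The sample log is constructed (the first entry copies the one posted above; the "example-redirect" entry is invented purely to exercise the check), and the function names, the SYSTEM_ROOTS list and the flagging heuristic are my own assumptions, not anything the thread or the tool defines.

```python
"""Parse the log written by Sysinternals junction.exe (junction -s c:\ >log.txt)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the format junction.exe prints. The first entry is the
# one posted in the thread; the last entry is invented to exercise the check.
SAMPLE_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION
   Print Name     : C:\Users
   Substitute Name: C:\Users


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

\\?\c:\\Windows\\System32\\example-redirect: JUNCTION
   Print Name     : C:\Users\Public\example-target
   Substitute Name: C:\Users\Public\example-target
"""

# "\\?\<path>: <TYPE>" opens each reparse point entry.
HEADER = re.compile(r"^\\\\\?\\(?P<path>.+?): (?P<kind>[A-Z ]+)\s*$")
# The two indented name lines that follow a header.
NAME = re.compile(r"^\s*(?P<label>Print Name|Substitute Name)\s*:\s*(?P<value>.*?)\s*$")
# Files the tool could not open (locked system files are normal here).
FAILED = re.compile(r"^Failed to open \\\\\?\\(?P<path>.+?): (?P<reason>.+?)\s*$")


def _clean(path: str) -> str:
    # junction.exe doubles the backslash after the drive letter; collapse it.
    return re.sub(r"\\{2,}", r"\\", path)


@dataclass
class ReparsePoint:
    source: str            # where the reparse point lives
    kind: str              # e.g. JUNCTION
    print_name: str = ""
    target: str = ""       # Substitute Name: where it actually points


@dataclass
class OpenFailure:
    path: str
    reason: str


@dataclass
class JunctionReport:
    entries: List[ReparsePoint] = field(default_factory=list)
    failures: List[OpenFailure] = field(default_factory=list)


def parse_junction_log(text: str) -> JunctionReport:
    report = JunctionReport()
    current = None
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            report.failures.append(OpenFailure(_clean(m["path"]), m["reason"]))
            current = None
            continue
        m = HEADER.match(line)
        if m:
            current = ReparsePoint(_clean(m["path"]), m["kind"].strip())
            report.entries.append(current)
            continue
        m = NAME.match(line)
        if m and current is not None:
            if m["label"] == "Print Name":
                current.print_name = m["value"]
            else:
                current.target = m["value"]
    return report


# Assumed list of directories that should only redirect among themselves.
SYSTEM_ROOTS = (r"c:\windows", r"c:\program files")


def suspicious_entries(report: JunctionReport) -> List[ReparsePoint]:
    """Heuristic (mine, not from the thread): a reparse point located under a
    system directory whose target lies outside every system directory."""
    flagged = []
    for entry in report.entries:
        src, dst = entry.source.lower(), entry.target.lower()
        if src.startswith(SYSTEM_ROOTS) and not dst.startswith(SYSTEM_ROOTS):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    rep = parse_junction_log(SAMPLE_LOG)
    for e in rep.entries:
        print(f"{e.kind:10} {e.source} -> {e.target}")
    for f in rep.failures:
        print(f"could not open {f.path}: {f.reason}")
    for e in suspicious_entries(rep):
        print(f"REVIEW: {e.source} redirects outside system roots to {e.target}")
```

Run it against a real log with `parse_junction_log(open(r"C:\Windows\log.txt").read())`; the "Documents and Settings" junction to C:\Users is the normal Vista/7 compatibility link and is not flagged, while the invented entry is.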






