# No Internet After Virus Removal



## MrMurdstone (Mar 7, 2012)

Recently I deleted a lot of malware using Avast. One of the infected files was netbt.sys; I think it has something to do with that. After I restarted my computer, I stopped getting the internet even though it still detects networks. Some research has brought me to the conclusion that my computer is all sorts of messed up. I have been searching for a solution for quite a while now but I can't figure it out. Any help would be truly appreciated.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:04:33 AM, on 3/7/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Kyle Clark\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Gateway\traybar.exe"
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe -update activex (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe -update activex (User 'Default user')
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ccfaa5a9\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
--
End of file - 4060 bytes

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Kyle Clark at 0:07:15 on 2012-03-07
Microsoft® Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.3070.2190 [GMT -8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ccfaa5a9\STacSV.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for gateway\traybar.exe"
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11e_ActiveX.exe -update activex
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D6AAFE6F-191A-4DC9-B649-6FF0F99CCA9B} : DhcpNameServer = 192.168.1.1
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kyle clark\appdata\roaming\mozilla\firefox\profiles\ohhvwtv6.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\users\kyle clark\appdata\roaming\mozilla\firefox\profiles\ohhvwtv6.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCore.dll
FF - component: c:\users\kyle clark\appdata\roaming\mozilla\firefox\profiles\ohhvwtv6.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
.
============= SERVICES / DRIVERS ===============
.
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [2009-2-5 212520]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2006-10-11 21504]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-12-9 2253120]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S2 avg7updsvc;Xfilt;c:\windows\system32\svchost.exe -k netsvcs [2006-10-11 21504]
S2 mcafeeframework;HssSrv;c:\windows\system32\svchost.exe -k netsvcs [2006-10-11 21504]
S2 mksvirmonsvc;Contentfilter;c:\windows\system32\svchost.exe -k netsvcs [2006-10-11 21504]
S2 pavreport;Livesrv;c:\windows\system32\svchost.exe -k netsvcs [2006-10-11 21504]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-10-28 121192]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-5-13 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-5-13 136808]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2012-03-02 00:54:06 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-02 00:53:37 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-02 00:52:45 72192 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-03-01 07:39:40 -------- d-----w- c:\programdata\AVAST Software
2012-03-01 07:39:40 -------- d-----w- c:\program files\AVAST Software
2012-02-26 01:02:36 -------- d-----w- c:\users\kyle clark\appdata\roaming\AVG2012
2012-02-25 21:06:07 -------- d-----w- c:\programdata\AVG2012
2012-02-16 22:14:11 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 22:14:10 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-09 21:49:19 -------- d-----w- c:\program files\VideoLAN
.
==================== Find3M ====================
.
2012-03-01 08:02:56 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2011-12-27 02:02:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-14 09:14:59 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-12-14 09:13:28 4096 ----a-w- c:\windows\system32\drivers\en-us\dxgkrnl.sys.mui
2011-12-14 09:13:26 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2011-12-14 09:13:25 252928 ----a-w- c:\windows\system32\dxdiag.exe
2011-12-14 09:13:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2011-12-14 09:13:24 519680 ----a-w- c:\windows\system32\d3d11.dll
2011-12-14 09:13:24 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-12-14 09:13:23 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-12-14 09:13:22 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2011-12-14 03:04:54 1798656 ----a-w- c:\windows\system32\jscript9.dll
2011-12-14 02:57:18 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-12-14 02:56:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-14 02:50:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 0:07:49.12 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-07 02:14:42
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 Hitachi_HTS543232L9A300 rev.FB4OC40C
Running: dddut5er.exe; Driver: C:\Users\KYLECL~1\AppData\Local\Temp\pwldruoc.sys

---- Kernel code sections - GMER 1.0.15 ----
.text afd.sys  8F757000 78 Bytes [90, 90, 90, 90, 90, FF, 15, ...]
.text afd.sys 8F75704F 161 Bytes [80, 76, 8F, 89, 45, F8, A1, ...]
.text afd.sys 8F7570F1 60 Bytes [77, 08, 8D, 4E, 1C, 8D, 55, ...]
.text afd.sys 8F75712E 113 Bytes [00, 00, 8D, 55, E4, 8D, 4E, ...]
.text afd.sys 8F7571A0 43 Bytes [F0, 0F, C1, 08, 75, 06, 57, ...]
.text ... 
? C:\Windows\system32\drivers\afd.sys suspicious PE modification
? C:\Users\KYLECL~1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
? C:\Windows\system32\svchost.exe[940] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; 
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001e4cd67ba6 (not active ControlSet) 
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001e4cd67ba6 (not active ControlSet) 
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4cd67ba6 
---- Files - GMER 1.0.15 ----
File C:\Windows\$NtUninstallKB64787$\1434888341 0 bytes
File C:\Windows\$NtUninstallKB64787$\1434888341\@ 2048 bytes
File C:\Windows\$NtUninstallKB64787$\1434888341\cfg.ini 367 bytes
File C:\Windows\$NtUninstallKB64787$\1434888341\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB64787$\1434888341\L 0 bytes
File C:\Windows\$NtUninstallKB64787$\1434888341\L\qnbwvoto 273408 bytes
File C:\Windows\$NtUninstallKB64787$\1434888341\U 0 bytes
File C:\Windows\$NtUninstallKB64787$\2330094071 0 bytes
---- EOF - GMER 1.0.15 ----


----------



## kevinf80 (Mar 21, 2006)

Your system is still infected with the ZeroAccess rootkit; see if you can get Combofix to run. As you have no Internet connection you will have to download it on another PC and transfer it to the infected PC's Desktop.

Download Combofix from either of the following links:

*Link 1*
*Link 2*


Ensure that Combofix is saved directly to the Desktop *<--- Very important*

Before saving Combofix to the Desktop, re-name it to Gotcha.exe as below:

Transfer it to a USB stick or CD, transfer it to the DESKTOP of the infected system.

Disable all security programs as they will have a negative effect on Combofix; instructions are available *Here* if required. Be aware the list may not have all programs listed; if you need more help please ask.

Close any open browsers and any other programs you might have running.

Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator").

Instructions for running Combofix are available *Here* if required.

If you are using Windows XP it might display a pop-up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed, Combofix will then offer to scan for malware. Select continue or yes.

When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.

*Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze.*

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read *Here* why disabling autoruns is recommended.

*EXTRA NOTES*

If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in next reply please...

Kevin


----------



## MrMurdstone (Mar 7, 2012)

Thank you very much for the reply, Kevin.

I've been running Combofix for a little more than an hour and the window says:

"Scanning for infected files...
This typically doesn't take more than 10 minutes
However, scan time for badly infected machines may easily double"

Is it normal for it to take this long?


----------



## kevinf80 (Mar 21, 2006)

It may take well in excess of an hour; you definitely have a rootkit infection, and this will be very difficult to deal with. Leave CF running another hour and see how it goes.


----------



## MrMurdstone (Mar 7, 2012)

So I let Combofix run overnight because it was taking a very long time, and when I returned, my computer was off. I turned it back on and now it doesn't even detect networks. There is no Combofix.txt in C:, but now there's a file in there called Qoobox, BOOTSECT.BAK, and something called Gotcha which when I click on it sends me back to Computer except it says Computer/C:/Gotcha instead of just Computer. There are also various new files in the Windows folders which I have no idea what they are.

So I'm not sure what exactly it did. Where do I go from here?

I thank you for the continued assistance and am willing to do whatever it takes to get this worked out. 

Would running it again be a mistake?


----------



## kevinf80 (Mar 21, 2006)

It is not unusual for the ZeroAccess rootkit to wipe out your internet connection; it is a nasty infection and very difficult to deal with.
Can you open the folder named "Qoobox"? Inside, is there a file named *ComboFix-quarantined-files.txt*? If so, let me see that file.

Next,

Re-run DDS and post the DDS.txt log.

Next,

Please download *Farbar Service Scanner* and run it on the computer with the issue.

*Make sure the following options are checked:*


*Internet Services*
Press "*Scan*".
It will create a log (FSS.txt) in the same directory the tool is run from.
Please copy and paste the log into your reply.

Post those logs in your reply...

Kevin


----------



## MrMurdstone (Mar 7, 2012)

Inside Qoobox there is a file named "Quarantine" and inside of that there are two files: "C" and "RegistryBackups", both of which are empty. There is also a .txt named catchme, but all it says is this:

-------- 2012-03-07 - 20:06:49 -------------

-------- 2012-03-07 - 21:36:03 -------------

Here is the DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Kyle Clark at 12:26:00 on 2012-03-10
Microsoft® Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.3070.2302 [GMT -8:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ccfaa5a9\STacSV.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for gateway\traybar.exe"
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11e_ActiveX.exe -update activex
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D6AAFE6F-191A-4DC9-B649-6FF0F99CCA9B} : DhcpNameServer = 192.168.1.1
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kyle clark\appdata\roaming\mozilla\firefox\profiles\ohhvwtv6.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\users\kyle clark\appdata\roaming\mozilla\firefox\profiles\ohhvwtv6.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCore.dll
FF - component: c:\users\kyle clark\appdata\roaming\mozilla\firefox\profiles\ohhvwtv6.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
.
============= SERVICES / DRIVERS ===============
.
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [2009-2-5 212520]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2006-10-11 21504]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-12-9 2253120]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S2 avg7updsvc;Xfilt;c:\windows\system32\svchost.exe -k netsvcs [2006-10-11 21504]
S2 mcafeeframework;HssSrv;c:\windows\system32\svchost.exe -k netsvcs [2006-10-11 21504]
S2 mksvirmonsvc;Contentfilter;c:\windows\system32\svchost.exe -k netsvcs [2006-10-11 21504]
S2 pavreport;Livesrv;c:\windows\system32\svchost.exe -k netsvcs [2006-10-11 21504]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-10-28 121192]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-5-13 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-5-13 136808]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2012-03-08 05:36:01 -------- d-s---w- C:\Gotcha
2012-03-08 04:06:54 98816 ----a-w- c:\windows\sed.exe
2012-03-08 04:06:54 518144 ----a-w- c:\windows\SWREG.exe
2012-03-08 04:06:54 256000 ----a-w- c:\windows\PEV.exe
2012-03-08 04:06:54 208896 ----a-w- c:\windows\MBR.exe
2012-03-02 00:54:06 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-02 00:53:37 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-02 00:52:45 72192 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-03-01 07:39:40 -------- d-----w- c:\programdata\AVAST Software
2012-03-01 07:39:40 -------- d-----w- c:\program files\AVAST Software
2012-02-26 01:02:36 -------- d-----w- c:\users\kyle clark\appdata\roaming\AVG2012
2012-02-25 21:06:07 -------- d-----w- c:\programdata\AVG2012
2012-02-16 22:14:11 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 22:14:10 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-09 21:49:19 -------- d-----w- c:\program files\VideoLAN
.
==================== Find3M ====================
.
2012-03-01 08:02:56 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2011-12-27 02:02:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-14 09:14:59 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-12-14 09:13:28 4096 ----a-w- c:\windows\system32\drivers\en-us\dxgkrnl.sys.mui
2011-12-14 09:13:26 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2011-12-14 09:13:25 252928 ----a-w- c:\windows\system32\dxdiag.exe
2011-12-14 09:13:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2011-12-14 09:13:24 519680 ----a-w- c:\windows\system32\d3d11.dll
2011-12-14 09:13:24 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-12-14 09:13:23 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-12-14 09:13:22 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2011-12-14 03:04:54 1798656 ----a-w- c:\windows\system32\jscript9.dll
2011-12-14 02:57:18 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-12-14 02:56:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-14 02:50:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 12:26:32.81 ===============

And here is the FSS:

Farbar Service Scanner Version: 01-03-2012
Ran by Kyle Clark (administrator) on 10-03-2012 at 12:40:48
Running from "C:\Users\Kyle Clark\Desktop"
Microsoft® Windows Vista Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys
[2012-03-01 16:52] - [2012-03-01 19:06] - 0072192 ____A () 18FB3398D36C039C1792FBB98B40B14E
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****


----------



## kevinf80 (Mar 21, 2006)

You still have the ZA rootkit on your system; obviously Combofix did not run to any effect.

Do the following please:

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
:filefind
tdx.sys
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*

Kevin


----------



## MrMurdstone (Mar 7, 2012)

SystemLook 30.07.11 by jpshortstuff
Log created at 03:08 on 11/03/2012 by Kyle Clark
Administrator - Elevation successful
========== filefind ==========
Searching for "tdx.sys"
C:\Windows\System32\drivers\tdx.sys --a---- 72192 bytes [00:52 02/03/2012] [03:06 02/03/2012] 18FB3398D36C039C1792FBB98B40B14E
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6000.16386_none_e807064fdf2a97e3\tdx.sys --a---- 68096 bytes [08:57 02/11/2006] [08:57 02/11/2006] AB4FDE8AF4A0270A46A001C08CBCE1C2
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --a---- 71680 bytes [09:21 11/10/2006] [04:56 19/01/2008] D09276B1FAB033CE1D40DCBDF303D10F
-= EOF =-
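The check Kevin makes by eye across the last two logs (FSS listing tdx.sys as the one driver it could not tag "MD5 is legit", then SystemLook showing the live copy beside the two WinSxS copies with different sizes and hashes) written down as a small parser. This is an added example, not code from the thread or from either tool; the log text embedded in it is copied from the posts above, and the function and class names are the example's own.

```python
"""Added example (not from the thread, nor from FSS or SystemLook): parse the FSS
"File Check" block and the SystemLook ":filefind" output posted above and redo
the helper's comparison in code. Sample log text below is copied from the thread.
"""
from __future__ import annotations
import ntpath
import re
from dataclasses import dataclass

# Sample input: FSS prints "=> MD5 is legit" for a file on its known-good list
# and otherwise dumps timestamps, size, attributes and MD5 on the next line.
FSS_FILE_CHECK = r"""
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys
[2012-03-01 16:52] - [2012-03-01 19:06] - 0072192 ____A () 18FB3398D36C039C1792FBB98B40B14E
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
"""
# Sample input: the SystemLook ":filefind tdx.sys" result from the thread.
SYSTEMLOOK_FILEFIND = r"""
Searching for "tdx.sys"
C:\Windows\System32\drivers\tdx.sys --a---- 72192 bytes [00:52 02/03/2012] [03:06 02/03/2012] 18FB3398D36C039C1792FBB98B40B14E
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6000.16386_none_e807064fdf2a97e3\tdx.sys --a---- 68096 bytes [08:57 02/11/2006] [08:57 02/11/2006] AB4FDE8AF4A0270A46A001C08CBCE1C2
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --a---- 71680 bytes [09:21 11/10/2006] [04:56 19/01/2008] D09276B1FAB033CE1D40DCBDF303D10F
-= EOF =-
"""

DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
MD5_RE = re.compile(r"\b([0-9A-Fa-f]{32})\b")
# One SystemLook result line: path, 7-char attribute field, size, two
# bracketed timestamps (created, modified) and the MD5.
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+[-A-Za-z]{7}\s+(?P<size>\d+) bytes\s+"
    r"\[[^\]]+\]\s+\[[^\]]+\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def fss_unverified_files(log: str) -> dict[str, str | None]:
    """Paths FSS did not tag 'MD5 is legit', mapped to the MD5 on the detail line."""
    lines = [ln.strip() for ln in log.splitlines()]
    unverified: dict[str, str | None] = {}
    for i, line in enumerate(lines):
        if not DRIVE_PATH_RE.match(line) or "MD5 is legit" in line:
            continue
        detail = lines[i + 1] if i + 1 < len(lines) else ""
        m = MD5_RE.search(detail)
        unverified[line] = m.group(1).upper() if m else None
    return unverified


@dataclass(frozen=True)
class FoundFile:
    path: str
    size: int
    md5: str

    @property
    def in_component_store(self) -> bool:
        # WinSxS holds the copies Windows installed; System32\drivers is what loads.
        return "\\winsxs\\" in self.path.lower()


def parse_filefind(log: str) -> list[FoundFile]:
    """Parse the per-file result lines of a SystemLook :filefind section."""
    found = []
    for line in log.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            found.append(FoundFile(m["path"], int(m["size"]), m["md5"].upper()))
    return found


def assess_live_copies(found: list[FoundFile]) -> dict[str, dict]:
    """Per live copy: does its MD5 match any WinSxS copy of the same file name?

    A mismatch is a lead, not proof: a legitimately hotfixed driver also differs
    from the store copies, which is why FSS keeps its own known-good list.
    """
    by_name: dict[str, list[FoundFile]] = {}
    for f in found:
        by_name.setdefault(ntpath.basename(f.path).lower(), []).append(f)
    report: dict[str, dict] = {}
    for copies in by_name.values():
        store = [c for c in copies if c.in_component_store]
        for live in (c for c in copies if not c.in_component_store):
            if not store:
                verdict = "no-reference"
            elif any(c.md5 == live.md5 for c in store):
                verdict = "match"
            else:
                verdict = "mismatch"
            report[live.path] = {"verdict": verdict, "md5": live.md5, "size": live.size,
                                 "store_copies": [(c.path, c.size, c.md5) for c in store]}
    return report


def triage(fss_log: str, systemlook_log: str) -> list[tuple[str, str, bool]]:
    """Join both logs: files FSS could not verify whose live MD5 matches no WinSxS
    copy. The bool records whether the two tools report the same MD5."""
    flagged = {p.lower(): h for p, h in fss_unverified_files(fss_log).items()}
    report = assess_live_copies(parse_filefind(systemlook_log))
    hits = []
    for path, info in report.items():
        fss_md5 = flagged.get(path.lower())
        if fss_md5 is not None and info["verdict"] == "mismatch":
            hits.append((path, info["md5"], fss_md5 == info["md5"]))
    return hits
```

Calling `triage(FSS_FILE_CHECK, SYSTEMLOOK_FILEFIND)` returns the single path both tools point at, the live MD5, and `True` because FSS and SystemLook hashed the same bytes.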


----------



## kevinf80 (Mar 21, 2006)

You'll have to download the following and transfer it to the infected PC's desktop:

Please download *OTM by OldTimer*.
*Alternative Mirror 1*
*Alternative Mirror 2* 
Save it to your desktop. 
Double click *OTM.exe* to start the tool. Vista or Windows 7 users right click and select Run as Administrator. Be aware all processes will be stopped during the run, also the Desktop will disappear, this will be put back on completion....

*Copy* the text from the code box below to the clipboard by highlighting *ALL* of it and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):


```
:Files
C:\Windows\System32\drivers\tdx.sys | C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6000.16386_none_e807064fdf2a97e3\tdx.sys /replace
ipconfig /flushdns /c
netsh winsock reset /c
```

Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.
Click the red button.
*Copy* everything in the Results window (under the green bar) to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

If the machine reboots, the Results log can be found here:

*c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log*

Where mmddyyyy_hhmmss is the date of the tool run.

Re-run Farbar Service Scanner as before and post the log...


----------



## MrMurdstone (Mar 7, 2012)

OTM:

========== FILES ==========
File C:\Windows\System32\drivers\tdx.sys successfully replaced with C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6000.16386_none_e807064fdf2a97e3\tdx.sys
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Kyle Clark\Desktop\cmd.bat deleted successfully.
C:\Users\Kyle Clark\Desktop\cmd.txt deleted successfully.
< netsh winsock reset /c >
The following helper DLL cannot be loaded: WSHELPER.DLL.
The following helper DLL cannot be loaded: IFMON.DLL.
The following command was not found: winsock reset.
C:\Users\Kyle Clark\Desktop\cmd.bat deleted successfully.
C:\Users\Kyle Clark\Desktop\cmd.txt deleted successfully.

OTM by OldTimer - Version 3.1.19.0 log created on 03112012_154259

FSS:

Farbar Service Scanner Version: 01-03-2012
Ran by Kyle Clark (administrator) on 11-03-2012 at 15:44:01
Running from "C:\Users\Kyle Clark\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****


----------



## kevinf80 (Mar 21, 2006)

Can you connect to the network now? if so delete Combofix from the desktop, download a fresh copy of Combofix from either of the following:

*Link 1*
*Link 2*

Save to the Desktop then run as before, post the log in next reply.....


----------



## MrMurdstone (Mar 7, 2012)

I can connect to the network now!

I ran Combofix again and it took almost 24 hours again. When I turned my computer back on it said that the Recycle Bin was corrupted and asked if I wanted to empty it (just like last time, I did). Also, it deleted a few programs like Paint, iTunes, System Restore, System Information, and Backup and Restore Center; these are just the ones that I noticed.

There is no Combofix log. All of the files in Qoobox are the same. In C://Windows there is a .txt named PFRO that was modified around the time that the scan would have completed. 

I don't know if it means anything, but this is what it says:

1/25/2012 23:29:41 - PFRO Error: \??\C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe, |delete operation|, 0xc0000034
1/25/2012 23:29:41 - PFRO Error: \??\C:\Program Files\Malwarebytes' Anti-Malware\mbamnet.dll, |delete operation|, 0xc0000034
1/25/2012 23:29:41 - PFRO Error: \??\C:\Program Files\Malwarebytes' Anti-Malware\mbamcore.dll, |delete operation|, 0xc0000034
1/25/2012 23:29:41 - PFRO Error: \??\C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll, |delete operation|, 0xc0000034
1/25/2012 23:29:41 - PFRO Error: \??\C:\Program Files\Malwarebytes' Anti-Malware, |delete operation|, 0xc0000101
1/25/2012 23:29:41 - 5 Successful PFRO operations

1/26/2012 0:1:2 - PFRO Error: \??\C:\Program Files\AVG\AVG2012\, |delete operation|, 0xc0000101
1/26/2012 0:1:2 - PFRO Error: \??\C:\Program Files\AVG\, |delete operation|, 0xc0000101
1/26/2012 0:1:4 - 27 Successful PFRO operations

2/29/2012 14:36:8 - PFRO Error: \??\C:\ProgramData\AVG2012\IDS\, |delete operation|, 0xc0000101
2/29/2012 14:36:8 - PFRO Error: \??\C:\ProgramData\AVG2012\, |delete operation|, 0xc0000101
2/29/2012 14:36:8 - PFRO Error: \??\C:\Program Files\AVG\AVG2012\, |delete operation|, 0xc0000101
2/29/2012 14:36:8 - PFRO Error: \??\C:\Program Files\AVG\, |delete operation|, 0xc0000101
2/29/2012 14:36:8 - 21 Successful PFRO operations

3/1/2012 0:2:38 - PFRO Error: \??\C:\Program Files\Google\Chrome, |delete operation|, 0xc0000101
3/1/2012 0:2:38 - 0 Successful PFRO operations

3/4/2012 16:44:37 - PFRO Error: \??\C:\PROGRA~1\AVASTS~1\Avast\Setup\AVAST~1.SET, |delete operation|, 0xc0000034
3/4/2012 16:44:37 - PFRO Error: \??\C:\PROGRA~1\AVASTS~1\Avast\Setup, |delete operation|, 0xc0000101
3/4/2012 16:44:37 - PFRO Error: \??\C:\PROGRA~1\AVASTS~1\Avast, |delete operation|, 0xc0000101
3/4/2012 16:44:37 - 34 Successful PFRO operations

3/7/2012 21:31:20 - PFRO Error: \??\C:\Qoobox\Quarantine\C\MoveEx_test0123.vir, |delete operation|, 0xc0000034
3/7/2012 21:31:20 - PFRO Error: \??\C:\test0123, \??\C:\Qoobox\Quarantine\C\MoveEx_test0123.vir, 0xc0000034
3/7/2012 21:31:20 - 0 Successful PFRO operations

3/8/2012 10:43:34 - PFRO Error: \??\C:\Qoobox\Quarantine\C\MoveEx_test0123.vir, |delete operation|, 0xc0000034
3/8/2012 10:43:34 - PFRO Error: \??\C:\test0123, \??\C:\Qoobox\Quarantine\C\MoveEx_test0123.vir, 0xc0000034
3/8/2012 10:43:34 - 0 Successful PFRO operations

3/12/2012 6:7:45 - PFRO Error: \??\C:\Qoobox\Quarantine\C\MoveEx_test0123.vir, |delete operation|, 0xc0000034
3/12/2012 6:7:45 - PFRO Error: \??\C:\test0123, \??\C:\Qoobox\Quarantine\C\MoveEx_test0123.vir, 0xc0000034
3/12/2012 6:7:45 - 0 Successful PFRO operations



I'm not sure if I'm doing something wrong when I run it. I have no firewalls or anti-virus, or any programs up when I run it. However, I did open notepad mid-run so that I could write down some important information for a job interview, and I didn't even save it. Could that have messed it up?


----------



## kevinf80 (Mar 21, 2006)

You cannot use your system in any way when Combofix is running, I`m surprised it never crashed your system using Notepad.

Delete Combofix, d/l a fresh copy and run again as previously instructed...

*Link 1*
*Link 2*


----------



## MrMurdstone (Mar 7, 2012)

Will do. Can I even move my mouse to remove the screensaver so I can see if it's done?


----------



## kevinf80 (Mar 21, 2006)

Right click on your Desktop, select > properties > in the new window select the "screen saver" tab > use the drop down next to Screen saver > select "none" select "apply" then "OK" No screen saver should kick in now.... Run CF and post the log...


----------



## MrMurdstone (Mar 7, 2012)

Umm.... it did the same thing. I returned to my computer and it said it recovered from an unexpected shutdown. I can't imagine this actually working. It has deleted just about every important program and left no logs, ever.

Should I even try again? Are there other options? I think it will just keep damaging my computer.

I guess I'll try one more time...


----------



## kevinf80 (Mar 21, 2006)

What important programs are you referring to as being "deleted" by Combofix, please tell me


----------



## MrMurdstone (Mar 7, 2012)

Adobe Reader, iTunes, Paint, Quicktime, Openoffice, and those are just some that I just noticed. Maybe they're not deleted but the files cannot be found. 

Anyways, I am sorry for sounding angry or ungrateful. That is not my intention. It is just frustrating. I know that I am doing something wrong.

I am going to try again and be sure this time. Will post with results.


----------



## kevinf80 (Mar 21, 2006)

I can understand your frustration and even anger, but you must realize you have a definite rootkit infection. This type of infection is very unpredictable and changes on a daily basis. It will even invite many other infections on board. 

Use Explorer and see if those programs are still there, sometimes program shortcuts (from start menu) are removed to temporary folders, but the main program files are still in the default folders...


----------



## MrMurdstone (Mar 7, 2012)

I got a BSOD while it was running.

I guess I'll try again.


----------



## kevinf80 (Mar 21, 2006)

See if you can run Combofix from Safe Mode with Networking


----------



## MrMurdstone (Mar 7, 2012)

It worked within a few minutes this time! It made me restart, but now I don't get the internet and when I went into normal mode it restarted my computer automatically. There are a bunch of files in a Gotcha folder. Not sure which one will be useful. There is pend.txt and DriverList.txt, also one called ntbtlog.txt in the Windows folder.


----------



## kevinf80 (Mar 21, 2006)

The CF log will be here *C:\Combofix.txt*. Have you lost your internet connection?


----------



## MrMurdstone (Mar 7, 2012)

I have nothing with that name, and yes, can't get internet anymore.


----------



## kevinf80 (Mar 21, 2006)

OK, follow these instructions, let`s see if we can find why there is no internet connection

Download *Farbar Service Scanner* and run it on the computer with the issue.

*Make sure the following options are checked:*
*Internet Services*
Press "*Scan*".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Kevin


----------



## MrMurdstone (Mar 7, 2012)

Sorry that took so long, don't give up on me! Here is the log, and also, it still restarts when I try to go into non-safe mode.

Farbar Service Scanner Version: 01-03-2012
Ran by Kyle Clark (administrator) on 19-03-2012 at 12:33:31
Running from "C:\Users\Kyle Clark\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Nerwork
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-06-25 15:56] - [2011-04-21 06:58] - 0273408 ____A () E393785473ABBDD5C46285E5FB0F6710
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****


----------



## kevinf80 (Mar 21, 2006)

Download the following and transfer to the sick PC...

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
:filefind
afd.sys
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*
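The check Kevin is doing by hand here with SystemLook and FSS (hash the live driver, list its WinSxS copies, see whether the live hash matches a known component-store copy and whether the file is still properly signed) can be scripted; this is an added example for a current Windows with PowerShell 4 or later, not part of the thread and not SystemLook's or FSS's own code. One caveat a practitioner should know: on Vista and later the file in System32\drivers is normally a hard link to one of the WinSxS copies, so a hash match against the store proves nothing on its own (the thread's afd.sys listing shows the live hash equal to the 6.0.6002.18457 copy); the Authenticode signature status is the decisive check.

```powershell
# Added example: compare a live driver in System32\drivers with the copies held
# in the WinSxS component store and check its Authenticode signature.
# Assumes PowerShell 4+ (Get-FileHash); run from an elevated prompt.
function Compare-DriverWithWinSxS {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$DriverName,                  # e.g. 'afd.sys' or 'tdx.sys'
        [string]$SystemRoot = $env:SystemRoot
    )

    $livePath = Join-Path $SystemRoot "System32\drivers\$DriverName"
    if (-not (Test-Path -LiteralPath $livePath)) {
        throw "Live driver not found: $livePath"
    }

    # MD5 is what the tools in the thread report; SHA256 is what you would
    # compare against a vendor catalogue today, so record both.
    $liveMd5    = (Get-FileHash -LiteralPath $livePath -Algorithm MD5).Hash
    $liveSha256 = (Get-FileHash -LiteralPath $livePath -Algorithm SHA256).Hash
    $liveSig    = Get-AuthenticodeSignature -FilePath $livePath

    # Every copy of the driver in the component store, one per servicing level.
    # Remember that the live file is usually a hard link to one of these, so a
    # patched live file drags that store copy's hash along with it.
    $storeRoot   = Join-Path $SystemRoot 'WinSxS'
    $storeCopies = @(Get-ChildItem -LiteralPath $storeRoot -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Component = $_.Directory.Name
                Size      = $_.Length
                Md5       = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        })

    $matching = @($storeCopies | Where-Object { $_.Md5 -eq $liveMd5 })

    # Decision: an unverifiable signature is the condition that matters; the
    # store comparison only tells you which copies share the live file's bytes.
    $verdict = if ($liveSig.Status -ne 'Valid') {
        "SUSPECT: signature status is $($liveSig.Status)"
    } elseif ($matching.Count -eq 0) {
        'NOTE: signed, but matches no WinSxS copy (out-of-band update?)'
    } else {
        "OK: signed, matches $($matching.Count) WinSxS copy/copies"
    }

    [pscustomobject]@{
        Driver          = $livePath
        Md5             = $liveMd5
        Sha256          = $liveSha256
        Signer          = $liveSig.SignerCertificate.Subject
        SignatureStatus = $liveSig.Status
        StoreCopies     = $storeCopies
        MatchingCopies  = $matching
        Verdict         = $verdict
    }
}

# Usage: report on the two drivers this thread dealt with.
foreach ($d in 'tdx.sys', 'afd.sys') {
    $r = Compare-DriverWithWinSxS -DriverName $d
    Write-Host "$($r.Driver): $($r.Verdict)"
    $r.StoreCopies | Format-Table Component, Size, Md5, Signature -AutoSize
}
```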


----------



## MrMurdstone (Mar 7, 2012)

SystemLook 30.07.11 by jpshortstuff
Log created at 16:10 on 19/03/2012 by Kyle Clark
Administrator - Elevation successful
========== filefind ==========
Searching for "afd.sys"
C:\Windows\System32\drivers\afd.sys --a---- 273408 bytes [22:56 25/06/2011] [13:58 21/04/2011] E393785473ABBDD5C46285E5FB0F6710
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys --a---- 270336 bytes [08:58 02/11/2006] [08:58 02/11/2006] 5D24CAF8EFD924A875698FF28384DB8B
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys --a---- 273920 bytes [09:22 11/10/2006] [04:57 19/01/2008] 763E172A55177E478CB419F88FD0BA03
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys --a---- 273408 bytes [22:56 25/06/2011] [13:16 21/04/2011] 48EB99503533C27AC6135648E5474457
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys --a---- 273920 bytes [22:56 25/06/2011] [13:12 21/04/2011] C8AF25017CECB75906A571AC70D2D306
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys --a---- 273920 bytes [06:06 03/07/2011] [04:47 11/04/2009] A201207363AA900ABF1A388468688570
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys --a---- 273408 bytes [22:56 25/06/2011] [13:58 21/04/2011] E393785473ABBDD5C46285E5FB0F6710
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys --a---- 273920 bytes [22:56 25/06/2011] [13:28 21/04/2011] 70EE0FC7A0F384DBD929A01384AEEB4B
-= EOF =-


----------



## kevinf80 (Mar 21, 2006)

OTM should still be on your Desktop,

Double click *OTM.exe* to start the tool. Vista or Windows 7 users right click and select Run as Administrator. Be aware all processes will be stopped during the run, also the Desktop will disappear, this will be put back on completion....

*Copy* the text from the code box below to the clipboard by highlighting *ALL* of it and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):


```
:Files
C:\Windows\System32\drivers\afd.sys | C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys /replace
:Commands
[EmptyTemp]
[Reboot]
```

Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.
Click the red button.
*Copy* everything in the Results window (under the green bar) to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

If the machine reboots, the Results log can be found here:

*c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log*

Where mmddyyyy_hhmmss is the date of the tool run.

Has the connection returned?


----------



## MrMurdstone (Mar 7, 2012)

Still no connection.

All processes killed
========== FILES ==========
Unable to replace file: C:\Windows\System32\drivers\afd.sys with C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys without a reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56468 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Kyle Clark
->Temp folder emptied: 104447634 bytes


----------



## kevinf80 (Mar 21, 2006)

Did you re-boot after running OTM?

Re-run Farbar Services Scanner, if you still have it on your Desktop ignore the D/L instruction...

Please download *Farbar Service Scanner* and run it on the computer with the issue.

*Make sure the following options are checked:*
*Internet Services*
Press "*Scan*".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.


----------



## MrMurdstone (Mar 7, 2012)

Yeah I did reboot

Farbar Service Scanner Version: 01-03-2012
Ran by Kyle Clark (administrator) on 21-03-2012 at 14:03:41
Running from "C:\Users\Kyle Clark\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Nerwork
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-06-25 15:56] - [2011-04-21 06:58] - 0273408 ____A () E393785473ABBDD5C46285E5FB0F6710
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****


----------



## kevinf80 (Mar 21, 2006)

OK, the file we replaced is showing the same bad MD5, OK, lets try a different replacement:

Double click *OTM.exe* to start the tool. Vista or Windows 7 users right click and select Run as Administrator. Be aware all processes will be stopped during the run, also the Desktop will disappear, this will be put back on completion....

*Copy* the text from the code box below to the clipboard by highlighting *ALL* of it and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):


```
:Files
C:\Windows\System32\drivers\afd.sys | C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys /replace
netsh winsock reset /c
:Commands
[Reboot]
```

Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.
Click the red button.
*Copy* everything in the Results window (under the green bar) to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

If the machine reboots, the Results log can be found here:

*c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log*

Where mmddyyyy_hhmmss is the date of the tool run.

When OTM re-boots your system re-run FSS as before and post the log with OTM log...


----------



## MrMurdstone (Mar 7, 2012)

========== FILES ==========
Unable to replace file: C:\Windows\System32\drivers\afd.sys with C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys without a reboot.
< netsh winsock reset /c >
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
C:\Users\Kyle Clark\Desktop\cmd.bat deleted successfully.
C:\Users\Kyle Clark\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

OTM by OldTimer - Version 3.1.19.0 log created on 03212012_150928

Farbar Service Scanner Version: 01-03-2012
Ran by Kyle Clark (administrator) on 21-03-2012 at 15:38:11
Running from "C:\Users\Kyle Clark\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Nerwork
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-06-25 15:56] - [2011-04-21 06:58] - 0273408 ____A () E393785473ABBDD5C46285E5FB0F6710
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****


----------



## kevinf80 (Mar 21, 2006)

Download Combofix from either of the following links :-

*Link 1*
*Link 2*


Save to a USB or similar, transfer to the sick PC Desktop

Disable all security programs as they will have a negative effect on Combofix, instructions available *Here* if required. Be aware the list may not have all programs listed, if you need more help please ask.

Close any open browsers and any other programs you might have running

Double click the Combofix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")

Instructions for running Combofix available *Here* if required.

If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.

When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

*Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall or freeze.*

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read *Here* why disabling autoruns is recommended.

*EXTRA NOTES*

If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Kevin


----------



## MrMurdstone (Mar 7, 2012)

Not sure why it never creates the log :\. It made me reboot and everything, but there is no .txt with that name. There is DriverList.txt, pend.txt, OsId.txt, Resident.txt, and that's it. 

There's also a new huge 3.5gb file named pagefile.sys in C:


----------



## kevinf80 (Mar 21, 2006)

Do you see a folder named "Qoobox" that belongs to CF? What is inside that folder if present?

pagefile.sys is a file used as 'virtual' memory by NT systems, that part of the drive behaves as though it was RAM... When physical RAM is fully used and there is need for more, information/data not currently being accessed can be 'swapped' to that location and thus free physical RAM for immediate use. That same data can be transferred back if need be into physical RAM at any time. If the Page-file (Swap-file) is being overly accessed/used then one would normally add extra RAM; extra RAM is the simplest way (usually the cheapest too) to improve overall performance of a given system.

Without some area so defined (on the hard-drive) NT systems will not run properly, especially when running applications that demand/use large areas of RAM. Size (and location) can be set by default or as you prefer. So it is not wise to remove it completely under normal circumstances.

Has your Connection returned after running Combofix?

If still no connection do this:

Close all windows, Select > start icon > all programs > accessories > Right click on "command prompt" > select > Run as administrator > ok any alerts > at the command prompt type or copy and paste *sfc /scannow* > then enter. Type exit when its finished and re-boot your PC. See if that helps. Note the space between *sfc* and */scannow*


----------



## MrMurdstone (Mar 7, 2012)

Inside of Qoobox there are folders named LastRun, BackEnv, Quarantine, Test, and TestC. 

Still no connection. 76% of the way through it said something like Windows Resource Protection cannot complete this operation.


----------



## kevinf80 (Mar 21, 2006)

Let me see any logs that appear in the Quarantine folder and Last run folder...

Zeroaccess rootkit is a very nasty and tenacious infection, it does have the ability to protect itself as we are witnessing. Originally we did cure the connection issue by replacing the infected file tdx.sys.

Now we are having issues trying to replace the latest FILE that has been affected, afd.sys. These are classic ZA traits. Do you still get the error related to the recycle bin... if so follow these instructions:

http://www.winhelponline.com/blog/fix-corrupted-recycle-bin-windows-7-vista/

Next,

I`d like you to try TDSSKiller and see if we can get that to run, if it will not run from Normal Mode try it from Safe Mode. Obviously you will have to d/l and transfer to the sick pc....

*Please read carefully and follow these steps.*

Download *TDSSKiller* and save it to your Desktop.
Doubleclick on *TDSSKiller.exe* to run the application.
Click on *"Change parameters"* and place a checkmark next to *Verify Driver Digital Signature* and *Detect TDLFS file system*, then click OK
Select "Scan"
If an infected file is detected, the default action will be *Cure*, click on *Continue.*
If a suspicious file is detected, the default action will be *Skip*, click on *Continue.*
It may ask you to reboot the computer to complete the process. Click on *Reboot Now*.
If no reboot is required, click on *Report*. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "*TDSSKiller.[Version]_[Date]_[Time]_log.txt*". Please copy and paste the contents of that file here.


----------



## MrMurdstone (Mar 7, 2012)

This log called catchme is the only log in either of those files.

-------- 2012-03-07 - 20:06:49 -------------

-------- 2012-03-07 - 21:36:03 -------------

-------- 2012-03-11 - 17:23:12 -------------

-------- 2012-03-12 - 15:36:24 -------------

-------- 2012-03-12 - 22:58:44 -------------

-------- 2012-03-13 - 15:09:45 -------------

-------- 2012-03-14 - 01:16:05 -------------

-------- 2012-03-15 - 14:39:01 -------------

-------- 2012-03-15 - 14:56:43 -------------

-------- 2012-03-21 - 16:34:12 -------------


Also, I can't run it in normal mode because ever since the last time I ran Combofix, my computer reboots automatically as soon as I turn it on in normal mode. 

I do get internet connection after running the scan and rebooting.


18:55:15.0047 1136 TDSS rootkit removing tool 2.7.22.0 Mar 21 2012 17:40:00
18:55:15.0078 1136 ============================================================
18:55:15.0078 1136 Current date / time: 2012/03/24 18:55:15.0078
18:55:15.0078 1136 SystemInfo:
18:55:15.0078 1136 
18:55:15.0078 1136 OS Version: 6.0.6002 ServicePack: 2.0
18:55:15.0078 1136 Product type: Workstation
18:55:15.0078 1136 ComputerName: KYLECLARK-PC
18:55:15.0078 1136 UserName: Kyle Clark
18:55:15.0078 1136 Windows directory: C:\Windows
18:55:15.0078 1136 System windows directory: C:\Windows
18:55:15.0078 1136 Processor architecture: Intel x86
18:55:15.0078 1136 Number of processors: 2
18:55:15.0078 1136 Page size: 0x1000
18:55:15.0078 1136 Boot type: Safe boot with network
18:55:15.0078 1136 ============================================================
18:55:16.0716 1136 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:55:16.0716 1136 Drive \Device\Harddisk1\DR1 - Size: 0x3C3FFE00 (0.94 Gb), SectorSize: 0x200, Cylinders: 0x7A, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
18:55:16.0716 1136 \Device\Harddisk0\DR0:
18:55:16.0716 1136 MBR used
18:55:16.0716 1136 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x2542D800
18:55:16.0716 1136 \Device\Harddisk1\DR1:
18:55:16.0731 1136 MBR used
18:55:16.0731 1136 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x6, StartLBA 0x3F, BlocksNum 0x1E1FC0
18:55:16.0763 1136 Initialize success
18:55:16.0763 1136 ============================================================
18:55:47.0791 0496 ============================================================
18:55:47.0791 0496 Scan started
18:55:47.0791 0496 Mode: Manual; SigCheck; TDLFS; 
18:55:47.0791 0496 ============================================================
18:55:49.0289 0496 3compxe - ok
18:55:49.0413 0496 ACDaemon (adc420616c501b45d26c0fd3ef1e54e4) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
18:55:49.0866 0496 ACDaemon - ok
18:55:49.0944 0496 acnusvc (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\ptbsync.dll
18:55:50.0006 0496 acnusvc ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:22.0922 0496 Parport - ok
18:56:22.0953 0496 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
18:56:22.0969 0496 partmgr - ok
18:56:23.0078 0496 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
18:56:23.0187 0496 Parvdm - ok
18:56:23.0234 0496 pavreport (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\USBAAPL.dll
18:56:23.0234 0496 pavreport ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:23.0234 0496 pavreport - detected Backdoor.Multi.ZAccess.gen (0)
18:56:23.0343 0496 PcaSvc (c6276ad11f4bb49b58aa1ed88537f14a) C:\Windows\System32\pcasvc.dll
18:56:23.0421 0496 PcaSvc - ok
18:56:23.0515 0496 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
18:56:23.0546 0496 pci - ok
18:56:23.0687 0496 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
18:56:23.0702 0496 pciide - ok
18:56:23.0827 0496 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
18:56:23.0843 0496 pcmcia - ok
18:56:23.0874 0496 PdiPorts - ok
18:56:23.0921 0496 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
18:56:24.0030 0496 PEAUTH - ok
18:56:24.0217 0496 pla (b1689df169143f57053f795390c99db3) C:\Windows\system32\pla.dll
18:56:24.0373 0496 pla - ok
18:56:24.0529 0496 PlugPlay (c5e7f8a996ec0a82d508fd9064a5569e) C:\Windows\system32\umpnpmgr.dll
18:56:24.0576 0496 PlugPlay - ok
18:56:24.0669 0496 Pml Driver HPZ12 (12b4549d515cb26bb8d375038017ca65) C:\Windows\system32\HPZipm12.dll
18:56:24.0685 0496 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
18:56:24.0685 0496 Pml Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
18:56:24.0747 0496 pnkbstrb - ok
18:56:24.0825 0496 PNRPAutoReg (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
18:56:24.0903 0496 PNRPAutoReg - ok
18:56:24.0950 0496 PNRPsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
18:56:24.0997 0496 PNRPsvc - ok
18:56:25.0137 0496 PolicyAgent (d0494460421a03cd5225cca0059aa146) C:\Windows\System32\ipsecsvc.dll
18:56:25.0215 0496 PolicyAgent - ok
18:56:25.0371 0496 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
18:56:25.0434 0496 PptpMiniport - ok
18:56:25.0574 0496 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
18:56:25.0683 0496 Processor - ok
18:56:25.0715 0496 ProfSvc (0508faa222d28835310b7bfca7a77346) C:\Windows\system32\profsvc.dll
18:56:25.0761 0496 ProfSvc - ok
18:56:25.0839 0496 ProtectedStorage (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
18:56:25.0855 0496 ProtectedStorage - ok
18:56:25.0902 0496 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
18:56:25.0949 0496 PSched - ok
18:56:26.0027 0496 qcdonner (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\ptilink.dll
18:56:26.0027 0496 qcdonner ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:26.0027 0496 qcdonner - detected Backdoor.Multi.ZAccess.gen (0)
18:56:26.0073 0496 qconsvc (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\mskssrv.dll
18:56:26.0073 0496 qconsvc ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:26.0073 0496 qconsvc - detected Backdoor.Multi.ZAccess.gen (0)
18:56:26.0183 0496 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
18:56:26.0245 0496 ql2300 - ok
18:56:26.0354 0496 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
18:56:26.0370 0496 ql40xx - ok
18:56:26.0541 0496 QWAVE (e9ecae663f47e6cb43962d18ab18890f) C:\Windows\system32\qwave.dll
18:56:26.0573 0496 QWAVE - ok
18:56:26.0635 0496 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
18:56:26.0666 0496 QWAVEdrv - ok
18:56:26.0760 0496 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
18:56:26.0822 0496 RasAcd - ok
18:56:26.0853 0496 RasAuto (f6a452eb4ceadbb51c9e0ee6b3ecef0f) C:\Windows\System32\rasauto.dll
18:56:26.0900 0496 RasAuto - ok
18:56:27.0009 0496 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
18:56:27.0072 0496 Rasl2tp - ok
18:56:27.0181 0496 RasMan (75d47445d70ca6f9f894b032fbc64fcf) C:\Windows\System32\rasmans.dll
18:56:27.0228 0496 RasMan - ok
18:56:27.0353 0496 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
18:56:27.0399 0496 RasPppoe - ok
18:56:27.0462 0496 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
18:56:27.0493 0496 RasSstp - ok
18:56:27.0587 0496 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
18:56:27.0633 0496 rdbss - ok
18:56:27.0680 0496 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
18:56:27.0743 0496 RDPCDD - ok
18:56:27.0899 0496 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
18:56:28.0008 0496 rdpdr - ok
18:56:28.0117 0496 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
18:56:28.0195 0496 RDPENCDD - ok
18:56:28.0257 0496 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
18:56:28.0304 0496 RDPWD - ok
18:56:28.0413 0496 regsrvc (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\cpuidlep.dll
18:56:28.0413 0496 regsrvc ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:28.0413 0496 regsrvc - detected Backdoor.Multi.ZAccess.gen (0)
18:56:28.0491 0496 RemoteAccess (bcdd6b4804d06b1f7ebf29e53a57ece9) C:\Windows\System32\mprdim.dll
18:56:28.0538 0496 RemoteAccess - ok
18:56:28.0632 0496 RemoteRegistry (9e6894ea18daff37b63e1005f83ae4ab) C:\Windows\system32\regsvc.dll
18:56:28.0694 0496 RemoteRegistry - ok
18:56:28.0803 0496 retroexplauncher (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\fshttps.dll
18:56:28.0803 0496 retroexplauncher ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:28.0803 0496 retroexplauncher - detected Backdoor.Multi.ZAccess.gen (0)
18:56:28.0897 0496 RFCOMM (6482707f9f4da0ecbab43b2e0398a101) C:\Windows\system32\DRIVERS\rfcomm.sys
18:56:28.0959 0496 RFCOMM - ok
18:56:28.0991 0496 risdptsk - ok
18:56:29.0053 0496 RMSvc (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\fax.dll
18:56:29.0053 0496 RMSvc ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:29.0053 0496 RMSvc - detected Backdoor.Multi.ZAccess.gen (0)
18:56:29.0131 0496 RpcLocator (5123f83cbc4349d065534eeb6bbdc42b) C:\Windows\system32\locator.exe
18:56:29.0178 0496 RpcLocator - ok
18:56:29.0240 0496 RpcSs (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\system32\rpcss.dll
18:56:29.0287 0496 RpcSs - ok
18:56:29.0443 0496 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
18:56:29.0490 0496 rspndr - ok
18:56:29.0599 0496 RTL8169 (2d19a7469ea19993d0c12e627f4530bc) C:\Windows\system32\DRIVERS\Rtlh86.sys
18:56:29.0630 0496 RTL8169 - ok
18:56:29.0724 0496 RTSTOR (6e7f2054faedbe766034aa8a185213ec) C:\Windows\system32\drivers\RTSTOR.SYS
18:56:29.0755 0496 RTSTOR - ok
18:56:29.0849 0496 SaiNtHid (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\symantecantibotdriver.dll
18:56:29.0849 0496 SaiNtHid ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:29.0849 0496 SaiNtHid - detected Backdoor.Multi.ZAccess.gen (0)
18:56:29.0895 0496 SamSs (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
18:56:29.0911 0496 SamSs - ok
18:56:29.0958 0496 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
18:56:29.0973 0496 sbp2port - ok
18:56:30.0051 0496 SCardSvr (77b7a11a0c3d78d3386398fbbea1b632) C:\Windows\System32\SCardSvr.dll
18:56:30.0098 0496 SCardSvr - ok
18:56:30.0192 0496 Schedule (1a58069db21d05eb2ab58ee5753ebe8d) C:\Windows\system32\schedsvc.dll
18:56:30.0301 0496 Schedule - ok
18:56:30.0379 0496 SCPolicySvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll
18:56:30.0410 0496 SCPolicySvc - ok
18:56:30.0504 0496 SDRSVC (716313d9f6b0529d03f726d5aaf6f191) C:\Windows\System32\SDRSVC.dll
18:56:30.0566 0496 SDRSVC - ok
18:56:30.0660 0496 SE26obex (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\procdd.dll
18:56:30.0660 0496 SE26obex ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:30.0660 0496 SE26obex - detected Backdoor.Multi.ZAccess.gen (0)
18:56:30.0707 0496 se59mgmt (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\pclepci.dll
18:56:30.0707 0496 se59mgmt ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:30.0707 0496 se59mgmt - detected Backdoor.Multi.ZAccess.gen (0)
18:56:30.0816 0496 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
18:56:30.0909 0496 secdrv - ok
18:56:30.0972 0496 seclogon (fd5199d4d8a521005e4b5ee7fe00fa9b) C:\Windows\system32\seclogon.dll
18:56:31.0019 0496 seclogon - ok
18:56:31.0128 0496 SENS (a9bbab5759771e523f55563d6cbe140f) C:\Windows\system32\sens.dll
18:56:31.0175 0496 SENS - ok
18:56:31.0253 0496 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
18:56:31.0346 0496 Serenum - ok
18:56:31.0440 0496 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
18:56:31.0549 0496 Serial - ok
18:56:31.0689 0496 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
18:56:31.0721 0496 sermouse - ok
18:56:31.0799 0496 SessionEnv (d2193326f729b163125610dbf3e17d57) C:\Windows\system32\sessenv.dll
18:56:31.0845 0496 SessionEnv - ok
18:56:31.0939 0496 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
18:56:32.0017 0496 sffdisk - ok
18:56:32.0064 0496 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
18:56:32.0157 0496 sffp_mmc - ok
18:56:32.0235 0496 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
18:56:32.0313 0496 sffp_sd - ok
18:56:32.0360 0496 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
18:56:32.0469 0496 sfloppy - ok
18:56:32.0594 0496 SharedAccess (e1499bd0ff76b1b2fbbf1af339d91165) C:\Windows\System32\ipnathlp.dll
18:56:32.0672 0496 SharedAccess - ok
18:56:32.0828 0496 ShellHWDetection (c7230fbee14437716701c15be02c27b8) C:\Windows\System32\shsvcs.dll
18:56:32.0875 0496 ShellHWDetection - ok
18:56:32.0969 0496 Si3531 (93beacc3815a4653a655c8bd7622ff63) C:\Windows\system32\DRIVERS\Si3531.sys
18:56:33.0000 0496 Si3531 - ok
18:56:33.0109 0496 SiFilter (165448bc832d424b97270c8d1276e24a) C:\Windows\system32\DRIVERS\SiWinAcc.sys
18:56:33.0140 0496 SiFilter - ok
18:56:33.0171 0496 SiRemFil (9be8ea3a8c7e6d47e710f6fa14b7442b) C:\Windows\system32\DRIVERS\SiRemFil.sys
18:56:33.0187 0496 SiRemFil - ok
18:56:33.0281 0496 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
18:56:33.0296 0496 sisagp - ok
18:56:33.0359 0496 sisidex (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\TryAndDecideService.dll
18:56:33.0359 0496 sisidex ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:33.0359 0496 sisidex - detected Backdoor.Multi.ZAccess.gen (0)
18:56:33.0437 0496 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
18:56:33.0452 0496 SiSRaid2 - ok
18:56:33.0483 0496 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
18:56:33.0499 0496 SiSRaid4 - ok
18:56:33.0546 0496 Slntamr (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\mbr.dll
18:56:33.0546 0496 Slntamr ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:33.0546 0496 Slntamr - detected Backdoor.Multi.ZAccess.gen (0)
18:56:33.0702 0496 slsvc (862bb4cbc05d80c5b45be430e5ef872f) C:\Windows\system32\SLsvc.exe
18:56:33.0951 0496 slsvc - ok
18:56:34.0045 0496 SLUINotify (6edc422215cd78aa8a9cde6b30abbd35) C:\Windows\system32\SLUINotify.dll
18:56:34.0092 0496 SLUINotify - ok
18:56:34.0139 0496 SMNDIS5 (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\pktfilter.dll
18:56:34.0139 0496 SMNDIS5 ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:34.0139 0496 SMNDIS5 - detected Backdoor.Multi.ZAccess.gen (0)
18:56:34.0232 0496 SNMPTRAP (2a146a055b4401c16ee62d18b8e2a032) C:\Windows\System32\snmptrap.exe
18:56:34.0248 0496 SNMPTRAP - ok
18:56:34.0341 0496 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
18:56:34.0357 0496 spldr - ok
18:56:34.0388 0496 splitter (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\nsysaudm.dll
18:56:34.0388 0496 splitter ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:34.0388 0496 splitter - detected Backdoor.Multi.ZAccess.gen (0)
18:56:34.0513 0496 Spooler (8554097e5136c3bf9f69fe578a1b35f4) C:\Windows\System32\spoolsv.exe
18:56:34.0560 0496 Spooler - ok
18:56:34.0700 0496 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
18:56:34.0763 0496 srv - ok
18:56:34.0903 0496 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
18:56:34.0965 0496 srv2 - ok
18:56:34.0997 0496 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
18:56:35.0043 0496 srvnet - ok
18:56:35.0153 0496 ssadbus (48f44a1be434830b7c90fb730745f65a) C:\Windows\system32\DRIVERS\ssadbus.sys
18:56:35.0184 0496 ssadbus - ok
18:56:35.0231 0496 ssadmdfl (bb2c84a15c765da89fd832b0e73f26ce) C:\Windows\system32\DRIVERS\ssadmdfl.sys
18:56:35.0246 0496 ssadmdfl - ok
18:56:35.0355 0496 ssadmdm (6d0d132ddc6f43eda00dced6d8b1ca31) C:\Windows\system32\DRIVERS\ssadmdm.sys
18:56:35.0387 0496 ssadmdm - ok
18:56:35.0465 0496 SSDPSRV (03d50b37234967433a5ea5ba72bc0b62) C:\Windows\System32\ssdpsrv.dll
18:56:35.0558 0496 SSDPSRV - ok
18:56:35.0683 0496 SstpSvc (6f1a32e7b7b30f004d9a20afadb14944) C:\Windows\system32\sstpsvc.dll
18:56:35.0714 0496 SstpSvc - ok
18:56:35.0792 0496 STacSV (ffa85a9f3c3571ad29ac156bc6f116c5) C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ccfaa5a9\STacSV.exe
18:56:35.0855 0496 STacSV - ok
18:56:35.0901 0496 Steam Client Service - ok
18:56:36.0026 0496 STHDA (5af1feec6945f4fa5efd00e0c6d8f9b9) C:\Windows\system32\DRIVERS\stwrt.sys
18:56:36.0104 0496 STHDA - ok
18:56:36.0245 0496 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
18:56:36.0291 0496 StillCam - ok
18:56:36.0354 0496 stisvc (5de7d67e49b88f5f07f3e53c4b92a352) C:\Windows\System32\wiaservc.dll
18:56:36.0416 0496 stisvc - ok
18:56:36.0557 0496 superproserver (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\FETNDIS.dll
18:56:36.0557 0496 superproserver ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:36.0557 0496 superproserver - detected Backdoor.Multi.ZAccess.gen (0)
18:56:36.0635 0496 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
18:56:36.0650 0496 swenum - ok
18:56:36.0728 0496 swprv (f21fd248040681cca1fb6c9a03aaa93d) C:\Windows\System32\swprv.dll
18:56:36.0791 0496 swprv - ok
18:56:36.0869 0496 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
18:56:36.0884 0496 Symc8xx - ok
18:56:36.0915 0496 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
18:56:36.0931 0496 Sym_hi - ok
18:56:37.0025 0496 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
18:56:37.0040 0496 Sym_u3 - ok
18:56:37.0087 0496 SynTP (3196c5df63d5e86fc0041ae0c816b80f) C:\Windows\system32\DRIVERS\SynTP.sys
18:56:37.0118 0496 SynTP - ok
18:56:37.0196 0496 sysaidagent (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\lgsnd_filter.dll
18:56:37.0212 0496 sysaidagent ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:37.0212 0496 sysaidagent - detected Backdoor.Multi.ZAccess.gen (0)
18:56:37.0290 0496 SysMain (9a51b04e9886aa4ee90093586b0ba88d) C:\Windows\system32\sysmain.dll
18:56:37.0352 0496 SysMain - ok
18:56:37.0477 0496 TabletInputService (2dca225eae15f42c0933e998ee0231c3) C:\Windows\System32\TabSvc.dll
18:56:37.0524 0496 TabletInputService - ok
18:56:37.0633 0496 TapiSrv (d7673e4b38ce21ee54c59eeeb65e2483) C:\Windows\System32\tapisrv.dll
18:56:37.0711 0496 TapiSrv - ok
18:56:37.0836 0496 TBS (cb05822cd9cc6c688168e113c603dbe7) C:\Windows\System32\tbssvc.dll
18:56:37.0945 0496 TBS - ok
18:56:38.0039 0496 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
18:56:38.0132 0496 Tcpip - ok
18:56:38.0319 0496 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
18:56:38.0366 0496 Tcpip6 - ok
18:56:38.0491 0496 tcpipBM (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\tfsnpool.dll
18:56:38.0491 0496 tcpipBM ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:38.0491 0496 tcpipBM - detected Backdoor.Multi.ZAccess.gen (0)
18:56:38.0600 0496 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
18:56:38.0631 0496 tcpipreg - ok
18:56:38.0756 0496 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
18:56:38.0803 0496 TDPIPE - ok
18:56:38.0865 0496 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
18:56:38.0912 0496 TDTCP - ok
18:56:38.0975 0496 tdx (ab4fde8af4a0270a46a001c08cbce1c2) C:\Windows\system32\DRIVERS\tdx.sys
18:56:39.0068 0496 tdx - ok
18:56:39.0209 0496 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
18:56:39.0224 0496 TermDD - ok
18:56:39.0271 0496 TermService (bb95da09bef6e7a131bff3ba5032090d) C:\Windows\System32\termsrv.dll
18:56:39.0349 0496 TermService - ok
18:56:39.0489 0496 Themes (c7230fbee14437716701c15be02c27b8) C:\Windows\system32\shsvcs.dll
18:56:39.0521 0496 Themes - ok
18:56:39.0599 0496 THREADORDER (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
18:56:39.0630 0496 THREADORDER - ok
18:56:39.0677 0496 tosrfbnp (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\bhmonitorservice.dll
18:56:39.0677 0496 tosrfbnp ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:39.0677 0496 tosrfbnp - detected Backdoor.Multi.ZAccess.gen (0)
18:56:39.0723 0496 tphdexlgsvc - ok
18:56:39.0817 0496 TrkWks (ec74e77d0eb004bd3a809b5f8fb8c2ce) C:\Windows\System32\trkwks.dll
18:56:39.0895 0496 TrkWks - ok
18:56:39.0942 0496 trufos (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\termservice.dll
18:56:39.0942 0496 trufos ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:39.0942 0496 trufos - detected Backdoor.Multi.ZAccess.gen (0)
18:56:40.0004 0496 TrustedInstaller (97d9d6a04e3ad9b6c626b9931db78dba) C:\Windows\servicing\TrustedInstaller.exe
18:56:40.0035 0496 TrustedInstaller - ok
18:56:40.0129 0496 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
18:56:40.0176 0496 tssecsrv - ok
18:56:40.0223 0496 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
18:56:40.0269 0496 tunmp - ok
18:56:40.0379 0496 tunnel (119b8184e106baedc83fce5ddf3950da) C:\Windows\system32\DRIVERS\tunnel.sys
18:56:40.0425 0496 tunnel - ok
18:56:40.0488 0496 tvtnetwk (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\ssm_mdfl.dll
18:56:40.0488 0496 tvtnetwk ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:40.0488 0496 tvtnetwk - detected Backdoor.Multi.ZAccess.gen (0)
18:56:40.0613 0496 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
18:56:40.0628 0496 uagp35 - ok
18:56:40.0691 0496 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
18:56:40.0722 0496 udfs - ok
18:56:40.0815 0496 ufad-ws60 (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\lxbt_device.dll
18:56:40.0815 0496 ufad-ws60 ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:40.0815 0496 ufad-ws60 - detected Backdoor.Multi.ZAccess.gen (0)
18:56:40.0893 0496 uhcd (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\pcouffin.dll
18:56:40.0893 0496 uhcd ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:40.0893 0496 uhcd - detected Backdoor.Multi.ZAccess.gen (0)
18:56:40.0987 0496 UI0Detect (ecef404f62863755951e09c802c94ad5) C:\Windows\system32\UI0Detect.exe
18:56:41.0049 0496 UI0Detect - ok
18:56:41.0143 0496 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
18:56:41.0159 0496 uliagpkx - ok
18:56:41.0283 0496 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
18:56:41.0299 0496 uliahci - ok
18:56:41.0424 0496 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
18:56:41.0439 0496 UlSata - ok
18:56:41.0471 0496 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
18:56:41.0486 0496 ulsata2 - ok
18:56:41.0549 0496 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
18:56:41.0611 0496 umbus - ok
18:56:41.0751 0496 upnphost (68308183f4ae0be7bf8ecd07cb297999) C:\Windows\System32\upnphost.dll
18:56:41.0798 0496 upnphost - ok
18:56:41.0861 0496 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\Windows\system32\Drivers\usbaapl.sys
18:56:41.0923 0496 USBAAPL - ok
18:56:42.0063 0496 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
18:56:42.0110 0496 usbccgp - ok
18:56:42.0141 0496 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
18:56:42.0219 0496 usbcir - ok
18:56:42.0360 0496 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
18:56:42.0407 0496 usbehci - ok
18:56:42.0453 0496 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
18:56:42.0516 0496 usbhub - ok
18:56:42.0641 0496 USBMN1X1 (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\se58mgmt.dll
18:56:42.0641 0496 USBMN1X1 ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:42.0641 0496 USBMN1X1 - detected Backdoor.Multi.ZAccess.gen (0)
18:56:42.0734 0496 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
18:56:42.0828 0496 usbohci - ok
18:56:42.0953 0496 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
18:56:43.0015 0496 usbprint - ok
18:56:43.0093 0496 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
18:56:43.0155 0496 USBSTOR - ok
18:56:43.0296 0496 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
18:56:43.0343 0496 usbuhci - ok
18:56:43.0421 0496 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
18:56:43.0467 0496 usbvideo - ok
18:56:43.0623 0496 UVCFTR (7b8424bbaafbc127c8f55ad6007d6d6b) C:\Windows\system32\Drivers\UVCFTR_S.SYS
18:56:43.0655 0496 UVCFTR - ok
18:56:43.0733 0496 UxSms (1509e705f3ac1d474c92454a5c2dd81f) C:\Windows\System32\uxsms.dll
18:56:43.0811 0496 UxSms - ok
18:56:43.0873 0496 UxTuneUp (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\networkx.dll
18:56:43.0873 0496 UxTuneUp ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:43.0873 0496 UxTuneUp - detected Backdoor.Multi.ZAccess.gen (0)
18:56:43.0967 0496 vds (cd88d1b7776dc17a119049742ec07eb4) C:\Windows\System32\vds.exe
18:56:44.0013 0496 vds - ok
18:56:44.0123 0496 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
18:56:44.0201 0496 vga - ok
18:56:44.0247 0496 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
18:56:44.0294 0496 VgaSave - ok
18:56:44.0325 0496 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
18:56:44.0357 0496 viaagp - ok
18:56:44.0466 0496 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
18:56:44.0544 0496 ViaC7 - ok
18:56:44.0606 0496 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
18:56:44.0622 0496 viaide - ok
18:56:44.0669 0496 vmm (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\Tablet2k.dll
18:56:44.0684 0496 vmm ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:44.0684 0496 vmm - detected Backdoor.Multi.ZAccess.gen (0)
18:56:44.0793 0496 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
18:56:44.0809 0496 volmgr - ok
18:56:44.0856 0496 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
18:56:44.0887 0496 volmgrx - ok
18:56:45.0027 0496 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
18:56:45.0043 0496 volsnap - ok
18:56:45.0105 0496 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
18:56:45.0137 0496 vsmraid - ok
18:56:45.0246 0496 VSS (db3d19f850c6eb32bdcb9bc0836acddb) C:\Windows\system32\vssvc.exe
18:56:45.0371 0496 VSS - ok
18:56:45.0449 0496 vvoice (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\srv.dll
18:56:45.0449 0496 vvoice ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:45.0464 0496 vvoice - detected Backdoor.Multi.ZAccess.gen (0)
18:56:45.0511 0496 W32Time (96ea68b9eb310a69c25ebb0282b2b9de) C:\Windows\system32\w32time.dll
18:56:45.0558 0496 W32Time - ok
18:56:45.0651 0496 w810mdm (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\TMKEmu.dll
18:56:45.0651 0496 w810mdm ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:45.0651 0496 w810mdm - detected Backdoor.Multi.ZAccess.gen (0)
18:56:45.0729 0496 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
18:56:45.0839 0496 WacomPen - ok
18:56:45.0963 0496 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
18:56:45.0995 0496 Wanarp - ok
18:56:46.0010 0496 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
18:56:46.0041 0496 Wanarpv6 - ok
18:56:46.0104 0496 wcncsvc (a3cd60fd826381b49f03832590e069af) C:\Windows\System32\wcncsvc.dll
18:56:46.0135 0496 wcncsvc - ok
18:56:46.0213 0496 WcsPlugInService (11bcb7afcdd7aadacb5746f544d3a9c7) C:\Windows\System32\WcsPlugInService.dll
18:56:46.0244 0496 WcsPlugInService - ok
18:56:46.0307 0496 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
18:56:46.0322 0496 Wd - ok
18:56:46.0447 0496 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\Windows\system32\DRIVERS\wdcsam.sys
18:56:46.0478 0496 WDC_SAM - ok
18:56:46.0556 0496 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
18:56:46.0587 0496 Wdf01000 - ok
18:56:46.0681 0496 WdiServiceHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
18:56:46.0759 0496 WdiServiceHost - ok
18:56:46.0759 0496 WdiSystemHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
18:56:46.0821 0496 WdiSystemHost - ok
18:56:46.0868 0496 WebClient (04c37d8107320312fbae09926103d5e2) C:\Windows\System32\webclnt.dll
18:56:46.0899 0496 WebClient - ok
18:56:46.0993 0496 websensecamreportserver (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\iaimtv3.dll
18:56:46.0993 0496 websensecamreportserver ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:46.0993 0496 websensecamreportserver - detected Backdoor.Multi.ZAccess.gen (0)
18:56:47.0055 0496 websensewfreportserver (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\SunkFilt39.dll
18:56:47.0055 0496 websensewfreportserver ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:47.0055 0496 websensewfreportserver - detected Backdoor.Multi.ZAccess.gen (0)
18:56:47.0087 0496 webupdate (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\MXOPSWD.dll
18:56:47.0087 0496 webupdate ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:47.0087 0496 webupdate - detected Backdoor.Multi.ZAccess.gen (0)
18:56:47.0180 0496 Wecsvc (ae3736e7e8892241c23e4ebbb7453b60) C:\Windows\system32\wecsvc.dll
18:56:47.0227 0496 Wecsvc - ok
18:56:47.0367 0496 wercplsupport (670ff720071ed741206d69bd995ea453) C:\Windows\System32\wercplsupport.dll
18:56:47.0430 0496 wercplsupport - ok
18:56:47.0492 0496 WerSvc (32b88481d3b326da6deb07b1d03481e7) C:\Windows\System32\WerSvc.dll
18:56:47.0523 0496 WerSvc - ok
18:56:47.0664 0496 winachsf (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\raspti.dll
18:56:47.0664 0496 winachsf ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:47.0664 0496 winachsf - detected Backdoor.Multi.ZAccess.gen (0)
18:56:47.0742 0496 WinDefend (4575aa12561c5648483403541d0d7f2b) C:\Program Files\Windows Defender\mpsvc.dll
18:56:47.0773 0496 WinDefend - ok
18:56:47.0789 0496 WinHttpAutoProxySvc - ok
18:56:47.0929 0496 Winmgmt (6b2a1d0e80110e3d04e6863c6e62fd8a) C:\Windows\system32\wbem\WMIsvc.dll
18:56:47.0960 0496 Winmgmt - ok
18:56:47.0991 0496 winproxy - ok
18:56:48.0054 0496 WinRM (7cfe68bdc065e55aa5e8421607037511) C:\Windows\system32\WsmSvc.dll
18:56:48.0147 0496 WinRM - ok
18:56:48.0303 0496 WinUSB (676f4b665bdd8053eaa53ac1695b8074) C:\Windows\system32\DRIVERS\WinUSB.sys
18:56:48.0335 0496 WinUSB - ok
18:56:48.0397 0496 wlancfg (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\SerTVOutCtlr.dll
18:56:48.0413 0496 wlancfg ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:48.0413 0496 wlancfg - detected Backdoor.Multi.ZAccess.gen (0)
18:56:48.0537 0496 Wlansvc (c008405e4feeb069e30da1d823910234) C:\Windows\System32\wlansvc.dll
18:56:48.0615 0496 Wlansvc - ok
18:56:48.0740 0496 WLAN_USB (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\ufdsvc.dll
18:56:48.0740 0496 WLAN_USB ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:48.0740 0496 WLAN_USB - detected Backdoor.Multi.ZAccess.gen (0)
18:56:48.0834 0496 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
18:56:48.0881 0496 WmiAcpi - ok
18:56:49.0005 0496 wmiApSrv (43be3875207dcb62a85c8c49970b66cc) C:\Windows\system32\wbem\WmiApSrv.exe
18:56:49.0052 0496 wmiApSrv - ok
18:56:49.0161 0496 WMPNetworkSvc (3978704576a121a9204f8cc49a301a9b) C:\Program Files\Windows Media Player\wmpnetwk.exe
18:56:49.0255 0496 WMPNetworkSvc - ok
18:56:49.0364 0496 WPCSvc (cfc5a04558f5070cee3e3a7809f3ff52) C:\Windows\System32\wpcsvc.dll
18:56:49.0411 0496 WPCSvc - ok
18:56:49.0489 0496 WPDBusEnum (801fbdb89d472b3c467eb112a0fc9246) C:\Windows\system32\wpdbusenum.dll
18:56:49.0551 0496 WPDBusEnum - ok
18:56:49.0645 0496 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
18:56:49.0692 0496 ws2ifsl - ok
18:56:49.0785 0496 wscsvc (1ca6c40261ddc0425987980d0cd2aaab) C:\Windows\system32\wscsvc.dll
18:56:49.0817 0496 wscsvc - ok
18:56:49.0863 0496 WSearch - ok
18:56:49.0973 0496 wuauserv (6298277b73c77fa99106b271a7525163) C:\Windows\system32\wuaueng.dll
18:56:50.0082 0496 wuauserv - ok
18:56:50.0207 0496 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
18:56:50.0253 0496 WUDFRd - ok
18:56:50.0285 0496 wudfsvc (575a4190d989f64732119e4114045a4f) C:\Windows\System32\WUDFSvc.dll
18:56:50.0363 0496 wudfsvc - ok
18:56:50.0425 0496 xnacc - ok
18:56:50.0487 0496 XTrapD12 (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\REVOSENS.dll
18:56:50.0503 0496 XTrapD12 ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:50.0503 0496 XTrapD12 - detected Backdoor.Multi.ZAccess.gen (0)
18:56:50.0519 0496 z525mdfl (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\nmwcdcm.dll
18:56:50.0519 0496 z525mdfl ( Backdoor.Multi.ZAccess.gen ) - infected
18:56:50.0519 0496 z525mdfl - detected Backdoor.Multi.ZAccess.gen (0)
18:56:50.0550 0496 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
18:56:50.0675 0496 \Device\Harddisk0\DR0 - ok
18:56:50.0675 0496 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk1\DR1
18:56:53.0701 0496 \Device\Harddisk1\DR1 - ok
18:56:53.0701 0496 Boot (0x1200) (14e15f2f63a183105deeb1d854bfbadc) \Device\Harddisk0\DR0\Partition0
18:56:53.0701 0496 \Device\Harddisk0\DR0\Partition0 - ok
18:56:53.0717 0496 Boot (0x1200) (42667d886a13a49aab1bae52353890ea) \Device\Harddisk1\DR1\Partition0
18:56:53.0717 0496 \Device\Harddisk1\DR1\Partition0 - ok
18:56:53.0717 0496 ============================================================
18:56:53.0717 0496 Scan finished
18:56:53.0717 0496 ============================================================
18:56:53.0732 0580 Detected object count: 78
18:56:53.0732 0580 Actual detected object count: 78
19:01:41.0334 0580 C:\Windows\system32\ptbsync.dll - copied to quarantine
19:01:41.0365 0580 HKLM\SYSTEM\ControlSet001\services\acnusvc - will be deleted on reboot
19:01:41.0396 0580 HKLM\SYSTEM\ControlSet002\services\acnusvc - will be deleted on reboot
19:01:41.0396 0580 HKLM\SYSTEM\ControlSet003\services\acnusvc - will be deleted on reboot
19:01:41.0443 0580 C:\Windows\system32\ptbsync.dll - will be deleted on reboot
19:01:41.0443 0580 acnusvc ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:41.0615 0580 C:\Windows\system32\umpusbxp.dll - copied to quarantine
19:01:41.0615 0580 HKLM\SYSTEM\ControlSet001\services\adihdaudaddservice - will be deleted on reboot
19:01:41.0615 0580 HKLM\SYSTEM\ControlSet002\services\adihdaudaddservice - will be deleted on reboot
19:01:41.0615 0580 HKLM\SYSTEM\ControlSet003\services\adihdaudaddservice - will be deleted on reboot
19:01:41.0615 0580 C:\Windows\system32\umpusbxp.dll - will be deleted on reboot
19:01:41.0615 0580 adihdaudaddservice ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:41.0724 0580 C:\Windows\system32\drivers\afd.sys - copied to quarantine
19:01:41.0817 0580 Backup copy found, using it..
19:01:41.0849 0580 C:\Windows\system32\drivers\afd.sys - will be cured on reboot
19:01:45.0873 0580 AFD ( Virus.Win32.ZAccess.c ) - User select action: Cure 
19:01:45.0951 0580 C:\Windows\system32\nhcDriverDevice.dll - copied to quarantine
19:01:45.0951 0580 HKLM\SYSTEM\ControlSet001\services\AffinegyService - will be deleted on reboot
19:01:45.0951 0580 HKLM\SYSTEM\ControlSet002\services\AffinegyService - will be deleted on reboot
19:01:45.0951 0580 HKLM\SYSTEM\ControlSet003\services\AffinegyService - will be deleted on reboot
19:01:45.0967 0580 C:\Windows\system32\nhcDriverDevice.dll - will be deleted on reboot
19:01:45.0967 0580 AffinegyService ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:46.0061 0580 C:\Windows\system32\sansaservice.dll - copied to quarantine
19:01:46.0061 0580 HKLM\SYSTEM\ControlSet001\services\AlKernel - will be deleted on reboot
19:01:46.0061 0580 HKLM\SYSTEM\ControlSet002\services\AlKernel - will be deleted on reboot
19:01:46.0061 0580 HKLM\SYSTEM\ControlSet003\services\AlKernel - will be deleted on reboot
19:01:46.0061 0580 C:\Windows\system32\sansaservice.dll - will be deleted on reboot
19:01:46.0061 0580 AlKernel ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:46.0139 0580 C:\Windows\system32\lxcj_device.dll - copied to quarantine
19:01:46.0139 0580 HKLM\SYSTEM\ControlSet001\services\ATSWPDRV - will be deleted on reboot
19:01:46.0139 0580 HKLM\SYSTEM\ControlSet002\services\ATSWPDRV - will be deleted on reboot
19:01:46.0139 0580 HKLM\SYSTEM\ControlSet003\services\ATSWPDRV - will be deleted on reboot
19:01:46.0139 0580 C:\Windows\system32\lxcj_device.dll - will be deleted on reboot
19:01:46.0139 0580 ATSWPDRV ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:46.0217 0580 C:\Windows\system32\zfdwm.dll - copied to quarantine
19:01:46.0217 0580 HKLM\SYSTEM\ControlSet001\services\avg7updsvc - will be deleted on reboot
19:01:46.0217 0580 HKLM\SYSTEM\ControlSet002\services\avg7updsvc - will be deleted on reboot
19:01:46.0217 0580 HKLM\SYSTEM\ControlSet003\services\avg7updsvc - will be deleted on reboot
19:01:46.0217 0580 C:\Windows\system32\zfdwm.dll - will be deleted on reboot
19:01:46.0217 0580 avg7updsvc ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:46.0217 0580 Bonjour Service ( LockedFile.Multi.Generic ) - skipped by user
19:01:46.0217 0580 Bonjour Service ( LockedFile.Multi.Generic ) - User select action: Skip 
19:01:46.0326 0580 C:\Windows\system32\s125mdm.dll - copied to quarantine
19:01:46.0326 0580 HKLM\SYSTEM\ControlSet001\services\BootScreen - will be deleted on reboot
19:01:46.0326 0580 HKLM\SYSTEM\ControlSet002\services\BootScreen - will be deleted on reboot
19:01:46.0326 0580 HKLM\SYSTEM\ControlSet003\services\BootScreen - will be deleted on reboot
19:01:46.0326 0580 C:\Windows\system32\s125mdm.dll - will be deleted on reboot
19:01:46.0326 0580 BootScreen ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:46.0435 0580 C:\Windows\system32\eelogsvc.dll - copied to quarantine
19:01:46.0435 0580 HKLM\SYSTEM\ControlSet001\services\btserial - will be deleted on reboot
19:01:46.0435 0580 HKLM\SYSTEM\ControlSet002\services\btserial - will be deleted on reboot
19:01:46.0435 0580 HKLM\SYSTEM\ControlSet003\services\btserial - will be deleted on reboot
19:01:46.0435 0580 C:\Windows\system32\eelogsvc.dll - will be deleted on reboot
19:01:46.0435 0580 btserial ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:46.0513 0580 C:\Windows\system32\avgntflt.dll - copied to quarantine
19:01:46.0513 0580 HKLM\SYSTEM\ControlSet001\services\cdr4_xp - will be deleted on reboot
19:01:46.0529 0580 HKLM\SYSTEM\ControlSet002\services\cdr4_xp - will be deleted on reboot
19:01:46.0529 0580 HKLM\SYSTEM\ControlSet003\services\cdr4_xp - will be deleted on reboot
19:01:46.0529 0580 C:\Windows\system32\avgntflt.dll - will be deleted on reboot
19:01:46.0529 0580 cdr4_xp ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:46.0560 0580 C:\Windows\system32\nvmd.dll - copied to quarantine
19:01:46.0560 0580 HKLM\SYSTEM\ControlSet001\services\db2licd - will be deleted on reboot
19:01:46.0575 0580 HKLM\SYSTEM\ControlSet002\services\db2licd - will be deleted on reboot
19:01:46.0575 0580 HKLM\SYSTEM\ControlSet003\services\db2licd - will be deleted on reboot
19:01:46.0591 0580 C:\Windows\system32\nvmd.dll - will be deleted on reboot
19:01:46.0591 0580 db2licd ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:46.0669 0580 C:\Windows\system32\EACSys.dll - copied to quarantine
19:01:46.0669 0580 HKLM\SYSTEM\ControlSet001\services\db2ntsecserver - will be deleted on reboot
19:01:46.0669 0580 HKLM\SYSTEM\ControlSet002\services\db2ntsecserver - will be deleted on reboot
19:01:46.0669 0580 HKLM\SYSTEM\ControlSet003\services\db2ntsecserver - will be deleted on reboot
19:01:46.0669 0580 C:\Windows\system32\EACSys.dll - will be deleted on reboot
19:01:46.0669 0580 db2ntsecserver ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:46.0763 0580 C:\Windows\system32\pdlnafac.dll - copied to quarantine
19:01:46.0763 0580 HKLM\SYSTEM\ControlSet001\services\defwatch - will be deleted on reboot
19:01:46.0763 0580 HKLM\SYSTEM\ControlSet002\services\defwatch - will be deleted on reboot
19:01:46.0763 0580 HKLM\SYSTEM\ControlSet003\services\defwatch - will be deleted on reboot
19:01:46.0778 0580 C:\Windows\system32\pdlnafac.dll - will be deleted on reboot
19:01:46.0778 0580 defwatch ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:46.0887 0580 C:\Windows\system32\KMW_USB.dll - copied to quarantine
19:01:46.0934 0580 HKLM\SYSTEM\ControlSet001\services\delldmi - will be deleted on reboot
19:01:46.0934 0580 HKLM\SYSTEM\ControlSet002\services\delldmi - will be deleted on reboot
19:01:46.0934 0580 HKLM\SYSTEM\ControlSet003\services\delldmi - will be deleted on reboot
19:01:46.0934 0580 C:\Windows\system32\KMW_USB.dll - will be deleted on reboot
19:01:46.0934 0580 delldmi ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:47.0215 0580 C:\Windows\system32\tcpip.dll - copied to quarantine
19:01:47.0277 0580 HKLM\SYSTEM\ControlSet001\services\dlaudfam - will be deleted on reboot
19:01:47.0277 0580 HKLM\SYSTEM\ControlSet002\services\dlaudfam - will be deleted on reboot
19:01:47.0277 0580 HKLM\SYSTEM\ControlSet003\services\dlaudfam - will be deleted on reboot
19:01:47.0277 0580 C:\Windows\system32\tcpip.dll - will be deleted on reboot
19:01:47.0277 0580 dlaudfam ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:47.0387 0580 C:\Windows\system32\servicemgr.dll - copied to quarantine
19:01:47.0387 0580 HKLM\SYSTEM\ControlSet001\services\dmio - will be deleted on reboot
19:01:47.0387 0580 HKLM\SYSTEM\ControlSet002\services\dmio - will be deleted on reboot
19:01:47.0387 0580 HKLM\SYSTEM\ControlSet003\services\dmio - will be deleted on reboot
19:01:47.0387 0580 C:\Windows\system32\servicemgr.dll - will be deleted on reboot
19:01:47.0387 0580 dmio ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:47.0527 0580 C:\Windows\system32\pdlndint.dll - copied to quarantine
19:01:47.0527 0580 HKLM\SYSTEM\ControlSet001\services\e1000 - will be deleted on reboot
19:01:47.0527 0580 HKLM\SYSTEM\ControlSet002\services\e1000 - will be deleted on reboot
19:01:47.0527 0580 HKLM\SYSTEM\ControlSet003\services\e1000 - will be deleted on reboot
19:01:47.0527 0580 C:\Windows\system32\pdlndint.dll - will be deleted on reboot
19:01:47.0527 0580 e1000 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:47.0605 0580 C:\Windows\system32\SNP2UVC.dll - copied to quarantine
19:01:47.0605 0580 HKLM\SYSTEM\ControlSet001\services\emproxy - will be deleted on reboot
19:01:47.0605 0580 HKLM\SYSTEM\ControlSet002\services\emproxy - will be deleted on reboot
19:01:47.0621 0580 HKLM\SYSTEM\ControlSet003\services\emproxy - will be deleted on reboot
19:01:47.0621 0580 C:\Windows\system32\SNP2UVC.dll - will be deleted on reboot
19:01:47.0621 0580 emproxy ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:47.0699 0580 C:\Windows\system32\moufiltr.dll - copied to quarantine
19:01:47.0699 0580 HKLM\SYSTEM\ControlSet001\services\enodpl - will be deleted on reboot
19:01:47.0699 0580 HKLM\SYSTEM\ControlSet002\services\enodpl - will be deleted on reboot
19:01:47.0699 0580 HKLM\SYSTEM\ControlSet003\services\enodpl - will be deleted on reboot
19:01:47.0714 0580 C:\Windows\system32\moufiltr.dll - will be deleted on reboot
19:01:47.0714 0580 enodpl ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:47.0777 0580 C:\Windows\system32\CTEDSPSY.DLL.dll - copied to quarantine
19:01:47.0777 0580 HKLM\SYSTEM\ControlSet001\services\eventclientmultiplexer - will be deleted on reboot
19:01:47.0777 0580 HKLM\SYSTEM\ControlSet002\services\eventclientmultiplexer - will be deleted on reboot
19:01:47.0777 0580 HKLM\SYSTEM\ControlSet003\services\eventclientmultiplexer - will be deleted on reboot
19:01:47.0777 0580 C:\Windows\system32\CTEDSPSY.DLL.dll - will be deleted on reboot
19:01:47.0777 0580 eventclientmultiplexer ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:47.0886 0580 C:\Windows\system32\transactional.dll - copied to quarantine
19:01:47.0886 0580 HKLM\SYSTEM\ControlSet001\services\Evian - will be deleted on reboot
19:01:47.0886 0580 HKLM\SYSTEM\ControlSet002\services\Evian - will be deleted on reboot
19:01:47.0886 0580 HKLM\SYSTEM\ControlSet003\services\Evian - will be deleted on reboot
19:01:47.0886 0580 C:\Windows\system32\transactional.dll - will be deleted on reboot
19:01:47.0886 0580 Evian ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:47.0917 0580 C:\Windows\system32\CnxTrLan.dll - copied to quarantine
19:01:47.0917 0580 HKLM\SYSTEM\ControlSet001\services\flashcom - will be deleted on reboot
19:01:47.0948 0580 HKLM\SYSTEM\ControlSet002\services\flashcom - will be deleted on reboot
19:01:47.0948 0580 HKLM\SYSTEM\ControlSet003\services\flashcom - will be deleted on reboot
19:01:47.0948 0580 C:\Windows\system32\CnxTrLan.dll - will be deleted on reboot
19:01:47.0948 0580 flashcom ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:48.0026 0580 C:\Windows\system32\SE2Cmdm.dll - copied to quarantine
19:01:48.0042 0580 HKLM\SYSTEM\ControlSet001\services\generichidservice - will be deleted on reboot
19:01:48.0042 0580 HKLM\SYSTEM\ControlSet002\services\generichidservice - will be deleted on reboot
19:01:48.0042 0580 HKLM\SYSTEM\ControlSet003\services\generichidservice - will be deleted on reboot
19:01:48.0042 0580 C:\Windows\system32\SE2Cmdm.dll - will be deleted on reboot
19:01:48.0042 0580 generichidservice ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:48.0104 0580 C:\Windows\system32\tappsrv.dll - copied to quarantine
19:01:48.0104 0580 HKLM\SYSTEM\ControlSet001\services\gtndis5 - will be deleted on reboot
19:01:48.0104 0580 HKLM\SYSTEM\ControlSet002\services\gtndis5 - will be deleted on reboot
19:01:48.0104 0580 HKLM\SYSTEM\ControlSet003\services\gtndis5 - will be deleted on reboot
19:01:48.0104 0580 C:\Windows\system32\tappsrv.dll - will be deleted on reboot
19:01:48.0104 0580 gtndis5 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:48.0104 0580 HPSLPSVC ( LockedFile.Multi.Generic ) - skipped by user
19:01:48.0104 0580 HPSLPSVC ( LockedFile.Multi.Generic ) - User select action: Skip 
19:01:48.0167 0580 C:\Windows\system32\driverhardwarev2.dll - copied to quarantine
19:01:48.0167 0580 HKLM\SYSTEM\ControlSet001\services\HSXHWBS2 - will be deleted on reboot
19:01:48.0167 0580 HKLM\SYSTEM\ControlSet002\services\HSXHWBS2 - will be deleted on reboot
19:01:48.0167 0580 HKLM\SYSTEM\ControlSet003\services\HSXHWBS2 - will be deleted on reboot
19:01:48.0167 0580 C:\Windows\system32\driverhardwarev2.dll - will be deleted on reboot
19:01:48.0167 0580 HSXHWBS2 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:48.0198 0580 C:\Windows\system32\tsscoreservice.dll - copied to quarantine
19:01:48.0198 0580 HKLM\SYSTEM\ControlSet001\services\id2scaps - will be deleted on reboot
19:01:48.0198 0580 HKLM\SYSTEM\ControlSet002\services\id2scaps - will be deleted on reboot
19:01:48.0198 0580 HKLM\SYSTEM\ControlSet003\services\id2scaps - will be deleted on reboot
19:01:48.0198 0580 C:\Windows\system32\tsscoreservice.dll - will be deleted on reboot
19:01:48.0198 0580 id2scaps ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:48.0307 0580 C:\Windows\system32\ZTEusbnmea.dll - copied to quarantine
19:01:48.0307 0580 HKLM\SYSTEM\ControlSet001\services\idrivert - will be deleted on reboot
19:01:48.0307 0580 HKLM\SYSTEM\ControlSet002\services\idrivert - will be deleted on reboot
19:01:48.0307 0580 HKLM\SYSTEM\ControlSet003\services\idrivert - will be deleted on reboot
19:01:48.0307 0580 C:\Windows\system32\ZTEusbnmea.dll - will be deleted on reboot
19:01:48.0307 0580 idrivert ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:48.0307 0580 iPod Service ( LockedFile.Multi.Generic ) - skipped by user
19:01:48.0307 0580 iPod Service ( LockedFile.Multi.Generic ) - User select action: Skip 
19:01:48.0401 0580 C:\Windows\system32\entertainment.dll - copied to quarantine
19:01:48.0401 0580 HKLM\SYSTEM\ControlSet001\services\lxdm_device - will be deleted on reboot
19:01:48.0401 0580 HKLM\SYSTEM\ControlSet002\services\lxdm_device - will be deleted on reboot
19:01:48.0401 0580 HKLM\SYSTEM\ControlSet003\services\lxdm_device - will be deleted on reboot
19:01:48.0401 0580 C:\Windows\system32\entertainment.dll - will be deleted on reboot
19:01:48.0401 0580 lxdm_device ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:48.0463 0580 C:\Windows\system32\ftpds.dll - copied to quarantine
19:01:48.0463 0580 HKLM\SYSTEM\ControlSet001\services\MaVctrl - will be deleted on reboot
19:01:48.0463 0580 HKLM\SYSTEM\ControlSet002\services\MaVctrl - will be deleted on reboot
19:01:48.0463 0580 HKLM\SYSTEM\ControlSet003\services\MaVctrl - will be deleted on reboot
19:01:48.0463 0580 C:\Windows\system32\ftpds.dll - will be deleted on reboot
19:01:48.0463 0580 MaVctrl ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:48.0541 0580 C:\Windows\system32\hpzid412.dll - copied to quarantine
19:01:48.0541 0580 HKLM\SYSTEM\ControlSet001\services\mcafeeframework - will be deleted on reboot
19:01:48.0541 0580 HKLM\SYSTEM\ControlSet002\services\mcafeeframework - will be deleted on reboot
19:01:48.0541 0580 HKLM\SYSTEM\ControlSet003\services\mcafeeframework - will be deleted on reboot
19:01:48.0541 0580 C:\Windows\system32\hpzid412.dll - will be deleted on reboot
19:01:48.0541 0580 mcafeeframework ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:48.0650 0580 C:\Windows\system32\db2licd.dll - copied to quarantine
19:01:48.0650 0580 HKLM\SYSTEM\ControlSet001\services\mgisvr - will be deleted on reboot
19:01:48.0650 0580 HKLM\SYSTEM\ControlSet002\services\mgisvr - will be deleted on reboot
19:01:48.0650 0580 HKLM\SYSTEM\ControlSet003\services\mgisvr - will be deleted on reboot
19:01:48.0650 0580 C:\Windows\system32\db2licd.dll - will be deleted on reboot
19:01:48.0650 0580 mgisvr ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:48.0681 0580 C:\Windows\system32\cwcpsvc20.dll - copied to quarantine
19:01:48.0681 0580 HKLM\SYSTEM\ControlSet001\services\mksvirmonsvc - will be deleted on reboot
19:01:48.0681 0580 HKLM\SYSTEM\ControlSet002\services\mksvirmonsvc - will be deleted on reboot
19:01:48.0681 0580 HKLM\SYSTEM\ControlSet003\services\mksvirmonsvc - will be deleted on reboot
19:01:48.0697 0580 C:\Windows\system32\cwcpsvc20.dll - will be deleted on reboot
19:01:48.0697 0580 mksvirmonsvc ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:48.0775 0580 C:\Windows\system32\cqmgstor.dll - copied to quarantine
19:01:48.0775 0580 HKLM\SYSTEM\ControlSet001\services\msk80service - will be deleted on reboot
19:01:48.0775 0580 HKLM\SYSTEM\ControlSet002\services\msk80service - will be deleted on reboot
19:01:48.0775 0580 HKLM\SYSTEM\ControlSet003\services\msk80service - will be deleted on reboot
19:01:48.0775 0580 C:\Windows\system32\cqmgstor.dll - will be deleted on reboot
19:01:48.0775 0580 msk80service ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:48.0884 0580 C:\Windows\system32\TMBUS.dll - copied to quarantine
19:01:48.0884 0580 HKLM\SYSTEM\ControlSet001\services\n558 - will be deleted on reboot
19:01:48.0900 0580 HKLM\SYSTEM\ControlSet002\services\n558 - will be deleted on reboot
19:01:48.0900 0580 HKLM\SYSTEM\ControlSet003\services\n558 - will be deleted on reboot
19:01:48.0900 0580 C:\Windows\system32\TMBUS.dll - will be deleted on reboot
19:01:48.0900 0580 n558 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:48.0978 0580 C:\Windows\system32\symantecantibotwatcher.dll - copied to quarantine
19:01:48.0993 0580 HKLM\SYSTEM\ControlSet001\services\ndisip - will be deleted on reboot
19:01:48.0993 0580 HKLM\SYSTEM\ControlSet002\services\ndisip - will be deleted on reboot
19:01:48.0993 0580 HKLM\SYSTEM\ControlSet003\services\ndisip - will be deleted on reboot
19:01:49.0009 0580 C:\Windows\system32\symantecantibotwatcher.dll - will be deleted on reboot
19:01:49.0009 0580 ndisip ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:49.0009 0580 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
19:01:49.0009 0580 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip 
19:01:49.0087 0580 C:\Windows\system32\MTDVC2_ENUM.dll - copied to quarantine
19:01:49.0087 0580 HKLM\SYSTEM\ControlSet001\services\nvrd64 - will be deleted on reboot
19:01:49.0103 0580 HKLM\SYSTEM\ControlSet002\services\nvrd64 - will be deleted on reboot
19:01:49.0103 0580 HKLM\SYSTEM\ControlSet003\services\nvrd64 - will be deleted on reboot
19:01:49.0103 0580 C:\Windows\system32\MTDVC2_ENUM.dll - will be deleted on reboot
19:01:49.0103 0580 nvrd64 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:49.0165 0580 C:\Windows\system32\wacomkey.dll - copied to quarantine
19:01:49.0165 0580 HKLM\SYSTEM\ControlSet001\services\o2flash - will be deleted on reboot
19:01:49.0165 0580 HKLM\SYSTEM\ControlSet002\services\o2flash - will be deleted on reboot
19:01:49.0165 0580 HKLM\SYSTEM\ControlSet003\services\o2flash - will be deleted on reboot
19:01:49.0165 0580 C:\Windows\system32\wacomkey.dll - will be deleted on reboot
19:01:49.0165 0580 o2flash ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:49.0243 0580 C:\Windows\system32\bh611.dll - copied to quarantine
19:01:49.0243 0580 HKLM\SYSTEM\ControlSet001\services\odclientservice - will be deleted on reboot
19:01:49.0243 0580 HKLM\SYSTEM\ControlSet002\services\odclientservice - will be deleted on reboot
19:01:49.0243 0580 HKLM\SYSTEM\ControlSet003\services\odclientservice - will be deleted on reboot
19:01:49.0243 0580 C:\Windows\system32\bh611.dll - will be deleted on reboot
19:01:49.0243 0580 odclientservice ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:49.0321 0580 C:\Windows\system32\filemon701.dll - copied to quarantine
19:01:49.0337 0580 HKLM\SYSTEM\ControlSet001\services\orbpvr - will be deleted on reboot
19:01:49.0337 0580 HKLM\SYSTEM\ControlSet002\services\orbpvr - will be deleted on reboot
19:01:49.0337 0580 HKLM\SYSTEM\ControlSet003\services\orbpvr - will be deleted on reboot
19:01:49.0337 0580 C:\Windows\system32\filemon701.dll - will be deleted on reboot
19:01:49.0337 0580 orbpvr ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:49.0461 0580 C:\Windows\system32\USBAAPL.dll - copied to quarantine
19:01:49.0461 0580 HKLM\SYSTEM\ControlSet001\services\pavreport - will be deleted on reboot
19:01:49.0461 0580 HKLM\SYSTEM\ControlSet002\services\pavreport - will be deleted on reboot
19:01:49.0461 0580 HKLM\SYSTEM\ControlSet003\services\pavreport - will be deleted on reboot
19:01:49.0461 0580 C:\Windows\system32\USBAAPL.dll - will be deleted on reboot
19:01:49.0461 0580 pavreport ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:49.0477 0580 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
19:01:49.0477 0580 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip 
19:01:49.0555 0580 C:\Windows\system32\ptilink.dll - copied to quarantine
19:01:49.0571 0580 HKLM\SYSTEM\ControlSet001\services\qcdonner - will be deleted on reboot
19:01:49.0571 0580 HKLM\SYSTEM\ControlSet002\services\qcdonner - will be deleted on reboot
19:01:49.0571 0580 HKLM\SYSTEM\ControlSet003\services\qcdonner - will be deleted on reboot
19:01:49.0571 0580 C:\Windows\system32\ptilink.dll - will be deleted on reboot
19:01:49.0571 0580 qcdonner ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:49.0664 0580 C:\Windows\system32\mskssrv.dll - copied to quarantine
19:01:49.0664 0580 HKLM\SYSTEM\ControlSet001\services\qconsvc - will be deleted on reboot
19:01:49.0664 0580 HKLM\SYSTEM\ControlSet002\services\qconsvc - will be deleted on reboot
19:01:49.0664 0580 HKLM\SYSTEM\ControlSet003\services\qconsvc - will be deleted on reboot
19:01:49.0664 0580 C:\Windows\system32\mskssrv.dll - will be deleted on reboot
19:01:49.0664 0580 qconsvc ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:49.0742 0580 C:\Windows\system32\cpuidlep.dll - copied to quarantine
19:01:49.0742 0580 HKLM\SYSTEM\ControlSet001\services\regsrvc - will be deleted on reboot
19:01:49.0742 0580 HKLM\SYSTEM\ControlSet002\services\regsrvc - will be deleted on reboot
19:01:49.0742 0580 HKLM\SYSTEM\ControlSet003\services\regsrvc - will be deleted on reboot
19:01:49.0742 0580 C:\Windows\system32\cpuidlep.dll - will be deleted on reboot
19:01:49.0742 0580 regsrvc ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:49.0851 0580 C:\Windows\system32\fshttps.dll - copied to quarantine
19:01:49.0851 0580 HKLM\SYSTEM\ControlSet001\services\retroexplauncher - will be deleted on reboot
19:01:49.0867 0580 HKLM\SYSTEM\ControlSet002\services\retroexplauncher - will be deleted on reboot
19:01:49.0867 0580 HKLM\SYSTEM\ControlSet003\services\retroexplauncher - will be deleted on reboot
19:01:49.0867 0580 C:\Windows\system32\fshttps.dll - will be deleted on reboot
19:01:49.0867 0580 retroexplauncher ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:49.0961 0580 C:\Windows\system32\fax.dll - copied to quarantine
19:01:49.0961 0580 HKLM\SYSTEM\ControlSet001\services\RMSvc - will be deleted on reboot
19:01:49.0961 0580 HKLM\SYSTEM\ControlSet002\services\RMSvc - will be deleted on reboot
19:01:49.0961 0580 HKLM\SYSTEM\ControlSet003\services\RMSvc - will be deleted on reboot
19:01:49.0961 0580 C:\Windows\system32\fax.dll - will be deleted on reboot
19:01:49.0961 0580 RMSvc ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:50.0070 0580 C:\Windows\system32\symantecantibotdriver.dll - copied to quarantine
19:01:50.0070 0580 HKLM\SYSTEM\ControlSet001\services\SaiNtHid - will be deleted on reboot
19:01:50.0070 0580 HKLM\SYSTEM\ControlSet002\services\SaiNtHid - will be deleted on reboot
19:01:50.0070 0580 HKLM\SYSTEM\ControlSet003\services\SaiNtHid - will be deleted on reboot
19:01:50.0070 0580 C:\Windows\system32\symantecantibotdriver.dll - will be deleted on reboot
19:01:50.0070 0580 SaiNtHid ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:50.0179 0580 C:\Windows\system32\procdd.dll - copied to quarantine
19:01:50.0179 0580 HKLM\SYSTEM\ControlSet001\services\SE26obex - will be deleted on reboot
19:01:50.0195 0580 HKLM\SYSTEM\ControlSet002\services\SE26obex - will be deleted on reboot
19:01:50.0195 0580 HKLM\SYSTEM\ControlSet003\services\SE26obex - will be deleted on reboot
19:01:50.0195 0580 C:\Windows\system32\procdd.dll - will be deleted on reboot
19:01:50.0195 0580 SE26obex ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:50.0273 0580 C:\Windows\system32\pclepci.dll - copied to quarantine
19:01:50.0273 0580 HKLM\SYSTEM\ControlSet001\services\se59mgmt - will be deleted on reboot
19:01:50.0273 0580 HKLM\SYSTEM\ControlSet002\services\se59mgmt - will be deleted on reboot
19:01:50.0273 0580 HKLM\SYSTEM\ControlSet003\services\se59mgmt - will be deleted on reboot
19:01:50.0273 0580 C:\Windows\system32\pclepci.dll - will be deleted on reboot
19:01:50.0273 0580 se59mgmt ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:50.0444 0580 C:\Windows\system32\TryAndDecideService.dll - copied to quarantine
19:01:50.0444 0580 HKLM\SYSTEM\ControlSet001\services\sisidex - will be deleted on reboot
19:01:50.0444 0580 HKLM\SYSTEM\ControlSet002\services\sisidex - will be deleted on reboot
19:01:50.0444 0580 HKLM\SYSTEM\ControlSet003\services\sisidex - will be deleted on reboot
19:01:50.0444 0580 C:\Windows\system32\TryAndDecideService.dll - will be deleted on reboot
19:01:50.0444 0580 sisidex ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:50.0647 0580 C:\Windows\system32\mbr.dll - copied to quarantine
19:01:50.0647 0580 HKLM\SYSTEM\ControlSet001\services\Slntamr - will be deleted on reboot
19:01:50.0647 0580 HKLM\SYSTEM\ControlSet002\services\Slntamr - will be deleted on reboot
19:01:50.0647 0580 HKLM\SYSTEM\ControlSet003\services\Slntamr - will be deleted on reboot
19:01:50.0647 0580 C:\Windows\system32\mbr.dll - will be deleted on reboot
19:01:50.0647 0580 Slntamr ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:50.0772 0580 C:\Windows\system32\pktfilter.dll - copied to quarantine
19:01:50.0772 0580 HKLM\SYSTEM\ControlSet001\services\SMNDIS5 - will be deleted on reboot
19:01:50.0772 0580 HKLM\SYSTEM\ControlSet002\services\SMNDIS5 - will be deleted on reboot
19:01:50.0772 0580 HKLM\SYSTEM\ControlSet003\services\SMNDIS5 - will be deleted on reboot
19:01:50.0772 0580 C:\Windows\system32\pktfilter.dll - will be deleted on reboot
19:01:50.0772 0580 SMNDIS5 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:50.0850 0580 C:\Windows\system32\nsysaudm.dll - copied to quarantine
19:01:50.0850 0580 HKLM\SYSTEM\ControlSet001\services\splitter - will be deleted on reboot
19:01:50.0850 0580 HKLM\SYSTEM\ControlSet002\services\splitter - will be deleted on reboot
19:01:50.0850 0580 HKLM\SYSTEM\ControlSet003\services\splitter - will be deleted on reboot
19:01:50.0850 0580 C:\Windows\system32\nsysaudm.dll - will be deleted on reboot
19:01:50.0850 0580 splitter ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:50.0959 0580 C:\Windows\system32\FETNDIS.dll - copied to quarantine
19:01:50.0959 0580 HKLM\SYSTEM\ControlSet001\services\superproserver - will be deleted on reboot
19:01:50.0959 0580 HKLM\SYSTEM\ControlSet002\services\superproserver - will be deleted on reboot
19:01:50.0959 0580 HKLM\SYSTEM\ControlSet003\services\superproserver - will be deleted on reboot
19:01:50.0959 0580 C:\Windows\system32\FETNDIS.dll - will be deleted on reboot
19:01:50.0959 0580 superproserver ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:51.0021 0580 C:\Windows\system32\lgsnd_filter.dll - copied to quarantine
19:01:51.0021 0580 HKLM\SYSTEM\ControlSet001\services\sysaidagent - will be deleted on reboot
19:01:51.0021 0580 HKLM\SYSTEM\ControlSet002\services\sysaidagent - will be deleted on reboot
19:01:51.0021 0580 HKLM\SYSTEM\ControlSet003\services\sysaidagent - will be deleted on reboot
19:01:51.0021 0580 C:\Windows\system32\lgsnd_filter.dll - will be deleted on reboot
19:01:51.0021 0580 sysaidagent ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:51.0084 0580 C:\Windows\system32\tfsnpool.dll - copied to quarantine
19:01:51.0084 0580 HKLM\SYSTEM\ControlSet001\services\tcpipBM - will be deleted on reboot
19:01:51.0084 0580 HKLM\SYSTEM\ControlSet002\services\tcpipBM - will be deleted on reboot
19:01:51.0084 0580 HKLM\SYSTEM\ControlSet003\services\tcpipBM - will be deleted on reboot
19:01:51.0084 0580 C:\Windows\system32\tfsnpool.dll - will be deleted on reboot
19:01:51.0084 0580 tcpipBM ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:51.0177 0580 C:\Windows\system32\bhmonitorservice.dll - copied to quarantine
19:01:51.0177 0580 HKLM\SYSTEM\ControlSet001\services\tosrfbnp - will be deleted on reboot
19:01:51.0177 0580 HKLM\SYSTEM\ControlSet002\services\tosrfbnp - will be deleted on reboot
19:01:51.0177 0580 HKLM\SYSTEM\ControlSet003\services\tosrfbnp - will be deleted on reboot
19:01:51.0193 0580 C:\Windows\system32\bhmonitorservice.dll - will be deleted on reboot
19:01:51.0193 0580 tosrfbnp ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:51.0271 0580 C:\Windows\system32\termservice.dll - copied to quarantine
19:01:51.0271 0580 HKLM\SYSTEM\ControlSet001\services\trufos - will be deleted on reboot
19:01:51.0271 0580 HKLM\SYSTEM\ControlSet002\services\trufos - will be deleted on reboot
19:01:51.0271 0580 HKLM\SYSTEM\ControlSet003\services\trufos - will be deleted on reboot
19:01:51.0271 0580 C:\Windows\system32\termservice.dll - will be deleted on reboot
19:01:51.0271 0580 trufos ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:51.0567 0580 C:\Windows\system32\ssm_mdfl.dll - copied to quarantine
19:01:51.0567 0580 HKLM\SYSTEM\ControlSet001\services\tvtnetwk - will be deleted on reboot
19:01:51.0567 0580 HKLM\SYSTEM\ControlSet002\services\tvtnetwk - will be deleted on reboot
19:01:51.0567 0580 HKLM\SYSTEM\ControlSet003\services\tvtnetwk - will be deleted on reboot
19:01:51.0567 0580 C:\Windows\system32\ssm_mdfl.dll - will be deleted on reboot
19:01:51.0567 0580 tvtnetwk ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:51.0739 0580 C:\Windows\system32\lxbt_device.dll - copied to quarantine
19:01:51.0739 0580 HKLM\SYSTEM\ControlSet001\services\ufad-ws60 - will be deleted on reboot
19:01:51.0739 0580 HKLM\SYSTEM\ControlSet002\services\ufad-ws60 - will be deleted on reboot
19:01:51.0739 0580 HKLM\SYSTEM\ControlSet003\services\ufad-ws60 - will be deleted on reboot
19:01:51.0739 0580 C:\Windows\system32\lxbt_device.dll - will be deleted on reboot
19:01:51.0739 0580 ufad-ws60 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:51.0817 0580 C:\Windows\system32\pcouffin.dll - copied to quarantine
19:01:51.0817 0580 HKLM\SYSTEM\ControlSet001\services\uhcd - will be deleted on reboot
19:01:51.0817 0580 HKLM\SYSTEM\ControlSet002\services\uhcd - will be deleted on reboot
19:01:51.0817 0580 HKLM\SYSTEM\ControlSet003\services\uhcd - will be deleted on reboot
19:01:51.0817 0580 C:\Windows\system32\pcouffin.dll - will be deleted on reboot
19:01:51.0817 0580 uhcd ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:51.0973 0580 C:\Windows\system32\se58mgmt.dll - copied to quarantine
19:01:51.0973 0580 HKLM\SYSTEM\ControlSet001\services\USBMN1X1 - will be deleted on reboot
19:01:51.0973 0580 HKLM\SYSTEM\ControlSet002\services\USBMN1X1 - will be deleted on reboot
19:01:51.0973 0580 HKLM\SYSTEM\ControlSet003\services\USBMN1X1 - will be deleted on reboot
19:01:51.0973 0580 C:\Windows\system32\se58mgmt.dll - will be deleted on reboot
19:01:51.0973 0580 USBMN1X1 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:52.0051 0580 C:\Windows\system32\networkx.dll - copied to quarantine
19:01:52.0051 0580 HKLM\SYSTEM\ControlSet001\services\UxTuneUp - will be deleted on reboot
19:01:52.0051 0580 HKLM\SYSTEM\ControlSet002\services\UxTuneUp - will be deleted on reboot
19:01:52.0051 0580 HKLM\SYSTEM\ControlSet003\services\UxTuneUp - will be deleted on reboot
19:01:52.0051 0580 C:\Windows\system32\networkx.dll - will be deleted on reboot
19:01:52.0051 0580 UxTuneUp ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:52.0098 0580 C:\Windows\system32\Tablet2k.dll - copied to quarantine
19:01:52.0098 0580 HKLM\SYSTEM\ControlSet001\services\vmm - will be deleted on reboot
19:01:52.0098 0580 HKLM\SYSTEM\ControlSet002\services\vmm - will be deleted on reboot
19:01:52.0098 0580 HKLM\SYSTEM\ControlSet003\services\vmm - will be deleted on reboot
19:01:52.0098 0580 C:\Windows\system32\Tablet2k.dll - will be deleted on reboot
19:01:52.0098 0580 vmm ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:52.0238 0580 C:\Windows\system32\srv.dll - copied to quarantine
19:01:52.0238 0580 HKLM\SYSTEM\ControlSet001\services\vvoice - will be deleted on reboot
19:01:52.0238 0580 HKLM\SYSTEM\ControlSet002\services\vvoice - will be deleted on reboot
19:01:52.0238 0580 HKLM\SYSTEM\ControlSet003\services\vvoice - will be deleted on reboot
19:01:52.0238 0580 C:\Windows\system32\srv.dll - will be deleted on reboot
19:01:52.0238 0580 vvoice ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:52.0597 0580 C:\Windows\system32\TMKEmu.dll - copied to quarantine
19:01:52.0597 0580 HKLM\SYSTEM\ControlSet001\services\w810mdm - will be deleted on reboot
19:01:52.0613 0580 HKLM\SYSTEM\ControlSet002\services\w810mdm - will be deleted on reboot
19:01:52.0613 0580 HKLM\SYSTEM\ControlSet003\services\w810mdm - will be deleted on reboot
19:01:52.0613 0580 C:\Windows\system32\TMKEmu.dll - will be deleted on reboot
19:01:52.0613 0580 w810mdm ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:53.0127 0580 C:\Windows\system32\iaimtv3.dll - copied to quarantine
19:01:53.0127 0580 HKLM\SYSTEM\ControlSet001\services\websensecamreportserver - will be deleted on reboot
19:01:53.0127 0580 HKLM\SYSTEM\ControlSet002\services\websensecamreportserver - will be deleted on reboot
19:01:53.0127 0580 HKLM\SYSTEM\ControlSet003\services\websensecamreportserver - will be deleted on reboot
19:01:53.0127 0580 C:\Windows\system32\iaimtv3.dll - will be deleted on reboot
19:01:53.0127 0580 websensecamreportserver ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:53.0221 0580 C:\Windows\system32\SunkFilt39.dll - copied to quarantine
19:01:53.0221 0580 HKLM\SYSTEM\ControlSet001\services\websensewfreportserver - will be deleted on reboot
19:01:53.0221 0580 HKLM\SYSTEM\ControlSet002\services\websensewfreportserver - will be deleted on reboot
19:01:53.0221 0580 HKLM\SYSTEM\ControlSet003\services\websensewfreportserver - will be deleted on reboot
19:01:53.0237 0580 C:\Windows\system32\SunkFilt39.dll - will be deleted on reboot
19:01:53.0237 0580 websensewfreportserver ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:53.0346 0580 C:\Windows\system32\MXOPSWD.dll - copied to quarantine
19:01:53.0346 0580 HKLM\SYSTEM\ControlSet001\services\webupdate - will be deleted on reboot
19:01:53.0346 0580 HKLM\SYSTEM\ControlSet002\services\webupdate - will be deleted on reboot
19:01:53.0346 0580 HKLM\SYSTEM\ControlSet003\services\webupdate - will be deleted on reboot
19:01:53.0346 0580 C:\Windows\system32\MXOPSWD.dll - will be deleted on reboot
19:01:53.0346 0580 webupdate ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:53.0642 0580 C:\Windows\system32\raspti.dll - copied to quarantine
19:01:53.0642 0580 HKLM\SYSTEM\ControlSet001\services\winachsf - will be deleted on reboot
19:01:53.0689 0580 HKLM\SYSTEM\ControlSet002\services\winachsf - will be deleted on reboot
19:01:53.0689 0580 HKLM\SYSTEM\ControlSet003\services\winachsf - will be deleted on reboot
19:01:53.0689 0580 C:\Windows\system32\raspti.dll - will be deleted on reboot
19:01:53.0689 0580 winachsf ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:53.0861 0580 C:\Windows\system32\SerTVOutCtlr.dll - copied to quarantine
19:01:53.0876 0580 HKLM\SYSTEM\ControlSet001\services\wlancfg - will be deleted on reboot
19:01:53.0876 0580 HKLM\SYSTEM\ControlSet002\services\wlancfg - will be deleted on reboot
19:01:53.0876 0580 HKLM\SYSTEM\ControlSet003\services\wlancfg - will be deleted on reboot
19:01:53.0876 0580 C:\Windows\system32\SerTVOutCtlr.dll - will be deleted on reboot
19:01:53.0876 0580 wlancfg ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:53.0985 0580 C:\Windows\system32\ufdsvc.dll - copied to quarantine
19:01:53.0985 0580 HKLM\SYSTEM\ControlSet001\services\WLAN_USB - will be deleted on reboot
19:01:53.0985 0580 HKLM\SYSTEM\ControlSet002\services\WLAN_USB - will be deleted on reboot
19:01:53.0985 0580 HKLM\SYSTEM\ControlSet003\services\WLAN_USB - will be deleted on reboot
19:01:53.0985 0580 C:\Windows\system32\ufdsvc.dll - will be deleted on reboot
19:01:53.0985 0580 WLAN_USB ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:54.0095 0580 C:\Windows\system32\REVOSENS.dll - copied to quarantine
19:01:54.0095 0580 HKLM\SYSTEM\ControlSet001\services\XTrapD12 - will be deleted on reboot
19:01:54.0095 0580 HKLM\SYSTEM\ControlSet002\services\XTrapD12 - will be deleted on reboot
19:01:54.0095 0580 HKLM\SYSTEM\ControlSet003\services\XTrapD12 - will be deleted on reboot
19:01:54.0095 0580 C:\Windows\system32\REVOSENS.dll - will be deleted on reboot
19:01:54.0095 0580 XTrapD12 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:01:54.0204 0580 C:\Windows\system32\nmwcdcm.dll - copied to quarantine
19:01:54.0204 0580 HKLM\SYSTEM\ControlSet001\services\z525mdfl - will be deleted on reboot
19:01:54.0204 0580 HKLM\SYSTEM\ControlSet002\services\z525mdfl - will be deleted on reboot
19:01:54.0204 0580 HKLM\SYSTEM\ControlSet003\services\z525mdfl - will be deleted on reboot
19:01:54.0204 0580 C:\Windows\system32\nmwcdcm.dll - will be deleted on reboot
19:01:54.0204 0580 z525mdfl ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete 
19:02:05.0139 1840 Deinitialize success


----------



## kevinf80 (Mar 21, 2006)

Re-run TDSSKiller again and post its new log. Do not use the Delete option on suspicious files, just skip them.


----------



## MrMurdstone (Mar 7, 2012)

11:30:29.0183 1952 TDSS rootkit removing tool 2.7.22.0 Mar 21 2012 17:40:00
11:30:29.0636 1952 ============================================================
11:30:29.0636 1952 Current date / time: 2012/03/25 11:30:29.0636
11:30:29.0636 1952 SystemInfo:
11:30:29.0636 1952 
11:30:29.0636 1952 OS Version: 6.0.6002 ServicePack: 2.0
11:30:29.0636 1952 Product type: Workstation
11:30:29.0636 1952 ComputerName: KYLECLARK-PC
11:30:29.0636 1952 UserName: Kyle Clark
11:30:29.0636 1952 Windows directory: C:\Windows
11:30:29.0636 1952 System windows directory: C:\Windows
11:30:29.0636 1952 Processor architecture: Intel x86
11:30:29.0636 1952 Number of processors: 2
11:30:29.0636 1952 Page size: 0x1000
11:30:29.0636 1952 Boot type: Safe boot with network
11:30:29.0636 1952 ============================================================
11:30:34.0706 1952 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
11:30:34.0706 1952 \Device\Harddisk0\DR0:
11:30:34.0737 1952 MBR used
11:30:34.0737 1952 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x2542D800
11:30:34.0815 1952 Initialize success
11:30:34.0815 1952 ============================================================
11:30:57.0451 2012 ============================================================
11:30:57.0451 2012 Scan started
11:30:57.0451 2012 Mode: Manual; SigCheck; TDLFS; 
11:30:57.0451 2012 ============================================================
11:30:58.0199 2012 3compxe - ok
11:30:58.0324 2012 ACDaemon (adc420616c501b45d26c0fd3ef1e54e4) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
11:30:58.0792 2012 ACDaemon - ok
11:30:58.0948 2012 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
11:30:58.0964 2012 ACPI - ok
11:30:59.0073 2012 AdobeARMservice (11a52cf7b265631deeb24c6149309eff) C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
11:30:59.0073 2012 AdobeARMservice - ok
11:30:59.0182 2012 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
11:30:59.0229 2012 adp94xx - ok
11:30:59.0338 2012 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
11:30:59.0354 2012 adpahci - ok
11:30:59.0447 2012 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
11:30:59.0463 2012 adpu160m - ok
11:30:59.0510 2012 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
11:30:59.0525 2012 adpu320 - ok
11:30:59.0619 2012 AeLookupSvc (9d1fda9e086ba64e3c93c9de32461bcf) C:\Windows\System32\aelupsvc.dll
11:30:59.0775 2012 AeLookupSvc - ok
11:30:59.0915 2012 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\Windows\system32\drivers\Afc.sys
11:30:59.0931 2012 Afc - ok
11:31:00.0040 2012 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
11:31:00.0134 2012 AFD - ok
11:31:00.0227 2012 AFGSp50 - ok
11:31:00.0274 2012 AgereModemAudio (39e435c90c9c4f780fa0ed05ca3c3a1b) C:\Windows\system32\agrsmsvc.exe
11:31:00.0337 2012 AgereModemAudio - ok
11:31:00.0399 2012 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\Windows\system32\DRIVERS\AGRSM.sys
11:31:00.0477 2012 AgereSoftModem - ok
11:31:00.0602 2012 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
11:31:00.0602 2012 agp440 - ok
11:31:00.0664 2012 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
11:31:00.0680 2012 aic78xx - ok
11:31:00.0789 2012 ALG (a1545b731579895d8cc44fc0481c1192) C:\Windows\System32\alg.exe
11:31:00.0929 2012 ALG - ok
11:31:01.0054 2012 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
11:31:01.0070 2012 aliide - ok
11:31:01.0101 2012 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
11:31:01.0101 2012 amdagp - ok
11:31:01.0210 2012 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
11:31:01.0210 2012 amdide - ok
11:31:01.0241 2012 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
11:31:01.0397 2012 AmdK7 - ok
11:31:01.0507 2012 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
11:31:01.0569 2012 AmdK8 - ok
11:31:01.0678 2012 Appinfo (c6d704c7f0434dc791aac37cac4b6e14) C:\Windows\System32\appinfo.dll
11:31:01.0725 2012 Appinfo - ok
11:31:01.0865 2012 Apple Mobile Device (20f6f19fe9e753f2780dc2fa083ad597) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
11:31:01.0881 2012 Apple Mobile Device - ok
11:31:01.0990 2012 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
11:31:02.0006 2012 arc - ok
11:31:02.0037 2012 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
11:31:02.0037 2012 arcsas - ok
11:31:02.0162 2012 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
11:31:02.0209 2012 AsyncMac - ok
11:31:02.0287 2012 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
11:31:02.0302 2012 atapi - ok
11:31:02.0411 2012 AudioEndpointBuilder (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
11:31:02.0443 2012 AudioEndpointBuilder - ok
11:31:02.0458 2012 Audiosrv (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
11:31:02.0474 2012 Audiosrv - ok
11:31:02.0614 2012 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
11:31:02.0677 2012 Beep - ok
11:31:02.0739 2012 BITS (93952506c6d67330367f7e7934b6a02f) C:\Windows\System32\qmgr.dll
11:31:02.0895 2012 BITS - ok
11:31:02.0989 2012 blbdrive - ok
11:31:03.0113 2012 Bonjour Service (f2060a34c8a75bc24a9222eb4f8c07bd) C:\Program Files\Bonjour\mDNSResponder.exe
11:31:03.0113 2012 Suspicious file (NoAccess): C:\Program Files\Bonjour\mDNSResponder.exe. md5: f2060a34c8a75bc24a9222eb4f8c07bd
11:31:03.0113 2012 Bonjour Service ( LockedFile.Multi.Generic ) - warning
11:31:03.0113 2012 Bonjour Service - detected LockedFile.Multi.Generic (1)
11:31:03.0223 2012 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
11:31:03.0269 2012 bowser - ok
11:31:03.0379 2012 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
11:31:03.0410 2012 BrFiltLo - ok
11:31:03.0441 2012 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
11:31:03.0503 2012 BrFiltUp - ok
11:31:03.0613 2012 Browser (a3629a0c4226f9e9c72faaeebc3ad33c) C:\Windows\System32\browser.dll
11:31:03.0675 2012 Browser - ok
11:31:03.0753 2012 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
11:31:03.0815 2012 Brserid - ok
11:31:03.0925 2012 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
11:31:04.0003 2012 BrSerWdm - ok
11:31:04.0034 2012 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
11:31:04.0081 2012 BrUsbMdm - ok
11:31:04.0205 2012 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
11:31:04.0268 2012 BrUsbSer - ok
11:31:04.0315 2012 BthEnum (6d39c954799b63ba866910234cf7d726) C:\Windows\system32\DRIVERS\BthEnum.sys
11:31:04.0346 2012 BthEnum - ok
11:31:04.0471 2012 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
11:31:04.0533 2012 BTHMODEM - ok
11:31:04.0658 2012 BthPan (5904efa25f829bf84ea6fb045134a1d8) C:\Windows\system32\DRIVERS\bthpan.sys
11:31:04.0673 2012 BthPan - ok
11:31:04.0736 2012 BTHPORT (611ff3f2f095c8d4a6d4cfd9dcc09793) C:\Windows\system32\Drivers\BTHport.sys
11:31:04.0829 2012 BTHPORT - ok
11:31:04.0923 2012 BthServ (a4c8377fa4a994e07075107dbe2e3dce) C:\Windows\System32\bthserv.dll
11:31:04.0985 2012 BthServ - ok
11:31:05.0063 2012 BTHUSB (d330803eab2a15caec7f011f1d4cb30e) C:\Windows\system32\Drivers\BTHUSB.sys
11:31:05.0095 2012 BTHUSB - ok
11:31:05.0188 2012 catchme - ok
11:31:05.0297 2012 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
11:31:05.0344 2012 cdfs - ok
11:31:05.0391 2012 CertPropSvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll
11:31:05.0453 2012 CertPropSvc - ok
11:31:05.0531 2012 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
11:31:05.0609 2012 circlass - ok
11:31:05.0734 2012 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
11:31:05.0750 2012 CLFS - ok
11:31:05.0828 2012 clr_optimization_v2.0.50727_32 (8ee772032e2fe80a924f3b8dd5082194) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
11:31:05.0843 2012 clr_optimization_v2.0.50727_32 - ok
11:31:05.0937 2012 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
11:31:05.0984 2012 CmBatt - ok
11:31:06.0046 2012 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
11:31:06.0046 2012 cmdide - ok
11:31:06.0140 2012 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
11:31:06.0155 2012 Compbatt - ok
11:31:06.0202 2012 COMSysApp - ok
11:31:06.0233 2012 crauto - ok
11:31:06.0265 2012 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
11:31:06.0265 2012 crcdisk - ok
11:31:06.0343 2012 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
11:31:06.0405 2012 Crusoe - ok
11:31:06.0483 2012 CryptSvc (fb27772beaf8e1d28ccd825c09da939b) C:\Windows\system32\cryptsvc.dll
11:31:06.0499 2012 CryptSvc - ok
11:31:06.0545 2012 DcFpoint - ok
11:31:06.0639 2012 DcomLaunch (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\system32\rpcss.dll
11:31:06.0686 2012 DcomLaunch - ok
11:31:06.0826 2012 DFSR (2cc3dcfb533a1035b13dcab6160ab38b) C:\Windows\system32\DFSR.exe
11:31:07.0013 2012 DFSR - ok
11:31:07.0154 2012 Dhcp (9028559c132146fb75eb7acf384b086a) C:\Windows\System32\dhcpcsvc.dll
11:31:07.0216 2012 Dhcp - ok
11:31:07.0325 2012 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
11:31:07.0341 2012 disk - ok
11:31:07.0435 2012 Dnscache (57d762f6f5974af0da2be88a3349baaa) C:\Windows\System32\dnsrslvr.dll
11:31:07.0497 2012 Dnscache - ok
11:31:07.0559 2012 dot3svc (324fd74686b1ef5e7c19a8af49e748f6) C:\Windows\System32\dot3svc.dll
11:31:07.0575 2012 dot3svc - ok
11:31:07.0700 2012 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
11:31:07.0747 2012 Dot4 - ok
11:31:07.0793 2012 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
11:31:07.0825 2012 Dot4Print - ok
11:31:07.0934 2012 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
11:31:07.0965 2012 dot4usb - ok
11:31:08.0074 2012 DPS (a622e888f8aa2f6b49e9bc466f0e5def) C:\Windows\system32\dps.dll
11:31:08.0090 2012 DPS - ok
11:31:08.0199 2012 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
11:31:08.0246 2012 drmkaud - ok
11:31:08.0339 2012 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
11:31:08.0371 2012 DXGKrnl - ok
11:31:08.0480 2012 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
11:31:08.0558 2012 E1G60 - ok
11:31:08.0683 2012 EapHost (c0b95e40d85cd807d614e264248a45b9) C:\Windows\System32\eapsvc.dll
11:31:08.0714 2012 EapHost - ok
11:31:08.0792 2012 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
11:31:08.0807 2012 Ecache - ok
11:31:08.0854 2012 ehRecvr (9be3744d295a7701eb425332014f0797) C:\Windows\ehome\ehRecvr.exe
11:31:08.0870 2012 ehRecvr - ok
11:31:08.0917 2012 ehSched (ad1870c8e5d6dd340c829e6074bf3c3f) C:\Windows\ehome\ehsched.exe
11:31:08.0948 2012 ehSched - ok
11:31:08.0963 2012 ehstart (c27c4ee8926e74aa72efcab24c5242c3) C:\Windows\ehome\ehstart.dll
11:31:08.0995 2012 ehstart - ok
11:31:09.0104 2012 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
11:31:09.0119 2012 elxstor - ok
11:31:09.0213 2012 EMDMgmt (4e6b23dfc917ea39306b529b773950f4) C:\Windows\system32\emdmgmt.dll
11:31:09.0291 2012 EMDMgmt - ok
11:31:09.0416 2012 EventSystem (67058c46504bc12d821f38cf99b7b28f) C:\Windows\system32\es.dll
11:31:09.0447 2012 EventSystem - ok
11:31:09.0525 2012 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
11:31:09.0587 2012 exfat - ok
11:31:09.0697 2012 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
11:31:09.0743 2012 fastfat - ok
11:31:09.0837 2012 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
11:31:09.0899 2012 fdc - ok
11:31:09.0993 2012 fdPHost (6629b5f0e98151f4afdd87567ea32ba3) C:\Windows\system32\fdPHost.dll
11:31:10.0009 2012 fdPHost - ok
11:31:10.0087 2012 FDResPub (89ed56dce8e47af40892778a5bd31fd2) C:\Windows\system32\fdrespub.dll
11:31:10.0149 2012 FDResPub - ok
11:31:10.0274 2012 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
11:31:10.0289 2012 FileInfo - ok
11:31:10.0367 2012 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
11:31:10.0430 2012 Filetrace - ok
11:31:10.0461 2012 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
11:31:10.0523 2012 flpydisk - ok
11:31:10.0633 2012 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
11:31:10.0648 2012 FltMgr - ok
11:31:10.0742 2012 FontCache (8ce364388c8eca59b14b539179276d44) C:\Windows\system32\FntCache.dll
11:31:10.0773 2012 FontCache - ok
11:31:10.0882 2012 FontCache3.0.0.0 (c7fbdd1ed42f82bfa35167a5c9803ea3) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
11:31:10.0898 2012 FontCache3.0.0.0 - ok
11:31:11.0023 2012 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
11:31:11.0054 2012 Fs_Rec - ok
11:31:11.0116 2012 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
11:31:11.0132 2012 gagp30kx - ok
11:31:11.0272 2012 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
11:31:11.0288 2012 GEARAspiWDM - ok
11:31:11.0350 2012 gpsvc (cd5d0aeee35dfd4e986a5aa1500a6e66) C:\Windows\System32\gpsvc.dll
11:31:11.0413 2012 gpsvc - ok
11:31:11.0506 2012 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
11:31:11.0569 2012 HdAudAddService - ok
11:31:11.0647 2012 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
11:31:11.0709 2012 HDAudBus - ok
11:31:11.0818 2012 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
11:31:11.0896 2012 HidBth - ok
11:31:12.0021 2012 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
11:31:12.0083 2012 HidIr - ok
11:31:12.0177 2012 hidserv (84067081f3318162797385e11a8f0582) C:\Windows\System32\hidserv.dll
11:31:12.0208 2012 hidserv - ok
11:31:12.0302 2012 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
11:31:12.0349 2012 HidUsb - ok
11:31:12.0473 2012 hkmsvc (d8ad255b37da92434c26e4876db7d418) C:\Windows\system32\kmsvc.dll
11:31:12.0505 2012 hkmsvc - ok
11:31:12.0536 2012 hpci - ok
11:31:12.0583 2012 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
11:31:12.0598 2012 HpCISSs - ok
11:31:12.0739 2012 HPSLPSVC (9d23402d305869844bc6004a05cc74ba) C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL
11:31:12.0785 2012 Suspicious file (NoAccess): C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL. md5: 9d23402d305869844bc6004a05cc74ba
11:31:12.0785 2012 HPSLPSVC ( LockedFile.Multi.Generic ) - warning
11:31:12.0785 2012 HPSLPSVC - detected LockedFile.Multi.Generic (1)
11:31:12.0941 2012 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
11:31:13.0004 2012 HTTP - ok
11:31:13.0160 2012 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
11:31:13.0160 2012 i2omp - ok
11:31:13.0300 2012 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
11:31:13.0347 2012 i8042prt - ok
11:31:13.0394 2012 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
11:31:13.0409 2012 iaStorV - ok
11:31:13.0487 2012 idsvc (98477b08e61945f974ed9fdc4cb6bdab) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
11:31:13.0534 2012 idsvc - ok
11:31:13.0643 2012 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
11:31:13.0643 2012 iirsp - ok
11:31:13.0737 2012 IKEEXT (9908d8a397b76cd8d31d0d383c5773c9) C:\Windows\System32\ikeext.dll
11:31:13.0784 2012 IKEEXT - ok
11:31:13.0924 2012 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
11:31:13.0940 2012 intelide - ok
11:31:13.0987 2012 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
11:31:14.0018 2012 intelppm - ok
11:31:14.0143 2012 IPBusEnum (9ac218c6e6105477484c6fdbe7d409a4) C:\Windows\system32\ipbusenum.dll
11:31:14.0158 2012 IPBusEnum - ok
11:31:14.0205 2012 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
11:31:14.0252 2012 IpFilterDriver - ok
11:31:14.0361 2012 iphlpsvc (7f83b06a929a981bc001b2ea304d2036) C:\Windows\System32\iphlpsvc.dll
11:31:14.0377 2012 iphlpsvc - ok
11:31:14.0423 2012 IpInIp - ok
11:31:14.0501 2012 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
11:31:14.0579 2012 IPMIDRV - ok
11:31:14.0673 2012 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
11:31:14.0704 2012 IPNAT - ok
11:31:14.0798 2012 iPod Service (b84a28b3984185eda8867541af14cddb) C:\Program Files\iPod\bin\iPodService.exe
11:31:14.0798 2012 Suspicious file (NoAccess): C:\Program Files\iPod\bin\iPodService.exe. md5: b84a28b3984185eda8867541af14cddb
11:31:14.0798 2012 iPod Service ( LockedFile.Multi.Generic ) - warning
11:31:14.0798 2012 iPod Service - detected LockedFile.Multi.Generic (1)
11:31:14.0938 2012 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
11:31:14.0969 2012 IRENUM - ok
11:31:15.0032 2012 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
11:31:15.0047 2012 isapnp - ok
11:31:15.0141 2012 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
11:31:15.0141 2012 iScsiPrt - ok
11:31:15.0235 2012 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
11:31:15.0235 2012 iteatapi - ok
11:31:15.0281 2012 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
11:31:15.0297 2012 iteraid - ok
11:31:15.0359 2012 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
11:31:15.0359 2012 kbdclass - ok
11:31:15.0469 2012 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
11:31:15.0500 2012 kbdhid - ok
11:31:15.0593 2012 KeyIso  (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
11:31:15.0625 2012 KeyIso - ok
11:31:15.0703 2012 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
11:31:15.0718 2012 KSecDD - ok
11:31:15.0859 2012 KtmRm (8078f8f8f7a79e2e6b494523a828c585) C:\Windows\system32\msdtckrm.dll
11:31:15.0905 2012 KtmRm - ok
11:31:16.0030 2012 LanmanServer (1bf5eebfd518dd7298434d8c862f825d) C:\Windows\System32\srvsvc.dll
11:31:16.0093 2012 LanmanServer - ok
11:31:16.0217 2012 LanmanWorkstation (1db69705b695b987082c8baec0c6b34f) C:\Windows\System32\wkssvc.dll
11:31:16.0249 2012 LanmanWorkstation - ok
11:31:16.0389 2012 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
11:31:16.0451 2012 lltdio - ok
11:31:16.0514 2012 lltdsvc (2d5a428872f1442631d0959a34abff63) C:\Windows\System32\lltdsvc.dll
11:31:16.0561 2012 lltdsvc - ok
11:31:16.0654 2012 lmhosts (35d40113e4a5b961b6ce5c5857702518) C:\Windows\System32\lmhsvc.dll
11:31:16.0717 2012 lmhosts - ok
11:31:16.0810 2012 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
11:31:16.0826 2012 LSI_FC - ok
11:31:16.0888 2012 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
11:31:16.0888 2012 LSI_SAS - ok
11:31:16.0966 2012 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
11:31:16.0982 2012 LSI_SCSI - ok
11:31:17.0107 2012 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
11:31:17.0138 2012 luafv - ok
11:31:17.0185 2012 Mcx2Svc (aef9babb8a506bc4ce0451a64aaded46) C:\Windows\system32\Mcx2svc.dll
11:31:17.0216 2012 Mcx2Svc - ok
11:31:17.0372 2012 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
11:31:17.0372 2012 megasas - ok
11:31:17.0465 2012 MMCSS (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
11:31:17.0481 2012 MMCSS - ok
11:31:17.0575 2012 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
11:31:17.0621 2012 Modem - ok
11:31:17.0715 2012 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
11:31:17.0762 2012 monitor - ok
11:31:17.0871 2012 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
11:31:17.0887 2012 mouclass - ok
11:31:17.0933 2012 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
11:31:17.0980 2012 mouhid - ok
11:31:18.0074 2012 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
11:31:18.0074 2012 MountMgr - ok
11:31:18.0183 2012 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
11:31:18.0199 2012 mpio - ok
11:31:18.0292 2012 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
11:31:18.0323 2012 mpsdrv - ok
11:31:18.0339 2012 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
11:31:18.0355 2012 Mraid35x - ok
11:31:18.0448 2012 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
11:31:18.0464 2012 MRxDAV - ok
11:31:18.0620 2012 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
11:31:18.0698 2012 mrxsmb - ok
11:31:18.0760 2012 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
11:31:18.0776 2012 mrxsmb10 - ok
11:31:18.0932 2012 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
11:31:18.0979 2012 mrxsmb20 - ok
11:31:19.0041 2012 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
11:31:19.0057 2012 msahci - ok
11:31:19.0166 2012 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
11:31:19.0181 2012 msdsm - ok
11:31:19.0228 2012 MSDTC (fd7520cc3a80c5fc8c48852bb24c6ded) C:\Windows\System32\msdtc.exe
11:31:19.0259 2012 MSDTC - ok
11:31:19.0400 2012 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
11:31:19.0431 2012 Msfs - ok
11:31:19.0478 2012 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
11:31:19.0478 2012 msisadrv - ok
11:31:19.0603 2012 MSiSCSI (85466c0757a23d9a9aecdc0755203cb2) C:\Windows\system32\iscsiexe.dll
11:31:19.0634 2012 MSiSCSI - ok
11:31:19.0681 2012 msiserver - ok
11:31:19.0712 2012 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
11:31:19.0759 2012 MSKSSRV - ok
11:31:19.0805 2012 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
11:31:19.0837 2012 MSPCLOCK - ok
11:31:19.0977 2012 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
11:31:20.0008 2012 MSPQM - ok
11:31:20.0071 2012 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
11:31:20.0086 2012 MsRPC - ok
11:31:20.0227 2012 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
11:31:20.0242 2012 mssmbios - ok
11:31:20.0289 2012 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
11:31:20.0305 2012 MSTEE - ok
11:31:20.0351 2012 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
11:31:20.0367 2012 Mup - ok
11:31:20.0445 2012 napagent (e4eaf0c5c1b41b5c83386cf212ca9584) C:\Windows\system32\qagentRT.dll
11:31:20.0492 2012 napagent - ok
11:31:20.0601 2012 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
11:31:20.0648 2012 NativeWifiP - ok
11:31:20.0788 2012 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
11:31:20.0804 2012 NDIS - ok
11:31:20.0929 2012 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
11:31:20.0960 2012 NdisTapi - ok
11:31:21.0007 2012 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
11:31:21.0038 2012 Ndisuio - ok
11:31:21.0147 2012 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
11:31:21.0194 2012 NdisWan - ok
11:31:21.0334 2012 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
11:31:21.0365 2012 NDProxy - ok
11:31:21.0443 2012 Net Driver HPZ12 (69c503c004f49aee8b8e3067cc047ba7) C:\Windows\system32\HPZinw12.dll
11:31:21.0443 2012 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
11:31:21.0443 2012 Net Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
11:31:21.0568 2012 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
11:31:21.0631 2012 NetBIOS - ok
11:31:21.0771 2012 Netlogon (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
11:31:21.0771 2012 Netlogon - ok
11:31:21.0849 2012 Netman (c8052711daecc48b982434c5116ca401) C:\Windows\System32\netman.dll
11:31:21.0896 2012 Netman - ok
11:31:22.0005 2012 netprofm (2ef3bbe22e5a5acd1428ee387a0d0172) C:\Windows\System32\netprofm.dll
11:31:22.0052 2012 netprofm - ok
11:31:22.0130 2012 NetTcpPortSharing (d6c4e4a39a36029ac0813d476fbd0248) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
11:31:22.0130 2012 NetTcpPortSharing - ok
11:31:22.0301 2012 NETw4v32 (cb3af516a6797b27725e3f1e73f3496c) C:\Windows\system32\DRIVERS\NETw4v32.sys
11:31:22.0567 2012 NETw4v32 - ok
11:31:22.0754 2012 NETw5v32 (8de67bd902095a13329fd82c85a1fa09) C:\Windows\system32\DRIVERS\NETw5v32.sys
11:31:23.0066 2012 NETw5v32 - ok
11:31:23.0159 2012 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
11:31:23.0175 2012 nfrd960 - ok
11:31:23.0253 2012 NlaSvc (2997b15415f9bbe05b5a4c1c85e0c6a2) C:\Windows\System32\nlasvc.dll
11:31:23.0300 2012 NlaSvc - ok
11:31:23.0393 2012 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
11:31:23.0425 2012 Npfs - ok
11:31:23.0534 2012 nsi (8bb86f0c7eea2bded6fe095d0b4ca9bd) C:\Windows\system32\nsisvc.dll
11:31:23.0565 2012 nsi - ok
11:31:23.0612 2012 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
11:31:23.0659 2012 nsiproxy - ok
11:31:23.0799 2012 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
11:31:23.0846 2012 Ntfs - ok
11:31:24.0002 2012 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
11:31:24.0049 2012 ntrigdigi - ok
11:31:24.0127 2012 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
11:31:24.0173 2012 Null - ok
11:31:24.0548 2012 nvlddmkm (66b4bf606fcc7f0622d4a21bb1461089) C:\Windows\system32\DRIVERS\nvlddmkm.sys
11:31:25.0219 2012 nvlddmkm - ok
11:31:25.0343 2012 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
11:31:25.0359 2012 nvraid - ok
11:31:25.0437 2012 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
11:31:25.0453 2012 nvstor - ok
11:31:25.0515 2012 nvsvc (d122f7c5f79c68868f5dc28cefeb2ecf) C:\Windows\system32\nvvsvc.exe
11:31:25.0577 2012 nvsvc - ok
11:31:25.0733 2012 nvUpdatusService (003cb0a155568b4a53a301f07c734233) C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
11:31:25.0952 2012 nvUpdatusService - ok
11:31:26.0061 2012 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
11:31:26.0061 2012 nv_agp - ok
11:31:26.0092 2012 NwlnkFlt - ok
11:31:26.0108 2012 NwlnkFwd - ok
11:31:26.0186 2012 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
11:31:26.0233 2012 ohci1394 - ok
11:31:26.0342 2012 p2pimsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
11:31:26.0373 2012 p2pimsvc - ok
11:31:26.0451 2012 p2psvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
11:31:26.0467 2012 p2psvc - ok
11:31:26.0591 2012 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
11:31:26.0669 2012 Parport - ok
11:31:26.0701 2012 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
11:31:26.0716 2012 partmgr - ok
11:31:26.0825 2012 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
11:31:26.0903 2012 Parvdm - ok
11:31:27.0028 2012 PcaSvc (c6276ad11f4bb49b58aa1ed88537f14a) C:\Windows\System32\pcasvc.dll
11:31:27.0091 2012 PcaSvc - ok
11:31:27.0184 2012 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
11:31:27.0200 2012 pci - ok
11:31:27.0278 2012 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
11:31:27.0293 2012 pciide - ok
11:31:27.0356 2012 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
11:31:27.0371 2012 pcmcia - ok
11:31:27.0465 2012 PdiPorts - ok
11:31:27.0543 2012 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
11:31:27.0637 2012 PEAUTH - ok
11:31:27.0824 2012 pla (b1689df169143f57053f795390c99db3) C:\Windows\system32\pla.dll
11:31:27.0964 2012 pla - ok
11:31:28.0073 2012 PlugPlay (c5e7f8a996ec0a82d508fd9064a5569e) C:\Windows\system32\umpnpmgr.dll
11:31:28.0089 2012 PlugPlay - ok
11:31:28.0151 2012 Pml Driver HPZ12 (12b4549d515cb26bb8d375038017ca65) C:\Windows\system32\HPZipm12.dll
11:31:28.0167 2012 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
11:31:28.0167 2012 Pml Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
11:31:28.0229 2012 pnkbstrb - ok
11:31:28.0292 2012 PNRPAutoReg (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
11:31:28.0323 2012 PNRPAutoReg - ok
11:31:28.0354 2012 PNRPsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
11:31:28.0385 2012 PNRPsvc - ok
11:31:28.0526 2012 PolicyAgent (d0494460421a03cd5225cca0059aa146) C:\Windows\System32\ipsecsvc.dll
11:31:28.0573 2012 PolicyAgent - ok
11:31:28.0713 2012 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
11:31:28.0775 2012 PptpMiniport - ok
11:31:28.0916 2012 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
11:31:28.0978 2012 Processor - ok
11:31:29.0025 2012 ProfSvc (0508faa222d28835310b7bfca7a77346) C:\Windows\system32\profsvc.dll
11:31:29.0056 2012 ProfSvc - ok
11:31:29.0134 2012 ProtectedStorage (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
11:31:29.0150 2012 ProtectedStorage - ok
11:31:29.0212 2012 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
11:31:29.0243 2012 PSched - ok
11:31:29.0384 2012 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
11:31:29.0415 2012 ql2300 - ok
11:31:29.0540 2012 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
11:31:29.0555 2012 ql40xx - ok
11:31:29.0711 2012 QWAVE (e9ecae663f47e6cb43962d18ab18890f) C:\Windows\system32\qwave.dll
11:31:29.0743 2012 QWAVE - ok
11:31:29.0789 2012 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
11:31:29.0805 2012 QWAVEdrv - ok
11:31:29.0914 2012 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
11:31:29.0961 2012 RasAcd - ok
11:31:29.0992 2012 RasAuto (f6a452eb4ceadbb51c9e0ee6b3ecef0f) C:\Windows\System32\rasauto.dll
11:31:30.0039 2012 RasAuto - ok
11:31:30.0164 2012 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
11:31:30.0211 2012 Rasl2tp - ok
11:31:30.0335 2012 RasMan (75d47445d70ca6f9f894b032fbc64fcf) C:\Windows\System32\rasmans.dll
11:31:30.0367 2012 RasMan - ok
11:31:30.0476 2012 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
11:31:30.0523 2012 RasPppoe - ok
11:31:30.0585 2012 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
11:31:30.0601 2012 RasSstp - ok
11:31:30.0710 2012 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
11:31:30.0725 2012 rdbss - ok
11:31:30.0788 2012 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
11:31:30.0835 2012 RDPCDD - ok
11:31:30.0959 2012 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
11:31:31.0037 2012 rdpdr - ok
11:31:31.0162 2012 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
11:31:31.0209 2012 RDPENCDD - ok
11:31:31.0271 2012 RDPWD  (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
11:31:31.0318 2012 RDPWD - ok
11:31:31.0459 2012 RemoteAccess (bcdd6b4804d06b1f7ebf29e53a57ece9) C:\Windows\System32\mprdim.dll
11:31:31.0490 2012 RemoteAccess - ok
11:31:31.0537 2012 RemoteRegistry (9e6894ea18daff37b63e1005f83ae4ab) C:\Windows\system32\regsvc.dll
11:31:31.0583 2012 RemoteRegistry - ok
11:31:31.0708 2012 RFCOMM (6482707f9f4da0ecbab43b2e0398a101) C:\Windows\system32\DRIVERS\rfcomm.sys
11:31:31.0739 2012 RFCOMM - ok
11:31:31.0771 2012 risdptsk - ok
11:31:31.0864 2012 RpcLocator (5123f83cbc4349d065534eeb6bbdc42b) C:\Windows\system32\locator.exe
11:31:31.0911 2012 RpcLocator - ok
11:31:31.0958 2012 RpcSs (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\system32\rpcss.dll
11:31:31.0989 2012 RpcSs - ok
11:31:32.0098 2012 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
11:31:32.0129 2012 rspndr - ok
11:31:32.0207 2012 RTL8169 (2d19a7469ea19993d0c12e627f4530bc) C:\Windows\system32\DRIVERS\Rtlh86.sys
11:31:32.0223 2012 RTL8169 - ok
11:31:32.0285 2012 RTSTOR (6e7f2054faedbe766034aa8a185213ec) C:\Windows\system32\drivers\RTSTOR.SYS
11:31:32.0317 2012 RTSTOR - ok
11:31:32.0395 2012 SamSs (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
11:31:32.0410 2012 SamSs - ok
11:31:32.0473 2012 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
11:31:32.0488 2012 sbp2port - ok
11:31:32.0566 2012 SCardSvr (77b7a11a0c3d78d3386398fbbea1b632) C:\Windows\System32\SCardSvr.dll
11:31:32.0597 2012 SCardSvr - ok
11:31:32.0660 2012 Schedule (1a58069db21d05eb2ab58ee5753ebe8d) C:\Windows\system32\schedsvc.dll
11:31:32.0738 2012 Schedule - ok
11:31:32.0831 2012 SCPolicySvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll
11:31:32.0863 2012 SCPolicySvc - ok
11:31:32.0941 2012 SDRSVC (716313d9f6b0529d03f726d5aaf6f191) C:\Windows\System32\SDRSVC.dll
11:31:33.0003 2012 SDRSVC - ok
11:31:33.0081 2012 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
11:31:33.0159 2012 secdrv - ok
11:31:33.0237 2012 seclogon (fd5199d4d8a521005e4b5ee7fe00fa9b) C:\Windows\system32\seclogon.dll
11:31:33.0268 2012 seclogon - ok
11:31:33.0377 2012 SENS (a9bbab5759771e523f55563d6cbe140f) C:\Windows\system32\sens.dll
11:31:33.0424 2012 SENS - ok
11:31:33.0487 2012 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
11:31:33.0565 2012 Serenum - ok
11:31:33.0658 2012 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
11:31:33.0752 2012 Serial - ok
11:31:33.0845 2012 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
11:31:33.0877 2012 sermouse - ok
11:31:33.0986 2012 SessionEnv (d2193326f729b163125610dbf3e17d57) C:\Windows\system32\sessenv.dll
11:31:34.0017 2012 SessionEnv - ok
11:31:34.0095 2012 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
11:31:34.0157 2012 sffdisk - ok
11:31:34.0235 2012 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
11:31:34.0298 2012 sffp_mmc - ok
11:31:34.0345 2012 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
11:31:34.0407 2012 sffp_sd - ok
11:31:34.0501 2012 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
11:31:34.0579 2012 sfloppy - ok
11:31:34.0688 2012 SharedAccess (e1499bd0ff76b1b2fbbf1af339d91165) C:\Windows\System32\ipnathlp.dll
11:31:34.0750 2012 SharedAccess - ok
11:31:34.0875 2012 ShellHWDetection (c7230fbee14437716701c15be02c27b8) C:\Windows\System32\shsvcs.dll
11:31:34.0922 2012 ShellHWDetection - ok
11:31:35.0015 2012 Si3531 (93beacc3815a4653a655c8bd7622ff63) C:\Windows\system32\DRIVERS\Si3531.sys
11:31:35.0031 2012 Si3531 - ok
11:31:35.0125 2012 SiFilter (165448bc832d424b97270c8d1276e24a) C:\Windows\system32\DRIVERS\SiWinAcc.sys
11:31:35.0140 2012 SiFilter - ok
11:31:35.0171 2012 SiRemFil (9be8ea3a8c7e6d47e710f6fa14b7442b) C:\Windows\system32\DRIVERS\SiRemFil.sys
11:31:35.0187 2012 SiRemFil - ok
11:31:35.0234 2012 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
11:31:35.0249 2012 sisagp - ok
11:31:35.0327 2012 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
11:31:35.0327 2012 SiSRaid2 - ok
11:31:35.0374 2012 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
11:31:35.0390 2012 SiSRaid4 - ok
11:31:35.0499 2012 slsvc (862bb4cbc05d80c5b45be430e5ef872f) C:\Windows\system32\SLsvc.exe
11:31:35.0717 2012 slsvc - ok
11:31:35.0795 2012 SLUINotify (6edc422215cd78aa8a9cde6b30abbd35) C:\Windows\system32\SLUINotify.dll
11:31:35.0842 2012 SLUINotify - ok
11:31:35.0905 2012 SNMPTRAP (2a146a055b4401c16ee62d18b8e2a032) C:\Windows\System32\snmptrap.exe
11:31:35.0920 2012 SNMPTRAP - ok
11:31:36.0029 2012 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
11:31:36.0045 2012 spldr - ok
11:31:36.0123 2012 Spooler (8554097e5136c3bf9f69fe578a1b35f4) C:\Windows\System32\spoolsv.exe
11:31:36.0154 2012 Spooler - ok
11:31:36.0279 2012 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
11:31:36.0357 2012 srv - ok
11:31:36.0482 2012 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
11:31:36.0544 2012 srv2 - ok
11:31:36.0575 2012 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
11:31:36.0622 2012 srvnet - ok
11:31:36.0731 2012 ssadbus (48f44a1be434830b7c90fb730745f65a) C:\Windows\system32\DRIVERS\ssadbus.sys
11:31:36.0747 2012 ssadbus - ok
11:31:36.0794 2012 ssadmdfl (bb2c84a15c765da89fd832b0e73f26ce) C:\Windows\system32\DRIVERS\ssadmdfl.sys
11:31:36.0809 2012 ssadmdfl - ok
11:31:36.0919 2012 ssadmdm (6d0d132ddc6f43eda00dced6d8b1ca31) C:\Windows\system32\DRIVERS\ssadmdm.sys
11:31:36.0934 2012 ssadmdm - ok
11:31:37.0012 2012 SSDPSRV (03d50b37234967433a5ea5ba72bc0b62) C:\Windows\System32\ssdpsrv.dll
11:31:37.0075 2012 SSDPSRV - ok
11:31:37.0199 2012 SstpSvc (6f1a32e7b7b30f004d9a20afadb14944) C:\Windows\system32\sstpsvc.dll
11:31:37.0215 2012 SstpSvc - ok
11:31:37.0309 2012 STacSV (ffa85a9f3c3571ad29ac156bc6f116c5) C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ccfaa5a9\STacSV.exe
11:31:37.0355 2012 STacSV - ok
11:31:37.0402 2012 Steam Client Service - ok
11:31:37.0511 2012 STHDA (5af1feec6945f4fa5efd00e0c6d8f9b9) C:\Windows\system32\DRIVERS\stwrt.sys
11:31:37.0558 2012 STHDA - ok
11:31:37.0683 2012 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
11:31:37.0730 2012 StillCam - ok
11:31:37.0855 2012 stisvc (5de7d67e49b88f5f07f3e53c4b92a352) C:\Windows\System32\wiaservc.dll
11:31:37.0901 2012 stisvc - ok
11:31:38.0042 2012 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
11:31:38.0057 2012 swenum - ok
11:31:38.0120 2012 swprv (f21fd248040681cca1fb6c9a03aaa93d) C:\Windows\System32\swprv.dll
11:31:38.0167 2012 swprv - ok
11:31:38.0260 2012 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
11:31:38.0276 2012 Symc8xx - ok
11:31:38.0354 2012 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
11:31:38.0354 2012 Sym_hi - ok
11:31:38.0432 2012 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
11:31:38.0432 2012 Sym_u3 - ok
11:31:38.0494 2012 SynTP (3196c5df63d5e86fc0041ae0c816b80f) C:\Windows\system32\DRIVERS\SynTP.sys
11:31:38.0525 2012 SynTP - ok
11:31:38.0603 2012 SysMain (9a51b04e9886aa4ee90093586b0ba88d) C:\Windows\system32\sysmain.dll
11:31:38.0681 2012 SysMain - ok
11:31:38.0806 2012 TabletInputService (2dca225eae15f42c0933e998ee0231c3) C:\Windows\System32\TabSvc.dll
11:31:38.0837 2012 TabletInputService - ok
11:31:38.0962 2012 TapiSrv (d7673e4b38ce21ee54c59eeeb65e2483) C:\Windows\System32\tapisrv.dll
11:31:39.0009 2012 TapiSrv - ok
11:31:39.0103 2012 TBS (cb05822cd9cc6c688168e113c603dbe7) C:\Windows\System32\tbssvc.dll
11:31:39.0181 2012 TBS - ok
11:31:39.0305 2012 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
11:31:39.0352 2012 Tcpip - ok
11:31:39.0555 2012 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
11:31:39.0586 2012 Tcpip6 - ok
11:31:39.0727 2012 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
11:31:39.0758 2012 tcpipreg - ok
11:31:39.0883 2012 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
11:31:39.0914 2012 TDPIPE - ok
11:31:40.0007 2012 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
11:31:40.0039 2012 TDTCP - ok
11:31:40.0101 2012 tdx (ab4fde8af4a0270a46a001c08cbce1c2) C:\Windows\system32\DRIVERS\tdx.sys
11:31:40.0195 2012 tdx - ok
11:31:40.0319 2012 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
11:31:40.0335 2012 TermDD - ok
11:31:40.0397 2012 TermService (bb95da09bef6e7a131bff3ba5032090d) C:\Windows\System32\termsrv.dll
11:31:40.0460 2012 TermService - ok
11:31:40.0600 2012 Themes (c7230fbee14437716701c15be02c27b8) C:\Windows\system32\shsvcs.dll
11:31:40.0616 2012 Themes - ok
11:31:40.0694 2012 THREADORDER (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
11:31:40.0741 2012 THREADORDER - ok
11:31:40.0756 2012 tphdexlgsvc - ok
11:31:40.0819 2012 TrkWks (ec74e77d0eb004bd3a809b5f8fb8c2ce) C:\Windows\System32\trkwks.dll
11:31:40.0881 2012 TrkWks - ok
11:31:40.0943 2012 TrustedInstaller (97d9d6a04e3ad9b6c626b9931db78dba) C:\Windows\servicing\TrustedInstaller.exe
11:31:40.0975 2012 TrustedInstaller - ok
11:31:41.0068 2012 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
11:31:41.0099 2012 tssecsrv - ok
11:31:41.0146 2012 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
11:31:41.0193 2012 tunmp - ok
11:31:41.0287 2012 tunnel (119b8184e106baedc83fce5ddf3950da) C:\Windows\system32\DRIVERS\tunnel.sys
11:31:41.0318 2012 tunnel - ok
11:31:41.0396 2012 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
11:31:41.0411 2012 uagp35 - ok
11:31:41.0505 2012 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
11:31:41.0536 2012 udfs - ok
11:31:41.0630 2012 UI0Detect (ecef404f62863755951e09c802c94ad5) C:\Windows\system32\UI0Detect.exe
11:31:41.0677 2012 UI0Detect - ok
11:31:41.0770 2012 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
11:31:41.0786 2012 uliagpkx - ok
11:31:41.0864 2012 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
11:31:41.0879 2012 uliahci - ok
11:31:41.0957 2012 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
11:31:41.0973 2012 UlSata - ok
11:31:42.0067 2012 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
11:31:42.0067 2012 ulsata2 - ok
11:31:42.0191 2012 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
11:31:42.0238 2012 umbus - ok
11:31:42.0347 2012 upnphost (68308183f4ae0be7bf8ecd07cb297999) C:\Windows\System32\upnphost.dll
11:31:42.0394 2012 upnphost - ok
11:31:42.0472 2012 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\Windows\system32\Drivers\usbaapl.sys
11:31:42.0535 2012 USBAAPL - ok
11:31:42.0644 2012 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
11:31:42.0675 2012 usbccgp - ok
11:31:42.0737 2012 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
11:31:42.0815 2012 usbcir - ok
11:31:42.0909 2012 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
11:31:42.0971 2012 usbehci - ok
11:31:43.0065 2012 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
11:31:43.0127 2012 usbhub - ok
11:31:43.0205 2012 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
11:31:43.0299 2012 usbohci - ok
11:31:43.0361 2012 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
11:31:43.0424 2012 usbprint - ok
11:31:43.0517 2012 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
11:31:43.0564 2012 USBSTOR - ok
11:31:43.0658 2012 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
11:31:43.0689 2012 usbuhci - ok
11:31:43.0783 2012 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
11:31:43.0845 2012 usbvideo - ok
11:31:43.0892 2012 UVCFTR (7b8424bbaafbc127c8f55ad6007d6d6b) C:\Windows\system32\Drivers\UVCFTR_S.SYS
11:31:43.0923 2012 UVCFTR - ok
11:31:43.0970 2012 UxSms (1509e705f3ac1d474c92454a5c2dd81f) C:\Windows\System32\uxsms.dll
11:31:44.0032 2012 UxSms - ok
11:31:44.0126 2012 vds (cd88d1b7776dc17a119049742ec07eb4) C:\Windows\System32\vds.exe
11:31:44.0157 2012 vds - ok
11:31:44.0282 2012 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
11:31:44.0344 2012 vga - ok
11:31:44.0391 2012 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
11:31:44.0422 2012 VgaSave - ok
11:31:44.0531 2012 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
11:31:44.0547 2012 viaagp - ok
11:31:44.0609 2012 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
11:31:44.0672 2012 ViaC7 - ok
11:31:44.0703 2012 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
11:31:44.0719 2012 viaide - ok
11:31:44.0859 2012 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
11:31:44.0859 2012 volmgr - ok
11:31:44.0937 2012 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
11:31:44.0953 2012 volmgrx - ok
11:31:45.0093 2012 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
11:31:45.0109 2012 volsnap - ok
11:31:45.0171 2012 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
11:31:45.0187 2012 vsmraid - ok
11:31:45.0311 2012 VSS (db3d19f850c6eb32bdcb9bc0836acddb) C:\Windows\system32\vssvc.exe
11:31:45.0374 2012 VSS - ok
11:31:45.0530 2012 W32Time (96ea68b9eb310a69c25ebb0282b2b9de) C:\Windows\system32\w32time.dll
11:31:45.0561 2012 W32Time - ok
11:31:45.0686 2012 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
11:31:45.0779 2012 WacomPen - ok
11:31:45.0857 2012 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
11:31:45.0889 2012 Wanarp - ok
11:31:45.0889 2012 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
11:31:45.0920 2012 Wanarpv6 - ok
11:31:46.0013 2012 wcncsvc (a3cd60fd826381b49f03832590e069af) C:\Windows\System32\wcncsvc.dll
11:31:46.0045 2012 wcncsvc - ok
11:31:46.0123 2012 WcsPlugInService (11bcb7afcdd7aadacb5746f544d3a9c7) C:\Windows\System32\WcsPlugInService.dll
11:31:46.0154 2012 WcsPlugInService - ok
11:31:46.0232 2012 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
11:31:46.0232 2012 Wd - ok
11:31:46.0357 2012 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\Windows\system32\DRIVERS\wdcsam.sys
11:31:46.0388 2012 WDC_SAM - ok
11:31:46.0481 2012 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
11:31:46.0513 2012 Wdf01000 - ok
11:31:46.0606 2012 WdiServiceHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
11:31:46.0669 2012 WdiServiceHost - ok
11:31:46.0669 2012 WdiSystemHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
11:31:46.0715 2012 WdiSystemHost - ok
11:31:46.0762 2012 WebClient (04c37d8107320312fbae09926103d5e2) C:\Windows\System32\webclnt.dll
11:31:46.0793 2012 WebClient - ok
11:31:46.0903 2012 Wecsvc (ae3736e7e8892241c23e4ebbb7453b60) C:\Windows\system32\wecsvc.dll
11:31:46.0934 2012 Wecsvc - ok
11:31:47.0043 2012 wercplsupport (670ff720071ed741206d69bd995ea453) C:\Windows\System32\wercplsupport.dll
11:31:47.0105 2012 wercplsupport - ok
11:31:47.0168 2012 WerSvc (32b88481d3b326da6deb07b1d03481e7) C:\Windows\System32\WerSvc.dll
11:31:47.0183 2012 WerSvc - ok
11:31:47.0293 2012 WinDefend (4575aa12561c5648483403541d0d7f2b) C:\Program Files\Windows Defender\mpsvc.dll
11:31:47.0308 2012 WinDefend - ok
11:31:47.0308 2012 WinHttpAutoProxySvc - ok
11:31:47.0464 2012 Winmgmt (6b2a1d0e80110e3d04e6863c6e62fd8a) C:\Windows\system32\wbem\WMIsvc.dll
11:31:47.0495 2012 Winmgmt - ok
11:31:47.0511 2012 winproxy - ok
11:31:47.0573 2012 WinRM (7cfe68bdc065e55aa5e8421607037511) C:\Windows\system32\WsmSvc.dll
11:31:47.0667 2012 WinRM - ok
11:31:47.0807 2012 WinUSB (676f4b665bdd8053eaa53ac1695b8074) C:\Windows\system32\DRIVERS\WinUSB.sys
11:31:47.0823 2012 WinUSB - ok
11:31:47.0948 2012 Wlansvc (c008405e4feeb069e30da1d823910234) C:\Windows\System32\wlansvc.dll
11:31:48.0026 2012 Wlansvc - ok
11:31:48.0135 2012 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
11:31:48.0182 2012 WmiAcpi - ok
11:31:48.0260 2012 wmiApSrv (43be3875207dcb62a85c8c49970b66cc) C:\Windows\system32\wbem\WmiApSrv.exe
11:31:48.0307 2012 wmiApSrv - ok
11:31:48.0431 2012 WMPNetworkSvc (3978704576a121a9204f8cc49a301a9b) C:\Program Files\Windows Media Player\wmpnetwk.exe
11:31:48.0509 2012 WMPNetworkSvc - ok
11:31:48.0603 2012 WPCSvc (cfc5a04558f5070cee3e3a7809f3ff52) C:\Windows\System32\wpcsvc.dll
11:31:48.0634 2012 WPCSvc - ok
11:31:48.0728 2012 WPDBusEnum (801fbdb89d472b3c467eb112a0fc9246) C:\Windows\system32\wpdbusenum.dll
11:31:48.0790 2012 WPDBusEnum - ok
11:31:48.0884 2012 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
11:31:48.0931 2012 ws2ifsl - ok
11:31:49.0024 2012 wscsvc (1ca6c40261ddc0425987980d0cd2aaab) C:\Windows\system32\wscsvc.dll
11:31:49.0055 2012 wscsvc - ok
11:31:49.0102 2012 WSearch - ok
11:31:49.0211 2012 wuauserv (6298277b73c77fa99106b271a7525163) C:\Windows\system32\wuaueng.dll
11:31:49.0305 2012 wuauserv - ok
11:31:49.0430 2012 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
11:31:49.0461 2012 WUDFRd - ok
11:31:49.0492 2012 wudfsvc (575a4190d989f64732119e4114045a4f) C:\Windows\System32\WUDFSvc.dll
11:31:49.0555 2012 wudfsvc - ok
11:31:49.0633 2012 xnacc - ok
11:31:49.0664 2012 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
11:31:49.0773 2012 \Device\Harddisk0\DR0 - ok
11:31:49.0773 2012 Boot (0x1200) (14e15f2f63a183105deeb1d854bfbadc) \Device\Harddisk0\DR0\Partition0
11:31:49.0789 2012 \Device\Harddisk0\DR0\Partition0 - ok
11:31:49.0789 2012 ============================================================
11:31:49.0789 2012 Scan finished
11:31:49.0789 2012 ============================================================
11:31:49.0804 2004 Detected object count: 5
11:31:49.0804 2004 Actual detected object count: 5
11:32:05.0030 2004 Bonjour Service ( LockedFile.Multi.Generic ) - skipped by user
11:32:05.0030 2004 Bonjour Service ( LockedFile.Multi.Generic ) - User select action: Skip 
11:32:05.0045 2004 HPSLPSVC ( LockedFile.Multi.Generic ) - skipped by user
11:32:05.0045 2004 HPSLPSVC ( LockedFile.Multi.Generic ) - User select action: Skip 
11:32:05.0061 2004 iPod Service ( LockedFile.Multi.Generic ) - skipped by user
11:32:05.0061 2004 iPod Service ( LockedFile.Multi.Generic ) - User select action: Skip 
11:32:05.0077 2004 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
11:32:05.0077 2004 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip 
11:32:05.0123 2004 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
11:32:05.0123 2004 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip


----------



## kevinf80 (Mar 21, 2006)

How is your system responding? Do you have an internet connection...

Kevin


----------



## MrMurdstone (Mar 7, 2012)

Yes, I've got an internet connection and normal mode works now.


----------



## kevinf80 (Mar 21, 2006)

I've personally never seen a ZA infection react the way it did on your system; I actually half expected your system to die on the second run of TDSSKiller, and I did not expect a clean log. Those suspect files are OK; the MD5s check out clean.

I'd like you to try Combofix again, to see if it will run now...

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

*Link 1*
*Link 2*


 Ensure that Combofix is saved directly to the Desktop *<--- Very important*

 Disable all security programs as they will have a negative effect on Combofix, instructions available *Here* if required. Be aware the list may not have all programs listed, if you need more help please ask.

 Close any open browsers and any other programs you might have running

 Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")

 Instructions for running Combofix available *Here* if required.

 If you are using Windows XP, it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.

 When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

*Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall or freeze.*

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read *Here* why disabling autoruns is recommended.

*EXTRA NOTES*

 If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
 If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
 If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in next reply please... One other point, I gave you a fix for the recycle bin, did you do that?

Kevin


----------



## MrMurdstone (Mar 7, 2012)

Now I am getting this error when I try to open Firefox or Internet Explorer: "Illegal operation attempted on a registry key that has been marked for deletion." Never mind, it started working when I rebooted. And no, I didn't do the recycle bin thing because it stopped saying something.

ComboFix 12-03-22.01 - Kyle Clark 03/25/2012 13:15:23.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.2138 [GMT -7:00]
Running from: c:\users\Kyle Clark\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB64787$
c:\windows\system32\dds_trash_log.cmd
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected 
Restored copy from - The cat found it  
c:\windows\system32\drivers\netbt.sys was missing 
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-02-25 to 2012-03-25 )))))))))))))))))))))))))))))))
.
.
2012-03-25 20:26 . 2012-03-25 20:38 -------- d-----w- c:\users\Kyle Clark\AppData\Local\temp
2012-03-25 20:26 . 2012-03-25 20:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-25 20:26 . 2008-01-19 04:55 184320 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-25 02:01 . 2012-03-25 02:01 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-11 22:42 . 2012-03-11 22:42 -------- d-----w- C:\_OTM
2012-03-02 00:54 . 2009-04-11 04:39 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-02 00:52 . 2006-11-02 08:57 68096 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-03-01 07:42 . 2012-03-02 00:48 -------- d-----w- c:\program files\Google
2012-03-01 07:39 . 2012-03-05 00:44 -------- d-----w- c:\programdata\AVAST Software
2012-02-26 01:02 . 2012-02-26 01:02 -------- d-----w- c:\users\Kyle Clark\AppData\Roaming\AVG2012
2012-02-25 21:06 . 2012-02-29 22:36 -------- d-----w- c:\programdata\AVG2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-25 02:03 . 2011-06-25 22:56 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-12 19:52 . 2012-02-16 22:14 2044416 ----a-w- c:\windows\system32\win32k.sys
2011-12-27 02:02 . 2011-06-25 22:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-06-29 638976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe" [2011-12-27 247968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ShortKeys 3.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ShortKeys 3.lnk
backup=c:\windows\pss\ShortKeys 3.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Kyle Clark^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\users\Kyle Clark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-10-28 02:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft MediaImpression Monitor]
2010-12-16 01:03 80448 ----a-w- c:\program files\Kodak\MediaImpression\ArcMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 19:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-12-09 10:45 74752 ----a-w- c:\program files\Winamp\winampa.exe
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
NETSVCS REQUIRES REPAIRS - current entries shown
AeLookupSvc
wercplsupport
Themes
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Ias
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
SRService
xnacc
PdiPorts
3compxe
enodpl
uhcd
orbpvr
vvoice
nvrd64
winproxy
WLAN_USB
z525mdfl
USBMN1X1
eventclientmultiplexer
db2ntsecserver
id2scaps
btserial
BootScreen
e1000
RMSvc
websensecamreportserver
Slntamr
qcdonner
DcFpoint
UxTuneUp
SE26obex
delldmi
retroexplauncher
msk80service
emproxy
webupdate
ufad-ws60
defwatch
wlancfg
websensewfreportserver
idrivert
mcafeeframework
XTrapD12
pnkbstrb
o2flash
vmm
pavreport
generichidservice
flashcom
acnusvc
ATSWPDRV
AFGSp50
sysaidagent
mgisvr
Evian
splitter
cdr4_xp
db2licd
se59mgmt
adihdaudaddservice
trufos
tcpipBM
mksvirmonsvc
tosrfbnp
gtndis5
n558
w810mdm
dlaudfam
SaiNtHid
MaVctrl
SMNDIS5
avg7updsvc
AffinegyService
ndisip
qconsvc
winachsf
risdptsk
superproserver
dmio
crauto
HSXHWBS2
hpci
regsrvc
tvtnetwk
sisidex
AlKernel
odclientservice
tphdexlgsvc
lxdm_device
Tapisrv
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
ProfSvc
EapHost
winmgmt
schedule
SessionEnv
browser
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Kyle Clark\AppData\Roaming\Mozilla\Firefox\Profiles\ohhvwtv6.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
HKLM-Run-SynTPEnh - c:\program files\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-SysTrayApp - c:\program files\IDT\WDM\sttray.exe
HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
SafeBoot-72707762.sys
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
AddRemove-{14BC6853-A74E-4874-B50D-679889D1544D} - c:\program files\HP\Digital Imaging\{14BC6853-A74E-4874-B50D-679889D1544D}\setup\hpzscr01.exe
AddRemove-{5A15F754-086E-4185-96F4-0BC31F1A2382} - c:\program files\HP\Digital Imaging\{5A15F754-086E-4185-96F4-0BC31F1A2382}\setup\hpzscr01.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-25 13:40
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\internet explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_USERS\.Default\Software\Microsoft\internet explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:e0,53,a0,4e,fc,f3,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\internet explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,41,f7,b8,23,2b,ae,41,b0,69,07,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,41,f7,b8,23,2b,ae,41,b0,69,07,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_ccfaa5a9\STacSV.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-03-25 13:45:16 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-25 20:45
.
Pre-Run: 84,666,073,088 bytes free
Post-Run: 84,627,951,616 bytes free
.
- - End Of File - - 584CBB1907A7071DA6A65A565DFD0B7E


----------



## kevinf80 (Mar 21, 2006)

This is not getting any better; there is still a lot of work to do...

Run this please:

Download *OTL* from any of the following links and save to your Desktop:

*Link 1*
*Link 2*
*Link 3*
*Link 4*

 Double click on the icon to run it; Vista or Windows 7 users right click and select Run as Administrator. Make sure all other windows are closed and let it run uninterrupted.
 When the window appears, underneath *Output* at the top, make sure *Standard output* is selected.
 Select *Scan all users*
 Under the *Extra Registry* section, check *Use SafeList*
 In the lower right corner, checkmark *"LOP Check"* and checkmark *"Purity Check".*
 Under the Custom Scan box paste this in:


```
netsvcs
%systemroot%\*. /mp /s
%systemroot%\*. /rp /s
msconfig
%SYSTEMDRIVE%\*.exe
%LOCALAPPDATA%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
consrv.dll
/md5stop
```

 Click the button to start the scan. Do not change any settings unless otherwise told to do so. The scan won't take long.
 When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
 Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your reply
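
The `netsvcs` line in that custom scan makes OTL list every member of the netsvcs service group together with the file each one resolves to, printed as `NetSvcs: <name> - <path> (<company>)` or `NetSvcs: <name> - ... File not found`. Below is an added example, written for this page and not taken from the thread or from OTL itself, of a small Python triage script over lines in that format: it parses them, separates members that still resolve to a file on disk from members whose registered ServiceDll is absent, and compares the member names against a baseline list that you export from a known-clean machine running the same Windows version. The sample lines are constructed for the example (their names and paths are copied from the OTL log later in this thread); the baseline used in the demo call is a placeholder, not a verified default list.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample input in OTL's "NetSvcs:" line format. The names and paths
# are copied from the OTL log in this thread; the selection is a small subset.
SAMPLE_OTL = r"""
NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: xnacc - %systemroot%\system32\appnnode.dll File not found
NetSvcs: wlancfg - C:\Windows\System32\wlancfg.dll (Microsoft Corporation)
NetSvcs: winproxy - %systemroot%\system32\knobserv.dll File not found
NetSvcs: enodpl - File not found
"""

# "NetSvcs: <service name> - <everything else>"
NETSVCS_RE = re.compile(r"^NetSvcs:\s+(?P<name>\S+)\s+-\s+(?P<rest>.*)$")
# "<path> (<company>)" for entries whose file OTL found and read version info from
PATH_COMPANY_RE = re.compile(r"^(?P<path>.*?)\s*\((?P<company>[^)]*)\)\s*$")
MISSING = "File not found"


@dataclass
class NetSvcEntry:
    name: str
    path: Optional[str]      # ServiceDll path shown in the log, if any
    company: Optional[str]   # publisher OTL read from the file, if the file exists
    file_missing: bool

    def category(self) -> str:
        """Bucket an entry for triage."""
        if self.file_missing and self.path:
            # A ServiceDll is registered for this name but the file is not on disk.
            return "missing-dll"
        if self.file_missing:
            # No path was resolved for the name at all.
            return "no-file"
        return "present"


def parse_netsvcs(text: str) -> List[NetSvcEntry]:
    """Parse OTL 'NetSvcs:' lines; lines in any other format are ignored."""
    entries: List[NetSvcEntry] = []
    for raw in text.splitlines():
        m = NETSVCS_RE.match(raw.strip())
        if not m:
            continue
        name, rest = m.group("name"), m.group("rest").strip()
        if rest.endswith(MISSING):
            body = rest[: -len(MISSING)].strip()
            entries.append(NetSvcEntry(name, body or None, None, True))
            continue
        pm = PATH_COMPANY_RE.match(rest)
        if pm:
            entries.append(NetSvcEntry(name, pm.group("path").strip(),
                                       pm.group("company").strip() or None, False))
        else:
            entries.append(NetSvcEntry(name, rest, None, False))
    return entries


def triage(entries: Iterable[NetSvcEntry]) -> Dict[str, List[str]]:
    """Group member names by category, keeping the log's order within each bucket."""
    buckets: Dict[str, List[str]] = {"present": [], "missing-dll": [], "no-file": []}
    for e in entries:
        buckets[e.category()].append(e.name)
    return buckets


def not_in_baseline(entries: Iterable[NetSvcEntry], baseline: Iterable[str]) -> List[str]:
    """Group members that a known-clean reference machine does not have.

    The comparison is case-insensitive because Windows service names are."""
    known = {b.lower() for b in baseline}
    return [e.name for e in entries if e.name.lower() not in known]


if __name__ == "__main__":
    parsed = parse_netsvcs(SAMPLE_OTL)
    for bucket, names in triage(parsed).items():
        print(f"{bucket:12s} {', '.join(names) or '-'}")
    # Placeholder baseline for the demo; in practice export the netsvcs value
    # from a clean machine running the same Windows version and paste it here.
    demo_baseline = ["FastUserSwitchingCompatibility", "Ias", "wlancfg"]
    print("not in baseline:", ", ".join(not_in_baseline(parsed, demo_baseline)))
```

The `missing-dll` bucket is the one to read first: a group member that names a specific DLL under `%systemroot%\system32` which no longer exists is exactly the pattern the log in this thread shows for entries such as `xnacc` and `winproxy`, and it is the part ComboFix reported as needing repair. The `no-file` bucket needs the baseline comparison to be meaningful, since a name with nothing behind it may simply be a stale default.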


----------



## MrMurdstone (Mar 7, 2012)

OTL logfile created on: 3/25/2012 4:31:16 PM - Run 2
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Users\Kyle Clark\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.03 Gb Available Physical Memory | 67.74% Memory free
6.19 Gb Paging File | 5.39 Gb Available in Paging File | 87.06% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 78.76 Gb Free Space | 26.42% Space Free | Partition Type: NTFS

Computer Name: KYLECLARK-PC | User Name: Kyle Clark | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/25 16:11:21 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Users\Kyle Clark\Desktop\OTL.exe
PRC - [2011/10/15 01:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2011/10/15 01:53:00 | 001,820,480 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
PRC - [2011/10/15 01:53:00 | 001,328,960 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
PRC - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/04/10 23:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/05/06 16:03:08 | 000,221,239 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ccfaa5a9\stacsv.exe
PRC - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe

========== Modules (No Company Name) ==========

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\appnnode.dll -- (xnacc)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\knobserv.dll -- (winproxy)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\ccpwdsvc.dll -- (tphdexlgsvc)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\U81xmgmt.dll -- (risdptsk)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\avipbb.dll -- (pnkbstrb)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\FVNETusb.dll -- (PdiPorts)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - File not found [Auto | Stopped] -- C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL -- (HPSLPSVC)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\AsuhfivrO.dll -- (hpci)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\Sunkfiltp.dll -- (DcFpoint)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\atixsaudio.dll -- (crauto)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\tifmsony.dll -- (AFGSp50)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\obvious.dll -- (3compxe)
SRV - [2011/11/24 03:29:15 | 000,419,624 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/10/15 01:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2008/05/06 16:03:08 | 000,221,239 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ccfaa5a9\stacsv.exe -- (STacSV)
SRV - [2008/01/18 23:38:26 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2011/10/15 01:53:00 | 010,327,360 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2011/05/13 04:21:06 | 000,136,808 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadmdm.sys -- (ssadmdm)
DRV - [2011/05/13 04:21:06 | 000,012,776 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadmdfl.sys -- (ssadmdfl) SAMSUNG Android USB Modem (Filter)
DRV - [2011/01/12 21:15:08 | 000,121,192 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadbus.sys -- (ssadbus) SAMSUNG Android USB Composite Device driver (WDM)
DRV - [2010/06/23 10:21:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2009/04/10 21:42:52 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUSB)
DRV - [2009/02/05 19:39:08 | 000,017,064 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SiWinAcc.sys -- (SiFilter)
DRV - [2009/02/05 19:39:00 | 000,012,200 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SiRemFil.sys -- (SiRemFil)
DRV - [2009/02/05 19:38:24 | 000,212,520 | ---- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\Si3531.sys -- (Si3531)
DRV - [2008/11/17 16:40:22 | 003,668,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel(R)
DRV - [2008/05/06 16:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/05/06 16:04:40 | 000,379,904 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/05/23 17:37:40 | 000,011,776 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2007/04/30 08:45:18 | 002,219,520 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel(R)
DRV - [2006/11/28 17:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/10 15:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afc.sys -- (Afc)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-474303697-943411777-899299439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-474303697-943411777-899299439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CC AC 55 C5 53 D7 CC 01 [binary data]
IE - HKU\S-1-5-21-474303697-943411777-899299439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-474303697-943411777-899299439-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-474303697-943411777-899299439-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-474303697-943411777-899299439-1001\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
IE - HKU\S-1-5-21-474303697-943411777-899299439-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-474303697-943411777-899299439-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}:3.5.0.12
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll File not found
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.27\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/25 16:17:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.27\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/03/25 16:17:44 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 3.6.28\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/25 16:17:44 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 3.6.28\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/03/25 16:17:44 | 000,000,000 | ---D | M]

[2006/10/11 10:01:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kyle Clark\AppData\Roaming\Mozilla\Extensions
[2012/03/25 12:41:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kyle Clark\AppData\Roaming\Mozilla\Firefox\Profiles\ohhvwtv6.default\extensions
[2011/06/27 14:46:49 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Kyle Clark\AppData\Roaming\Mozilla\Firefox\Profiles\ohhvwtv6.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/08/01 00:08:48 | 000,000,000 | ---D | M] (uTorrentBar Community Toolbar) -- C:\Users\Kyle Clark\AppData\Roaming\Mozilla\Firefox\Profiles\ohhvwtv6.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
[2011/12/25 23:21:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/07/05 22:34:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/06/26 02:21:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/06/26 02:21:00 | 000,476,904 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - Extension: YouTube = C:\Users\Kyle Clark\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Users\Kyle Clark\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
CHR - Extension: avast! WebRep = C:\Users\Kyle Clark\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\6.0.1407_0\
CHR - Extension: Gmail = C:\Users\Kyle Clark\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\

O1 HOSTS File: ([2012/03/25 13:38:50 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Gateway\traybar.exe (Chicony)
O4 - HKU\S-1-5-21-474303697-943411777-899299439-1002..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil11e_ActiveX.exe (Adobe Systems, Inc.)
O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil11e_ActiveX.exe (Adobe Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-474303697-943411777-899299439-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-474303697-943411777-899299439-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-474303697-943411777-899299439-1002\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D6AAFE6F-191A-4DC9-B649-6FF0F99CCA9B}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img22.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img22.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: xnacc - %systemroot%\system32\appnnode.dll File not found
NetSvcs: PdiPorts - %systemroot%\system32\FVNETusb.dll File not found
NetSvcs: 3compxe - %systemroot%\system32\obvious.dll File not found
NetSvcs: enodpl - File not found
NetSvcs: uhcd - File not found
NetSvcs: orbpvr - File not found
NetSvcs: vvoice - File not found
NetSvcs: nvrd64 - File not found
NetSvcs: winproxy - %systemroot%\system32\knobserv.dll File not found
NetSvcs: WLAN_USB - File not found
NetSvcs: z525mdfl - File not found
NetSvcs: USBMN1X1 - File not found
NetSvcs: eventclientmultiplexer - File not found
NetSvcs: db2ntsecserver - File not found
NetSvcs: id2scaps - File not found
NetSvcs: btserial - File not found
NetSvcs: BootScreen - File not found
NetSvcs: e1000 - File not found
NetSvcs: RMSvc - File not found
NetSvcs: websensecamreportserver - File not found
NetSvcs: Slntamr - File not found
NetSvcs: qcdonner - File not found
NetSvcs: DcFpoint - %systemroot%\system32\Sunkfiltp.dll File not found
NetSvcs: UxTuneUp - File not found
NetSvcs: SE26obex - File not found
NetSvcs: delldmi - File not found
NetSvcs: retroexplauncher - File not found
NetSvcs: msk80service - File not found
NetSvcs: emproxy - File not found
NetSvcs: webupdate - File not found
NetSvcs: ufad-ws60 - File not found
NetSvcs: defwatch - File not found
NetSvcs: wlancfg - C:\Windows\System32\wlancfg.dll (Microsoft Corporation)
NetSvcs: websensewfreportserver - File not found
NetSvcs: idrivert - File not found
NetSvcs: mcafeeframework - File not found
NetSvcs: XTrapD12 - File not found
NetSvcs: pnkbstrb - %systemroot%\system32\avipbb.dll File not found
NetSvcs: o2flash - File not found
NetSvcs: vmm - File not found
NetSvcs: pavreport - File not found
NetSvcs: generichidservice - File not found
NetSvcs: flashcom - File not found
NetSvcs: acnusvc - File not found
NetSvcs: ATSWPDRV - File not found
NetSvcs: AFGSp50 - %systemroot%\system32\tifmsony.dll File not found
NetSvcs: sysaidagent - File not found
NetSvcs: mgisvr - File not found
NetSvcs: Evian - File not found
NetSvcs: splitter - File not found
NetSvcs: cdr4_xp - File not found
NetSvcs: db2licd - File not found
NetSvcs: se59mgmt - File not found
NetSvcs: adihdaudaddservice - File not found
NetSvcs: trufos - File not found
NetSvcs: tcpipBM - File not found
NetSvcs: mksvirmonsvc - File not found
NetSvcs: tosrfbnp - File not found
NetSvcs: gtndis5 - File not found
NetSvcs: n558 - File not found
NetSvcs: w810mdm - File not found
NetSvcs: dlaudfam - File not found
NetSvcs: SaiNtHid - File not found
NetSvcs: MaVctrl - File not found
NetSvcs: SMNDIS5 - File not found
NetSvcs: avg7updsvc - File not found
NetSvcs: AffinegyService - File not found
NetSvcs: ndisip - File not found
NetSvcs: qconsvc - File not found
NetSvcs: winachsf - File not found
NetSvcs: risdptsk - %systemroot%\system32\U81xmgmt.dll File not found
NetSvcs: superproserver - File not found
NetSvcs: dmio - File not found
NetSvcs: crauto - %systemroot%\system32\atixsaudio.dll File not found
NetSvcs: HSXHWBS2 - File not found
NetSvcs: hpci - %systemroot%\system32\AsuhfivrO.dll File not found
NetSvcs: regsrvc - File not found
NetSvcs: tvtnetwk - File not found
NetSvcs: sisidex - File not found
NetSvcs: AlKernel - File not found
NetSvcs: odclientservice - File not found
NetSvcs: tphdexlgsvc - %systemroot%\system32\ccpwdsvc.dll File not found
NetSvcs: lxdm_device - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ShortKeys 3.lnk - C:\Program Files\ShortKeys 3\shortkey.exe - (Insight Software Solutions)
MsConfig - StartUpFolder: C:^Users^Kyle Clark^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk - - File not found
MsConfig - StartUpReg: *Adobe ARM* - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: *ArcSoft Connection Service* - hkey= - key= - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
MsConfig - StartUpReg: *ArcSoft MediaImpression Monitor* - hkey= - key= - C:\Program Files\Kodak\MediaImpression\ArcMonitor.exe (ArcSoft, Inc.)
MsConfig - StartUpReg: *SunJavaUpdateSched* - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: *WinampAgent* - hkey= - key= - C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
MsConfig - State: "startup" - 2

========== Files/Folders - Created Within 30 Days ==========

[2012/03/25 16:11:21 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Users\Kyle Clark\Desktop\OTL.exe
[2012/03/25 14:02:33 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/03/25 13:45:21 | 000,000,000 | ---D | C] -- C:\Users\Kyle Clark\AppData\Local\temp
[2012/03/25 13:38:54 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2012/03/25 13:06:29 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/03/25 13:03:17 | 004,443,082 | R--- | C] (Swearware) -- C:\Users\Kyle Clark\Desktop\ComboFix.exe
[2012/03/24 19:01:41 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/03/24 18:53:12 | 002,066,480 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Kyle Clark\Desktop\tdsskiller.exe
[2012/03/21 13:03:55 | 000,523,264 | ---- | C] (OldTimer Tools) -- C:\Users\Kyle Clark\Desktop\OTM.exe
[2012/03/15 15:00:04 | 000,273,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\afd.svs
[2012/03/15 14:42:16 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\cdrom.svs
[2012/03/11 15:42:59 | 000,000,000 | ---D | C] -- C:\_OTM
[2012/03/07 21:06:54 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/03/07 21:06:54 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/03/07 21:06:54 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/03/07 21:06:49 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/03/07 21:06:44 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/03/01 00:42:03 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2012/03/01 00:39:40 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2012/02/25 18:02:36 | 000,000,000 | ---D | C] -- C:\Users\Kyle Clark\AppData\Roaming\AVG2012
[2012/02/25 14:06:07 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG2012
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/25 16:11:21 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Users\Kyle Clark\Desktop\OTL.exe
[2012/03/25 16:09:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/25 14:10:38 | 000,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/03/25 14:10:38 | 000,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/03/25 14:02:47 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/25 14:02:47 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/25 14:02:29 | 3217,514,496 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/25 14:01:23 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/03/25 13:38:50 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/03/25 13:03:18 | 004,443,082 | R--- | M] (Swearware) -- C:\Users\Kyle Clark\Desktop\ComboFix.exe
[2012/03/24 18:46:24 | 002,066,480 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Kyle Clark\Desktop\tdsskiller.exe
[2012/03/15 05:55:20 | 397,302,498 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/03/11 15:38:40 | 000,523,264 | ---- | M] (OldTimer Tools) -- C:\Users\Kyle Clark\Desktop\OTM.exe
[2012/03/11 03:05:40 | 000,139,264 | ---- | M] () -- C:\Users\Kyle Clark\Desktop\SystemLook.exe
[2012/03/10 12:11:34 | 000,337,137 | ---- | M] () -- C:\Users\Kyle Clark\Desktop\FSS.exe
[2012/03/07 00:57:35 | 000,003,584 | ---- | M] () -- C:\Users\Kyle Clark\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/01 00:41:46 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2012/02/28 22:18:10 | 000,020,846 | ---- | M] () -- C:\Users\Kyle Clark\Documents\walmart2.odt
[2012/02/28 22:18:08 | 000,014,379 | ---- | M] () -- C:\Users\Kyle Clark\Documents\outline.odt
[2012/02/25 17:36:09 | 000,000,112 | ---- | M] () -- C:\ProgramData\QlgfDmdWO.dat
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/25 12:24:59 | 3217,514,496 | -HS- | C] () -- C:\hiberfil.sys
[2012/03/19 16:10:02 | 000,139,264 | ---- | C] () -- C:\Users\Kyle Clark\Desktop\SystemLook.exe
[2012/03/19 12:33:19 | 000,337,137 | ---- | C] () -- C:\Users\Kyle Clark\Desktop\FSS.exe
[2012/03/07 21:06:54 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/03/07 21:06:54 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/03/07 21:06:54 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/03/07 21:06:54 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/03/07 21:06:54 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/03/07 00:57:35 | 000,003,584 | ---- | C] () -- C:\Users\Kyle Clark\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/28 17:31:46 | 000,020,846 | ---- | C] () -- C:\Users\Kyle Clark\Documents\walmart2.odt
[2012/01/10 21:13:36 | 000,011,824 | -HS- | C] () -- C:\Users\Kyle Clark\AppData\Local\b10ya0b81g
[2012/01/10 21:13:36 | 000,011,824 | -HS- | C] () -- C:\ProgramData\b10ya0b81g
[2011/12/28 14:32:39 | 000,000,680 | ---- | C] () -- C:\Users\Kyle Clark\AppData\Local\d3d9caps.dat
[2011/12/24 14:09:09 | 000,000,112 | ---- | C] () -- C:\ProgramData\QlgfDmdWO.dat
[2011/12/23 19:41:32 | 000,010,842 | -HS- | C] () -- C:\Users\Kyle Clark\AppData\Local\637137n7y858v116t034c5egj2p7
[2011/12/23 19:41:32 | 000,010,842 | -HS- | C] () -- C:\ProgramData\637137n7y858v116t034c5egj2p7
[2011/12/09 17:52:19 | 000,011,562 | -HS- | C] () -- C:\Users\Kyle Clark\AppData\Local\t6le76k8mp5pca
[2011/12/09 17:52:19 | 000,011,562 | -HS- | C] () -- C:\ProgramData\t6le76k8mp5pca
[2011/11/18 01:11:42 | 000,155,870 | ---- | C] () -- C:\Windows\hpwins12.dat
[2011/11/18 01:10:55 | 000,009,847 | ---- | C] () -- C:\Windows\hpwscr12.dat
[2011/11/18 01:10:55 | 000,000,981 | ---- | C] () -- C:\Windows\hpwmdl12.dat
[2011/10/07 01:11:47 | 000,173,023 | ---- | C] () -- C:\Windows\hpoins46.dat
[2011/10/07 01:11:47 | 000,000,601 | ---- | C] () -- C:\Windows\hpomdl46.dat
[2011/07/02 23:07:26 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/07/02 23:07:26 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/07/02 23:06:30 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2011/06/25 16:39:38 | 000,021,840 | ---- | C] () -- C:\Windows\System32\SIntfNT.dll
[2011/06/25 16:39:38 | 000,017,212 | ---- | C] () -- C:\Windows\System32\SIntf32.dll
[2011/06/25 16:39:38 | 000,012,067 | ---- | C] () -- C:\Windows\System32\SIntf16.dll
[2011/06/25 16:11:38 | 000,028,314 | ---- | C] () -- C:\Users\Kyle Clark\AppData\Roaming\nvModes.001
[2011/06/25 16:11:35 | 000,028,314 | ---- | C] () -- C:\Users\Kyle Clark\AppData\Roaming\nvModes.dat
[2011/06/25 16:11:23 | 000,035,978 | ---- | C] () -- C:\Windows\DIIUnin.dat

========== LOP Check ==========

[2012/02/25 18:02:36 | 000,000,000 | ---D | M] -- C:\Users\Kyle Clark\AppData\Roaming\AVG2012
[2011/11/25 17:38:29 | 000,000,000 | ---D | M] -- C:\Users\Kyle Clark\AppData\Roaming\LolClient
[2011/07/05 22:43:15 | 000,000,000 | ---D | M] -- C:\Users\Kyle Clark\AppData\Roaming\OpenOffice.org
[2011/12/09 01:08:14 | 000,000,000 | ---D | M] -- C:\Users\Kyle Clark\AppData\Roaming\SystemRequirementsLab
[2011/06/28 22:43:53 | 000,000,000 | ---D | M] -- C:\Users\Kyle Clark\AppData\Roaming\Trillian
[2012/02/11 04:05:16 | 000,000,000 | ---D | M] -- C:\Users\Kyle Clark\AppData\Roaming\uTorrent
[2012/03/25 14:01:23 | 000,032,636 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Custom Scans ==========

< %systemroot%\*. /mp /s >

< %systemroot%\*. /rp /s >

< %SYSTEMDRIVE%\*.exe >

< %LOCALAPPDATA%\*.exe >

< MD5 for: EXPLORER.EXE >
[2008/10/28 23:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008/10/28 23:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008/10/29 20:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2009/04/10 23:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\ERDNT\cache\explorer.exe
[2009/04/10 23:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009/04/10 23:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2008/10/27 19:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2006/11/02 02:45:07 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=FD8C53FB002217F6F888BCF6F5D7084D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe
[2008/01/18 23:33:12 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: SVCHOST.EXE >
[2006/11/02 02:45:47 | 000,022,016 | ---- | M] (Microsoft Corporation) MD5=10DA15933D582D2FEDCF705EFE394B09 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6000.16386_none_b38497a50862ad11\svchost.exe
[2008/01/18 23:33:34 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\ERDNT\cache\svchost.exe
[2008/01/18 23:33:34 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\System32\svchost.exe
[2008/01/18 23:33:34 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/01/18 23:33:34 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\ERDNT\cache\userinit.exe
[2008/01/18 23:33:34 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008/01/18 23:33:34 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
[2006/11/02 02:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe

< MD5 for: WINLOGON.EXE >
[2009/04/10 23:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\ERDNT\cache\winlogon.exe
[2009/04/10 23:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009/04/10 23:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2006/11/02 02:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe
[2008/01/18 23:33:38 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Roaming -> Junction
[C:\Windows\System32\config\systemprofile\Local Settings] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction

< End of report >

OTL Extras logfile created on: 3/25/2012 4:31:16 PM - Run 2
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Users\Kyle Clark\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.03 Gb Available Physical Memory | 67.74% Memory free
6.19 Gb Paging File | 5.39 Gb Available in Paging File | 87.06% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 78.76 Gb Free Space | 26.42% Space Free | Partition Type: NTFS

Computer Name: KYLECLARK-PC | User Name: Kyle Clark | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-474303697-943411777-899299439-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{F720682F-DB16-4337-852A-A56D67A2E1C3}" = rport=427 | protocol=17 | dir=in | svc=hpslpsvc | app=c:\windows\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{000AC8B9-0085-4192-8F59-A39EF43C490A}" = protocol=6 | dir=in | app=c:\clark\program files (x86)\steam\steam.exe | 
"{0299E9E4-B4B9-4C3B-8FF2-AC235168F862}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpiscnapp.exe | 
"{05633377-4911-4271-A88C-67A0617BD781}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe | 
"{28ADEDE1-A4D5-42D8-9B05-BF7C283C4059}" = protocol=6 | dir=in | app=c:\windows\system32\svchost.exe | 
"{28ADEDE1-A4D5-42D8-9B05-BF7C283C4060}" = protocol=6 | dir=out | app=c:\windows\system32\svchost.exe | 
"{2E1D8BD4-5A4F-4083-9035-A9A3EF9C1AD2}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe | 
"{2E7688D4-7C4A-4010-959E-3212CAECAE51}" = protocol=6 | dir=in | app=c:\clark\program files (x86)\steam\steam.exe | 
"{44C3C383-007C-477E-BDE1-B7DB1E3F889C}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe | 
"{5866B153-2D5C-4BA1-9533-E3C72014095E}" = dir=in | app=c:\program files\pando networks\media booster\pmb.exe | 
"{59C0AA79-BDC3-4B6A-A896-7EE10BC138D7}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe | 
"{5A062D8E-83E4-4E0A-9573-222B93961332}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{67EAAFF8-302C-45FC-8270-4400D79BB304}" = dir=in | app=c:\users\kylecl~1\appdata\local\temp\7zs25fc\setup\hpznui01.exe | 
"{8F13112E-BAB1-45F9-8772-A334E136D294}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{905B5F4C-5A2F-4D3C-976D-05DDEC51AC31}" = dir=in | app=c:\program files\itunes\itunes.exe | 
"{973676B6-2252-4140-9899-CD4B639B2A8A}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe | 
"{A18DA36E-483A-4355-9554-23068BD7537F}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe | 
"{C3C3B4AC-C6C1-4A40-A6C5-6AD8EF7A1223}" = protocol=17 | dir=in | app=c:\clark\program files (x86)\steam\steam.exe | 
"{D76D3CB2-1330-478B-88BA-E2B75FC2F5F7}" = protocol=17 | dir=in | app=c:\clark\program files (x86)\steam\steam.exe | 
"{DF1FE973-FF58-4ED2-AA88-FE6E237A8ECE}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpfccopy.exe | 
"{ECAFF674-497A-4A1A-96B7-63655698AA6A}" = dir=in | app=c:\program files\pando networks\media booster\pmb.exe | 
"{EEED4B3D-7B40-4847-9071-283E5CABF588}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqkygrp.exe | 
"TCP Query User{1B132177-414E-4B45-88D5-EC302340C028}C:\clark\program files (x86)\steam\steamapps\mr_halloween\team fortress 2\hl2.exe" = protocol=6 | dir=in | app=c:\clark\program files (x86)\steam\steamapps\mr_halloween\team fortress 2\hl2.exe | 
"TCP Query User{54857479-C01A-438C-9CC3-BC4416A5C3D1}C:\clark\program files (x86)\steam\steamapps\kyleclarkk\team fortress 2\hl2.exe" = protocol=6 | dir=in | app=c:\clark\program files (x86)\steam\steamapps\kyleclarkk\team fortress 2\hl2.exe | 
"TCP Query User{E45D57F5-30B4-47AA-A7DD-1CF79BBBE715}C:\program files\heroes of newerth\hon.exe" = protocol=6 | dir=in | app=c:\program files\heroes of newerth\hon.exe | 
"TCP Query User{E904B104-3F37-4517-9903-3A4E4E5480F0}C:\program files\trillian\trillian.exe" = protocol=6 | dir=in | app=c:\program files\trillian\trillian.exe | 
"UDP Query User{080D9CEC-65E1-433B-9237-EB20C8B50F9F}C:\program files\heroes of newerth\hon.exe" = protocol=17 | dir=in | app=c:\program files\heroes of newerth\hon.exe | 
"UDP Query User{2AA9BFD1-8481-40D2-A34E-72A1DC8FCD4B}C:\clark\program files (x86)\steam\steamapps\mr_halloween\team fortress 2\hl2.exe" = protocol=17 | dir=in | app=c:\clark\program files (x86)\steam\steamapps\mr_halloween\team fortress 2\hl2.exe | 
"UDP Query User{37751300-D59A-49EB-A172-3F4E6C4FABF2}C:\clark\program files (x86)\steam\steamapps\kyleclarkk\team fortress 2\hl2.exe" = protocol=17 | dir=in | app=c:\clark\program files (x86)\steam\steamapps\kyleclarkk\team fortress 2\hl2.exe | 
"UDP Query User{B9AE71B8-651D-4760-9438-E7DF99EC1DBC}C:\program files\trillian\trillian.exe" = protocol=17 | dir=in | app=c:\program files\trillian\trillian.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0BC4864E-72C5-472D-8692-0E5971E0BD36}" = BPDSoftware_Ini
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{10829556-7C82-4a83-8C81-F2D98472C76B}" = H470
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java(TM) 6 Update 22
"{26A24AE4-039D-4CA4-87B4-2F83216026FF}" = Java(TM) 6 Update 26
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{39098402-3F7A-4257-A4AE-FC1181D1B40B}" = Camera Assistant Software for Gateway
"{3B11D799-48E0-48ED-BFD7-EA655676D8BB}" = Star Wars: The Old Republic
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{42BBA4CC-EFB6-4653-A2CC-F305D4B399C3}" = PS_AIO_07_D110_SW_Min
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{60FFB3E0-6D5B-4D73-AE5B-07E58B83AF0C}" = 32 Bit HP CIO Components Installer
"{6673E0F4-D376-431b-A6F4-18D1B86B4A89}" = BPDSoftware
"{6B349DE1-590D-4506-B272-9115EC31F7D2}" = 470_Help
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7F6D7FD9-648D-4DD9-BB6E-3990C675ECA4}" = NVIDIA PhysX
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 285.62
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 285.62
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.11.0621
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.5.20
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{BA72A4E3-D2D0-4203-A17E-E53012B8807C}" = BPD_HPSU
"{BBFB2E59-B0DB-42C8-8F4D-CF4E85471667}" = Toolbox
"{BD1587F7-B8D0-4111-8F1F-3327628AB02F}" = 3531-W-D
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
"{C631FB9D-81D2-4E4E-A688-901AC748322D}" = O2Micro Flash Memory Card Reader Driver
"{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update
"{C897FCB3-2F8B-4185-8035-79E2AF3A92A4}" = iTunes
"{C975D391-7BF6-44A0-A4FF-EDF3CFD88F68}" = ArcSoft MediaImpression for Kodak
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{E022C318-BAC9-468D-8731-3C5EE63C7743}" = 470_Readme
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{EE5F0136-2C7C-42a7-B1B0-5F12D107A0EE}" = ProductContext
"{F80BD4BC-06B8-488E-A62E-C4755013DD71}" = Network
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"CCleaner" = CCleaner
"Diablo II" = Diablo II
"hon" = Heroes of Newerth
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.27)" = Mozilla Firefox (3.6.27)
"ShortKeys 3" = ShortKeys 3
"Steam App 1250" = Killing Floor
"Steam App 380" = Half-Life 2: Episode One
"Steam App 420" = Half-Life 2: Episode Two
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"SystemRequirementsLab" = System Requirements Lab
"Trillian" = Trillian
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.1.11
"Winamp" = Winamp

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-474303697-943411777-899299439-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Mozilla Firefox (3.6.28)" = Mozilla Firefox (3.6.28)
"SwiftKit" = SwiftKit

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/15/2012 5:32:06 PM | Computer Name = KyleClark-PC | Source = ESENT | ID = 455
Description = wuaueng.dll (1020) SUS20ClientDataStore: Error -1032 (0xfffffbf8) 
occurred while opening logfile C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 3/15/2012 5:32:16 PM | Computer Name = KyleClark-PC | Source = ESENT | ID = 490
Description = wuaueng.dll (1020) SUS20ClientDataStore: An attempt to open the file
"C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk" for read / write access
failed with system error 5 (0x00000005): "Access is denied. ". The open file operation
will fail with error -1032 (0xfffffbf8).

Error - 3/15/2012 5:32:26 PM | Computer Name = KyleClark-PC | Source = ESENT | ID = 489
Description = wuaueng.dll (1020) SUS20ClientDataStore: An attempt to open the file
"C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed
with system error 5 (0x00000005): "Access is denied. ". The open file operation
will fail with error -1032 (0xfffffbf8).

Error - 3/15/2012 5:32:26 PM | Computer Name = KyleClark-PC | Source = ESENT | ID = 455
Description = wuaueng.dll (1020) SUS20ClientDataStore: Error -1032 (0xfffffbf8) 
occurred while opening logfile C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 3/15/2012 5:32:36 PM | Computer Name = KyleClark-PC | Source = ESENT | ID = 489
Description = wuaueng.dll (1020) SUS20ClientDataStore: An attempt to open the file
"C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed
with system error 5 (0x00000005): "Access is denied. ". The open file operation
will fail with error -1032 (0xfffffbf8).

Error - 3/15/2012 5:32:36 PM | Computer Name = KyleClark-PC | Source = ESENT | ID = 455
Description = wuaueng.dll (1020) SUS20ClientDataStore: Error -1032 (0xfffffbf8) 
occurred while opening logfile C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 3/15/2012 5:36:45 PM | Computer Name = KyleClark-PC | Source = EventSystem | ID = 4609
Description =

Error - 3/15/2012 5:50:29 PM | Computer Name = KyleClark-PC | Source = EventSystem | ID = 4609
Description =

Error - 3/15/2012 6:03:59 PM | Computer Name = KyleClark-PC | Source = EventSystem | ID = 4609
Description =

Error - 3/15/2012 6:14:16 PM | Computer Name = KyleClark-PC | Source = EventSystem | ID = 4609
Description =

[ System Events ]
Error - 9/8/2011 4:40:20 PM | Computer Name = KyleClark-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/9/2011 6:46:04 PM | Computer Name = KyleClark-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/10/2011 3:28:29 PM | Computer Name = KyleClark-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/10/2011 3:28:55 PM | Computer Name = KyleClark-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 9/10/2011 3:28:55 PM | Computer Name = KyleClark-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/12/2011 4:28:22 PM | Computer Name = KyleClark-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/13/2011 10:19:19 AM | Computer Name = KyleClark-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/14/2011 4:11:36 PM | Computer Name = KyleClark-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/15/2011 12:12:39 PM | Computer Name = KyleClark-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 9/16/2011 6:42:11 PM | Computer Name = KyleClark-PC | Source = BTHUSB | ID = 327697
Description = The local Bluetooth adapter has failed in an undetermined manner and
will not be used. The driver has been unloaded.

< End of report >

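Reading a firewall-exception list like the one above by hand is slow. As an added example (not code from OTL or from anyone in this thread), this Python snippet parses OTL's `"name" = key=value | ... |` rule lines and flags inbound allow rules for executables that live under a temp directory, or that are not pinned to TCP or UDP; the sample lines are copied from the log above, and the flagging heuristics are my own.

```python
"""Triage an OTL 'Vista Active Application Exception List' section.

Every rule line looks like
    "<rule name>" = key=value | key=value | ... |
Keys seen in OTL logs include protocol (6=TCP, 17=UDP), dir, app, svc and
rport. A missing protocol key means the rule matches any protocol.
Added example; not code from OTL or from the thread.
"""
import re
from typing import Dict, List, Optional

RULE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<body>.*)$')
PROTO_NAMES = {"6": "TCP", "17": "UDP", "any": "any"}
# Path fragments that mark a user-writable scratch location (heuristic).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

# Sample lines copied from the OTL log in this thread.
SAMPLE_RULES = r'''
"{F720682F-DB16-4337-852A-A56D67A2E1C3}" = rport=427 | protocol=17 | dir=in | svc=hpslpsvc | app=c:\windows\system32\svchost.exe |
"{000AC8B9-0085-4192-8F59-A39EF43C490A}" = protocol=6 | dir=in | app=c:\clark\program files (x86)\steam\steam.exe | 
"{0299E9E4-B4B9-4C3B-8FF2-AC235168F862}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpiscnapp.exe | 
"{67EAAFF8-302C-45FC-8270-4400D79BB304}" = dir=in | app=c:\users\kylecl~1\appdata\local\temp\7zs25fc\setup\hpznui01.exe | 
"TCP Query User{E904B104-3F37-4517-9903-3A4E4E5480F0}C:\program files\trillian\trillian.exe" = protocol=6 | dir=in | app=c:\program files\trillian\trillian.exe | 
'''.strip().splitlines()


def parse_rule(line: str) -> Optional[Dict[str, str]]:
    """Parse one rule line into a dict of lower-cased fields; None if not a rule."""
    match = RULE_RE.match(line.strip())
    if not match:
        return None
    rule = {"name": match.group("name")}
    for field in match.group("body").split("|"):
        field = field.strip()
        if "=" in field:
            key, value = field.split("=", 1)
            rule[key.strip().lower()] = value.strip().lower()
    rule.setdefault("protocol", "any")  # OTL omits the key for any-protocol rules
    return rule


def flag_rule(rule: Dict[str, str]) -> List[str]:
    """Return human-readable reasons why an inbound rule deserves a second look."""
    reasons: List[str] = []
    if rule.get("dir") != "in":
        return reasons
    app = rule.get("app", "")
    if any(marker in app for marker in TEMP_MARKERS):
        reasons.append("inbound allow for an executable in a temp directory")
    if rule["protocol"] == "any":
        reasons.append("inbound allow not restricted to TCP or UDP")
    return reasons


def triage(lines: List[str]) -> Dict[str, object]:
    """Summarise rules per executable and list the ones flag_rule() objects to."""
    rules = [r for r in map(parse_rule, lines) if r is not None]
    per_app: Dict[str, int] = {}
    findings = []
    for rule in rules:
        app = rule.get("app", "<no app>")
        per_app[app] = per_app.get(app, 0) + 1
        reasons = flag_rule(rule)
        if reasons:
            findings.append({"name": rule["name"], "app": app,
                             "protocol": PROTO_NAMES.get(rule["protocol"], rule["protocol"]),
                             "reasons": reasons})
    return {"rule_count": len(rules), "per_app": per_app, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_RULES)
    print(f"{report['rule_count']} rules, {len(report['findings'])} flagged")
    for finding in report["findings"]:
        print(f"  {finding['app']} ({finding['protocol']}): {'; '.join(finding['reasons'])}")
```

Stale rules for installers that ran out of a temp folder, like the HP one above, can simply be deleted from the Windows Firewall rule list once the cleanup is done.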

----------



## kevinf80 (Mar 21, 2006)

Thanks to Larusso for this fix, I`ve attached a zip file to this reply. Unzip it to your Desktop, double click on the file to merge into the registry, agree any alerts.

Re-boot when finished and re-run Combofix, post the new CF log in next reply....

Thanks,

Kevin......


----------



## kevinf80 (Mar 21, 2006)

OOPS, forgot the file, been a very long day, nearly 2 am for me... zip file attached..


----------



## MrMurdstone (Mar 7, 2012)

ComboFix 12-03-22.01 - Kyle Clark 03/25/2012 18:09:41.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.2308 [GMT -7:00]
Running from: c:\users\Kyle Clark\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-26 to 2012-03-26 )))))))))))))))))))))))))))))))
.
.
2012-03-26 01:18 . 2012-03-26 01:18 -------- d-----w- c:\users\Kyle Clark\AppData\Local\temp
2012-03-26 01:18 . 2012-03-26 01:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-25 20:26 . 2008-01-19 04:55 184320 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-25 02:01 . 2012-03-25 02:01 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-11 22:42 . 2012-03-11 22:42 -------- d-----w- C:\_OTM
2012-03-02 00:54 . 2009-04-11 04:39 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-02 00:52 . 2006-11-02 08:57 68096 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-03-01 07:42 . 2012-03-02 00:48 -------- d-----w- c:\program files\Google
2012-03-01 07:39 . 2012-03-05 00:44 -------- d-----w- c:\programdata\AVAST Software
2012-02-26 01:02 . 2012-02-26 01:02 -------- d-----w- c:\users\Kyle Clark\AppData\Roaming\AVG2012
2012-02-25 21:06 . 2012-02-29 22:36 -------- d-----w- c:\programdata\AVG2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-25 02:03 . 2011-06-25 22:56 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-12 19:52 . 2012-02-16 22:14 2044416 ----a-w- c:\windows\system32\win32k.sys
2011-12-27 02:02 . 2011-06-25 22:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-06-29 638976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe" [2011-12-27 247968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ShortKeys 3.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ShortKeys 3.lnk
backup=c:\windows\pss\ShortKeys 3.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Kyle Clark^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\users\Kyle Clark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-10-28 02:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft MediaImpression Monitor]
2010-12-16 01:03 80448 ----a-w- c:\program files\Kodak\MediaImpression\ArcMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 19:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-12-09 10:45 74752 ----a-w- c:\program files\Winamp\winampa.exe
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Kyle Clark\AppData\Roaming\Mozilla\Firefox\Profiles\ohhvwtv6.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-25 18:18
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\internet explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_USERS\.Default\Software\Microsoft\internet explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:e0,53,a0,4e,fc,f3,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\internet explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,41,f7,b8,23,2b,ae,41,b0,69,07,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,41,f7,b8,23,2b,ae,41,b0,69,07,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-03-25 18:21:00
ComboFix-quarantined-files.txt 2012-03-26 01:20
ComboFix2.txt 2012-03-25 20:45
.
Pre-Run: 84,556,791,808 bytes free
Post-Run: 84,521,316,352 bytes free
.
- - End Of File - - C307CB10C16FFD7F891BEF0B84F2A79F

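The ComboFix log above shows netbt.sys, tdx.sys and afd.sys freshly re-copied into system32\drivers, which is the network-stack damage behind the original "no internet" symptom. As an added example (not ComboFix's or the thread's code), this Python snippet parses the `Files Created` / `Find3M` entry lines and lists drivers whose two timestamps are far apart, the pattern a replaced OS driver leaves; it treats the two timestamps generically rather than asserting which is creation and which is last-write, and tcpip.sys in the network-stack set is my addition.

```python
"""Pick out replaced system drivers from ComboFix 'Files Created' / 'Find3M' lines.

Each entry is
    <timestamp> . <timestamp> <size|--------> <attrs> <path>
ComboFix prints two timestamps per entry. For an OS driver that has just been
re-copied onto disk they typically differ by years: one is recent, the other
dates from the original OS build. Added example, not ComboFix code.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

ENTRY_RE = re.compile(
    r"^(?P<ts_a>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts_b>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Vista TCP/IP stack drivers. netbt, tdx and afd appear in this thread;
# tcpip.sys is added here (assumption) because the stack cannot run without it.
NETWORK_STACK = {"netbt.sys", "tdx.sys", "afd.sys", "tcpip.sys"}

# Sample entries copied from the ComboFix log in this thread.
SAMPLE_ENTRIES = r"""
2012-03-26 01:18 . 2012-03-26 01:18 -------- d-----w- c:\users\Kyle Clark\AppData\Local\temp
2012-03-25 20:26 . 2008-01-19 04:55 184320 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-02 00:54 . 2009-04-11 04:39 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-02 00:52 . 2006-11-02 08:57 68096 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-03-25 02:03 . 2011-06-25 22:56 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-12 19:52 . 2012-02-16 22:14 2044416 ----a-w- c:\windows\system32\win32k.sys
""".strip().splitlines()


def parse_entry(line: str) -> Optional[Dict[str, object]]:
    """Parse one ComboFix entry line; None for headers, dots and other noise."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    fmt = "%Y-%m-%d %H:%M"
    return {
        "ts_a": datetime.strptime(m.group("ts_a"), fmt),
        "ts_b": datetime.strptime(m.group("ts_b"), fmt),
        "size": None if m.group("size").startswith("-") else int(m.group("size")),
        "is_dir": m.group("attrs").startswith("d"),
        "path": m.group("path"),
    }


def replaced_drivers(lines: List[str], min_gap_days: int = 180) -> List[Dict[str, object]]:
    """Drivers under system32\\drivers whose two timestamps are >= min_gap_days apart."""
    found = []
    for entry in filter(None, map(parse_entry, lines)):
        path = str(entry["path"]).lower()
        if entry["is_dir"] or not path.startswith(DRIVER_DIR) or not path.endswith(".sys"):
            continue
        gap = abs((entry["ts_a"] - entry["ts_b"]).days)
        if gap < min_gap_days:
            continue
        name = path.rsplit("\\", 1)[-1]
        found.append({
            "driver": name,
            "gap_days": gap,
            "size": entry["size"],
            "network_stack": name in NETWORK_STACK,
            "newest": max(entry["ts_a"], entry["ts_b"]).strftime("%Y-%m-%d"),
        })
    return sorted(found, key=lambda d: d["driver"])


if __name__ == "__main__":
    for d in replaced_drivers(SAMPLE_ENTRIES):
        tag = "network stack" if d["network_stack"] else "other"
        print(f"{d['driver']:<12} touched {d['newest']}  gap {d['gap_days']:>5} days  ({tag})")
```

Each driver this lists is one to verify against a known-good copy from the same OS build (sfc or install media) rather than trusting the restored file on sight.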

----------



## kevinf80 (Mar 21, 2006)

Well that certainly looks promising, OK do the following :-

*Step 1*

Re-Run OTL by double left click, Vista and Windows 7 users right click and select Run as Administrator.

Under the Custom Scans/Fixes box at the bottom, paste in the following


```
:OTL
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
IE - HKU\S-1-5-21-474303697-943411777-899299439-1001\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
[2012/01/10 21:13:36 | 000,011,824 | -HS- | C] () -- C:\Users\Kyle Clark\AppData\Local\b10ya0b81g
[2012/01/10 21:13:36 | 000,011,824 | -HS- | C] () -- C:\ProgramData\b10ya0b81g
[2011/12/23 19:41:32 | 000,010,842 | -HS- | C] () -- C:\Users\Kyle Clark\AppData\Local\637137n7y858v116t034c5egj2p7
[2011/12/23 19:41:32 | 000,010,842 | -HS- | C] () -- C:\ProgramData\637137n7y858v116t034c5egj2p7
[2011/12/09 17:52:19 | 000,011,562 | -HS- | C] () -- C:\Users\Kyle Clark\AppData\Local\t6le76k8mp5pca
[2011/12/09 17:52:19 | 000,011,562 | -HS- | C] () -- C:\ProgramData\t6le76k8mp5pca
[2012/02/25 17:36:09 | 000,000,112 | ---- | M] () -- C:\ProgramData\QlgfDmdWO.dat
:Files
ipconfig /flushdns /c
:commands
[emptytemp]
[resethosts]
[CREATERESTOREPOINT]
[Reboot]
```

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Post the log it produces in your next reply.

*Step 2*

Please download *Malwarebytes* Anti-Malware and save it to your desktop.
*Alternative D/L mirror*
*Alternative D/L mirror*

Double Click mbam-setup.exe to install the application.

- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

*Step 3*

Run this online Quickscan by BitDefender, available here: http://quickscan.bitdefender.com/# . Hit the Scan Now tab; when finished there is an option to "view report", do that. Hover your cursor over "view report" and it will open; copy and paste to next reply....

*Step 4*

Download Security Check by screen317 from *HERE* or *HERE*.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me see the following in your reply:

- Log from OTL fix
- Log from Malwarebytes
- Log from BitDefender
- Log from Security Checks

Also give an update on current issues/concerns and how your system is responding.

Kevin


----------



## MrMurdstone (Mar 7, 2012)

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
Registry key HKEY_USERS\S-1-5-21-474303697-943411777-899299439-1001\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
C:\Users\Kyle Clark\AppData\Local\b10ya0b81g moved successfully.
C:\ProgramData\b10ya0b81g moved successfully.
C:\Users\Kyle Clark\AppData\Local\637137n7y858v116t034c5egj2p7 moved successfully.
C:\ProgramData\637137n7y858v116t034c5egj2p7 moved successfully.
C:\Users\Kyle Clark\AppData\Local\t6le76k8mp5pca moved successfully.
C:\ProgramData\t6le76k8mp5pca moved successfully.
C:\ProgramData\QlgfDmdWO.dat moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Kyle Clark\Desktop\cmd.bat deleted successfully.
C:\Users\Kyle Clark\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Kyle Clark
->Temp folder emptied: 31832 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 30989025 bytes
->FireFox cache emptied: 113273568 bytes
->Google Chrome cache emptied: 6493131 bytes
->Flash cache emptied: 20573 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UpdatusUser

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 593920 bytes

Total Files Cleaned = 144.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.39.2 log created on 03262012_125406

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.26.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Kyle Clark :: KYLECLARK-PC [administrator]

3/26/2012 1:04:34 PM
mbam-log-2012-03-26 (13-04-34).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198975
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

BitDefender's log was blank.

Results of screen317's Security Check version 0.99.32 
Windows Vista Service Pack 2 x86 (UAC is enabled) 
Internet Explorer 9 
*`````````````````````````````` 
Antivirus/Firewall Check:* 
Windows Firewall Enabled! 
WMI entry may not exist for antivirus; attempting automatic update. 
*``````````````````````````````` 
Anti-malware/Other Utilities Check:* 
CCleaner 
Java(TM) 6 Update 22 
Java(TM) 6 Update 26 
*Java version out of date!* 
Adobe Flash Player 10.3.181.26 *Flash Player out of Date!* 
Adobe Reader X 10.1.0 *Adobe Reader out of Date!* 
Mozilla Firefox (3.6.27) *Firefox out of Date!* 
*```````````````````````````````` 
Process Check: 
objlist.exe by Laurent* 
*``````````End of Log````````````*

Everything seems to be running great. Just wondering about the programs like iTunes that say "The item that this shortcut refers to has been changed or moved, so this shortcut will no longer work properly."


----------



## kevinf80 (Mar 21, 2006)

I do not see an Anti-Virus program listed in Security Checks, do you have one installed?

Regarding the shortcut issue, right click on the shortcut, select "properties" you should be able to see the "Target" and "Start in" that will tell where the executable resides, will be something like C:\Program files\name of program
If the executable is not there, or the program is not there, you`ll have to re-install it....

There are some updates to complete, i`d rather sort the AV issue out first...

Kevin


----------



## MrMurdstone (Mar 7, 2012)

Nope I don't have one anymore. Which one would be good to install?

When I go to the file it says "You don't currently have permission to access that folder." Should I just re-install those ones?


----------



## kevinf80 (Mar 21, 2006)

Any programs that have ceased working will have to be reinstalled, you did have a considerable amount of infected files on your system.

This is an excellent free version AV, I use it myself...

To keep safe when online you need a good *Antivirus/Antispyware/Antimalware/Anti-Rootkit* combination application. *Microsoft Security Essentials* covers all of those bases, but better still it is free. Go *Here* and hit the "Download free" tab, follow the prompts. Once installed it will want to update and carry out a quick scan, allow that to happen.

Let me know if the Quick scan flags anything, you will not get a log as such but can check under the History tab from the main interface...

Go *Here* for information that will show you how to install and use MSE.

If the MSE scan is clean we can clean up tools etc and update the apps highlighted by Security Check, this has been a bit of a journey for sure....

Kevin


----------



## MrMurdstone (Mar 7, 2012)

Okay thanks, I installed it and no threats were detected.

Indeed it has been. Thank you so much. You are a master


----------



## kevinf80 (Mar 21, 2006)

OK, do the following:

*Step 1*

Remove Combofix now that we're done with it

Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")

- Please follow the prompts to uninstall Combofix.
- You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

The above procedure will delete the following:

- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\_OtMoveIt folder, if present
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Reset System Restore.

*It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.*

*Step 2*

Download *OTC* by OldTimer and save it to your *desktop.* *Alternative mirror*
Double click the OTC icon to start the program.
If you are using Vista or Windows 7, please right-click and choose run as administrator
Then Click the big CleanUp! button.
You will get a prompt saying "_Beginning Cleanup Process_". Please select *Yes*.
Restart your computer when prompted.
This will remove tools we have used and itself. *Any tools/logs remaining on the Desktop can be deleted.*

*Step 3*

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack and exploitation.

Please go to the link below to update.

*Adobe Reader* Untick the Free McAfee® Security Scan Plus (optional) not required..

*Step 4*

Your Adobe Flash Player is out of date. Older versions are vulnerable to attack and exploitation
Please go to the link below to update.
*Adobe Flash Player* Untick the Free McAfee® Security Scan Plus (optional) not required...

*Step 5*

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. 
For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. 
The most current version of Sun Java is: Java Runtime Environment Version 6 Update 31.

- Go to *Sun Java*
- Select *Windows 7/XP/Vista/2000/2003/2008*. If using 64 bit OS select *Information about the 64-bit Java plug-in* and follow prompts
- Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
- Reboot your computer

Once Java is installed check in Programs and Features, make sure the old versions are removed, Java 6 update 22 and 26...

*Step 6*

I see you have CCleaner installed, now would be a good time to run the cleaner section...

Let me know if those steps complete OK, also if any remaining issues or concerns...

Thanks,

Kevin


----------



## MrMurdstone (Mar 7, 2012)

Everything worked except I got these errors when trying to install Adobe Reader and Java

Error 1317 An error occurred while attempting to create the directory C:\Program Files\Adobe\Reader 10.0


The wizard was interrupted before Java(TM) 6 Update 31 could be completely installed. To complete installation at another time, please run setup again.


----------



## kevinf80 (Mar 21, 2006)

I believe Error 1317 is a permission issue, re-download the installer for adobe, save it to your Desktop. Right click on the file and select "run as administrator" see if that helps.

If that works for Adobe try the same with Java.....


----------



## MrMurdstone (Mar 7, 2012)

Nope, I still can't get it to work. I don't think it should be a big deal though


----------



## kevinf80 (Mar 21, 2006)

Reading at the Adobe site, that fault can occur if there are any references to the old installation still on the system.

Run the following to see what is still onboard, once found we can remove it and try a fresh install:

download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
:regfind
adobe.exe
:filefind
adobe.*
:folderfind
*adobe*
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## MrMurdstone (Mar 7, 2012)

SystemLook 30.07.11 by jpshortstuff
Log created at 11:01 on 27/03/2012 by Kyle Clark
Administrator - Elevation successful

========== regfind ==========

Searching for "adobe.exe"
No data found.

========== filefind ==========

Searching for "adobe.*"
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\Adobe.Reader.Dependencies.manifest --a---- 1472 bytes [23:46 22/06/2011] [20:49 10/11/2010] 57557175D027C27266DE4A6566F87F6F

========== folderfind ==========

Searching for "*adobe*"
C:\Clark\Program Files (x86)\Adobe d------ [23:46 22/06/2011]
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\TypeSupport\Unicode\Mappings\Adobe d------ [23:46 22/06/2011]
C:\Clark\Program Files (x86)\Common Files\Adobe d------ [23:44 22/06/2011]
C:\Clark\Program Files (x86)\Common Files\Adobe AIR d------ [23:44 22/06/2011]
C:\Clark\Users\Kyle\AppData\Local\Adobe d------ [22:09 22/06/2011]
C:\Clark\Users\Kyle\AppData\Local\Temp\Adobe d------ [22:08 22/06/2011]
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe d------ [22:07 22/06/2011]
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary d------ [22:07 22/06/2011]
C:\Clark\Users\Kyle\AppData\Roaming\Adobe d------ [22:06 22/06/2011]
C:\Documents and Settings\All Users\Adobe d------ [06:41 04/08/2011]
C:\Documents and Settings\All Users\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Documents and Settings\All Users\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Documents and Settings\Kyle Clark\AppData\Local\Adobe d------ [06:41 04/08/2011]
C:\Documents and Settings\Kyle Clark\AppData\LocalLow\Adobe d------ [06:28 24/08/2011]
C:\Documents and Settings\Kyle Clark\AppData\LocalLow\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary d------ [03:41 17/02/2012]
C:\Documents and Settings\Kyle Clark\AppData\Roaming\Adobe d------ [22:21 25/06/2011]
C:\Program Files\Adobe d------ [06:41 04/08/2011]
C:\Program Files\Common Files\Adobe d------ [06:43 04/08/2011]
C:\Program Files\Common Files\Adobe AIR d------ [06:41 04/08/2011]
C:\ProgramData\Adobe d------ [06:41 04/08/2011]
C:\ProgramData\Application Data\Adobe d------ [06:41 04/08/2011]
C:\ProgramData\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\ProgramData\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Users\All Users\Adobe d------ [06:41 04/08/2011]
C:\Users\All Users\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Users\All Users\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Users\All Users\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe d------ [06:41 04/08/2011]
C:\Users\Kyle Clark\AppData\Local\Adobe d------ [06:41 04/08/2011]
C:\Users\Kyle Clark\AppData\LocalLow\Adobe d------ [06:28 24/08/2011]
C:\Users\Kyle Clark\AppData\LocalLow\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary d------ [03:41 17/02/2012]
C:\Users\Kyle Clark\AppData\Roaming\Adobe d------ [22:21 25/06/2011]

-= EOF =-

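The folderfind output above lists the same Adobe folder many times under paths such as C:\ProgramData\Application Data\Application Data\...; on Vista those are the compatibility junctions (C:\Documents and Settings -> C:\Users, and both C:\Users\All Users and C:\ProgramData\Application Data -> C:\ProgramData) being followed recursively, not separate copies. The PowerShell script below is an added example, not part of the original thread and not SystemLook's own code: it searches the usual install and profile roots for folders matching *adobe*, refuses to descend into reparse points, and reports each hit's owner and whether the Administrators group holds Full Control. It assumes Windows PowerShell 2.0 (an optional update on Vista) and an elevated prompt; the root list is an assumption.

```powershell
# Added example, not from the original thread or from SystemLook.
# Lists folders matching *adobe* under the usual install/profile roots without
# descending into reparse points, so Vista's compatibility junctions
# (C:\Documents and Settings -> C:\Users, C:\Users\All Users and
# C:\ProgramData\Application Data -> C:\ProgramData) are reported once instead
# of as the nested "Application Data\Application Data\..." entries above.
# Assumes Windows PowerShell 2.0 and an elevated prompt. Roots are an assumption.

$Roots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:ProgramData,
    (Join-Path $env:USERPROFILE 'AppData')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Find-FolderNoJunctions {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $NamePattern
    )
    $children = Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }
    foreach ($dir in $children) {
        $isLink = (($dir.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)
        if ($dir.Name -like $NamePattern) {
            New-Object PSObject -Property @{ Path = $dir.FullName; Junction = $isLink }
        }
        # Never recurse through a junction/symlink: that is what produced the
        # repeated paths in the SystemLook log.
        if (-not $isLink) {
            Find-FolderNoJunctions -Path $dir.FullName -NamePattern $NamePattern
        }
    }
}

function Get-FolderAccessReport {
    param([Parameter(Mandatory=$true)] $Hit)
    # Owner and whether BUILTIN\Administrators hold an Allow FullControl ACE;
    # folders an elevated installer cannot create into (Error 1317) stand out here.
    $acl = Get-Acl -LiteralPath $Hit.Path -ErrorAction SilentlyContinue
    $adminFull = $false
    $owner = '(access denied)'
    if ($acl) {
        $owner = $acl.Owner
        $adminFull = [bool]($acl.Access | Where-Object {
            $_.IdentityReference -eq 'BUILTIN\Administrators' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band [Security.AccessControl.FileSystemRights]::FullControl) -eq
             [Security.AccessControl.FileSystemRights]::FullControl)
        })
    }
    New-Object PSObject -Property @{
        Path = $Hit.Path; Junction = $Hit.Junction; Owner = $owner; AdminsFullControl = $adminFull
    }
}

$hits = foreach ($root in $Roots) { Find-FolderNoJunctions -Path $root -NamePattern '*adobe*' }
$hits | ForEach-Object { Get-FolderAccessReport -Hit $_ } |
    Format-Table Path, Junction, Owner, AdminsFullControl -AutoSize
```

A hit whose owner is not Administrators or TrustedInstaller, or where AdminsFullControl is False, is the folder to look at before retrying the installer; a hit flagged Junction is only an alias and should be left alone, since deleting through it would remove the target folder's contents.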

----------



## kevinf80 (Mar 21, 2006)

Run the following and try Adobe again....

Please download *OTM by OldTimer*.
*Alternative Mirror 1*
*Alternative Mirror 2* 
Save it to your desktop. 
Double click *OTM.exe* to start the tool. Vista or Windows 7 users right click and select Run as Administrator. Be aware all processes will be stopped during the run, also the Desktop will disappear; this will be put back on completion....

*Copy* the text from the code box below to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):


```
:Files
C:\Clark\Program Files (x86)\Adobe
C:\Clark\Program Files (x86)\Common Files\Adobe
C:\Clark\Users\Kyle\AppData\Local\Adobe
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe
C:\Clark\Users\Kyle\AppData\Roaming\Adobe
C:\Documents and Settings\All Users\Adobe
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\Kyle Clark\AppData\Local\Adobe
C:\Documents and Settings\Kyle Clark\AppData\LocalLow\Adobe
C:\ProgramData\Adobe
C:\ProgramData\Application Data\Adobe
C:\Users\All Users\Adobe
C:\Users\All Users\Application Data\Adobe
C:\Users\Kyle Clark\AppData\Local\Adobe
C:\Users\Kyle Clark\AppData\LocalLow\Adobe
C:\Users\Kyle Clark\AppData\Roaming\Adobe
:Commands
[emptytemp]
[reboot]
```

 Return to OTMoveIt3, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.
Click the red button.
*Copy* everything in the Results window (under the green bar) to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

If the machine reboots, the Results log can be found here:

*c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log*

Where mmddyyyy_hhmmss is the date of the tool run.


----------



## MrMurdstone (Mar 7, 2012)

All processes killed
========== FILES ==========
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Setup Files\{AC76BA86-7AD7-1033-7B44-AA0000000001} folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Setup Files folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\TypeSupport\Unicode\Mappings\win folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\TypeSupport\Unicode\Mappings\Mac folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\TypeSupport\Unicode\Mappings\Adobe folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\TypeSupport\Unicode\Mappings folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\TypeSupport\Unicode\ICU folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\TypeSupport\Unicode folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\TypeSupport folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\SaslPrep folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\Linguistics\Providers\Proximity\11.00 folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\Linguistics\Providers\Proximity folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\Linguistics\Providers folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\Linguistics\LanguageNames2 folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\Linguistics folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\Font\PFM folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\Font folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource\CMap folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Resource folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\Tracker folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\SPPlugins folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\Services folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins3d\prc folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins3d folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Multimedia\MPP folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Multimedia folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps\ENU folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations\Stamps folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\Annotations folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\AcroForm\PMP folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins\AcroForm folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\plug_ins folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal\ENU folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\Legal folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\Javascripts folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates\ENU folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\IDTemplates folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Reader folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0\Esl folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Reader 10.0 folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Flash Player\AddIns folder moved successfully.
C:\Clark\Program Files (x86)\Adobe\Flash Player folder moved successfully.
C:\Clark\Program Files (x86)\Adobe folder moved successfully.
C:\Clark\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US folder moved successfully.
C:\Clark\Program Files (x86)\Common Files\Adobe\HelpCfg folder moved successfully.
C:\Clark\Program Files (x86)\Common Files\Adobe\ARM\1.0 folder moved successfully.
C:\Clark\Program Files (x86)\Common Files\Adobe\ARM folder moved successfully.
C:\Clark\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX folder moved successfully.
C:\Clark\Program Files (x86)\Common Files\Adobe\Acrobat folder moved successfully.
C:\Clark\Program Files (x86)\Common Files\Adobe folder moved successfully.
C:\Clark\Users\Kyle\AppData\Local\Adobe\Color\Profiles folder moved successfully.
C:\Clark\Users\Kyle\AppData\Local\Adobe\Color folder moved successfully.
C:\Clark\Users\Kyle\AppData\Local\Adobe\AIR\logs folder moved successfully.
C:\Clark\Users\Kyle\AppData\Local\Adobe\AIR folder moved successfully.
C:\Clark\Users\Kyle\AppData\Local\Adobe\Acrobat\10.0\Cache folder moved successfully.
C:\Clark\Users\Kyle\AppData\Local\Adobe\Acrobat\10.0 folder moved successfully.
C:\Clark\Users\Kyle\AppData\Local\Adobe\Acrobat folder moved successfully.
C:\Clark\Users\Kyle\AppData\Local\Adobe folder moved successfully.
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng folder moved successfully.
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can folder moved successfully.
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt folder moved successfully.
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all folder moved successfully.
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary folder moved successfully.
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe\Linguistics\Dictionaries folder moved successfully.
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe\Linguistics folder moved successfully.
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe\Acrobat\10.0\Synchronizer\resources folder moved successfully.
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe\Acrobat\10.0\Synchronizer\metadata folder moved successfully.
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe\Acrobat\10.0\Synchronizer\inprogress folder moved successfully.
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe\Acrobat\10.0\Synchronizer folder moved successfully.
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe\Acrobat\10.0 folder moved successfully.
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe\Acrobat folder moved successfully.
C:\Clark\Users\Kyle\AppData\LocalLow\Adobe folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\LogTransport2 folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\Linguistics\Dictionaries folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\Linguistics folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\Headlights folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\Flash Player\AssetCache\DFJ4PV8X folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\Flash Player\AssetCache folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\Flash Player folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\AIR\Updater folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\AIR folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\Acrobat\10.0\Security folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\Acrobat\10.0\JavaScripts folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\Acrobat\10.0\Forms folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\Acrobat\10.0\Collab folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\Acrobat\10.0 folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe\Acrobat folder moved successfully.
C:\Clark\Users\Kyle\AppData\Roaming\Adobe folder moved successfully.
C:\Documents and Settings\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001} folder moved successfully.
C:\Documents and Settings\All Users\Adobe\Setup folder moved successfully.
C:\Documents and Settings\All Users\Adobe\ARM\Reader_10.1.0\25899 folder moved successfully.
C:\Documents and Settings\All Users\Adobe\ARM\Reader_10.1.0\22089 folder moved successfully.
C:\Documents and Settings\All Users\Adobe\ARM\Reader_10.1.0\17844 folder moved successfully.
C:\Documents and Settings\All Users\Adobe\ARM\Reader_10.1.0 folder moved successfully.
C:\Documents and Settings\All Users\Adobe\ARM folder moved successfully.
C:\Documents and Settings\All Users\Adobe\AIR\Updater folder moved successfully.
C:\Documents and Settings\All Users\Adobe\AIR folder moved successfully.
C:\Documents and Settings\All Users\Adobe\Acrobat\10.0\Replicate\Security folder moved successfully.
C:\Documents and Settings\All Users\Adobe\Acrobat\10.0\Replicate folder moved successfully.
C:\Documents and Settings\All Users\Adobe\Acrobat\10.0 folder moved successfully.
C:\Documents and Settings\All Users\Adobe\Acrobat folder moved successfully.
C:\Documents and Settings\All Users\Adobe folder moved successfully.
File/Folder C:\Documents and Settings\All Users\Application Data\Adobe not found.
C:\Documents and Settings\Kyle Clark\AppData\Local\Adobe\Color\Profiles folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\Local\Adobe\Color folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\Local\Adobe\AIR\logs folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\Local\Adobe\AIR folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\Local\Adobe\Acrobat\10.0 folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\Local\Adobe\Acrobat folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\Local\Adobe folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\LocalLow\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\LocalLow\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\LocalLow\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\LocalLow\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\LocalLow\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\LocalLow\Adobe\Linguistics\Dictionaries folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\LocalLow\Adobe\Linguistics folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\LocalLow\Adobe\Acrobat\10.0 folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\LocalLow\Adobe\Acrobat folder moved successfully.
C:\Documents and Settings\Kyle Clark\AppData\LocalLow\Adobe folder moved successfully.
File/Folder C:\ProgramData\Adobe not found.
File/Folder C:\ProgramData\Application Data\Adobe not found.
File/Folder C:\Users\All Users\Adobe not found.
File/Folder C:\Users\All Users\Application Data\Adobe not found.
File/Folder C:\Users\Kyle Clark\AppData\Local\Adobe not found.
File/Folder C:\Users\Kyle Clark\AppData\LocalLow\Adobe not found.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\LogTransport2 folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\Linguistics\Dictionaries folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\Linguistics folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\Headlights folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\Flash Player\AssetCache\BR9N7WTQ folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\Flash Player\AssetCache folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\Flash Player folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\AIR\Updater folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\AIR folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\Acrobat\10.0\Security folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\Acrobat\10.0\JavaScripts folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\Acrobat\10.0\Forms folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\Acrobat\10.0\Collab folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\Acrobat\10.0 folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe\Acrobat folder moved successfully.
C:\Users\Kyle Clark\AppData\Roaming\Adobe folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Kyle Clark
->Temp folder emptied: 606951 bytes
->Temporary Internet Files folder emptied: 576222 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 91502839 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 727 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UpdatusUser

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 91076 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 910112 bytes

Total Files Cleaned = 89.00 mb

OTM by OldTimer - Version 3.1.19.0 log created on 03272012_113322

It's still saying the same thing, and when I go to the Adobe folder it says I do not currently have permission to access it. I also can't delete it even though it's empty.


----------



## kevinf80 (Mar 21, 2006)

Right click on the folder and select "properties", then select the "security tab". What permissions do you have for the "system" and "Administrator" accounts? Are they like the screen shots?

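Setting Full control on the Security tab only edits the discretionary ACL; if the folder's owner is wrong or inheritance from Program Files is broken, an elevated installer can still fail to create into it. The PowerShell script below is an added example, not part of the original thread: it takes ownership of the folder for the Administrators group with takeown.exe, resets the ACL to the inherited defaults with icacls.exe, grants SYSTEM and Administrators full control explicitly, and then verifies the result by creating and deleting a subfolder, which is what the MSI installer needs to do. $Target is an assumption taken from the Error 1317 message; it assumes Windows PowerShell 2.0 and an elevated prompt.

```powershell
# Added example, not from the original thread.
# Resets ownership and permissions on a folder the installer cannot write to,
# then checks that the fix actually works. Run from an elevated prompt.
# $Target is an assumption based on the Error 1317 message in the thread.
$Target = 'C:\Program Files\Adobe'

function Repair-FolderAccess {
    param([Parameter(Mandatory=$true)] [string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    # Refuse to operate on a reparse point: resetting ACLs through a junction
    # would change the junction's target directory, not the junction itself.
    $item = Get-Item -LiteralPath $Path -Force
    if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
        throw "$Path is a junction/symlink; aborting"
    }
    # 1. Give ownership of the folder and everything below it to Administrators.
    & takeown.exe /F $Path /A /R /D Y | Out-Null
    # 2. Discard explicit ACEs and re-enable inheritance, so the folder gets the
    #    default Program Files permissions back.
    & icacls.exe $Path /reset /T /C /Q | Out-Null
    # 3. Grant SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) full control,
    #    inherited by subfolders (CI) and files (OI).
    & icacls.exe $Path /grant '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Test-FolderAccess {
    param([Parameter(Mandatory=$true)] [string] $Path)
    # Check for an Allow FullControl ACE for Administrators, then prove we can
    # create and remove a child directory, which is what the installer does.
    $acl = Get-Acl -LiteralPath $Path
    $full = [Security.AccessControl.FileSystemRights]::FullControl
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    $probe = Join-Path $Path ('_probe_' + [Guid]::NewGuid().ToString('N'))
    $canWrite = $false
    try {
        New-Item -ItemType Directory -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
        $canWrite = $true
    } catch {
        $canWrite = $false
    }
    New-Object PSObject -Property @{
        Path = $Path; Owner = $acl.Owner
        AdminsFullControl = [bool]$ace; CanCreateSubfolder = $canWrite
    }
}

Repair-FolderAccess -Path $Target
Test-FolderAccess -Path $Target | Format-List Path, Owner, AdminsFullControl, CanCreateSubfolder
```

If CanCreateSubfolder is still False after this, the block is not a simple ACL problem: look for a deny ACE on a parent folder, an open handle on the directory, or file-system corruption, which is what the chkdsk and sfc steps later in the thread are for.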

----------



## MrMurdstone (Mar 7, 2012)

I set them all to full control. It still won't install -__-


----------



## kevinf80 (Mar 21, 2006)

What about Java did that update OK? When you installed Microsoft Security Essentials did you have any issues?


----------



## MrMurdstone (Mar 7, 2012)

No, it keeps saying it's interrupted before it finishes for some reason. I had no problems with MSE except that I had to find another link because the one you posted was down. Also, I'm trying to redownload OpenOffice and it doesn't let me do that either.


----------



## kevinf80 (Mar 21, 2006)

Close all windows, Select > start icon > all programs > accessories > Right click on "command prompt" > select > Run as administrator > ok any alerts > at the command prompt type or copy and paste *sfc /scannow* > then enter. Type exit when it's finished and re-boot your PC. See if that helps.


----------



## MrMurdstone (Mar 7, 2012)

This what it says when I do that:

"C:\Windows\system32>sfc /scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 76% complete.

Windows Resource Protection could not perform the requested operation."

I tried two times and it stopped at the same place both times.


----------



## kevinf80 (Mar 21, 2006)

It appears that the infection has messed up your system big time....

ok do this....

*Step 1*

Go start > all programs > accessories > right click *command prompt* and select "Run as Administrator", accept any alerts.

Type this at the prompt *chkdsk /r* and tap <Enter>. 
Note the space between the *chkdsk* and the */r*. You will get a message that the drive cannot be locked, but that the command can be scheduled to run at the next boot. Type *Y* and then tap <Enter> again. You will get a message that chkdsk has been scheduled to run on the next boot. Then reboot.

chkdsk will run during the boot, and it will take quite a bit of time, particularly if your boot partition is large. What the /r flag does is force chkdsk to run an expanded version of chkdsk that has 5 tests. The last two will check the drive for file/folder/free space errors and also fix related MFT errors if there are any.

*Step 2*

Please download FixPolicies from *here* and save it to your *desktop*.


 Double-click *FixPolicies.exe*.
 Click the *Install* button to start the extraction.
 The program will create a new folder called *FixPolicies*.
 Double-click the *FixPolicies* folder.
 In the folder please double-click on *Fix_Policies.cmd*. If you are using Vista or Windows 7, please right-click and select Run as Administrator
 A black DOS Command Prompt window shall appear and then close. This is normal.

Re-boot your system,

See if the sfc /scannow command will complete....


----------



## MrMurdstone (Mar 7, 2012)

It still didn't work :/


----------



## kevinf80 (Mar 21, 2006)

Open an elevated command prompt again.

Type or copy paste the following command, and then press ENTER:

*findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >%userprofile%\Desktop\sfcdetails.txt*

*Note:* The Sfcdetails.txt file contains details from every time that the System File Checker tool has been run on the computer. The file includes information about files that were not repaired by the System File Checker tool. Verify the date and time entries to determine the problem files that were found the last time that you ran the System File Checker tool.

Type *sfcdetails.txt* in Search programs and files and press Enter. Does the log indicate any specific sticking point? If we can find where it sticks it may help us....

You have had a very serious infection that has obviously made some alterations to the OS. It may be beneficial to open a thread in the Vista OS forum here http://forums.techguy.org/75-windows-vista/ Link back to this thread so that the techy guys can see what has been done.

I'm sure the infection has messed up file permissions at some point. I'd rather the tech guys have a look and advise; we've come a long way with this and I'd hate to mess it up after we've removed the infection....

Let me know your thoughts....

Kevin

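One caveat on that findstr command: when %userprofile% contains a space (the profile here is "Kyle Clark"), the unquoted redirect is split by cmd.exe, so the output goes to C:\Users\Kyle and the remainder, Clark\Desktop\sfcdetails.txt, is handed to findstr as a second input file, which is exactly what produces "FINDSTR: Cannot open ...". Quoting the target, >"%userprofile%\Desktop\sfcdetails.txt", avoids that. The PowerShell script below is an added example, not part of the original thread: it reads CBS.log through a shared-read handle (TrustedInstaller keeps the file open), writes the [SR] lines to the Desktop, and summarises per day how many files sfc repaired and which it could not repair, so the run that stopped at 76% can be compared with earlier ones. It assumes Windows PowerShell 2.0, an elevated prompt, and the usual layout of CBS.log [SR] lines.

```powershell
# Added example, not from the original thread.
# Extracts the [SR] lines System File Checker writes to CBS.log and summarises
# them per day. PowerShell passes paths with spaces correctly, so the cmd.exe
# redirect problem with "%userprofile%" does not arise here.
# Assumes Windows PowerShell 2.0 and an elevated prompt.

$CbsLog  = Join-Path $env:windir 'Logs\CBS\CBS.log'
$OutFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'sfcdetails.txt'

function Get-SfcDetails {
    param([string] $LogPath = $CbsLog)
    # Open with FileShare.ReadWrite: the servicing stack keeps CBS.log open
    # for writing, and an exclusive open would fail with a sharing violation.
    $fs = New-Object IO.FileStream($LogPath, [IO.FileMode]::Open,
                                   [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    $reader = New-Object IO.StreamReader($fs)
    try {
        while (($line = $reader.ReadLine()) -ne $null) {
            if ($line -like '*[SR]*') { $line }
        }
    } finally {
        $reader.Close(); $fs.Close()
    }
}

function Get-SfcSummary {
    param([string[]] $SrLines)
    # [SR] lines begin with a timestamp such as "2012-03-27 11:01:02, Info",
    # so grouping on the first token groups them by run date.
    $byDay = $SrLines | Group-Object { ($_ -split ' ')[0] }
    foreach ($g in $byDay) {
        $cannot   = @($g.Group | Where-Object { $_ -match 'Cannot repair member file' })
        $repaired = @($g.Group | Where-Object { $_ -match 'Repairing corrupted file' })
        # The usual form is: Cannot repair member file [l:24{12}]"name.dll" of ...
        $names = @($cannot | ForEach-Object {
            if ($_ -match 'member file \[l:\d+\{\d+\}\]"([^"]+)"') { $matches[1] }
        } | Select-Object -Unique)
        New-Object PSObject -Property @{
            Day          = $g.Name
            SrLines      = $g.Count
            Repaired     = $repaired.Count
            Unrepairable = $cannot.Count
            Files        = ($names -join ', ')
        }
    }
}

$srLines = @(Get-SfcDetails)
$srLines | Set-Content -Path $OutFile -Encoding UTF8
Get-SfcSummary -SrLines $srLines | Sort-Object Day |
    Format-Table Day, SrLines, Repaired, Unrepairable, Files -AutoSize
"$($srLines.Count) [SR] lines written to $OutFile"
```

For a scan that aborted during the verification phase, the interesting part is the tail of that day's [SR] lines: the last component or file named before the entries stop is usually the one sfc could not read, which is worth cross-checking against the chkdsk result.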

----------



## MrMurdstone (Mar 7, 2012)

It says "FINDSTR: Cannot open 

Okay, I will make a thread in there. It seems pretty messed up.


----------



## kevinf80 (Mar 21, 2006)

I feel the best option is to let the technical guys have a look at it; link to this thread so they can see what we've been up to...

Please come back and let me know how you get on....

Kevin


----------



## MrMurdstone (Mar 7, 2012)

Will do. I posted the thread here: http://forums.techguy.org/windows-vista/1047277-infection-messed-up-computer.html


----------



## kevinf80 (Mar 21, 2006)

Thanks, I'll subscribe to that thread and see what happens. It'll have to be later, nearly 1 am local time for me, sleepy time...

Good luck!!


----------



## MrMurdstone (Mar 7, 2012)

Do you think there are no other options than to completely re-install windows?


----------



## kevinf80 (Mar 21, 2006)

Give me an update, exactly what issues remain...


----------



## MrMurdstone (Mar 7, 2012)

Some programs won't install, cd won't read (not sure if it's just this one), and I can't save my internet connection, like I have to type in the password every time.


----------



## kevinf80 (Mar 21, 2006)

I see the technical guys also suggest a re-install; your system was very heavily infected and the registry messed up. Whilst I'm very confident that we got rid of the infection, I'm not so sure on the registry and certain drivers.

I note you mention CDs not playing; Combofix replaced an infected driver relating to that facility. You could try opening Device Manager, scroll to CD/DVD drives, expand, right click on the CD drive and uninstall it, reboot. Windows should see the hardware and re-install appropriate drivers.

Regarding programs not installing, try this link http://support.microsoft.com/kb/931361/en-us see if that helps.

Regarding your Internet connection, usually when you enter the password there is a box to tick so that the password will be remembered...

I still feel a full re-install is the best way forward. If you do not want to do a full re-install you could try a repair/install, although results are not always successful. Have a read here for the full instructions:

http://www.vistax64.com/tutorials/88236-repair-install-vista.html

Maybe worth a shot removing SP2, then reinstall it again. That may help with the registry issues...

1. Link for instructions to remove Service Packs http://support.microsoft.com/kb/948537

2. Link to service packs to reinstall http://windows.microsoft.com/en-US/windows/downloads/service-packs

Let me know if any of that helps.....

Kevin


----------



## MrMurdstone (Mar 7, 2012)

Hey Kevin, not sure if you're still around, but I decided I should probably just reinstall windows. Is there any way to do that without the CD? Not sure where it is. Or any way I can order one for free?

I tried those fixes and some worked, like the CD drive one, but some didn't, so I figure I ought to just reinstall.


----------



## kevinf80 (Mar 21, 2006)

I'm still around. If you registered your system with MS when you initially installed Windows you should be able to contact them for a replacement installation DVD; there would be a nominal charge.

What is the make and model of your system? Is it possible it came with a recovery partition? Select Start, type *disk management* into the search box, tap Enter or select OK.

Can you post a screen shot of the partition layout....


----------

