needhelp1

TDSSKiller log attached TDSSKiller.2.8.16.0_29.04.2013_22.41.54_log.txt

Hi Gringo, Below is the CF log. CF found Zeroaccess and restarted the computer, then again found it and proceeded with its scan. Also, Norton flagged and removed a few files while it was running an automatic scan after CF was finished, I'm including those below also. CF Log: ComboFix 13-04-28.01 - USER 04/29/2013 17:27:05.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.554 [GMT -5:00] Running from: c:\documents and settings\USER\Desktop\ComboFix.exe AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\All Users\Application Data\TEMP c:\documents and settings\USER\Application Data\.# c:\documents and settings\USER\Application Data\BqCeIzPyxuDoFpHOpen Cloud AV.ico c:\documents and settings\USER\Application Data\otzP0ycS1v3n4mOpen Cloud AV.ico c:\documents and settings\USER\Application Data\velIBtzP0c1v3n4Open Cloud AV.ico c:\documents and settings\USER\fixuegsccp.tmp c:\documents and settings\USER\Local Settings\Application Data\{4EA7117F-E066-47AE-8DFC-342BFF13AEA6} c:\documents and settings\USER\Local Settings\Application Data\{4EA7117F-E066-47AE-8DFC-342BFF13AEA6}\chrome.manifest c:\documents and settings\USER\Local Settings\Application Data\{4EA7117F-E066-47AE-8DFC-342BFF13AEA6}\chrome\content\_cfg.js c:\documents and settings\USER\Local Settings\Application Data\{4EA7117F-E066-47AE-8DFC-342BFF13AEA6}\chrome\content\overlay.xul c:\documents and settings\USER\Local Settings\Application Data\{4EA7117F-E066-47AE-8DFC-342BFF13AEA6}\install.rdf c:\documents and settings\USER\My Documents\~WRD2210.tmp c:\documents and settings\USER\WINDOWS c:\windows\desktop c:\windows\desktop\Instal~1.lnk c:\windows\system32\Cache c:\windows\system32\dllcache\wmpvis.dll c:\windows\system32\PowerToyReadme.htm c:\windows\system32\SET14.tmp c:\windows\system32\SET19.tmp c:\windows\system32\URTTemp c:\windows\system32\URTTemp\fusion.dll c:\windows\system32\URTTemp\mscoree.dll c:\windows\system32\URTTemp\mscoree.dll.local c:\windows\system32\URTTemp\mscorsn.dll c:\windows\system32\URTTemp\mscorwks.dll c:\windows\system32\URTTemp\msvcr71.dll c:\windows\system32\URTTemp\regtlib.exe c:\windows\wininit.ini . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_WMI32 . . ((((((((((((((((((((((((( Files Created from 2013-03-28 to 2013-04-29 ))))))))))))))))))))))))))))))) . . 2013-04-29 00:47 . 2013-03-02 02:06 522240 -c----w- c:\windows\system32\dllcache\jsdbgui.dll 2013-04-29 00:45 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys 2013-04-29 00:45 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023.sys . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-04-04 19:50 . 2011-10-22 04:27 22856 ----a-w- c:\windows\system32\drivers\mbam.sys 2013-03-08 08:36 . 2003-03-31 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll 2013-03-07 01:32 . 2003-03-31 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe 2013-03-07 00:50 . 2002-08-29 01:04 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe 2013-03-02 02:06 . 2004-02-07 00:05 916480 ----a-w- c:\windows\system32\wininet.dll 2013-03-02 02:06 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2013-03-02 02:06 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2013-03-02 01:25 . 2003-03-31 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys 2013-03-02 01:08 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec 2013-02-27 07:56 . 2004-06-22 21:08 2067456 ----a-w- c:\windows\system32\mstscax.dll 2013-02-12 00:32 . 2004-08-04 06:04 12928 ------w- c:\windows\system32\drivers\usb8023x.sys 2013-02-12 00:32 . 2003-03-31 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys 2005-03-22 05:48 . 2005-03-22 05:46 877056 ----a-w- c:\program files\iview395.exe 2005-02-22 02:40 . 2005-02-22 01:28 7096170 ----a-w- c:\program files\WSFTP_ProT40_Install.exe 2005-02-17 23:13 . 2005-02-17 23:13 295120 ----a-w- c:\program files\NSSetup.exe 2004-11-04 01:17 . 2004-11-04 01:17 2636408 ----a-w- c:\program files\aawsepersonal.exe . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Ptipbmf"="ptipbmf.dll" [2003-06-20 118784] "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528] "ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456] "Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016] "SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-02-16 221184] "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472] "DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184] "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080] "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-12-02 296056] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk&inst=NzctNzU5MDE1MjEzLVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ∏=90&ver=2012.0.1831&mid=67217e50267847d19092547b91d34f9b-06ce4fc639803a2e3563922518183d8e94088cb9" [?] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk backup=c:\windows\pss\Windows Search.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^USER^Start Menu^Programs^Startup^TrueAssistant.lnk] path=c:\documents and settings\USER\Start Menu\Programs\Startup\TrueAssistant.lnk backup=c:\windows\pss\TrueAssistant.lnkStartup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier] 2008-11-07 20:16 111936 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComcastAntispyClient] 2009-08-19 17:25 1589208 ----a-w- c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2] 2008-04-24 18:25 202560 ----a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup] 2002-07-16 15:55 32768 ----a-w- c:\program files\Iomega\DriveIcons\deskup.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] 2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\AOL\1106098516\EE\aolsoftware.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch] 2002-09-23 14:50 36864 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup] 2005-02-16 21:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2010-12-13 23:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] 2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2004-02-13 10:41 155648 ----a-r- c:\windows\system32\NeroCheck.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor] 2003-08-18 12:12 98304 ----a-w- c:\program files\Visioneer OneTouch\OneTouchMon.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD] 2002-09-23 14:25 45108 ----a-w- c:\program files\Scansoft\PaperPort\pptd40nt.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic] 2004-04-05 21:33 99480 ----a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "_IOMEGA_ACTIVE_DISK_SERVICE_"=2 (0x2) "WMPNetworkSvc"=3 (0x3) "sprtsvc_ddoctorv2"=2 (0x2) "MsMpSvc"=2 (0x2) "MDM"=2 (0x2) "ITMRTSVC"=2 (0x2) "iPod Service"=3 (0x3) "Iomega App Services"=2 (0x2) "gusvc"=3 (0x3) "Bonjour Service"=2 (0x2) "Apple Mobile Device"=2 (0x2) "AOLService"=2 (0x2) "AOL TopSpeedMonitor"=2 (0x2) "AntiSpywareService"=2 (0x2) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Trainmaster\\TM4\\TM4.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"= "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"= "c:\\Program Files\\Common Files\\AOL\\1106098516\\EE\\AOLServiceHost.exe"= "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\AOL\\1106098516\\EE\\aolsoftware.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= . R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502020.003\symds.sys [1/1/2005 2:03 AM 340088] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502020.003\symefa.sys [1/1/2005 2:03 AM 744568] R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20130412.001\BHDrvx86.sys [4/13/2013 12:09 AM 1000024] R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502020.003\ironx86.sys [1/1/2005 2:03 AM 136312] R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [4/27/2013 4:35 PM 418376] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/21/2011 11:27 PM 701512] R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.2.2.3\ccsvchst.exe [1/1/2005 2:02 AM 130008] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/1/2005 2:01 AM 106656] R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20130426.001\IDSXpx86.sys [4/26/2013 6:57 PM 373728] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/21/2011 11:27 PM 22856] R3 PIBus;PIBus Device;c:\windows\system32\drivers\PIBus.sys [7/27/2004 12:22 PM 43004] R3 PIKbd;PI Virtual Keyboard;c:\windows\system32\drivers\PIKbd.sys [7/27/2004 12:22 PM 3878] S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2/2/2011 4:56 PM 23456] S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [10/3/2011 1:45 AM 10112] S3 yukonx86;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter;c:\windows\system32\drivers\yukonx86.sys [7/23/2004 6:03 PM 176256] S4 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 12:49 PM 616408] . Contents of the 'Scheduled Tasks' folder . 2011-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34] . 2013-04-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1641216279-2740818761-1370937033-1004.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 22:14] . 2011-12-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1641216279-2740818761-1370937033-1004.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 22:14] . 2013-04-29 c:\windows\Tasks\ReclaimerUpdateFiles_USER.job - c:\documents and settings\USER\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\rnupgagent.exe [2013-04-27 21:52] . 2013-04-29 c:\windows\Tasks\ReclaimerUpdateXML_USER.job - c:\documents and settings\USER\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\rnupgagent.exe [2013-04-27 21:52] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ mWindow Title = Windows Internet Explorer provided by Comcast uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = *.local DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab . - - - - ORPHANS REMOVED - - - - . MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe MSConfigStartUp-SpybotSD TeaTimer - d:\program files\Spybot - Search & Destroy\TeaTimer.exe MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe AddRemove-COASTER_F40PH_2103 - c:\program files\Microsoft Games\Train Simulator\TRAINS\TRAINSET\Uninstal.exe AddRemove-Railroad Tycoon II - The Next Millenium - l:\program files\Railroad Tycoon II - The Next Millenium\DeIsL1.isu AddRemove-Train Dispatcher 3 - l:\program files\TD3\DeIsL1.isu AddRemove-WinZip - l:\program files\WinZip\WINZIP32.EXE . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2013-04-29 17:46 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360] "ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.2.2.3\diMaster.dll\" /prefetch:1" . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2] "ImagePath"="\"\"" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(1960) c:\windows\system32\WININET.dll c:\program files\Iomega\DriveIcons\IMGHOOK.DLL c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\program files\Common Files\aolshare\aolshcpy.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\inetsrv\inetinfo.exe c:\program files\Analog Devices\SoundMAX\SMAgent.exe c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE c:\windows\system32\SearchIndexer.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe c:\windows\system32\wscntfy.exe c:\windows\SOUNDMAN.EXE c:\program files\Common Files\InstallShield\UpdateService\agent.exe . ************************************************************************** . Completion time: 2013-04-29 17:54:19 - machine was rebooted ComboFix-quarantined-files.txt 2013-04-29 22:54 . Pre-Run: 5,235,961,856 bytes free Post-Run: 5,515,190,272 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn . - - End Of File - - B3CD2837273543BCB543F25645067BF3 Norton results: 4/29/2013 6:26 PM,High,4aafe6ed-15742ff1 (Trojan.Maljava!gen4) detected by Virus scanner,Quarantined,Resolved - No Action Required,c:\documents and settings\user\application data\sun\java\deployment\cache\6.0\45\4aafe6ed-15742ff1 4/29/2013 6:23 PM,High,4c4b124c-4d43c600 (Trojan.Maljava!gen20) detected by Virus scanner,Quarantined,Resolved - No Action Required,c:\documents and settings\networkservice\application data\sun\java\deployment\cache\6.0\12\4c4b124c-4d43c600 Category: Resolved Security Risks Date & Time,Risk,Activity,Status,Recommended Action,Path - Filename 4/29/2013 6:26 PM,High,4aafe6ed-15742ff1 (Trojan.Maljava!gen4) detected by Virus scanner,Quarantined,Resolved - No Action Required,c:\documents and settings\user\application data\sun\java\deployment\cache\6.0\45\4aafe6ed-15742ff1 4/29/2013 6:23 PM,High,4c4b124c-4d43c600 (Trojan.Maljava!gen20) detected by Virus scanner,Quarantined,Resolved - No Action Required,c:\documents and settings\networkservice\application data\sun\java\deployment\cache\6.0\12\4c4b124c-4d43c600

Gringo, reports below. I'm going to have to turn in for the evening, I'll be back online tomorrow afternoon. Thanks again for your help :-) # AdwCleaner v2.300 - Logfile created 04/28/2013 at 23:51:18 # Updated 28/04/2013 by Xplode # Operating system : Microsoft Windows XP Service Pack 3 (32 bits) # User : USER - P4P800-SE # Boot Mode : Normal # Running from : C:\Documents and Settings\USER\Desktop\adwcleaner.exe # Option [Delete] ***** [services] ***** ***** [Files / Folders] ***** Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint Folder Deleted : C:\Documents and Settings\USER\Application Data\PriceGong Folder Deleted : C:\Documents and Settings\USER\Local Settings\Application Data\Conduit Folder Deleted : C:\Program Files\Conduit Folder Deleted : C:\Program Files\Viewpoint ***** [Registry] ***** Key Deleted : HKCU\Software\AppDataLow\Software\Conduit Key Deleted : HKCU\Software\Conduit Key Deleted : HKCU\Software\ConduitSearchScopes Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0FB6A909-6086-458F-BD92-1F8EE10042A0} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0FB6A909-6086-458F-BD92-1F8EE10042A0} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com Key Deleted : HKCU\Software\PriceGong Key Deleted : HKCU\Software\Zugo Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1 Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1 Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E} Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1791C1B5-FFD0-4D4B-ABCD-7A7DF6EAA89C} Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD} Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD} Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1} Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4} Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785} Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT1060933 Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3} Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9DBB28C1-1925-11D3-A498-00104B6EB52E} Key Deleted : HKLM\Software\Conduit Key Deleted : HKLM\Software\MetaStream Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E} Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD} Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1791C1B5-FFD0-4D4B-ABCD-7A7DF6EAA89C} Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP Key Deleted : HKLM\Software\Viewpoint Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EF99BD32-C1FB-11D2-892F-0090271D4F88}] ***** [internet Browsers] ***** -\\ Internet Explorer v8.0.6001.18702 [OK] Registry is clean. ************************* AdwCleaner[s1].txt - [4601 octets] - [28/04/2013 23:51:18] ########## EOF - C:\AdwCleaner[s1].txt - [4661 octets] ########## RogueKiller V8.5.4 [Mar 18 2013] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.geekstogo...13-roguekiller/ Website : http://tigzy.geeksto...roguekiller.php Blog : http://tigzyrk.blogspot.com/ Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version Started in : Normal mode User : USER [Admin rights] Mode : Remove -- Date : 04/29/2013 00:00:13 | ARK || FAK || MBR | ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 4 ¤¤¤ [RUN][PREVRUN] HKCU\[...]\Run : NvMediaCenter (RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit) [x] -> DELETED [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (:0) -> NOT REMOVED, USE PROXYFIX [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1) [sHELLSPWN] HKCU\[...]\command : ("%1" %*) -> REPLACED ("%1" %*) ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [LOADED] ¤¤¤ SSDT[12] : NtAlertResumeThread @ 0x80637D2E -> HOOKED (Unknown @ 0x85AC2D30) SSDT[13] : NtAlertThread @ 0x80592C50 -> HOOKED (Unknown @ 0x85AF4798) SSDT[17] : NtAllocateVirtualMemory @ 0x80570DA7 -> HOOKED (Unknown @ 0x85AB5900) SSDT[19] : NtAssignProcessToJobObject @ 0x805E0F91 -> HOOKED (Unknown @ 0x85A9CC78) SSDT[31] : NtConnectPort @ 0x80590E73 -> HOOKED (Unknown @ 0x85D2D9C0) SSDT[43] : NtCreateMutant @ 0x805840AD -> HOOKED (Unknown @ 0x85AC2A80) SSDT[52] : NtCreateSymbolicLinkObject @ 0x805DFAEA -> HOOKED (Unknown @ 0x85A9CA98) SSDT[53] : NtCreateThread @ 0x80584D59 -> HOOKED (Unknown @ 0x85B2CD00) SSDT[57] : NtDebugActiveProcess @ 0x806633C5 -> HOOKED (Unknown @ 0x85A9CD58) SSDT[68] : NtDuplicateObject @ 0x8057F1A9 -> HOOKED (Unknown @ 0x85AB5AD0) SSDT[83] : NtFreeVirtualMemory @ 0x805712A1 -> HOOKED (Unknown @ 0x85AB56B8) SSDT[89] : NtImpersonateAnonymousToken @ 0x8059AD1D -> HOOKED (Unknown @ 0x85AC2B70) SSDT[91] : NtImpersonateThread @ 0x805876DA -> HOOKED (Unknown @ 0x85AC2C50) SSDT[97] : NtLoadDriver @ 0x805AF8B6 -> HOOKED (Unknown @ 0x85B44238) SSDT[108] : NtMapViewOfSection @ 0x8057AC39 -> HOOKED (Unknown @ 0x85B04328) SSDT[114] : NtOpenEvent @ 0x80589D81 -> HOOKED (Unknown @ 0x85AC29A0) SSDT[122] : NtOpenProcess @ 0x8057F956 -> HOOKED (Unknown @ 0x85AB5C90) SSDT[123] : NtOpenProcessToken @ 0x80578506 -> HOOKED (Unknown @ 0x85AB59F0) SSDT[125] : NtOpenSection @ 0x805791AE -> HOOKED (Unknown @ 0x85AC27E0) SSDT[128] : NtOpenThread @ 0x805E4831 -> HOOKED (Unknown @ 0x85AB5BC0) SSDT[137] : NtProtectVirtualMemory @ 0x8057F587 -> HOOKED (Unknown @ 0x85A9CB88) SSDT[206] : NtResumeThread @ 0x805853D0 -> HOOKED (Unknown @ 0x85AF4878) SSDT[213] : NtSetContextThread @ 0x80636395 -> HOOKED (Unknown @ 0x85AF4B18) SSDT[228] : NtSetInformationProcess @ 0x80574B2F -> HOOKED (Unknown @ 0x85AF4BF8) SSDT[240] : NtSetSystemInformation @ 0x805B14E8 -> HOOKED (Unknown @ 0x85AC2698) SSDT[253] : NtSuspendProcess @ 0x80637C73 -> HOOKED (Unknown @ 0x85AC28C0) SSDT[254] : NtSuspendThread @ 0x80637B8F -> HOOKED (Unknown @ 0x85AF4958) SSDT[257] : NtTerminateProcess @ 0x8058E8D1 -> HOOKED (Unknown @ 0x85ADB3E8) SSDT[258] : NtTerminateThread @ 0x80584986 -> HOOKED (Unknown @ 0x85AF4A38) SSDT[267] : NtUnmapViewOfSection @ 0x8057A7C1 -> HOOKED (Unknown @ 0x85AF4CE8) SSDT[277] : NtWriteVirtualMemory @ 0x8058760F -> HOOKED (Unknown @ 0x85AB57A8) S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x85C90100) S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x85C8FCF8) S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x85C8F928) S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x85C8FF30) S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x85F24F50) S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x85C87FC0) S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x85F38FC0) S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x85C07BC8) S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x85F49070) S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x860AF4A0) ¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> C:\WINDOWS\system32\drivers\etc\hosts 127.0.0.1 localhost 127.0.0.1 www.007guard.com 127.0.0.1 007guard.com 127.0.0.1 008i.com 127.0.0.1 www.008k.com 127.0.0.1 008k.com 127.0.0.1 www.00hq.com 127.0.0.1 00hq.com 127.0.0.1 010402.com 127.0.0.1 www.032439.com 127.0.0.1 032439.com 127.0.0.1 www.0scan.com 127.0.0.1 0scan.com 127.0.0.1 www.1000gratisproben.com 127.0.0.1 1000gratisproben.com 127.0.0.1 www.1001namen.com 127.0.0.1 1001namen.com 127.0.0.1 www.100888290cs.com 127.0.0.1 100888290cs.com 127.0.0.1 www.100sexlinks.com [...] ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: WDC WD800BB-00FJA0 +++++ --- User --- [MBR] 460e99c23a4b391ae65eb8cdaed52a68 [bSP] 677bbefcd681198409fde7614fcdb730 : Windows XP MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 36005 Mo 1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 73738350 | Size: 40311 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[6]_D_04292013_02d0000.txt >> RKreport[1].txt ; RKreport[2].txt ; RKreport[3]_S_04272013_02d1638.txt ; RKreport[4]_S_01012005_02d0008.txt ; RKreport[5]_S_04282013_02d2358.txt ; RKreport[6]_D_04292013_02d0000.txt

Gringo, one other thing if it helps you. For some reason earlier today my computer reset its date to 2004, I didn't see that until after I ran a DDS/Attach scan in preparation for the forum (the ones I just posted were ran a few minutes ago with the date corrected). But in doing so, DDS gave all created files back to that time. Here are the ones from the created last 30 section starting right at the date of infection. =============== Created Last 30 ================ . 2012-04-14 19:20:36 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys 2012-04-14 19:20:36 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys 2011-12-02 21:43:07 -------- d-----w- c:\program files\common files\xing shared 2011-11-17 02:42:08 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-11-13 03:48:21 -------- d-----w- c:\documents and settings\user\application data\PriceGong 2011-11-13 03:43:13 -------- d-----w- c:\program files\Conduit 2011-11-13 03:43:09 -------- d-----w- c:\documents and settings\user\local settings\application data\Temp 2011-11-13 03:43:09 -------- d-----w- c:\documents and settings\user\local settings\application data\Conduit 2011-11-13 03:42:49 -------- d-----w- c:\documents and settings\user\local settings\application data\FLVService 2011-11-12 18:00:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-10-31 21:20:55 -------- d-----w- c:\program files\Little Registry Cleaner 2011-10-22 04:27:43 22856 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-10-22 02:17:44 -------- d-----w- C:\stk_downloads 2011-10-14 05:30:07 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL 2011-10-14 05:30:07 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS 2011-10-14 05:30:07 -------- d-----w- c:\program files\Symantec 2011-10-14 05:30:07 -------- d-----w- c:\program files\common files\Symantec Shared 2011-10-14 05:29:26 -------- d-----w- c:\windows\system32\drivers\N360 2011-10-14 05:29:23 -------- d-----w- c:\program files\Norton Security Suite 2011-10-14 05:27:14 -------- d-----w- c:\program files\NortonInstaller 2011-10-14 05:23:42 -------- d-----w- c:\documents and settings\user\application data\OpswatLogs 2011-10-14 05:15:39 -------- d-----w- c:\documents and settings\user\application data\supportdotcom 2011-10-14 04:19:42 -------- d-----w- C:\temp 2011-10-14 04:18:47 -------- d-----w- c:\program files\common files\supportdotcom 2011-10-06 22:38:15 -------- d-----w- c:\documents and settings\user\application data\AVG2012 2011-10-06 22:30:47 -------- d-----w- c:\documents and settings\all users\application data\AVG2012 2011-10-06 22:30:03 -------- d-----w- c:\program files\AVG 2011-10-06 22:26:10 -------- d--h--w- c:\documents and settings\all users\application data\Common Files 2011-10-06 22:25:30 -------- d-----w- c:\documents and settings\all users\application data\MFAData 2011-10-06 01:51:36 -------- d-----w- C:\TDSSKiller_Quarantine 2011-10-04 03:36:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-10-04 03:29:29 -------- d-----w- c:\documents and settings\user\application data\i3onG4aQHf 2011-10-04 03:29:29 -------- d-----w- c:\documents and settings\user\application data\BqCeIzPyxuDoFpH 2011-10-04 02:30:17 -------- d-----w- c:\documents and settings\user\application data\otzP0ycS1v3n4m 2011-10-04 02:30:16 -------- d-----w- c:\documents and settings\user\application data\TF3pmG5aQ6E8 2011-10-04 02:13:27 -------- d-----w- c:\documents and settings\user\application data\velIBtzP0c1v3n4 2011-10-04 02:13:26 -------- d-----w- c:\documents and settings\user\application data\qG5aQJ6dW8R9TwU 2011-10-04 02:13:11 -------- d-----w- c:\documents and settings\user\application data\PtxA0ucS2b3n5Q6 2011-10-03 06:45:40 28032 ----a-w- c:\windows\system32\ssmirrdr.dll 2011-10-03 06:45:40 10112 ----a-w- c:\windows\system32\drivers\ssmirrdr.sys

Thanks for the quick reply Gringo (and Mr.C ;-) ) Logs are below. Quick note about that Java being out of date, yesterday I uninstalled all the Java I could, yet it still showed up on the report hmm. Same goes for AVG in the DDS log as well. Securitycheck: Results of screen317's Security Check version 0.99.63 Windows XP Service Pack 3 x86 Internet Explorer 8 ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Disabled! AVG Anti-Virus Free Edition 2012 Norton Security Suite Antivirus up to date! (On Access scanning disabled!) `````````Anti-malware/Other Utilities Check:````````` Malwarebytes Anti-Malware version 1.75.0.1300 Java version out of Date! ````````Process Check: objlist.exe by Laurent```````` Norton ccSvcHst.exe Malwarebytes Anti-Malware mbamservice.exe Malwarebytes Anti-Malware mbamgui.exe Malwarebytes' Anti-Malware mbamscheduler.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C:: 7% ````````````````````End of Log`````````````````````` DDS: DDS (Ver_2012-11-20.01) - NTFS_x86 Internet Explorer: 8.0.6001.18702 Run by USER at 22:28:31 on 2013-04-28 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.638 [GMT -5:00] . AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Security Suite *Enabled* . ============== Running Processes ================ . C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\Program Files\Iomega\AutoDisk\ADUserMon.exe C:\Program Files\Iomega\DriveIcons\ImgIcon.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\program files\real\realplayer\update\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\WINDOWS\system32\SearchFilterHost.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup C:\WINDOWS\System32\svchost.exe -k NetworkService C:\WINDOWS\System32\svchost.exe -k LocalService C:\WINDOWS\System32\svchost.exe -k LocalService C:\WINDOWS\System32\svchost.exe -k imgsvc C:\WINDOWS\System32\svchost.exe -k HTTPFilter . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.google.com/ uWindow Title = Windows Internet Explorer provided by Comcast mWindow Title = Windows Internet Explorer provided by Comcast uInternet Connection Wizard,ShellNext = iexplore uProxyServer = :0 BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton security suite\engine\5.2.2.3\ips\ipsbho.dll BHO: Comcast Toolbar: {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - c:\program files\comcasttb\comcastdx.dll BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - <orphaned> BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned> EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - <orphaned> uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe mRun: [iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe mRun: [soundMan] SOUNDMAN.EXE mRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk"& "inst=NzctNzU5MDE1MjEzLVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ"&"prod=90"&"ver=2012.0.1831"&"mid=67217e502 67847d19092547b91d34f9b-06ce4fc639803a2e3563922518183d8e94088cb9 dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t uPolicies-Explorer: NoDriveTypeAutoRun = dword:145 mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1 mPolicies-Explorer: NoDriveTypeAutoRun = dword:145 IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBC} - <orphaned> IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe . INFO: HKCU has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option. . . INFO: HKLM has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option. . DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221295268468 DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38191.8488888889 DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: Interfaces\{A4A7C4A6-C308-445C-A868-1D85C5AE3302} : DHCPNameServer = 68.87.72.130 68.87.77.130 68.87.66.196 SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll Hosts: 127.0.0.1 www.spywareinfo.com . ============= SERVICES / DRIVERS =============== . R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502020.003\symds.sys [2005-1-1 340088] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502020.003\symefa.sys [2005-1-1 744568] R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20130412.001\BHDrvx86.sys [2013-4-13 1000024] R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502020.003\ironx86.sys [2005-1-1 136312] R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-4-27 418376] R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-21 701512] R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.2.2.3\ccsvchst.exe [2005-1-1 130008] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2005-1-1 106656] R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20130426.001\IDSXpx86.sys [2013-4-26 373728] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-21 22856] R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130428.008\NAVENG.SYS [2013-4-28 93296] R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130428.008\NAVEX15.SYS [2013-4-28 1603824] R3 PIBus;PIBus Device;c:\windows\system32\drivers\PIBus.sys [2004-7-27 43004] R3 PIKbd;PI Virtual Keyboard;c:\windows\system32\drivers\PIKbd.sys [2004-7-27 3878] S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2011-2-2 23456] S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?] S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [2011-10-3 10112] S3 yukonx86;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter;c:\windows\system32\drivers\yukonx86.sys [2004-7-23 176256] S4 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408] . =============== Created Last 30 ================ . 2013-04-29 00:47:04 522240 -c----w- c:\windows\system32\dllcache\jsdbgui.dll 2013-04-29 00:45:45 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys 2013-04-29 00:45:45 12928 -c----w- c:\windows\system32\dllcache\usb8023.sys . ==================== Find3M ==================== . 2013-04-04 19:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys 2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll 2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe 2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe 2013-03-02 02:06:31 916480 ----a-w- c:\windows\system32\wininet.dll 2013-03-02 02:06:30 43520 ----a-w- c:\windows\system32\licmgr10.dll 2013-03-02 02:06:30 1469440 ------w- c:\windows\system32\inetcpl.cpl 2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k.sys 2013-03-02 01:08:47 385024 ----a-w- c:\windows\system32\html.iec 2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll 2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys 2013-02-12 00:32:23 12928 ------w- c:\windows\system32\drivers\usb8023x.sys 2005-03-22 05:48:31 877056 ----a-w- c:\program files\iview395.exe 2005-02-22 02:40:53 7096170 ----a-w- c:\program files\WSFTP_ProT40_Install.exe 2005-02-17 23:13:26 295120 ----a-w- c:\program files\NSSetup.exe 2004-11-04 01:17:25 2636408 ----a-w- c:\program files\aawsepersonal.exe . ============= FINISH: 22:30:52.84 =============== ATTACH: . UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2012-11-20.01) . Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume1 Install Date: 7/23/2004 5:44:45 PM System Uptime: 4/28/2013 10:05:36 PM (0 hours ago) . Motherboard: | | 848P-Series Processor: Intel® Pentium® 4 CPU 2.80GHz | | 2800/mhz . ==== Disk Partitions ========================= . A: is Removable C: is FIXED (NTFS) - 35 GiB total, 5.091 GiB free. D: is FIXED (NTFS) - 39 GiB total, 20.782 GiB free. E: is Removable F: is CDROM () G: is CDROM () H: is Removable I: is Removable J: is Removable K: is Removable . ==== Disabled Device Manager Items ============= . ==== System Restore Points =================== . RP1741: 12/4/2011 11:52:49 PM - Before Little Registry Cleaner Registry Fix RP1742: 12/7/2011 5:31:50 PM - System Checkpoint RP1743: 12/12/2011 10:06:58 PM - System Checkpoint RP1744: 12/13/2011 10:45:48 PM - System Checkpoint RP1745: 12/14/2011 1:45:33 AM - Software Distribution Service 3.0 RP1746: 4/27/2012 11:13:27 AM - System Checkpoint RP1747: 12/31/2004 11:16:47 PM - Removed Adobe Reader 9.4.6. RP1748: 12/31/2004 11:18:43 PM - Removed J2SE Runtime Environment 5.0 Update 4 RP1749: 12/31/2004 11:19:41 PM - Removed Java 6 Update 17 RP1750: 12/31/2004 11:22:16 PM - Removed Spelling Dictionaries Support For Adobe Reader 9. RP1751: 4/27/2013 4:15:27 PM - Removed CA Pest Patrol Realtime Protection RP1752: 12/31/2004 11:09:07 PM - Removed Apple Mobile Device Support RP1753: 12/31/2004 11:10:16 PM - Removed CA Pest Patrol Realtime Protection RP1754: 12/31/2004 11:13:44 PM - Removed SnagIt 9 RP1755: 12/31/2004 11:15:02 PM - Removed TC RP1756: 1/1/2005 12:02:37 AM - Malwarebytes Anti-Rootkit Restore Point RP1757: 4/28/2013 7:51:01 PM - Software Distribution Service 3.0 . ==== Installed Programs ====================== . Acrobat.com Active Disk Adobe AIR Adobe Flash Player 11 ActiveX AOL Uninstaller (Choose which Products to Remove) Apple Application Support Apple Software Update ArcSoft Camera Suite Audacity 1.2.6 Bonjour BurnInTest v4.0 Standard Camera Window Canon Camera Window for ZoomBrowser EX Canon PhotoRecord Canon RAW Image Task for ZoomBrowser EX Canon RemoteCapture Task for ZoomBrowser EX Canon Utilities PhotoStitch 3.1 Canon Utilities ZoomBrowser EX Card Games Collection Citrix Presentation Server Client - Web Only Coaster Activity Coaster CabCar and F59PHI Consist COASTER_F40PH_2103 Comcast High-Speed Internet Install Wizard Comcast Toolbar 3.0 CPR AC4400 9590 Desktop Doctor Dragon NaturallySpeaking 10 Drew & Eagle Project - Coaster CabCar & F59PHI (Driveable) DriverAgent by eSupport.com DVD Decrypter (Remove Only) DVD Shrink 3.2 EasyChange Powered by TrueSwitch EXPERTool Fighters Anthology Free M4a to MP3 Converter 6.1 Free WAV To MP3 Converter 2.1 Google Toolbar for Internet Explorer Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows XP (KB2633952) Hotfix for Windows XP (KB2779562) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB961118) Image Resizer Powertoy for Windows XP IomegaWare 4.0.2 Ipswitch WS_FTP Pro IrfanView (remove only) iTunes Java Auto Updater Learn To Speak Spanish 8.1 Learn2 Player (Uninstall Only) M4P MP3 Converter 1.0 Macromedia Shockwave Player Malwarebytes Anti-Malware version 1.75.0.1300 Maple Leaf Tracks - Niagara Corridor Microsoft .NET Framework (English) Microsoft .NET Framework (English) v1.0.3705 Microsoft .NET Framework 1.0 Hotfix (KB928367) Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Security Update (KB2742597) Microsoft .NET Framework 1.1 Security Update (KB979906) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft Application Error Reporting Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Default Manager Microsoft Flight Simulator for Windows 95 Microsoft FrontPage Client - English Microsoft Internationalized Domain Names Mitigation APIs Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 Microsoft National Language Support Downlevel APIs Microsoft Office File Validation Add-In Microsoft Office Standard Edition 2003 Microsoft Office Visio Professional 2003 Microsoft Silverlight Microsoft Train Simulator Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual Basic .NET Standard 2003 - English Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft WinUsb 1.0 MLT Greater Toronto Area MLT Kicking Horse Pass CPR Demo Route MobileMe Control Panel MP3 Cutter 1.9 MSDN Library for Visual Studio .NET 2003 MSTS Patch 1.8.0521 EN MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) MSXML 6.0 Parser (KB927977) Music Editor Free Nero OEM Norton Security Suite NVIDIA Display Driver OGA Notifier 2.0.0048.0 PaperPort 8.0 SE PhotoStitch PowerDVD Pure Networks Port Magic QuickTime RailDriver Railroad Tycoon II - The Next Millenium RAW Image Task RealPlayer Realtek AC'97 Audio REALTEK GbE & FE Ethernet PCI NIC Driver RealUpgrade 1.1 RemoteCapture Task 1.0.1 Safari Sandpatch Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111) Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424) Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Internet Explorer 8 (KB2183461) Security Update for Windows Internet Explorer 8 (KB2416400) Security Update for Windows Internet Explorer 8 (KB2530548) Security Update for Windows Internet Explorer 8 (KB2559049) Security Update for Windows Internet Explorer 8 (KB2586448) Security Update for Windows Internet Explorer 8 (KB2618444) Security Update for Windows Internet Explorer 8 (KB2817183) Security Update for Windows Internet Explorer 8 (KB972260) Security Update for Windows Media Player (KB2378111) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB975558) Security Update for Windows Media Player (KB978695) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows XP (KB2124261) Security Update for Windows XP (KB2286198) Security Update for Windows XP (KB2440591) Security Update for Windows XP (KB2476490) Security Update for Windows XP (KB2479628) Security Update for Windows XP (KB2483185) Security Update for Windows XP (KB2503658) Security Update for Windows XP (KB2507618) Security Update for Windows XP (KB2509553) Security Update for Windows XP (KB2544893-v2) Security Update for Windows XP (KB2566454) Security Update for Windows XP (KB2570222) Security Update for Windows XP (KB2584146) Security Update for Windows XP (KB2585542) Security Update for Windows XP (KB2598479) Security Update for Windows XP (KB2603381) Security Update for Windows XP (KB2618451) Security Update for Windows XP (KB2619339) Security Update for Windows XP (KB2620712) Security Update for Windows XP (KB2624667) Security Update for Windows XP (KB2631813) Security Update for Windows XP (KB2633171) Security Update for Windows XP (KB2639417) Security Update for Windows XP (KB2653956) Security Update for Windows XP (KB2655992) Security Update for Windows XP (KB2659262) Security Update for Windows XP (KB2676562) Security Update for Windows XP (KB2686509) Security Update for Windows XP (KB2691442) Security Update for Windows XP (KB2698365) Security Update for Windows XP (KB2705219-v2) Security Update for Windows XP (KB2712808) Security Update for Windows XP (KB2719985) Security Update for Windows XP (KB2723135-v2) Security Update for Windows XP (KB2727528) Security Update for Windows XP (KB2753842-v2) Security Update for Windows XP (KB2757638) Security Update for Windows XP (KB2758857) Security Update for Windows XP (KB2770660) Security Update for Windows XP (KB2780091) Security Update for Windows XP (KB2802968) Security Update for Windows XP (KB2807986) Security Update for Windows XP (KB2808735) Security Update for Windows XP (KB2813170) Security Update for Windows XP (KB2813345) Security Update for Windows XP (KB2820917) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB970430) Security Update for Windows XP (KB971468) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975713) Security Update for Windows XP (KB977914) Security Update for Windows XP (KB978262) Security Update for Windows XP (KB979482) Security Update for Windows XP (KB980436) Security Update for Windows XP (KB981852) Security Update for Windows XP (KB982214) SoundMAX The American Heritage Talking Dictionary Tower Sim - MG Tower Train Dispatcher 3 Trainmaster TM4.2 update Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Windows Internet Explorer 8 (KB976662) Update for Windows Internet Explorer 8 (KB980182) Update for Windows XP (KB2345886) Update for Windows XP (KB2541763) Update for Windows XP (KB2616676) Update for Windows XP (KB2641690) Update for Windows XP (KB2661254-v2) Update for Windows XP (KB2736233) Update for Windows XP (KB2749655) Update for Windows XP (KB951072-v2) Update for Windows XP (KB955759) Update for Windows XP (KB968389) Update for Windows XP (KB973687) USB Joy Stick Viewpoint Media Player Visioneer OneTouch 9320 Visual Basic .NET Standard 2003 - English Visual C++ Runtime for Dragon NaturallySpeaking Visual Studio.NET Baseline - English Walmart MP3 Music Downloads WebFldrs XP Windows Easy Transfer for Windows 7 Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage Validation Tool (KB892130) Windows Imaging Component Windows Internet Explorer 7 Windows Internet Explorer 8 Windows Live ID Sign-in Assistant Windows Media Format 11 runtime Windows Media Player 11 Windows Presentation Foundation Windows Search 4.0 Windows XP Service Pack 3 WinZip XML Paper Specification Shared Components Pack 1.0 XTrkCad Yahoo! Toolbar . ==== Event Viewer Messages From Past Week ======== . 4/28/2013 10:07:47 PM, error: Dhcp [1002] - The IP address lease 192.168.1.136 for the Network Card with network address 003018C03090 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message). 4/27/2013 4:45:15 PM, error: Dhcp [1002] - The IP address lease 192.168.1.142 for the Network Card with network address 003018C03090 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message). 4/27/2013 4:18:17 PM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration. 4/27/2013 4:14:56 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064} . ==== End Of File ===========================

About a year and a half ago I had a computer hit with Zeroaccess and a fake AV rogue. I had my ISP help with removal but they were only partially successful. I was planning on purchasing a new computer at the time anyway so I just parked the old one and left it ever since. Yesterday I had to get a few files off the old computer and decided to run a Roguekiller scan just to see what came up. Zeroaccess was still there so I decided to give MBAR a try. It found 17 peices of the rootkit and I let it remove them, I re-ran MBAR to make sure nothing came up again and nothing did. I then ran Roguekiller after that and it didn't mention anything about Zeroaccess this time, But it did mention parts of the rogue still there - I didn't take any action with Roguekiller, just generated logs with it. Roguekiller and MBAR logs below, let me know if you need DDS/Attach also. I don't plan on doing any websurfing with the infected computer other than this one time on the forum but I'd rather not have any remnants of Zeroaccess sitting around on it in either case :-) INITIAL ROGUEKILLER SCAN RogueKiller V8.5.4 [Mar 18 2013] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/ Website : http://tigzy.geekstogo.com/roguekiller.php Blog : http://tigzyrk.blogspot.com/ Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version Started in : Normal mode User : USER [Admin rights] Mode : Scan -- Date : 04/27/2013 16:38:39 | ARK || FAK || MBR | ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 7 ¤¤¤ [RUN][bLACKLISTDLL] HKCU\[...]\Run : NvMediaCenter (RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit) -> FOUND [RUN][bLACKLISTDLL] HKUS\S-1-5-21-1641216279-2740818761-1370937033-1004[...]\Run : NvMediaCenter (RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit) -> FOUND [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (:0) -> FOUND [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND [sHELLSPWN] HKCU\[...]\command : ("%1" %*) -> FOUND [sHELLSPWN] HKUS\S-1-5-21-1641216279-2740818761-1370937033-1004[...]\command : ("%1" %*) -> FOUND [sHELLSPWN] HKCR\[...]\command : ("%1" %*) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ [ZeroAccess][FOLDER] $NtUninstallKB40514$ : C:\WINDOWS\$NtUninstallKB40514$ --> FOUND ¤¤¤ Driver : [LOADED] ¤¤¤ SSDT[12] : NtAlertResumeThread @ 0x80637D4E -> HOOKED (Unknown @ 0x85AF4088) SSDT[13] : NtAlertThread @ 0x80592C30 -> HOOKED (Unknown @ 0x85AF4148) SSDT[17] : NtAllocateVirtualMemory @ 0x80570BC5 -> HOOKED (Unknown @ 0x85AF66F8) SSDT[19] : NtAssignProcessToJobObject @ 0x805E4D63 -> HOOKED (Unknown @ 0x85B06048) SSDT[31] : NtConnectPort @ 0x80590E53 -> HOOKED (Unknown @ 0x86070C20) SSDT[43] : NtCreateMutant @ 0x8058408D -> HOOKED (Unknown @ 0x85B07070) SSDT[52] : NtCreateSymbolicLinkObject @ 0x805AD5D4 -> HOOKED (Unknown @ 0x85B08068) SSDT[53] : NtCreateThread @ 0x80584D39 -> HOOKED (Unknown @ 0x85BDD780) SSDT[57] : NtDebugActiveProcess @ 0x80663211 -> HOOKED (Unknown @ 0x85B06080) SSDT[68] : NtDuplicateObject @ 0x8057F18D -> HOOKED (Unknown @ 0x85AFC880) SSDT[83] : NtFreeVirtualMemory @ 0x805710BF -> HOOKED (Unknown @ 0x85AF6598) SSDT[89] : NtImpersonateAnonymousToken @ 0x805A0F55 -> HOOKED (Unknown @ 0x85B07140) SSDT[91] : NtImpersonateThread @ 0x805876BA -> HOOKED (Unknown @ 0x85AF4050) SSDT[97] : NtLoadDriver @ 0x805B52F0 -> HOOKED (Unknown @ 0x85BEA5E8) SSDT[108] : NtMapViewOfSection @ 0x8057AC21 -> HOOKED (Unknown @ 0x85B2B1E8) SSDT[114] : NtOpenEvent @ 0x80589D61 -> HOOKED (Unknown @ 0x85B041D0) SSDT[122] : NtOpenProcess @ 0x8057F93A -> HOOKED (Unknown @ 0x85B06EA0) SSDT[123] : NtOpenProcessToken @ 0x805784EC -> HOOKED (Unknown @ 0x85B288D8) SSDT[125] : NtOpenSection @ 0x80579192 -> HOOKED (Unknown @ 0x85B06008) SSDT[128] : NtOpenThread @ 0x80596743 -> HOOKED (Unknown @ 0x85B06DD0) SSDT[137] : NtProtectVirtualMemory @ 0x8057F56B -> HOOKED (Unknown @ 0x85B08138) SSDT[206] : NtResumeThread @ 0x805853B0 -> HOOKED (Unknown @ 0x85AF4208) SSDT[213] : NtSetContextThread @ 0x80635EFB -> HOOKED (Unknown @ 0x85B06D98) SSDT[228] : NtSetInformationProcess @ 0x80574B1F -> HOOKED (Unknown @ 0x85B2B090) SSDT[240] : NtSetSystemInformation @ 0x805BFDB1 -> HOOKED (Unknown @ 0x85B06140) SSDT[253] : NtSuspendProcess @ 0x80637C93 -> HOOKED (Unknown @ 0x85B04110) SSDT[254] : NtSuspendThread @ 0x80637BAF -> HOOKED (Unknown @ 0x85AF20C0) SSDT[257] : NtTerminateProcess @ 0x8058E8B1 -> HOOKED (Unknown @ 0x85AEF450) SSDT[258] : NtTerminateThread @ 0x80584966 -> HOOKED (Unknown @ 0x85AF2180) SSDT[267] : NtUnmapViewOfSection @ 0x8057A7A9 -> HOOKED (Unknown @ 0x85B11C28) SSDT[277] : NtWriteVirtualMemory @ 0x805875EF -> HOOKED (Unknown @ 0x85AF6668) S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x85C5DDF8) S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x85C5D5C8) S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x85C5CF10) S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x85C5D970) S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x85C294F8) S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x860861E0) S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x860ACAE0) S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x873E7238) S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x85C46D90) S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x85C9EAE0) ¤¤¤ Infection : ZeroAccess|Rogue.AntiSpy-AH ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> C:\WINDOWS\system32\drivers\etc\hosts 127.0.0.1 localhost 127.0.0.1 www.007guard.com 127.0.0.1 007guard.com 127.0.0.1 008i.com 127.0.0.1 www.008k.com 127.0.0.1 008k.com 127.0.0.1 www.00hq.com 127.0.0.1 00hq.com 127.0.0.1 010402.com 127.0.0.1 www.032439.com 127.0.0.1 032439.com 127.0.0.1 www.0scan.com 127.0.0.1 0scan.com 127.0.0.1 www.1000gratisproben.com 127.0.0.1 1000gratisproben.com 127.0.0.1 www.1001namen.com 127.0.0.1 1001namen.com 127.0.0.1 www.100888290cs.com 127.0.0.1 100888290cs.com 127.0.0.1 www.100sexlinks.com [...] ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: WDC WD800BB-00FJA0 +++++ --- User --- [MBR] 460e99c23a4b391ae65eb8cdaed52a68 [bSP] 677bbefcd681198409fde7614fcdb730 : Windows XP MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 36005 Mo 1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 73738350 | Size: 40311 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[3]_S_04272013_02d1638.txt >> RKreport[1].txt ; RKreport[2].txt ; RKreport[3]_S_04272013_02d1638.txt ----------------------------------------------------------------------------------------- MBAR LOG Malwarebytes Anti-Rootkit BETA 1.05.0.1001 www.malwarebytes.org Database version: v2013.04.27.04 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 USER :: P4P800-SE [administrator] 12/31/2004 11:52:42 PM mbar-log-2004-12-31 (23-52-42).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P Scan options disabled: Objects scanned: 27871 Time elapsed: 20 minute(s), 48 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 4 c:\windows\$ntuninstallkb40514$\2417156173 (Backdoor.0Access) -> Delete on reboot. c:\windows\$ntuninstallkb40514$\2873346814 (Backdoor.0Access) -> Delete on reboot. c:\windows\$ntuninstallkb40514$\2873346814\l (Backdoor.0Access) -> Delete on reboot. c:\windows\$ntuninstallkb40514$\2873346814\u (Backdoor.0Access) -> Delete on reboot. Files Detected: 13 c:\recycler\s-1-5-21-1641216279-2740818761-1370937033-500\dc1:1421620481.exe (Rootkit.0Access) -> Delete on reboot. c:\windows\$ntuninstallkb40514$\2873346814\l\tjogdrmb (Backdoor.0Access) -> Delete on reboot. c:\windows\$ntuninstallkb40514$\2873346814\u\00000001.@ (Backdoor.0Access) -> Delete on reboot. c:\windows\$ntuninstallkb40514$\2873346814\u\00000002.@ (Backdoor.0Access) -> Delete on reboot. c:\windows\$ntuninstallkb40514$\2873346814\u\80000000.@ (Backdoor.0Access) -> Delete on reboot. c:\windows\$ntuninstallkb40514$\2873346814\u\80000032.@ (Backdoor.0Access) -> Delete on reboot. c:\windows\$ntuninstallkb40514$\2873346814\@ (Backdoor.0Access) -> Delete on reboot. c:\windows\$ntuninstallkb40514$\2873346814\bckfg.tmp (Backdoor.0Access) -> Delete on reboot. c:\windows\$ntuninstallkb40514$\2873346814\cfg.ini (Backdoor.0Access) -> Delete on reboot. c:\windows\$ntuninstallkb40514$\2873346814\desktop.ini (Backdoor.0Access) -> Delete on reboot. c:\windows\$ntuninstallkb40514$\2873346814\keywords (Backdoor.0Access) -> Delete on reboot. c:\windows\$ntuninstallkb40514$\2873346814\kwrd.dll (Backdoor.0Access) -> Delete on reboot. c:\windows\$ntuninstallkb40514$\2873346814\lsflt7.ver (Backdoor.0Access) -> Delete on reboot. (end) --------------------------------------------------------------------------------- ROGUEKILLER LOG AFTER RUNNING MBAR RogueKiller V8.5.4 [Mar 18 2013] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/ Website : http://tigzy.geekstogo.com/roguekiller.php Blog : http://tigzyrk.blogspot.com/ Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version Started in : Normal mode User : USER [Admin rights] Mode : Scan -- Date : 01/01/2005 00:08:42 | ARK || FAK || MBR | ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 7 ¤¤¤ [RUN][PREVRUN] HKCU\[...]\Run : NvMediaCenter (RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit) [x] -> FOUND [RUN][PREVRUN] HKUS\S-1-5-21-1641216279-2740818761-1370937033-1004[...]\Run : NvMediaCenter (RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit) [x] -> FOUND [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (:0) -> FOUND [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND [sHELLSPWN] HKCU\[...]\command : ("%1" %*) -> FOUND [sHELLSPWN] HKUS\S-1-5-21-1641216279-2740818761-1370937033-1004[...]\command : ("%1" %*) -> FOUND [sHELLSPWN] HKCR\[...]\command : ("%1" %*) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [LOADED] ¤¤¤ SSDT[12] : NtAlertResumeThread @ 0x80637D4E -> HOOKED (Unknown @ 0x85D368C8) SSDT[13] : NtAlertThread @ 0x80592C30 -> HOOKED (Unknown @ 0x85D2D7D8) SSDT[17] : NtAllocateVirtualMemory @ 0x80570BC5 -> HOOKED (Unknown @ 0x86111408) SSDT[19] : NtAssignProcessToJobObject @ 0x805E4D63 -> HOOKED (Unknown @ 0x85C535A0) SSDT[31] : NtConnectPort @ 0x80590E53 -> HOOKED (Unknown @ 0x85BE2130) SSDT[43] : NtCreateMutant @ 0x8058408D -> HOOKED (Unknown @ 0x859BEEB0) SSDT[52] : NtCreateSymbolicLinkObject @ 0x805AD5D4 -> HOOKED (Unknown @ 0x860D8708) SSDT[53] : NtCreateThread @ 0x80584D39 -> HOOKED (Unknown @ 0x860F2FB0) SSDT[57] : NtDebugActiveProcess @ 0x80663211 -> HOOKED (Unknown @ 0x85C53C70) SSDT[68] : NtDuplicateObject @ 0x8057F18D -> HOOKED (Unknown @ 0x861132A0) SSDT[83] : NtFreeVirtualMemory @ 0x805710BF -> HOOKED (Unknown @ 0x85A47198) SSDT[89] : NtImpersonateAnonymousToken @ 0x805A0F55 -> HOOKED (Unknown @ 0x85D20DC8) SSDT[91] : NtImpersonateThread @ 0x805876BA -> HOOKED (Unknown @ 0x85D2A938) SSDT[97] : NtLoadDriver @ 0x805B52F0 -> HOOKED (Unknown @ 0x85BE7C20) SSDT[108] : NtMapViewOfSection @ 0x8057AC21 -> HOOKED (Unknown @ 0x86109838) SSDT[114] : NtOpenEvent @ 0x80589D61 -> HOOKED (Unknown @ 0x85D057C0) SSDT[122] : NtOpenProcess @ 0x8057F93A -> HOOKED (Unknown @ 0x860861E8) SSDT[123] : NtOpenProcessToken @ 0x805784EC -> HOOKED (Unknown @ 0x85D51A80) SSDT[125] : NtOpenSection @ 0x80579192 -> HOOKED (Unknown @ 0x85C552D0) SSDT[128] : NtOpenThread @ 0x80596743 -> HOOKED (Unknown @ 0x8608A250) SSDT[137] : NtProtectVirtualMemory @ 0x8057F56B -> HOOKED (Unknown @ 0x86113728) SSDT[206] : NtResumeThread @ 0x805853B0 -> HOOKED (Unknown @ 0x85D43F60) SSDT[213] : NtSetContextThread @ 0x80635EFB -> HOOKED (Unknown @ 0x85C59670) SSDT[228] : NtSetInformationProcess @ 0x80574B1F -> HOOKED (Unknown @ 0x860DDD28) SSDT[240] : NtSetSystemInformation @ 0x805BFDB1 -> HOOKED (Unknown @ 0x85C54D30) SSDT[253] : NtSuspendProcess @ 0x80637C93 -> HOOKED (Unknown @ 0x85CEEBE0) SSDT[254] : NtSuspendThread @ 0x80637BAF -> HOOKED (Unknown @ 0x85C58108) SSDT[257] : NtTerminateProcess @ 0x8058E8B1 -> HOOKED (Unknown @ 0x85D517F8) SSDT[258] : NtTerminateThread @ 0x80584966 -> HOOKED (Unknown @ 0x85C59410) SSDT[267] : NtUnmapViewOfSection @ 0x8057A7A9 -> HOOKED (Unknown @ 0x85C59A90) SSDT[277] : NtWriteVirtualMemory @ 0x805875EF -> HOOKED (Unknown @ 0x860DD6B0) S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x85C64938) S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x85C66BC0) S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x85C67B70) S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x85C65E90) S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x85AE2738) S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x860B1610) S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x85A7A9C8) S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8612AC10) S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x85C934D8) S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x85EEC838) ¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> C:\WINDOWS\system32\drivers\etc\hosts 127.0.0.1 localhost 127.0.0.1 www.007guard.com 127.0.0.1 007guard.com 127.0.0.1 008i.com 127.0.0.1 www.008k.com 127.0.0.1 008k.com 127.0.0.1 www.00hq.com 127.0.0.1 00hq.com 127.0.0.1 010402.com 127.0.0.1 www.032439.com 127.0.0.1 032439.com 127.0.0.1 www.0scan.com 127.0.0.1 0scan.com 127.0.0.1 www.1000gratisproben.com 127.0.0.1 1000gratisproben.com 127.0.0.1 www.1001namen.com 127.0.0.1 1001namen.com 127.0.0.1 www.100888290cs.com 127.0.0.1 100888290cs.com 127.0.0.1 www.100sexlinks.com [...] ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: WDC WD800BB-00FJA0 +++++ --- User --- [MBR] 460e99c23a4b391ae65eb8cdaed52a68 [bSP] 677bbefcd681198409fde7614fcdb730 : Windows XP MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 36005 Mo 1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 73738350 | Size: 40311 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[4]_S_01012005_02d0008.txt >> RKreport[1].txt ; RKreport[2].txt ; RKreport[3]_S_04272013_02d1638.txt ; RKreport[4]_S_01012005_02d0008.txt

Yep I understood your explanation - you said it fine in English :-) DDS all deleted. Thanks again! :-D

No other open issues as far as I can see (so it looks like no malware was involved?) Thanks for your help and your time Daniel, I appreciate it!

That seemed to work, windows now recognizes Norton and hasn't thrown any error messages. New DDS and Attach logs for your reference. DDS (Ver_2012-11-20.01) - NTFS_AMD64 Internet Explorer: 10.0.9200.16521 Run by PWS at 15:58:47 on 2013-03-28 Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.12199.9516 [GMT -5:00] . AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF} SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202} FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4} . ============== Running Processes =============== . C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k netsvcs C:\Program Files\Sandboxie\SbieSvc.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe C:\Program Files (x86)\ASUS\AAHM\1.00.11\aaHMSvc.exe C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.10\AsSysCtrlService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Windows\SysWOW64\AsHookDevice.exe C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe C:\Windows\System32\svchost.exe -k HPZ12 C:\Windows\System32\svchost.exe -k HPZ12 C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe C:\Windows\system32\SearchIndexer.exe C:\Program Files\iPod\bin\iPodService.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe C:\Windows\system32\taskhost.exe C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe C:\Windows\system32\Dwm.exe C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe C:\Windows\System32\igfxtray.exe C:\Windows\System32\hkcmd.exe C:\Windows\System32\igfxpers.exe C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe C:\Program Files\Sandboxie\SbieCtrl.exe C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe C:\Program Files (x86)\EMET\EMET_notifier.exe C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe C:\Program Files (x86)\iTunes\iTunesHelper.exe C:\Windows\system32\taskeng.exe C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\Explorer.exe C:\Program Files (x86)\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe C:\Program Files (x86)\Norton Security Suite\Engine\20.2.0.19\ccSvcHst.exe C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Windows\splwow64.exe C:\Windows\System32\cscript.exe . ============== Pseudo HJT Report =============== . uSearch Bar = Preserve BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\20.2.0.19\coieplg.dll BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\20.2.0.19\ips\ipsbho.dll BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll TB: WOT: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\20.2.0.19\coieplg.dll uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe" uRun: [uploader] C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" mRun: [RunAIShell] C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe mRun: [ConnectionCenter] "C:\Users\PWS\AppData\Local\Citrix\ICA Client\concentr.exe" /startup mRun: [DBAgent] "C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe" /WinStart mRun: [EMET Notifier] C:\Program Files (x86)\EMET\EMET_notifier.exe mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot mRun: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ASUSVI~1.LNK - C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe uPolicies-Explorer: NoDrives = dword:0 mPolicies-Explorer: NoDrives = dword:0 mPolicies-System: ConsentPromptBehaviorUser = dword:3 mPolicies-System: EnableUIADesktopToggle = dword:0 IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105 IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll . INFO: HKCU has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option. . DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab TCP: NameServer = 75.75.75.75 75.75.76.76 192.168.1.1 TCP: Interfaces\{B572E52D-654C-4037-A505-6BF565430247} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1 Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe" x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL x64-BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll x64-TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe x64-Run: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe -expressboot x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned> x64-Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll x64-Notify: igfxcui - igfxdev.dll x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL . ============= SERVICES / DRIVERS =============== . R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\1402000.013\symds64.sys [2013-3-28 493216] R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\1402000.013\symefa64.sys [2013-3-28 1133216] R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20130322.001\BHDrvx64.sys [2013-3-22 1387608] R1 ccSet_N360;Norton Security Suite Settings Manager;C:\Windows\System32\drivers\N360x64\1402000.013\ccsetx64.sys [2013-3-28 168096] R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2010-7-14 87600] R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20130327.001\IDSviA64.sys [2013-3-27 513184] R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\1402000.013\ironx64.sys [2013-3-28 224416] R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\1402000.013\symnets.sys [2013-3-28 432800] R2 asComSvc;ASUS Com Service;C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [2011-5-31 918144] R2 asHmComSvc;ASUS HM Com Service;C:\Program Files (x86)\ASUS\AAHM\1.00.11\aaHMSvc.exe [2011-5-31 915072] R2 AsSysCtrlService;ASUS System Control Service;C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.10\AsSysCtrlService.exe [2011-5-31 586880] R2 Device Handle Service;Device Handle Service;C:\Windows\SysWOW64\AsHookDevice.exe [2011-5-31 203392] R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-11 398184] R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-11 682344] R2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\20.2.0.19\ccsvchst.exe [2013-3-28 143928] R2 RtNdPt60;Realtek NDIS Protocol Driver;C:\Windows\System32\drivers\RtNdPt60.sys [2011-5-31 32544] R2 Seagate Dashboard Services;Seagate Dashboard Services;C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [2012-5-4 14496] R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-5-31 2656280] R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2011-5-25 126952] R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2011-5-25 389608] R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-5-31 317440] R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2011-12-18 24176] R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-5-31 406632] R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2012-12-16 202632] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576] S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-5-31 48488] S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352] S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2011-5-31 158976] S3 mv91xx;mv91xx;C:\Windows\System32\drivers\mv91xx.sys [2011-5-25 293416] S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2011-5-25 80384] S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2011-5-25 181248] S3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.2);C:\Windows\System32\drivers\RtTeam60.sys [2011-5-31 48416] S3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);C:\Windows\System32\drivers\RtVlan60.sys [2011-5-31 29472] S3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.2);C:\Windows\System32\drivers\RtTeam60.sys [2011-5-31 48416] S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392] S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232] S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760] S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-12-20 1255736] S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184] . =============== Created Last 30 ================ . 2013-03-28 17:45:03 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared 2013-03-28 17:21:35 776864 ----a-w- C:\Windows\System32\drivers\N360x64\1402000.013\srtsp64.sys 2013-03-28 17:21:35 493216 ----a-w- C:\Windows\System32\drivers\N360x64\1402000.013\symds64.sys 2013-03-28 17:21:35 432800 ----a-r- C:\Windows\System32\drivers\N360x64\1402000.013\symnets.sys 2013-03-28 17:21:35 37496 ----a-r- C:\Windows\System32\drivers\N360x64\1402000.013\srtspx64.sys 2013-03-28 17:21:35 23448 ----a-r- C:\Windows\System32\drivers\N360x64\1402000.013\symelam.sys 2013-03-28 17:21:35 224416 ----a-r- C:\Windows\System32\drivers\N360x64\1402000.013\ironx64.sys 2013-03-28 17:21:35 168096 ----a-w- C:\Windows\System32\drivers\N360x64\1402000.013\ccsetx64.sys 2013-03-28 17:21:35 1133216 ----a-w- C:\Windows\System32\drivers\N360x64\1402000.013\symefa64.sys 2013-03-28 17:21:03 -------- d-----w- C:\Windows\System32\drivers\N360x64\1402000.013 2013-03-28 17:11:08 177312 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS 2013-03-28 17:11:08 -------- d-----w- C:\Program Files\Symantec 2013-03-28 17:11:08 -------- d-----w- C:\Program Files\Common Files\Symantec Shared 2013-03-28 17:09:46 -------- d-----w- C:\Windows\System32\drivers\N360x64 2013-03-28 17:09:46 -------- d-----w- C:\Program Files (x86)\Norton Security Suite 2013-03-28 17:09:37 -------- d-----w- C:\Program Files (x86)\NortonInstaller 2013-03-27 02:06:16 -------- d-----w- C:\Windows\System32\wbem\repository 2013-03-23 03:46:30 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys 2013-03-02 17:00:31 -------- d-----w- C:\ProgramData\Licenses 2013-02-26 22:11:02 2776576 ----a-w- C:\Windows\System32\msmpeg2vdec.dll 2013-02-26 22:11:02 2284544 ----a-w- C:\Windows\SysWow64\msmpeg2vdec.dll 2013-02-26 22:11:02 221184 ----a-w- C:\Windows\System32\UIAnimation.dll 2013-02-26 22:11:02 187392 ----a-w- C:\Windows\SysWow64\UIAnimation.dll 2013-02-26 22:11:01 465920 ----a-w- C:\Windows\System32\WMPhoto.dll 2013-02-26 22:11:01 417792 ----a-w- C:\Windows\SysWow64\WMPhoto.dll . ==================== Find3M ==================== . 2013-03-13 01:05:21 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl 2013-03-13 01:05:21 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe 2013-02-12 05:45:24 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll 2013-02-12 05:45:22 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll 2013-02-12 05:45:22 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll 2013-02-12 05:45:22 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll 2013-02-12 04:48:31 474112 ----a-w- C:\Windows\apppatch\AcSpecfc.dll 2013-02-12 04:48:26 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll 2013-01-13 21:17:03 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll 2013-01-13 21:17:02 2560 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll 2013-01-13 21:16:42 10752 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll 2013-01-13 21:12:46 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll 2013-01-13 21:11:21 4096 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll 2013-01-13 21:11:08 5632 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll 2013-01-13 21:11:07 5632 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll 2013-01-13 21:11:07 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll 2013-01-13 21:11:07 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll 2013-01-13 20:35:31 9728 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll 2013-01-13 20:35:31 2560 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll 2013-01-13 20:35:18 10752 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll 2013-01-13 20:32:07 3584 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll 2013-01-13 20:31:48 4096 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll 2013-01-13 20:31:41 5632 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll 2013-01-13 20:31:40 5632 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll 2013-01-13 20:31:40 3072 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll 2013-01-13 20:31:40 3072 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll 2013-01-13 20:31:00 1247744 ----a-w- C:\Windows\SysWow64\DWrite.dll 2013-01-13 20:22:22 1988096 ----a-w- C:\Windows\SysWow64\d3d10warp.dll 2013-01-13 20:20:31 293376 ----a-w- C:\Windows\SysWow64\dxgi.dll 2013-01-13 20:09:00 249856 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll 2013-01-13 20:08:43 220160 ----a-w- C:\Windows\SysWow64\d3d10core.dll 2013-01-13 20:08:35 1504768 ----a-w- C:\Windows\SysWow64\d3d11.dll 2013-01-13 19:59:04 1643520 ----a-w- C:\Windows\System32\DWrite.dll 2013-01-13 19:58:28 1175552 ----a-w- C:\Windows\System32\FntCache.dll 2013-01-13 19:54:01 604160 ----a-w- C:\Windows\SysWow64\d3d10level9.dll 2013-01-13 19:53:58 207872 ----a-w- C:\Windows\SysWow64\WindowsCodecsExt.dll 2013-01-13 19:51:30 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll 2013-01-13 19:49:17 363008 ----a-w- C:\Windows\System32\dxgi.dll 2013-01-13 19:48:47 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll 2013-01-13 19:46:25 1080832 ----a-w- C:\Windows\SysWow64\d3d10.dll 2013-01-13 19:43:21 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll 2013-01-13 19:38:39 333312 ----a-w- C:\Windows\System32\d3d10_1core.dll 2013-01-13 19:38:32 1887232 ----a-w- C:\Windows\System32\d3d11.dll 2013-01-13 19:38:21 296960 ----a-w- C:\Windows\System32\d3d10core.dll 2013-01-13 19:37:57 3419136 ----a-w- C:\Windows\SysWow64\d2d1.dll 2013-01-13 19:25:04 245248 ----a-w- C:\Windows\System32\WindowsCodecsExt.dll 2013-01-13 19:24:33 648192 ----a-w- C:\Windows\System32\d3d10level9.dll 2013-01-13 19:20:42 194560 ----a-w- C:\Windows\System32\d3d10_1.dll 2013-01-13 19:20:04 1238528 ----a-w- C:\Windows\System32\d3d10.dll 2013-01-13 19:15:40 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll 2013-01-13 19:10:36 3928064 ----a-w- C:\Windows\System32\d2d1.dll 2013-01-13 18:34:58 364544 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll 2013-01-13 18:09:52 522752 ----a-w- C:\Windows\System32\XpsGdiConverter.dll 2013-01-13 17:26:42 1158144 ----a-w- C:\Windows\SysWow64\XpsPrint.dll 2013-01-13 17:05:09 1682432 ----a-w- C:\Windows\System32\XpsPrint.dll 2013-01-05 05:53:43 5553512 ----a-w- C:\Windows\System32\ntoskrnl.exe 2013-01-05 05:00:15 3967848 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe 2013-01-05 05:00:11 3913064 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe 2013-01-04 05:46:09 215040 ----a-w- C:\Windows\System32\winsrv.dll 2013-01-04 04:51:16 5120 ----a-w- C:\Windows\SysWow64\wow32.dll 2013-01-04 04:43:21 44032 ----a-w- C:\Windows\apppatch\acwow64.dll 2013-01-04 03:26:48 3153408 ----a-w- C:\Windows\System32\win32k.sys 2013-01-04 02:47:35 25600 ----a-w- C:\Windows\SysWow64\setup16.exe 2013-01-04 02:47:34 7680 ----a-w- C:\Windows\SysWow64\instnm.exe 2013-01-04 02:47:34 2048 ----a-w- C:\Windows\SysWow64\user.exe 2013-01-04 02:47:33 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll 2013-01-03 06:00:54 1913192 ----a-w- C:\Windows\System32\drivers\tcpip.sys 2013-01-03 06:00:42 288088 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS . ============= FINISH: 15:59:14.43 =============== ATTACH:. UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2012-11-20.01) . Microsoft Windows 7 Home Premium Boot Device: \Device\HarddiskVolume2 Install Date: 12/18/2011 12:24:35 PM System Uptime: 3/28/2013 12:33:15 PM (3 hours ago) . Motherboard: ASUSTeK Computer INC. | | CM6850 Processor: Intel® Core i5-2320 CPU @ 3.00GHz | LGA1155 | 1590/100mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 745 GiB total, 670.567 GiB free. D: is FIXED (NTFS) - 1104 GiB total, 1063.449 GiB free. E: is CDROM (CDFS) F: is Removable G: is Removable H: is Removable I: is Removable . ==== Disabled Device Manager Items ============= . Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a} Description: MS/MS-Pro Device ID: WPDBUSENUMROOT\UMB\2&37C186B&2&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_MS#MS-PRO&REV_1.03#058F63626420&3# Manufacturer: Generic- Name: I:\ PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&2&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_MS#MS-PRO&REV_1.03#058F63626420&3# Service: WUDFRd . Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a} Description: SD/MMC Device ID: WPDBUSENUMROOT\UMB\2&37C186B&2&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_SD#MMC&REV_1.00#058F63626420&0# Manufacturer: Generic- Name: F:\ PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&2&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_SD#MMC&REV_1.00#058F63626420&0# Service: WUDFRd . Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a} Description: SM/xD Picture Device ID: WPDBUSENUMROOT\UMB\2&37C186B&2&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_SM#XD_PICTURE&REV_1.02#058F63626420&2# Manufacturer: Generic- Name: H:\ PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&2&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_SM#XD_PICTURE&REV_1.02#058F63626420&2# Service: WUDFRd . Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a} Description: Compact Flash Device ID: WPDBUSENUMROOT\UMB\2&37C186B&2&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.01#058F63626420&1# Manufacturer: Generic- Name: G:\ PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&2&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.01#058F63626420&1# Service: WUDFRd . ==== System Restore Points =================== . RP121: 2/18/2013 11:40:56 PM - Norton Security Suite Registry RP122: 2/26/2013 4:10:30 PM - Windows Update RP123: 3/9/2013 3:56:38 PM - Scheduled Checkpoint RP124: 3/12/2013 8:04:10 PM - Windows Update RP125: 3/18/2013 2:22:48 PM - Norton Security Suite Registry RP127: 3/22/2013 10:46:37 PM - Windows Update RP128: 3/22/2013 10:52:26 PM - Windows Update RP129: 3/28/2013 12:21:50 PM - Norton Security Suite Registry . ==== Installed Programs ====================== . 64 Bit HP CIO Components Installer Adobe Flash Player 11 ActiveX Adobe Reader XI (11.0.02) AI Manager AI Suite II Apple Application Support Apple Mobile Device Support Apple Software Update ASUS Backup Wizard AsusVibe2.0 Bonjour Citrix online plug-in - web Citrix online plug-in (DV) Citrix online plug-in (HDX) Citrix online plug-in (USB) Citrix online plug-in (Web) Citrix XenApp Web Plugin Contrôle ActiveX Windows Live Mesh pour connexions à distance Control ActiveX de Windows Live Mesh para conexiones remotas D3DX10 Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition DVD Shrink 3.2 EMET ERUNT 1.1j ESET Online Scanner v3 Free M4a to MP3 Converter 7.0 Galerie de photos Windows Live Galería fotográfica de Windows Live HP Officejet Pro 8500 A910 Basic Device Software HP Officejet Pro 8500 A910 Help HP Officejet Pro 8500 A910 Product Improvement Study HP Update I.R.I.S. OCR Intel® Management Engine Components iTunes Junk Mail filter update LightScribe System Software 1.10.13.1 Malwarebytes Anti-Malware version 1.70.0.1100 Marketsplash Shortcuts Mesh Runtime Microsoft .NET Framework 4 Client Profile Microsoft Application Error Reporting Microsoft Office 2010 Microsoft Office 2010 Service Pack 1 (SP1) Microsoft Office Access MUI (English) 2010 Microsoft Office Access Setup Metadata MUI (English) 2010 Microsoft Office Excel MUI (English) 2010 Microsoft Office File Validation Add-In Microsoft Office Groove MUI (English) 2010 Microsoft Office InfoPath MUI (English) 2010 Microsoft Office Office 64-bit Components 2010 Microsoft Office OneNote MUI (English) 2010 Microsoft Office Outlook MUI (English) 2010 Microsoft Office PowerPoint MUI (English) 2010 Microsoft Office Professional Plus 2010 Microsoft Office Proof (English) 2010 Microsoft Office Proof (French) 2010 Microsoft Office Proof (Spanish) 2010 Microsoft Office Proofing (English) 2010 Microsoft Office Publisher MUI (English) 2010 Microsoft Office Shared 64-bit MUI (English) 2010 Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 Microsoft Office Shared MUI (English) 2010 Microsoft Office Shared Setup Metadata MUI (English) 2010 Microsoft Office Word MUI (English) 2010 Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs Microsoft Silverlight Microsoft SQL Server 2005 Compact Edition [ENU] Microsoft Train Simulator Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2005 Redistributable (x64) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 MLT Greater Toronto Area MSTS Patch 1.8.0521 EN MSVCRT MSVCRT_amd64 MSXML 4.0 SP2 (KB973688) MSXML 4.0 SP3 Parser (KB2721691) MSXML 4.0 SP3 Parser (KB2758694) MSXML 4.0 SP3 Parser (KB973685) Nero 7 Essentials neroxml Norton Security Suite QuickTime RailDriver for MSTS RealNetworks - Microsoft Visual C++ 2008 Runtime RealPlayer Realtek Ethernet Controller Driver Realtek Ethernet Diagnostic Utility Realtek High Definition Audio Driver RealUpgrade 1.1 Safari Sandboxie 3.76 (64-bit) Seagate Dashboard 2.0 Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636) Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078) Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121) Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405) Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827) Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449) Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019) Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595) Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642) Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition Security Update for Microsoft Filter Pack 2.0 (KB2553501) 32-Bit Edition Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition Security Update for Microsoft InfoPath 2010 (KB2687436) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2553091) Security Update for Microsoft Office 2010 (KB2553096) Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition Security Update for Microsoft OneNote 2010 (KB2760600) 32-Bit Edition Security Update for Microsoft Visio 2010 (KB2760762) 32-Bit Edition Security Update for Microsoft Visio Viewer 2010 (KB2687505) 32-Bit Edition Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition SpywareBlaster 5.0 TC Track Builder 3 Train Dispatcher 3 Update for Microsoft .NET Framework 4 Client Profile (KB2468871) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) Update for Microsoft Office 2010 (KB2553065) Update for Microsoft Office 2010 (KB2553092) Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition Update for Microsoft Office 2010 (KB2566458) Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition Windows Live Windows Live Communications Platform Windows Live Essentials Windows Live Family Safety Windows Live Fotogalerie Windows Live ID Sign-in Assistant Windows Live Installer Windows Live Language Selector Windows Live Mail Windows Live Mesh Windows Live Mesh - ActiveX-besturingselement voor externe verbindingen Windows Live Mesh ActiveX Control for Remote Connections Windows Live Messenger Windows Live MIME IFilter Windows Live Movie Maker Windows Live Photo Common Windows Live Photo Gallery Windows Live PIMT Platform Windows Live Remote Client Windows Live Remote Client Resources Windows Live Remote Service Windows Live Remote Service Resources Windows Live SOXE Windows Live SOXE Definitions Windows Live UX Platform Windows Live UX Platform Language Pack Windows Live Writer Windows Live Writer Resources WinPatrol WOT for Internet Explorer . ==== Event Viewer Messages From Past Week ======== . 3/28/2013 12:33:44 PM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: The specified module could not be found. 3/23/2013 11:21:27 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service. . ==== End Of File ===========================

DDS (Ver_2012-11-20.01) - NTFS_AMD64 Internet Explorer: 10.0.9200.16521 Run by PWS at 11:18:06 on 2013-03-28 Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.12199.10231 [GMT -5:00] . . ============== Running Processes =============== . C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k netsvcs C:\Program Files\Sandboxie\SbieSvc.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe C:\Program Files (x86)\ASUS\AAHM\1.00.11\aaHMSvc.exe C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.10\AsSysCtrlService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Windows\SysWOW64\AsHookDevice.exe C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe C:\Windows\System32\svchost.exe -k HPZ12 C:\Windows\System32\svchost.exe -k HPZ12 C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Windows\system32\wbem\wmiprvse.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Windows\System32\WUDFHost.exe C:\Windows\system32\taskhost.exe C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe C:\Windows\System32\igfxtray.exe C:\Windows\System32\hkcmd.exe C:\Windows\System32\igfxpers.exe C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe C:\Program Files\Sandboxie\SbieCtrl.exe C:\Windows\system32\taskeng.exe C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe C:\Program Files (x86)\EMET\EMET_notifier.exe C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe C:\Program Files (x86)\iTunes\iTunesHelper.exe C:\Windows\system32\SearchIndexer.exe C:\Program Files\iPod\bin\iPodService.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation \\?\C:\Windows\system32\wbem\WMIADAP.EXE C:\Windows\system32\wbem\wmiprvse.exe C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe C:\Windows\system32\sppsvc.exe C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\System32\cscript.exe . ============== Pseudo HJT Report =============== . uSearch Bar = Preserve BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\coieplg.dll BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\ips\ipsbho.dll BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll TB: WOT: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\coieplg.dll TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\coieplg.dll TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe" uRun: [uploader] C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" mRun: [RunAIShell] C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe mRun: [ConnectionCenter] "C:\Users\PWS\AppData\Local\Citrix\ICA Client\concentr.exe" /startup mRun: [DBAgent] "C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe" /WinStart mRun: [EMET Notifier] C:\Program Files (x86)\EMET\EMET_notifier.exe mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot mRun: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ASUSVI~1.LNK - C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe uPolicies-Explorer: NoDrives = dword:0 mPolicies-Explorer: NoDrives = dword:0 mPolicies-System: ConsentPromptBehaviorUser = dword:3 mPolicies-System: EnableUIADesktopToggle = dword:0 IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105 IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll . INFO: HKCU has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option. . DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab TCP: NameServer = 75.75.75.75 75.75.76.76 192.168.1.1 TCP: Interfaces\{B572E52D-654C-4037-A505-6BF565430247} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1 Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe" x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL x64-BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll x64-TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe x64-Run: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe -expressboot x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned> x64-Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll x64-Notify: igfxcui - igfxdev.dll x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL . ============= SERVICES / DRIVERS =============== . R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\0502020.003\symds64.sys [2012-7-17 450680] R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\0502020.003\symefa64.sys [2012-7-17 912504] R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20130322.001\BHDrvx64.sys [2013-3-21 1387608] R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2010-7-14 87600] R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20130327.001\IDSviA64.sys [2013-3-28 513184] R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\0502020.003\ironx64.sys [2012-7-17 171128] R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\0502020.003\symnets.sys [2012-7-17 386168] R2 asComSvc;ASUS Com Service;C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [2011-5-31 918144] R2 asHmComSvc;ASUS HM Com Service;C:\Program Files (x86)\ASUS\AAHM\1.00.11\aaHMSvc.exe [2011-5-31 915072] R2 AsSysCtrlService;ASUS System Control Service;C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.10\AsSysCtrlService.exe [2011-5-31 586880] R2 Device Handle Service;Device Handle Service;C:\Windows\SysWOW64\AsHookDevice.exe [2011-5-31 203392] R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-11 398184] R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-11 682344] R2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\ccsvchst.exe [2012-7-17 130008] R2 RtNdPt60;Realtek NDIS Protocol Driver;C:\Windows\System32\drivers\RtNdPt60.sys [2011-5-31 32544] R2 Seagate Dashboard Services;Seagate Dashboard Services;C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [2012-5-4 14496] R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-5-31 2656280] R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2011-5-25 126952] R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2011-5-25 389608] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-8 138912] R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-5-31 317440] R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2011-12-18 24176] R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-5-31 406632] R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2012-12-16 202632] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576] S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-5-31 48488] S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352] S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2011-5-31 158976] S3 mv91xx;mv91xx;C:\Windows\System32\drivers\mv91xx.sys [2011-5-25 293416] S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2011-5-25 80384] S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2011-5-25 181248] S3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.2);C:\Windows\System32\drivers\RtTeam60.sys [2011-5-31 48416] S3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);C:\Windows\System32\drivers\RtVlan60.sys [2011-5-31 29472] S3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.2);C:\Windows\System32\drivers\RtTeam60.sys [2011-5-31 48416] S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392] S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232] S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760] S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-12-20 1255736] S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184] . =============== Created Last 30 ================ . 2013-03-27 02:06:16 -------- d-----w- C:\Windows\System32\wbem\repository 2013-03-23 03:46:30 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys 2013-03-02 17:00:31 -------- d-----w- C:\ProgramData\Licenses 2013-02-26 22:11:02 2776576 ----a-w- C:\Windows\System32\msmpeg2vdec.dll 2013-02-26 22:11:02 2284544 ----a-w- C:\Windows\SysWow64\msmpeg2vdec.dll 2013-02-26 22:11:02 221184 ----a-w- C:\Windows\System32\UIAnimation.dll 2013-02-26 22:11:02 187392 ----a-w- C:\Windows\SysWow64\UIAnimation.dll 2013-02-26 22:11:01 465920 ----a-w- C:\Windows\System32\WMPhoto.dll 2013-02-26 22:11:01 417792 ----a-w- C:\Windows\SysWow64\WMPhoto.dll . ==================== Find3M ==================== . 2013-03-13 01:05:21 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl 2013-03-13 01:05:21 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe 2013-02-12 05:45:24 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll 2013-02-12 05:45:22 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll 2013-02-12 05:45:22 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll 2013-02-12 05:45:22 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll 2013-02-12 04:48:31 474112 ----a-w- C:\Windows\apppatch\AcSpecfc.dll 2013-02-12 04:48:26 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll 2013-01-13 21:17:03 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll 2013-01-13 21:17:02 2560 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll 2013-01-13 21:16:42 10752 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll 2013-01-13 21:12:46 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll 2013-01-13 21:11:21 4096 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll 2013-01-13 21:11:08 5632 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll 2013-01-13 21:11:07 5632 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll 2013-01-13 21:11:07 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll 2013-01-13 21:11:07 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll 2013-01-13 20:35:31 9728 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll 2013-01-13 20:35:31 2560 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll 2013-01-13 20:35:18 10752 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll 2013-01-13 20:32:07 3584 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll 2013-01-13 20:31:48 4096 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll 2013-01-13 20:31:41 5632 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll 2013-01-13 20:31:40 5632 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll 2013-01-13 20:31:40 3072 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll 2013-01-13 20:31:40 3072 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll 2013-01-13 20:31:00 1247744 ----a-w- C:\Windows\SysWow64\DWrite.dll 2013-01-13 20:22:22 1988096 ----a-w- C:\Windows\SysWow64\d3d10warp.dll 2013-01-13 20:20:31 293376 ----a-w- C:\Windows\SysWow64\dxgi.dll 2013-01-13 20:09:00 249856 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll 2013-01-13 20:08:43 220160 ----a-w- C:\Windows\SysWow64\d3d10core.dll 2013-01-13 20:08:35 1504768 ----a-w- C:\Windows\SysWow64\d3d11.dll 2013-01-13 19:59:04 1643520 ----a-w- C:\Windows\System32\DWrite.dll 2013-01-13 19:58:28 1175552 ----a-w- C:\Windows\System32\FntCache.dll 2013-01-13 19:54:01 604160 ----a-w- C:\Windows\SysWow64\d3d10level9.dll 2013-01-13 19:53:58 207872 ----a-w- C:\Windows\SysWow64\WindowsCodecsExt.dll 2013-01-13 19:51:30 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll 2013-01-13 19:49:17 363008 ----a-w- C:\Windows\System32\dxgi.dll 2013-01-13 19:48:47 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll 2013-01-13 19:46:25 1080832 ----a-w- C:\Windows\SysWow64\d3d10.dll 2013-01-13 19:43:21 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll 2013-01-13 19:38:39 333312 ----a-w- C:\Windows\System32\d3d10_1core.dll 2013-01-13 19:38:32 1887232 ----a-w- C:\Windows\System32\d3d11.dll 2013-01-13 19:38:21 296960 ----a-w- C:\Windows\System32\d3d10core.dll 2013-01-13 19:37:57 3419136 ----a-w- C:\Windows\SysWow64\d2d1.dll 2013-01-13 19:25:04 245248 ----a-w- C:\Windows\System32\WindowsCodecsExt.dll 2013-01-13 19:24:33 648192 ----a-w- C:\Windows\System32\d3d10level9.dll 2013-01-13 19:20:42 194560 ----a-w- C:\Windows\System32\d3d10_1.dll 2013-01-13 19:20:04 1238528 ----a-w- C:\Windows\System32\d3d10.dll 2013-01-13 19:15:40 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll 2013-01-13 19:10:36 3928064 ----a-w- C:\Windows\System32\d2d1.dll 2013-01-13 18:34:58 364544 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll 2013-01-13 18:09:52 522752 ----a-w- C:\Windows\System32\XpsGdiConverter.dll 2013-01-13 17:26:42 1158144 ----a-w- C:\Windows\SysWow64\XpsPrint.dll 2013-01-13 17:05:09 1682432 ----a-w- C:\Windows\System32\XpsPrint.dll 2013-01-05 05:53:43 5553512 ----a-w- C:\Windows\System32\ntoskrnl.exe 2013-01-05 05:00:15 3967848 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe 2013-01-05 05:00:11 3913064 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe 2013-01-04 05:46:09 215040 ----a-w- C:\Windows\System32\winsrv.dll 2013-01-04 04:51:16 5120 ----a-w- C:\Windows\SysWow64\wow32.dll 2013-01-04 04:43:21 44032 ----a-w- C:\Windows\apppatch\acwow64.dll 2013-01-04 03:26:48 3153408 ----a-w- C:\Windows\System32\win32k.sys 2013-01-04 02:47:35 25600 ----a-w- C:\Windows\SysWow64\setup16.exe 2013-01-04 02:47:34 7680 ----a-w- C:\Windows\SysWow64\instnm.exe 2013-01-04 02:47:34 2048 ----a-w- C:\Windows\SysWow64\user.exe 2013-01-04 02:47:33 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll 2013-01-03 06:00:54 1913192 ----a-w- C:\Windows\System32\drivers\tcpip.sys 2013-01-03 06:00:42 288088 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS . ============= FINISH: 11:19:24.70 =============== ATTACH:. UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2012-11-20.01) . Microsoft Windows 7 Home Premium Boot Device: \Device\HarddiskVolume2 Install Date: 12/18/2011 12:24:35 PM System Uptime: 3/28/2013 11:14:05 AM (0 hours ago) . Motherboard: ASUSTeK Computer INC. | | CM6850 Processor: Intel® Core i5-2320 CPU @ 3.00GHz | LGA1155 | 1590/100mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 745 GiB total, 671.399 GiB free. D: is FIXED (NTFS) - 1104 GiB total, 1068.037 GiB free. E: is CDROM (CDFS) F: is Removable G: is Removable H: is Removable I: is Removable J: is Removable K: is Removable . ==== Disabled Device Manager Items ============= . ==== System Restore Points =================== . RP121: 2/18/2013 11:40:56 PM - Norton Security Suite Registry RP122: 2/26/2013 4:10:30 PM - Windows Update RP123: 3/9/2013 3:56:38 PM - Scheduled Checkpoint RP124: 3/12/2013 8:04:10 PM - Windows Update RP125: 3/18/2013 2:22:48 PM - Norton Security Suite Registry RP127: 3/22/2013 10:46:37 PM - Windows Update RP128: 3/22/2013 10:52:26 PM - Windows Update . ==== Installed Programs ====================== . 64 Bit HP CIO Components Installer Adobe Flash Player 11 ActiveX Adobe Reader XI (11.0.02) AI Manager AI Suite II Apple Application Support Apple Mobile Device Support Apple Software Update ASUS Backup Wizard AsusVibe2.0 Bonjour Citrix online plug-in - web Citrix online plug-in (DV) Citrix online plug-in (HDX) Citrix online plug-in (USB) Citrix online plug-in (Web) Citrix XenApp Web Plugin Contrôle ActiveX Windows Live Mesh pour connexions à distance Control ActiveX de Windows Live Mesh para conexiones remotas D3DX10 Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition DVD Shrink 3.2 EMET ERUNT 1.1j ESET Online Scanner v3 Free M4a to MP3 Converter 7.0 Galerie de photos Windows Live Galería fotográfica de Windows Live HP Officejet Pro 8500 A910 Basic Device Software HP Officejet Pro 8500 A910 Help HP Officejet Pro 8500 A910 Product Improvement Study HP Update I.R.I.S. OCR Intel® Management Engine Components iTunes Junk Mail filter update LightScribe System Software 1.10.13.1 Malwarebytes Anti-Malware version 1.70.0.1100 Marketsplash Shortcuts Mesh Runtime Microsoft .NET Framework 4 Client Profile Microsoft Application Error Reporting Microsoft Office 2010 Microsoft Office 2010 Service Pack 1 (SP1) Microsoft Office Access MUI (English) 2010 Microsoft Office Access Setup Metadata MUI (English) 2010 Microsoft Office Excel MUI (English) 2010 Microsoft Office File Validation Add-In Microsoft Office Groove MUI (English) 2010 Microsoft Office InfoPath MUI (English) 2010 Microsoft Office Office 64-bit Components 2010 Microsoft Office OneNote MUI (English) 2010 Microsoft Office Outlook MUI (English) 2010 Microsoft Office PowerPoint MUI (English) 2010 Microsoft Office Professional Plus 2010 Microsoft Office Proof (English) 2010 Microsoft Office Proof (French) 2010 Microsoft Office Proof (Spanish) 2010 Microsoft Office Proofing (English) 2010 Microsoft Office Publisher MUI (English) 2010 Microsoft Office Shared 64-bit MUI (English) 2010 Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 Microsoft Office Shared MUI (English) 2010 Microsoft Office Shared Setup Metadata MUI (English) 2010 Microsoft Office Word MUI (English) 2010 Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs Microsoft Silverlight Microsoft SQL Server 2005 Compact Edition [ENU] Microsoft Train Simulator Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2005 Redistributable (x64) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 MLT Greater Toronto Area MSTS Patch 1.8.0521 EN MSVCRT MSVCRT_amd64 MSXML 4.0 SP2 (KB973688) MSXML 4.0 SP3 Parser (KB2721691) MSXML 4.0 SP3 Parser (KB2758694) MSXML 4.0 SP3 Parser (KB973685) Nero 7 Essentials neroxml Norton Security Suite QuickTime RailDriver for MSTS RealNetworks - Microsoft Visual C++ 2008 Runtime RealPlayer Realtek Ethernet Controller Driver Realtek Ethernet Diagnostic Utility Realtek High Definition Audio Driver RealUpgrade 1.1 Safari Sandboxie 3.76 (64-bit) Seagate Dashboard 2.0 Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636) Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078) Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121) Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405) Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827) Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449) Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019) Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595) Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642) Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition Security Update for Microsoft Filter Pack 2.0 (KB2553501) 32-Bit Edition Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition Security Update for Microsoft InfoPath 2010 (KB2687436) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2553091) Security Update for Microsoft Office 2010 (KB2553096) Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition Security Update for Microsoft OneNote 2010 (KB2760600) 32-Bit Edition Security Update for Microsoft Visio 2010 (KB2760762) 32-Bit Edition Security Update for Microsoft Visio Viewer 2010 (KB2687505) 32-Bit Edition Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition SpywareBlaster 5.0 TC Track Builder 3 Train Dispatcher 3 Update for Microsoft .NET Framework 4 Client Profile (KB2468871) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) Update for Microsoft Office 2010 (KB2553065) Update for Microsoft Office 2010 (KB2553092) Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition Update for Microsoft Office 2010 (KB2566458) Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition Windows Live Windows Live Communications Platform Windows Live Essentials Windows Live Family Safety Windows Live Fotogalerie Windows Live ID Sign-in Assistant Windows Live Installer Windows Live Language Selector Windows Live Mail Windows Live Mesh Windows Live Mesh - ActiveX-besturingselement voor externe verbindingen Windows Live Mesh ActiveX Control for Remote Connections Windows Live Messenger Windows Live MIME IFilter Windows Live Movie Maker Windows Live Photo Common Windows Live Photo Gallery Windows Live PIMT Platform Windows Live Remote Client Windows Live Remote Client Resources Windows Live Remote Service Windows Live Remote Service Resources Windows Live SOXE Windows Live SOXE Definitions Windows Live UX Platform Windows Live UX Platform Language Pack Windows Live Writer Windows Live Writer Resources WinPatrol WOT for Internet Explorer . ==== Event Viewer Messages From Past Week ======== . 3/28/2013 11:14:32 AM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: The specified module could not be found. 3/23/2013 11:21:27 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service. . ==== End Of File ===========================

Yep, it says "WMI repository is consistent"

Same here, time to sign out for today. The problem keeps appearing. I'll try it again tomorrow.

Shoot, again :-( It looks the security center flips it to unprotected after about 4 minutes. It didn't do this before running the bat file, is there a way to fix that?

The two messages just showed up again so I again ran the command and restarted. Quiet again for now :-) I'll keep an eye on it for a bit. Other than that, no open issues. So you didn't see any traces of malware in the logs?

I just ran those commands and so far so good, the message center is quiet for now :-)

Oh okay, if that volume shadow copy is windows backup, that's fine, I didn't set it up (I'm using another program for backing up). I ran the BAT file and it looks like it did what was intended. The windows message center now displays the following: "Turn on windows defender (important)", "find an antivirus program online (important)", "Turn on windows firewall (important." Norton is still running as normal. Time to rebuild the folder? ;-)

Two questions: 1. What is the volume shadow copy that you mentioned? 2. when running the BAT file, the following text comes up, is this what you were expecting? I just want to verify before I run it. "The following services are dependent on the Windows Management instrumentation service. Stopping the Windows Management Instrumentation service wil also stop these services. Security Center IP Helper Do you want to continue with this operation? (Y/N)"

Farbar Service Scanner Version: 03-03-2013 Ran by PLF (ATTENTION: The logged in user is not administrator) on 24-03-2013 at 22:46:38 Running from "C:\Users\PLF\Desktop" Windows 7 Home Premium Service Pack 1 (X64) Boot Mode: Normal **************************************************************** Internet Services: ============ Connection Status: ============== Localhost is accessible. LAN connected. Google IP is accessible. Google.com is accessible. Yahoo IP is accessible. Yahoo.com is accessible. Windows Firewall: ============= Firewall Disabled Policy: ================== System Restore: ============ SDRSVC Service is not running. Checking service configuration: The start type of SDRSVC service is OK. The ImagePath of SDRSVC service is OK. The ServiceDll of SDRSVC service is OK. VSS Service is not running. Checking service configuration: The start type of VSS service is OK. The ImagePath of VSS service is OK. System Restore Disabled Policy: ======================== Action Center: ============ Windows Update: ============ Windows Autoupdate Disabled Policy: ============================ Windows Defender: ============== WinDefend Service is not running. Checking service configuration: The start type of WinDefend service is OK. The ImagePath of WinDefend service is OK. The ServiceDll of WinDefend: "%ProgramFiles(x86)%\Windows Defender\mpsvc.dll". Windows Defender Disabled Policy: ========================== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender] "DisableAntiSpyware"=DWORD:1 Other Services: ============== File Check: ======== C:\Windows\System32\nsisvc.dll => MD5 is legit C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit C:\Windows\System32\dhcpcore.dll => MD5 is legit C:\Windows\System32\drivers\afd.sys => MD5 is legit C:\Windows\System32\drivers\tdx.sys => MD5 is legit C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit C:\Windows\System32\dnsrslvr.dll => MD5 is legit C:\Windows\System32\mpssvc.dll => MD5 is legit C:\Windows\System32\bfe.dll => MD5 is legit C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit C:\Windows\System32\SDRSVC.dll => MD5 is legit C:\Windows\System32\vssvc.exe => MD5 is legit C:\Windows\System32\wscsvc.dll => MD5 is legit C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit C:\Windows\System32\wuaueng.dll => MD5 is legit C:\Windows\System32\qmgr.dll => MD5 is legit C:\Windows\System32\es.dll => MD5 is legit C:\Windows\System32\cryptsvc.dll => MD5 is legit C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\rpcss.dll => MD5 is legit **** End of log ****

Hi Daniel, thanks for the quick reply. Log pasted here. GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-03-23 23:30:06 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD20EARX-22PASB0 rev.51.0AB51 1863.02GB Running: g4fvg2l7.exe; Driver: C:\Users\PWS\AppData\Local\Temp\pxddypog.sys ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----

A few days ago while browsing the web, my web browser all of the sudden acted erratic and froze (I was running it sandboxed at the time under a standard user account), it was a bit different, almost like a drive by download was attempted - on the top title bar a dll was listed. I figured just a hiccup. But then right after that, windows reported that my Norton AV was turned off which made me suspicious. I checked that and the AV was still on, so I followed some advice from Norton and re-registered a file which seemed to solve that. Later that day, Norton was having trouble updating a definition (maybe a coincidence), and yet later it hung up while turning off the computer (again seemingly another common issue). So I figured just another hiccup. Today about two minutes after getting online, all of the sudden windows again reported that Norton was turned off, reregistering that same file fixed it again (although it looks like this one might be in the event viewer section in the attach log). In over a year and a half of using Norton, I never had these problems until the last few days when that erratic behavior in the web browser happened. MBAM, Norton, and ESET online scans came up clean and I'm not experiencing any redirects. If you don't mind, could one of you take a look at the computer to be sure. Thanks! Sorry it looks like the enter button isn't working to go to another line - DDS & attached below:DDS (Ver_2012-11-20.01) - NTFS_AMD64 Internet Explorer: 10.0.9200.16521 Run by PWS at 11:34:36 on 2013-03-23 Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.12199.10059 [GMT -5:00] . AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202} FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4} . ============== Running Processes =============== . C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k netsvcs C:\Program Files\Sandboxie\SbieSvc.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe C:\Program Files (x86)\ASUS\AAHM\1.00.11\aaHMSvc.exe C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.10\AsSysCtrlService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Windows\SysWOW64\AsHookDevice.exe C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe C:\Windows\System32\svchost.exe -k HPZ12 C:\Windows\System32\svchost.exe -k HPZ12 C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Windows\system32\taskhost.exe C:\Windows\system32\Dwm.exe C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe C:\Windows\Explorer.EXE C:\Windows\system32\wbem\wmiprvse.exe C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe C:\Windows\System32\WUDFHost.exe C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe C:\Windows\System32\igfxtray.exe C:\Windows\System32\hkcmd.exe C:\Windows\System32\igfxpers.exe C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe C:\Program Files\Sandboxie\SbieCtrl.exe C:\Windows\system32\taskeng.exe C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe C:\Windows\system32\SearchIndexer.exe C:\Program Files (x86)\EMET\EMET_notifier.exe C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe C:\Program Files (x86)\iTunes\iTunesHelper.exe C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe C:\Program Files\iPod\bin\iPodService.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe C:\Windows\system32\sppsvc.exe C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\System32\cscript.exe . ============== Pseudo HJT Report =============== . uSearch Bar = Preserve BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\coieplg.dll BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\ips\ipsbho.dll BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll TB: WOT: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\coieplg.dll TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\coieplg.dll TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe" uRun: [uploader] C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" mRun: [RunAIShell] C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe mRun: [ConnectionCenter] "C:\Users\PWS\AppData\Local\Citrix\ICA Client\concentr.exe" /startup mRun: [DBAgent] "C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe" /WinStart mRun: [EMET Notifier] C:\Program Files (x86)\EMET\EMET_notifier.exe mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot mRun: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ASUSVI~1.LNK - C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe uPolicies-Explorer: NoDrives = dword:0 mPolicies-Explorer: NoDrives = dword:0 mPolicies-System: ConsentPromptBehaviorUser = dword:3 mPolicies-System: EnableUIADesktopToggle = dword:0 IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105 IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll . INFO: HKCU has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option. . DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab TCP: NameServer = 192.168.1.1 TCP: Interfaces\{B572E52D-654C-4037-A505-6BF565430247} : DHCPNameServer = 192.168.1.1 Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\PWS\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe" x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL x64-BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll x64-TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe x64-Run: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe -expressboot x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned> x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned> x64-Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll x64-Notify: igfxcui - igfxdev.dll x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL . ============= SERVICES / DRIVERS =============== . R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\0502020.003\symds64.sys [2012-7-17 450680] R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\0502020.003\symefa64.sys [2012-7-17 912504] R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20130301.001\BHDrvx64.sys [2013-3-6 1388120] R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2010-7-14 87600] R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20130322.001\IDSviA64.sys [2013-3-22 513184] R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\0502020.003\ironx64.sys [2012-7-17 171128] R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\0502020.003\symnets.sys [2012-7-17 386168] R2 asComSvc;ASUS Com Service;C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [2011-5-31 918144] R2 asHmComSvc;ASUS HM Com Service;C:\Program Files (x86)\ASUS\AAHM\1.00.11\aaHMSvc.exe [2011-5-31 915072] R2 AsSysCtrlService;ASUS System Control Service;C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.10\AsSysCtrlService.exe [2011-5-31 586880] R2 Device Handle Service;Device Handle Service;C:\Windows\SysWOW64\AsHookDevice.exe [2011-5-31 203392] R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-11 398184] R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-11 682344] R2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\5.2.2.3\ccsvchst.exe [2012-7-17 130008] R2 RtNdPt60;Realtek NDIS Protocol Driver;C:\Windows\System32\drivers\RtNdPt60.sys [2011-5-31 32544] R2 Seagate Dashboard Services;Seagate Dashboard Services;C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [2012-5-4 14496] R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-5-31 2656280] R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2011-5-25 126952] R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2011-5-25 389608] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-8 138912] R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-5-31 317440] R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2011-12-18 24176] R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-5-31 406632] R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2012-12-16 202632] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576] S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-5-31 48488] S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352] S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2011-5-31 158976] S3 mv91xx;mv91xx;C:\Windows\System32\drivers\mv91xx.sys [2011-5-25 293416] S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2011-5-25 80384] S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2011-5-25 181248] S3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.2);C:\Windows\System32\drivers\RtTeam60.sys [2011-5-31 48416] S3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);C:\Windows\System32\drivers\RtVlan60.sys [2011-5-31 29472] S3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.2);C:\Windows\System32\drivers\RtTeam60.sys [2011-5-31 48416] S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392] S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232] S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760] S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-12-20 1255736] S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184] . =============== Created Last 30 ================ . 2013-03-23 03:46:30 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys 2013-03-02 17:00:31 -------- d-----w- C:\ProgramData\Licenses 2013-02-26 22:11:02 2776576 ----a-w- C:\Windows\System32\msmpeg2vdec.dll 2013-02-26 22:11:02 2284544 ----a-w- C:\Windows\SysWow64\msmpeg2vdec.dll 2013-02-26 22:11:02 221184 ----a-w- C:\Windows\System32\UIAnimation.dll 2013-02-26 22:11:02 187392 ----a-w- C:\Windows\SysWow64\UIAnimation.dll 2013-02-26 22:11:01 465920 ----a-w- C:\Windows\System32\WMPhoto.dll 2013-02-26 22:11:01 417792 ----a-w- C:\Windows\SysWow64\WMPhoto.dll 2013-02-26 03:22:38 -------- d-----r- C:\Sandbox 2013-02-26 03:20:35 -------- d-----w- C:\Program Files\Sandboxie . ==================== Find3M ==================== . 2013-03-13 01:05:21 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl 2013-03-13 01:05:21 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe 2013-02-12 05:45:24 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll 2013-02-12 05:45:22 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll 2013-02-12 05:45:22 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll 2013-02-12 05:45:22 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll 2013-02-12 04:48:31 474112 ----a-w- C:\Windows\apppatch\AcSpecfc.dll 2013-02-12 04:48:26 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll 2013-01-13 21:17:03 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll 2013-01-13 21:17:02 2560 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll 2013-01-13 21:16:42 10752 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll 2013-01-13 21:12:46 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll 2013-01-13 21:11:21 4096 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll 2013-01-13 21:11:08 5632 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll 2013-01-13 21:11:07 5632 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll 2013-01-13 21:11:07 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll 2013-01-13 21:11:07 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll 2013-01-13 20:35:31 9728 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll 2013-01-13 20:35:31 2560 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll 2013-01-13 20:35:18 10752 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll 2013-01-13 20:32:07 3584 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll 2013-01-13 20:31:48 4096 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll 2013-01-13 20:31:41 5632 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll 2013-01-13 20:31:40 5632 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll 2013-01-13 20:31:40 3072 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll 2013-01-13 20:31:40 3072 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll 2013-01-13 20:31:00 1247744 ----a-w- C:\Windows\SysWow64\DWrite.dll 2013-01-13 20:22:22 1988096 ----a-w- C:\Windows\SysWow64\d3d10warp.dll 2013-01-13 20:20:31 293376 ----a-w- C:\Windows\SysWow64\dxgi.dll 2013-01-13 20:09:00 249856 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll 2013-01-13 20:08:43 220160 ----a-w- C:\Windows\SysWow64\d3d10core.dll 2013-01-13 20:08:35 1504768 ----a-w- C:\Windows\SysWow64\d3d11.dll 2013-01-13 19:59:04 1643520 ----a-w- C:\Windows\System32\DWrite.dll 2013-01-13 19:58:28 1175552 ----a-w- C:\Windows\System32\FntCache.dll 2013-01-13 19:54:01 604160 ----a-w- C:\Windows\SysWow64\d3d10level9.dll 2013-01-13 19:53:58 207872 ----a-w- C:\Windows\SysWow64\WindowsCodecsExt.dll 2013-01-13 19:51:30 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll 2013-01-13 19:49:17 363008 ----a-w- C:\Windows\System32\dxgi.dll 2013-01-13 19:48:47 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll 2013-01-13 19:46:25 1080832 ----a-w- C:\Windows\SysWow64\d3d10.dll 2013-01-13 19:43:21 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll 2013-01-13 19:38:39 333312 ----a-w- C:\Windows\System32\d3d10_1core.dll 2013-01-13 19:38:32 1887232 ----a-w- C:\Windows\System32\d3d11.dll 2013-01-13 19:38:21 296960 ----a-w- C:\Windows\System32\d3d10core.dll 2013-01-13 19:37:57 3419136 ----a-w- C:\Windows\SysWow64\d2d1.dll 2013-01-13 19:25:04 245248 ----a-w- C:\Windows\System32\WindowsCodecsExt.dll 2013-01-13 19:24:33 648192 ----a-w- C:\Windows\System32\d3d10level9.dll 2013-01-13 19:20:42 194560 ----a-w- C:\Windows\System32\d3d10_1.dll 2013-01-13 19:20:04 1238528 ----a-w- C:\Windows\System32\d3d10.dll 2013-01-13 19:15:40 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll 2013-01-13 19:10:36 3928064 ----a-w- C:\Windows\System32\d2d1.dll 2013-01-13 18:34:58 364544 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll 2013-01-13 18:09:52 522752 ----a-w- C:\Windows\System32\XpsGdiConverter.dll 2013-01-13 17:26:42 1158144 ----a-w- C:\Windows\SysWow64\XpsPrint.dll 2013-01-13 17:05:09 1682432 ----a-w- C:\Windows\System32\XpsPrint.dll 2013-01-05 05:53:43 5553512 ----a-w- C:\Windows\System32\ntoskrnl.exe 2013-01-05 05:00:15 3967848 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe 2013-01-05 05:00:11 3913064 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe 2013-01-04 05:46:09 215040 ----a-w- C:\Windows\System32\winsrv.dll 2013-01-04 04:51:16 5120 ----a-w- C:\Windows\SysWow64\wow32.dll 2013-01-04 04:43:21 44032 ----a-w- C:\Windows\apppatch\acwow64.dll 2013-01-04 03:26:48 3153408 ----a-w- C:\Windows\System32\win32k.sys 2013-01-04 02:47:35 25600 ----a-w- C:\Windows\SysWow64\setup16.exe 2013-01-04 02:47:34 7680 ----a-w- C:\Windows\SysWow64\instnm.exe 2013-01-04 02:47:34 2048 ----a-w- C:\Windows\SysWow64\user.exe 2013-01-04 02:47:33 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll 2013-01-03 06:00:54 1913192 ----a-w- C:\Windows\System32\drivers\tcpip.sys 2013-01-03 06:00:42 288088 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS . ============= FINISH: 11:35:46.86 =============== Attach:. UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2012-11-20.01) . Microsoft Windows 7 Home Premium Boot Device: \Device\HarddiskVolume2 Install Date: 12/18/2011 12:24:35 PM System Uptime: 3/23/2013 11:28:54 AM (0 hours ago) . Motherboard: ASUSTeK Computer INC. | | CM6850 Processor: Intel® Core™ i5-2320 CPU @ 3.00GHz | LGA1155 | 2670/100mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 745 GiB total, 671.907 GiB free. D: is FIXED (NTFS) - 1104 GiB total, 1068.587 GiB free. E: is CDROM (CDFS) F: is Removable G: is Removable H: is Removable I: is Removable J: is Removable . ==== Disabled Device Manager Items ============= . ==== System Restore Points =================== . RP121: 2/18/2013 11:40:56 PM - Norton Security Suite Registry RP122: 2/26/2013 4:10:30 PM - Windows Update RP123: 3/9/2013 3:56:38 PM - Scheduled Checkpoint RP124: 3/12/2013 8:04:10 PM - Windows Update RP125: 3/18/2013 2:22:48 PM - Norton Security Suite Registry RP127: 3/22/2013 10:46:37 PM - Windows Update RP128: 3/22/2013 10:52:26 PM - Windows Update . ==== Installed Programs ====================== . 64 Bit HP CIO Components Installer Adobe Flash Player 11 ActiveX Adobe Reader XI (11.0.02) AI Manager AI Suite II Apple Application Support Apple Mobile Device Support Apple Software Update ASUS Backup Wizard AsusVibe2.0 Bonjour Citrix online plug-in - web Citrix online plug-in (DV) Citrix online plug-in (HDX) Citrix online plug-in (USB) Citrix online plug-in (Web) Citrix XenApp Web Plugin Contrôle ActiveX Windows Live Mesh pour connexions à distance Control ActiveX de Windows Live Mesh para conexiones remotas D3DX10 Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition DVD Shrink 3.2 EMET ERUNT 1.1j ESET Online Scanner v3 Free M4a to MP3 Converter 7.0 Galerie de photos Windows Live Galería fotográfica de Windows Live HP Officejet Pro 8500 A910 Basic Device Software HP Officejet Pro 8500 A910 Help HP Officejet Pro 8500 A910 Product Improvement Study HP Update I.R.I.S. OCR Intel® Management Engine Components iTunes Junk Mail filter update LightScribe System Software 1.10.13.1 Malwarebytes Anti-Malware version 1.70.0.1100 Marketsplash Shortcuts Mesh Runtime Microsoft .NET Framework 4 Client Profile Microsoft Application Error Reporting Microsoft Office 2010 Microsoft Office 2010 Service Pack 1 (SP1) Microsoft Office Access MUI (English) 2010 Microsoft Office Access Setup Metadata MUI (English) 2010 Microsoft Office Excel MUI (English) 2010 Microsoft Office File Validation Add-In Microsoft Office Groove MUI (English) 2010 Microsoft Office InfoPath MUI (English) 2010 Microsoft Office Office 64-bit Components 2010 Microsoft Office OneNote MUI (English) 2010 Microsoft Office Outlook MUI (English) 2010 Microsoft Office PowerPoint MUI (English) 2010 Microsoft Office Professional Plus 2010 Microsoft Office Proof (English) 2010 Microsoft Office Proof (French) 2010 Microsoft Office Proof (Spanish) 2010 Microsoft Office Proofing (English) 2010 Microsoft Office Publisher MUI (English) 2010 Microsoft Office Shared 64-bit MUI (English) 2010 Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 Microsoft Office Shared MUI (English) 2010 Microsoft Office Shared Setup Metadata MUI (English) 2010 Microsoft Office Word MUI (English) 2010 Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs Microsoft Silverlight Microsoft SQL Server 2005 Compact Edition [ENU] Microsoft Train Simulator Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2005 Redistributable (x64) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 MLT Greater Toronto Area MSTS Patch 1.8.0521 EN MSVCRT MSVCRT_amd64 MSXML 4.0 SP2 (KB973688) MSXML 4.0 SP3 Parser (KB2721691) MSXML 4.0 SP3 Parser (KB2758694) MSXML 4.0 SP3 Parser (KB973685) Nero 7 Essentials neroxml Norton Security Suite QuickTime RailDriver for MSTS RealNetworks - Microsoft Visual C++ 2008 Runtime RealPlayer Realtek Ethernet Controller Driver Realtek Ethernet Diagnostic Utility Realtek High Definition Audio Driver RealUpgrade 1.1 Safari Sandboxie 3.76 (64-bit) Seagate Dashboard 2.0 Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636) Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078) Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121) Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405) Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827) Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449) Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019) Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595) Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642) Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition Security Update for Microsoft Filter Pack 2.0 (KB2553501) 32-Bit Edition Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition Security Update for Microsoft InfoPath 2010 (KB2687436) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2553091) Security Update for Microsoft Office 2010 (KB2553096) Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition Security Update for Microsoft OneNote 2010 (KB2760600) 32-Bit Edition Security Update for Microsoft Visio 2010 (KB2760762) 32-Bit Edition Security Update for Microsoft Visio Viewer 2010 (KB2687505) 32-Bit Edition Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition SpywareBlaster 5.0 TC Track Builder 3 Train Dispatcher 3 Update for Microsoft .NET Framework 4 Client Profile (KB2468871) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) Update for Microsoft Office 2010 (KB2553065) Update for Microsoft Office 2010 (KB2553092) Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition Update for Microsoft Office 2010 (KB2566458) Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition Windows Live Windows Live Communications Platform Windows Live Essentials Windows Live Family Safety Windows Live Fotogalerie Windows Live ID Sign-in Assistant Windows Live Installer Windows Live Language Selector Windows Live Mail Windows Live Mesh Windows Live Mesh - ActiveX-besturingselement voor externe verbindingen Windows Live Mesh ActiveX Control for Remote Connections Windows Live Messenger Windows Live MIME IFilter Windows Live Movie Maker Windows Live Photo Common Windows Live Photo Gallery Windows Live PIMT Platform Windows Live Remote Client Windows Live Remote Client Resources Windows Live Remote Service Windows Live Remote Service Resources Windows Live SOXE Windows Live SOXE Definitions Windows Live UX Platform Windows Live UX Platform Language Pack Windows Live Writer Windows Live Writer Resources WinPatrol WOT for Internet Explorer . ==== Event Viewer Messages From Past Week ======== . 3/23/2013 11:29:26 AM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: The specified module could not be found. 3/23/2013 11:21:27 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service. . ==== End Of File ===========================

I've been using MBAM Pro and Norton 360 both running in realtime (with exclusions set for both) for the last six months and they work great together.

MSE full scan came back clean. Computer is still generally slow, maybe a hammer will do ;-) At this point, if it seems like something other than malware or outside the scope of this forum, then go ahead and close this thread if needed. We appreciate all your help!

ESET scan below. New thing for today: when my friend started the computer today, in the lower right in the icon tray was a red shield with an X through it stating that virus protection was off. She clicked on the icon and the generic screen came up with firewall on, updates on, virus protection off. So I had her check MSE and protection was on and updates were on. The odd thing was that the MSE green icon was next to the shield with the X through it in the icon tray. So MSE was on, firewall was on, what would set that icon off like that? For the heck of it, I also had her do an MBAM quick scan and that was clean, it just took a bit of time to open it and update. I'm guessing the answer to this last question is no but does any of this sound like rootkit activity? ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK esets_scanner_update returned -1 esets_gle=53251 # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6583 # api_version=3.0.2 # EOSSerial=05c7f916f212d84ebe8d5591953a5e3e # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=false # utc_time=2012-11-08 03:30:19 # local_time=2012-11-07 09:30:19 (-0600, Central Standard Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=5121 16777214 0 96 74979999 104349085 0 0 # compatibility_mode=5891 16776549 42 92 0 5040133 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=47281 # found=0 # cleaned=0 # scan_time=1457

My friend ran the Complete Internet Repair successfully, I don't know if its supposed to produce a report. Current symptoms: The computer now has periods of slowness, it isn't contstant. In periods of slowness it takes a long time for web pages to load, and for buttons to react to being clicked. Even programs other than Internet Explorer can be slow. During these times of slowness, the computer can be heard processing like mad so something is taking resources. There are 126 of 144 GB left of space so that seems okay.

My friend was having trouble locating the log for MSE and I didn't have enough time today to help her find it. But she did say that the MSE full scan found nothing malicious. The internet was still poking along very slowly though.