csrss.exe

gfmet17 · July 4, 2010

Hi

I have spent ages trying to sort out a possible infection on my PC - I'm dual booting Vista 64-bit and Windows 7 64-bit.

I have always used Mbam and swear that it's the best Malware Removal Tool out there.

However every time I run a "Quick Scan" it finds 2 entries, namely: -

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows audio driver (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Paul\AppData\Roaming\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.

They seem to be Quarantined and deleted ok but upon reboot they are still there following another "Quick Scan".

For some reason they do not show after a "Full Scan", they only show after a "Quick Scan". Trying to isolate and investigate the actual csrss.exe file in Vista's Task Manager" (I never boot into Windows 7 anymore as I cannot do so but that partition is defunct and clean) I see that that there are two entries under "Processes". Right-clicking these and then clicking on Properties does not bting up the Properties window AFAIK there should only be one entry for this file which Windows needs to run. Trying to disable each one brings up a window saying that Windows needs it to run properly, so at this point I cancel, so as not to give myself problems.

The infection only shows in Mbam - I have run many other scanners including my own Norton Internet Security 2009 (which of course I disable when running Mbam, Kaspersky, CounterSpy, smitfraudfix to name a few, but this "infection" doesn't show. I have run Mbam in both normal and safe modes, the results are the same - the above two infections which seem to be some kind of derivative of Trojan.Agent, but which one, if any?

I suspect these are "false-positives", but am not sure. I run, as you can see, a 64-bit Operating system and wonder how good Mbam is on these OS's? And I am told that Rootkits do not infect these systems. Furthermore, I was persuaded when electing to install a 64-bit OS that they would be less prone to Viruses/Adware/Malware/Spyware etc, than 32-bit systems.

My system is not displaying anything untoward whatsoever, unlike the symtoms which I have read about on the net. It operates fast and efficient as it should.

I have searched for occurences of the csrss.exe file and I attach a small screenshot showing the 2 occurences within my Vista partition.

Hope someone can shed some light upon this and tell me whether it is a false positive or not.

Cheers

gfmet17

gfmet17 · July 7, 2010

Anyone help please?

gfmet17

Elise · July 7, 2010

Hello ,

And My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

Please download OTL from one of the following mirrors:
- This is THE Mirror
[*]Save it to your desktop.
[*]Double click on the icon on your desktop.
[*]Click the "Scan All Users" checkbox.
[*]Push the button.
[*]Two reports will open, copy and paste them in a reply here:
- OTListIt.txt <-- Will be opened
- Extra.txt <-- Will be minimized

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

A detailed description of your problems
A new OTL log (don't forget extra.txt)

gfmet17 · July 9, 2010

Hi

Thank you for agreeing to help me. First up, I am sorry for the delay in replying, but I have been away. The problems, as reported by Malwarebytes are still present, the details of which, together with a Mbam report, were included in my original post.

The OTL.txt and Extras.txt files are too long to post normally, so I have attached them with this post

I look forward to hearing from you shortly

Regards

gfmet17

OTL.Txt

Extras.Txt

Elise · July 9, 2010

Hello again,

This is definitely not a false positive by MBAM, but a real infection, OTL shows it too.

Please run the following fix, then run a quick scan with MBAM to see if it still comes back.

OTL FIX

------------

We need to run an OTL Fix

Please reopen on your desktop.

Copy and Paste the following code into the

textbox. Do not include the word "Code"

:otl
O4 - HKU\S-1-5-21-1258145863-4091313971-1601379617-1000..\Run: [Windows Audio Driver] C:\Users\Paul\AppData\Roaming\csrss.exe (Windows Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

:commands
[emptytemp]

Push
OTL may ask to reboot the machine. Please do so if asked.
Click .
A report will open. Copy and Paste that report in your next reply.

gfmet17 · July 9, 2010

Hi

I did what you said. However when I ran OTL with the fix in normal mode, it froze my PC - I therefore rebooted into safe mode and ran it again with the fix text previously saved to a text file.

Upon reboot I ran Malwarebytes again but the two infections are still there

Heres the report from OTL as requested: -

All processes killed

========== OTL ==========

Registry value HKEY_USERS\S-1-5-21-1258145863-4091313971-1601379617-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Audio Driver deleted successfully.

C:\Users\Paul\AppData\Roaming\csrss.exe moved successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

User: Paul

->Temp folder emptied: 139458360 bytes

->Java cache emptied: 320736 bytes

User: Public

User: ReleaseEngineer.MACROVISION

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 4209 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 133.00 mb

OTL by OldTimer - Version 3.2.8.1 log created on 07092010_163656

Files\Folders moved on Reboot...

C:\Users\Paul\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

gfmet17

Elise · July 9, 2010

Please post me a new OTL log. Make sure to check the All Users box.

No need for extra.txt. Please try to paste the log in the reply box instead of attaching it, that makes it easier for me to read.

gfmet17 · July 10, 2010

Hi Elise - again sorry for not getting back to you quickly, I have had a barrel load of work issues this week.

Ok Ihave rerun another scan ticking the all users box - here it is: -

OTL logfile created on: 10/07/2010 08:24:20 - Run 2

OTL by OldTimer - Version 3.2.8.1 Folder = C:\Users\Paul\Desktop

64bit-Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18928)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 54.00% Memory free

8.00 Gb Paging File | 6.00 Gb Available in Paging File | 78.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 89.70 Gb Total Space | 29.46 Gb Free Space | 32.85% Space Free | Partition Type: NTFS

Drive D: | 50.02 Gb Total Space | 32.94 Gb Free Space | 65.85% Space Free | Partition Type: NTFS

Drive E: | 244.14 Gb Total Space | 7.99 Gb Free Space | 3.27% Space Free | Partition Type: NTFS

Drive F: | 501.06 Gb Total Space | 24.56 Gb Free Space | 4.90% Space Free | Partition Type: NTFS

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: PAULS-PC

Current User Name: Paul

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Include 64bit Scans

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/09 10:03:07 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Paul\Desktop\OTL.exe

PRC - [2010/05/07 13:36:10 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe

PRC - [2009/12/08 12:27:10 | 001,503,232 | ---- | M] (Nokia) -- C:\Program Files (x86)\Common Files\Nokia\MPlatform\NokiaMServer.exe

PRC - [2009/11/11 17:16:13 | 000,761,856 | ---- | M] (Epitiro Ltd.) -- C:\Program Files (x86)\isposure\IsposureAgent.exe

PRC - [2009/10/14 14:36:56 | 002,793,304 | ---- | M] () -- C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

PRC - [2009/10/14 14:34:18 | 000,560,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\LogiShrd\LQCVFX\COCIManager.exe

PRC - [2009/10/07 02:47:22 | 000,125,464 | ---- | M] (Logitech Inc.) -- C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe

PRC - [2009/08/22 08:28:17 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe

PRC - [2009/08/11 23:31:14 | 000,039,424 | ---- | M] (Xobni Corporation) -- C:\Program Files (x86)\Xobni\XobniService.exe

PRC - [2009/05/01 15:35:54 | 000,181,544 | ---- | M] (Seagate Technology LLC) -- C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe

PRC - [2009/05/01 15:35:10 | 000,185,640 | ---- | M] (Seagate LLC) -- C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

PRC - [2009/03/15 11:15:16 | 000,180,224 | ---- | M] (PowerISO Computing, Inc.) -- C:\Program Files (x86)\PowerISO\PWRISOVM.EXE

PRC - [2008/11/08 12:12:43 | 000,251,184 | ---- | M] (BUFFALO INC.) -- C:\Program Files (x86)\BUFFALO\NASNAVI\nassvc.exe

PRC - [2008/11/08 12:12:43 | 000,206,128 | ---- | M] (BUFFALO INC.) -- C:\Program Files (x86)\BUFFALO\NASNAVI\nassche.exe

PRC - [2008/11/08 12:12:42 | 001,549,720 | ---- | M] (BUFFALO INC.) -- C:\Program Files (x86)\BUFFALO\NASNAVI\NasNavi.exe

PRC - [2008/11/07 05:00:00 | 000,077,824 | ---- | M] () -- C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe

PRC - [2008/10/09 15:32:56 | 000,014,336 | ---- | M] (Vodafone) -- C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

PRC - [2008/10/03 23:45:12 | 000,960,376 | ---- | M] (Acronis) -- C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe

PRC - [2008/10/03 23:40:00 | 000,165,144 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe

PRC - [2008/10/03 23:23:30 | 004,344,472 | ---- | M] (Acronis) -- C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe

PRC - [2008/09/24 15:32:48 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe

PRC - [2008/07/24 16:52:09 | 001,282,048 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe

PRC - [2008/05/07 18:41:14 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe

PRC - [2008/05/07 18:41:12 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe

PRC - [2007/08/02 18:45:50 | 000,053,248 | ---- | M] (Sonic Focus, Inc.) -- C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe

PRC - [2007/06/05 14:20:32 | 000,177,704 | ---- | M] () -- C:\Windows\SysWOW64\PSIService.exe

PRC - [2007/03/25 16:44:00 | 000,081,920 | ---- | M] (Maxtor Corporation) -- C:\Program Files (x86)\Maxtor\OneTouch Status\MaxMenuMgr.exe

PRC - [2007/03/20 18:09:26 | 000,188,416 | ---- | M] () -- C:\Program Files (x86)\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

PRC - [2007/03/20 16:22:06 | 000,114,344 | ---- | M] ( ) -- C:\Program Files (x86)\Maxtor\Utils\SyncServices.exe

PRC - [2007/02/27 18:57:48 | 000,716,456 | ---- | M] (Maxtor Corporation) -- C:\Program Files (x86)\Maxtor\ManagerApp\OneTouch.exe

PRC - [2006/08/11 12:15:36 | 000,200,704 | ---- | M] (InterVideo Inc.) -- C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe

========== Modules (SafeList) ==========

MOD - [2010/07/09 10:03:07 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Paul\Desktop\OTL.exe

MOD - [2009/11/27 15:10:18 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985

d\msvcr80.dll

MOD - [2008/11/07 05:00:00 | 000,038,912 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\x86\lgscroll.dll

MOD - [2008/01/21 03:49:08 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -d -f %ProgramFiles%\WinPcap\rpcapd.ini -- (rpcapd)

SRV:64bit: - File not found [Auto | Stopped] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)

SRV:64bit: - [2009/10/29 12:30:06 | 001,038,088 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe -- (FLEXnet Licensing Service 64)

SRV:64bit: - [2009/10/07 02:47:10 | 000,191,000 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcS64)

SRV:64bit: - [2009/04/11 08:11:27 | 000,252,928 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\umrdp.dll -- (UmRdpService)

SRV:64bit: - [2009/04/11 08:11:14 | 000,604,672 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\cscsvc.dll -- (CscService)

SRV:64bit: - [2009/03/30 17:19:56 | 002,297,216 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)

SRV:64bit: - [2008/11/07 17:49:10 | 000,160,784 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\logishrd\Bluetooth\LBTServ.exe -- (LBTServ)

SRV:64bit: - [2008/07/24 16:52:08 | 000,089,088 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\SysNative\AEADISRV.EXE -- (AEADIFilters)

SRV:64bit: - [2008/01/21 03:50:23 | 000,195,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)

SRV:64bit: - [2008/01/21 03:46:39 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2010/05/07 13:36:10 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)

SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)

SRV - [2009/11/11 17:16:13 | 000,761,856 | ---- | M] (Epitiro Ltd.) [Auto | Running] -- C:\Program Files (x86)\isposure\IsposureAgent.exe -- (isposure_svc)

SRV - [2009/10/27 10:26:36 | 000,657,408 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)

SRV - [2009/08/22 08:28:17 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe -- (Norton Internet Security)

SRV - [2009/08/11 23:31:14 | 000,039,424 | ---- | M] (Xobni Corporation) [Auto | Running] -- C:\Program Files (x86)\Xobni\XobniService.exe -- (XobniService)

SRV - [2009/05/01 15:35:54 | 000,181,544 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)

SRV - [2008/11/08 12:12:43 | 000,251,184 | ---- | M] (BUFFALO INC.) [Auto | Running] -- C:\Program Files (x86)\BUFFALO\NASNAVI\nassvc.exe -- (NasPmService)

SRV - [2008/10/25 11:44:08 | 000,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)

SRV - [2008/10/09 15:32:56 | 000,014,336 | ---- | M] (Vodafone) [Auto | Running] -- C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)

SRV - [2008/10/03 23:41:22 | 000,743,192 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)

SRV - [2008/09/24 15:32:48 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)

SRV - [2008/05/07 18:41:14 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®

SRV - [2008/01/29 17:09:02 | 000,394,704 | ---- | M] (Symantec, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)

SRV - [2007/06/05 14:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PSIService.exe -- (ProtexisLicensing)

SRV - [2007/03/20 18:09:26 | 000,188,416 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Maxtor\Maxtor Backup\MaxBackServiceInt.exe -- (MaxBackServiceInt)

SRV - [2007/03/20 16:22:06 | 000,114,344 | ---- | M] ( ) [Auto | Running] -- C:\Program Files (x86)\Maxtor\Utils\SyncServices.exe -- (NTService1)

SRV - [2006/08/11 12:15:36 | 000,200,704 | ---- | M] (InterVideo Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe -- (Capture Device Service)

========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ipinip.sys -- (IpInIp)

DRV:64bit: - File not found [Kernel | System | Stopped] -- C:\Windows\SysNative\DRIVERS\EIO64.sys -- (EIO64)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\asusgsb.sys -- (asusgsb)

DRV:64bit: - [2010/02/02 09:09:48 | 000,583,296 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\NISx64\1008000.029\ccHPx64.sys -- (ccHP)

DRV:64bit: - [2010/01/12 10:43:02 | 000,834,544 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\sptd.sys -- (sptd)

DRV:64bit: - [2009/12/26 15:45:14 | 000,027,176 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ggsemc.sys -- (ggsemc)

DRV:64bit: - [2009/12/26 15:45:14 | 000,013,352 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ggflt.sys -- (ggflt)

DRV:64bit: - [2009/10/07 09:49:28 | 006,379,288 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\lvuvc64.sys -- (LVUVC64) Logitech QuickCam Pro 9000(UVC)

DRV:64bit: - [2009/10/07 09:47:46 | 000,327,704 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\lvrs64.sys -- (LVRS64)

DRV:64bit: - [2009/10/07 02:45:50 | 000,030,232 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\LVPr2M64.sys -- (LVPr2Mon)

DRV:64bit: - [2009/10/07 02:45:50 | 000,030,232 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\LVPr2M64.sys -- (LVPr2M64)

DRV:64bit: - [2009/10/06 12:56:34 | 000,172,544 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nmwcdnsux64.sys -- (nmwcdnsux64)

DRV:64bit: - [2009/10/06 12:56:32 | 000,012,288 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nmwcdnsucx64.sys -- (nmwcdnsucx64)

DRV:64bit: - [2009/10/06 12:54:18 | 000,008,704 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\usbser_lowerfltx64j.sys -- (UsbserFilt)

DRV:64bit: - [2009/10/06 12:53:56 | 000,025,088 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbox64.sys -- (nmwcdcx64)

DRV:64bit: - [2009/10/06 12:53:56 | 000,008,704 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\usbser_lowerfltx64.sys -- (upperdev)

DRV:64bit: - [2009/10/06 12:53:54 | 000,018,944 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbx64.sys -- (nmwcdx64)

DRV:64bit: - [2009/10/01 01:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)

DRV:64bit: - [2009/09/29 14:06:46 | 000,037,392 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\hotcore3.sys -- (hotcore3)

DRV:64bit: - [2009/08/22 08:28:17 | 000,476,720 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\SysNative\Drivers\NISx64\1008000.029\SRTSP64.SYS -- (SRTSP)

DRV:64bit: - [2009/08/22 08:28:17 | 000,402,992 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\NISx64\1008000.029\SYMEFA64.SYS -- (SymEFA)

DRV:64bit: - [2009/08/22 08:28:17 | 000,334,384 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\NISx64\1008000.029\BHDrvx64.sys -- (BHDrvx64)

DRV:64bit: - [2009/08/22 08:28:17 | 000,278,576 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\NISx64\1008000.029\SYMTDI.SYS -- (SYMTDI)

DRV:64bit: - [2009/08/22 08:28:17 | 000,120,880 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\NISx64\1008000.029\SYMFW.SYS -- (SYMFW)

DRV:64bit: - [2009/08/22 08:28:17 | 000,056,880 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\NISx64\1008000.029\SYMNDISV.SYS -- (SYMNDISV)

DRV:64bit: - [2009/08/22 08:28:17 | 000,032,304 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1008000.029\SRTSPX64.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)

DRV:64bit: - [2009/08/21 06:09:33 | 000,172,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\SYMEVENT64x86.SYS -- (SymEvent)

DRV:64bit: - [2009/07/09 03:00:00 | 000,055,280 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\PxHlpa64.sys -- (PxHlpa64)

DRV:64bit: - [2009/05/25 06:51:00 | 000,207,872 | ---- | M] (Realtek ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)

DRV:64bit: - [2009/04/11 06:39:37 | 000,032,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\usbser.sys -- (usbser)

DRV:64bit: - [2009/04/11 05:56:24 | 000,460,800 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\csc.sys -- (CSC)

DRV:64bit: - [2009/02/09 19:25:10 | 000,022,568 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\SiWinAcc.sys -- (SiFilter)

DRV:64bit: - [2009/02/09 19:25:10 | 000,016,936 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\SiRemFil.sys -- (SiRemFil)

DRV:64bit: - [2009/02/09 19:25:04 | 000,333,864 | ---- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\Si3531.sys -- (Si3531)

DRV:64bit: - [2009/01/30 12:50:39 | 000,082,816 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\pcouffin.sys -- (pcouffin)

DRV:64bit: - [2009/01/15 13:19:58 | 000,030,760 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)

DRV:64bit: - [2008/12/12 13:26:50 | 001,580,576 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\tdrpm140.sys -- (tdrpman140) Acronis Try&Decide and Restore Points filter (build 140)

DRV:64bit: - [2008/12/12 13:16:03 | 000,880,160 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\timntr.sys -- (timounter)

DRV:64bit: - [2008/12/12 13:16:01 | 000,237,600 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\snman380.sys -- (snapman380) Acronis Snapshots Manager (Build 380)

DRV:64bit: - [2008/11/10 10:05:03 | 000,083,488 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\Windows\SysNative\DRIVERS\tifsfilt.sys -- (tifsfilter)

DRV:64bit: - [2008/09/26 10:56:00 | 000,057,872 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\LMouFilt.Sys -- (LMouFilt)

DRV:64bit: - [2008/09/26 10:56:00 | 000,055,312 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\LHidFilt.Sys -- (LHidFilt)

DRV:64bit: - [2008/09/26 10:55:00 | 000,035,344 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\L8042Kbd.sys -- (L8042Kbd)

DRV:64bit: - [2008/08/28 12:44:42 | 000,025,600 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\pccsmcfdx64.sys -- (pccsmcfd)

DRV:64bit: - [2008/07/26 16:26:34 | 000,050,072 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LVUSBS64.sys -- (LVUSBS64)

DRV:64bit: - [2008/07/24 16:52:08 | 000,435,200 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ADIHdAud.sys -- (ADIHdAudAddService)

DRV:64bit: - [2008/07/04 14:33:32 | 000,115,072 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ewusbmdm.sys -- (hwdatacard)

DRV:64bit: - [2008/06/27 02:40:36 | 000,399,360 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\RTL8187.sys -- (RTL8187)

DRV:64bit: - [2008/05/07 18:40:38 | 000,395,288 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\iaStor.sys -- (iaStor)

DRV:64bit: - [2008/01/21 03:46:34 | 000,048,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\avc.sys -- (Avc)

DRV:64bit: - [2008/01/21 03:46:05 | 000,058,496 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\61883.sys -- (61883)

DRV:64bit: - [2008/01/21 03:46:01 | 000,061,568 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\msdv.sys -- (MSDV)

DRV:64bit: - [2007/12/06 10:51:00 | 000,391,680 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\yk60x64.sys -- (yukonx64)

DRV:64bit: - [2007/01/25 18:31:38 | 000,040,208 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\npf.sys -- (NPF)

DRV:64bit: - [2006/10/31 01:00:00 | 000,015,680 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\ASACPI.sys -- (MTsensor)

DRV:64bit: - [2006/09/18 22:38:10 | 000,543,744 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\ltmdm64.sys -- (ltmodem5)

DRV:64bit: - [2006/09/18 22:36:24 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\Wbem\ntfs.mof -- (Ntfs)

DRV:64bit: - [2006/08/29 15:56:20 | 000,032,377 | ---- | M] (B-phreaks) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\PRODIGY.SYS -- (PRODIGY)

DRV - [2010/05/28 20:33:18 | 000,463,408 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100709.001\IDSviA64.sys -- (IDSVia64)

DRV - [2010/05/28 02:01:00 | 001,773,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100709.040\EX64.SYS -- (NAVEX15)

DRV - [2010/05/28 02:01:00 | 000,117,808 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100709.040\ENG64.SYS -- (NAVENG)

DRV - [2010/05/26 09:00:00 | 000,475,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)

DRV - [2010/05/26 09:00:00 | 000,132,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2008/08/14 08:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysWow64\drivers\adfs.sys -- (adfs)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1258145863-4091313971-1601379617-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKU\S-1-5-21-1258145863-4091313971-1601379617-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKU\S-1-5-21-1258145863-4091313971-1601379617-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

IE - HKU\S-1-5-21-1258145863-4091313971-1601379617-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\ [2010/04/28 17:12:23 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/06/23 11:53:50 | 000,000,050 | RH-- | M]) - C:\Windows\SysNative\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)

O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg64.dll (Google Inc.)

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)

O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)

O2 - BHO: (Megaupload Toolbar) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files (x86)\MegauploadToolbar\megauploadtoolbar.dll (MEGAUPLOAD )

O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)

O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\IPSBHO.dll (Symantec Corporation)

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)

O2 - BHO: (IeMonitorBho Class) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files (x86)\Megaupload\Mega Manager\MegaIEMn.dll (Megaupload Limited)

O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)

O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

O3:64bit: - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll File not found

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)

O3 - HKLM\..\Toolbar: (Megaupload Toolbar) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files (x86)\MegauploadToolbar\megauploadtoolbar.dll (MEGAUPLOAD )

O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3:64bit: - HKU\S-1-5-21-1258145863-4091313971-1601379617-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

O3 - HKU\S-1-5-21-1258145863-4091313971-1601379617-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKU\S-1-5-21-1258145863-4091313971-1601379617-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)

O3:64bit: - HKU\S-1-5-21-1258145863-4091313971-1601379617-1000\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll File not found

O3 - HKU\S-1-5-21-1258145863-4091313971-1601379617-1000\..\Toolbar\WebBrowser: (Megaupload Toolbar) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files (x86)\MegauploadToolbar\megauploadtoolbar.dll (MEGAUPLOAD )

O3 - HKU\S-1-5-21-1258145863-4091313971-1601379617-1000\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)

O4:64bit: - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)

O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)

O4:64bit: - HKLM..\Run: [iAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)

O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4:64bit: - HKLM..\Run: [Windows-Network Component] C:\Windows\SysNative\WUHDHost.exe (Windows Microsoft)

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)

O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files (x86)\Common Files\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe File not found

O4 - HKLM..\Run: [EazyScheduler] C:\Program Files (x86)\Eazy-Ware\ezSched.exe (AJSystems.com Inc.)

O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)

O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()

O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)

O4 - HKLM..\Run: [MobileConnect] C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe (Vodafone)

O4 - HKLM..\Run: [mxomssmenu] C:\Program Files (x86)\Maxtor\OneTouch Status\maxmenumgr.exe (Maxtor Corporation)

O4 - HKLM..\Run: [NokiaMServer] C:\Program Files (x86)\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)

O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)

O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

O4 - HKLM..\Run: [soundTray] C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe (Sonic Focus, Inc.)

O4 - HKLM..\Run: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)

O4 - HKU\S-1-5-19..\Run: [sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)

O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)

O4 - HKU\S-1-5-20..\Run: [sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)

O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)

O4 - HKU\S-1-5-21-1258145863-4091313971-1601379617-1000..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O4 - HKU\S-1-5-21-1258145863-4091313971-1601379617-1000..\Run: [Windows Audio Driver] C:\Users\Paul\AppData\Roaming\csrss.exe (Windows Microsoft)

O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BUFFALO NAS Navigator.lnk = C:\Program Files (x86)\BUFFALO\NASNAVI\NasNavi.exe (BUFFALO INC.)

O4 - Startup: C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NAS Scheduler.lnk = C:\Program Files (x86)\BUFFALO\NASNAVI\nassche.exe (BUFFALO INC.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0

O7 - HKU\S-1-5-21-1258145863-4091313971-1601379617-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0

O7 - HKU\S-1-5-21-1258145863-4091313971-1601379617-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O8:64bit: - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)

O8 - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)

O13 - gopher Prefix: missing

O15 - HKLM\..Trusted Domains: registration.sonystyle-europe.com ([]* in Trusted sites)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll (Installation Support)

O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} https://secure2.comned.com/signuptemplates/...login-devel.cab (SecureLogin class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - Reg Error: Key error. File not found

O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)

O20 - AppInit_DLLs: (AnyDiscHelp.dll) - File not found

O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O22:64bit: - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\SysNative\DreamScene.dll (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img25.jpg

O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img25.jpg

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/12/16 09:58:33 | 000,000,000 | ---D | M] - E:\Autoroute 2010 Eng x86 x64 ISO DVD -- [ NTFS ]

O33 - MountPoints2\{fb4ad629-e601-11dd-bcc5-001bfc3b3bf3}\Shell\AutoRun\command - "" = K:\InstallTomTomHOME.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/09 14:41:24 | 000,000,000 | ---D | C] -- C:\_OTL

[2010/07/09 10:03:02 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Paul\Desktop\OTL.exe

[2010/07/04 09:44:35 | 000,000,000 | ---D | C] -- C:\Users\Paul\Desktop\Private Investigation Stuff

[2010/07/03 14:06:17 | 000,000,000 | ---D | C] -- C:\Users\Paul\Desktop\MbrWiz

[2010/07/03 13:06:26 | 000,053,248 | ---- | C] (http://www.beyondlogic.org) -- C:\Windows\SysWow64\Process.exe

[2010/07/03 11:44:20 | 005,499,248 | ---- | C] (Symantec Corporation) -- C:\Users\Paul\Desktop\NPE.exe

[2010/07/02 08:27:27 | 000,000,000 | -HSD | C] -- C:\Config.Msi

[2010/07/01 18:40:54 | 000,000,000 | -HSD | C] -- C:\Boot

[2010/06/25 11:09:42 | 000,000,000 | ---D | C] -- C:\Users\Paul\DoctorWeb

[2010/06/24 08:12:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Sunbelt

[2010/06/24 08:12:23 | 000,045,656 | ---- | C] (Sunbelt Software) -- C:\Windows\SysNative\drivers\sbredrv.sys

[2010/06/24 08:12:23 | 000,027,472 | ---- | C] (Sunbelt Software) -- C:\Windows\SysNative\sbbd.exe

[2010/06/23 13:31:18 | 000,000,000 | ---D | C] -- C:\Users\Paul\Desktop\Virus issue June 2010

[2010/06/23 12:18:42 | 001,942,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dfshim.dll

[2010/06/23 12:18:42 | 001,130,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dfshim.dll

[2010/06/23 12:18:42 | 000,320,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\PresentationHost.exe

[2010/06/23 12:18:42 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\PresentationHost.exe

[2010/06/23 12:18:42 | 000,109,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\PresentationHostProxy.dll

[2010/06/23 12:18:42 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\PresentationHostProxy.dll

[2010/06/23 12:18:42 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\netfxperf.dll

[2010/06/23 12:18:42 | 000,048,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netfxperf.dll

[2010/06/23 11:53:45 | 000,000,000 | ---D | C] -- C:\_OTS

[2010/06/15 12:40:31 | 000,289,144 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\VCCLSID.exe

[2010/06/15 12:40:31 | 000,288,417 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\SrchSTS.exe

[2010/06/15 12:40:31 | 000,135,168 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swreg.exe

[2010/06/15 12:40:31 | 000,087,552 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\VACFix.exe

[2010/06/15 12:40:31 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.exe

[2010/06/15 12:40:31 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.C.exe

[2010/06/15 12:40:31 | 000,082,432 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\404Fix.exe

[2010/06/15 12:40:31 | 000,080,384 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\o4Patch.exe

[2010/06/15 12:40:31 | 000,079,360 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swxcacls.exe

[2010/06/15 12:40:31 | 000,078,336 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\Agent.OMZ.Fix.exe

[2010/06/15 07:34:13 | 000,000,000 | RHSD | C] -- C:\Windows\install

[2010/06/13 14:58:13 | 000,000,000 | ---D | C] -- C:\Users\Paul\Desktop\Adobe CS5

[2010/06/13 13:35:28 | 000,000,000 | RHSD | C] -- C:\Users\Paul\AppData\Local\AMD Drivers

[2010/06/13 13:31:27 | 000,000,000 | RHSD | C] -- C:\Users\Paul\AppData\Local\System32

[2010/06/12 20:38:35 | 000,105,984 | -H-- | C] (Windows Microsoft) -- C:\Windows\SysNative\WUHDHost.exe

[2010/06/10 16:44:54 | 000,000,000 | ---D | C] -- C:\Users\Paul\Desktop\Wedding Pics for Mona

========== Files - Modified Within 30 Days ==========

[2010/07/10 08:26:27 | 006,553,600 | -HS- | M] () -- C:\Users\Paul\NTUSER.DAT

[2010/07/10 08:20:35 | 000,032,784 | ---- | M] () -- C:\ProgramData\nvModes.001

[2010/07/10 08:04:00 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2010/07/10 06:42:28 | 000,006,512 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2010/07/10 06:42:28 | 000,006,512 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2010/07/09 22:03:52 | 000,000,456 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{E1D5F289-C962-4A70-8DD3-5840862BDCBD}.job

[2010/07/09 16:48:28 | 000,694,964 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2010/07/09 16:48:28 | 000,602,846 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2010/07/09 16:48:28 | 000,106,292 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2010/07/09 16:43:21 | 000,032,784 | ---- | M] () -- C:\ProgramData\nvModes.dat

[2010/07/09 16:42:47 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2010/07/09 16:42:27 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2010/07/09 16:42:14 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010/07/09 16:41:02 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\drivers\lvuvc.hs

[2010/07/09 16:39:39 | 000,524,288 | -HS- | M] () -- C:\Users\Paul\NTUSER.DAT{c28ddeb3-ff70-11dd-a7f3-001bfc3b3bf3}.TMContainer00000000000000000001.regtrans-ms

[2010/07/09 16:39:39 | 000,065,536 | -HS- | M] () -- C:\Users\Paul\NTUSER.DAT{c28ddeb3-ff70-11dd-a7f3-001bfc3b3bf3}.TM.blf

[2010/07/09 16:38:07 | 000,001,460 | ---- | M] () -- C:\Users\Paul\AppData\Local\d3d9caps64.dat

[2010/07/09 10:03:07 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Paul\Desktop\OTL.exe

[2010/07/09 09:31:54 | 000,000,305 | ---- | M] () -- C:\Users\Paul\Desktop\320 clk spark plug change diy - Page 4 - Mercedes-Benz Owners' Forums.url

[2010/07/08 04:31:02 | 000,000,346 | ---- | M] () -- C:\Users\Paul\Desktop\csrss.exe - Malwarebytes Forum (2).url

[2010/07/08 03:58:29 | 000,000,367 | ---- | M] () -- C:\Users\Paul\Desktop\When do you really need new spark plugs - Page 3 - Mercedes-Benz Owners' Forums (2).url

[2010/07/07 22:37:14 | 000,000,680 | ---- | M] () -- C:\Users\Paul\AppData\Local\d3d9caps.dat

[2010/07/07 16:01:24 | 000,000,367 | ---- | M] () -- C:\Users\Paul\Desktop\When do you really need new spark plugs - Page 3 - Mercedes-Benz Owners' Forums.url

[2010/07/07 15:38:54 | 000,000,315 | ---- | M] () -- C:\Users\Paul\Desktop\320 clk spark plug change diy - Page 3 - Mercedes-Benz Owners' Forums.url

[2010/07/07 15:16:36 | 000,000,263 | ---- | M] () -- C:\Users\Paul\Desktop\Mercedes-Benz W208 - Wikipedia, the free encyclopedia.url

[2010/07/05 19:59:59 | 000,000,556 | ---- | M] () -- C:\Windows\tasks\Norton Internet Security - Run Full System Scan - Paul.job

[2010/07/05 04:54:31 | 000,000,300 | ---- | M] () -- C:\Users\Paul\Desktop\Did you know... Directgov - Motoring.url

[2010/07/04 13:36:40 | 000,000,288 | ---- | M] () -- C:\Users\Paul\Desktop\csrss.exe - Malwarebytes Forum.url

[2010/07/04 12:04:48 | 000,000,265 | ---- | M] () -- C:\Users\Paul\Desktop\Mercedes-Benz Owners' Forums.url

[2010/07/04 12:01:08 | 000,000,304 | ---- | M] () -- C:\Users\Paul\Desktop\W208 CLk Retrofitting Double Din Sat Nav - Mercedes-Benz Owners' Forums.url

[2010/07/04 11:45:15 | 000,000,184 | ---- | M] () -- C:\Users\Paul\Desktop\Mercedes-Benz Parts, Inchcape.url

[2010/07/04 11:30:45 | 000,000,356 | ---- | M] () -- C:\Users\Paul\Desktop\CLICK HERE for Genuine Mercedes-Benz Touch-up Paint Pens - Items - ZakParts.url

[2010/07/04 11:09:26 | 000,000,401 | ---- | M] () -- C:\Users\Paul\Desktop\2002 Mercd Benz Clk Class Touch Up Paint Colors.url

[2010/07/04 08:12:50 | 000,147,265 | ---- | M] () -- C:\Users\Paul\Desktop\Kaspersky Scan 04.07.jpg

[2010/07/04 08:10:25 | 000,001,825 | ---- | M] () -- C:\Users\Paul\Desktop\Kaspersky Scan 04.07.2010

[2010/07/03 19:09:44 | 000,000,337 | ---- | M] () -- C:\Users\Paul\Desktop\Viitura a f?cut pr?p?d

mbam_log_2010_07_10__08_47_19_.txt

Elise · July 10, 2010

Please run that same fix again, but now in safe mode. Before running it, make sure your Acronis and Eazy backup applications are disabled, so any changes will be allowed. Make also sure none of your security programs is running, since they can change back the registry changes OTL makes.

gfmet17 · July 10, 2010

Hi again. Ok I have done what you asked but regrettably upon reboot the two entries, after removal by the Fix in safe mode, are still revealed exactly the same in Malwarebytes following a quick scan

I ensured in safe mode that there were no applications running, there wern't, ensured that all processes were stopped as they were applicable to the two programs you mentioned - there was an Acronis entry, but this had already been stopped and that all services were stopped - they were, before running the fix.

Immediately upon reboot I ran a Mbam quick scan and there they were again

Obviously something is recreating them - I still do not know what they relate to - ie; which variant of Trojan.agent and what damage if anything they are doing to my machine.

I await your further instructions. I am extremely grateful for your assistance and will try to get back to you as quickly as possible after each request

The lates OTL report follows

Regards

gfmet17

All processes killed

========== OTL ==========

Registry value HKEY_USERS\S-1-5-21-1258145863-4091313971-1601379617-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Audio Driver deleted successfully.

C:\Users\Paul\AppData\Roaming\csrss.exe moved successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

User: Paul

->Temp folder emptied: 277676 bytes

->Java cache emptied: 0 bytes

User: Public

User: ReleaseEngineer.MACROVISION

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 672 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 893 bytes

Total Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.8.1 log created on 07102010_115609

Files\Folders moved on Reboot...

C:\Users\Paul\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

Elise · July 10, 2010

Please restart your computer and hit f8 repeatedly until the windows boot options come up.

See if you have an entry like this:

Directory Services Restore Mode (Windows Domain Controllers only)

If so, select that option, and when booted, rerun the OTL fix.

gfmet17 · July 10, 2010

Yep did that exactly as you said but upon reboot out of Directory Services Restore Mode and after rerunning a further quick scan in Mbam, the two entries are still there exactly the same

gfmet17

gfmet17 · July 10, 2010

Sorry - here is the actual OTL Report following removal: -

All processes killed

========== OTL ==========

Registry value HKEY_USERS\S-1-5-21-1258145863-4091313971-1601379617-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Audio Driver deleted successfully.

C:\Users\Paul\AppData\Roaming\csrss.exe moved successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

User: Paul

->Temp folder emptied: 72368 bytes

->Java cache emptied: 0 bytes

User: Public

User: ReleaseEngineer.MACROVISION

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 241270 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.8.1 log created on 07102010_135351

Files\Folders moved on Reboot...

C:\Users\Paul\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

File move failed. C:\Windows\temp\logishrd\LVPrcInj01.dll scheduled to be moved on reboot.

File move failed. C:\Windows\temp\logishrd\LVPrcInj02.dll scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Elise · July 10, 2010

Please try to run the fix using OTH.

Note: If using Firefox right-click on any download links and choose Save As

Please download OTH to your desktop

Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.

Then select Start OTL. OTL will now run

Run the same fix as last time.

gfmet17 · July 11, 2010

Hi

I did that - in normal mode "killing the Processes" didn't seem to work and I noticed in Task Manager that none of the processes had stopped anyway! it eventually froze my pc after pressing this button a few times and therefore I rebooted into safe mode and carried out all the proceedures. Not sure what killing the processes did though - I didn't check this time but it didn't affect my destop in any way.

However rebooting back into normal mode once more and running Malwarebytes again showed the two infections once more.

They are certainly being recreated upon reboot

gfmet17

Elise · July 11, 2010

Yes, you are right about that, however, I think it is one of your backup applications: either Eazy or Acronis (my first guess would be Eazy).

Did you completely disable these programs earlier?

Also be aware that these backups now are basically useless: were you to restore them, you would end up with an infected computer. I would recommend to rebackup all your data once clean and erase any previous backups.

gfmet17 · July 11, 2010

I am not quite sure whether they are working in the background or not actually - by Eazy, I presume you mean EasyBCD? I cannot find anything at all within Task Manager regarding running Processes or running Services for this application - am I missing something? The only reason I use it is so that I can manage to boot loader for Dual Booting purposes.

With regards to Acronis there appears to be three processes and one service running - presumably it is these four items you want stopping?

Take a look at the two attached screen shots - they don't include every Process or Service but I have arranged them in alphbetical order so that you can at least see "A to E". If I run OTH again, alongside OTL, with the "Fix" Code, please give me step by step instructions as to how you would do this and in what mode you want me to run Windows before undertaking the procedure - ie; Normal mode, Safe mode etc. Also when using OTH when I click "Kill Processes", what exactly should happen and how can I verify that the processes have indeed been killed before running the fix?

Hope I'm making sense BTW I have turned off System Restore - it has been off the whole time I have been talking with you.

gfmet17

Elise · July 11, 2010

Usually you will not see running processes for Eazy or Acronis, at least not all of them. You will have to open these programs (Start > Programs) and disable them manually. They have boot drivers that always are run on startup.

BTW I have turned off System Restore - it has been off the whole time I have been talking with you.

Not a good idea. By doing so, you have no restore points to fall back on if something goes wrong. I always instruct to reset system restore once clean, so you have a new clean point.

In your case its not that much an issue since you have third party backups, but please turn it on for now.

What do you mean you use Eazy to manage your dual boot? I am not too familiar with the program and I don't understand what it has to do with your dual boot. Or do you mean it backs up the settings for your dual boot?

gfmet17 · July 11, 2010

Hi

I think we might be on cross purposes with EAZY - I use EasyBCD - this is a boot manager which allows you to manage the Windows Boot Loader. In my case it allows me to manage the Bootloader for both Vista Ultimate and Windows 7 Ultimate. As far as I know I have no program called EAZY. Maybe you can expand a little please?

As far as Acronis is concerned I do not use it so not sure why things are shown in processes/services - I think I will uninstall this program - I have never backed up anything on my system

I need you now to tell me the next steps and in what order, precisely because I am getting a wee bit confused.

gfmet

Elise · July 11, 2010

Hi again,

I now see where the confusion comes from, my apologies:

First of all Acronis. This is what you have installed according to your logs (can be found in Add Remove programs).

Acronis True Image Home

Now Eazy/Easy. What I am talking about is this:

O4 - HKLM..\Run: [EazyScheduler] C:\Program Files (x86)\Eazy-Ware\ezSched.exe (AJSystems.com Inc.)

I checked it, but you have indeed nothing installed, this is most likely a leftover, so we will include it in a fix.

Two other programs that may interfere with our fix are:

Your Buffalo software (since it involves sharing storage, it may reinfect things)

Maxtor backup: C:\Program Files (x86)\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

Concluding: Best would be to uninstall Acronis first if you don't use it. We will fix the Eazy-ware line and I need to know if you use Maxtor backup (otherwise disable/uninstall this as well).

Since I am not familiar with Buffalo, I need to know how you use its sharing options and if you have the possibility to disable this to prevent reinfecting the computer.

As a side note, the OTL log shows all running services, drivers and processes, so there is no need for screenshots (I appreciate the effort you make to clarify things)

Please let me know if the above makes sense to you.

Once we know exactly which programs are used, which are running, which are necessary and so on, we can try a new fix. Until then it makes no sense because as soon as we fix the lines, they get recreated.

gfmet17 · July 12, 2010

Hi Elise

Sorry for the delay but yesterday afternoon I was very busy and it's only now that I've studied your latest response. Yes you are making total sense, although I'm not sure that uninstalling Acronis or Maxtor will achieve anything. I do not use Acronis but I'm wary that by uninstalling it may interfere with my Master Boot Record. Do you whether it will? Let me explain a little more - I am dual booting as I have mentioned and the MBR resides on partition D, which hosts Windows 7, which I seldom use and will ultimately uninstall. I must be careful though as to not upset the MBR otherwise Windows Vista, my preferred OS will not boot. I have experienced many problems regarding this - Windows 7 was installed AFTER Vista and I'm not sure if by uninstalling Acronis, that this will not interfere with the MBR. I have created restore points on both D and C now having activated system restore on those partitions but unless my system can boot, reverting back should any problems occur could prove difficult if I am not already in windows.

Maxtor Backup relates to a program which was installed so that I can use an external USB?Firewire hdd - the backup capability relates to that drive alone, again which I seldom use, could uninstall and reinstall after everything is clear.

Buffalo is a program associated with my Buffalo Tera Station - this is an external networked drive - essentially a NAS - it has been switched off for some time, although at any time I could switch it back on and I can then see the drive, which has been mapped to windows like my Maxtor, for storgae purposes.

I really do not know what "Eazy-Ware\ezSched.exe (AJSystems.com Inc." is all about, as you say, probably something which has already been uninstalled unless you know better.

Finally as I have mentiuoned I really do not know if these programs are instrumental in "recreating" the 2 Trojan.agent infections and just what derivative of Trjan.agent, I have been infected with - do you know? Are you sure your fix should clear the infections completely, without being recreated upon reboot. It seems you are very focused so on the basis that you know the answers I am of course going to stick with you, but would appreciate before undertaking anything else, that you know exactly what infection I have please

I will be leaving for work in 45 minutes so will respond next tomorrow morning.

Thank you once again, I an very appreciative of your help and support :)

gfmet17

Elise · July 12, 2010

Thank you for the explanation.

Acronis should not interfere with your MBR, however I understand your concerns.

For that reason, lets be cautious. First of all lets run a custom OTL scan. Based on that I will make a new script, after which we will see what happens.

OTL

-----

Please download OTL from one of the following mirrors:
- This is THE Mirror

[*]Save it to your desktop.

[*]Double click on the icon on your desktop.

[*]Copy and Paste the following code into the textbox. Do not include the word "Code"

netsvcs
msconfig
safebootminimal
drivers32
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\Tasks\at*.job

[*]Push

[*]A report will open. Copy and Paste that report in your next reply.

gfmet17 · July 13, 2010

Hi Elise

Ok without uninstalling anything or doing anything since your previous instruction I have run OTL with the Code the report follows

gfmet17

OTL logfile created on: 13/07/2010 08:53:39 - Run 3

OTL by OldTimer - Version 3.2.8.1 Folder = C:\Users\Paul\Desktop

64bit-Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18928)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 54.00% Memory free

8.00 Gb Paging File | 6.00 Gb Available in Paging File | 78.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 89.70 Gb Total Space | 28.73 Gb Free Space | 32.03% Space Free | Partition Type: NTFS

Drive D: | 50.02 Gb Total Space | 33.09 Gb Free Space | 66.14% Space Free | Partition Type: NTFS