1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Clicking links redirects to spam/virus sites

Discussion in 'Virus & Other Malware Removal' started by gknight86, Jan 6, 2013.

Thread Status:
Not open for further replies.
Advertisement
  1. gknight86

    gknight86 Thread Starter

    Joined:
    Jan 6, 2013
    Messages:
    21
    As stated in the title anytime I try to search for something on a search engine and click the links it takes me to random spam and/or virus sites. If I try to right click on a link and copy the shortcut it and paste it in the address bar it copies a link to the spam/virus sites. Also when I right click on the links sometimes the open in a new tab option doesn't appear, and at times when it does appear it still opens in the same tab instead of a new one when clicked. Also wondering if I can be walked through how to remove Norton completely and a recomendation of a good/practical anti-virus program.

    TSG SysInfo

    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 64 bit
    Processor: Intel(R) Core(TM) i3-2350M CPU @ 2.30GHz, Intel64 Family 6 Model 42 Stepping 7
    Processor Count: 4
    RAM: 6051 Mb
    Graphics Card: Intel(R) HD Graphics Family, -1262 Mb
    Hard Drives: C: Total - 698475 MB, Free - 653658 MB;
    Motherboard: TOSHIBA, POQAA
    Antivirus: Norton Internet Security, Disabled

    HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:54:30 PM, on 1/6/2013
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16457)
    Boot mode: Normal
    Running processes:
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
    C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
    C:\Program Files (x86)\TOSHIBA\widimon\widimon.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe
    C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Andrew\Desktop\HijackThis.exe
    C:\windows\SysWOW64\DllHost.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.toshiba.com/?cid=C001B2Y
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\coIEPlg.dll
    O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\IPS\IPSBHO.DLL
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: TOSHIBA Media Controller Plug-in - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\coIEPlg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [KeNotify] "C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe" LPCM
    O4 - HKLM\..\Run: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
    O4 - HKLM\..\Run: [DelayTSS] "C:\Program Files\Toshiba\DelayTSS\DelayTSS.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Startup: Dropbox.lnk = C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe
    O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O15 - Trusted Zone: *.clonewarsadventures.com
    O15 - Trusted Zone: *.freerealms.com
    O15 - Trusted Zone: *.soe.com
    O15 - Trusted Zone: *.sony.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
    O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
    O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
    O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
    O23 - Service: TOSHIBA HDD Protection (Thpsrv) - Unknown owner - C:\windows\system32\ThpSrv.exe (file missing)
    O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\windows\system32\TODDSrv.exe (file missing)
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA eco Utility Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TECO\TecoService.exe
    O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    O23 - Service: TPCH Service (TPCHSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
    O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
    --
    End of file - 11415 bytes

    DDS.TXT

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16457
    Run by Andrew at 13:55:19 on 2013-01-06
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6052.3714 [GMT -5:00]
    .
    AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    .
    ============== Running Processes ===============
    .
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\system32\WLANExt.exe
    C:\windows\System32\spoolsv.exe
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\windows\system32\taskhost.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
    C:\windows\system32\ThpSrv.exe
    C:\windows\system32\TODDSrv.exe
    C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\ThpSrv.exe
    C:\Program Files\TOSHIBA\TECO\Teco.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
    C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
    C:\Program Files\TOSHIBA\FlashCards\Hotkey\TcrdKBB.exe
    C:\windows\system32\wbem\unsecapp.exe
    C:\windows\system32\wbem\unsecapp.exe
    C:\windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
    C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
    C:\Program Files\TOSHIBA\TECO\TecoService.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    C:\windows\system32\SearchIndexer.exe
    C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\TOSHIBA\widimon\widimon.exe
    C:\windows\system32\igfxext.exe
    \\.\globalroot\systemroot\svchost.exe -netsvcs
    C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
    C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
    C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
    C:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe
    C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\windows\System32\svchost.exe -k secsvcs
    C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\windows\system32\wuauclt.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\windows\system32\SearchProtocolHost.exe
    C:\windows\system32\wbem\wmiprvse.exe
    C:\windows\system32\SearchFilterHost.exe
    C:\windows\system32\igfxsrvc.exe
    C:\windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://google.com/
    uDefault_Page_URL = hxxp://start.toshiba.com/?cid=C001B2Y
    uProxyOverride = <local>
    mWinlogon: Userinit = userinit.exe
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\coieplg.dll
    BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ips\ipsbho.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
    TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\coieplg.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\coieplg.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    mRun: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
    mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
    mRun: [KeNotify] "C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe" LPCM
    mRun: [TSleepSrv] C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
    mRun: [DelayTSS] "C:\Program Files\Toshiba\DelayTSS\DelayTSS.exe"
    StartupFolder: C:\Users\Andrew\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 10.0.0.1
    TCP: Interfaces\{4B272CDA-DC9E-4041-A764-377816FDB550} : DHCPNameServer = 10.0.0.1
    TCP: Interfaces\{EF86F661-0708-4FB7-877E-185038082738} : DHCPNameServer = 100.100.0.102
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SSODL: WebCheck - <orphaned>
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\x64\TOSHIBAMediaControllerIE.dll
    x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-Run: [IgfxTray] C:\windows\System32\igfxtray.exe
    x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
    x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
    x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
    x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe
    x64-Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
    x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
    x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3 /MAXX3
    x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
    x64-Run: [ThpSrv] C:\windows\System32\thpsrv /logon
    x64-Run: [Teco] "C:\Program Files (x86)\TOSHIBA\TECO\Teco.exe" /r
    x64-Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray
    x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
    x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
    x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
    x64-Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
    x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
    x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
    x64-Notify: igfxcui - igfxdev.dll
    x64-SSODL: WebCheck - <orphaned>
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\System32\drivers\thpdrv.sys [2011-3-23 36992]
    R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\System32\drivers\Thpevm.sys [2009-6-29 14784]
    R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\System32\drivers\tos_sps64.sys [2012-2-28 482384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
    R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccsvchst.exe [2012-10-1 138272]
    R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-10-30 1153368]
    R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
    R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2011-5-24 294848]
    R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\System32\drivers\TVALZFL.sys [2009-6-19 14472]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-2-28 2656280]
    R3 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20120619.001\BHDrvx64.sys [2012-6-18 1161376]
    R3 ccSet_NIS;Norton Internet Security Settings Manager;C:\windows\System32\drivers\NISx64\1309000.009\ccsetx64.sys [2012-10-1 167072]
    R3 CeKbFilter;CeKbFilter;C:\windows\System32\drivers\CeKbFilter.sys [2012-2-28 20592]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-6-26 138912]
    R3 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120623.002\IDSviA64.sys [2012-6-23 509088]
    R3 IntcDAud;Intel(R) Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2010-10-15 317440]
    R3 iwdbus;IWD Bus Enumerator;C:\windows\System32\drivers\iwdbus.sys [2011-8-5 25496]
    R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\windows\System32\drivers\nusb3hub.sys [2011-2-10 82432]
    R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\windows\System32\drivers\nusb3xhc.sys [2011-2-10 181760]
    R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2012-2-28 38096]
    R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2012-2-28 413800]
    R3 Sftfs;Sftfs;C:\windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
    R3 Sftplay;Sftplay;C:\windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
    R3 Sftredir;Sftredir;C:\windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
    R3 Sftvol;Sftvol;C:\windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
    R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
    R3 SymDS;Symantec Data Store;C:\windows\System32\drivers\NISx64\1309000.009\symds64.sys [2012-10-1 451192]
    R3 SymEFA;Symantec Extended File Attributes;C:\windows\System32\drivers\NISx64\1309000.009\symefa64.sys [2012-10-1 1129120]
    R3 SymIRON;Symantec Iron Driver;C:\windows\System32\drivers\NISx64\1309000.009\ironx64.sys [2012-10-1 190072]
    R3 SymNetS;Symantec Network Security WFP Driver;C:\windows\System32\drivers\NISx64\1309000.009\symnets.sys [2012-10-1 405624]
    R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2012-2-28 57216]
    R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-6-10 138152]
    R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2011-7-1 828856]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\windows\System32\drivers\intelaud.sys [2011-8-5 34200]
    S3 JMCR;JMCR;C:\windows\System32\drivers\jmcr.sys [2011-1-31 174168]
    S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2011-6-1 340240]
    S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2012-8-14 1255736]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    .
    =============== Created Last 30 ================
    .
    2013-01-06 18:37:51 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5F2A8674-4E32-4F84-812E-42671D573C2D}\mpengine.dll
    2012-12-25 06:39:48 2048 ----a-w- C:\windows\SysWow64\tzres.dll
    .
    ==================== Find3M ====================
    .
    2012-12-29 01:06:23 73656 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-12-29 01:06:23 697272 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
    2012-12-16 17:11:22 46080 ----a-w- C:\windows\System32\atmlib.dll
    2012-12-16 14:45:03 367616 ----a-w- C:\windows\System32\atmfd.dll
    2012-12-16 14:13:28 295424 ----a-w- C:\windows\SysWow64\atmfd.dll
    2012-12-16 14:13:20 34304 ----a-w- C:\windows\SysWow64\atmlib.dll
    2012-11-22 03:26:40 3149824 ----a-w- C:\windows\System32\win32k.sys
    2012-11-20 16:50:39 88576 ----a-w- C:\windows\System32\wddmn4ui.dll
    2012-11-20 16:50:39 303616 ----a-w- C:\windows\System32\wddmn4.dll
    2012-11-14 06:11:44 2312704 ----a-w- C:\windows\System32\jscript9.dll
    2012-11-14 06:04:11 1392128 ----a-w- C:\windows\System32\wininet.dll
    2012-11-14 06:02:49 1494528 ----a-w- C:\windows\System32\inetcpl.cpl
    2012-11-14 05:57:46 599040 ----a-w- C:\windows\System32\vbscript.dll
    2012-11-14 05:57:35 173056 ----a-w- C:\windows\System32\ieUnatt.exe
    2012-11-14 05:52:40 2382848 ----a-w- C:\windows\System32\mshtml.tlb
    2012-11-14 02:09:22 1800704 ----a-w- C:\windows\SysWow64\jscript9.dll
    2012-11-14 01:58:15 1427968 ----a-w- C:\windows\SysWow64\inetcpl.cpl
    2012-11-14 01:57:37 1129472 ----a-w- C:\windows\SysWow64\wininet.dll
    2012-11-14 01:49:25 142848 ----a-w- C:\windows\SysWow64\ieUnatt.exe
    2012-11-14 01:48:27 420864 ----a-w- C:\windows\SysWow64\vbscript.dll
    2012-11-14 01:44:42 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
    2012-11-09 05:45:09 2048 ----a-w- C:\windows\System32\tzres.dll
    2012-11-02 05:59:11 478208 ----a-w- C:\windows\System32\dpnet.dll
    2012-11-02 05:11:31 376832 ----a-w- C:\windows\SysWow64\dpnet.dll
    2012-10-16 08:38:37 135168 ----a-w- C:\windows\apppatch\AppPatch64\AcXtrnal.dll
    2012-10-16 08:38:34 350208 ----a-w- C:\windows\apppatch\AppPatch64\AcLayers.dll
    2012-10-16 07:39:52 561664 ----a-w- C:\windows\apppatch\AcLayers.dll
    2012-10-09 18:17:13 55296 ----a-w- C:\windows\System32\dhcpcsvc6.dll
    2012-10-09 18:17:13 226816 ----a-w- C:\windows\System32\dhcpcore6.dll
    2012-10-09 17:40:31 44032 ----a-w- C:\windows\SysWow64\dhcpcsvc6.dll
    2012-10-09 17:40:31 193536 ----a-w- C:\windows\SysWow64\dhcpcore6.dll
    .
    ============= FINISH: 13:56:05.19 ===============

    Attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/24/2012 7:30:07 PM
    System Uptime: 1/6/2013 1:21:54 PM (0 hours ago)
    .
    Motherboard: TOSHIBA | | POQAA
    Processor: Intel(R) Core(TM) i3-2350M CPU @ 2.30GHz | CPU 1 | 2300/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 682 GiB total, 638.363 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP39: 11/6/2012 11:18:50 AM - Windows Update
    RP40: 11/6/2012 1:32:16 PM - Windows Update
    RP41: 11/6/2012 7:15:37 PM - Windows Update
    RP42: 11/8/2012 7:49:20 PM - Windows Update
    RP43: 11/8/2012 8:26:57 PM - Windows Update
    RP44: 11/9/2012 11:22:30 AM - Windows Update
    RP45: 11/11/2012 7:08:21 PM - Windows Update
    RP46: 11/11/2012 10:00:36 PM - Windows Update
    RP47: 11/19/2012 9:39:41 PM - Windows Update
    RP48: 11/20/2012 11:27:43 AM - Windows Update
    RP49: 11/20/2012 1:40:30 PM - Windows Update
    RP50: 11/26/2012 11:15:10 PM - Windows Update
    RP51: 11/27/2012 12:22:27 AM - Windows Update
    RP52: 11/27/2012 11:40:23 AM - Windows Update
    RP53: 11/27/2012 1:22:16 PM - Windows Update
    RP54: 11/29/2012 1:44:16 PM - Windows Update
    RP55: 12/3/2012 8:23:33 PM - Windows Update
    RP56: 12/3/2012 10:28:27 PM - Windows Update
    RP57: 12/6/2012 10:28:41 AM - Windows Update
    RP58: 12/6/2012 1:23:27 PM - Windows Update
    RP59: 12/9/2012 8:58:57 PM - Windows Update
    RP60: 12/9/2012 10:45:00 PM - Windows Update
    RP61: 12/25/2012 1:19:42 AM - Windows Update
    RP62: 12/25/2012 1:41:37 AM - Windows Update
    RP63: 12/28/2012 8:06:31 PM - Windows Update
    RP64: 12/28/2012 8:40:44 PM - Windows Update
    RP65: 1/6/2013 1:37:16 PM - Windows Update
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X MUI
    D3DX10
    Dropbox
    EverQuest
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    Intel PROSet Wireless
    Intel(R) Management Engine Components
    Intel(R) Processor Graphics
    Intel(R) PROSet/Wireless WiFi Software
    Intel(R) Rapid Storage Technology
    Intel(R) WiDi
    Intel(R) Wireless Display
    Java Auto Updater
    Java(TM) 6 Update 25
    JMicron Flash Media Controller Driver
    Junk Mail filter update
    [email protected] 1.0
    Mesh Runtime
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Office 2010
    Microsoft Office Click-to-Run 2010
    Microsoft Office Starter 2010 - English
    Microsoft PowerPoint Viewer
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    MSVCRT
    MSVCRT_amd64
    Norton Internet Security
    PlayReady PC Runtime amd64
    PlayReady PC Runtime x86
    Realtek Ethernet Controller Driver
    Realtek High Definition Audio Driver
    Renesas Electronics USB 3.0 Host Controller Driver
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Spybot - Search & Destroy
    Synaptics Pointing Device Driver
    TOSHIBA Application Installer
    TOSHIBA Assist
    Toshiba Book Place
    TOSHIBA Bulletin Board
    TOSHIBA Disc Creator
    TOSHIBA eco Utility
    TOSHIBA Face Recognition
    TOSHIBA Flash Cards Support Utility
    TOSHIBA Hardware Setup
    TOSHIBA HDD Protection
    TOSHIBA HDD/SSD Alert
    TOSHIBA Media Controller
    TOSHIBA Media Controller Plug-in
    TOSHIBA PC Health Monitor
    TOSHIBA Quality Application
    TOSHIBA Recovery Media Creator
    TOSHIBA ReelTime
    TOSHIBA Resolution+ Plug-in for Windows Media Player
    TOSHIBA Service Station
    TOSHIBA Sleep Utility
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    TOSHIBA VIDEO PLAYER
    TOSHIBA Web Camera Application
    TOSHIBA Wireless Display Monitor
    TOSHIBARegistration
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Utility Common Driver
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Language Selector
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live Remote Client
    Windows Live Remote Client Resources
    Windows Live Remote Service
    Windows Live Remote Service Resources
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/6/2013 1:33:51 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    1/6/2013 1:28:41 PM, Error: Service Control Manager [7022] - The Norton Internet Security service hung on starting.
    .
    ==== End Of File ===========================

    ark.txt

    GMER 2.0.18437 - http://www.gmer.net
    Rootkit scan 2013-01-06 14:07:03
    Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GT00 698.64GB
    Running: ebw3zimk.exe; Driver: C:\Users\Andrew\AppData\Local\Temp\axtoakod.sys

    ---- User code sections - GMER 2.0 ----
    .text C:\windows\system32\svchost.exe[1060] c:\windows\system32\DNSAPI.dll!Query_Main 000007fefd483028 14 bytes {JMP QWORD [RIP+0x0]}
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075a61401 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075a61419 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075a61431 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000075a6144a 2 bytes [A6, 75]
    .text ... * 9
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000075a614dd 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000075a614f5 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000075a6150d 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075a61525 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000075a6153d 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075a61555 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000075a6156d 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075a61585 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000075a6159d 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000075a615b5 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000075a615cd 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000075a616b2 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[4064] C:\windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000075a616bd 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a61401 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a61419 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a61431 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a6144a 2 bytes [A6, 75]
    .text ... * 9
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a614dd 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a614f5 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a6150d 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a61525 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a6153d 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a61555 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a6156d 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a61585 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a6159d 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a615b5 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a615cd 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a616b2 2 bytes [A6, 75]
    .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2964] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a616bd 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\SysWOW64\ntdll.dll!NtWriteFile 0000000077b2f908 5 bytes JMP 0000000100013aa9
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\SysWOW64\ntdll.dll!RtlRaiseException 0000000077b6b808 5 bytes JMP 0000000100013cc9
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000771587b1 5 bytes [33, C0, C2, 04, 00]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\USER32.dll!IsWindowVisible 000000007546112d 5 bytes JMP 00000001000146ba
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\USER32.dll!GetCursorPos 0000000075461218 5 bytes JMP 00000001000145b6
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\USER32.dll!GetForegroundWindow 0000000075462320 5 bytes JMP 0000000100014687
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\USER32.dll!WindowFromPoint 000000007547ed12 5 bytes JMP 0000000100014617
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\USER32.dll!MessageBoxIndirectW 00000000754afc9d 6 bytes [33, C0, 40, C2, 04, 00]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\ole32.dll!CoGetClassObject 0000000076ee54ad 5 bytes JMP 00000001000147f6
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076ef9d0b 5 bytes JMP 0000000100014820
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000075674889 5 bytes JMP 0000000100014518
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a61401 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a61419 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a61431 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a6144a 2 bytes [A6, 75]
    .text ... * 9
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a614dd 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a614f5 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a6150d 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a61525 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a6153d 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a61555 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a6156d 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a61585 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a6159d 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a615b5 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a615cd 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a616b2 2 bytes [A6, 75]
    .text \\.\globalroot\systemroot\svchost.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a616bd 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a61401 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a61419 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a61431 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a6144a 2 bytes [A6, 75]
    .text ... * 9
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a614dd 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a614f5 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a6150d 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a61525 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a6153d 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a61555 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a6156d 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a61585 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a6159d 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a615b5 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a615cd 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a616b2 2 bytes [A6, 75]
    .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe[5152] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a616bd 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17 0000000075a61401 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!EnumProcessModules + 17 0000000075a61419 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!GetModuleInformation + 17 0000000075a61431 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!GetModuleInformation + 42 0000000075a6144a 2 bytes [A6, 75]
    .text ... * 9
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17 0000000075a614dd 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17 0000000075a614f5 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17 0000000075a6150d 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075a61525 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17 0000000075a6153d 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!EnumProcesses + 17 0000000075a61555 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17 0000000075a6156d 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!GetPerformanceInfo + 17 0000000075a61585 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!QueryWorkingSet + 17 0000000075a6159d 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17 0000000075a615b5 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17 0000000075a615cd 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20 0000000075a616b2 2 bytes [A6, 75]
    .text C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe[2544] C:\windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31 0000000075a616bd 2 bytes [A6, 75]
    ---- Kernel IAT/EAT - GMER 2.0 ----
    IAT C:\windows\system32\ntoskrnl.exe[KDCOM.dll!KdD3Transition] [fffff80000bca78c] \SystemRoot\system32\kdcom.dll [.text]
    IAT C:\windows\system32\ntoskrnl.exe[KDCOM.dll!KdD0Transition] [fffff80000bca780] \SystemRoot\system32\kdcom.dll [.text]
    IAT C:\windows\system32\ntoskrnl.exe[KDCOM.dll!KdReceivePacket] [fffff80000bca8b4] \SystemRoot\system32\kdcom.dll [.text]
    IAT C:\windows\system32\ntoskrnl.exe[KDCOM.dll!KdSendPacket] [fffff80000bca8ac] \SystemRoot\system32\kdcom.dll [.text]
    IAT C:\windows\system32\ntoskrnl.exe[KDCOM.dll!KdRestore] [fffff80000bca8a0] \SystemRoot\system32\kdcom.dll [.text]
    IAT C:\windows\system32\ntoskrnl.exe[KDCOM.dll!KdSave] [fffff80000bca894] \SystemRoot\system32\kdcom.dll [.text]
    IAT C:\windows\system32\ntoskrnl.exe[KDCOM.dll!KdDebuggerInitialize0] [fffff80000bca878] \SystemRoot\system32\kdcom.dll [.text]
    IAT C:\windows\system32\ntoskrnl.exe[KDCOM.dll!KdDebuggerInitialize1] [fffff80000bca884] \SystemRoot\system32\kdcom.dll [.text]
    IAT C:\windows\system32\hal.dll[KDCOM.dll!KdRestore] [fffff80000bca8a0] \SystemRoot\system32\kdcom.dll [.text]
    ---- User IAT/EAT - GMER 2.0 ----
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2468] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef8ec2750] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2468] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef8ec2b98] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2468] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef8ec7de0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2468] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef8ec8130] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2468] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef8ec1908] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2468] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef8ec1c00] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2468] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef8ec81d8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2468] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef8ec2878] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2468] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef8ec7a5c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2468] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmIncrement] [7fef8ec6c48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2468] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef8ec77bc] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2468] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef8ec7064] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2468] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef8ec6544] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2468] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef8ec5e30] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
    ---- Devices - GMER 2.0 ----
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1
    ---- Trace I/O - GMER 2.0 ----
    Trace ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys >>UNKNOWN [0xfffffa80083455e8]<< fffffa80083455e8
    Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007bd2060] fffffa8007bd2060
    Trace 3 CLASSPNP.SYS[fffff8800140143f] -> nt!IofCallDriver -> \Device\THPDRV1[0xfffffa8007bd1060] fffffa8007bd1060
    Trace 5 thpdrv.sys[fffff88001bbf2b0] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005d32050] fffffa8005d32050
    Trace \Driver\iaStor[0xfffffa8008294980] -> IRP_MJ_CREATE -> 0xfffffa80083455e8 fffffa80083455e8
    ---- Threads - GMER 2.0 ----
    Thread C:\windows\system32\svchost.exe [1060:5672] 00000000000e2368
    Thread C:\windows\system32\svchost.exe [1060:3644] 00000000000e2518
    Thread C:\windows\system32\svchost.exe [1060:3168] 00000000000e2518
    Thread C:\windows\system32\svchost.exe [1060:5748] 00000000000e2518
    Thread C:\windows\system32\svchost.exe [1060:6408] 00000000000e1a78
    Thread C:\windows\system32\svchost.exe [1060:5136] 00000000000e2518
    Thread C:\windows\system32\svchost.exe [1060:3604] 00000000000e2518
    Thread C:\windows\system32\svchost.exe [1060:6232] 00000000000e1a78
    Thread C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe [3732:5168] 000000006a6ce196
    Thread C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe [3732:1224] 0000000069705876
    Thread C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe [3732:1888] 0000000069705876
    Thread C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe [3732:776] 0000000069705876
    Thread C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe [3732:460] 0000000069933bff
    Thread C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe [3732:4748] 00000000693e67e9
    Thread C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe [3732:3500] 0000000068431854
    Thread C:\windows\System32\svchost.exe [5628:1292] 000007feed299688
    ---- Processes - GMER 2.0 ----
    Library ? (*** suspicious ***) @ C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [1472] 0000000073630000
    Library ? (*** suspicious ***) @ C:\Program Files (x86)\TOSHIBA\widimon\widimon.exe [4740] 0000000072290000
    Library \\.\globalroot\systemroot\svchost.exe (*** suspicious ***) @ \\.\globalroot\systemroot\svchost.exe [4156] 0000000000f00000
    Library ? (*** suspicious ***) @ C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe [3732] 0000000076be0000
    Library ? (*** suspicious ***) @ C:\windows\System32\svchost.exe [5628] 000007feff860000
    ---- Registry - GMER 2.0 ----
    Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\[email protected] 958
    ---- EOF - GMER 2.0 ----


    Thanks in advance guys/gals!
     
  2. gknight86

    gknight86 Thread Starter

    Joined:
    Jan 6, 2013
    Messages:
    21
    Anyone have an idea what's wrong with my computer? Or did I forget to upload something? I think I included everything.
     
  3. Satchfan

    Satchfan Malware Specialist

    Joined:
    Jan 12, 2009
    Messages:
    653
    Hello gknight86 and welcome to TSG.

    My name is Satchfan and I would be glad to help you with your computer problem.

    Please read the following guidelines which will help to make cleaning your machine easier:

    • please follow all instructions in the order posted
    • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
    • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
    • if you don't understand something, please don't hesitate to ask for clarification before proceeding
    • the fixes are specific to your problem and should only be used for this issue on this machine.
    • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!
    IMPORTANT:

    Please DO NOT install/uninstall any programs unless asked to.
    Please DO NOT run any scans other than those requested

    I am looking at your logs now and will reply with instructions shortly.

    Satchfan
     
  4. Satchfan

    Satchfan Malware Specialist

    Joined:
    Jan 12, 2009
    Messages:
    653
    Hello again gknight86

    There is nothing untoward showing up in your logs so we’ll have to look with other scans.

    Run RogueKiller

    IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again

    Download RogueKiller to your desktop.

    • close all running programs
    • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
    • when the prescan is finished, click on Scan
    • click on Report and copy/paste the content in your next post
    • NOTE: DO NOT attempt to remove anything that the scan detects.
    If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

    Please post the contents of the RKreport.txt in your next reply.

    Remember: do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again.

    ===================================================

    Download and run OTL

    • download OTL to your desktop.
    • double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • click Scan all users.
    • under Custom Scan paste this in
    netsvcs%SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    consrv.dll
    /md5stop
    %systemroot%\*. /rp /s
    DRIVES
    CREATERESTOREPOINT

    • click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
    • when the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
    • you may need two posts to fit them both in.

    Logs to include with next post:

    RKreport.txt
    OTL.txt
    Extras.txt


    Thanks

    Satchfan
     
  5. gknight86

    gknight86 Thread Starter

    Joined:
    Jan 6, 2013
    Messages:
    21
    RKReport.txt:

    RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Andrew [Admin rights]
    Mode : Scan -- Date : 01/11/2013 07:01:21
    ¤¤¤ Bad processes : 1 ¤¤¤
    [SVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]
    ¤¤¤ Registry Entries : 2 ¤¤¤
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: TOSHIBA MK7575GSX +++++
    --- User ---
    [MBR] a29794bbf5dda1c4e3fbaf03e974229a
    [BSP] 9ea1ced1571f36b81b112b3982abe1b2 : Windows Vista MBR Code
    Partition table:
    0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 698476 Mo
    2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1433552896 | Size: 15427 Mo
    User != LL1 ... KO!
    --- LL1 ---
    [MBR] b50cb5422c9d43432ad208019116a2a5
    [BSP] 9ea1ced1571f36b81b112b3982abe1b2 : Windows Vista MBR Code
    Partition table:
    1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 698476 Mo
    3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1433552896 | Size: 15427 Mo
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] b50cb5422c9d43432ad208019116a2a5
    [BSP] 9ea1ced1571f36b81b112b3982abe1b2 : Windows Vista MBR Code
    Partition table:
    1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 698476 Mo
    3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1433552896 | Size: 15427 Mo
    Finished : << RKreport[1]_S_01112013_02d0701.txt >>
    RKreport[1]_S_01112013_02d0701.txt

    OTL.txt:

    OTL logfile created on: 1/11/2013 7:05:07 AM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Andrew\Desktop
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    5.91 Gb Total Physical Memory | 3.73 Gb Available Physical Memory | 63.19% Memory free
    11.82 Gb Paging File | 9.48 Gb Available in Paging File | 80.24% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 682.11 Gb Total Space | 638.25 Gb Free Space | 93.57% Space Free | Partition Type: NTFS

    Computer Name: ANDREWSCRAPTOP | User Name: Andrew | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2013/01/11 07:02:45 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
    PRC - [2013/01/06 14:07:30 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    PRC - [2012/12/28 20:06:23 | 000,697,272 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe
    PRC - [2012/12/28 18:02:24 | 028,539,392 | ---- | M] (Dropbox, Inc.) -- C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe
    PRC - [2012/09/01 20:31:48 | 000,307,856 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    PRC - [2012/06/15 21:24:19 | 000,138,272 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccsvchst.exe
    PRC - [2011/10/01 07:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
    PRC - [2011/10/01 07:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
    PRC - [2011/02/01 16:24:42 | 002,656,280 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    PRC - [2011/02/01 16:24:40 | 000,326,168 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    PRC - [2010/12/25 19:05:54 | 001,716,144 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\widimon\widimon.exe
    PRC - [2010/08/16 13:54:50 | 000,034,160 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
    PRC - [2010/06/04 19:32:58 | 000,252,792 | ---- | M] (TOSHIBA) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
    PRC - [2009/07/13 20:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
    PRC - [2009/07/13 20:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
    PRC - [2009/01/26 14:31:16 | 002,144,088 | RHS- | M] (Safer Networking Limited) -- C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    PRC - [2009/01/26 14:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe


    ========== Modules (No Company Name) ==========


    ========== Services (SafeList) ==========

    SRV:64bit: - [2011/07/01 14:46:14 | 000,828,856 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe -- (TPCHSrv)
    SRV:64bit: - [2011/06/10 00:10:00 | 000,138,152 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)
    SRV:64bit: - [2011/06/01 15:38:30 | 001,517,328 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
    SRV:64bit: - [2011/06/01 15:23:40 | 000,340,240 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe -- (MyWiFiDHCPDNS)
    SRV:64bit: - [2011/06/01 15:19:58 | 000,844,560 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
    SRV:64bit: - [2011/05/24 12:58:12 | 000,294,848 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TECO\TecoService.exe -- (TOSHIBA eco Utility Service)
    SRV:64bit: - [2011/05/17 17:34:18 | 000,574,896 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
    SRV:64bit: - [2011/04/20 18:16:04 | 000,558,592 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\ThpSrv.exe -- (Thpsrv)
    SRV:64bit: - [2010/10/20 17:41:00 | 000,138,656 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\TODDSrv.exe -- (TODDSrv)
    SRV:64bit: - [2010/09/22 21:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
    SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2013/01/06 14:07:30 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Running] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/06/15 21:24:19 | 000,138,272 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe -- (NIS)
    SRV - [2011/11/21 18:32:40 | 000,057,216 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
    SRV - [2011/10/01 07:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
    SRV - [2011/10/01 07:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
    SRV - [2011/02/01 16:24:42 | 002,656,280 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS)
    SRV - [2011/02/01 16:24:40 | 000,326,168 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS)
    SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2012/08/14 09:48:11 | 000,175,736 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
    DRV:64bit: - [2012/07/05 21:17:58 | 000,037,536 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NISx64\1309000.009\srtspx64.sys -- (SRTSPX)
    DRV:64bit: - [2012/07/05 21:17:57 | 000,737,952 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1309000.009\srtsp64.sys -- (SRTSP)
    DRV:64bit: - [2012/06/06 23:43:38 | 000,167,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NISx64\1309000.009\ccsetx64.sys -- (ccSet_NIS)
    DRV:64bit: - [2012/05/21 20:37:12 | 001,129,120 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\NISx64\1309000.009\symefa64.sys -- (SymEFA)
    DRV:64bit: - [2012/04/17 21:13:32 | 000,405,624 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NISx64\1309000.009\symnets.sys -- (SymNetS)
    DRV:64bit: - [2012/04/17 20:42:14 | 000,190,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NISx64\1309000.009\ironx64.sys -- (SymIRON)
    DRV:64bit: - [2012/03/01 01:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2012/02/28 07:03:58 | 000,020,592 | ---- | M] (Compal Electronics, INC.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CeKbFilter.sys -- (CeKbFilter)
    DRV:64bit: - [2011/10/01 07:30:22 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftvollh.sys -- (Sftvol)
    DRV:64bit: - [2011/10/01 07:30:18 | 000,268,648 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftplaylh.sys -- (Sftplay)
    DRV:64bit: - [2011/10/01 07:30:18 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftredirlh.sys -- (Sftredir)
    DRV:64bit: - [2011/10/01 07:30:10 | 000,764,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftfslh.sys -- (Sftfs)
    DRV:64bit: - [2011/08/05 15:34:02 | 000,025,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\iwdbus.sys -- (iwdbus)
    DRV:64bit: - [2011/08/05 15:34:00 | 000,034,200 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\intelaud.sys -- (intaud_WaveExtensible)
    DRV:64bit: - [2011/07/25 13:18:36 | 000,451,192 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NISx64\1309000.009\symds64.sys -- (SymDS)
    DRV:64bit: - [2011/06/27 12:55:50 | 012,231,584 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
    DRV:64bit: - [2011/06/09 22:28:22 | 000,482,384 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tos_sps64.sys -- (tos_sps64)
    DRV:64bit: - [2011/05/01 17:33:06 | 008,593,920 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETwNs64.sys -- (NETwNs64)
    DRV:64bit: - [2011/03/23 20:10:28 | 000,036,992 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\thpdrv.sys -- (Thpdrv)
    DRV:64bit: - [2011/03/11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2011/03/11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2011/02/10 17:52:34 | 000,181,760 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3xhc.sys -- (nusb3xhc)
    DRV:64bit: - [2011/02/10 17:52:34 | 000,082,432 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3hub.sys -- (nusb3hub)
    DRV:64bit: - [2011/02/08 22:07:00 | 000,038,096 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\PGEffect.sys -- (PGEffect)
    DRV:64bit: - [2011/02/03 22:59:06 | 001,413,680 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
    DRV:64bit: - [2011/01/31 19:04:42 | 000,174,168 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\jmcr.sys -- (JMCR)
    DRV:64bit: - [2011/01/13 22:58:30 | 000,413,800 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
    DRV:64bit: - [2011/01/12 20:51:44 | 000,439,320 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
    DRV:64bit: - [2010/11/20 22:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/11/20 22:23:47 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
    DRV:64bit: - [2010/11/20 22:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010/11/20 22:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
    DRV:64bit: - [2010/10/19 19:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64)
    DRV:64bit: - [2010/10/15 19:28:18 | 000,317,440 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud)
    DRV:64bit: - [2010/03/22 13:55:20 | 000,046,192 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\LPCFilter.sys -- (LPCFilter)
    DRV:64bit: - [2009/07/30 23:22:04 | 000,027,784 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tdcmdpst.sys -- (tdcmdpst)
    DRV:64bit: - [2009/07/14 18:31:18 | 000,026,840 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\TVALZ_O.SYS -- (TVALZ)
    DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/06/29 19:16:20 | 000,014,784 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\Thpevm.sys -- (Thpevm)
    DRV:64bit: - [2009/06/19 22:15:22 | 000,014,472 | ---- | M] (TOSHIBA Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\TVALZFL.sys -- (TVALZFL)
    DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV - [2012/06/26 09:06:43 | 002,068,600 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120625.034\ex64.sys -- (NAVEX15)
    DRV - [2012/06/26 09:06:43 | 000,484,512 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
    DRV - [2012/06/26 09:06:43 | 000,138,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2012/06/26 09:06:43 | 000,120,440 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120625.034\eng64.sys -- (NAVENG)
    DRV - [2012/06/23 18:56:04 | 000,509,088 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120623.002\IDSviA64.sys -- (IDSVia64)
    DRV - [2012/06/18 23:03:24 | 001,161,376 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20120619.001\BHDrvx64.sys -- (BHDrvx64)
    DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {{67A2568C-7A0A-4EED-AECC-B5405DE63B64}}
    IE:64bit: - HKLM\..\SearchScopes\{{67A2568C-7A0A-4EED-AECC-B5405DE63B64}}: "URL" = http://www.google.com/search?source...nputEncoding}&oe={outputEncoding}&rlz=1I7TSNO
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\..\SearchScopes,DefaultScope = {{67A2568C-7A0A-4EED-AECC-B5405DE63B64}}
    IE - HKLM\..\SearchScopes\{{67A2568C-7A0A-4EED-AECC-B5405DE63B64}}: "URL" = http://www.google.com/search?source...nputEncoding}&oe={outputEncoding}&rlz=1I7TSNO


    IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {{67A2568C-7A0A-4EED-AECC-B5405DE63B64}}
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {{67A2568C-7A0A-4EED-AECC-B5405DE63B64}}
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.toshiba.com/?cid=C001B2Y
    IE - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    IE - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\..\SearchScopes,DefaultScope = {4C45C437-5EDC-4C21-8316-2DFDEBAAC445}
    IE - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\..\SearchScopes\{{67A2568C-7A0A-4EED-AECC-B5405DE63B64}}: "URL" = http://www.google.com/search?source...nputEncoding}&oe={outputEncoding}&rlz=1I7TSNO
    IE - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\..\SearchScopes\{4C45C437-5EDC-4C21-8316-2DFDEBAAC445}: "URL" = http://www.google.com/search?source...ding}&oe={outputEncoding}&rlz=1I7TSNO_enUS489
    IE - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>


    ========== FireFox ==========

    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF64_11_5_502_135.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\IPSFFPlgn\ [2012/08/14 09:23:45 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\coFFPlgn\ [2013/01/11 06:58:07 | 000,000,000 | ---D | M]


    ========== Chrome ==========

    CHR - homepage: http://start.toshiba.com/?cid=C001B2Y
    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:eek:riginalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
    CHR - homepage: http://start.toshiba.com/?cid=C001B2Y
    CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.89\PepperFlash\pepflashplayer.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\23.0.1271.97\gcswf32.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\23.0.1271.97\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\23.0.1271.97\pdf.dll
    CHR - plugin: Norton Confidential (Enabled) = C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2012.5.5.11_0\npcoplgn.dll
    CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Java Deployment Toolkit 6.0.250.6 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    CHR - plugin: Java(TM) Platform SE 6 U25 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
    CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
    CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
    CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll
    CHR - Extension: Norton Identity Protection = C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2012.5.6.10_0\

    O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    O2:64bit: - BHO: (TOSHIBA Media Controller Plug-in) - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\x64\TOSHIBAMediaControllerIE.dll (TOSHIBA Corporation)
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\coieplg.dll (Symantec Corporation)
    O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\ips\ipsbho.dll (Symantec Corporation)
    O2 - BHO: (TOSHIBA Media Controller Plug-in) - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll (TOSHIBA Corporation)
    O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\coieplg.dll (Symantec Corporation)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3:64bit: - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    O3 - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.0.9\coieplg.dll (Symantec Corporation)
    O4:64bit: - HKLM..\Run: [] File not found
    O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [IntelPAN] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel(R) Corporation)
    O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Realtek Semiconductor)
    O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
    O4:64bit: - HKLM..\Run: [TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [Teco] C:\Program Files\TOSHIBA\TECO\Teco.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [ThpSrv] C:\windows\SysNative\thpsrv.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [TosNC] C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [TosReelTimeMonitor] C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [TosWaitSrv] C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe (TOSHIBA Corporation)
    O4:64bit: - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [DelayTSS] C:\Program Files\Toshiba\DelayTSS\DelayTSS.exe ()
    O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe (TOSHIBA Electronics, Inc.)
    O4 - HKLM..\Run: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe (TOSHIBA CORPORATION)
    O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA CORPORATION)
    O4 - HKLM..\Run: [TSleepSrv] C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe (TOSHIBA)
    O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O4 - Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O1364bit: - gopher Prefix: missing
    O13 - gopher Prefix: missing
    O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
    O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
    O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
    O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in )
    O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in )
    O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in )
    O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in )
    O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in )
    O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in )
    O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in )
    O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in )
    O15 - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\..Trusted Domains: freerealms.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\..Trusted Domains: soe.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\..Trusted Domains: sony.com ([]* in Trusted sites)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
    O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4B272CDA-DC9E-4041-A764-377816FDB550}: DhcpNameServer = 10.0.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EF86F661-0708-4FB7-877E-185038082738}: DhcpNameServer = 100.100.0.102
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
    O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\windows\SysWow64\userinit.exe (Microsoft Corporation)
    O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\windows\SysNative\igfxdev.dll (Intel Corporation)
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)


    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2013/01/11 07:02:45 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
    [2013/01/11 07:00:50 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\RK_Quarantine
    [2013/01/06 14:13:49 | 000,509,440 | ---- | C] (Tech Support Guy System) -- C:\Users\Andrew\Desktop\SysInfo.exe
    [2013/01/06 13:54:50 | 000,688,992 | R--- | C] (Swearware) -- C:\Users\Andrew\Desktop\dds.scr
    [2013/01/06 13:52:02 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Andrew\Desktop\HijackThis.exe
    [2012/12/25 01:42:41 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ieui.dll
    [2012/12/25 01:42:41 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\mshtmled.dll
    [2012/12/25 01:42:41 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\mshtmled.dll
    [2012/12/25 01:42:40 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ieui.dll
    [2012/12/25 01:42:40 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\url.dll
    [2012/12/25 01:42:40 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\url.dll
    [2012/12/25 01:42:40 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ieUnatt.exe
    [2012/12/25 01:42:40 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ieUnatt.exe
    [2012/12/25 01:42:39 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\jscript9.dll
    [2012/12/25 01:42:39 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\inetcpl.cpl
    [2012/12/25 01:42:39 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\inetcpl.cpl
    [2012/12/25 01:42:39 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\msfeeds.dll
    [2012/12/25 01:42:37 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\jscript.dll
    [2012/12/25 01:42:37 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\jscript.dll
    [2012/12/25 01:42:37 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\vbscript.dll
    [2012/12/25 01:42:03 | 000,046,080 | ---- | C] (Adobe Systems) -- C:\windows\SysNative\atmlib.dll
    [2012/12/25 01:42:03 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\windows\SysWow64\atmlib.dll
    [2012/12/25 01:42:00 | 000,367,616 | ---- | C] (Adobe Systems Incorporated) -- C:\windows\SysNative\atmfd.dll
    [2012/12/25 01:42:00 | 000,295,424 | ---- | C] (Adobe Systems Incorporated) -- C:\windows\SysWow64\atmfd.dll
    [2012/12/25 01:39:29 | 001,161,216 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\kernel32.dll
    [2012/12/25 01:39:29 | 000,424,960 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\KernelBase.dll
    [2012/12/25 01:39:28 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wow64win.dll
    [2012/12/25 01:39:28 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\conhost.exe
    [2012/12/25 01:39:28 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wow64.dll
    [2012/12/25 01:39:28 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\winsrv.dll
    [2012/12/25 01:39:28 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\setup16.exe
    [2012/12/25 01:39:28 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ntvdm64.dll
    [2012/12/25 01:39:28 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ntvdm64.dll
    [2012/12/25 01:39:28 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wow64cpu.dll
    [2012/12/25 01:39:28 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\instnm.exe
    [2012/12/25 01:39:28 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-security-base-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-file-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\wow32.dll
    [2012/12/25 01:39:28 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-util-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-string-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
    [2012/12/25 01:39:28 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-io-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-console-l1-1-0.dll
    [2012/12/25 01:39:27 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\user.exe
    [2012/12/25 01:39:20 | 000,478,208 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\dpnet.dll
    [2012/12/25 01:39:20 | 000,376,832 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\dpnet.dll
    [1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
    [1 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2013/01/11 07:06:30 | 000,000,830 | ---- | M] () -- C:\windows\tasks\Adobe Flash Player Updater.job
    [2013/01/11 07:06:27 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\SysWow64\FlashPlayerApp.exe
    [2013/01/11 07:06:27 | 000,074,248 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
    [2013/01/11 07:03:38 | 000,025,120 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2013/01/11 07:03:38 | 000,025,120 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2013/01/11 07:02:45 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
    [2013/01/11 07:02:05 | 000,779,724 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
    [2013/01/11 07:02:05 | 000,660,770 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
    [2013/01/11 07:02:05 | 000,121,408 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
    [2013/01/11 06:59:41 | 000,764,416 | ---- | M] () -- C:\Users\Andrew\Desktop\RogueKiller.exe
    [2013/01/11 06:55:28 | 000,000,908 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
    [2013/01/11 06:55:08 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
    [2013/01/11 06:54:59 | 464,330,751 | -HS- | M] () -- C:\hiberfil.sys
    [2013/01/08 00:18:00 | 000,000,912 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
    [2013/01/06 14:13:50 | 000,509,440 | ---- | M] (Tech Support Guy System) -- C:\Users\Andrew\Desktop\SysInfo.exe
    [2013/01/06 13:57:01 | 000,365,568 | ---- | M] () -- C:\Users\Andrew\Desktop\ebw3zimk.exe
    [2013/01/06 13:54:54 | 000,688,992 | R--- | M] (Swearware) -- C:\Users\Andrew\Desktop\dds.scr
    [2013/01/06 13:52:03 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Andrew\Desktop\HijackThis.exe
    [2013/01/06 13:28:15 | 000,001,023 | ---- | M] () -- C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
    [2012/12/28 19:59:43 | 000,275,712 | ---- | M] () -- C:\windows\SysNative\FNTCACHE.DAT
    [2012/12/16 12:11:22 | 000,046,080 | ---- | M] (Adobe Systems) -- C:\windows\SysNative\atmlib.dll
    [2012/12/16 09:45:03 | 000,367,616 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\SysNative\atmfd.dll
    [2012/12/16 09:13:28 | 000,295,424 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\SysWow64\atmfd.dll
    [2012/12/16 09:13:20 | 000,034,304 | ---- | M] (Adobe Systems) -- C:\windows\SysWow64\atmlib.dll
    [1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
    [1 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2013/01/11 06:59:40 | 000,764,416 | ---- | C] () -- C:\Users\Andrew\Desktop\RogueKiller.exe
    [2013/01/06 13:57:01 | 000,365,568 | ---- | C] () -- C:\Users\Andrew\Desktop\ebw3zimk.exe
    [2013/01/06 13:28:15 | 000,001,023 | ---- | C] () -- C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
    [2012/10/30 12:23:11 | 000,000,085 | ---- | C] () -- C:\windows\wininit.ini
    [2012/06/24 18:45:14 | 000,796,420 | ---- | C] () -- C:\windows\SysWow64\PerfStringBackup.INI
    [2011/06/27 12:53:58 | 000,963,116 | ---- | C] () -- C:\windows\SysWow64\igkrng600.bin
    [2011/06/27 12:53:58 | 000,218,304 | ---- | C] () -- C:\windows\SysWow64\igfcg600m.bin
    [2011/06/27 12:53:58 | 000,145,804 | ---- | C] () -- C:\windows\SysWow64\igcompkrng600.bin
    [2011/06/27 12:48:58 | 000,056,832 | ---- | C] () -- C:\windows\SysWow64\igdde32.dll
    [2011/06/27 12:28:08 | 013,899,776 | ---- | C] () -- C:\windows\SysWow64\ig4icd32.dll
    [2011/02/03 22:56:58 | 000,066,856 | ---- | C] () -- C:\windows\SysWow64\SynTPEnhPS.dll

    ========== ZeroAccess Check ==========

    [2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
    "" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 00:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 23:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 22:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

    ========== Custom Scans ==========

    < MD5 for: EXPLORER.EXE >
    [2011/02/26 00:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe
    [2011/02/25 01:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\explorer.exe
    [2011/02/25 01:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
    [2011/02/26 01:14:34 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=3B69712041F3D63605529BD66DC00C48 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
    [2010/11/20 22:24:25 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe
    [2011/02/25 00:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\SysWOW64\explorer.exe
    [2011/02/25 00:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe
    [2010/11/20 22:24:11 | 002,872,320 | ---- | M] (Microsoft Corporation) MD5=AC4C51EB24AA95B77F705AB159189E24 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe

    < MD5 for: SVCHOST.EXE >
    [2009/07/13 20:14:45 | 000,020,480 | ---- | M] (Microsoft Corporation) MD5=2CEFF13ACE25A40BD8D97654944297CD -- C:\Windows\svchost.exe
    [2009/07/13 20:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
    [2011/03/01 03:10:51 | 000,027,648 | ---- | M] (Microsoft Corporation) MD5=635455A95EB8EC47AC72142E501465ED -- C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7601.21671_none_14271b75353e4391\svchost.exe
    [2011/03/01 03:07:49 | 000,027,648 | ---- | M] (Microsoft Corporation) MD5=6F68F63794097E54F36474ED4384B759 -- C:\windows\SysNative\svchost.exe
    [2011/03/01 03:07:49 | 000,027,648 | ---- | M] (Microsoft Corporation) MD5=6F68F63794097E54F36474ED4384B759 -- C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7601.17568_none_13af509c1c123937\svchost.exe
    [2011/03/01 03:07:49 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=A91A288C91F9D9F1CFA4FAA9893C4D55 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7601.21671_none_b8087ff17ce0d25b\svchost.exe
    [2009/07/13 20:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe
    [2011/03/01 03:05:31 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=ECDB182F885292145826C58252B53000 -- C:\Windows\SysWOW64\svchost.exe
    [2011/03/01 03:05:31 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=ECDB182F885292145826C58252B53000 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7601.17568_none_b790b51863b4c801\svchost.exe

    < MD5 for: USERINIT.EXE >
    [2010/11/20 22:23:55 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\SysWOW64\userinit.exe
    [2010/11/20 22:23:55 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
    [2010/11/20 22:24:28 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\windows\SysNative\userinit.exe
    [2010/11/20 22:24:28 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_3a4ebf84e84f824c\userinit.exe

    < MD5 for: WINLOGON.EXE >
    [2010/11/20 22:24:29 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\windows\SysNative\winlogon.exe
    [2010/11/20 22:24:29 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe

    < %systemroot%\*. /rp /s >

    ========== Drive Information ==========

    Physical Drives
    ---------------

    Drive: \\\\.\\PHYSICALDRIVE0 - Fixed hard disk media
    Interface type: IDE
    Media Type: Fixed hard disk media
    Model: TOSHIBA MK7575GSX
    Partitions: 3
    Status: OK
    Status Info: 0

    Partitions
    ---------------

    DeviceID: Disk #0, Partition #0
    PartitionType: Unknown
    Bootable: True
    BootPartition: True
    PrimaryPartition: True
    Size: 1.00GB
    Starting Offset: 1048576
    Hidden sectors: 0


    DeviceID: Disk #0, Partition #1
    PartitionType: Installable File System
    Bootable: False
    BootPartition: False
    PrimaryPartition: True
    Size: 682.00GB
    Starting Offset: 1573912576
    Hidden sectors: 0


    DeviceID: Disk #0, Partition #2
    PartitionType: Unknown
    Bootable: False
    BootPartition: False
    PrimaryPartition: True
    Size: 15.00GB
    Starting Offset: 733979082752
    Hidden sectors: 0

    < End of report >

    Extras.txt

    OTL Extras logfile created on: 1/11/2013 7:05:07 AM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Andrew\Desktop
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    5.91 Gb Total Physical Memory | 3.73 Gb Available Physical Memory | 63.19% Memory free
    11.82 Gb Paging File | 9.48 Gb Available in Paging File | 80.24% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 682.11 Gb Total Space | 638.25 Gb Free Space | 93.57% Space Free | Partition Type: NTFS

    Computer Name: ANDREWSCRAPTOP | User Name: Andrew | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .url[@ = InternetShortcut] -- C:\windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\windows\SysWow64\control.exe (Microsoft Corporation)

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    ========== Authorized Applications List ==========


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{5450716C-A89B-49DA-A7EB-39BCE09ABC90}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
    "{5908E83F-A67E-4D95-B275-37A845D908C0}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{14F238E0-5D87-457F-9A4F-08BF95E2FCFC}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
    "{33A56C04-8024-42D5-9C8A-BDF03E0AD2DA}" = dir=in | app=c:\program files (x86)\intel corporation\intel widi\widiapp.exe |
    "{38AE5C5E-6C17-4F50-B4B0-AFC98947B748}" = dir=in | app=c:\program files\intel\wifi\bin\pandhcpdns.exe |
    "{53C30A38-375B-4EAC-A4FC-7255FEE57685}" = dir=in | app=c:\program files (x86)\windows live\mesh\moe.exe |
    "{9457582E-3F64-464F-ACC1-332DF8097760}" = protocol=6 | dir=in | app=c:\users\andrew\appdata\roaming\dropbox\bin\dropbox.exe |
    "{C872428A-EEC0-4859-981B-44A990B4821D}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe |
    "{EC8CF8F8-B658-4E02-8D63-84AF369CD092}" = protocol=17 | dir=in | app=c:\users\andrew\appdata\roaming\dropbox\bin\dropbox.exe |
    "TCP Query User{908DA858-7147-437C-A736-F238CC8F861B}E:\sony online entertainment\installed games\everquest\eqvoiceservice.exe" = protocol=6 | dir=in | app=e:\sony online entertainment\installed games\everquest\eqvoiceservice.exe |
    "TCP Query User{A7B5CE83-5F4F-4AFA-94FC-FB02C01BA4B6}C:\users\andrew\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\andrew\appdata\roaming\dropbox\bin\dropbox.exe |
    "UDP Query User{3DCE1AB6-D476-4380-BA45-D2FE376D9927}C:\users\andrew\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\andrew\appdata\roaming\dropbox\bin\dropbox.exe |
    "UDP Query User{C7F7BBD0-5414-414C-9C69-66107CD4FDD6}E:\sony online entertainment\installed games\everquest\eqvoiceservice.exe" = protocol=17 | dir=in | app=e:\sony online entertainment\installed games\everquest\eqvoiceservice.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
    "{180C8888-50F1-426B-A9DC-AB83A1989C65}" = Windows Live Language Selector
    "{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant
    "{1C8C049A-145F-4A6E-8290-B5C245EBE39D}" = TOSHIBA Bulletin Board
    "{24811C12-F4A9-4D0F-8494-A7B8FE46123C}" = TOSHIBA ReelTime
    "{28EF7372-9087-4AC3-9B9F-D9751FCDF830}" = Intel(R) Wireless Display
    "{3C41721F-AF0F-4086-AA1C-4C7F29076228}" = Intel(R) PROSet/Wireless WiFi Software
    "{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    "{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
    "{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    "{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
    "{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    "{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
    "{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
    "{90140000-006D-0409-1000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010
    "{94A90C69-71C1-470A-88F5-AA47ECC96B40}" = TOSHIBA HDD Protection
    "{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}" = TOSHIBA PC Health Monitor
    "{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}" = PlayReady PC Runtime amd64
    "{C2F94B5E-201A-4754-8F2F-4395E1D90DA3}" = TOSHIBA eco Utility
    "{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
    "{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
    "{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
    "{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "{F67FA545-D8E5-4209-86B1-AEE045D1003F}" = TOSHIBA Face Recognition
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
    "ProInst" = Intel PROSet Wireless
    "SynTPDeinstKey" = Synaptics Pointing Device Driver

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{0D795777-9D60-4692-8386-F2B3F2B5E5BF}" = [email protected] 1.0
    "{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    "{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{26604C7E-A313-4D12-867F-7C6E7820BE4C}" = JMicron Flash Media Controller Driver
    "{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java(TM) 6 Update 25
    "{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
    "{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
    "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
    "{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
    "{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
    "{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
    "{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
    "{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
    "{5AF550B4-BB67-4E7E-82F1-2C4300279050}" = TOSHIBARegistration
    "{617773AE-ADBA-4479-BB04-65FE7758B35C}" = TOSHIBA Wireless Display Monitor
    "{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
    "{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
    "{654F7484-88C5-46DC-AB32-C66BCB0E2102}" = TOSHIBA Sleep Utility
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA VIDEO PLAYER
    "{6CB76C9D-80C2-4CB3-A4CD-D96B239E3F94}" = TOSHIBA Resolution+ Plug-in for Windows Media Player
    "{6F3C8901-EBD3-470D-87F8-AC210F6E5E02}" = TOSHIBA Web Camera Application
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{7257132D-7F65-41E6-A90F-43BF6099461A}" = Intel(R) WiDi
    "{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
    "{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{90140011-0066-0409-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - English
    "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
    "{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
    "{95140000-00AF-0409-0000-0000000FF1CE}" = Microsoft PowerPoint Viewer
    "{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}" = TOSHIBA Application Installer
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
    "{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
    "{A14962A7-2B7D-456E-BFCD-F54E3A88D41F}" = Toshiba Book Place
    "{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
    "{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
    "{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station
    "{AC76BA86-7AD7-FFFF-7B44-AA0000000001}" = Adobe Reader X MUI
    "{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Media Creator
    "{C2A276E3-154E-44DC-AAF1-FFDD7FD30E35}" = TOSHIBA Assist
    "{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
    "{C7A4F26F-F9B0-41B2-8659-99181108CDE3}" = TOSHIBA Media Controller
    "{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}" = PlayReady PC Runtime x86
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
    "{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
    "{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
    "{E69992ED-A7F6-406C-9280-1C156417BC49}" = TOSHIBA Quality Application
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F26FDF57-483E-42C8-A9C9-EEE1EDB256E0}" = TOSHIBA Media Controller Plug-in
    "{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Google Chrome" = Google Chrome
    "InstallShield_{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
    "InstallShield_{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
    "InstallShield_{1C8C049A-145F-4A6E-8290-B5C245EBE39D}" = TOSHIBA Bulletin Board
    "InstallShield_{24811C12-F4A9-4D0F-8494-A7B8FE46123C}" = TOSHIBA ReelTime
    "InstallShield_{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
    "InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
    "InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
    "InstallShield_{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
    "InstallShield_{6F3C8901-EBD3-470D-87F8-AC210F6E5E02}" = TOSHIBA Web Camera Application
    "InstallShield_{F67FA545-D8E5-4209-86B1-AEE045D1003F}" = TOSHIBA Face Recognition
    "NIS" = Norton Internet Security
    "Office14.Click2Run" = Microsoft Office Click-to-Run 2010
    "ProInst" = Intel PROSet Wireless
    "WinLiveSuite" = Windows Live Essentials

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-1161726624-3780918960-1667609166-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Dropbox" = Dropbox
    "SOE-EverQuest" = EverQuest

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 10/23/2012 10:23:21 PM | Computer Name = AndrewsCraptop | Source = WinMgmt | ID = 10
    Description =

    Error - 10/23/2012 10:51:17 PM | Computer Name = AndrewsCraptop | Source = Application Error | ID = 1000
    Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
    stamp: 0x4a5bc3c5 Faulting module name: MSHTML.dll, version: 9.0.8112.16450, time
    stamp: 0x50372c8a Exception code: 0xc0000005 Fault offset: 0x001d9ad6 Faulting process
    id: 0x13c0 Faulting application start time: 0x01cdb18ea0382e88 Faulting application
    path: \\.\globalroot\systemroot\svchost.exe Faulting module path: C:\windows\system32\MSHTML.dll
    Report
    Id: ae4cda0a-1d85-11e2-9b7a-dc0ea14725e6

    Error - 10/26/2012 8:17:45 AM | Computer Name = AndrewsCraptop | Source = WinMgmt | ID = 10
    Description =

    Error - 10/27/2012 3:17:36 PM | Computer Name = AndrewsCraptop | Source = WinMgmt | ID = 10
    Description =

    Error - 10/28/2012 10:36:26 AM | Computer Name = AndrewsCraptop | Source = WinMgmt | ID = 10
    Description =

    Error - 10/30/2012 12:36:27 PM | Computer Name = AndrewsCraptop | Source = WinMgmt | ID = 10
    Description =

    Error - 11/2/2012 8:48:56 AM | Computer Name = AndrewsCraptop | Source = WinMgmt | ID = 10
    Description =

    Error - 11/6/2012 12:14:10 PM | Computer Name = AndrewsCraptop | Source = WinMgmt | ID = 10
    Description =

    Error - 11/6/2012 12:47:51 PM | Computer Name = AndrewsCraptop | Source = Application Error | ID = 1000
    Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
    stamp: 0x4a5bc3c5 Faulting module name: MSHTML.dll, version: 9.0.8112.16450, time
    stamp: 0x50372c8a Exception code: 0xc0000005 Fault offset: 0x001d9ad6 Faulting process
    id: 0x128c Faulting application start time: 0x01cdbc39d8af5c6d Faulting application
    path: \\.\globalroot\systemroot\svchost.exe Faulting module path: C:\windows\system32\MSHTML.dll
    Report
    Id: b364cbdb-2831-11e2-9677-dc0ea14725e6

    Error - 11/6/2012 8:01:01 PM | Computer Name = AndrewsCraptop | Source = WinMgmt | ID = 10
    Description =

    [ System Events ]
    Error - 11/11/2012 7:41:15 PM | Computer Name = AndrewsCraptop | Source = Service Control Manager | ID = 7000
    Description = The Software Protection service failed to start due to the following
    error: %%1053

    Error - 11/11/2012 8:08:36 PM | Computer Name = AndrewsCraptop | Source = DCOM | ID = 10010
    Description =

    Error - 11/11/2012 8:08:38 PM | Computer Name = AndrewsCraptop | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x80070643: Security Update for Windows 7 for x64-based Systems (KB2724197).

    Error - 11/11/2012 11:01:02 PM | Computer Name = AndrewsCraptop | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x80070643: Security Update for Windows 7 for x64-based Systems (KB2724197).

    Error - 11/20/2012 12:22:58 PM | Computer Name = AndrewsCraptop | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 4:02:07 AM on ?11/?20/?2012 was unexpected.

    Error - 11/20/2012 12:37:21 PM | Computer Name = AndrewsCraptop | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x80070643: Security Update for Windows 7 for x64-based Systems (KB2724197).

    Error - 11/20/2012 2:40:40 PM | Computer Name = AndrewsCraptop | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x80070643: Security Update for Windows 7 for x64-based Systems (KB2724197).

    Error - 11/27/2012 12:10:13 AM | Computer Name = AndrewsCraptop | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 4:42:23 AM on ?11/?22/?2012 was unexpected.

    Error - 11/27/2012 12:16:03 AM | Computer Name = AndrewsCraptop | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x80070643: Security Update for Windows 7 for x64-based Systems (KB2724197).

    Error - 11/27/2012 1:22:34 AM | Computer Name = AndrewsCraptop | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x80070643: Security Update for Windows 7 for x64-based Systems (KB2724197).


    < End of report >
     
  6. Satchfan

    Satchfan Malware Specialist

    Joined:
    Jan 12, 2009
    Messages:
    653
    I apologise for the delay but I didn't receive notification of your reply.

    I'll check your logs as soon as I can and will reply later in the day

    Thanks

    Satchfan
     
  7. Satchfan

    Satchfan Malware Specialist

    Joined:
    Jan 12, 2009
    Messages:
    653
    Hi gknight86

    Sorry for the delay.

    Disable Spybot’s TeaTimer

    Spybot’s TeaTimer can sometimes prevent some things from being fixed.

    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your log is clean


    • open Spybot Search & Destroy
    • in the Mode menu click "Advanced mode" if not already selected
    • choose "Yes" at the Warning prompt
    • expand the "Tools" menu
    • click "Resident"
    • uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box
    • in the File menu click "Exit" to exit Spybot Search & Destroy.
    ===================================================

    Run OTL


    • double click on the icon to run it.copy/paste ALL the following text written inside the code box into the Custom Scans/Fixes box located at the bottom of OTL
    Code:
    :Services
    [B]:OTL
    IE - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\..\SearchScopes,DefaultScope = {4C45C437-5EDC-4C21-8316-2DFDEBAAC445}
    IE - HKU\S-1-5-21-1161726624-3780918960-1667609166-1000\..\SearchScopes\{4C45C437-5EDC-4C21-8316-2DFDEBAAC445}: "URL" = [URL="http://www.google.com/search?sourceid=ie9&q=%7bsearchTerms%7d&rls=com.microsoft:%7blanguage%7d:%7breferrer:source?%7d&ie=%7binputEncoding%7d&oe=%7boutputEncoding%7d&rlz=1I7TSNO_enUS489"][COLOR=windowtext]http://www.google.com/search?sourcei...I7TSNO_enUS489[/COLOR][/URL]
    O3:[B]64bit:[/B] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4:[B]64bit:[/B] - HKLM..\Run: [] File not found
    [2013/01/06 13:57:01 | 000,365,568 | ---- | C] () -- C:\Users\Andrew\Desktop\ebw3zimk.exe
     
     [/B]
      [B][FONT=Arial]:Reg[/FONT][/B]  [B][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\DomainProfile]
    "EnableFirewall" =[COLOR=windowtext]dword:00000000[/COLOR]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile]
    "EnableFirewall" =[COLOR=windowtext]dword:00000000[/COLOR]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\PublicProfile]
    "EnableFirewall" =[COLOR=windowtext]dword:00000000[/COLOR]
    
    :Commands
    [purity]
    [emptytemp][/B]
      [B][Reboot][/B]
    • click the Run Fix button at the top
    • let the program run unhindered, reboot when it is done
    • please post the OTL fix log.
    ===================================================

    Run Malwarebytes Anti-Rootkit

    Please download Malwarebytes Anti-Rootkit and save it to your desktop.

    • unzip the contents to a folder in a convenient location.
    • open the folder where the contents were unzipped and run mbar.exe
    • follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • wait while the system shuts down and the cleanup process is performed.
    • perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • when it has finished, please post the two logs produced in the MBAR folder – mbar-log.txt and system-log.txt
    ===================================================

    Submit a file to VirusTotal

    Go to VirusTotal and submit this file for analysis:

    C:\Users\Andrew\Desktop\ebw3zimk.exe

    • click on Browse
    • click on the arrow and choose Local Disc (C:)
      [​IMG]
    • below, double-click on Users
    • double-click on the Andrewfolder and then the Desktop folder
    • locate the file ebw3zimk.exe click on it and then on Open
    • click on Send File
    • if you get a message saying File has already been analyzed, click Reanalyze file now.
    You will get a report back; post the report into this thread for me to see.


    Logs to include in the next post:

    OTL fix log
    mbar-log.txt
    system-log.txt
    result from VirusTotal


    Satchfan
     
  8. gknight86

    gknight86 Thread Starter

    Joined:
    Jan 6, 2013
    Messages:
    21
    I appreciate the reply irregardless of when it is since I am lost on my own. I am at work until 7 PM EST and will follow those steps once I get home.
     
  9. Satchfan

    Satchfan Malware Specialist

    Joined:
    Jan 12, 2009
    Messages:
    653
  10. gknight86

    gknight86 Thread Starter

    Joined:
    Jan 6, 2013
    Messages:
    21
    OTL Fix Long:

    All processes killed
    ========== SERVICES/DRIVERS ==========
    ========== OTL ==========
    HKEY_USERS\S-1-5-21-1161726624-3780918960-1667609166-1000\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
    Registry key HKEY_USERS\S-1-5-21-1161726624-3780918960-1667609166-1000\Software\Microsoft\Internet Explorer\SearchScopes\{4C45C437-5EDC-4C21-8316-2DFDEBAAC445}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C45C437-5EDC-4C21-8316-2DFDEBAAC445}\ not found.
    64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
    C:\Users\Andrew\Desktop\ebw3zimk.exe moved successfully.
    File EY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile] not found.
    File EY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\PublicProfile] not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Andrew
    ->Temp folder emptied: 32756669 bytes
    ->Temporary Internet Files folder emptied: 368058194 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 376409143 bytes
    ->Flash cache emptied: 62285 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56466 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 99628068 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 836.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 01122013_195345
    Files\Folders moved on Reboot...
    C:\Users\Andrew\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q1N7DEQV\s[1].htm moved successfully.
    C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\52JF9FFS\1084006-clicking-links-redirects-spam-virus[1].htm moved successfully.
    C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
    PendingFileRenameOperations files...
    Registry entries deleted on Reboot...

    mbar log:

    Malwarebytes Anti-Rootkit BETA 1.01.0.1016
    www.malwarebytes.org
    Database version: v2013.01.09.01
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Andrew :: ANDREWSCRAPTOP [administrator]
    1/12/2013 8:45:58 PM
    mbar-log-2013-01-12 (20-45-58).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 28912
    Time elapsed: 11 minute(s), 18 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)

    System Log:

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1016
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7601 Windows 7 Service Pack 1 x64
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    Java version: 1.6.0_25
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
    CPU speed: 2.294000 GHz
    Memory total: 6345732096, free: 4622127104
    ------------ Kernel report ------------
    01/12/2013 20:17:12
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\system32\DRIVERS\LPCFilter.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\drivers\compbatt.sys
    \SystemRoot\system32\drivers\BATTC.SYS
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\DRIVERS\pciide.sys
    \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\DRIVERS\msahci.sys
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
    \SystemRoot\system32\DRIVERS\tos_sps64.sys
    \SystemRoot\system32\DRIVERS\Thpevm.SYS
    \SystemRoot\system32\DRIVERS\thpdrv.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\drivers\disk.sys
    \SystemRoot\system32\drivers\CLASSPNP.SYS
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\drivers\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\drivers\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\drivers\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\igdkmd64.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\HECIx64.sys
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\drivers\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\Rt64win7.sys
    \SystemRoot\system32\DRIVERS\NETwNs64.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
    \SystemRoot\system32\DRIVERS\nusb3xhc.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\drivers\CmBatt.sys
    \SystemRoot\system32\drivers\i8042prt.sys
    \SystemRoot\system32\DRIVERS\SynTP.sys
    \SystemRoot\system32\drivers\mouclass.sys
    \SystemRoot\system32\DRIVERS\CeKbFilter.sys
    \SystemRoot\system32\drivers\kbdclass.sys
    \SystemRoot\system32\DRIVERS\tdcmdpst.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\TVALZFL.sys
    \SystemRoot\system32\drivers\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\drivers\swenum.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\DRIVERS\iwdbus.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\drivers\usbhub.sys
    \SystemRoot\system32\DRIVERS\nusb3hub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\RTKVHD64.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\system32\DRIVERS\IntcDAud.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\system32\DRIVERS\pgeffect.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\DRIVERS\Sftvollh.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\system32\DRIVERS\Sftfslh.sys
    \SystemRoot\system32\DRIVERS\Sftplaylh.sys
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\system32\DRIVERS\vwifimp.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\DRIVERS\Sftredirlh.sys
    \SystemRoot\system32\drivers\NISx64\1309000.009\SYMDS64.SYS
    \SystemRoot\system32\drivers\NISx64\1309000.009\ccSetx64.sys
    \SystemRoot\system32\drivers\NISx64\1309000.009\SYMEFA64.SYS
    \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120623.002\IDSvia64.sys
    \??\C:\windows\system32\Drivers\SYMEVENT64x86.SYS
    \SystemRoot\system32\drivers\NISx64\1309000.009\SRTSPX64.SYS
    \SystemRoot\System32\Drivers\NISx64\1309000.009\SYMNETS.SYS
    \SystemRoot\system32\drivers\NISx64\1309000.009\Ironx64.SYS
    \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20120619.001\BHDrvx64.sys
    \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
    \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    \??\C:\windows\system32\drivers\mbamchameleon.sys
    \??\C:\windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa8007bb5060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xfffffa8005d14050
    Lower Device Driver Name: \00000399\
    Driver name found: iaStor
    Initialization returned 0x0
    Load Function returned 0x0
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 2
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa8007bb5060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8007bb5b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8007bb5060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8007bb4060, DeviceName: \Device\THPDRV1\, DriverName: \Driver\Thpdrv\
    DevicePointer: 0xfffffa8005d14050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \00000399\
    ------------ End ----------
    Upper DeviceData: 0xfffff8a003a318d0, 0xfffffa8007bb5060, 0xfffffa800a7af510
    Lower DeviceData: 0xfffff8a00e3e3060, 0xfffffa8005d14050, 0xfffffa800a8ce9e0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\windows\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    MBR buffers are not equal
    MBR is forged! [4333f673a96dbe57f4d0023e55e5303d]
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 27058636
    Partition information:
    Partition 0 type is Empty (0x0)
    Partition is ACTIVE.
    Partition starts at LBA: 60 Numsec = 0
    Partition is not bootable
    Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]
    Changing partition to empty and not active. New active partition is 1 on drive 0 ...
    Partition 0 type is Other (0x27)
    Partition is ACTIVE.
    Partition starts at LBA: 2048 Numsec = 3072000
    Partition file system is NTFS
    Partition is bootable
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 3074048 Numsec = 1430478848
    Partition file system is NTFS
    Partition is bootable
    Partition 2 type is HIDDEN (0x17)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1433552896 Numsec = 31594496
    Partition is not bootable
    Hidden partition VBR is not infected.
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    MBR infection found on drive 0
    Disk Size: 750156374016 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-59-1465129168-1465149168)...
    Sector 1465148792 --> [Forged physical sector]
    Sector 1465148793 --> [Forged physical sector]
    Sector 1465148794 --> [Forged physical sector]
    Sector 1465148795 --> [Forged physical sector]
    Sector 1465148796 --> [Forged physical sector]
    Sector 1465148797 --> [Forged physical sector]
    Sector 1465148798 --> [Forged physical sector]
    Sector 1465148799 --> [Forged physical sector]
    Sector 1465148800 --> [Forged physical sector]
    Sector 1465148801 --> [Forged physical sector]
    Sector 1465148802 --> [Forged physical sector]
    Sector 1465148803 --> [Forged physical sector]
    Sector 1465148804 --> [Forged physical sector]
    Sector 1465148805 --> [Forged physical sector]
    Sector 1465148806 --> [Forged physical sector]
    Sector 1465148807 --> [Forged physical sector]
    Sector 1465148808 --> [Forged physical sector]
    Sector 1465148809 --> [Forged physical sector]
    Sector 1465148810 --> [Forged physical sector]
    Sector 1465148811 --> [Forged physical sector]
    Sector 1465148812 --> [Forged physical sector]
    Sector 1465148813 --> [Forged physical sector]
    Sector 1465148814 --> [Forged physical sector]
    Sector 1465148815 --> [Forged physical sector]
    Sector 1465148816 --> [Forged physical sector]
    Sector 1465148817 --> [Forged physical sector]
    Sector 1465148818 --> [Forged physical sector]
    Sector 1465148819 --> [Forged physical sector]
    Sector 1465148820 --> [Forged physical sector]
    Sector 1465148821 --> [Forged physical sector]
    Sector 1465148822 --> [Forged physical sector]
    Sector 1465148823 --> [Forged physical sector]
    Sector 1465148824 --> [Forged physical sector]
    Sector 1465148825 --> [Forged physical sector]
    Sector 1465148826 --> [Forged physical sector]
    Sector 1465148827 --> [Forged physical sector]
    Sector 1465148828 --> [Forged physical sector]
    Sector 1465148829 --> [Forged physical sector]
    Sector 1465148830 --> [Forged physical sector]
    Sector 1465148831 --> [Forged physical sector]
    Sector 1465148832 --> [Forged physical sector]
    Sector 1465148833 --> [Forged physical sector]
    Sector 1465148834 --> [Forged physical sector]
    Sector 1465148835 --> [Forged physical sector]
    Sector 1465148836 --> [Forged physical sector]
    Sector 1465148837 --> [Forged physical sector]
    Sector 1465148838 --> [Forged physical sector]
    Sector 1465148839 --> [Forged physical sector]
    Sector 1465148840 --> [Forged physical sector]
    Sector 1465148841 --> [Forged physical sector]
    Sector 1465148842 --> [Forged physical sector]
    Sector 1465148843 --> [Forged physical sector]
    Sector 1465148844 --> [Forged physical sector]
    Sector 1465148845 --> [Forged physical sector]
    Sector 1465148846 --> [Forged physical sector]
    Sector 1465148847 --> [Forged physical sector]
    Sector 1465148848 --> [Forged physical sector]
    Sector 1465148849 --> [Forged physical sector]
    Sector 1465148850 --> [Forged physical sector]
    Sector 1465148851 --> [Forged physical sector]
    Sector 1465148852 --> [Forged physical sector]
    Sector 1465148853 --> [Forged physical sector]
    Sector 1465148854 --> [Forged physical sector]
    Sector 1465148855 --> [Forged physical sector]
    Sector 1465148856 --> [Forged physical sector]
    Sector 1465148857 --> [Forged physical sector]
    Sector 1465148858 --> [Forged physical sector]
    Sector 1465148859 --> [Forged physical sector]
    Sector 1465148860 --> [Forged physical sector]
    Sector 1465148861 --> [Forged physical sector]
    Sector 1465148862 --> [Forged physical sector]
    Sector 1465148863 --> [Forged physical sector]
    Sector 1465148864 --> [Forged physical sector]
    Sector 1465148865 --> [Forged physical sector]
    Sector 1465148866 --> [Forged physical sector]
    Sector 1465148867 --> [Forged physical sector]
    Sector 1465148868 --> [Forged physical sector]
    Sector 1465148869 --> [Forged physical sector]
    Sector 1465148870 --> [Forged physical sector]
    Sector 1465148871 --> [Forged physical sector]
    Sector 1465148872 --> [Forged physical sector]
    Sector 1465148873 --> [Forged physical sector]
    Sector 1465148874 --> [Forged physical sector]
    Sector 1465148875 --> [Forged physical sector]
    Sector 1465148876 --> [Forged physical sector]
    Sector 1465148877 --> [Forged physical sector]
    Sector 1465148878 --> [Forged physical sector]
    Sector 1465148879 --> [Forged physical sector]
    Sector 1465148880 --> [Forged physical sector]
    Sector 1465148881 --> [Forged physical sector]
    Sector 1465148882 --> [Forged physical sector]
    Sector 1465148883 --> [Forged physical sector]
    Sector 1465148884 --> [Forged physical sector]
    Sector 1465148885 --> [Forged physical sector]
    Sector 1465148886 --> [Forged physical sector]
    Sector 1465148887 --> [Forged physical sector]
    Sector 1465148888 --> [Forged physical sector]
    Sector 1465148889 --> [Forged physical sector]
    Sector 1465148890 --> [Forged physical sector]
    Sector 1465148891 --> [Forged physical sector]
    Sector 1465148892 --> [Forged physical sector]
    Sector 1465148893 --> [Forged physical sector]
    Sector 1465148894 --> [Forged physical sector]
    Sector 1465148895 --> [Forged physical sector]
    Sector 1465148896 --> [Forged physical sector]
    Sector 1465148897 --> [Forged physical sector]
    Sector 1465148898 --> [Forged physical sector]
    Sector 1465148899 --> [Forged physical sector]
    Sector 1465148900 --> [Forged physical sector]
    Sector 1465148901 --> [Forged physical sector]
    Sector 1465148902 --> [Forged physical sector]
    Sector 1465148903 --> [Forged physical sector]
    Sector 1465148904 --> [Forged physical sector]
    Sector 1465148905 --> [Forged physical sector]
    Sector 1465148906 --> [Forged physical sector]
    Sector 1465148907 --> [Forged physical sector]
    Sector 1465148908 --> [Forged physical sector]
    Sector 1465148909 --> [Forged physical sector]
    Sector 1465148910 --> [Forged physical sector]
    Sector 1465148911 --> [Forged physical sector]
    Sector 1465148912 --> [Forged physical sector]
    Sector 1465148913 --> [Forged physical sector]
    Sector 1465148914 --> [Forged physical sector]
    Sector 1465148915 --> [Forged physical sector]
    Sector 1465148916 --> [Forged physical sector]
    Sector 1465148917 --> [Forged physical sector]
    Sector 1465148918 --> [Forged physical sector]
    Sector 1465148919 --> [Forged physical sector]
    Sector 1465148920 --> [Forged physical sector]
    Sector 1465148921 --> [Forged physical sector]
    Sector 1465148922 --> [Forged physical sector]
    Sector 1465148923 --> [Forged physical sector]
    Sector 1465148924 --> [Forged physical sector]
    Sector 1465148925 --> [Forged physical sector]
    Sector 1465148926 --> [Forged physical sector]
    Sector 1465148927 --> [Forged physical sector]
    Sector 1465148928 --> [Forged physical sector]
    Sector 1465148929 --> [Forged physical sector]
    Sector 1465148930 --> [Forged physical sector]
    Sector 1465148931 --> [Forged physical sector]
    Sector 1465148932 --> [Forged physical sector]
    Sector 1465148933 --> [Forged physical sector]
    Sector 1465148934 --> [Forged physical sector]
    Sector 1465148935 --> [Forged physical sector]
    Sector 1465148936 --> [Forged physical sector]
    Sector 1465148937 --> [Forged physical sector]
    Sector 1465148938 --> [Forged physical sector]
    Sector 1465148939 --> [Forged physical sector]
    Sector 1465148940 --> [Forged physical sector]
    Sector 1465148941 --> [Forged physical sector]
    Sector 1465148942 --> [Forged physical sector]
    Sector 1465148943 --> [Forged physical sector]
    Sector 1465148944 --> [Forged physical sector]
    Sector 1465148945 --> [Forged physical sector]
    Sector 1465148946 --> [Forged physical sector]
    Sector 1465148947 --> [Forged physical sector]
    Sector 1465148948 --> [Forged physical sector]
    Sector 1465148949 --> [Forged physical sector]
    Sector 1465148950 --> [Forged physical sector]
    Sector 1465148951 --> [Forged physical sector]
    Sector 1465148952 --> [Forged physical sector]
    Sector 1465148953 --> [Forged physical sector]
    Sector 1465148954 --> [Forged physical sector]
    Sector 1465148955 --> [Forged physical sector]
    Sector 1465148956 --> [Forged physical sector]
    Sector 1465148957 --> [Forged physical sector]
    Sector 1465148958 --> [Forged physical sector]
    Sector 1465148959 --> [Forged physical sector]
    Sector 1465148960 --> [Forged physical sector]
    Sector 1465148961 --> [Forged physical sector]
    Sector 1465148962 --> [Forged physical sector]
    Sector 1465148963 --> [Forged physical sector]
    Sector 1465148964 --> [Forged physical sector]
    Sector 1465148965 --> [Forged physical sector]
    Sector 1465148966 --> [Forged physical sector]
    Sector 1465148967 --> [Forged physical sector]
    Sector 1465148968 --> [Forged physical sector]
    Sector 1465148969 --> [Forged physical sector]
    Sector 1465148970 --> [Forged physical sector]
    Sector 1465148971 --> [Forged physical sector]
    Sector 1465148972 --> [Forged physical sector]
    Sector 1465148973 --> [Forged physical sector]
    Sector 1465148974 --> [Forged physical sector]
    Sector 1465148975 --> [Forged physical sector]
    Sector 1465148976 --> [Forged physical sector]
    Sector 1465148977 --> [Forged physical sector]
    Sector 1465148978 --> [Forged physical sector]
    Sector 1465148979 --> [Forged physical sector]
    Sector 1465148980 --> [Forged physical sector]
    Sector 1465148981 --> [Forged physical sector]
    Sector 1465148982 --> [Forged physical sector]
    Sector 1465148983 --> [Forged physical sector]
    Sector 1465148984 --> [Forged physical sector]
    Sector 1465148985 --> [Forged physical sector]
    Sector 1465148986 --> [Forged physical sector]
    Sector 1465148987 --> [Forged physical sector]
    Sector 1465148988 --> [Forged physical sector]
    Sector 1465148989 --> [Forged physical sector]
    Sector 1465148990 --> [Forged physical sector]
    Sector 1465148991 --> [Forged physical sector]
    Sector 1465148992 --> [Forged physical sector]
    Sector 1465148993 --> [Forged physical sector]
    Sector 1465148994 --> [Forged physical sector]
    Sector 1465148995 --> [Forged physical sector]
    Sector 1465148996 --> [Forged physical sector]
    Sector 1465148997 --> [Forged physical sector]
    Sector 1465148998 --> [Forged physical sector]
    Sector 1465148999 --> [Forged physical sector]
    Sector 1465149000 --> [Forged physical sector]
    Sector 1465149001 --> [Forged physical sector]
    Sector 1465149002 --> [Forged physical sector]
    Sector 1465149003 --> [Forged physical sector]
    Sector 1465149004 --> [Forged physical sector]
    Sector 1465149005 --> [Forged physical sector]
    Sector 1465149006 --> [Forged physical sector]
    Sector 1465149007 --> [Forged physical sector]
    Sector 1465149008 --> [Forged physical sector]
    Sector 1465149009 --> [Forged physical sector]
    Sector 1465149010 --> [Forged physical sector]
    Sector 1465149011 --> [Forged physical sector]
    Sector 1465149012 --> [Forged physical sector]
    Sector 1465149013 --> [Forged physical sector]
    Sector 1465149014 --> [Forged physical sector]
    Sector 1465149015 --> [Forged physical sector]
    Sector 1465149016 --> [Forged physical sector]
    Sector 1465149017 --> [Forged physical sector]
    Sector 1465149018 --> [Forged physical sector]
    Sector 1465149019 --> [Forged physical sector]
    Sector 1465149020 --> [Forged physical sector]
    Sector 1465149021 --> [Forged physical sector]
    Sector 1465149022 --> [Forged physical sector]
    Sector 1465149023 --> [Forged physical sector]
    Sector 1465149024 --> [Forged physical sector]
    Sector 1465149025 --> [Forged physical sector]
    Sector 1465149026 --> [Forged physical sector]
    Sector 1465149027 --> [Forged physical sector]
    Sector 1465149028 --> [Forged physical sector]
    Sector 1465149029 --> [Forged physical sector]
    Sector 1465149030 --> [Forged physical sector]
    Sector 1465149031 --> [Forged physical sector]
    Sector 1465149032 --> [Forged physical sector]
    Sector 1465149033 --> [Forged physical sector]
    Sector 1465149034 --> [Forged physical sector]
    Sector 1465149035 --> [Forged physical sector]
    Sector 1465149036 --> [Forged physical sector]
    Sector 1465149037 --> [Forged physical sector]
    Sector 1465149038 --> [Forged physical sector]
    Sector 1465149039 --> [Forged physical sector]
    Sector 1465149040 --> [Forged physical sector]
    Sector 1465149041 --> [Forged physical sector]
    Sector 1465149042 --> [Forged physical sector]
    Sector 1465149043 --> [Forged physical sector]
    Sector 1465149044 --> [Forged physical sector]
    Sector 1465149045 --> [Forged physical sector]
    Sector 1465149046 --> [Forged physical sector]
    Sector 1465149047 --> [Forged physical sector]
    Sector 1465149048 --> [Forged physical sector]
    Sector 1465149049 --> [Forged physical sector]
    Sector 1465149050 --> [Forged physical sector]
    Sector 1465149051 --> [Forged physical sector]
    Sector 1465149052 --> [Forged physical sector]
    Sector 1465149053 --> [Forged physical sector]
    Sector 1465149054 --> [Forged physical sector]
    Sector 1465149055 --> [Forged physical sector]
    Sector 1465149056 --> [Forged physical sector]
    Sector 1465149057 --> [Forged physical sector]
    Sector 1465149058 --> [Forged physical sector]
    Sector 1465149059 --> [Forged physical sector]
    Sector 1465149060 --> [Forged physical sector]
    Sector 1465149061 --> [Forged physical sector]
    Sector 1465149062 --> [Forged physical sector]
    Sector 1465149063 --> [Forged physical sector]
    Sector 1465149064 --> [Forged physical sector]
    Sector 1465149065 --> [Forged physical sector]
    Sector 1465149066 --> [Forged physical sector]
    Sector 1465149067 --> [Forged physical sector]
    Sector 1465149068 --> [Forged physical sector]
    Sector 1465149069 --> [Forged physical sector]
    Sector 1465149070 --> [Forged physical sector]
    Sector 1465149071 --> [Forged physical sector]
    Sector 1465149072 --> [Forged physical sector]
    Sector 1465149073 --> [Forged physical sector]
    Sector 1465149074 --> [Forged physical sector]
    Sector 1465149075 --> [Forged physical sector]
    Sector 1465149076 --> [Forged physical sector]
    Sector 1465149077 --> [Forged physical sector]
    Sector 1465149078 --> [Forged physical sector]
    Sector 1465149079 --> [Forged physical sector]
    Sector 1465149080 --> [Forged physical sector]
    Sector 1465149081 --> [Forged physical sector]
    Sector 1465149082 --> [Forged physical sector]
    Sector 1465149083 --> [Forged physical sector]
    Sector 1465149084 --> [Forged physical sector]
    Sector 1465149085 --> [Forged physical sector]
    Sector 1465149086 --> [Forged physical sector]
    Sector 1465149087 --> [Forged physical sector]
    Sector 1465149088 --> [Forged physical sector]
    Sector 1465149089 --> [Forged physical sector]
    Sector 1465149090 --> [Forged physical sector]
    Sector 1465149091 --> [Forged physical sector]
    Sector 1465149092 --> [Forged physical sector]
    Sector 1465149093 --> [Forged physical sector]
    Sector 1465149094 --> [Forged physical sector]
    Sector 1465149095 --> [Forged physical sector]
    Sector 1465149096 --> [Forged physical sector]
    Sector 1465149097 --> [Forged physical sector]
    Sector 1465149098 --> [Forged physical sector]
    Sector 1465149099 --> [Forged physical sector]
    Sector 1465149100 --> [Forged physical sector]
    Sector 1465149101 --> [Forged physical sector]
    Sector 1465149102 --> [Forged physical sector]
    Sector 1465149103 --> [Forged physical sector]
    Sector 1465149104 --> [Forged physical sector]
    Sector 1465149105 --> [Forged physical sector]
    Sector 1465149106 --> [Forged physical sector]
    Sector 1465149107 --> [Forged physical sector]
    Sector 1465149108 --> [Forged physical sector]
    Sector 1465149109 --> [Forged physical sector]
    Sector 1465149110 --> [Forged physical sector]
    Sector 1465149111 --> [Forged physical sector]
    Sector 1465149112 --> [Forged physical sector]
    Sector 1465149113 --> [Forged physical sector]
    Sector 1465149114 --> [Forged physical sector]
    Sector 1465149115 --> [Forged physical sector]
    Sector 1465149116 --> [Forged physical sector]
    Sector 1465149117 --> [Forged physical sector]
    Sector 1465149118 --> [Forged physical sector]
    Sector 1465149119 --> [Forged physical sector]
    Sector 1465149120 --> [Forged physical sector]
    Sector 1465149121 --> [Forged physical sector]
    Sector 1465149122 --> [Forged physical sector]
    Sector 1465149123 --> [Forged physical sector]
    Sector 1465149124 --> [Forged physical sector]
    Sector 1465149125 --> [Forged physical sector]
    Sector 1465149126 --> [Forged physical sector]
    Sector 1465149127 --> [Forged physical sector]
    Sector 1465149128 --> [Forged physical sector]
    Sector 1465149129 --> [Forged physical sector]
    Sector 1465149130 --> [Forged physical sector]
    Sector 1465149131 --> [Forged physical sector]
    Sector 1465149132 --> [Forged physical sector]
    Sector 1465149133 --> [Forged physical sector]
    Sector 1465149134 --> [Forged physical sector]
    Sector 1465149135 --> [Forged physical sector]
    Sector 1465149136 --> [Forged physical sector]
    Sector 1465149137 --> [Forged physical sector]
    Sector 1465149138 --> [Forged physical sector]
    Sector 1465149139 --> [Forged physical sector]
    Sector 1465149140 --> [Forged physical sector]
    Sector 1465149141 --> [Forged physical sector]
    Sector 1465149142 --> [Forged physical sector]
    Sector 1465149143 --> [Forged physical sector]
    Sector 1465149144 --> [Forged physical sector]
    Sector 1465149145 --> [Forged physical sector]
    Sector 1465149146 --> [Forged physical sector]
    Sector 1465149147 --> [Forged physical sector]
    Sector 1465149148 --> [Forged physical sector]
    Sector 1465149149 --> [Forged physical sector]
    Sector 1465149150 --> [Forged physical sector]
    Sector 1465149151 --> [Forged physical sector]
    Sector 1465149152 --> [Forged physical sector]
    Sector 1465149153 --> [Forged physical sector]
    Sector 1465149154 --> [Forged physical sector]
    Sector 1465149155 --> [Forged physical sector]
    Sector 1465149156 --> [Forged physical sector]
    Sector 1465149157 --> [Forged physical sector]
    Sector 1465149158 --> [Forged physical sector]
    Sector 1465149159 --> [Forged physical sector]
    Sector 1465149160 --> [Forged physical sector]
    Sector 1465149161 --> [Forged physical sector]
    Sector 1465149162 --> [Forged physical sector]
    Sector 1465149163 --> [Forged physical sector]
    Sector 1465149164 --> [Forged physical sector]
    Sector 1465149165 --> [Forged physical sector]
    Sector 1465149166 --> [Forged physical sector]
    Sector 1465149167 --> [Forged physical sector]
    Done!
    Performing system, memory and registry scan...
    Infected: c:\Windows\svchost.exe --> [Trojan.Agent]
    Infected: c:\Windows\svchost.exe --> [Trojan.Agent]
    Done!
    Scan finished
    Creating System Restore point...
    Scheduling clean up...
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    BCD Entry for BOOTEMS is missing
    Malicious Entry 26000022 for BOOTEMS present!
    Removal scheduling successful. System shutdown needed.
    System shutdown occurred
    =======================================

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1016
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7601 Windows 7 Service Pack 1 x64
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    Java version: 1.6.0_25
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
    CPU speed: 2.294000 GHz
    Memory total: 6345732096, free: 5142114304
    Removal queue found; removal started
    Removing c:\Windows\svchost.exe...
    Removal finished
    =======================================
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1016
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7601 Windows 7 Service Pack 1 x64
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    Java version: 1.6.0_25
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
    CPU speed: 2.294000 GHz
    Memory total: 6345732096, free: 4434681856
    ------------ Kernel report ------------
    01/12/2013 20:34:29
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\system32\DRIVERS\LPCFilter.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\drivers\compbatt.sys
    \SystemRoot\system32\drivers\BATTC.SYS
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\DRIVERS\pciide.sys
    \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\DRIVERS\msahci.sys
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
    \SystemRoot\system32\DRIVERS\tos_sps64.sys
    \SystemRoot\system32\DRIVERS\Thpevm.SYS
    \SystemRoot\system32\DRIVERS\thpdrv.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\drivers\disk.sys
    \SystemRoot\system32\drivers\CLASSPNP.SYS
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\drivers\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\drivers\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\drivers\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\igdkmd64.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\HECIx64.sys
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\drivers\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\Rt64win7.sys
    \SystemRoot\system32\DRIVERS\NETwNs64.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\DRIVERS\jmcr.sys
    \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
    \SystemRoot\system32\DRIVERS\nusb3xhc.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\drivers\CmBatt.sys
    \SystemRoot\system32\drivers\i8042prt.sys
    \SystemRoot\system32\DRIVERS\SynTP.sys
    \SystemRoot\system32\drivers\mouclass.sys
    \SystemRoot\system32\DRIVERS\CeKbFilter.sys
    \SystemRoot\system32\drivers\kbdclass.sys
    \SystemRoot\system32\DRIVERS\tdcmdpst.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\TVALZFL.sys
    \SystemRoot\system32\drivers\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\drivers\swenum.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\DRIVERS\iwdbus.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\drivers\usbhub.sys
    \SystemRoot\system32\DRIVERS\nusb3hub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\RTKVHD64.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\system32\DRIVERS\IntcDAud.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\system32\DRIVERS\pgeffect.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\DRIVERS\Sftvollh.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\system32\DRIVERS\Sftfslh.sys
    \SystemRoot\system32\DRIVERS\Sftplaylh.sys
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\system32\DRIVERS\vwifimp.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\DRIVERS\Sftredirlh.sys
    \SystemRoot\system32\drivers\NISx64\1309000.009\SYMDS64.SYS
    \SystemRoot\system32\drivers\NISx64\1309000.009\ccSetx64.sys
    \SystemRoot\system32\drivers\NISx64\1309000.009\SYMEFA64.SYS
    \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120623.002\IDSvia64.sys
    \??\C:\windows\system32\Drivers\SYMEVENT64x86.SYS
    \SystemRoot\system32\drivers\NISx64\1309000.009\SRTSPX64.SYS
    \SystemRoot\System32\Drivers\NISx64\1309000.009\SYMNETS.SYS
    \SystemRoot\system32\drivers\NISx64\1309000.009\Ironx64.SYS
    \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20120619.001\BHDrvx64.sys
    \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
    \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    \SystemRoot\system32\drivers\spsys.sys
    \??\C:\windows\system32\drivers\mbamchameleon.sys
    \??\C:\windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa8007bd2060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xfffffa8005d2d050
    Lower Device Driver Name: \Driver\iaStor\
    Driver name found: iaStor
    Initialization returned 0x0
    Load Function returned 0x0
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 2
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa8007bd2060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8007bd2b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8007bd2060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8007bd1060, DeviceName: \Device\THPDRV1\, DriverName: \Driver\Thpdrv\
    DevicePointer: 0xfffffa8005d2d050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Upper DeviceData: 0xfffff8a00146c350, 0xfffffa8007bd2060, 0xfffffa8009b5b090
    Lower DeviceData: 0xfffff8a00999b730, 0xfffffa8005d2d050, 0xfffffa8009c6d930
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\windows\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 27058636
    Partition information:
    Partition 0 type is Other (0x27)
    Partition is ACTIVE.
    Partition starts at LBA: 2048 Numsec = 3072000
    Partition file system is NTFS
    Partition is bootable
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 3074048 Numsec = 1430478848
    Partition file system is NTFS
    Partition is bootable
    Partition 2 type is HIDDEN (0x17)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1433552896 Numsec = 31594496
    Partition is not bootable
    Hidden partition VBR is not infected.
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 750156374016 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1465129168-1465149168)...
    Done!
    Performing system, memory and registry scan...
    Done!
    Scan finished
    =======================================

    Virus Total:

    AntivirusResultUpdateAgnitum-20130112AhnLab-V3-20130112AntiVir-20130107Antiy-AVL-20130112Avast-20130113AVG-20130113BitDefender-20130111ByteHero-20130110CAT-QuickHeal-20130112ClamAV-20130113Commtouch-20130112Comodo-20130113DrWeb-20130113Emsisoft-20130113eSafe-20130110ESET-NOD32-20130112F-Prot-20130112F-Secure-20130113Fortinet-20130113GData-20130113Ikarus-20130112Jiangmin-20121221K7AntiVirus-20130111Kaspersky-20130113Kingsoft-20130107Malwarebytes-20130113McAfee-20130113McAfee-GW-Edition-20130112Microsoft-20130113MicroWorld-eScan-20130113NANO-Antivirus-20130113Norman-20130112nProtect-20130112Panda-20130112PCTools-20130113Rising-20130110Sophos-20130112SUPERAntiSpyware-20130112Symantec-20130112TheHacker-20130112TotalDefense-20130112TrendMicro-20130113TrendMicro-HouseCall-20130113VBA32-20130112VIPRE-20130113ViRobot-20130112
    I think I did everything right!
     
  11. Satchfan

    Satchfan Malware Specialist

    Joined:
    Jan 12, 2009
    Messages:
    653
    Well done running all that: you did great!

    That found what we were looking for.

    Please open the Mbar folder and run fixdamage.

    Now we need to run another scan to pick up anything that may have been missed.

    Download Combofix from either of the links below, and save it to your desktop.

    Link 1
    Link 2

    **Note: It MUST be saved directly to your desktop. Choose save as and then make sure you choose Desktop

    --------------------------------------------------------------------

    IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    --------------------------------------------------------------------

    Double click on ComboFix.exe & follow the prompts.

    • when finished, it will produce a report for you.
    • please post the C:\ComboFix.txt for further review.


    Can you tell me how things are running now.

    Thanks

    Satchfan
     
  12. gknight86

    gknight86 Thread Starter

    Joined:
    Jan 6, 2013
    Messages:
    21
    ComboFix Log:

    ComboFix 13-01-13.01 - Andrew 01/13/2013 5:49.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6052.4389 [GMT -5:00]
    Running from: c:\users\Andrew\Desktop\ComboFix.exe
    AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Microsoft\Windows\DRM\530C.tmp
    c:\programdata\Microsoft\Windows\DRM\530D.tmp
    c:\programdata\Roaming
    c:\windows\wininit.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-12-13 to 2013-01-13 )))))))))))))))))))))))))))))))
    .
    .
    2013-01-13 10:53 . 2013-01-13 10:53 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-01-13 01:17 . 2013-01-13 01:17 -------- d-----w- c:\programdata\Malwarebytes
    2013-01-13 00:53 . 2013-01-13 00:53 -------- d-----w- C:\_OTL
    2013-01-11 12:25 . 2013-01-11 12:25 -------- d-----w- C:\58b9afd32e9e966a36
    2013-01-11 12:10 . 2012-11-30 05:41 424448 ----a-w- c:\windows\system32\KernelBase.dll
    2013-01-11 12:05 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3C01A228-0DE2-4B18-B91D-3264B31DFC44}\mpengine.dll
    2012-12-25 06:39 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll
    2012-12-25 06:39 . 2012-11-09 04:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2012-12-25 06:39 . 2012-11-02 05:59 478208 ----a-w- c:\windows\system32\dpnet.dll
    2012-12-25 06:39 . 2012-11-02 05:11 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-01-11 14:05 . 2012-10-09 15:36 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2013-01-11 14:05 . 2011-11-22 04:31 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-11-30 04:45 . 2013-01-11 12:10 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2012-11-20 16:50 . 2012-11-20 16:50 88576 ----a-w- c:\windows\system32\wddmn4ui.dll
    2012-11-20 16:50 . 2012-11-20 16:50 303616 ----a-w- c:\windows\system32\wddmn4.dll
    2012-10-16 08:38 . 2012-11-29 16:34 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
    2012-10-16 08:38 . 2012-11-29 16:34 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
    2012-10-16 07:39 . 2012-11-29 16:34 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-02-28 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2010-11-09 532480]
    "HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2011-03-10 423936]
    "KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2010-08-16 34160]
    "DelayTSS"="c:\program files\Toshiba\DelayTSS\DelayTSS.exe" [2011-11-21 2153328]
    .
    c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Andrew\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-12-28 28539392]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2011-08-05 34200]
    R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-06-01 340240]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-26 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2011-03-24 36992]
    S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2009-06-30 14784]
    S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [2011-06-10 482384]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe [2012-06-16 138272]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2011-05-24 294848]
    S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
    S3 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20120619.001\BHDrvx64.sys [2012-06-19 1161376]
    S3 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1309000.009\ccSetx64.sys [2012-06-07 167072]
    S3 CeKbFilter;CeKbFilter;c:\windows\system32\DRIVERS\CeKbFilter.sys [2012-02-28 20592]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-06-26 138912]
    S3 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120623.002\IDSvia64.sys [2012-06-23 509088]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-16 317440]
    S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2011-08-05 25496]
    S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2011-02-01 174168]
    S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2011-02-10 82432]
    S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2011-02-10 181760]
    S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2011-02-09 38096]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-01-14 413800]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    S3 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1309000.009\SYMDS64.SYS [2011-07-25 451192]
    S3 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1309000.009\SYMEFA64.SYS [2012-05-22 1129120]
    S3 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1309000.009\Ironx64.SYS [2012-04-18 190072]
    S3 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1309000.009\SYMNETS.SYS [2012-04-18 405624]
    S3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-11-21 57216]
    S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-06-10 138152]
    S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2011-07-01 828856]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-01-13 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-09 14:05]
    .
    2013-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-28 12:24]
    .
    2013-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-28 12:24]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 162552 ----a-w- c:\users\Andrew\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 162552 ----a-w- c:\users\Andrew\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 162552 ----a-w- c:\users\Andrew\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 162552 ----a-w- c:\users\Andrew\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ThpSrv"="c:\windows\system32\thpsrv" [X]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-07-02 167704]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-07-02 392472]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-07-02 416024]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-01-26 11775592]
    "RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-01-18 2188904]
    "IntelPAN"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-06-01 1935120]
    "TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]
    "TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://google.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = <local>
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 10.0.0.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - c:\users\Andrew\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - c:\users\Andrew\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - c:\users\Andrew\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    Wow6432Node-HKLM-Run-TSleepSrv - %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
    HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
    HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
    HKLM-Run-TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
    HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
    HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
    HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
    AddRemove-SOE-EverQuest - e:\sony online entertainment\Installed Games\EverQuest\Uninstaller.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
    "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.9.0.9\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,
    7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
    27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
    1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
    "{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,
    64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c
    "{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,
    69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
    94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
    "{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
    ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
    df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
    "{F3C88694-EFFA-4D78-B409-54B7B2535B14}"=hex:51,66,7a,6c,4c,1d,38,12,fa,85,db,
    f7,c8,a1,16,08,cb,1f,17,f7,b7,0d,1f,00
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:f4,78,8d,39,7f,a8,cd,01
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-01-13 05:56:22
    ComboFix-quarantined-files.txt 2013-01-13 10:56
    .
    Pre-Run: 685,117,464,576 bytes free
    Post-Run: 684,602,281,984 bytes free
    .
    - - End Of File - - 481BD9321EABF5D5209CC7901B026599


    The seems to have taken care of the issue. Do you have any recommendation of a good anti-virus program to use?
     
  13. Satchfan

    Satchfan Malware Specialist

    Joined:
    Jan 12, 2009
    Messages:
    653
    That’s looking good.

    If all is clear, I'll give you my recommendations when we tidy up after this.


    Run Security Check

    Download Security Check by screen317 from here or here.

    • save it to your Desktop
    • double click SecurityCheck.exe and follow the onscreen instructions inside of the black box
    • a Notepad document should open automatically called checkup.txt; please post the contents of that document.
    ===========================================

    Run ESET Online Scan

    Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan

    • click the Eset online Scanner button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    click on esetinstaller.exe to download the ESET Smart Installer. Save it to your desktop.
    double click on the Eset installer icon on your desktop
    • check Yes, I accept the Terms of Use
    • click the Start button.
    • accept any security warnings from your browser.
    • check Scan archives
    • push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • when the scan completes, push List of found threats
    • push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Note - when ESET doesn't find any threats, no report will be created.
    • push the back button.
    • push Finish
    NOTE. If Eset doesn't find any threats, it won't produce a log.

    Satchfan
     
  14. gknight86

    gknight86 Thread Starter

    Joined:
    Jan 6, 2013
    Messages:
    21
    Security.txt

    Results of screen317's Security Check version 0.99.57
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Norton Internet Security
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Spybot - Search & Destroy
    Java(TM) 6 Update 25
    Java version out of Date!
    Adobe Flash Player 11.5.502.146
    Google Chrome 21.0.1180.77
    Google Chrome 21.0.1180.89
    Google Chrome 22.0.1229.79
    Google Chrome 22.0.1229.92
    Google Chrome 22.0.1229.94
    Google Chrome 23.0.1271.64
    Google Chrome 23.0.1271.91
    Google Chrome 23.0.1271.95
    Google Chrome 23.0.1271.97
    ````````Process Check: objlist.exe by Laurent````````
    Norton ccSvcHst.exe
    Spybot Teatimer.exe is disabled!
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 3%
    ````````````````````End of Log``````````````````````


    List of Threats.txt

    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
    C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\530C.tmp.vir Win64/Olmarik.AO trojan
    C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\530D.tmp.vir Win64/Olmarik.AO trojan
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm


    Uh oh?
     
  15. Satchfan

    Satchfan Malware Specialist

    Joined:
    Jan 12, 2009
    Messages:
    653
    Well done, your computer appears to be clean.

    It's OK, they are all quarantined and can't do any harm.

    Spybot's recovery files are there in case you need to "recover" them and can be deleted (purged) by going into Spybot > Recovery, selecting the items listed that you no longer want to keep and using the "Purge selected items" option on the top of the screen.

    The ComboFix items found will be dealt with now.

    Uninstall Combofix

    Follow these steps to uninstall Combofix

    • click START then RUN
    • now type Combofix /uninstall in the runbox and click OK.
    Note the space between the X and the /, it needs to be there.
    [​IMG]

    • please follow the prompts to uninstall Combofix.
    • once it's finished uninstalling itself you will receive a message saying Combofix was uninstalled successfully.
    ===================================================

    Uninstall OTL

    • double-click OTL.exe
    • click the CleanUp! button.
    • select Yes when the Begin cleanup Process? prompt appears.
    • if you are prompted to reboot during the cleanup, select Yes.
    • the tool will delete itself once it finishes, if not delete it by yourself.
    NOTE: If you receive a warning from your firewall or other security programs regarding OTL attempting to contact the internet, please allow it to do so.



    ===================================================

    Uninstall AdwCleaner

    • double click on adwcleaner.exe to run the tool
    • click on Uninstall
    • confirm with Yes.
    You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.
    [/LIST]
    You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

    ===================================================

    Update installed programs

    You have an old version of Java on your computer: old versions are vulnerable to infection.

    • from the Start menu, select Control Panel.
    • in Large or Small icon view, click Programs and Features. If you're using Category view, under "Programs", click Uninstall a program.
    • select any versions of Java, then click Uninstall.
    Install the latest version here

    NOTE – when you install Java, before clicking on Install, be sure to Uncheck “Install the Ask Toolbar and make Ask my default search provider”

    [​IMG]


    ===================================================

    Recommended Antivirus

    Note: before installing one of these you MUST uninstall Norton Internet Security

    Do NOT install more than one or they will fight against each other and render both ineffective.

    Here are some of the better AV products.

    Download and install one of these free antivirus programs: Also, you will have to re-enable Windows firewall.


    To turn on Windows Firewall

    • open Windows Firewall by clicking Start, Control Panel, and then clicking WindowsFirewall.
    • click Turn Windows Firewall on or off. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
    • click Turn on Windows Firewall, and then OK.
    ===================================================

    Remember to re-enable Spybot Search & Destroy

    ===================================================

    Download Malwarebytes' Anti-Malware. This really is an excellent program that you should update and run on a regular basis, probably weekly.

    ===================================================

    I also recommend that you read the following:

    How to prevent malware by miekiemoes


    Finally, if your computer has no more problems and you are happy to close this, please click on “mark Solved” at the top of the page.

    Safe computing

    Satchfan
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1084006

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice