TechSpot

Heuristics.reserved.word.exploit

Solved
By TrunkMonkey
Jan 8, 2013
  1. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    panda.JPG

    Ok, it directed me to scan this way, with an additional download. Running now...
  2. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    Different UI than what you had intended; here is the only .txt file in the Panda program folder. It had me clean off 2 reg entries which it didn't like. I should have copy-pasted the jumble of characters which were their file names or directories. I have a current registry backup from yesterday which I'm attaching in case that helps. Sorry.


    Analyze.txt
    0;C:\Users\Justin Sidwell\Videos
    0;C:\Users\Justin Sidwell\Templates
    0;C:\Users\Justin Sidwell\Start Menu
    0;C:\Users\Justin Sidwell\SendTo
    0;C:\Users\Justin Sidwell\Searches
    0;C:\Users\Justin Sidwell\Saved Games
    0;C:\Users\Justin Sidwell\Recent
    0;C:\Users\Justin Sidwell\PrintHood
    0;C:\Users\Justin Sidwell\Pictures
    0;C:\Users\Justin Sidwell\NetHood
    0;C:\Users\Justin Sidwell\My Documents
    0;C:\Users\Justin Sidwell\Music
    0;C:\Users\Justin Sidwell\Local Settings
    0;C:\Users\Justin Sidwell\Links
    0;C:\Users\Justin Sidwell\Favorites
    0;C:\Users\Justin Sidwell\Downloads
    0;C:\Users\Justin Sidwell\Documents
    0;C:\Users\Justin Sidwell\Desktop
    0;C:\Users\Justin Sidwell\Cookies
    0;C:\Users\Justin Sidwell\Contacts
    0;C:\Users\Justin Sidwell\Application Data
    0;C:\Users\Justin Sidwell\AppData
    0;C:\Users\Justin Sidwell\04A55A344DC549198B88FFA6CC7D6D20.TMP
    0;C:\Users\Justin Sidwell
    0;C:\Users\Justin Sidwell\AppData\Roaming\vlc
    0;C:\Users\Justin Sidwell\AppData\Roaming\Mozilla
    0;C:\Users\Justin Sidwell\AppData\Roaming\Microsoft
    0;C:\Users\Justin Sidwell\AppData\Roaming\Media Center Programs
    0;C:\Users\Justin Sidwell\AppData\Roaming\Malwarebytes
    0;C:\Users\Justin Sidwell\AppData\Roaming\Macromedia
    0;C:\Users\Justin Sidwell\AppData\Roaming\Identities
    0;C:\Users\Justin Sidwell\AppData\Roaming\ATI
    0;C:\Users\Justin Sidwell\AppData\Roaming\Adobe
    0;C:\Users\Justin Sidwell\AppData\Roaming
    0;C:\ProgramData\Templates
    0;C:\ProgramData\Start Menu
    0;C:\ProgramData\Mozilla
    0;C:\ProgramData\Microsoft
    0;C:\ProgramData\Malwarebytes
    0;C:\ProgramData\Favorites
    0;C:\ProgramData\Documents
    0;C:\ProgramData\Desktop
    0;C:\ProgramData\ATI
    0;C:\ProgramData\Application Data
    0;C:\ProgramData\AMD
    0;C:\ProgramData\Adobe
    0;C:\ProgramData
    0;C:\Users\Justin Sidwell\AppData\Local\VirtualStore
    0;C:\Users\Justin Sidwell\AppData\Local\Temporary Internet Files
    0;C:\Users\Justin Sidwell\AppData\Local\Temp
    0;C:\Users\Justin Sidwell\AppData\Local\Programs
    0;C:\Users\Justin Sidwell\AppData\Local\Mozilla
    0;C:\Users\Justin Sidwell\AppData\Local\Microsoft
    0;C:\Users\Justin Sidwell\AppData\Local\Macromedia
    0;C:\Users\Justin Sidwell\AppData\Local\History
    0;C:\Users\Justin Sidwell\AppData\Local\Google
    0;C:\Users\Justin Sidwell\AppData\Local\ElevatedDiagnostics
    0;C:\Users\Justin Sidwell\AppData\Local\Downloaded Installations
    0;C:\Users\Justin Sidwell\AppData\Local\Diagnostics
    0;C:\Users\Justin Sidwell\AppData\Local\Deployment
    0;C:\Users\Justin Sidwell\AppData\Local\ATI
    0;C:\Users\Justin Sidwell\AppData\Local\Apps
    0;C:\Users\Justin Sidwell\AppData\Local\Application Data
    0;C:\Users\Justin Sidwell\AppData\Local\AMD
    0;C:\Users\Justin Sidwell\AppData\Local
    0;C:\Program Files (x86)\Windows Sidebar
    0;C:\Program Files (x86)\Windows Portable Devices
    0;C:\Program Files (x86)\Windows Photo Viewer
    0;C:\Program Files (x86)\Windows NT
    0;C:\Program Files (x86)\Windows Media Player
    0;C:\Program Files (x86)\Windows Mail
    0;C:\Program Files (x86)\Windows Defender
    0;C:\Program Files (x86)\VIA
    0;C:\Program Files (x86)\Uninstall Information
    0;C:\Program Files (x86)\Reference Assemblies
    0;C:\Program Files (x86)\Radeon RAMDisk
    0;C:\Program Files (x86)\Panda Security
    0;C:\Program Files (x86)\MSBuild
    0;C:\Program Files (x86)\Mozilla Maintenance Service
    0;C:\Program Files (x86)\Mozilla Firefox
    0;C:\Program Files (x86)\Microsoft.NET
    0;C:\Program Files (x86)\Microsoft Silverlight
    0;C:\Program Files (x86)\Microsoft Security Client
    0;C:\Program Files (x86)\Malwarebytes' Anti-Malware
    0;C:\Program Files (x86)\Internet Explorer
    0;C:\Program Files (x86)\InstallShield Installation Information
    0;C:\Program Files (x86)\Google
    0;C:\Program Files (x86)\FileASSASSIN
    0;C:\Program Files (x86)\Common Files
    0;C:\Program Files (x86)\ATI Technologies
    0;C:\Program Files (x86)\AMD AVT
    0;C:\Program Files (x86)
    0;C:\Windows\system32\drivers
    0;C:\Windows\system32
    0;C:\Windows
    1;C:\Windows\Temp


  3. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    Here is reg export for right now so you can compare.


  4. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    gmail encrypt.JPG
    I'm getting this every time I start Gmail. Probably nothing. Space bar is dead, but that's not unusual for this keyboard. :)
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    So far, it's clean...Next:

    avast! aswMBR

    Please download aswMBR from here
    • Save aswMBR.exe to your Desktop
    • Double click aswMBR.exe to run it
    • Uncheck "Trace disk IO calls".
    • Click the Scan button to start the scan as illustrated below
    Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.
    • Once the scan finishes click Save log to save the log to your Desktop
    • Copy and paste the contents of aswMBR.txt back here for review
    • Please also find MBR.dat on your Desktop, and rename it to MBRscan.txt. Upload that as well. Do not copy and paste MBR.dat/txt, it needs to be uploaded.
  6. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    Running now. The image you posted has Trace disk IO calls checked. I will uncheck as stated.
  7. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    Here ya go. Hey, I just tried to start Windows Backup for the first time and it won't run. Gives this error popup with a red X. Right after clicking OK on the error box, it reappears a second time, then disappears after
    backup error.JPG

    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2013-01-19 15:01:57
    -----------------------------
    15:01:57.809 OS Version: Windows x64 6.1.7601 Service Pack 1
    15:01:57.810 Number of processors: 6 586 0xA00
    15:01:57.810 ComputerName: TOWEROFPOWER10 UserName: Justin Sidwell
    15:01:59.094 Initialize success
    15:03:31.363 AVAST engine defs: 13011900
    15:06:25.624 Disk 0 \Device\Harddisk0\DR0 -> \Device\00000058
    15:06:25.626 Disk 0 Vendor: WDC_WD10 80.0 Size: 953869MB BusType: 11
    15:06:25.629 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\0000005a
    15:06:25.631 Disk 1 Vendor: ST2000DM CC24 Size: 1907729MB BusType: 11
    15:06:25.640 Disk 1 MBR read successfully
    15:06:25.643 Disk 1 MBR scan
    15:06:25.647 Disk 1 Windows 7 default MBR code
    15:06:25.651 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    15:06:25.684 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 1907627 MB offset 206848
    15:06:25.737 Disk 1 scanning C:\Windows\system32\drivers
    15:06:32.932 Service scanning
    15:06:48.424 Modules scanning
    15:06:49.831 AVAST engine scan C:\Windows
    15:06:52.581 AVAST engine scan C:\Windows\system32
    15:09:22.413 AVAST engine scan C:\Windows\system32\drivers
    15:09:30.622 AVAST engine scan C:\Users\Justin Sidwell
    15:14:29.342 AVAST engine scan C:\ProgramData
    15:14:54.722 Scan finished successfully
    15:15:54.582 Disk 1 MBR has been saved successfully to "C:\Users\Justin Sidwell\Desktop\MBR.dat"
    15:15:54.632 The log file has been saved successfully to "C:\Users\Justin Sidwell\Desktop\aswMBR.txt"


  8. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    Now I'm getting redirect warnings from Firefox. It's flagging them and I'm not allowing, obviously.
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Did you wipe the hard drive clean (and/or boot-n-nuke) before reinstalling the OS?
  10. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    It was factory fresh Seagate. However...

    If you recall, the old C: was put back in to transfer files. My impression was that as long as I didn't boot from this drive, there would be no issues with confusing Windows by having 2 bootable drives. Today, researching the backup problem, I came across this at sevenforums:
    www.sevenforums.com/backup-restore/61840-backup-error-server-execution-failed-0x80080005-5.html

    This may be the major issue here with random weirdness and possibly reinfection ? You tell me what your thoughts are on that.
    So now I'm in the process of shrinking the current primary boot volume (new C:), creating a new basic volume with that space, assigning the G: letter, formatting it and moving all 600 GB of media from the old C: there. Then I can do a full reformat of the old C: and feel better about the world. Could the System Reserved partition on the old C: explain the reinfection? Oh lord, pls say yes :) Edit: I scanned all files being moved with MB.
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    I would think it indeed has a chance of moving over files from the backup drive and executing them. A new start over is in order, unfortunately. :(
     
  12. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    Okay then, after I get everything off of the old drive, and scan and move anything on the new drive I want to keep over to the new partition, I will reinstall Windows on the current primary boot partition on the new drive and format it beforehand. Sound good? Honestly, I feel much worse for you having to start again for the third time. Thank you so much for all your work, and I think we will have a real fresh start this time.
  13. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    Back in business with 2 fresh drives and clean windows install.
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let me know if things work out...
  15. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    Will do. I'm running a free trial of Bitdefender along with MB.
  16. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    That didn't go well. I disconnected the network first thing so I could install some drivers I had saved on the newly formatted backup drive. By the time I was ready to enable the network to run Windows Update, I had lost access to that and Windows Update. And the browser was getting hammered by port attacks. Booted into the Windows DVD and restored back to a seemingly good point very early on, and Windows is happily in update land, just now restarting after 133 updates were installed. Is there any way to secure my router to block stuff? It was amazing how quickly they found me and ruined my day. I will report back after all of the pending Windows updates are finished or my computer has a meltdown, whichever comes first.
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Did you reset your router? What authentication level are you on? (What security level...is there a password or key?)
  18. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    WPA2-PSK with passphrase. No, haven't reset. You mean stick the pin in the tiny hole reset? Can I restore settings if I back them up? I have several static IP addresses. I've messed around in the menu and could have changed something I shouldn't have. It's a Netgear WGR614v10.

    Service Pack 1 just installed and is rebooting
  19. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    Malwarebytes Anti-Malware (PRO) 1.70.0.1100
    www.malwarebytes.org
    Database version: v2013.01.21.09
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    SuperUser :: TOWEROFPOWER10 [administrator]
    Protection: Enabled
    1/21/2013 4:23:37 PM
    mbam-log-2013-01-21 (16-23-37).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 202742
    Time elapsed: 1 minute(s), 14 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
  20. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    Reset router with the pin. Double checked that all security items I'm aware of were turned on. PC is running pretty good and security software is running and up to date. I see csrss.exe, winlogon.exe, and atieclxx.exe are all 3 running in task manager as before and without username or description.

    MB Full Scan:

    Malwarebytes Anti-Malware (PRO) 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.01.22.02

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    SuperUser :: TOWEROFPOWER10 [administrator]

    Protection: Enabled

    1/22/2013 4:49:07 AM
    mbam-log-2013-01-22 (04-49-07).txt

    Scan type: Full scan (C:\|F:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 361450
    Time elapsed: 20 minute(s), 53 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    FSS

    Farbar Service Scanner Version: 16-01-2013
    Ran by SuperUser (administrator) on 22-01-2013 at 05:25:12
    Running from "C:\Users\SuperUser\Desktop"
    Windows 7 Professional Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error. Google IP is offline
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****


    Farbar Service Scanner Version: 16-01-2013
    Ran by SuperUser (administrator) on 22-01-2013 at 05:30:21
    Windows 7 Professional Service Pack 1 (X64)

    ************************************************
    ======== Search: "*csrss.exe*" =========

    C:\Windows\System32\csrss.exe
    [2009-07-13 17:19] - [2009-07-13 19:39] - 0007680 ____A (Microsoft Corporation) 60C2862B4BF0FD9F582EF344C2B1EC72

    C:\Windows\System32\en-US\csrss.exe.mui
    [2009-07-13 23:35] - [2009-07-13 20:30] - 0002048 ____A (Microsoft Corporation) 4E93457645E5B70920ABFB8565DBA004

    C:\Windows\winsxs\x86_microsoft-windows-csrss.resources_31bf3856ad364e35_6.1.7600.16385_en-us_da67613a42c43476\csrss.exe.mui
    [2009-07-13 23:35] - [2009-07-13 20:09] - 0002048 ____A (Microsoft Corporation) EA2C607C908AEB268FB76FE278085443

    C:\Windows\winsxs\Backup\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3_csrss.exe_06529458
    [2009-07-13 20:59] - [2009-07-13 20:56] - 0007680 ____A (Microsoft Corporation) 60C2862B4BF0FD9F582EF344C2B1EC72

    C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3\csrss.exe
    [2009-07-13 17:19] - [2009-07-13 19:39] - 0007680 ____A (Microsoft Corporation) 60C2862B4BF0FD9F582EF344C2B1EC72

    C:\Windows\winsxs\amd64_microsoft-windows-csrss.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3685fcbdfb21a5ac\csrss.exe.mui
    [2009-07-13 23:35] - [2009-07-13 20:30] - 0002048 ____A (Microsoft Corporation) 4E93457645E5B70920ABFB8565DBA004

    C:\Windows\SysWOW64\en-US\csrss.exe.mui
    [2009-07-13 23:35] - [2009-07-13 20:09] - 0002048 ____A (Microsoft Corporation) EA2C607C908AEB268FB76FE278085443

    ====== End Of Search ======

    Farbar Service Scanner Version: 16-01-2013
    Ran by SuperUser (administrator) on 22-01-2013 at 05:33:24
    Windows 7 Professional Service Pack 1 (X64)

    ************************************************
    ======== Search: "*winlogon.exe*" =========

    C:\Windows\System32\winlogon.exe
    [2013-01-21 15:09] - [2010-11-20 07:25] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457

    C:\Windows\System32\en-US\winlogon.exe.mui
    [2013-01-21 15:09] - [2010-11-20 07:00] - 0023040 ____A (Microsoft Corporation) 34C7D2E30868EDAFB191341D963ABA5F

    C:\Windows\winsxs\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.1.7601.17514_en-us_291e96fa1ab5fc7b_winlogon.exe.mui_3280fc46
    [2013-01-21 15:38] - [2013-01-21 15:36] - 0023040 ____A (Microsoft Corporation) 34C7D2E30868EDAFB191341D963ABA5F

    C:\Windows\winsxs\Backup\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636_winlogon.exe_ac37d0c5
    [2013-01-21 15:38] - [2013-01-21 15:36] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457

    C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe
    [2013-01-21 15:09] - [2010-11-20 07:25] - 0390656 ____A (Microsoft Corporation) 1151B1BAA6F350B1DB6598E0FEA7C457

    C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_cc522fd507b468f8\winlogon.exe
    [2013-01-21 13:52] - [2009-10-28 01:01] - 0389632 ____A (Microsoft Corporation) A93D41A4D4B0D91C072D11DD8AF266DE

    C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_cbe534e7ee8042ad\winlogon.exe
    [2013-01-21 13:52] - [2009-10-28 00:24] - 0389632 ____A (Microsoft Corporation) DA3E2A6FA9660CC75B471530CE88453A

    C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c\winlogon.exe
    [2009-07-13 17:52] - [2009-07-13 19:39] - 0389120 ____A (Microsoft Corporation) 132328DF455B0028F13BF0ABEE51A63A

    C:\Windows\winsxs\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.1.7601.17514_en-us_291e96fa1ab5fc7b\winlogon.exe.mui
    [2013-01-21 15:09] - [2010-11-20 07:00] - 0023040 ____A (Microsoft Corporation) 34C7D2E30868EDAFB191341D963ABA5F

    C:\Windows\winsxs\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.1.7600.16385_en-us_26ed83321dc778e1\winlogon.exe.mui
    [2009-07-13 23:35] - [2009-07-13 20:29] - 0022528 ____A (Microsoft Corporation) 56D03B64B8C483C1D12A8E4577B3B332

    C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
    [2013-01-21 16:05] - [2012-12-14 16:49] - 0216424 ____A () 22101A85B3CA2FE2BE05FE9A61A7A83D

    ====== End Of Search ======

    Farbar Service Scanner Version: 16-01-2013
    Ran by SuperUser (administrator) on 22-01-2013 at 05:36:20
    Windows 7 Professional Service Pack 1 (X64)

    ************************************************
    ======== Search: "*atieclxx.exe*" =========

    C:\Windows\System32\atieclxx.exe
    [2012-12-19 13:56] - [2012-12-19 13:56] - 0550912 ____A (AMD) 0620FE89F70FC0895DC312EEBAA62B06

    C:\Windows\System32\DriverStore\FileRepository\c7151592.inf_amd64_neutral_073058ea1b23e425\B151068\atieclxx.exe
    [2012-12-19 13:56] - [2012-12-19 13:56] - 0550912 ____A (AMD) 0620FE89F70FC0895DC312EEBAA62B06

    C:\Windows\System32\DriverStore\FileRepository\c7118908.inf_amd64_neutral_8dc4ff304e4afff6\B117547\atieclxx.exe
    [2011-04-20 02:04] - [2011-04-20 02:04] - 0480256 ____A (AMD) 4EFC5F29CA5CF912C09BD5586468A945

    ====== End Of Search ======

    I ran TSS this morning just before restoring system (after fresh win7 install, when things went badly)

    *******Initializing Message Log:TSSysprep.dll 01/21/13 10:52:46
    *******Version:Major=6, Minor=1, Build=7600, PlatForm=2, CSDVer=, Free

    sysprep.cpp(309)Entering RCMSysPrepRestore
    sysprep.cpp(314)ERROR: ResetTSPublicPrivateKeys() FAILED: 2
    sysprep.cpp(316)Leaving RCMSysPrepRestore
    logmsg.cpp(38)********Terminating Log.


    *******Initializing Message Log:TSSysprep.dll 01/21/13 10:52:46
    *******Version:Major=6, Minor=1, Build=7600, PlatForm=2, CSDVer=, Free

    sysprep.cpp(283)Entering LSMSysPrepRestore
    sysprep.cpp(511)WARNING: RestoreTSCustomSercurity - NameSIDList.LoadAndDelete FAILED.
    sysprep.cpp(512)If no Names/SIDs were saved during LSMSysPrepBackup, this is NOT an error. Otherwise, it IS an error, saved names and SIDs were NOT restored.
    sysprep.cpp(513)Please verify that no Names/SIDs were saved during backup
    sysprep.cpp(288)WARNING: RestoreTSCustomSercurity() FAILED: 2. To see if this is an error, please see message(s) above.
    sysprep.cpp(291)Leaving LSMSysPrepRestore
    logmsg.cpp(38)********Terminating Log.


    *******Initializing Message Log:TSSysprep.dll 01/21/13 10:52:47
    *******Version:Major=6, Minor=1, Build=7600, PlatForm=2, CSDVer=, Free

    sysprep.cpp(330)Entering RdpSysPrepRestore
    sysprep.cpp(358)Leaving RdpSysPrepRestore
    logmsg.cpp(38)********Terminating Log.


    ********************************

    Microsoft Signature Verification

    Log file generated on 1/22/2013 at 5:45 AM
    OS Platform: Windows (x64), Version: 6.1, Build: 7601, CSDVersion: Service Pack 1
    Scan Results: Total Files: 215, Signed: 215, Unsigned: 0, Not Scanned: 0

    cng.sys 6/1/2012 2:5.1,2:5.2,2:6.0,2:Signed Package_3_for_KB2655Microsoft Windows
    compositebus.sys 11/20/2010 2:5.1 Signed Microsoft-Windows-ClMicrosoft Windows
    csc.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-OfMicrosoft Windows
    discache.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    disk.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    drmk.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-ClMicrosoft Windows
    drmkaud.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-ClMicrosoft Windows
    dxgkrnl.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-FoMicrosoft Windows
    fvevol.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-SeMicrosoft Windows
    g311n6.sys 5/5/2010 2:6.1 Signed g311n6.cat Microsoft Windows Hardware Compatibility Publisher
    hdaudbus.sys 11/20/2010 2:5.1 Signed Microsoft-Windows-ClMicrosoft Windows
    hidclass.sys 11/20/2010 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    hidparse.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    hidusb.sys 11/20/2010 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    http.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-FoMicrosoft Windows
    hwpolicy.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-FoMicrosoft Windows
    i8042prt.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    kbdclass.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    kbdhid.sys 11/20/2010 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    ksecdd.sys 6/1/2012 2:5.1,2:5.2,2:6.0,2:Signed Package_3_for_KB2655Microsoft Windows
    ksecpkg.sys 6/1/2012 2:5.1,2:5.2,2:6.0,2:Signed Package_3_for_KB2655Microsoft Windows
    lltdio.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    lycosa.sys 1/17/2008 2:6.0 Signed lyokbcat.cat Microsoft Windows Hardware Compatibility Publisher
    monitor.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-ClMicrosoft Windows
    mouclass.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    mouhid.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    mountmgr.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-FoMicrosoft Windows
    mpsdrv.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    msahci.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-CoMicrosoft Windows
    msisadrv.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    mskssrv.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    mspclock.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    mspqm.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    mssmbios.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    mstee.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    ndis.sys 8/22/2012 2:5.1,2:5.2,2:6.0,2:Signed Package_5_for_KB2719Microsoft Windows
    ndistapi.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    ndiswan.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-FoMicrosoft Windows
    netbt.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-FoMicrosoft Windows
    nisdrvwfp.sys 8/30/2012 2:6.0,2:6.1 Signed NisDrvWFP.cat Microsoft Windows Hardware Compatibility Publisher
    nsiproxy.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    nusb3hub.sys 1/22/2010 2:5.1 Signed nusb3drv.cat Microsoft Windows Hardware Compatibility Publisher
    nusb3xhc.sys 1/22/2010 2:5.1 Signed nusb3drv.cat Microsoft Windows Hardware Compatibility Publisher
    pacer.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-FoMicrosoft Windows
    pci.sys 11/20/2010 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    pciide.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    pciidex.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    pcw.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    peauth.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    portcls.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-ClMicrosoft Windows
    rasl2tp.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-FoMicrosoft Windows
    raspppoe.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    raspptp.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-FoMicrosoft Windows
    rassstp.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    rdpbus.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-ClMicrosoft Windows
    rdpcdd.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    rdpencdd.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    rdprefmp.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    rspndr.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    sermouse.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    swenum.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    tcpip.sys 10/3/2012 2:5.1,2:5.2,2:6.0,2:Signed Package_4_for_KB2750Microsoft Windows
    tcpipreg.sys 10/3/2012 2:5.1,2:5.2,2:6.0,2:Signed Package_4_for_KB2750Microsoft Windows
    tdx.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-FoMicrosoft Windows
    termdd.sys 11/20/2010 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    tunnel.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-FoMicrosoft Windows
    umbus.sys 11/20/2010 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    usbccgp.sys 3/24/2011 2:5.1 Signed Package_1_for_KB2529Microsoft Windows
    usbd.sys 3/24/2011 2:5.1 Signed Package_1_for_KB2529Microsoft Windows
    usbehci.sys 3/24/2011 2:5.1 Signed Package_1_for_KB2529Microsoft Windows
    usbhub.sys 3/24/2011 2:5.1 Signed Package_1_for_KB2529Microsoft Windows
    usbohci.sys 3/24/2011 2:5.1 Signed Package_1_for_KB2529Microsoft Windows
    usbport.sys 3/24/2011 2:5.1 Signed Package_1_for_KB2529Microsoft Windows
    vdrvroot.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    vga.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    viahduaa.sys 10/22/2012 2:6.1 Signed viahduaa.cat Microsoft Windows Hardware Compatibility Publisher
    vmbus.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Hyper-V-CoMicrosoft Windows
    vmfilt64.sys 7/31/2009 2:6.1 Signed viahduaa.cat Microsoft Windows Hardware Compatibility Publisher
    vmstorfl.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Hyper-V-GuMicrosoft Windows
    volmgr.sys 11/20/2010 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    volmgrx.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-FoMicrosoft Windows
    volsnap.sys 11/20/2010 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    wanarp.sys 11/20/2010 2:5.1,2:5.2,2:6.0,2:Signed Microsoft-Windows-FoMicrosoft Windows
    wdf01000.sys 7/25/2012 2:5.1,2:5.2,2:6.0,2:Signed Package_76_for_KB268Microsoft Windows
    wfplwf.sys 7/13/2009 2:6.1 Signed nt5.cat Microsoft Windows
    wmiacpi.sys 7/13/2009 2:5.1 Signed Microsoft-Windows-CoMicrosoft Windows
    [c:\windows\system32\srslabs\{176f4e15-8f7c-4833-aded-81fae8ccd186}]
    slcshp64.dll 6/12/2009 2:6.1 Signed viahduaa.cat Microsoft Windows Hardware Compatibility Publisher
    slcsii64.dll 6/12/2009 2:6.1 Signed viahduaa.cat Microsoft Windows Hardware Compatibility Publisher
    slgeq64.dll 6/12/2009 2:6.1 Signed viahduaa.cat Microsoft Windows Hardware Compatibility Publisher
    slh36064.dll 6/12/2009 2:6.1 Signed viahduaa.cat Microsoft Windows Hardware Compatibility Publisher
    slinit64.dll 6/12/2009 2:6.1 Signed viahduaa.cat Microsoft Windows Hardware Compatibility Publisher
    slmaxv64.dll 6/12/2009 2:6.1 Signed viahduaa.cat Microsoft Windows Hardware Compatibility Publisher
    slprop64.dll 6/12/2009 2:6.1 Signed viahduaa.cat Microsoft Windows Hardware Compatibility Publisher
    sltshd64.dll 6/12/2009 2:6.1 Signed viahduaa.cat Microsoft Windows Hardware Compatibility Publisher
    sluapo64.dll 6/12/2009 2:6.1 Signed viahduaa.cat Microsoft Windows Hardware Compatibility Publisher
    slvipp64.dll 6/12/2009 2:6.1 Signed viahduaa.cat Microsoft Windows Hardware Compatibility Publisher
    slviq64.dll 6/12/2009 2:6.1 Signed viahduaa.cat Microsoft Windows Hardware Compatibility Publisher
    [c:\windows\syswow64]
    amdpcom32.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    ati2edxx.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    atiadlxy.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    atiapfxx.blb 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    aticalcl.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    aticaldd.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    aticalrt.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    aticfx32.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    atidxx32.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    atigktxx.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    atiglpxx.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    atimpc32.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    atioglxx.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    atipblag.dat 9/12/2011 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    atiu9pag.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    atiumdag.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    atiumdva.cap 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    atiumdva.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    atiuxpag.dll 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    ativvsva.dat 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    ativvsvl.dat 12/19/2012 2:6.0 Signed c7151592.cat Microsoft Windows Hardware Compatibility Publisher
    vmapo32.dll 9/27/2011 2:6.1 Signed viahduaa.cat Microsoft Windows Hardware Compatibility Publisher
    vmthx32.dll 9/27/2011 2:6.1 Signed viahduaa.cat Microsoft Windows Hardware Compatibility Publisher
    [c:\windows\syswow64\drivers]
    asio.sys 1/21/2013 None Signed N/A
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    All of that looks to be good! (y) How is the system running? Manageable? Redirects?
  22. TrunkMonkey

    TrunkMonkey TS Rookie Topic Starter Posts: 79

    Only bouts of paranoid delusions. The rapid-fire browser status bar URLs haven't shown up and the machine is very responsive. I have been creating system images and backups like a madman. A poorly placed USB receiver for the wireless keyboard/mouse in the living room gave me a good panic. Neither device simply cut out; instead they imitated a slow, agonizing death similar to a malware attack. After moving it off of the main power center it worked fine again.


    What does the Google IP error mean in the above logs? That was there last time I ran it. And the three running processes (csrss.exe, etc.) with a blank username or description? Normal? Any final super duper scans I should do for that extra warm feeling of security? :)

    PS. What do you use for malware and virus software? BitDefender seemed like a high-quality program; however, I didn't get to use it long before the reinfection.

    Thanks
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Google, from time to time, does not allow people to ping them. Therefore, there is a ping error in the log. If you're not able to ping them, it means their server firewall blocked your request. It does this randomly; sometimes I haven't been able to either. Their rules in the firewall are too strict, and if they don't want to approve the ping, they won't. It's weird, tbh.

    Those are normal for the blank username; it means that the hidden super administrator account in Windows is not unlocked. If you don't unlock the super hidden administrator, the system will be safe and prevent anything from taking root access so easily. It will give your system more control to manage itself.

    I think with the scans above, you can get that super duper warm feeling. But, if you need to, you can run the Kaspersky Virus Removal Tool (find instructions earlier in this thread). That finds most serious issues.

    I use avast! Internet Security, SpywareBlaster, and have a couple of scan-only tools (like MBAM).

    The paid/premium antivirus program I most recommend is Kaspersky Antivirus. It yields the highest results in antivirus testing groups, and is one of the most trusted. Its antivirus product is well worth its cost.

    Otherwise, if you go free, Avira or Avast free would do really well. Coupled with Windows Firewall, you should be able to keep your head out of most traps. Just avoid dodgy links and torrents/P2P.

    If you end up wanting to donate to me, then go with free stuff. I don't want you racking up a ton of cost. But, if you go with free, be much more careful browsing. It seems like you have enough sense to do that compared to a lot of others I see around here. :p

    See this page for more info about malware and prevention.
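    A way to look for yourself at the two things asked about above, which running processes show a blank owner and whether the built-in Administrator account is enabled. This is an added PowerShell example, not from the thread or from either poster; it assumes an elevated prompt on Windows 7 or later (it uses the WMI cmdlets so it also runs on PowerShell 2.0).

```powershell
# Added example, not from the thread: report the owner of every running process,
# list the ones whose owner comes back blank, and show whether the built-in
# Administrator account is enabled. Run from an elevated prompt, because the
# owner of a process is only readable when the caller has access to that process.

$report = foreach ($p in Get-WmiObject -Class Win32_Process) {
    $o = $p.GetOwner()
    New-Object PSObject -Property @{
        Name  = $p.Name
        PID   = $p.ProcessId
        # GetOwner() fails (non-zero ReturnValue) for protected/system processes
        # such as csrss.exe; that is what process-listing tools print as a blank user.
        Owner = if ($o.ReturnValue -eq 0 -and $o.User) { "$($o.Domain)\$($o.User)" } else { '' }
        Path  = $p.ExecutablePath
    }
}

"Processes with a blank owner:"
$report | Where-Object { $_.Owner -eq '' } | Sort-Object Name |
    Format-Table Name, PID, Path -AutoSize

"Owner breakdown:"
$report | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The built-in Administrator account always has a SID ending in -500, even if
# it has been renamed, so look it up by SID rather than by name.
$admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like '*-500' }
"Built-in Administrator account '$($admin.Name)' enabled: $(-not $admin.Disabled)"
```

    A blank-owner entry whose Path is outside the Windows directory, or a built-in Administrator account that is enabled without your having done so, is what to look at more closely; the system processes named in the thread are expected to show a blank owner.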
  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Topic solved.