Highly infected laptop

By Sador27
Nov 16, 2012
  1. I have a highly infected laptop that I've been trying my best to fix for months, but I just can't beat it and I give up, so just before I do a full reinstall I'd LOVE to see one of you experts kick its arse PLEASE!!!!
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    [​IMG] Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until it is closed and your computer is declared clean.
    Please review the 5-Step removal instructions and post the logs back here for my review.

    Also, include this scan:

    Download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
  3. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    Hey dragon, thank you so much. I'm at work at the minute; as soon as I get home I'll follow your instructions and post logs, and give you a small run-down on the disaster :)
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let me know how it all goes...looking forward to it.
  5. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    Hey DMJ, here goes:

    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.11.17.02

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Sad0r :: SAD0R-PC [administrator]

    18/11/2012 12:22:34 AM
    mbam-log-2012-11-18 (00-22-34).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 203389
    Time elapsed: 2 minute(s), 7 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    DDS (Ver_2012-11-07.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16450
    Run by Sad0r at 15:42:49 on 2012-11-18
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.12174.10114 [GMT 11:00]
    .
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\FBAgent.exe
    C:\Windows\system32\WLANExt.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe
    C:\Program Files\Intel\iCLS Client\HeciServer.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
    C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccSvcHst.exe
    C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
    C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccSvcHst.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
    C:\Program Files\ASUS\P4G\BatteryLife.exe
    C:\Program Files (x86)\ASUS\ASUS Virtual Touch\QuickGesture\x86\QuickGesture.exe
    C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
    C:\Program Files (x86)\ASUS\ASUS Virtual Touch\QuickGesture\x64\QuickGesture64.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Windows\System32\hkcmd.exe
    C:\Program Files\Elantech\ETDCtrl.exe
    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
    C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
    C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
    C:\Program Files\Elantech\ETDCtrlHelper.exe
    C:\Program Files\Elantech\ETDGesture.exe
    C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
    C:\Windows\SysWOW64\ACEngSvr.exe
    C:\Windows\system32\igfxpers.exe
    C:\Windows\AsScrPro.exe
    C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://google.com.au/
    uDefault_Page_URL = hxxp://asus.msn.com
    mStart Page = about:blank
    mWinlogon: Userinit = userinit.exe,
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Norton Identity Protection: {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\CoIEPlg.dll
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
    TB: Norton Identity Safe Toolbar: {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\CoIEPlg.dll
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [ASUSPRP] "C:\Program Files (x86)\ASUS\APRP\APRP.EXE"
    mRun: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe /S
    mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
    mRun: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
    mRun: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
    mRun: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
    mRun: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ASUSVI~1.LNK - C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe
    uPolicies-Explorer: NoDriveAutoRun = dword:32
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    TCP: NameServer = 192.168.0.1
    TCP: Interfaces\{01FD1468-EA1B-4F82-9C9E-7CC26212FDAF} : DHCPNameServer = 192.168.0.1
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SSODL: WebCheck - <orphaned>
    x64-mStart Page = about:blank
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
    x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
    x64-Run: [ETDCtrl] C:\Program Files (x86)\Elantech\ETDCtrl.exe
    x64-DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
    x64-Notify: igfxcui - igfxdev.dll
    x64-SSODL: WebCheck - <orphaned>
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-3-12 16152]
    R1 ATKWMIACPIIO;ATKWMIACPI Driver;C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2011-9-7 17536]
    R1 ccSet_NST;Norton Identity Safe Settings Manager;C:\Windows\System32\drivers\NSTx64\7DD02000.012\ccSetx64.sys [2012-11-18 168096]
    R2 AFBAgent;AFBAgent;C:\Windows\System32\FBAgent.exe [2012-8-31 379520]
    R2 ASMMAP64;ASMMAP64;C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-7-2 15416]
    R2 ASUS InstantOn;ASUS InstantOn Service;C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe [2012-2-4 277120]
    R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2011-12-9 607456]
    R2 Intel(R) ME Service;Intel(R) ME Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [2012-8-31 128280]
    R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe [2012-8-31 161560]
    R2 MBAMScheduler;MBAMScheduler;C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-11-18 399432]
    R2 NCO;Norton Identity Safe;C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccSvcHst.exe [2012-11-18 143928]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-8-31 363800]
    R3 AiCharger;ASUS Charger Driver;C:\Windows\System32\drivers\AiCharger.sys [2012-8-31 17152]
    R3 AsusVBus;AsusVBus;C:\Windows\System32\drivers\AsusVBus.sys [2011-12-22 35968]
    R3 AsusVTouch;AsusVTouch;C:\Windows\System32\drivers\AsusVTouch.sys [2011-11-8 16512]
    R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\System32\drivers\ETD.sys [2012-3-12 200488]
    R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-3-12 331264]
    R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-3-12 356120]
    R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-3-12 787736]
    R3 RSBASTOR;Realtek PCIE CardReader Driver - BA;C:\Windows\System32\drivers\RtsBaStor.sys [2012-8-31 292968]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-19 138576]
    S2 MBAMService;MBAMService;C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-11-18 676936]
    S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-2 183560]
    S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2012-2-18 48488]
    S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-14 1492840]
    S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\System32\drivers\L1C62x64.sys [2009-6-11 57344]
    S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-11-18 25928]
    S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-8-31 565352]
    S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\System32\drivers\SiSG664.sys [2009-6-11 56832]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-2-19 59392]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2011-2-19 31232]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-9-3 1255736]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-23 57184]
    .
    =============== File Associations ===============
    .
    FileExt: .js: Applications\notepad.exe=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
    .
    =============== Created Last 30 ================
    .
    2012-11-17 13:38:53  168096  ----a-r-  C:\Windows\System32\drivers\NSTx64\7DD02000.012\ccSetx64.sys
    2012-11-17 13:38:52  --------  d-----w-  C:\Windows\System32\drivers\NSTx64\7DD02000.012
    2012-11-17 13:38:52  --------  d-----w-  C:\Windows\System32\drivers\NSTx64
    2012-11-17 13:38:51  --------  d-----w-  C:\Program Files (x86)\Norton Identity Safe
    2012-11-17 13:20:57  25928  ----a-w-  C:\Windows\System32\drivers\mbam.sys
    2012-11-17 13:20:57  --------  d-----w-  C:\Program Files\Malwarebytes' Anti-Malware
    2012-11-12 10:14:34  --------  d-----w-  C:\Users\Sad0r\AppData\Local\Diagnostics
    2012-11-05 05:30:42  --------  d-----w-  C:\Program Files (x86)\iWisoft Free Video Downloader
    2012-11-05 05:23:33  758018  ----a-w-  C:\Windows\SysWow64\xvidcore.dll
    2012-11-05 05:23:33  180224  ----a-w-  C:\Windows\SysWow64\xvidvfw.dll
    2012-11-05 05:23:33  139264  ----a-w-  C:\Windows\SysWow64\xvid.ax
    2012-11-05 05:23:33  --------  d-----w-  C:\Program Files (x86)\iWisoft Free Video Converter
    2012-11-04 05:33:51  --------  d-----w-  C:\Users\Sad0r\AppData\Local\CrashDumps
    2012-10-29 14:06:56  --------  d-----w-  C:\silentrunners
    2012-10-25 15:28:54  --------  d-----w-  C:\_OTM
    2012-10-25 14:39:05  --------  d-----w-  C:\Program Files\Registrar Registry Manager
    2012-10-25 11:23:56  --------  d-----w-  C:\Users\Sad0r\AppData\Local\NPE
    2012-10-22 19:48:20  9291768  ----a-w-  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2CF52C71-4E6F-4B46-8A8F-B8966A578E00}\mpengine.dll
    2012-10-22 18:11:11  --------  d-----w-  C:\Program Files (x86)\Common Files\Symantec Shared
    2012-10-22 12:04:12  --------  d-----w-  C:\ProgramData\Norton
    2012-10-22 12:03:53  --------  d-----w-  C:\ProgramData\NortonInstaller
    2012-10-22 12:03:53  --------  d-----w-  C:\Program Files (x86)\NortonInstaller
    2012-10-22 11:37:40  220242  ----a-w-  C:\ProgramData\1350905593.bdinstall.bin
    2012-10-22 11:24:12  431568  ----a-w-  C:\ProgramData\1350885310.bdinstall.bin
    2012-10-21 04:32:03  --------  d-----w-  C:\ProgramData\Kaspersky Lab
    .
    ==================== Find3M ====================
    .
    2012-11-18 04:37:19  380  ----a-w-  C:\Users\Sad0r\AppData\Roaming\sp_data.sys
    2012-10-15 18:49:14  470508  ----a-w-  C:\ProgramData\1350326436.bdinstall.bin
    2012-09-14 19:19:29  2048  ----a-w-  C:\Windows\System32\tzres.dll
    2012-09-14 18:28:53  2048  ----a-w-  C:\Windows\SysWow64\tzres.dll
    2012-09-08 05:35:21  348160  ----a-w-  C:\Windows\SysWow64\msvcr71.dll
    2012-09-08 05:35:21  1700352  ----a-w-  C:\Windows\SysWow64\gdiplus.dll
    2012-09-08 05:35:21  1060864  ----a-w-  C:\Windows\SysWow64\mfc71.dll
    2012-08-31 18:19:35  1659760  ----a-w-  C:\Windows\System32\drivers\ntfs.sys
    2012-08-31 10:43:39  80512  ----a-w-  C:\Windows\ASUS K5 Series ScreenSaver Uninstaller.exe
    2012-08-31 10:43:31  3058304  ----a-w-  C:\Windows\AsScrPro.exe
    2012-08-30 18:03:45  5559664  ----a-w-  C:\Windows\System32\ntoskrnl.exe
    2012-08-30 17:12:02  3968880  ----a-w-  C:\Windows\SysWow64\ntkrnlpa.exe
    2012-08-30 17:12:02  3914096  ----a-w-  C:\Windows\SysWow64\ntoskrnl.exe
    2012-08-24 18:05:07  220160  ----a-w-  C:\Windows\System32\wintrust.dll
    2012-08-24 16:57:48  172544  ----a-w-  C:\Windows\SysWow64\wintrust.dll
    2012-08-24 10:31:32  2312704  ----a-w-  C:\Windows\System32\jscript9.dll
    2012-08-24 10:21:18  1392128  ----a-w-  C:\Windows\System32\wininet.dll
    2012-08-24 10:20:11  1494528  ----a-w-  C:\Windows\System32\inetcpl.cpl
    2012-08-24 10:14:45  173056  ----a-w-  C:\Windows\System32\ieUnatt.exe
    2012-08-24 10:13:29  599040  ----a-w-  C:\Windows\System32\vbscript.dll
    2012-08-24 10:09:42  2382848  ----a-w-  C:\Windows\System32\mshtml.tlb
    2012-08-24 06:59:17  1800704  ----a-w-  C:\Windows\SysWow64\jscript9.dll
    2012-08-24 06:51:27  1129472  ----a-w-  C:\Windows\SysWow64\wininet.dll
    2012-08-24 06:51:02  1427968  ----a-w-  C:\Windows\SysWow64\inetcpl.cpl
    2012-08-24 06:47:26  142848  ----a-w-  C:\Windows\SysWow64\ieUnatt.exe
    2012-08-24 06:47:12  420864  ----a-w-  C:\Windows\SysWow64\vbscript.dll
    2012-08-24 06:43:58  2382848  ----a-w-  C:\Windows\SysWow64\mshtml.tlb
    2012-08-22 18:12:50  1913200  ----a-w-  C:\Windows\System32\drivers\tcpip.sys
    2012-08-22 18:12:40  950128  ----a-w-  C:\Windows\System32\drivers\ndis.sys
    2012-08-22 18:12:40  376688  ----a-w-  C:\Windows\System32\drivers\netio.sys
    2012-08-22 18:12:33  288624  ----a-w-  C:\Windows\System32\drivers\FWPKCLNT.SYS
    2012-08-21 21:01:00  245760  ----a-w-  C:\Windows\System32\OxpsConverter.exe
    2012-08-20 18:48:44  362496  ----a-w-  C:\Windows\System32\wow64win.dll
    2012-08-20 18:48:44  243200  ----a-w-  C:\Windows\System32\wow64.dll
    2012-08-20 18:48:44  13312  ----a-w-  C:\Windows\System32\wow64cpu.dll
    2012-08-20 18:48:43  215040  ----a-w-  C:\Windows\System32\winsrv.dll
    2012-08-20 18:48:37  16384  ----a-w-  C:\Windows\System32\ntvdm64.dll
    2012-08-20 18:48:35  424448  ----a-w-  C:\Windows\System32\KernelBase.dll
    2012-08-20 18:46:22  338432  ----a-w-  C:\Windows\System32\conhost.exe
    2012-08-20 17:40:21  14336  ----a-w-  C:\Windows\SysWow64\ntvdm64.dll
    2012-08-20 17:38:44  44032  ----a-w-  C:\Windows\apppatch\acwow64.dll
    2012-08-20 17:38:26  25600  ----a-w-  C:\Windows\SysWow64\setup16.exe
    2012-08-20 17:37:19  5120  ----a-w-  C:\Windows\SysWow64\wow32.dll
    2012-08-20 17:37:18  274944  ----a-w-  C:\Windows\SysWow64\KernelBase.dll
    2012-08-20 15:38:21  7680  ----a-w-  C:\Windows\SysWow64\instnm.exe
    2012-08-20 15:38:20  2048  ----a-w-  C:\Windows\SysWow64\user.exe
    2012-08-20 15:33:28  6144  ---ha-w-  C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2012-08-20 15:33:28  4608  ---ha-w-  C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2012-08-20 15:33:28  3584  ---ha-w-  C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2012-08-20 15:33:28  3072  ---ha-w-  C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    .
    ============= FINISH: 15:43:04.07 ===============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-07.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 31/08/2012 3:03:24 AM
    System Uptime: 18/11/2012 12:29:53 PM (3 hours ago)
    .
    Motherboard: ASUSTeK COMPUTER INC. | | K55A
    Processor: Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz | SOCKET 0 | 2301/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 255 GiB total, 160.151 GiB free.
    D: is FIXED (NTFS) - 419 GiB total, 418.558 GiB free.
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: Ethernet Controller
    Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_14571043&REV_0A\89724418684CE00002
    Manufacturer:
    Name: Ethernet Controller
    PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_14571043&REV_0A\89724418684CE00002
    Service:
    .
    ==== System Restore Points ===================
    .
    RP78: 7/11/2012 3:00:11 AM - Windows Update
    RP79: 8/11/2012 3:00:12 AM - Windows Update
    RP80: 9/11/2012 3:00:10 AM - Windows Update
    RP81: 9/11/2012 4:15:40 PM - Windows Update
    RP82: 10/11/2012 3:00:10 AM - Windows Update
    RP83: 13/11/2012 3:48:52 PM - Windows Update
    RP84: 14/11/2012 3:00:10 AM - Windows Update
    RP85: 15/11/2012 3:00:11 AM - Windows Update
    RP86: 16/11/2012 3:00:13 AM - Windows Update
    RP87: 17/11/2012 3:00:10 AM - Windows Update
    RP88: 18/11/2012 3:00:12 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X MUI
    ASUS AI Recovery
    ASUS FaceLogon
    ASUS K5 Series ScreenSaver
    ASUS LifeFrame3
    ASUS Live Update
    ASUS Power4Gear Hybrid
    ASUS Splendid Video Enhancement Technology
    ASUS USB Charger Plus
    ASUS Virtual Camera
    ASUS Virtual Touch
    ASUS WebStorage
    AsusVibe2.0
    ATK Package
    Bing Bar
    CCleaner
    CyberLink LabelPrint
    CyberLink Media Suite
    CyberLink Power2Go
    D3DX10
    DVD Decrypter (Remove Only)
    ETDWare PS/2-X64 10.5.9.0
    Fast Boot
    FormatFactory 2.70
    Galeria de Fotografias do Windows Live
    Galerie de photos Windows Live
    Galería fotográfica de Windows Live
    Google Chrome
    Graboid Video 3.32
    InstantOn for NB
    Intel(R) Manageability Engine Firmware Recovery Agent
    Intel(R) Management Engine Components
    Intel(R) OpenCL CPU Runtime
    Intel(R) Processor Graphics
    Intel(R) USB 3.0 eXtensible Host Controller Driver
    Intel® Trusted Connect Service Client
    iWisoft Free Video Converter 1.2
    iWisoft Free Video Downloader 2.1
    Junk Mail filter update
    Malwarebytes Anti-Malware version 1.65.1.1000
    Mesh Runtime
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Office 2010
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    MSVCRT
    MSVCRT_amd64
    Norton Identity Safe
    PKR
    Qualcomm Atheros WiFi Driver Installation
    Realtek Ethernet Controller Driver
    Realtek High Definition Audio Driver
    Realtek PCIE Card Reader
    Registrar Registry Manager 7.50
    SceneSwitch
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    ShowBiz DVD
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    VLC media player 1.0.1
    Windows Live
    Windows Live ???
    Windows Live ????
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Language Selector
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live Remote Client
    Windows Live Remote Client Resources
    Windows Live Remote Service
    Windows Live Remote Service Resources
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    WinFlash
    Wireless Console 3
    Wisdom-soft ScreenHunter 6.0 Free
    .
    ==== Event Viewer Messages From Past Week ========
    .
    18/11/2012 3:37:58 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
    18/11/2012 12:41:25 AM, Error: Microsoft-Windows-LanguagePackSetup [1001] - Failed to start language pack setup wizard. Please restart the system and try running the wizard again.
    18/11/2012 12:41:02 AM, Error: volmgr [46] - Crash dump initialization failed!
    .
    ==== End Of File ===========================

    # AdwCleaner v2.008 - Logfile created 11/18/2012 at 16:11:52
    # Updated 17/11/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : Sad0r - SAD0R-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Sad0r\Desktop\adwcleaner.exe
    # Option [Delete]
    ***** [Services] *****
    ***** [Files / Folders] *****
    ***** [Registry] *****
    Key Deleted : HKCU\Software\Softonic
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v9.0.8112.16421
    [OK] Registry is clean.
    *************************
    AdwCleaner[S1].txt - [553 octets] - [18/11/2012 16:11:52]
    ########## EOF - C:\AdwCleaner[S1].txt - [612 octets] ##########
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix scan

    Please download ComboFix by sUBs from BleepingComputer.com.

    Please save the file to your Desktop.

    Important information about ComboFix


    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on ComboFix.exe & follow the prompts.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  7. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    ComboFix 12-11-16.02 - Sad0r 19/11/2012 22:23:03.1.8 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.12174.10383 [GMT 11:00]
    Running from: c:\users\Sad0r\Desktop\Com.exe
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\$recycle.bin\S-1-5-21-3254260356-3574314768-983753981-1000\$RVN1D90.16385_none_1dd3ce8d1e7524cd\msdatt.dll
    c:\program files (x86)\INSTALL.LOG
    c:\programdata\1350326436.bdinstall.bin
    c:\programdata\1350885310.bdinstall.bin
    c:\programdata\1350905593.bdinstall.bin
    c:\programdata\ntuser.dat
    c:\windows\msvcr71.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-10-19 to 2012-11-19 )))))))))))))))))))))))))))))))
    .
    .
    2012-11-19 11:26 . 2012-11-19 11:26  --------  d-----w-  c:\users\Public\AppData\Local\temp
    2012-11-19 11:26 . 2012-11-19 11:26  --------  d-----w-  c:\users\Default\AppData\Local\temp
    2012-11-17 13:38 . 2012-11-17 13:38  --------  d-----w-  c:\windows\system32\drivers\NSTx64
    2012-11-17 13:38 . 2012-11-17 13:38  --------  d-----w-  c:\program files (x86)\Norton Identity Safe
    2012-11-17 13:20 . 2012-11-17 13:20  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
    2012-11-17 13:20 . 2012-09-29 08:54  25928  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-11-12 10:14 . 2012-11-12 10:14  --------  d-----w-  c:\users\Sad0r\AppData\Local\Diagnostics
    2012-11-05 05:30 . 2012-11-05 05:30  --------  d-----w-  c:\program files (x86)\iWisoft Free Video Downloader
    2012-11-05 05:23 . 2012-11-05 05:23  --------  d-----w-  c:\program files (x86)\iWisoft Free Video Converter
    2012-11-05 05:23 . 2009-09-29 09:57  758018  ----a-w-  c:\windows\SysWow64\xvidcore.dll
    2012-11-05 05:23 . 2008-12-04 10:46  180224  ----a-w-  c:\windows\SysWow64\xvidvfw.dll
    2012-11-05 05:23 . 2008-10-07 23:16  139264  ----a-w-  c:\windows\SysWow64\xvid.ax
    2012-11-04 05:33 . 2012-11-07 13:25  --------  d-----w-  c:\users\Sad0r\AppData\Local\CrashDumps
    2012-10-29 14:06 . 2012-10-29 14:08  --------  d-----w-  C:\silentrunners
    2012-10-25 15:28 . 2012-10-25 15:28  --------  d-----w-  C:\_OTM
    2012-10-25 14:39 . 2012-10-26 11:35  --------  d-----w-  c:\program files\Registrar Registry Manager
    2012-10-25 11:23 . 2012-11-18 04:51  --------  d-----w-  c:\users\Sad0r\AppData\Local\NPE
    2012-10-22 19:48 . 2012-10-12 07:19  9291768  ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{2CF52C71-4E6F-4B46-8A8F-B8966A578E00}\mpengine.dll
    2012-10-22 18:11 . 2012-11-19 11:16  --------  d-----w-  c:\program files (x86)\Common Files\Symantec Shared
    2012-10-22 12:04 . 2012-11-19 11:18  --------  d-----w-  c:\programdata\Norton
    2012-10-22 12:03 . 2012-11-19 11:18  --------  d-----w-  c:\program files (x86)\NortonInstaller
    2012-10-21 04:32 . 2012-10-21 04:32  --------  d-----w-  c:\programdata\Kaspersky Lab
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-11-19 11:19 . 2012-08-30 17:03  380  ----a-w-  c:\users\Sad0r\AppData\Roaming\sp_data.sys
    2012-10-29 21:01 . 2012-09-19 10:16  48648  ----a-w-  c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
    2012-10-29 21:01 . 2012-10-15 18:13  336208  ----a-w-  c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2012-10-25 08:33 . 2012-10-15 18:13  48648  ----a-w-  c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
    2012-10-22 06:03 . 2012-09-19 10:16  336208  ----a-w-  c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2012-09-27 13:18 . 2012-10-04 05:07  65309168  ----a-w-  c:\windows\system32\MRT.exe
    2012-09-14 19:19 . 2012-10-10 12:33  2048  ----a-w-  c:\windows\system32\tzres.dll
    2012-09-14 18:28 . 2012-10-10 12:33  2048  ----a-w-  c:\windows\SysWow64\tzres.dll
    2012-09-08 05:35 . 2012-09-08 05:35  348160  ----a-w-  c:\windows\SysWow64\msvcr71.dll
    2012-09-08 05:35 . 2012-09-08 05:35  1700352  ----a-w-  c:\windows\SysWow64\gdiplus.dll
    2012-09-08 05:35 . 2012-09-08 05:35  1060864  ----a-w-  c:\windows\SysWow64\mfc71.dll
    2012-08-31 18:19 . 2012-10-10 12:34  1659760  ----a-w-  c:\windows\system32\drivers\ntfs.sys
    2012-08-31 10:43 . 2012-08-31 10:43  80512  ----a-w-  c:\windows\ASUS K5 Series ScreenSaver Uninstaller.exe
    2012-08-31 10:43 . 2012-08-31 10:43  3058304  ----a-w-  c:\windows\AsScrPro.exe
    2012-08-30 18:03 . 2012-10-10 12:34  5559664  ----a-w-  c:\windows\system32\ntoskrnl.exe
    2012-08-30 17:12 . 2012-10-10 12:34  3914096  ----a-w-  c:\windows\SysWow64\ntoskrnl.exe
    2012-08-30 17:12 . 2012-10-10 12:33  3968880  ----a-w-  c:\windows\SysWow64\ntkrnlpa.exe
    2012-08-30 17:04 . 2011-03-29 02:36  19720  ----a-w-  c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-08-24 18:05 . 2012-10-10 12:33  220160  ----a-w-  c:\windows\system32\wintrust.dll
    2012-08-24 16:57 . 2012-10-10 12:33  172544  ----a-w-  c:\windows\SysWow64\wintrust.dll
    2012-08-24 11:15 . 2012-09-26 17:00  17810944  ----a-w-  c:\windows\system32\mshtml.dll
    2012-08-24 10:39 . 2012-09-26 17:00  10925568  ----a-w-  c:\windows\system32\ieframe.dll
    2012-08-24 10:31 . 2012-09-26 17:00  2312704  ----a-w-  c:\windows\system32\jscript9.dll
    2012-08-24 10:22 . 2012-09-26 17:00  1346048  ----a-w-  c:\windows\system32\urlmon.dll
    2012-08-24 10:21 . 2012-09-26 17:00  1392128  ----a-w-  c:\windows\system32\wininet.dll
    2012-08-24 10:20 . 2012-09-26 17:00  1494528  ----a-w-  c:\windows\system32\inetcpl.cpl
    2012-08-24 10:18 . 2012-09-26 17:00  237056  ----a-w-  c:\windows\system32\url.dll
    2012-08-24 10:17 . 2012-09-26 17:00  85504  ----a-w-  c:\windows\system32\jsproxy.dll
    2012-08-24 10:14 . 2012-09-26 17:00  173056  ----a-w-  c:\windows\system32\ieUnatt.exe
    2012-08-24 10:14 . 2012-09-26 17:00  816640  ----a-w-  c:\windows\system32\jscript.dll
    2012-08-24 10:13 . 2012-09-26 17:00  599040  ----a-w-  c:\windows\system32\vbscript.dll
    2012-08-24 10:12 . 2012-09-26 17:00  2144768  ----a-w-  c:\windows\system32\iertutil.dll
    2012-08-24 10:11 . 2012-09-26 17:00  729088  ----a-w-  c:\windows\system32\msfeeds.dll
    2012-08-24 10:10 . 2012-09-26 17:00  96768  ----a-w-  c:\windows\system32\mshtmled.dll
    2012-08-24 10:09 . 2012-09-26 17:00  2382848  ----a-w-  c:\windows\system32\mshtml.tlb
    2012-08-24 10:04 . 2012-09-26 17:00  248320  ----a-w-  c:\windows\system32\ieui.dll
    2012-08-24 06:59 . 2012-09-26 17:00  1800704  ----a-w-  c:\windows\SysWow64\jscript9.dll
    2012-08-24 06:51 . 2012-09-26 17:00  1129472  ----a-w-  c:\windows\SysWow64\wininet.dll
    2012-08-24 06:51 . 2012-09-26 17:00  1427968  ----a-w-  c:\windows\SysWow64\inetcpl.cpl
    2012-08-24 06:47 . 2012-09-26 17:00  142848  ----a-w-  c:\windows\SysWow64\ieUnatt.exe
    2012-08-24 06:47 . 2012-09-26 17:00  420864  ----a-w-  c:\windows\SysWow64\vbscript.dll
    2012-08-24 06:43 . 2012-09-26 17:00  2382848  ----a-w-  c:\windows\SysWow64\mshtml.tlb
    2012-08-22 18:12 . 2012-09-12 08:49  1913200  ----a-w-  c:\windows\system32\drivers\tcpip.sys
    2012-08-22 18:12 . 2012-09-12 08:49  950128  ----a-w-  c:\windows\system32\drivers\ndis.sys
    2012-08-22 18:12 . 2012-09-12 08:49  376688  ----a-w-  c:\windows\system32\drivers\netio.sys
    2012-08-22 18:12 . 2012-09-12 08:49  288624  ----a-w-  c:\windows\system32\drivers\FWPKCLNT.SYS
    2012-08-21 21:01 . 2012-09-26 01:15  245760  ----a-w-  c:\windows\system32\OxpsConverter.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{AB4C7833-A6EC-433f-B9FE-6B14B1A2F836}]
    2012-10-18 17:57  498584  ----a-r-  c:\program files (x86)\Norton Identity Safe\Engine\2013.2.0.18\CoIEPlg.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{A13C2648-91D4-4bf3-BC6D-0079707C4389}"= "c:\program files (x86)\Norton Identity Safe\Engine\2013.2.0.18\coIEPlg.dll" [2012-10-18 498584]
    .
    [HKEY_CLASSES_ROOT\clsid\{a13c2648-91d4-4bf3-bc6d-0079707c4389}]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-16 932288]
    "ASUSPRP"="c:\program files (x86)\ASUS\APRP\APRP.EXE" [2012-02-18 3331312]
    "ASUSWebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe" [2011-07-29 737104]
    "USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-02-07 291608]
    "Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2012-02-02 2321072]
    "ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2012-06-25 322208]
    "ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2012-06-19 174752]
    "HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    AsusVibeLauncher.lnk - c:\program files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe [2012-2-18 549040]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer3"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
    R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys [2009-06-10 57344]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-23 565352]
    R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [2009-06-10 56832]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 31232]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-09-03 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-02-07 16152]
    S1 ATKWMIACPIIO;ATKWMIACPI Driver;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2011-09-06 17536]
    S1 ccSet_NST;Norton Identity Safe Settings Manager;c:\windows\system32\drivers\NSTx64\7DD02000.012\ccSetx64.sys [2012-10-04 168096]
    S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [2011-03-03 379520]
    S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-02 15416]
    S2 ASUS InstantOn;ASUS InstantOn Service;c:\program files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe [2012-02-03 277120]
    S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2011-12-08 607456]
    S2 Intel(R) ME Service;Intel(R) ME Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [2011-12-16 128280]
    S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [2011-12-16 161560]
    S2 NCO;Norton Identity Safe;c:\program files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccSvcHst.exe [2012-10-11 143928]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-12-16 363800]
    S3 AiCharger;ASUS Charger Driver;c:\windows\system32\DRIVERS\AiCharger.sys [2012-01-30 17152]
    S3 AsusVBus;AsusVBus;c:\windows\system32\DRIVERS\AsusVBus.sys [2011-12-21 35968]
    S3 AsusVTouch;AsusVTouch;c:\windows\system32\DRIVERS\AsusVTouch.sys [2011-11-08 16512]
    S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2012-02-19 200488]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2012-02-20 331264]
    S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-02-07 356120]
    S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-02-07 787736]
    S3 RSBASTOR;Realtek PCIE CardReader Driver - BA;c:\windows\system32\DRIVERS\RtsBaStor.sys [2012-02-01 292968]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3254260356-3574314768-983753981-1000Core.job
    - c:\users\Sad0r\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-26 02:50]
    .
    2012-10-13 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
    - c:\program files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]
    .
    2012-10-13 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
    - c:\program files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
    @="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"
    [HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]
    2011-05-25 07:09  227840  ----a-w-  c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
    @="{64174815-8D98-4CE6-8646-4C039977D808}"
    [HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]
    2011-05-25 07:09  227840  ----a-w-  c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-02-22 170264]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-02-22 398616]
    "ETDCtrl"="c:\program files (x86)\Elantech\ETDCtrl.exe" [BU]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://google.com.au/
    mStart Page = about:blank
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.0.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    SafeBoot-77118655.sys
    SafeBoot-95310364.sys
    Toolbar-Locked - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NCO]
    "ImagePath"="\"c:\program files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccSvcHst.exe\" /s \"NCO\" /m \"c:\program files (x86)\Norton Identity Safe\Engine\2013.2.0.18\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-11-19 22:27:50
    ComboFix-quarantined-files.txt 2012-11-19 11:27
    ComboFix2.txt 2012-09-20 23:35
    .
    Pre-Run: 171,741,958,144 bytes free
    Post-Run: 171,226,935,296 bytes free
    .
    - - End Of File - - 5E4364868D838EF217D48A15D9C1CABD
  8. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    Hey DMJ, this line at the top I have also seen in my 2TB Seagate hard drive (c:\$recycle.bin\S-1-5-21-3254260356-3574314768-983753981-1000\$RV.....), hidden away in a hidden recycle bin within another, and I can't delete it as it just keeps saying access denied, and even after changing permissions and deleting it, it just respawns. So I'll wait to see what you can see about these logs first and concentrate on the laptop before the HD, and I won't plug it in again either until you say so. Long story short: we had an infected laptop in the house, and after trying to delete the virus manually the infected laptop self-activated Windows Media Player sharing and we literally watched the other 2 laptops in the house activate and join with the initial one. So after giving up on the first and throwing it in a drawer to die, we both noticed our 2 good LTs were joining still, and every time we turn them on they keep trying to install an unwanted network adapter. So I reformatted hers and it seems to be OK so far, but as I just bought this expensive one and have been reading about some new rootkit that even infects a machine's MBR, I thought I would let an expert have a look, and here we are.. so seek and DESTROY ;)
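As an added example, not part of this thread and not ComboFix's or the helper's code, here is a small Python parser for the ComboFix log posted above. The line layout (created date, modified date, size or a dash run for a directory, the 8-character attribute string, path) and the section banners are taken from that log; the "Other Deletions" section is path-only and is parsed as such. On top of the parse it attaches a few review pointers that are constructed for illustration and are things for a human reviewer to check, not malware verdicts: a file nested inside a Recycle Bin SID folder (the `$recycle.bin\S-1-5-21-...` path both the log and the post above mention), a driver-extension file outside `\windows`, and a hidden/system attribute, which assumes ComboFix marks those with `s`/`h` in the attribute string (an assumption; only `d`, `a`, `w` and `r` appear on this page). The regex also tolerates the collapsed form in which the forum software dropped the tab separators.

```python
"""Parse ComboFix file-listing lines and attach review pointers.

Added example for this thread; it is not ComboFix's or the helper's code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One dated entry: created . modified, size (digits, or a dash run for a
# directory), the 8-character ComboFix attribute string, then the path.
# \s* accepts the tab separators ComboFix writes and also the collapsed form
# seen when forum software strips the tabs ("08:5425928----a-w-c:\...").
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s*(\d+|-{8})\s*([-a-z]{8})\s*(.+?)\s*$"
)
# Section banners look like "(((((( Other Deletions ))))))".
SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")
# Path-only lines, as in the "Other Deletions" section.
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    section: str
    created: str            # "" for path-only lines
    modified: str
    size: Optional[int]     # None for directories and path-only lines
    attrs: str              # raw attribute string, e.g. "----a-w-" ("" if absent)
    path: str
    flags: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        # Directories carry "d" in the first attribute column (d-----w- in the log).
        return self.attrs.startswith("d")


def parse(log: str) -> List[Entry]:
    entries: List[Entry] = []
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = LINE_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            entries.append(Entry(section, created, modified,
                                 None if size.startswith("-") else int(size),
                                 attrs, path))
        elif section == "Other Deletions" and PATH_RE.match(line):
            entries.append(Entry(section, "", "", None, "", line))
        # ".", "REGEDIT4", registry keys and free text are skipped
    return entries


def review(entries: List[Entry]) -> None:
    """Attach review pointers: constructed heuristics for a human to check, not verdicts."""
    for e in entries:
        p = e.path.lower()
        if "$recycle.bin\\" in p and not e.is_dir:
            e.flags.append("file inside a Recycle Bin SID folder")
        # Assumption: ComboFix marks system/hidden files with "s"/"h" in the attribute string.
        if "s" in e.attrs or "h" in e.attrs:
            e.flags.append("hidden/system attribute")
        if p.endswith(".sys") and not p.startswith("c:\\windows\\"):
            e.flags.append("driver-extension file outside \\windows")


def flagged(log: str) -> Dict[str, List[str]]:
    """Return only the entries that picked up at least one pointer."""
    entries = parse(log)
    review(entries)
    return {e.path: e.flags for e in entries if e.flags}


# Constructed excerpt: lines copied from the ComboFix log above, with the
# separators restored, plus one line left in the collapsed form as posted.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-3254260356-3574314768-983753981-1000\$RVN1D90.16385_none_1dd3ce8d1e7524cd\msdatt.dll
c:\programdata\ntuser.dat
.
((((((((((((((((((((((((( Files Created from 2012-10-19 to 2012-11-19 )))))))))))))))))))))))))))))))
.
2012-11-17 13:20 . 2012-11-17 13:20  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2012-11-17 13:20 . 2012-09-29 08:54  25928  ----a-w-  c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-19 11:19 . 2012-08-30 17:03  380  ----a-w-  c:\users\Sad0r\AppData\Roaming\sp_data.sys
2012-09-27 13:18 . 2012-10-04 05:0765309168----a-w-c:\windows\system32\MRT.exe
"""

if __name__ == "__main__":
    for path, flags in flagged(SAMPLE_LOG).items():
        print(path, "->", "; ".join(flags))
```

Run against the sample it reports the `msdatt.dll` entry under the Recycle Bin SID folder and `sp_data.sys` under the user's Roaming profile, and nothing for the Malwarebytes driver or `MRT.exe`; those two pointers are exactly the lines a helper would ask about, and the whitelisted system files fall through silently.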
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let's do the following:

    Farbar Recovery Scan Tool x64

    Download Farbar Recovery Scan Tool and save it to a flash drive.


    Please make sure to get the 64-bit version

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button. It will do its scan and save a log on your flash drive.
    • Close out of the message after that, then type in the text services.exe into the "Search:" text box. Then, press the Search file(s) button.
      When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
    • Type exit in the Command Prompt window and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
  10. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    Sorry for taking so long, I'm working 17-hour shifts; it'll be done by tomorrow night ;)
  11. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-11-2012
    Ran by SYSTEM at 21-11-2012 08:54:09
    Running from E:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [x]
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-11-15] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [ASUSPRP] "C:\Program Files (x86)\ASUS\APRP\APRP.EXE" [3331312 2012-02-17] (ASUSTek Computer Inc.)
    HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe /S [737104 2011-07-29] (ecareme)
    HKLM-x32\...\Run: [USB3MON] "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [291608 2012-02-06] (Intel Corporation)
    HKLM-x32\...\Run: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [2321072 2012-02-02] (ASUSTeK Computer Inc.)
    HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [322208 2012-06-24] (ASUSTek Computer Inc.)
    HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [174752 2012-06-18] (ASUSTek Computer Inc.)
    HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-18] (ASUS)
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\AsusVibeLauncher.lnk
    ShortcutTarget: AsusVibeLauncher.lnk -> C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe (ASUSTeK Computer Inc.)

    ==================== Services (Whitelisted) ===================

    2 ASUS InstantOn; C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe [277120 2012-02-03] (ASUS)
    2 ATKGFNEXSrv; C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [96896 2011-11-20] (ASUS)
    2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [128280 2011-12-16] ()
    2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [161560 2011-12-16] (Intel Corporation)
    2 N360; "C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\ccSvcHst.exe" /s "N360" /m "C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\diMaster.dll" /prefetch:1 [535416 2012-10-11] (Symantec Corporation)
    2 NCO; "C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccSvcHst.exe" /s "NCO" /m "C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\diMaster.dll" /prefetch:1 [535416 2012-10-11] (Symantec Corporation)

    ==================== Drivers (Whitelisted) =====================

    3 AiCharger; C:\Windows\System32\Drivers\AiCharger.sys [17152 2012-01-30] (ASUSTek Computer Inc.)
    3 AiCharger; C:\Windows\SysWow64\Drivers\AiCharger.sys [17152 2012-01-30] (ASUSTek Computer Inc.)
    3 AsusVBus; C:\Windows\System32\Drivers\AsusVBus.sys [35968 2011-12-21] (Windows (R) Win 7 DDK provider)
    3 AsusVTouch; C:\Windows\System32\Drivers\AsusVTouch.sys [16512 2011-11-07] (Windows (R) Win 7 DDK provider)
    1 ATKWMIACPIIO; \??\C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [17536 2011-09-06] (ASUS)
    1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\BASHDefs\20121106.001\BHDrvx64.sys [1384608 2012-10-23] (Symantec Corporation)
    1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1402000.013\ccSetx64.sys [168096 2012-10-03] (Symantec Corporation)
    1 ccSet_NST; C:\Windows\system32\drivers\NSTx64\7DD02000.012\ccSetx64.sys [168096 2012-10-03] (Symantec Corporation)
    1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-11-16] (Symantec Corporation)
    3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-11-16] (Symantec Corporation)
    1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\IPSDefs\20121119.001\IDSvia64.sys [513184 2012-11-18] (Symantec Corporation)
    3 kbfiltr; C:\Windows\System32\Drivers\kbfiltr.sys [15416 2009-07-20] ( )
    3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\VirusDefs\20121119.022\ENG64.SYS [126112 2012-11-16] (Symantec Corporation)
    3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\VirusDefs\20121119.022\EX64.SYS [2084000 2012-11-16] (Symantec Corporation)
    3 RSBASTOR; C:\Windows\System32\DRIVERS\RtsBaStor.sys [292968 2012-02-01] (Realtek Semiconductor Corp.)
    3 SRTSP; C:\Windows\system32\drivers\N360x64\1402000.013\SRTSP64.SYS [776864 2012-10-08] (Symantec Corporation)
    1 SRTSPX; C:\Windows\system32\drivers\N360x64\1402000.013\SRTSPX64.SYS [37496 2012-09-06] (Symantec Corporation)
    0 SymDS; C:\Windows\System32\drivers\N360x64\1402000.013\SYMDS64.SYS [493216 2012-10-03] (Symantec Corporation)
    0 SymEFA; C:\Windows\System32\drivers\N360x64\1402000.013\SYMEFA64.SYS [1133216 2012-10-03] (Symantec Corporation)
    3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2012-11-19] (Symantec Corporation)
    1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [43680 2012-09-06] (Symantec Corporation)
    1 SymIRON; C:\Windows\system32\drivers\N360x64\1402000.013\Ironx64.SYS [224416 2012-09-06] (Symantec Corporation)
    1 SymNetS; C:\Windows\system32\drivers\N360x64\1402000.013\SYMNETS.SYS [432800 2012-09-06] (Symantec Corporation)
    3 catchme; \??\C:\Com\catchme.sys [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2012-11-20 06:16 - 2012-11-20 06:16 - 01154548 ____A C:\Users\Sad0r\Desktop\bookmkkk_11_21_12.html
    2012-11-19 09:45 - 2012-11-19 09:45 - 00001175 ____A C:\Users\Sad0r\Desktop\adsl.txt
    2012-11-19 07:37 - 2012-11-20 13:49 - 00524288 ____A C:\Windows\System32\Ikeext.etl
    2012-11-19 06:57 - 2012-11-19 08:49 - 00000000 ____D C:\Netgear
    2012-11-19 04:14 - 2012-11-19 10:59 - 00002611 ____A C:\Users\Sad0r\Desktop\fillll.txt
    2012-11-19 03:41 - 2012-09-06 18:05 - 00043680 ___RA (Symantec Corporation) C:\Windows\System32\Drivers\SymIMV.sys
    2012-11-19 03:35 - 2012-11-19 03:35 - 00177312 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
    2012-11-19 03:35 - 2012-11-19 03:35 - 00007466 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
    2012-11-19 03:35 - 2012-11-19 03:35 - 00000000 ____D C:\Program Files\Symantec
    2012-11-19 03:35 - 2012-11-19 03:35 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
    2012-11-19 03:34 - 2012-11-19 03:34 - 00002393 ____A C:\Users\Public\Desktop\Norton 360.lnk
    2012-11-19 03:34 - 2012-11-19 03:34 - 00000000 ____D C:\Windows\System32\Drivers\N360x64
    2012-11-19 03:34 - 2012-11-19 03:34 - 00000000 ____D C:\Program Files (x86)\Norton 360
    2012-11-19 03:27 - 2012-11-19 03:27 - 00018998 ____A C:\ComboFix.txt
    2012-11-19 03:21 - 2012-11-19 03:27 - 00000000 ____D C:\Windows\erdnt
    2012-11-19 03:21 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-11-19 03:21 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-11-19 03:21 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-11-19 03:21 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-11-19 03:21 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-11-19 03:21 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
    2012-11-19 03:21 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
    2012-11-19 03:21 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
    2012-11-19 03:10 - 2012-11-19 03:13 - 05002404 ____R (Swearware) C:\Users\Sad0r\Desktop\Com.exe
    2012-11-17 21:11 - 2012-11-17 21:11 - 00000680 ____A C:\AdwCleaner[S1].txt
    2012-11-17 20:58 - 2012-11-17 20:58 - 00000000 ____D C:\Users\Sad0r\Documents\Symantec
    2012-11-17 20:54 - 2012-11-19 03:34 - 00001298 ____A C:\Users\Sad0r\Desktop\Norton Installation Files.lnk
    2012-11-17 20:54 - 2012-11-17 20:54 - 00915464 ____A (Symantec Corporation) C:\Users\Sad0r\Desktop\N360Downloader.exe
    2012-11-17 20:54 - 2012-11-17 20:54 - 00000000 ____D C:\Users\Public\Downloads\Norton
    2012-11-17 20:43 - 2012-11-17 20:43 - 00017859 ____A C:\Users\Sad0r\Desktop\dds.txt
    2012-11-17 20:43 - 2012-11-17 20:43 - 00005812 ____A C:\Users\Sad0r\Desktop\attach.txt
    2012-11-17 05:38 - 2012-11-17 05:38 - 00000000 ____D C:\Windows\System32\Drivers\NSTx64
    2012-11-17 05:38 - 2012-11-17 05:38 - 00000000 ____D C:\Program Files (x86)\Norton Identity Safe
    2012-11-17 05:20 - 2012-11-17 05:20 - 00000916 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-17 05:20 - 2012-11-17 05:20 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-11-17 05:20 - 2012-09-29 00:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-11-17 05:18 - 2012-11-17 05:19 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\Sad0r\Desktop\mbam-setup-1.65.1.1000.exe
    2012-11-17 05:15 - 2012-11-20 13:15 - 02154832 ____A C:\Windows\PFRO.log
    2012-11-17 03:59 - 2012-11-17 03:59 - 01149813 ____A C:\Users\Sad0r\Desktop\bookmarksTT_17_12.html
    2012-11-16 09:28 - 2012-11-16 09:29 - 00001483 ____A C:\Users\Sad0r\Documents\acpie.txt
    2012-11-16 03:43 - 2012-11-16 03:43 - 00000365 ____A C:\Users\Sad0r\Desktop\Block_Autorun.inf_Files.reg
    2012-11-16 03:43 - 2012-11-16 03:43 - 00000330 ____A C:\Users\Sad0r\Desktop\Unblock_Autorun.inf_Files.reg
    2012-11-12 20:57 - 2012-11-12 20:57 - 03258000 ____A (BrightFort LLC ) C:\Users\Sad0r\Desktop\spup46.exe
    2012-11-12 04:46 - 2012-11-12 04:46 - 00347424 ____A (Microsoft Corporation) C:\Users\Sad0r\Desktop\MicrosoftFixit.malware.Run.exe
    2012-11-12 03:00 - 2012-11-12 03:00 - 01777664 ____A C:\Users\Sad0r\Desktop\MBSASetup-x64-EN.msi
    2012-11-12 02:59 - 2012-11-12 02:59 - 17667616 ____A (Microsoft Corporation) C:\Users\Sad0r\Desktop\Win.exe
    2012-11-11 09:38 - 2012-11-11 09:38 - 15140440 ____A (flashvideodownloader.org ) C:\Users\Sad0r\Downloads\fvdsuite_installer.exe
    2012-11-11 09:38 - 2012-11-11 09:38 - 15140440 ____A (flashvideodownloader.org ) C:\Users\Sad0r\Documents\fvdsuite_installer.ext
    2012-11-09 10:11 - 2012-11-20 13:34 - 00003100 ____A C:\Windows\setupact.log
    2012-11-09 10:11 - 2012-11-09 10:11 - 00000000 ____A C:\Windows\setuperr.log
    2012-11-09 10:09 - 2012-11-09 10:09 - 00062516 ____A C:\Users\Sad0r\Documents_1121009_180957.dmp
    2012-11-09 10:09 - 2012-11-09 10:09 - 00000552 ____A C:\Users\Sad0r\Documents_1121009_180957_main.txt
    2012-11-09 09:58 - 2012-11-09 09:58 - 00002846 ____A C:\Users\Sad0r\SEXXX.txt
    2012-11-09 05:54 - 2012-11-09 05:54 - 00000025 ____A C:\Users\Sad0r\THE BEST EVER.txt
    2012-11-07 05:29 - 2012-11-07 05:29 - 00005750 ____A C:\Users\Sad0r\Documents\cc_20121108_002907.reg
    2012-11-07 05:29 - 2012-11-07 05:29 - 00001448 ____A C:\Users\Sad0r\Documents\cc_20121108_002939.reg
    2012-11-06 08:20 - 2012-11-09 08:22 - 00000000 ____D C:\Users\Sad0r\Desktop\hott
    2012-11-05 08:30 - 2012-11-05 08:30 - 00000061 ____A C:\Users\Sad0r\FFFFFF.txt
    2012-11-05 07:30 - 2012-11-05 07:32 - 20345824 ____A (flashvideodownloader.org ) C:\Users\Sad0r\Downloads\fvdsuite-2.7.6-release.exe
    2012-11-04 21:32 - 2012-11-04 21:32 - 00079393 ____A C:\Users\Sad0r\Documents_1121005_053236.dmp
    2012-11-04 21:32 - 2012-11-04 21:32 - 00000471 ____A C:\Users\Sad0r\Documents_1121005_053236_main.txt
    2012-11-04 21:31 - 2012-11-04 21:31 - 00080641 ____A C:\Users\Sad0r\Documents_1121005_053114.dmp
    2012-11-04 21:31 - 2012-11-04 21:31 - 00000534 ____A C:\Users\Sad0r\Documents_1121005_053114_main.txt
    2012-11-04 21:30 - 2012-11-04 21:30 - 00001085 ____A C:\Users\Sad0r\Desktop\iWisoft Free Video Downloader.lnk
    2012-11-04 21:30 - 2012-11-04 21:30 - 00000000 ____D C:\Program Files (x86)\iWisoft Free Video Downloader
    2012-11-04 21:26 - 2012-11-04 21:27 - 03127375 ____A (www.iwisoft.com ) C:\Users\Sad0r\Documents\flashvideodownloader.exe
    2012-11-04 21:23 - 2012-11-20 05:18 - 00000000 ____D C:\Users\Sad0r\Documents\iWisoft Free Video Converter
    2012-11-04 21:23 - 2012-11-19 14:31 - 00000000 ____D C:\Program Files (x86)\iWisoft Free Video Converter
    2012-11-04 21:23 - 2012-11-04 21:23 - 00001075 ____A C:\Users\Sad0r\Desktop\iWisoft Free Video Converter.lnk
    2012-11-04 21:23 - 2009-09-29 01:57 - 00758018 ____A C:\Windows\SysWOW64\xvidcore.dll
    2012-11-04 21:23 - 2008-12-04 02:46 - 00180224 ____A C:\Windows\SysWOW64\xvidvfw.dll
    2012-11-04 21:23 - 2008-10-07 15:16 - 00139264 ____A (http://www.xvid.org) C:\Windows\SysWOW64\xvid.ax
    2012-11-04 21:20 - 2012-11-04 21:21 - 09120817 ____A (www.easy-video-converter.com ) C:\Users\Sad0r\Documents\videoconverter.exe
    2012-11-03 21:33 - 2012-11-19 08:28 - 00000000 ____D C:\Users\Sad0r\AppData\Local\CrashDumps
    2012-11-03 09:06 - 2012-11-03 09:06 - 00000512 ____A C:\Users\Sad0r\Desktop\MBR.dat
    2012-11-03 07:50 - 2012-11-03 07:50 - 00448512 ____A (OldTimer Tools) C:\Users\Sad0r\Desktop\TFC.exe
    2012-10-29 07:06 - 2012-10-29 07:06 - 00655360 ____A C:\Users\Sad0r\Desktop\MicrosoftFixit50471.msi
    2012-10-29 06:47 - 2012-11-06 01:44 - 00000000 ____D C:\Users\Sad0r\Desktop\crapola
    2012-10-29 06:06 - 2012-10-29 06:08 - 00000000 ____D C:\silentrunners
    2012-10-29 05:50 - 2012-10-29 05:57 - 00000336 ____A C:\Users\Sad0r\silent.txt
    2012-10-29 05:30 - 2012-10-29 05:30 - 00002549 ____A C:\Users\Sad0r\xxx.txt
    2012-10-29 04:32 - 2012-10-29 04:32 - 00000987 ____A C:\Users\Sad0r\MUD.txt
    2012-10-28 08:33 - 2012-10-28 08:33 - 00001407 ____A C:\Users\Sad0r\GYYYY.txt
    2012-10-28 03:41 - 2012-10-28 03:41 - 00000000 ____A C:\Windows\System32\remote_PC.csv
    2012-10-25 21:11 - 2012-10-25 21:11 - 00000026 ____A C:\Users\Sad0r\AMOLD.txt
    2012-10-25 10:51 - 2012-10-25 10:51 - 00000764 ____A C:\Users\Sad0r\quir.txt
    2012-10-25 07:40 - 2012-10-25 07:40 - 00000035 ____A C:\Users\Sad0r\hookd.txt
    2012-10-25 07:28 - 2012-10-25 07:28 - 00000000 ____D C:\_OTM
    2012-10-25 07:21 - 2012-10-25 07:21 - 00000391 ____A C:\Users\Sad0r\reddd.txt
    2012-10-25 07:12 - 2012-10-25 07:12 - 00000035 ____A C:\Users\Sad0r\convo.txt
    2012-10-25 06:39 - 2012-10-26 03:35 - 00000000 ____D C:\Program Files\Registrar Registry Manager
    2012-10-25 06:39 - 2012-10-25 06:42 - 00001057 ____A C:\Users\Sad0r\Desktop\Registrar Registry Manager.lnk
    2012-10-25 06:00 - 2012-10-25 06:00 - 00000042 ____A C:\Users\Sad0r\conh.txt
    2012-10-25 04:39 - 2012-10-25 04:39 - 00000093 ____A C:\Users\Sad0r\dri.txt
    2012-10-25 03:59 - 2012-10-25 04:40 - 00000157 ____A C:\Users\Sad0r\DRIVE.txt
    2012-10-25 03:23 - 2012-11-17 20:51 - 00000000 ____D C:\Users\Sad0r\AppData\Local\NPE
    2012-10-25 02:51 - 2012-10-25 02:51 - 02957840 ____A (Symantec Corporation) C:\Users\Sad0r\Desktop\Nuts.exe
    2012-10-23 05:45 - 2012-10-23 05:45 - 00005768 ____A C:\Users\Sad0r\Documents\cc_20121024_004532.reg
    2012-10-23 05:40 - 2012-10-23 05:40 - 00001151 ____A C:\Users\Sad0r\sum.txt
    2012-10-22 20:32 - 2012-10-23 03:37 - 00015255 ____A C:\Users\Sad0r\mee.txt
    2012-10-22 04:09 - 2012-10-22 04:09 - 00000635 ____A C:\Users\Sad0r\nor.txt
    2012-10-22 04:04 - 2012-11-19 03:37 - 00000000 ____D C:\Users\All Users\Norton


    ==================== One Month Modified Files and Folders =======

    2012-11-21 08:53 - 2012-11-21 08:53 - 00000000 ____D C:\FRST
    2012-11-20 13:49 - 2012-11-19 07:37 - 00524288 ____A C:\Windows\System32\Ikeext.etl
    2012-11-20 13:49 - 2012-10-21 03:44 - 01868064 ____A C:\Windows\WindowsUpdate.log
    2012-11-20 13:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\tracing
    2012-11-20 13:42 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-11-20 13:42 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-11-20 13:39 - 2009-07-13 21:13 - 00778834 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-11-20 13:36 - 2012-08-30 09:03 - 00000380 ____A C:\Users\Sad0r\AppData\Roaming\sp_data.sys
    2012-11-20 13:34 - 2012-11-09 10:11 - 00003100 ____A C:\Windows\setupact.log
    2012-11-20 13:34 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-11-20 13:15 - 2012-11-17 05:15 - 02154832 ____A C:\Windows\PFRO.log
    2012-11-20 06:17 - 2012-09-08 06:47 - 00000000 ____D C:\Users\Sad0r\AppData\Roaming\vlc
    2012-11-20 06:16 - 2012-11-20 06:16 - 01154548 ____A C:\Users\Sad0r\Desktop\bookmkkk_11_21_12.html
    2012-11-20 05:29 - 2012-09-06 00:06 - 00000000 ____D C:\Users\Sad0r\Documents\FFOutput
    2012-11-20 05:28 - 2012-09-22 05:48 - 00000000 ____D C:\Users\Sad0r\Documents\iWisoft Free Video Downloader
    2012-11-20 05:18 - 2012-11-04 21:23 - 00000000 ____D C:\Users\Sad0r\Documents\iWisoft Free Video Converter
    2012-11-19 14:31 - 2012-11-04 21:23 - 00000000 ____D C:\Program Files (x86)\iWisoft Free Video Converter
    2012-11-19 12:18 - 2012-09-26 10:10 - 00000000 ____D C:\Users\Sad0r\Documents\My Albums
    2012-11-19 10:59 - 2012-11-19 04:14 - 00002611 ____A C:\Users\Sad0r\Desktop\fillll.txt
    2012-11-19 10:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
    2012-11-19 09:45 - 2012-11-19 09:45 - 00001175 ____A C:\Users\Sad0r\Desktop\adsl.txt
    2012-11-19 08:49 - 2012-11-19 06:57 - 00000000 ____D C:\Netgear
    2012-11-19 08:28 - 2012-11-03 21:33 - 00000000 ____D C:\Users\Sad0r\AppData\Local\CrashDumps
    2012-11-19 03:37 - 2012-10-22 04:04 - 00000000 ____D C:\Users\All Users\Norton
    2012-11-19 03:35 - 2012-11-19 03:35 - 00177312 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
    2012-11-19 03:35 - 2012-11-19 03:35 - 00007466 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
    2012-11-19 03:35 - 2012-11-19 03:35 - 00000000 ____D C:\Program Files\Symantec
    2012-11-19 03:35 - 2012-11-19 03:35 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
    2012-11-19 03:34 - 2012-11-19 03:34 - 00002393 ____A C:\Users\Public\Desktop\Norton 360.lnk
    2012-11-19 03:34 - 2012-11-19 03:34 - 00000000 ____D C:\Windows\System32\Drivers\N360x64
    2012-11-19 03:34 - 2012-11-19 03:34 - 00000000 ____D C:\Program Files (x86)\Norton 360
    2012-11-19 03:34 - 2012-11-17 20:54 - 00001298 ____A C:\Users\Sad0r\Desktop\Norton Installation Files.lnk
    2012-11-19 03:27 - 2012-11-19 03:27 - 00018998 ____A C:\ComboFix.txt
    2012-11-19 03:27 - 2012-11-19 03:21 - 00000000 ____D C:\Windows\erdnt
    2012-11-19 03:27 - 2012-09-20 15:30 - 00000000 ____D C:\Qoobox
    2012-11-19 03:26 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
    2012-11-19 03:13 - 2012-11-19 03:10 - 05002404 ____R (Swearware) C:\Users\Sad0r\Desktop\Com.exe
    2012-11-17 21:11 - 2012-11-17 21:11 - 00000680 ____A C:\AdwCleaner[S1].txt
    2012-11-17 20:58 - 2012-11-17 20:58 - 00000000 ____D C:\Users\Sad0r\Documents\Symantec
    2012-11-17 20:54 - 2012-11-17 20:54 - 00915464 ____A (Symantec Corporation) C:\Users\Sad0r\Desktop\N360Downloader.exe
    2012-11-17 20:54 - 2012-11-17 20:54 - 00000000 ____D C:\Users\Public\Downloads\Norton
    2012-11-17 20:51 - 2012-10-25 03:23 - 00000000 ____D C:\Users\Sad0r\AppData\Local\NPE
    2012-11-17 20:43 - 2012-11-17 20:43 - 00017859 ____A C:\Users\Sad0r\Desktop\dds.txt
    2012-11-17 20:43 - 2012-11-17 20:43 - 00005812 ____A C:\Users\Sad0r\Desktop\attach.txt
    2012-11-17 05:53 - 2012-08-31 02:43 - 00001783 ____A C:\Windows\System32\ServiceFilter.ini
    2012-11-17 05:38 - 2012-11-17 05:38 - 00000000 ____D C:\Windows\System32\Drivers\NSTx64
    2012-11-17 05:38 - 2012-11-17 05:38 - 00000000 ____D C:\Program Files (x86)\Norton Identity Safe
    2012-11-17 05:20 - 2012-11-17 05:20 - 00000916 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-17 05:20 - 2012-11-17 05:20 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-11-17 05:19 - 2012-11-17 05:18 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\Sad0r\Desktop\mbam-setup-1.65.1.1000.exe
    2012-11-17 03:59 - 2012-11-17 03:59 - 01149813 ____A C:\Users\Sad0r\Desktop\bookmarksTT_17_12.html
    2012-11-16 09:29 - 2012-11-16 09:28 - 00001483 ____A C:\Users\Sad0r\Documents\acpie.txt
    2012-11-16 03:43 - 2012-11-16 03:43 - 00000365 ____A C:\Users\Sad0r\Desktop\Block_Autorun.inf_Files.reg
    2012-11-16 03:43 - 2012-11-16 03:43 - 00000330 ____A C:\Users\Sad0r\Desktop\Unblock_Autorun.inf_Files.reg
    2012-11-15 21:17 - 2012-09-25 18:50 - 00002487 ____A C:\Users\Sad0r\Desktop\Google Chrome.lnk
    2012-11-12 20:57 - 2012-11-12 20:57 - 03258000 ____A (BrightFort LLC ) C:\Users\Sad0r\Desktop\spup46.exe
    2012-11-12 04:46 - 2012-11-12 04:46 - 00347424 ____A (Microsoft Corporation) C:\Users\Sad0r\Desktop\MicrosoftFixit.malware.Run.exe
    2012-11-12 03:00 - 2012-11-12 03:00 - 01777664 ____A C:\Users\Sad0r\Desktop\MBSASetup-x64-EN.msi
    2012-11-12 02:59 - 2012-11-12 02:59 - 17667616 ____A (Microsoft Corporation) C:\Users\Sad0r\Desktop\Win.exe
    2012-11-11 09:38 - 2012-11-11 09:38 - 15140440 ____A (flashvideodownloader.org ) C:\Users\Sad0r\Downloads\fvdsuite_installer.exe
    2012-11-11 09:38 - 2012-11-11 09:38 - 15140440 ____A (flashvideodownloader.org ) C:\Users\Sad0r\Documents\fvdsuite_installer.ext
    2012-11-09 10:11 - 2012-11-09 10:11 - 00000000 ____A C:\Windows\setuperr.log
    2012-11-09 10:09 - 2012-11-09 10:09 - 00062516 ____A C:\Users\Sad0r\Documents_1121009_180957.dmp
    2012-11-09 10:09 - 2012-11-09 10:09 - 00000552 ____A C:\Users\Sad0r\Documents_1121009_180957_main.txt
    2012-11-09 10:09 - 2012-08-30 09:03 - 00000000 ____D C:\users\Sad0r
    2012-11-09 09:58 - 2012-11-09 09:58 - 00002846 ____A C:\Users\Sad0r\SEXXX.txt
    2012-11-09 08:22 - 2012-11-06 08:20 - 00000000 ____D C:\Users\Sad0r\Desktop\hott
    2012-11-09 05:54 - 2012-11-09 05:54 - 00000025 ____A C:\Users\Sad0r\THE BEST EVER.txt
    2012-11-09 04:19 - 2012-09-17 05:21 - 00000000 ___SD C:\Users\Sad0r\Documents\Passwords Database
    2012-11-07 05:29 - 2012-11-07 05:29 - 00005750 ____A C:\Users\Sad0r\Documents\cc_20121108_002907.reg
    2012-11-07 05:29 - 2012-11-07 05:29 - 00001448 ____A C:\Users\Sad0r\Documents\cc_20121108_002939.reg
    2012-11-06 01:44 - 2012-10-29 06:47 - 00000000 ____D C:\Users\Sad0r\Desktop\crapola
    2012-11-05 08:30 - 2012-11-05 08:30 - 00000061 ____A C:\Users\Sad0r\FFFFFF.txt
    2012-11-05 07:32 - 2012-11-05 07:30 - 20345824 ____A (flashvideodownloader.org ) C:\Users\Sad0r\Downloads\fvdsuite-2.7.6-release.exe
    2012-11-04 21:32 - 2012-11-04 21:32 - 00079393 ____A C:\Users\Sad0r\Documents_1121005_053236.dmp
    2012-11-04 21:32 - 2012-11-04 21:32 - 00000471 ____A C:\Users\Sad0r\Documents_1121005_053236_main.txt
    2012-11-04 21:31 - 2012-11-04 21:31 - 00080641 ____A C:\Users\Sad0r\Documents_1121005_053114.dmp
    2012-11-04 21:31 - 2012-11-04 21:31 - 00000534 ____A C:\Users\Sad0r\Documents_1121005_053114_main.txt
    2012-11-04 21:30 - 2012-11-04 21:30 - 00001085 ____A C:\Users\Sad0r\Desktop\iWisoft Free Video Downloader.lnk
    2012-11-04 21:30 - 2012-11-04 21:30 - 00000000 ____D C:\Program Files (x86)\iWisoft Free Video Downloader
    2012-11-04 21:27 - 2012-11-04 21:26 - 03127375 ____A (www.iwisoft.com ) C:\Users\Sad0r\Documents\flashvideodownloader.exe
    2012-11-04 21:23 - 2012-11-04 21:23 - 00001075 ____A C:\Users\Sad0r\Desktop\iWisoft Free Video Converter.lnk
    2012-11-04 21:21 - 2012-11-04 21:20 - 09120817 ____A (www.easy-video-converter.com ) C:\Users\Sad0r\Documents\videoconverter.exe
    2012-11-04 02:29 - 2012-08-31 02:42 - 00000000 ____D C:\Users\All Users\P4G
    2012-11-04 02:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
    2012-11-03 09:06 - 2012-11-03 09:06 - 00000512 ____A C:\Users\Sad0r\Desktop\MBR.dat
    2012-11-03 07:50 - 2012-11-03 07:50 - 00448512 ____A (OldTimer Tools) C:\Users\Sad0r\Desktop\TFC.exe
    2012-11-02 01:59 - 2012-09-08 06:27 - 00000000 ____D C:\Users\Sad0r\AppData\Local\Graboid
    2012-10-29 07:06 - 2012-10-29 07:06 - 00655360 ____A C:\Users\Sad0r\Desktop\MicrosoftFixit50471.msi
    2012-10-29 06:08 - 2012-10-29 06:06 - 00000000 ____D C:\silentrunners
    2012-10-29 05:57 - 2012-10-29 05:50 - 00000336 ____A C:\Users\Sad0r\silent.txt
    2012-10-29 05:30 - 2012-10-29 05:30 - 00002549 ____A C:\Users\Sad0r\xxx.txt
    2012-10-29 04:32 - 2012-10-29 04:32 - 00000987 ____A C:\Users\Sad0r\MUD.txt
    2012-10-28 08:33 - 2012-10-28 08:33 - 00001407 ____A C:\Users\Sad0r\GYYYY.txt
    2012-10-28 03:41 - 2012-10-28 03:41 - 00000000 ____A C:\Windows\System32\remote_PC.csv
    2012-10-26 03:35 - 2012-10-25 06:39 - 00000000 ____D C:\Program Files\Registrar Registry Manager
    2012-10-25 21:11 - 2012-10-25 21:11 - 00000026 ____A C:\Users\Sad0r\AMOLD.txt
    2012-10-25 10:51 - 2012-10-25 10:51 - 00000764 ____A C:\Users\Sad0r\quir.txt
    2012-10-25 07:40 - 2012-10-25 07:40 - 00000035 ____A C:\Users\Sad0r\hookd.txt
    2012-10-25 07:28 - 2012-10-25 07:28 - 00000000 ____D C:\_OTM
    2012-10-25 07:21 - 2012-10-25 07:21 - 00000391 ____A C:\Users\Sad0r\reddd.txt
    2012-10-25 07:12 - 2012-10-25 07:12 - 00000035 ____A C:\Users\Sad0r\convo.txt
    2012-10-25 06:42 - 2012-10-25 06:39 - 00001057 ____A C:\Users\Sad0r\Desktop\Registrar Registry Manager.lnk
    2012-10-25 06:00 - 2012-10-25 06:00 - 00000042 ____A C:\Users\Sad0r\conh.txt
    2012-10-25 04:40 - 2012-10-25 03:59 - 00000157 ____A C:\Users\Sad0r\DRIVE.txt
    2012-10-25 04:39 - 2012-10-25 04:39 - 00000093 ____A C:\Users\Sad0r\dri.txt
    2012-10-25 02:51 - 2012-10-25 02:51 - 02957840 ____A (Symantec Corporation) C:\Users\Sad0r\Desktop\Nuts.exe
    2012-10-23 05:45 - 2012-10-23 05:45 - 00005768 ____A C:\Users\Sad0r\Documents\cc_20121024_004532.reg
    2012-10-23 05:40 - 2012-10-23 05:40 - 00001151 ____A C:\Users\Sad0r\sum.txt
    2012-10-23 03:37 - 2012-10-22 20:32 - 00015255 ____A C:\Users\Sad0r\mee.txt
    2012-10-22 04:09 - 2012-10-22 04:09 - 00000635 ____A C:\Users\Sad0r\nor.txt
    2012-10-22 03:38 - 2012-10-15 10:41 - 00000000 ____D C:\Program Files\Bitdefender
    2012-10-22 03:37 - 2012-10-15 10:40 - 00000000 ____D C:\Program Files\Common Files\Bitdefender

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-11-09 08:00:19
    Restore point made on: 2012-11-12 20:49:03
    Restore point made on: 2012-11-13 08:00:22
    Restore point made on: 2012-11-14 08:00:23
    Restore point made on: 2012-11-15 08:00:43
    Restore point made on: 2012-11-16 08:00:19
    Restore point made on: 2012-11-17 08:00:22
    Restore point made on: 2012-11-18 08:00:20
    Restore point made on: 2012-11-19 08:00:23
    Restore point made on: 2012-11-20 13:00:44

    ==================== Memory info ===========================

    Percentage of memory in use: 7%
    Total physical RAM: 12173.91 MB
    Available physical RAM: 11257.16 MB
    Total Pagefile: 12172.06 MB
    Available Pagefile: 11246.45 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ==================== Partitions =============================

    1 Drive c: (OS) (Fixed) (Total:254.72 GB) (Free:192.41 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    2 Drive d: (DATA) (Fixed) (Total:419.18 GB) (Free:418.56 GB) NTFS
    3 Drive e: (first) (CDROM) (Total:4.38 GB) (Free:4.37 GB) UDF
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 698 GB 0 B *

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 System (partition with boot components) 200 MB 1024 KB
    Partition 2 Reserved 128 MB 201 MB
    Partition 3 Primary 254 GB 329 MB
    Partition 4 Primary 419 GB 255 GB
    Partition 5 Recovery 24 GB 674 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : c12a7328-f81f-11d2-ba4b-00a0c93ec93b
    Hidden : Yes
    Required: No
    Attrib : 0X8000000000000000

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 SYSTEM FAT32 Partition 200 MB Healthy Hidden

    =========================================================

    Disk: 0
    Partition 2
    Type : e3c9e316-0b5c-4db8-817d-f92df00215ae
    Hidden : Yes
    Required: No
    Attrib : 0X8000000000000000

    There is no volume associated with this partition.

    =========================================================

    Disk: 0
    Partition 3
    Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Hidden : No
    Required: No
    Attrib : 0000000000000000

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C OS NTFS Partition 254 GB Healthy

    =========================================================

    Disk: 0
    Partition 4
    Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Hidden : No
    Required: No
    Attrib : 0000000000000000

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D DATA NTFS Partition 419 GB Healthy

    =========================================================

    Disk: 0
    Partition 5
    Type : de94bba4-06d1-4d40-a16a-bfd50179d6ac
    Hidden : Yes
    Required: Yes
    Attrib : 0X8000000000000001

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 Recovery NTFS Partition 24 GB Healthy Hidden

    =========================================================

    Last Boot: 2012-11-14 08:39

    ==================== End Of Log =============================
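A log like the one above is read by hand in this thread, but the "One Month Created/Modified" blocks have a fixed layout (created, modified, size, attribute flags, optional company string, path) that is easy to parse. The script below is an added example and is not part of this thread, of FRST or of any tool the helper uses; the sample lines are copied from the FRST listing above, and the flag rules (executable in a user-writable location, non-Microsoft file under System32/SysWOW64, executable sitting directly in C:\Windows, newly created driver, no company string) are triage heuristics I am assuming, not verdicts. They surface entries a reviewer should verify, which on this page includes perfectly legitimate files: the binaries in the Windows root are ComboFix helpers and mbam.sys is the Malwarebytes driver.

```python
"""Triage helper for FRST 'One Month Created/Modified' listings (added example, not FRST's own code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# FRST line layout: <created> - <modified> - <size> <attrs> [(<company>)] <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) "
    r"(?:\((?P<company>.*?)\)\s+)?(?P<path>[A-Za-z]:\\.*?)\s*$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".ax", ".scr", ".cpl", ".ocx")
# Assumed heuristics: locations an unprivileged user can write to, and the
# directories that normally hold only Microsoft-signed binaries.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    company: Optional[str]
    path: str
    flags: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; returns None for headers, blanks and anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
        modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
        size=int(m["size"]),
        attrs=m["attrs"],
        company=m["company"].strip() if m["company"] else None,
        path=m["path"],
    )


def triage(entry: Entry) -> Entry:
    """Attach heuristic flags to executables; directories and data files are left alone."""
    p = entry.path.lower()
    if entry.is_dir or not p.endswith(EXEC_EXT):
        return entry
    if p.startswith(USER_WRITABLE):
        entry.flags.append("exe-in-user-writable")
    if p.startswith(SYSTEM_DIRS) and (entry.company is None or "microsoft" not in entry.company.lower()):
        entry.flags.append("non-microsoft-in-system-dir")
    if p.startswith("c:\\windows\\") and p.count("\\") == 2:
        entry.flags.append("exe-in-windows-root")
    if p.endswith(".sys"):
        entry.flags.append("new-driver")
    if entry.company is None:
        entry.flags.append("no-company")
    return entry


def triage_report(text: str) -> List[Entry]:
    """Return only the entries that picked up at least one flag."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry).flags:
            flagged.append(entry)
    return flagged


# Constructed sample: lines copied from the FRST log in this thread, plus a section header.
SAMPLE = r"""
2012-11-19 03:21 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-11-19 03:21 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-11-19 03:10 - 2012-11-19 03:13 - 05002404 ____R (Swearware) C:\Users\Sad0r\Desktop\Com.exe
2012-11-17 05:20 - 2012-09-29 00:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-11-17 05:20 - 2012-11-17 05:20 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-11-04 21:23 - 2008-10-07 15:16 - 00139264 ____A (http://www.xvid.org) C:\Windows\SysWOW64\xvid.ax
2012-11-04 21:23 - 2009-09-29 01:57 - 00758018 ____A C:\Windows\SysWOW64\xvidcore.dll
2012-11-12 02:59 - 2012-11-12 02:59 - 17667616 ____A (Microsoft Corporation) C:\Users\Sad0r\Desktop\Win.exe
==================== Bamital & volsnap Check =================
"""

if __name__ == "__main__":
    for e in triage_report(SAMPLE):
        print(f"{e.created:%Y-%m-%d %H:%M}  {(e.company or '-'):<26} {e.path}  -> {', '.join(e.flags)}")
```

Feed it the whole FRST text instead of SAMPLE and it walks both the Created and Modified blocks, skipping every header line. The point of the flags is to shorten the list a human has to read, not to replace that reading: a company string is just what the file's version resource claims, so "no-company" and "non-microsoft-in-system-dir" are prompts to check the signature and hash, and a legitimate helper binary will trip them just as a dropper would.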
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Re-run ComboFix and post a log please. :)
  13. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    Sorry DMG, after running Farbar it was as if a devil was unleashed: the computer slowed down, froze, went offline and locked me out of half my files, so I ran the Kaspersky scanning tool from a drive and found a heur.backdoor.trojan.win32.generic, which everywhere I've read says is very new and one of the worst yet, rendering most systems dead within a couple of weeks. Well, at the moment I have, and now cannot install, any antivirus I've tried, bar one, being Dr.Web CureIt through stealth mode, but within hours it was mashed to bits, playing up with files corrupted and missing, and after having to remove it manually through the registry in safe mode, as the computer completely froze on every boot, now I can't connect because my browser keeps saying access restricted :( so I am writing from my phone. I will try to get back online tonight, and if I can, what do you suggest, because this is way past my level?
     
  14. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    Well, after nearly 500 key, data and binary deletions later, I'm back online and will never install Dr.Web CureIt again! Anyway, I downloaded the latest ComboFix and ran it, but the first time it ran it came to a point saying folder deletions c:\x\ cannot find batch file and just froze for 2 hours, so I closed it and ran it again and it went fine, though I often wonder whether that means it has been compromised, but here are those latter logs.

    ComboFix 12-11-23.02 - Sad0r 25/11/2012 0:30.4.8 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.12174.10206 [GMT 11:00]
    Running from: c:\users\Sad0r\Desktop\x.exe
    AV: Dr.Web Security Space *Disabled/Updated* {A8C161B2-600A-42FD-97E0-4C12952A9FEC}
    SP: Dr.Web Security Space *Disabled/Updated* {13A08056-4630-4D73-AD50-7760EEADD551}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\x
    c:\x\d-del2b.dat
    c:\x\ErrTrap1
    c:\x\N_\11335
    c:\x\N_\2867
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-10-24 to 2012-11-24 )))))))))))))))))))))))))))))))
    .
    .
    2012-11-24 13:32 . 2012-11-24 13:32  --------  d-----w-  c:\users\Sad0r\AppData\Local\temp
    2012-11-23 11:58 . 2012-11-23 11:59  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
    2012-11-23 11:58 . 2012-09-29 08:54  25928  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-11-23 11:31 . 2012-11-23 11:31  --------  d-----w-  c:\users\Sad0r\AppData\Roaming\SUPERAntiSpyware.com
    2012-11-23 11:31 . 2012-11-23 11:31  --------  d-----w-  c:\program files\SUPERAntiSpyware
    2012-11-23 11:31 . 2012-11-23 11:31  --------  d-----w-  c:\programdata\SUPERAntiSpyware.com
    2012-11-23 06:47 . 2012-11-23 06:47  --------  d-----w-  c:\users\Sad0r\AppData\Roaming\addpcs
    2012-11-23 06:47 . 2012-11-23 06:47  --------  d-----w-  c:\program files\Temp File Cleaner
    2012-11-23 06:27 . 2012-11-23 08:31  --------  d-----w-  c:\programdata\F-Secure
    2012-11-21 16:53 . 2012-11-21 16:53  --------  d-----w-  C:\FRST
    2012-11-21 04:34 . 2012-11-21 04:34  --------  d-----w-  c:\program files (x86)\UltraISO
    2012-11-21 04:34 . 2012-11-21 04:34  --------  d-----w-  c:\program files (x86)\Common Files\EZB Systems
    2012-11-19 14:57 . 2012-11-19 16:49  --------  d-----w-  C:\Netgear
    2012-11-12 10:14 . 2012-11-19 14:49  --------  d-----w-  c:\users\Sad0r\AppData\Local\Diagnostics
    2012-11-05 05:30 . 2012-11-05 05:30  --------  d-----w-  c:\program files (x86)\iWisoft Free Video Downloader
    2012-11-05 05:23 . 2012-11-19 22:31  --------  d-----w-  c:\program files (x86)\iWisoft Free Video Converter
    2012-11-05 05:23 . 2009-09-29 09:57  758018  ----a-w-  c:\windows\SysWow64\xvidcore.dll
    2012-11-05 05:23 . 2008-12-04 10:46  180224  ----a-w-  c:\windows\SysWow64\xvidvfw.dll
    2012-11-05 05:23 . 2008-10-07 23:16  139264  ----a-w-  c:\windows\SysWow64\xvid.ax
    2012-11-04 05:33 . 2012-11-23 18:06  --------  d-----w-  c:\users\Sad0r\AppData\Local\CrashDumps
    2012-10-29 14:06 . 2012-11-23 19:02  --------  d-----w-  C:\silentrunners
    2012-10-25 15:28 . 2012-10-25 15:28  --------  d-----w-  C:\_OTM
    2012-10-25 14:39 . 2012-10-26 11:35  --------  d-----w-  c:\program files\Registrar Registry Manager
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-11-24 11:40 . 2012-08-30 17:03  380  ----a-w-  c:\users\Sad0r\AppData\Roaming\sp_data.sys
    2012-10-29 21:01 . 2012-09-19 10:16  48648  ----a-w-  c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
    2012-10-29 21:01 . 2012-10-15 18:13  336208  ----a-w-  c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2012-10-25 08:33 . 2012-10-15 18:13  48648  ----a-w-  c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
    2012-10-22 06:03 . 2012-09-19 10:16  336208  ----a-w-  c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2012-10-12 07:19 . 2012-10-22 19:48  9291768  ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{2CF52C71-4E6F-4B46-8A8F-B8966A578E00}\mpengine.dll
    2012-09-27 13:18 . 2012-10-04 05:07  65309168  ----a-w-  c:\windows\system32\MRT.exe
    2012-09-14 19:19 . 2012-10-10 12:33  2048  ----a-w-  c:\windows\system32\tzres.dll
    2012-09-14 18:28 . 2012-10-10 12:33  2048  ----a-w-  c:\windows\SysWow64\tzres.dll
    2012-09-08 05:35 . 2012-09-08 05:35  348160  ----a-w-  c:\windows\SysWow64\msvcr71.dll
    2012-09-08 05:35 . 2012-09-08 05:35  1700352  ----a-w-  c:\windows\SysWow64\gdiplus.dll
    2012-09-08 05:35 . 2012-09-08 05:35  1060864  ----a-w-  c:\windows\SysWow64\mfc71.dll
    2012-08-31 18:19 . 2012-10-10 12:34  1659760  ----a-w-  c:\windows\system32\drivers\ntfs.sys
    2012-08-31 10:43 . 2012-08-31 10:43  80512  ----a-w-  c:\windows\ASUS K5 Series ScreenSaver Uninstaller.exe
    2012-08-31 10:43 . 2012-08-31 10:43  3058304  ----a-w-  c:\windows\AsScrPro.exe
    2012-08-30 18:03 . 2012-10-10 12:34  5559664  ----a-w-  c:\windows\system32\ntoskrnl.exe
    2012-08-30 17:12 . 2012-10-10 12:34  3914096  ----a-w-  c:\windows\SysWow64\ntoskrnl.exe
    2012-08-30 17:12 . 2012-10-10 12:33  3968880  ----a-w-  c:\windows\SysWow64\ntkrnlpa.exe
    2012-08-30 17:04 . 2011-03-29 02:36  19720  ----a-w-  c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-16 932288]
    "ASUSPRP"="c:\program files (x86)\ASUS\APRP\APRP.EXE" [2012-02-18 3331312]
    "ASUSWebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe" [2011-07-29 737104]
    "USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-02-07 291608]
    "Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2012-02-02 2321072]
    "ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2012-06-25 322208]
    "ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2012-06-19 174752]
    "HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    AsusVibeLauncher.lnk - c:\program files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe [2012-2-18 549040]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer3"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
    R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys [2009-06-10 57344]
    R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [2009-06-10 56832]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 31232]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-09-03 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-02-07 16152]
    S1 ATKWMIACPIIO;ATKWMIACPI Driver;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2011-09-06 17536]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]
    S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [2011-03-03 379520]
    S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-02 15416]
    S2 ASUS InstantOn;ASUS InstantOn Service;c:\program files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe [2012-02-03 277120]
    S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2011-12-08 607456]
    S2 Intel(R) ME Service;Intel(R) ME Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [2011-12-16 128280]
    S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [2011-12-16 161560]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-12-16 363800]
    S3 AiCharger;ASUS Charger Driver;c:\windows\system32\DRIVERS\AiCharger.sys [2012-01-30 17152]
    S3 AsusVBus;AsusVBus;c:\windows\system32\DRIVERS\AsusVBus.sys [2011-12-21 35968]
    S3 AsusVTouch;AsusVTouch;c:\windows\system32\DRIVERS\AsusVTouch.sys [2011-11-08 16512]
    S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2012-02-19 200488]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2012-02-20 331264]
    S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-02-07 356120]
    S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-02-07 787736]
    S3 RSBASTOR;Realtek PCIE CardReader Driver - BA;c:\windows\system32\DRIVERS\RtsBaStor.sys [2012-02-01 292968]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-23 565352]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-23 17:22]
    .
    2012-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-23 17:22]
    .
    2012-10-13 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
    - c:\program files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]
    .
    2012-10-13 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
    - c:\program files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]
    .
    2012-11-23 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 87ad0517-321a-4540-b518-2b1ca9882ddf.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    2012-11-24 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task a5e493d9-23ae-4292-a764-805c38619a57.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
    @="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"
    [HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]
    2011-05-25 07:09 227840 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
    @="{64174815-8D98-4CE6-8646-4C039977D808}"
    [HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]
    2011-05-25 07:09 227840 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-02-22 170264]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-02-22 398616]
    "ETDCtrl"="c:\program files (x86)\Elantech\ETDCtrl.exe" [BU]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com.au/
    mStart Page = about:blank
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.0.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-11-25 00:33:23
    ComboFix-quarantined-files.txt 2012-11-24 13:33
    ComboFix2.txt 2012-11-23 15:02
    ComboFix3.txt 2012-11-19 11:27
    ComboFix4.txt 2012-09-20 23:35
    .
    Pre-Run: 217,451,196,416 bytes free
    Post-Run: 217,389,674,496 bytes free
    .
    - - End Of File - - AB9B4938F0570E903B04F0EDFC8351CB
    This is also the text file left from the ComboFix run that froze, if it helps:

    ComboFix-quarantined-files.txt
    2012-11-24 11:54:46 . 2012-11-24 11:54:46 8 ----a-w- C:\Qoobox\Quarantine\C\x\d-del2b.dat.vir
    2012-11-24 11:54:46 . 2012-11-24 11:54:46 28 ----a-w- C:\Qoobox\Quarantine\C\x\N_\2867.vir
    2012-11-24 11:54:46 . 2012-11-24 11:54:46 275 ----a-w- C:\Qoobox\Quarantine\C\x\N_\11335.vir
    2012-11-24 11:53:55 . 2012-11-24 11:53:55 0 ----a-w- C:\Qoobox\Quarantine\C\x\BitsPath.vir
    2012-11-24 11:53:53 . 2012-11-24 11:53:53 739 ----a-w- C:\Qoobox\Quarantine\C\x\BitsStr.vir
    2012-11-24 11:53:32 . 2012-11-24 11:53:32 0 ----a-w- C:\Qoobox\Quarantine\C\x\BHOFiles.dat.vir
    2012-11-24 11:53:32 . 2012-11-24 11:53:32 0 ----a-w- C:\Qoobox\Quarantine\C\x\BHO.dat.vir
    2012-11-24 11:53:32 . 2012-11-24 11:53:32 575 ----a-w- C:\Qoobox\Quarantine\C\x\BHOQuery.dat.vir
    2012-11-24 11:53:27 . 2012-11-24 11:53:27 0 ----a-w- C:\Qoobox\Quarantine\C\x\catch_k.dat.vir
    2012-11-24 11:52:11 . 2012-11-24 11:54:46 606 ----a-w- C:\Qoobox\Quarantine\C\x\ErrTrap1.vir
    2012-11-24 11:51:55 . 2012-11-24 11:51:55 1,504 ----a-w- C:\Qoobox\Quarantine\C\x\borlander_file.dat.tmp.vir
    2012-11-24 11:51:55 . 2012-11-24 11:51:55 439 ----a-w- C:\Qoobox\Quarantine\C\x\borlander_folder.dat.tmp.vir
    2012-11-24 11:51:55 . 2012-11-24 11:51:55 436,854 ----a-w- C:\Qoobox\Quarantine\C\x\attr.dat.tmp.vir
    2012-11-24 11:51:39 . 2012-11-19 11:22:30 123 ----a-w- C:\Qoobox\Quarantine\C\x\AppData.folder.dat.vir
    2012-11-24 11:51:39 . 2012-11-19 11:22:30 228 ----a-w- C:\Qoobox\Quarantine\C\x\Cache.folder.dat.vir
    2012-11-24 11:51:35 . 2012-11-24 11:52:13 105 ----a-w- C:\Qoobox\Quarantine\C\x\CCS.bat.vir
    2012-11-24 11:51:35 . 2012-11-24 11:51:35 0 ----a-w- C:\Qoobox\Quarantine\C\x\c.mrk.vir
    2012-11-24 11:51:35 . 2010-11-20 13:24:34 345,088 ----a-w- C:\Qoobox\Quarantine\C\x\CF7265.3XE.vir
    2012-11-24 11:51:34 . 2009-07-14 01:38:55 18,432 ----a-w- C:\Qoobox\Quarantine\C\x\ATTRIB.3XE.vir
    2012-11-19 11:27:12 . 2012-11-19 11:27:12 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-95310364.sys.reg.dat
    2012-11-19 11:27:12 . 2012-11-19 11:27:12 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-77118655.sys.reg.dat
    2012-11-19 11:25:36 . 2012-11-24 13:31:32 9,550 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2012-11-05 14:27:56 . 2012-11-24 11:51:36 56,252 ----a-w- C:\Qoobox\Quarantine\C\x\023.dat.vir
    2012-11-02 10:54:10 . 2012-11-02 10:54:10 65,604 ----a-w- C:\Qoobox\Quarantine\C\x\c.bat.vir
    2012-10-22 11:37:40 . 2012-10-22 11:37:40 220,242 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\1350905593.bdinstall.bin.vir
    2012-10-22 11:24:12 . 2012-10-22 11:24:12 431,568 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\1350885310.bdinstall.bin.vir
    2012-10-15 18:49:14 . 2012-10-15 18:49:14 470,508 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\1350326436.bdinstall.bin.vir
    2012-10-15 18:32:19 . 2012-10-15 18:32:19 262,144 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\ntuser.dat.vir
    2012-09-21 15:10:02 . 2012-09-21 15:10:04 2,035 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\INSTALL.LOG.vir
    2012-09-20 23:34:35 . 2012-09-20 23:34:35 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-ETDCtrl.reg.dat
    2012-09-20 23:34:35 . 2012-11-19 11:27:15 92 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
    2012-09-20 23:34:30 . 2012-09-20 23:34:30 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-97384014.sys.reg.dat
    2012-09-20 23:34:30 . 2012-09-20 23:34:30 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-08657672.sys.reg.dat
    2012-09-20 23:34:30 . 2012-09-20 23:34:30 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-00705352.sys.reg.dat
    2012-09-20 23:34:25 . 2012-11-24 13:32:40 104 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-Locked.reg.dat
    2012-09-20 23:30:09 . 2012-11-24 13:29:48 255 ----a-w- C:\Qoobox\Quarantine\catchme.log
    2012-09-11 14:47:32 . 2012-09-11 14:47:32 5,343 ----a-w- C:\Qoobox\Quarantine\C\x\Boot-Rk.cmd.vir
    2012-06-07 10:56:40 . 2012-06-07 10:56:40 4,638 ----a-w- C:\Qoobox\Quarantine\C\x\av.cmd.vir
    2012-02-10 18:12:14 . 2012-02-10 18:12:14 690 ----a-w- C:\Qoobox\Quarantine\C\x\ActiveDrv.vbs.vir
    2012-01-18 01:43:20 . 2012-01-18 01:43:20 348,160 ----a-w- C:\Qoobox\Quarantine\C\Windows\msvcr71.dll.vir
    2012-01-03 09:27:24 . 2012-01-03 09:27:24 40,960 ----a-w- C:\Qoobox\Quarantine\C\x\BFE.dat.vir
    2011-11-19 09:14:26 . 2011-11-19 09:14:26 8,400 ----a-w- C:\Qoobox\Quarantine\C\x\Boot.bat.vir
    2011-06-26 15:16:00 . 2011-06-26 15:16:00 666 ----a-w- C:\Qoobox\Quarantine\C\x\AWF.cmd.vir
    2010-12-15 15:02:06 . 2010-12-15 15:02:06 2,933 ----a-w- C:\Qoobox\Quarantine\C\x\av.vbs.vir
    2010-11-26 19:07:20 . 2010-11-26 19:07:20 2,181 ----a-w- C:\Qoobox\Quarantine\C\x\023v.dat.vir
    2010-10-21 08:45:48 . 2010-10-21 08:45:48 1,080 ----a-w- C:\Qoobox\Quarantine\C\x\Catch-sub.cmd.vir
    2010-07-27 08:55:16 . 2010-07-27 08:55:16 875 ----a-w- C:\Qoobox\Quarantine\C\x\BootDrv.vbs.vir
    2010-04-15 14:11:36 . 2010-04-15 14:11:36 4,144 ----a-w- C:\Qoobox\Quarantine\C\x\Assoc.cmd.vir
    2010-02-12 17:55:28 . 2010-02-12 17:55:28 660 ----a-w- C:\Qoobox\Quarantine\C\x\023w7.dat.vir
    2009-07-13 15:09:30 . 2009-07-13 15:09:30 602 ----a-w- C:\Qoobox\Quarantine\C\x\asp.str.vir
    2009-04-17 09:37:10 . 2009-04-17 09:37:10 147,456 ----a-w- C:\Qoobox\Quarantine\C\x\catchme.3XE.vir
    2000-08-31 00:00:00 . 2000-08-31 00:00:00 6,760 ----a-w- C:\Qoobox\Quarantine\C\x\appinit.bad.vir
  15. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    Hey DMJ, not trying to rush you at all, I'm just new to this so I'm not sure what happens, even though I have read all the rules etc. So I can wait as long as you need; I was just not sure if you were still helping me, as I had made some changes of my own which, as I read, is understandably a "no no", but I only did so because I did not know what to do, as my laptop became almost unusable and I had no way of even logging on anymore. Not out of any disrespect, I can assure you!! So I'll wait for further instruction and follow it to the dot. Thanks again ;)
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    I hadn't realized I missed you on Saturday. My apologies, dearly.

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
  17. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    Should this be in safe or normal mode?
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    If you can do it in Normal Mode, please do. Otherwise, Safe Mode with Networking might work. :)
  19. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=f230948e045746419c43a7c6942e92ed
    # end=finished
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2012-11-27 12:45:54
    # local_time=2012-11-27 11:45:54 (+1000, AUS Eastern Daylight Time)
    # country="Australia"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5893 16776573 100 94 6615 105606339 0 0
    # compatibility_mode=8192 67108863 100 0 444 444 0 0
    # scanned=121115
    # found=0
    # cleaned=0
    # scan_time=4265
    :( nothing
  20. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    Hey, can I post a log I found? I'm not sure where it comes from actually; I must have run something before I contacted you, but I think it may be useful as it's pretty in depth.
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  22. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    "Silent Runners.vbs", revision 64, http://www.silentrunners.org/
    Operating System: Microsoft Windows 7 Home Premium Service Pack 1 (64-bit)
    Output of all locations checked and all values found.


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
    Google Update = "C:\Users\Sad0r\AppData\Local\Google\Update\GoogleUpdate.exe" /c [Google Inc.]

    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\

    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    IgfxTray = C:\Windows\system32\igfxtray.exe [Intel Corporation]
    HotKeysCmds = C:\Windows\system32\hkcmd.exe [Intel Corporation]
    ETDCtrl = C:\Program Files\Elantech\ETDCtrl.exe

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
    Adobe ARM = "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [Adobe Systems Incorporated]
    ASUSPRP = "C:\Program Files (x86)\ASUS\APRP\APRP.EXE" [ASUSTek Computer Inc.]
    ASUSWebStorage = C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe /S [null data]
    USB3MON = "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [Intel Corporation]
    Wireless Console 3 = C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [ASUSTeK Computer Inc.]
    ATKOSD2 = C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [ASUSTek Computer Inc.]
    ATKMEDIA = C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [ASUSTek Computer Inc.]
    HControlUser = C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [ASUS]

    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

    >{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default) = Microsoft Windows Media Player
    \StubPath = C:\Windows\system32\unregmp2.exe /ShowWMP [MS]

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\

    >{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default) = Microsoft Windows Media Player
    \StubPath = C:\Windows\system32\unregmp2.exe /ShowWMP [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

    {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
    -> {HKLM…CLSID} = Windows Live ID Sign-in Helper
    \InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [MS]

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

    {18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = AcroIEHelperStub
    -> {HKLM…Wow…CLSID} = Adobe PDF Link Helper
    \InProcServer32\(Default) = C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [Adobe Systems Incorporated]

    {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\(Default) = Norton Identity Protection
    -> {HKLM…Wow…CLSID} = Norton Identity Protection
    \InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\coIEPlg.dll [Symantec Corporation]

    {6D53EC84-6AAE-4787-AEEE-F4628F01010C}\(Default) = Norton Vulnerability Protection
    -> {HKLM…Wow…CLSID} = Norton Vulnerability Protection
    \InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\IPS\IPSBHO.DLL [Symantec Corporation]

    {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
    -> {HKLM…Wow…CLSID} = Windows Live ID Sign-in Helper
    \InProcServer32\(Default) = C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [MS]

    {d2ce3e00-f94a-4740-988e-03dc2f38c34f}\(Default) = (no title provided)
    -> {HKLM…Wow…CLSID} = Bing Bar Helper
    \InProcServer32\(Default) = "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" [Microsoft Corporation.]

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\

    AsusWSShellExt_B\(Default) = {6D4133E5-0742-4ADC-8A8C-9303440F7190}
    -> {HKLM…CLSID} = AsusWSShellExt_B64 Class
    \InProcServer32\(Default) = C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.108.222\ASUSWSShellExt64.dll [eCareme Technologies, Inc.]

    AsusWSShellExt_O\(Default) = {64174815-8D98-4CE6-8646-4C039977D808}
    -> {HKLM…CLSID} = AsusWSShellExt_O64 Class
    \InProcServer32\(Default) = C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.108.222\ASUSWSShellExt64.dll [eCareme Technologies, Inc.]

    EnhancedStorageShell\(Default) = {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}
    -> {HKLM…CLSID} = Enhanced Storage Icon Overlay Handler Class
    \InProcServer32\(Default) = C:\Windows\system32\EhStorShell.dll [MS]

    OverlayExcluded\(Default) = {4433A54A-1AC8-432F-90FC-85F045CF383C}
    -> {HKLM…CLSID} = (no title provided)
    \InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\buShell.dll [Symantec Corporation]

    OverlayPending\(Default) = {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}
    -> {HKLM…CLSID} = (no title provided)
    \InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\buShell.dll [Symantec Corporation]

    OverlayProtected\(Default) = {476D0EA3-80F9-48B5-B70B-05E677C9C148}
    -> {HKLM…CLSID} = (no title provided)
    \InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\buShell.dll [Symantec Corporation]

    SharingPrivate\(Default) = {08244EE6-92F0-47f2-9FC9-929BAA2E7235}
    -> {HKLM…CLSID} = Sharing Overlay (Private)
    \InProcServer32\(Default) = C:\Windows\system32\ntshrui.dll [MS]

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\

    EnhancedStorageShell\(Default) = {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}
    -> {HKLM…Wow…CLSID} = Enhanced Storage Icon Overlay Handler Class
    \InProcServer32\(Default) = C:\Windows\system32\EhStorShell.dll [MS]

    SharingPrivate\(Default) = {08244EE6-92F0-47f2-9FC9-929BAA2E7235}
    -> {HKLM…Wow…CLSID} = Sharing Overlay (Private)
    \InProcServer32\(Default) = C:\Windows\system32\ntshrui.dll [MS]

    HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

    {00C6D95F-329C-409a-81D7-C46C66EA7F33} = (no title provided)
    -> {HKLM…CLSID} = DefaultLocation
    \InProcServer32\(Default) = C:\Windows\System32\shdocvw.dll [MS]

    {80009818-f38f-4af1-87b5-eadab9433e58} = MF ADTS Property Handler
    -> {HKLM…CLSID} = MF ADTS Property Handler
    \InProcServer32\(Default) = C:\Windows\System32\mf.dll [MS]

    {08165EA0-E946-11CF-9C87-00AA005127ED} = WebCheckWebCrawler
    -> {HKLM…CLSID} = WebCheckWebCrawler
    \InProcServer32\(Default) = C:\Windows\System32\webcheck.dll [MS]

    {F5175861-2688-11d0-9C5E-00AA00A45957} = Subscription Folder
    -> {HKLM…CLSID} = Subscription Folder
    \InProcServer32\(Default) = C:\Windows\System32\webcheck.dll [MS]

    {7D559C10-9FE9-11d0-93F7-00AA0059CE02} = Code Download Agent
    -> {HKLM…CLSID} = Code Download Agent
    \InProcServer32\(Default) = C:\Windows\System32\webcheck.dll [MS]

    {ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} = Subscription Mgr
    -> {HKLM…CLSID} = Subscription Mgr
    \InProcServer32\(Default) = C:\Windows\System32\webcheck.dll [MS]

    {7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} = WebCheck SyncMgr Handler
    -> {HKLM…CLSID} = WebCheck SyncMgr Handler
    \InProcServer32\(Default) = C:\Windows\System32\webcheck.dll [MS]

    {d6044399-0b9e-4084-a9ac-c4b7c7800fcf} = FolderItem
    -> {HKLM…CLSID} = ASUS WebStorage Drive
    \InProcServer32\(Default) = mscoree.dll [MS]

    {b1b96b20-da1d-4a3c-92c1-7229b32f2325} = BackupContextMenuExtension
    -> {HKLM…CLSID} = XPClient.FileSystemBrowser.BackupContextMenuExtension.BackupContextMenuExtension
    \InProcServer32\(Default) = mscoree.dll [MS]

    {0066D4B3-8DE0-4D08-AA83-EDD50E2431F0} = ELAN Control Panel
    -> {HKLM…CLSID} = (no title provided)
    \InProcServer32\(Default) = C:\Program Files\Elantech\ETDMcpl.dll [ELAN Microelectronics Corp.]

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

    {00C6D95F-329C-409a-81D7-C46C66EA7F33} = (no title provided)
    -> {HKLM…Wow…CLSID} = DefaultLocation
    \InProcServer32\(Default) = C:\Windows\System32\shdocvw.dll [MS]

    {80009818-f38f-4af1-87b5-eadab9433e58} = MF ADTS Property Handler
    -> {HKLM…Wow…CLSID} = MF ADTS Property Handler
    \InProcServer32\(Default) = C:\Windows\System32\mf.dll [MS]

    {08165EA0-E946-11CF-9C87-00AA005127ED} = WebCheckWebCrawler
    -> {HKLM…Wow…CLSID} = WebCheckWebCrawler
    \InProcServer32\(Default) = C:\Windows\SysWOW64\webcheck.dll [MS]

    {F5175861-2688-11d0-9C5E-00AA00A45957} = Subscription Folder
    -> {HKLM…Wow…CLSID} = Subscription Folder
    \InProcServer32\(Default) = C:\Windows\SysWOW64\webcheck.dll [MS]

    {7D559C10-9FE9-11d0-93F7-00AA0059CE02} = Code Download Agent
    -> {HKLM…Wow…CLSID} = Code Download Agent
    \InProcServer32\(Default) = C:\Windows\SysWOW64\webcheck.dll [MS]

    {ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} = Subscription Mgr
    -> {HKLM…Wow…CLSID} = Subscription Mgr
    \InProcServer32\(Default) = C:\Windows\SysWOW64\webcheck.dll [MS]

    {7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} = WebCheck SyncMgr Handler
    -> {HKLM…Wow…CLSID} = WebCheck SyncMgr Handler
    \InProcServer32\(Default) = C:\Windows\SysWOW64\webcheck.dll [MS]

    {00F33137-EE26-412F-8D71-F84E4C2C6625} = (no title provided)
    -> {HKLM…Wow…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim
    \InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS]

    {00F346CB-35A4-465B-8B8F-65A29DBAB1F6} = Windows Live Photo Gallery Viewer Drop Target Shim
    -> {HKLM…Wow…CLSID} = Windows Live Photo Gallery Viewer Shim
    \InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS]

    {00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} = Windows Live Photo Gallery Editor Drop Target Shim
    -> {HKLM…Wow…CLSID} = Windows Live Photo Gallery Editor Shim
    \InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS]

    {00F30F90-3E96-453B-AFCD-D71989ECC2C7} = Windows Live Photo Gallery Autoplay Drop Target Shim
    -> {HKLM…Wow…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim
    \InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DeviceNotificationCallbacks\

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\DeviceNotificationCallbacks\

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

    HKCU\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

    HKCU\Software\Microsoft\Command Processor\
    AutoRun = (name not found)

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
    Shell = (name not found)

    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    Shell = (name not found)

    HKLM\SOFTWARE\Microsoft\Command Processor\
    AutoRun = (name not found)

    HKLM\Wow6432Node\Software\Microsoft\Command Processor\
    AutoRun = (name not found)

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
    AppInit_DLLs = (empty string)

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\
    AppInit_DLLs = (empty string)

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
    IconServiceLib = IconCodecService.dll [MS]

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    GinaDLL = (name not found)
    Shell = explorer.exe [MS]
    System = (name not found)
    Taskman = (name not found)
    Userinit = C:\Windows\system32\userinit.exe, [MS]
    VmApplet = SystemPropertiesPerformance.exe /pagefile

    HKLM\SYSTEM\CurrentControlSet\Control\ServiceControlManagerExtension
    ServiceControlManagerExtension = C:\Windows\system32\scext.dll [MS]

    HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\
    ImagePath = (name not found)

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
    Authentication Packages = msv1_0

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
    Notification Packages = scecli

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
    <<!>> (livessp [MS]) Security Packages = kerberos|msv1_0|schannel|wdigest|tspkg|pku2u|livessp

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option\
    UseAlternateShell = (name not found)

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
    AlternateShell = cmd.exe [MS]

    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
    SecurityProviders = credssp.dll

    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
    BootExecute = autocheck autochk *
    Execute = (name not found)
    SetupExecute = (value not set)

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\

    {DDC0EED2-ADBE-40b6-A217-EDE16A79A0DE}\(Default) = GenericFilter
    -> {HKLM…CLSID} = GenericFilter
    \InProcServer32\(Default) = C:\Windows\system32\authui.dll [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\

    {06FE45A8-6D92-44ba-A0F1-9A9BCDC8F5A7}\(Default) = FaceCredentialProvider64
    -> {HKLM…CLSID} = FaceCredentialProvider64
    \InProcServer32\(Default) = C:\Program Files (x86)\ASUS\FaceLogon\system\FaceCredentialProvider64.dll [ASUS]

    {25CBB996-92ED-457e-B28C-4774084BD562}\(Default) = GenericProvider
    -> {HKLM…CLSID} = GenericProvider
    \InProcServer32\(Default) = C:\Windows\system32\authui.dll [MS]

    {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}\(Default) = NPProvider
    -> {HKLM…CLSID} = NPProvider
    \InProcServer32\(Default) = C:\Windows\system32\authui.dll [MS]

    {503739d0-4c5e-4cfd-b3ba-d881334f0df2}\(Default) = VaultCredProvider
    -> {HKLM…CLSID} = VaultCredProvider
    \InProcServer32\(Default) = C:\Windows\System32\VaultCredProvider.dll [MS]

    {6f45dc1e-5384-457a-bc13-2cd81b0d28ed}\(Default) = PasswordProvider
    -> {HKLM…CLSID} = PasswordProvider
    \InProcServer32\(Default) = C:\Windows\system32\authui.dll [MS]

    {8bf9a910-a8ff-457f-999f-a5ca10b4a885}\(Default) = Smartcard Credential Provider
    -> {HKLM…CLSID} = Smartcard Credential Provider
    \InProcServer32\(Default) = SmartcardCredentialProvider.dll [MS]

    {94596c7e-3744-41ce-893e-bbf09122f76a}\(Default) = Smartcard Pin Provider
    -> {HKLM…CLSID} = Smartcard Pin Provider
    \InProcServer32\(Default) = SmartcardCredentialProvider.dll [MS]

    {AC3AC249-E820-4343-A65B-377AC634DC09}\(Default) = WinBio Credential Provider
    -> {HKLM…CLSID} = WinBio Credential Provider
    \InProcServer32\(Default) = C:\Windows\System32\BioCredProv.dll [MS]

    {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}\(Default) = CertCredProvider
    -> {HKLM…CLSID} = CCertProvider
    \InProcServer32\(Default) = C:\Windows\system32\certCredProvider.dll [MS]

    {F8A0B131-5F68-486c-8040-7E8FC3C85BB6}\(Default) = WLIDCredentialProvider
    -> {HKLM…CLSID} = WLIDCredentialProvider
    \InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDCREDPROV.DLL [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\

    {5537E283-B1E7-4EF8-9C6E-7AB0AFE5056D}\(Default) = RasProvider
    -> {HKLM…CLSID} = CRasProvider
    \InProcServer32\(Default) = C:\Windows\system32\rasplap.dll [MS]

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff\

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\

    HKCU\Software\Classes\PROTOCOLS\Filter\

    HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

    application/octet-stream\CLSID = {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
    -> {HKLM…CLSID} = Cor MIME Filter, CorFltr, CorFltr 1
    \InProcServer32\(Default) = mscoree.dll [MS]

    application/x-complus\CLSID = {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
    -> {HKLM…CLSID} = Cor MIME Filter, CorFltr, CorFltr 1
    \InProcServer32\(Default) = mscoree.dll [MS]

    application/x-msdownload\CLSID = {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
    -> {HKLM…CLSID} = Cor MIME Filter, CorFltr, CorFltr 1
    \InProcServer32\(Default) = mscoree.dll [MS]

    HKCU\Software\Classes\PROTOCOLS\Handler\

    HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\

    about\CLSID = {3050F406-98B5-11CF-BB82-00AA00BDCE0B}
    -> {HKLM…CLSID} = Microsoft HTML About Pluggable Protocol
    \InProcServer32\(Default) = C:\Windows\System32\mshtml.dll [MS]

    cdl\CLSID = {3dd53d40-7b8b-11D0-b013-00aa0059ce02}
    -> {HKLM…CLSID} = CDL: Asychronous Pluggable Protocol Handler
    \InProcServer32\(Default) = C:\Windows\system32\urlmon.dll [MS]

    dvd\CLSID = {12D51199-0DB5-46FE-A120-47A3D7D937CC}
    -> {HKLM…CLSID} = DVD: Pluggable Protocol
    \InProcServer32\(Default) = C:\Windows\System32\msvidctl.dll [MS]

    file\CLSID = {79eac9e7-baf9-11ce-8c82-00aa004ba90b}
    -> {HKLM…CLSID} = file:, local: Asychronous Pluggable Protocol Handler
    \InProcServer32\(Default) = C:\Windows\system32\urlmon.dll [MS]

    ftp\CLSID = {79eac9e3-baf9-11ce-8c82-00aa004ba90b}
    -> {HKLM…CLSID} = ftp: Asychronous Pluggable Protocol Handler
    \InProcServer32\(Default) = C:\Windows\system32\urlmon.dll [MS]

    http\CLSID = {79eac9e2-baf9-11ce-8c82-00aa004ba90b}
    -> {HKLM…CLSID} = http: Asychronous Pluggable Protocol Handler
    \InProcServer32\(Default) = C:\Windows\system32\urlmon.dll [MS]

    https\CLSID = {79eac9e5-baf9-11ce-8c82-00aa004ba90b}
    -> {HKLM…CLSID} = https: Asychronous Pluggable Protocol Handler
    \InProcServer32\(Default) = C:\Windows\system32\urlmon.dll [MS]

    its\CLSID = {9D148291-B9C8-11D0-A4CC-0000F80149F6}
    -> {HKLM…CLSID} = Microsoft InfoTech Protocols for IE 4.0
    \InProcServer32\(Default) = C:\Windows\System32\itss.dll [MS]

    javascript\CLSID = {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}
    -> {HKLM…CLSID} = Microsoft HTML Javascript Pluggable Protocol
    \InProcServer32\(Default) = C:\Windows\System32\mshtml.dll [MS]

    local\CLSID = {79eac9e7-baf9-11ce-8c82-00aa004ba90b}
    -> {HKLM…CLSID} = file:, local: Asychronous Pluggable Protocol Handler
    \InProcServer32\(Default) = C:\Windows\system32\urlmon.dll [MS]

    mailto\CLSID = {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B}
    -> {HKLM…CLSID} = Microsoft HTML Mailto Pluggable Protocol
    \InProcServer32\(Default) = C:\Windows\System32\mshtml.dll [MS]

    mhtml\CLSID = {05300401-BCBC-11d0-85E3-00C04FD85AB4}
    -> {HKLM…CLSID} = MHTML Asynchronous Pluggable Protocol Handler
    \InProcServer32\(Default) = C:\Windows\system32\inetcomm.dll [MS]

    mk\CLSID = {79eac9e6-baf9-11ce-8c82-00aa004ba90b}
    -> {HKLM…CLSID} = mk: Asychronous Pluggable Protocol Handler
    \InProcServer32\(Default) = C:\Windows\system32\urlmon.dll [MS]

    ms-its\CLSID = {9D148291-B9C8-11D0-A4CC-0000F80149F6}
    -> {HKLM…CLSID} = Microsoft InfoTech Protocols for IE 4.0
    \InProcServer32\(Default) = C:\Windows\System32\itss.dll [MS]

    res\CLSID = {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
    -> {HKLM…CLSID} = Microsoft HTML Resource Pluggable Protocol
    \InProcServer32\(Default) = C:\Windows\System32\mshtml.dll [MS]

    tv\CLSID = {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
    -> {HKLM…CLSID} = TV: Pluggable Protocol
    \InProcServer32\(Default) = C:\Windows\System32\msvidctl.dll [MS]

    vbscript\CLSID = {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}
    -> {HKLM…CLSID} = Microsoft HTML Javascript Pluggable Protocol
    \InProcServer32\(Default) = C:\Windows\System32\mshtml.dll [MS]

    HKCU\Software\Classes\*\shellex\ColumnHandlers\

    HKLM\SOFTWARE\Classes\*\shellex\ColumnHandlers\

    HKLM\Wow3264Node\Software\Classes\*\shellex\ColumnHandlers\

    HKCU\Software\Classes\*\shellex\ContextMenuHandlers\

    HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

    BriefcaseMenu\(Default) = {85BBD920-42A0-1069-A2E4-08002B30309D}
    -> {HKLM…CLSID} = Briefcase
    \InProcServer32\(Default) = C:\Windows\system32\syncui.dll [MS]

    BUContextMenu\(Default) = {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}
    -> {HKLM…CLSID} = (no title provided)
    \InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\buShell.dll [Symantec Corporation]

    FormatFactoryShell\(Default) = {A3777921-CFD3-4A6B-89BF-08E6B95716E8}
    -> {HKLM…CLSID} = FormatFactoryShell
    \InProcServer32\(Default) = C:\Program Files (x86)\FreeTime\FormatFactory\ShellEx64_100.dll [Free Time]

    Open With\(Default) = {09799AFB-AD67-11d1-ABCD-00C04FC30936}
    -> {HKLM…CLSID} = Open With Context Menu Handler
    \InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

    Open With EncryptionMenu\(Default) = {A470F8CF-A1E8-4f65-8335-227475AA5C46}
    -> {HKLM…CLSID} = Encryption Context Menu
    \InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

    Sharing\(Default) = {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}
    -> {HKLM…CLSID} = Shell extensions for sharing
    \InProcServer32\(Default) = C:\Windows\system32\ntshrui.dll [MS]

    Symantec.Norton.Antivirus.IEContextMenu\(Default) = {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}
    -> {HKLM…CLSID} = IEContextMenu Class
    \InProcServer32\(Default) = "C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\NavShExt.dll" [Symantec Corporation]

    {90AA3A4E-1CBA-4233-B8BB-535773D48449}\(Default) = Taskband Pin
    -> {HKLM…CLSID} = Taskband Pin
    \InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

    {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}\(Default) = Start Menu Pin
    -> {HKLM…CLSID} = Start Menu Pin
    \InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

    HKLM\Wow3264Node\Software\Classes\*\shellex\ContextMenuHandlers\

    HKCU\Software\Classes\*\shellex\CopyHookHandlers\

    HKLM\SOFTWARE\Classes\*\shellex\CopyHookHandlers\

    HKLM\Wow3264Node\Software\Classes\*\shellex\CopyHookHandlers\

    HKCU\Software\Classes\*\shellex\DragDropHandlers\

    HKLM\SOFTWARE\Classes\*\shellex\DragDropHandlers\

    HKLM\Wow3264Node\Software\Classes\*\shellex\DragDropHandlers\

    HKCU\Software\Classes\*\shellex\PropertySheetHandlers\

    HKLM\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\

    BriefcasePage\(Default) = {85BBD920-42A0-1069-A2E4-08002B30309D}
    -> {HKLM…CLSID} = Briefcase
    \InProcServer32\(Default) = C:\Windows\system32\syncui.dll [MS]

    BuPropertySheet\(Default) = {B59987EA-25FE-44B4-8802-E4DE67073D8C}
    -> {HKLM…CLSID} = (no title provided)
    \InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\buShell.dll [Symantec Corporation]

    CryptoSignMenu\(Default) = {7444C719-39BF-11D1-8CD9-00C04FC29D45}
    -> {HKLM…CLSID} = CryptSig Class
    \InProcServer32\(Default) = C:\Windows\system32\cryptext.dll [MS]

    {1f2e5c40-9550-11ce-99d2-00aa006e086c}\(Default) = (no title provided)
    -> {HKLM…CLSID} = Security Shell Extension
    \InProcServer32\(Default) = C:\Windows\system32\rshx32.dll [MS]

    {3EA48300-8CF6-101B-84FB-666CCB9BCD32}\(Default) = OLE DocFile Property Page
    -> {HKLM…CLSID} = OLE Docfile Property Page
    \InProcServer32\(Default) = C:\Windows\system32\docprop.dll [MS]

    {883373C3-BF89-11D1-BE35-080036B11A03}\(Default) = Summary Properties Page
    -> {HKLM…CLSID} = Summary Properties Page
    \InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

    HKLM\Wow3264Node\Software\Classes\*\shellex\PropertySheetHandlers\

    HKCU\Software\Classes\AllFilesystemObjects\shellex\ColumnHandlers\

    HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ColumnHandlers\

    HKLM\Wow3264Node\Software\Classes\AllFilesystemObjects\shellex\ColumnHandlers\

    HKCU\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

    HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

    BackupContextMenuExtension\(Default) = {b1b96b20-da1d-4a3c-92c1-7229b32f2325}
    -> {HKLM…CLSID} = XPClient.FileSystemBrowser.BackupContextMenuExtension.BackupContextMenuExtension
    \InProcServer32\(Default) = mscoree.dll [MS]

    CopyAsPathMenu\(Default) = {f3d06e7c-1e45-4a26-847e-f9fcdee59be0}
    -> {HKLM…CLSID} = Copy as Path Menu
    \InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

    MBAMShlExt\(Default) = {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
    -> {HKLM…CLSID} = MBAMShlExt Class
    \InProcServer32\(Default) = C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll [Malwarebytes Corporation]

    SendTo\(Default) = {7BA4C740-9E81-11CF-99D3-00AA004AE837}
    -> {HKLM…CLSID} = Microsoft SendTo Service
    \InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

    {596AB062-B4D2-4215-9F74-E9109B0A8153}\(Default) = (no title provided)
    -> {HKLM…CLSID} = Previous Versions Property Page
    \InProcServer32\(Default) = C:\Windows\system32\twext.dll [MS]

    HKLM\Wow3264Node\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

    HKCU\Software\Classes\AllFilesystemObjects\shellex\CopyHookHandlers\

    HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\CopyHookHandlers\

    HKLM\Wow3264Node\Software\Classes\AllFilesystemObjects\shellex\CopyHookHandlers\

    HKCU\Software\Classes\AllFilesystemObjects\shellex\DragDropHandlers\

    HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\DragDropHandlers\

    HKLM\Wow3264Node\Software\Classes\AllFilesystemObjects\shellex\DragDropHandlers\

    HKCU\Software\Classes\AllFilesystemObjects\shellex\PropertySheetHandlers\

    HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\PropertySheetHandlers\

    PropertySheetExtension1\(Default) = {506d8021-4fcf-446f-bf22-2ad5c3c28109}
    -> {HKLM…CLSID} = XPClient.FileSystemBrowser.PropertySheetExtension.PropertySheetExtension1
    \InProcServer32\(Default) = mscoree.dll [MS]

    {596AB062-B4D2-4215-9F74-E9109B0A8153}\(Default) = (no title provided)
    -> {HKLM…CLSID} = Previous Versions Property Page
    \InProcServer32\(Default) = C:\Windows\system32\twext.dll [MS]

    HKLM\Wow3264Node\Software\Classes\AllFilesystemObjects\shellex\PropertySheetHandlers\

    HKCU\Software\Classes\Directory\shellex\ColumnHandlers\

    HKLM\SOFTWARE\Classes\Directory\shellex\ColumnHandlers\

    HKLM\Wow3264Node\Software\Classes\Directory\shellex\ColumnHandlers\

    HKCU\Software\Classes\Directory\shellex\ContextMenuHandlers\

    HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

    EncryptionMenu\(Default) = {A470F8CF-A1E8-4f65-8335-227475AA5C46}
    -> {HKLM…CLSID} = Encryption Context Menu
    \InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

    FormatFactoryShell\(Default) = {A3777921-CFD3-4A6B-89BF-08E6B95716E8}
    -> {HKLM…CLSID} = FormatFactoryShell
    \InProcServer32\(Default) = C:\Program Files (x86)\FreeTime\FormatFactory\ShellEx64_100.dll [Free Time]

    Sharing\(Default) = {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}
    -> {HKLM…CLSID} = Shell extensions for sharing
    \InProcServer32\(Default) = C:\Windows\system32\ntshrui.dll [MS]

    {596AB062-B4D2-4215-9F74-E9109B0A8153}\(Default) = (no title provided)
    -> {HKLM…CLSID} = Previous Versions Property Page
    \InProcServer32\(Default) = C:\Windows\system32\twext.dll [MS]

    HKLM\Wow3264Node\Software\Classes\Directory\shellex\ContextMenuHandlers\

    HKCU\Software\Classes\Directory\shellex\CopyHookHandlers\

    HKLM\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\

    FileSystem\(Default) = {217FC9C0-3AEA-1069-A2DB-08002B30309D}
    -> {HKLM…CLSID} = Shell Copy Hook
    \InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

    Sharing\(Default) = {40dd6e20-7c17-11ce-a804-00aa003ca9f6}
    -> {HKLM…CLSID} = Shell extensions for sharing
    \InProcServer32\(Default) = C:\Windows\system32\ntshrui.dll [MS]

    HKLM\Wow3264Node\Software\Classes\Directory\shellex\CopyHookHandlers\

    HKCU\Software\Classes\Directory\shellex\DragDropHandlers\

    HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\

    HKLM\Wow3264Node\Software\Classes\Directory\shellex\DragDropHandlers\

    HKCU\Software\Classes\Directory\shellex\PropertySheetHandlers\

    HKLM\SOFTWARE\Classes\Directory\shellex\PropertySheetHandlers\

    Sharing\(Default) = {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}
    -> {HKLM…CLSID} = Shell extensions for sharing
    \InProcServer32\(Default) = C:\Windows\system32\ntshrui.dll [MS]

    {1f2e5c40-9550-11ce-99d2-00aa006e086c}\(Default) = (no title provided)
    -> {HKLM…CLSID} = Security Shell Extension
    \InProcServer32\(Default) = C:\Windows\system32\rshx32.dll [MS]

    {4a7ded0a-ad25-11d0-98a8-0800361b1103}\(Default) = (no title provided)
    -> {HKLM…CLSID} = MyFolder menu and properties
    \InProcServer32\(Default) = C:\Windows\system32\mydocs.dll [MS]

    {596AB062-B4D2-4215-9F74-E9109B0A8153}\(Default) = (no title provided)
    -> {HKLM…CLSID} = Previous Versions Property Page
    \InProcServer32\(Default) = C:\Windows\system32\twext.dll [MS]

    {ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}\(Default) = (no title provided)
    -> {HKLM…CLSID} = DfsShell Class
    \InProcServer32\(Default) = C:\Windows\system32\DfsShlEx.dll [MS]

    {ef43ecfe-2ab9-4632-bf21-58909dd177f0}\(Default) = (no title provided)
    -> {HKLM…CLSID} = Folder Customization Tab
    \InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

    HKLM\Wow3264Node\Software\Classes\Directory\shellex\PropertySheetHandlers\

    HKCU\Software\Classes\Directory\Background\shellex\ColumnHandlers\

    HKLM\SOFTWARE\Classes\Directory\Background\shellex\ColumnHandlers\

    HKLM\Wow3264Node\Software\Classes\Directory\Background\shellex\ColumnHandlers\

    HKCU\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\

    HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\

    Gadgets\(Default) = {6B9228DA-9C15-419e-856C-19E768A13BDC}
    -> {HKLM…CLSID} = Windows Desktop Gadgets
    \InProcServer32\(Default) = C:\Program Files\Windows Sidebar\sbdrop.dll [MS]

    igfxcui\(Default) = {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}
    -> {HKLM…CLSID} = GraphicsShellExt Class
    \InProcServer32\(Default) = C:\Windows\system32\igfxpph.dll [Intel Corporation]

    New\(Default) = {D969A300-E7FF-11d0-A93B-00A0C90F2719}
    -> {HKLM…CLSID} = New Menu Handler
    \InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

    Sharing\(Default) = {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}
    -> {HKLM…CLSID} = Shell extensions for sharing
    \InProcServer32\(Default) = C:\Windows\system32\ntshrui.dll [MS]

    HKLM\Wow3264Node\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\

    HKCU\Software\Classes\Directory\Background\shellex\CopyHookHandlers\

    HKLM\SOFTWARE\Classes\Directory\Background\shellex\CopyHookHandlers\

    HKLM\Wow3264Node\Software\Classes\Directory\Background\shellex\CopyHookHandlers\

    HKCU\Software\Classes\Directory\Background\shellex\DragDropHandlers\

    HKLM\SOFTWARE\Classes\Directory\Background\shellex\DragDropHandlers\

    HKLM\Wow3264Node\Software\Classes\Directory\Background\shellex\DragDropHandlers\

    HKCU\Software\Classes\Directory\Background\shellex\PropertySheetHandlers\

    HKLM\SOFTWARE\Classes\Directory\Background\shellex\PropertySheetHandlers\

    HKLM\Wow3264Node\Software\Classes\Directory\Background\shellex\PropertySheetHandlers\

    HKCU\Software\Classes\Folder\shellex\ColumnHandlers\

    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

    HKLM\Wow3264Node\Software\Classes\Folder\shellex\ColumnHandlers\

    HKCU\Software\Classes\Folder\shellex\ContextMenuHandlers\

    HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

    BriefcaseMenu\(Default) = {85BBD920-42A0-1069-A2E4-08002B30309D}
    -> {HKLM…CLSID} = Briefcase
    \InProcServer32\(Default) = C:\Windows\system32\syncui.dll [MS]

    BUContextMenu\(Default) = {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}
    -> {HKLM…CLSID} = (no title provided)
    \InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\buShell.dll [Symantec Corporation]

    Library Location\(Default) = {3dad6c5d-2167-4cae-9914-f99e41c12cfa}
    -> {HKLM…CLSID} = Include In Library Sub Context Menu
    \InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

    MBAMShlExt\(Default) = {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
    -> {HKLM…CLSID} = MBAMShlExt Class
    \InProcServer32\(Default) = C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll [Malwarebytes Corporation]

    Symantec.Norton.Antivirus.IEContextMenu\(Default) = {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}
    -> {HKLM…CLSID} = IEContextMenu Class
    \InProcServer32\(Default) = "C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\NavShExt.dll" [Symantec Corporation]

    HKLM\Wow3264Node\Software\Classes\Folder\shellex\ContextMenuHandlers\

    HKCU\Software\Classes\Folder\shellex\CopyHookHandlers\

    HKLM\SOFTWARE\Classes\Folder\shellex\CopyHookHandlers\

    HKLM\Wow3264Node\Software\Classes\Folder\shellex\CopyHookHandlers\

    HKCU\Software\Classes\Folder\shellex\DragDropHandlers\

    HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\

    {BD472F60-27FA-11cf-B8B4-444553540000}\(Default) = (no title provided)
    -> {HKLM…CLSID} = Compressed (zipped) Folder Right Drag Handler
    \InProcServer32\(Default) = C:\Windows\system32\zipfldr.dll [MS]

    HKLM\Wow3264Node\Software\Classes\Folder\shellex\DragDropHandlers\

    HKCU\Software\Classes\Folder\shellex\PropertySheetHandlers\

    HKLM\SOFTWARE\Classes\Folder\shellex\PropertySheetHandlers\

    BriefcasePage\(Default) = {85BBD920-42A0-1069-A2E4-08002B30309D}
    -> {HKLM…CLSID} = Briefcase
    \InProcServer32\(Default) = C:\Windows\system32\syncui.dll [MS]

    HKLM\Wow3264Node\Software\Classes\Folder\shellex\PropertySheetHandlers\


    Default executables:
    --------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\UserChoice\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\UserChoice\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\UserChoice\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\UserChoice\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\UserChoice\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\UserChoice\

    HKLM\SOFTWARE\Classes\.bat\(Default) = batfile
    HKLM\SOFTWARE\Classes\batfile\shell\open\command\(Default) = "%1" %*

    HKLM\SOFTWARE\Classes\.cmd\(Default) = cmdfile
    HKLM\SOFTWARE\Classes\cmdfile\shell\open\command\(Default) = "%1" %*

    HKLM\SOFTWARE\Classes\.com\(Default) = comfile
    HKLM\SOFTWARE\Classes\comfile\shell\open\command\(Default) = "%1" %*

    HKLM\SOFTWARE\Classes\.exe\(Default) = exefile
    HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = "%1" %*

    HKLM\SOFTWARE\Classes\.hta\(Default) = htafile
    HKLM\SOFTWARE\Classes\htafile\shell\open\command\(Default) = C:\Windows\SysWOW64\mshta.exe "%1" %*

    HKLM\SOFTWARE\Classes\.pif\(Default) = piffile
    HKLM\SOFTWARE\Classes\piffile\shell\open\command\(Default) = "%1" %*

    HKLM\SOFTWARE\Classes\.scr\(Default) = scrfile
    HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = "%1" /S


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    NoDriveAutoRun = (REG_DWORD) dword:0x00000020
    {Turn off autoplay for drive letter}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    NoActiveDesktop = (REG_DWORD) dword:0x00000001
    {not in GPedit.msc under Computer Configuration|
    Disable Active Desktop and prevent users from enabling it}

    ForceActiveDesktopOn = (REG_DWORD) dword:0x00000000
    {not in GPedit.msc under Computer Configuration|
    Enable Active Desktop and prevent users from disabling it}

    NoDriveTypeAutoRun = (REG_DWORD) dword:0x000000FF
    {Computer Configuration|Administrative Templates|Windows Components|AutoPlay Policies|
    Turn off Autoplay}

    NoDriveAutoRun = (REG_DWORD) dword:0x03FFFFFF
    {Turn off autoplay for drive letter}

    HonorAutorunSetting = (REG_DWORD) dword:0x00000001
    {not in GPedit.msc|
    Per MSKB 967715, enable Autorun settings in Hotfixes 950582, 967715, and 953252}

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\

    HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\

    HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\

    HKCU\Software\Policies\Microsoft\Internet Explorer\Download\

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Download\

    HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

    HKCU\Software\Policies\Microsoft\Internet Explorer\Main\

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\

    HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

    HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter\

    HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy\

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy\

    HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions\

    HKCU\Software\Policies\Microsoft\Internet Explorer\Security\

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Security\

    HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbar\

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Toolbar\

    HKCU\Software\Policies\Microsoft\MMC\{0E752416-F29E-4195-A9DD-7F0D4D5A9D71}\

    HKCU\Software\Policies\Microsoft\MMC\{0F3621F1-23C6-11D1-AD97-00AA00B88E5A}\

    HKCU\Software\Policies\Microsoft\MMC\{0F6B957D-509E-11D1-A7CC-0000F87571E3}\

    HKCU\Software\Policies\Microsoft\MMC\{0F6B957E-509E-11D1-A7CC-0000F87571E3}\

    HKCU\Software\Policies\Microsoft\MMC\{394C052E-B830-11D0-9A86-00C04FD8DBF7}\

    HKCU\Software\Policies\Microsoft\MMC\{58221C66-EA27-11CF-ADCF-00AA00A80033}\

    HKCU\Software\Policies\Microsoft\MMC\{58221C67-EA27-11CF-ADCF-00AA00A80033}\

    HKCU\Software\Policies\Microsoft\MMC\{5D6179C8-17EC-11D1-9AA9-00C04FD8FE93}\

    HKCU\Software\Policies\Microsoft\MMC\{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}\

    HKCU\Software\Policies\Microsoft\MMC\{84DE202D-5D95-4764-9014-A46F994CE856}\

    HKCU\Software\Policies\Microsoft\MMC\{84DE202E-5D95-4764-9014-A46F994CE856}\

    HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}\

    HKCU\Software\Policies\Microsoft\MMC\{975797FC-4E2A-11D0-B702-00C04FD8DBF7}\

    HKCU\Software\Policies\Microsoft\MMC\{D02B1F72-3407-48ae-BA88-E8213C6761F1}\

    HKCU\Software\Policies\Microsoft\MMC\{D02B1F73-3407-48ae-BA88-E8213C6761F1}\

    HKCU\Software\Policies\Microsoft\MMC\{E12BBB5D-D59D-4E61-947A-301D25AE8C23}\

    HKCU\Software\Policies\Microsoft\MMC\{FC715823-C5FB-11D1-9EEF-00A0C90347FF}\

    HKCU\Software\Policies\Microsoft\MMC\FX:{b05566ac-fe9c-4368-be02-7a4cbb7cbe11}\

    HKCU\Software\Policies\Microsoft\MMC\FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510}\

    HKCU\Software\Policies\Microsoft\MMC\FX:{b05566ae-fe9c-4363-be05-7a4cbb7cb510}\

    HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

    HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

    HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

    HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

    HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

    HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

    HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

    HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

    HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

    HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

    HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

    HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

    HKCU\Software\Policies\Microsoft\Windows\Network Connections\

    HKCU\Software\Policies\Microsoft\Windows\System\

    HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

    HKLM\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler5.0\

    HKCU\Software\Policies\Microsoft\Windows Defender\

    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\

    HKCU\Software\Policies\Microsoft\Windows Defender\Real-time Protection\

    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\

    HKCU\Software\Policies\Microsoft\Windows\Windows Error Reporting\

    HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

    ConsentPromptBehaviorAdmin = (REG_DWORD) dword:0x00000002
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

    ConsentPromptBehaviorUser = (REG_DWORD) dword:0x00000003
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    User Account Control: Behavior Of The Elevation Prompt For Standard Users}
  23. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    EnableInstallerDetection = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    User Account Control: Detect Application Installations And Prompt For Elevation}

    EnableLUA = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    User Account Control: Run All Administrators In Admin Approval Mode}

    EnableSecureUIAPaths = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    User Account Control: Only elevate UIAccess applications that are installed in secure locations}

    EnableUIADesktopToggle = (REG_DWORD) dword:0x00000000
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    User Account Control: Allow UIAcess applications to prompt for elevation without using the secure desktop}

    EnableVirtualization = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    User Account Control: Virtualize file and registry write failures to per-user locations}

    PromptOnSecureDesktop = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    User Account Control: Switch to the secure desktop when prompting for elevation}

    ValidateAdminCodeSignatures = (REG_DWORD) dword:0x00000000
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    User Account Control: Only elevate executables that are signed and validated}

    dontdisplaylastusername = (REG_DWORD) dword:0x00000000
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Interactive logon: Do not display last user name}

    legalnoticecaption = (REG_SZ) (empty string)
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Interactive logon: Message title for users attempting to log on}

    legalnoticetext = (REG_SZ) (empty string)
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Interactive logon: Message text for users attempting to log on}

    scforceoption = (REG_DWORD) dword:0x00000000
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Interactive logon: Require smart card}

    shutdownwithoutlogon = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    undockwithoutlogon = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}

    FilterAdministratorToken = (REG_DWORD) dword:0x00000000
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    User Account Control: Admin Approval Mode for the Built-in Administrator Account}

    HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    Wallpaper = C:\Users\Sad0r\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

    Active Desktop web content (hidden if disabled):

    HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    SCRNSAVE.EXE = C:\Windows\system32\Bubbles.scr [MS]


    IniFileMapping Pointers to .INI Files:
    --------------------------------------

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\

    System.ini\
    drivers32 = SYS:Microsoft\Windows NT\CurrentVersion\Drivers32

    system.ini\boot\
    (Default) = SYS:Microsoft\Windows NT\CurrentVersion\WOW\boot
    SCRNSAVE.EXE = USR:Control Panel\Desktop
    Shell = SYS:Microsoft\Windows NT\CurrentVersion\Winlogon

    win.ini\
    Winlogon = SYS:Microsoft\Windows NT\CurrentVersion\Winlogon
    AeDebug = SYS:Microsoft\Windows NT\CurrentVersion\AeDebug
    Devices = USR:Software\Microsoft\Windows NT\CurrentVersion\Devices

    win.ini\Windows\
    (Default) = USR:Software\Microsoft\Windows NT\CurrentVersion\Windows
    APPINIT_DLLS = SYS:MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS


    Windows Portable Device AutoPlay Handlers
    -----------------------------------------

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

    ArcSoftVideoCameraArrival\
    Provider = ArcSoft ShowBiz DVD 2
    ProgID = Shell.HWEventHandlerShellExecute
    InitCmdLine = C:\PROGRA~2\ArcSoft\SHOWBI~1\showbiz.exe /capture
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}
    -> {HKLM…CLSID} = Shell Execute Hardware Event Handler
    \LocalServer32\(Default) = C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]

    DVDDecrypterPlayDVDMovieOnArrival\
    Provider = DVD Decrypter
    InvokeProgID = DVDDecrypter
    InvokeVerb = PlayDVDMovieOnArrival_Decrypt
    HKLM\SOFTWARE\Classes\DVDDecrypter\shell\PlayDVDMovieOnArrival_Decrypt\Command\(Default) = "C:\Program Files (x86)\DVD Decrypter\DVDDecrypter.exe" /MODE READ /SOURCE "%1" [LIGHTNING UK!]

    MagicUSBCable\
    Provider = @%windir%\system32\migwiz\wet.dll,-588
    CLSID = {0C776A5A-FC42-4870-8D65-D62ADD9184FF}
    -> {HKLM…CLSID} = Magic USB Cable Class ID
    \LocalServer32\(Default) = MigAutoPlay.exe [MS]

    MSCDBurningOnArrival\
    Provider = @C:\Windows\system32\shell32.dll,-17417
    InvokeProgID = Shell.CDBurn
    InvokeVerb = Prepare
    HKLM\SOFTWARE\Classes\Shell.CDBurn\shell\Prepare\Command\(Default) = C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,PrepareDiscForBurnRunDll %L [MS]

    MSCreateRdbCache\
    Provider = @C:\Windows\system32\sysmain.dll,-200
    InvokeProgID = RDB.AutoPlayHandler
    InvokeVerb = properties
    HKLM\SOFTWARE\Classes\RDB.AutoPlayHandler\shell\properties\command\(Default) = C:\Windows\system32\rundll32.exe C:\Windows\system32\sysmain.dll,RDBMgmtLaunchProperties %L [MS]

    MSDVDArrivalDvdMaker\
    Provider = @C:\Program Files\DVD maker\dvdmaker.exe,-61403
    InvokeProgID = DVDMaker.DVD
    InvokeVerb = burn
    HKLM\SOFTWARE\Classes\DVDMaker.DVD\shell\burn\command\(Default) = "C:\Program Files\DVD Maker\dvdmaker.exe" -drive:%L [MS]

    MSEnhancedStorageHandler\
    Provider = @C:\Windows\system32\EhStorShell.dll,-106
    ProgID = EhStorShell.AutoplayHandler
    InitCmdLine = Authorize
    HKLM\SOFTWARE\Classes\EhStorShell.AutoplayHandler\CLSID\(Default) = {36F54939-CD3B-4C73-92D5-F9A389ED631C}
    -> {HKLM…CLSID} = Enhanced Storage Autoplay Handler Class
    \InProcServer32\(Default) = C:\Windows\system32\EhStorShell.dll [MS]

    MSLivePhotoAcquireDropHandler\
    Provider = @%ProgramFiles(x86)%\Windows Live\Photo Gallery\regres.dll,-10
    InvokeProgID = Microsoft.LivePhotoAcqDTShim.1
    InvokeVerb = open
    HKLM\SOFTWARE\Classes\Microsoft.LivePhotoAcqDTShim.1\shell\open\DropTarget\CLSID = {00F33137-EE26-412F-8D71-F84E4C2C6625}
    -> {HKLM…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim
    \InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShimx64.dll [MS]

    MSLiveShowPicturesOnArrival\
    Provider = @%ProgramFiles(x86)%\Windows Live\Photo Gallery\regres.dll,-10
    InvokeProgID = Microsoft.Photos.LiveAutoplayShim.1
    InvokeVerb = open
    HKLM\SOFTWARE\Classes\Microsoft.Photos.LiveAutoplayShim.1\shell\open\DropTarget\CLSID = {00F30F90-3E96-453B-AFCD-D71989ECC2C7}
    -> {HKLM…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim
    \InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShimx64.dll [MS]

    MSOpenFolder\
    Provider = @C:\Windows\system32\shell32.dll,-17411
    InvokeProgID = Folder
    InvokeVerb = open
    HKLM\SOFTWARE\Classes\Folder\shell\open\command\(Default) = C:\Windows\Explorer.exe [MS]

    MSPhotoAcqHWEventHandler\
    Provider = @C:\Program Files\Windows Photo Viewer\PhotoAcq.dll,-401
    ProgID = Microsoft.PhotoAcqHWEventHandler
    HKLM\SOFTWARE\Classes\Microsoft.PhotoAcqHWEventHandler\CLSID\(Default) = {00f2b433-44e4-4d88-b2b0-2698a0a91dba}
    -> {HKLM…CLSID} = PhotoAcqHWEventHandler
    \LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoAcq.dll",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba} [MS]

    MSPhotoAcquireDropHandler\
    Provider = @C:\Program Files\Windows Photo Viewer\PhotoAcq.dll,-401
    InvokeProgID = Microsoft.PhotoAcqDropTarget.1
    InvokeVerb = open
    HKLM\SOFTWARE\Classes\Microsoft.PhotoAcqDropTarget.1\shell\open\DropTarget\CLSID = {00f20eb5-8fd6-4d9d-b75e-36801766c8f1}
    -> {HKLM…CLSID} = PhotoAcqDropTarget
    \InProcServer32\(Default) = C:\Program Files\Windows Photo Viewer\PhotoAcq.dll [MS]

    MSPlayCDAudioOnArrival\
    Provider = @wmploc.dll,-6502
    InvokeProgID = WMP.AudioCD
    InvokeVerb = play
    HKLM\SOFTWARE\Classes\WMP.AudioCD\shell\play\command\(Default) = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L" [MS]

    MSPlayDVDMovieOnArrival\
    Provider = @wmploc.dll,-6502
    InvokeProgID = WMP.DVD
    InvokeVerb = play
    HKLM\SOFTWARE\Classes\WMP.DVD\shell\play\command\(Default) = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L" [MS]

    MSPlaySuperVideoCDMovieOnArrival\
    Provider = @wmploc.dll,-6502
    InvokeProgID = WMP.VCD
    InvokeVerb = play
    HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L" [MS]

    MSPlayVideoCDMovieOnArrival\
    Provider = @wmploc.dll,-6502
    InvokeProgID = WMP.VCD
    InvokeVerb = play
    HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L" [MS]

    MSPromptEachTime\
    Provider = @C:\Windows\system32\shell32.dll,-17411
    ProgID = Shell.Autoplay
    InitCmdLine = PromptEachTime
    HKLM\SOFTWARE\Classes\Shell.Autoplay\CLSID\(Default) = {995C996E-D918-4a8c-A302-45719A6F4EA7}
    -> {HKLM…CLSID} = Shell Hardware Mixed Content Handler
    \LocalServer32\(Default) = C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} [MS]

    MSPromptEachTimeNoContent\
    Provider = @C:\Windows\system32\shell32.dll,-17411
    ProgID = Shell.Autoplay
    InitCmdLine = PromptEachTimeNoContent
    HKLM\SOFTWARE\Classes\Shell.Autoplay\CLSID\(Default) = {995C996E-D918-4a8c-A302-45719A6F4EA7}
    -> {HKLM…CLSID} = Shell Hardware Mixed Content Handler
    \LocalServer32\(Default) = C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} [MS]

    MSSdConfigBackup\
    Provider = @C:\Windows\system32\sdautoplay.dll,-100
    InvokeProgID = SDConfig.AutoPlayHandler
    InvokeVerb = config
    HKLM\SOFTWARE\Classes\SDConfig.AutoPlayHandler\shell\config\command\(Default) = C:\Windows\system32\sdclt.exe /CONFIGELEV %L [MS]

    MSSdRunBackup\
    Provider = @C:\Windows\system32\sdautoplay.dll,-100
    InvokeProgID = SDRun.AutoPlayHandler
    InvokeVerb = run
    HKLM\SOFTWARE\Classes\SDRun.AutoPlayHandler\shell\run\command\(Default) = C:\Windows\system32\sdclt.exe /KICKOFFELEV [MS]

    MSWcnImportWireless\
    Provider = @C:\Windows\system32\wzcdlg.dll,-2102
    InvokeProgID = WCN.AutoPlayHandler
    InvokeVerb = open
    HKLM\SOFTWARE\Classes\WCN.AutoPlayHandler\shell\open\command\(Default) = C:\Windows\system32\rundll32.exe C:\Windows\system32\wzcdlg.dll,ImportFlashProfile %L [MS]

    MSWMDMHandler\
    Provider = @wmploc.dll,-6502
    ProgID = WMP.Device
    HKLM\SOFTWARE\Classes\WMP.Device\CLSID\(Default) = {94E03510-31B9-47a0-A44E-E932AC86BB17}
    -> {HKLM…CLSID} = Windows Media Player Device Autoplay
    \LocalServer32\(Default) = "C:\Program Files\Windows Media Player\wmlaunch.exe" [MS]

    MSWMPBurnCDOnArrival\
    Provider = @wmploc.dll,-6502
    InvokeProgID = WMP.BurnCD
    InvokeVerb = Burn
    HKLM\SOFTWARE\Classes\WMP.BurnCD\shell\Burn\Command\(Default) = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /Task:CDWrite /Device:"%L" [MS]

    MSWPDNetworkConfigHandler\
    Provider = @C:\Windows\system32\wpdshext.dll,-503
    CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
    InitCmdLine = /NetworkConfig;rundll32;xwizards.dll,RunWizard {34c219bd-85c1-4338-95e8-788a36901dc2} /z %s
    -> {HKLM…CLSID} = WPDShextAutoplay
    \LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]

    MSWPDShellNamespaceHandler\
    Provider = @C:\Windows\system32\wpdshext.dll,-501
    CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
    -> {HKLM…CLSID} = WPDShextAutoplay
    \LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]

    P2GCDBurningOnArrival\
    Provider = Power2Go
    InvokeProgID = BlankCD
    InvokeVerb = OpenWithPower2Go
    HKLM\SOFTWARE\Classes\BlankCD\shell\OpenWithPower2Go\Command\(Default) = "C:\Program Files (x86)\CyberLink\Power2Go\Power2Go.exe" "%L" [CyberLink Corp.]

    P2GDVDBurningOnArrival\
    Provider = Power2Go
    InvokeProgID = BlankDVD
    InvokeVerb = OpenWithPower2Go
    HKLM\SOFTWARE\Classes\BlankDVD\shell\OpenWithPower2Go\Command\(Default) = "C:\Program Files (x86)\CyberLink\Power2Go\Power2Go.exe" "%L" [CyberLink Corp.]

    Power2GoPlayCDAudioOnArrival\
    Provider = Power2Go
    InvokeProgID = AudioCD
    InvokeVerb = PlayWithPower2Go
    HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPower2Go\Command\(Default) = "C:\Program Files (x86)\CyberLink\Power2Go\Power2Go.exe" /AudioRipper "%L" [CyberLink Corp.]

    PStarterBlankCDArrival\
    Provider = Media Suite
    InvokeProgID = BlankCD
    InvokeVerb = OpenWithPowerStarter
    HKLM\SOFTWARE\Classes\BlankCD\shell\OpenWithPowerStarter\Command\(Default) = "C:\Program Files (x86)\CyberLink\Media Suite\PS.exe" "%L" [CyberLink Corp.]

    PStarterDVDBurningOnArrival\
    Provider = Media Suite
    InvokeProgID = BlankDVD
    InvokeVerb = OpenWithPowerStarter
    HKLM\SOFTWARE\Classes\BlankDVD\shell\OpenWithPowerStarter\Command\(Default) = "C:\Program Files (x86)\CyberLink\Media Suite\PS.exe" "%L" [CyberLink Corp.]

    PStarterMixedCDArrival\
    Provider = Media Suite
    InvokeProgID = MixedContent
    InvokeVerb = OpenWithPowerStarter
    HKLM\SOFTWARE\Classes\MixedContent\shell\OpenWithPowerStarter\Command\(Default) = "C:\Program Files (x86)\CyberLink\Media Suite\PS.exe" "%L" [CyberLink Corp.]

    PStarterMusicFilesArrival\
    Provider = Media Suite
    InvokeProgID = MusicFiles
    InvokeVerb = OpenWithPowerStarter
    HKLM\SOFTWARE\Classes\MusicFiles\shell\OpenWithPowerStarter\Command\(Default) = "C:\Program Files (x86)\CyberLink\Media Suite\PS.exe" "%L" [CyberLink Corp.]

    PStarterPicturesArrival\
    Provider = Media Suite
    InvokeProgID = Picture
    InvokeVerb = OpenWithPowerStarter
    HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerStarter\Command\(Default) = "C:\Program Files (x86)\CyberLink\Media Suite\PS.exe" "%L" [CyberLink Corp.]

    PStarterVideoFilesArrival\
    Provider = Media Suite
    InvokeProgID = VideoFiles
    InvokeVerb = OpenWithPowerStarter
    HKLM\SOFTWARE\Classes\VideoFiles\shell\OpenWithPowerStarter\Command\(Default) = "C:\Program Files (x86)\CyberLink\Media Suite\PS.exe" "%L" [CyberLink Corp.]

    VLCPlayCDAudioOnArrival\
    Provider = VideoLAN VLC media player
    InvokeProgID = VLC.CDAudio
    InvokeVerb = play
    HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file cdda://%1 [the VideoLAN Team]

    VLCPlayDVDMovieOnArrival\
    Provider = VideoLAN VLC media player
    InvokeProgID = VLC.DVDMovie
    InvokeVerb = play
    HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file dvd://%1 [the VideoLAN Team]


    DESKTOP.INI DLL launch in local fixed drive directories:
    --------------------------------------------------------

    C:\$Recycle.Bin\S-1-5-21-3254260356-3574314768-983753981-1000\DESKTOP.INI
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

    C:\$Recycle.Bin\S-1-5-21-3254260356-3574314768-983753981-500\DESKTOP.INI
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

    C:\Users\Sad0r\AppData\Local\History\DESKTOP.INI
    [.ShellClassInfo]
    CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Users\Sad0r\AppData\Local\Microsoft\Windows\History\DESKTOP.INI
    [.ShellClassInfo]
    CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Users\Sad0r\AppData\Local\Microsoft\Windows\History\History.IE5\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Users\Sad0r\AppData\Local\Microsoft\Windows\History\Low\DESKTOP.INI
    [.ShellClassInfo]
    CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Users\Sad0r\AppData\Local\Microsoft\Windows\History\Low\History.IE5\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Users\Sad0r\AppData\Local\Microsoft\Windows\Temporary Internet Files\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Users\Sad0r\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Users\Sad0r\AppData\Local\Temporary Internet Files\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Windows\assembly\DESKTOP.INI
    [.ShellClassInfo]
    CLSID={1D2680C9-0E2A-469d-B787-065558BC7D43}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\system32\mscoree.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\mscoree.dll [MS]

    C:\Windows\Fonts\DESKTOP.INI
    [.ShellClassInfo]
    CLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\system32\fontext.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\system32\fontext.dll [MS]

    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\DESKTOP.INI
    [.ShellClassInfo]
    CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\DESKTOP.INI
    [.ShellClassInfo]
    CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\DESKTOP.INI
    [.ShellClassInfo]
    CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\DESKTOP.INI
    [.ShellClassInfo]
    CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HM69YR8O\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKG9U2FZ\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RGUQFBA3\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TXA1G3IW\DESKTOP.INI
    [.ShellClassInfo]
    UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    Permission Errors on C:
    C:\Documents and Settings, C:\ProgramData\Application Data, C:\ProgramData\Desktop
    C:\ProgramData\Documents, C:\ProgramData\Favorites
    C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\Quarantine
    C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\SrtETmp, C:\ProgramData\Start Menu
    C:\ProgramData\Templates, C:\Qoobox\BackEnv, C:\Users\All Users\Application Data
    C:\Users\All Users\Desktop, C:\Users\All Users\Documents, C:\Users\All Users\Favorites
    C:\Users\All Users\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\Quarantine
    C:\Users\All Users\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\SrtETmp
    C:\Users\All Users\Start Menu, C:\Users\All Users\Templates
    C:\Users\Default\AppData\Local\Application Data, C:\Users\Default\AppData\Local\History
    C:\Users\Default\AppData\Local\Temporary Internet Files, C:\Users\Default\Application Data
    C:\Users\Default\Documents\My Music, C:\Users\Default\Documents\My Pictures
    C:\Users\Default\Documents\My Videos, C:\Users\Default\Local Settings, C:\Users\Default\My Documents
    C:\Users\Default\NetHood, C:\Users\Default\PrintHood, C:\Users\Default\Recent
    C:\Users\Default\SendTo, C:\Users\Default\Start Menu, C:\Users\Default\Templates
    C:\Users\Default User, C:\Users\Public\Documents\My Music, C:\Users\Public\Documents\My Pictures
    C:\Users\Public\Documents\My Videos, C:\Users\Sad0r\AppData\Local\Application Data
    C:\Users\Sad0r\AppData\Local\History, C:\Users\Sad0r\AppData\Local\Temporary Internet Files
    C:\Users\Sad0r\Application Data, C:\Users\Sad0r\Cookies, C:\Users\Sad0r\Documents\My Music
    C:\Users\Sad0r\Documents\My Pictures, C:\Users\Sad0r\Documents\My Videos
    C:\Users\Sad0r\Local Settings, C:\Users\Sad0r\My Documents, C:\Users\Sad0r\NetHood
    C:\Users\Sad0r\PrintHood, C:\Users\Sad0r\Recent, C:\Users\Sad0r\SendTo, C:\Users\Sad0r\Start Menu
    C:\Users\Sad0r\Templates, C:\Windows\System32\LogFiles\WMI\RtBackup

    D:\$RECYCLE.BIN\S-1-5-21-3254260356-3574314768-983753981-1000\DESKTOP.INI
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    -> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]
    -> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]


    Startup items in "Sad0r" & "All Users" startup folders:
    -------------------------------------------------------

    C:\Users\Sad0r\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    AsusVibeLauncher -> shortcut to: C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe /start [ASUSTeK Computer Inc.]
    Secunia PSI Tray -> shortcut to: C:\Program Files (x86)\Secunia\PSI\psi_tray.exe [Secunia]


    Windows Sidebar Gadgets:
    ------------------------

    C:\Users\Sad0r\AppData\Local\Microsoft\Windows Sidebar\Settings.ini


    Non-disabled Scheduled Tasks:
    -----------------------------

    C:\Windows\System32\Tasks
    ASUS Live Update -> launches: C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe [null data]
    ASUS P4G -> launches: C:\Program Files\ASUS\P4G\BatteryLife.exe [ASUS]
    ASUS Quick Gesture -> launches: C:\Program Files (x86)\ASUS\ASUS Virtual Touch\QuickGesture\x86\QuickGesture.exe [ASUSTeK Computer Inc.]
    ASUS Quick Gesture (x64) -> launches: C:\Program Files (x86)\ASUS\ASUS Virtual Touch\QuickGesture\x64\QuickGesture64.exe [ASUSTeK Computer Inc.]
    ASUS USB Charger Plus -> launches: "C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe" [ASUSTek Computer Inc.]
    ATKOSD2 -> launches: C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [ASUSTek Computer Inc.]
    Norton WSC Integration -> (HIDDEN!) launches: "C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\WSCStub.exe" /taskschd [Symantec Corporation]
    SidebarExecute -> launches: C:\Program Files\Windows Sidebar\sidebar.exe [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
    AD RMS Rights Policy Template Management (Manual) -> launches: {BF5CB148-7C77-4d8a-A53E-D81C70CF743C}
    -> {HKLM…CLSID} = AD RMS Rights Policy Template Management (Manual) Task Handler
    \InProcServer32\(Default) = C:\Windows\system32\msdrm.dll [MS]
    -> {HKLM…Wow…CLSID} = AD RMS Rights Policy Template Management (Manual) Task Handler
    \InProcServer32\(Default) = C:\Windows\system32\msdrm.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\AppID
    PolicyConverter -> launches: %windir%\system32\appidpolicyconverter.exe [MS]
    VerifiedPublisherCertStoreCheck -> launches: %windir%\system32\appidcertstorecheck.exe [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience
    AitAgent -> launches: aitagent [MS]
    ProgramDataUpdater -> launches: %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Autochk
    Proxy -> launches: %windir%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
    UninstallDeviceTask -> launches: BthUdTask.exe $(Arg0) [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
    SystemTask -> launches: {58fb76b9-ac85-4e55-ac04-427593b1d060}
    -> {HKLM…CLSID} = Certificate Services Client Task Handler
    \InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]
    -> {HKLM…Wow…CLSID} = Certificate Services Client Task Handler
    \InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]
    UserTask -> launches: {58fb76b9-ac85-4e55-ac04-427593b1d060}
    -> {HKLM…CLSID} = Certificate Services Client Task Handler
    \InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]
    -> {HKLM…Wow…CLSID} = Certificate Services Client Task Handler
    \InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
    Consolidator -> launches: %SystemRoot%\System32\wsqmcons.exe [MS]
    KernelCeipTask -> (HIDDEN!) launches: {e7ed314f-2816-4c26-aeb5-54a34d02404c}
    -> {HKLM…CLSID} = KernelCeipCustomHandler
    \InProcServer32\(Default) = C:\Windows\System32\kernelceip.dll [MS]
    UsbCeip -> (HIDDEN!) launches: {c27f6b1d-fe0b-45e4-9257-38799fa69bc8}
    -> {HKLM…CLSID} = UsbCeip
    \InProcServer32\(Default) = C:\Windows\System32\usbceip.dll [MS]
    -> {HKLM…Wow…CLSID} = UsbCeip
    \InProcServer32\(Default) = C:\Windows\System32\usbceip.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis
    Scheduled -> (HIDDEN!) launches: {c1f85ef8-bcc2-4606-bb39-70c523715eb3}
    -> {HKLM…CLSID} = ScheduledDiagnosticCustomHandler
    \InProcServer32\(Default) = C:\Windows\System32\sdiagschd.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Location
    Notifications -> launches: %windir%\System32\LocationNotifications.exe [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance
    WinSAT -> launches: {A9A33436-678B-4C9C-A211-7CC38785E79D}
    -> {HKLM…CLSID} = WinSAT Task Manger Task
    \InProcServer32\(Default) = C:\Windows\system32\WinSATAPI.dll [MS]
    -> {HKLM…Wow…CLSID} = WinSAT Task Manger Task
    \InProcServer32\(Default) = C:\Windows\system32\WinSATAPI.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
    ActivateWindowsSearch -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch [MS]
    ConfigureInternetTimeService -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService [MS]
    DispatchRecoveryTasks -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0) [MS]
    ehDRMInit -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DRMInit [MS]
    InstallPlayReady -> launches: %SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0) [MS]
    mcupdate -> launches: %SystemRoot%\ehome\mcupdate $(Arg0) [MS]
    mcupdate_scheduled -> launches: %SystemRoot%\ehome\mcupdate -crl -hms -pscn 15 [MS]
    MediaCenterRecoveryTask -> launches: %SystemRoot%\ehome\mcupdate.exe -MediaCenterRecoveryTask [MS]
    ObjectStoreRecoveryTask -> launches: %SystemRoot%\ehome\mcupdate.exe -ObjectStoreRecoveryTask [MS]
    OCURActivate -> launches: %SystemRoot%\ehome\ehPrivJob.exe /OCURActivate [MS]
    OCURDiscovery -> launches: %SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0) [MS]
    PBDADiscovery -> launches: %SystemRoot%\ehome\ehPrivJob.exe /PBDADiscovery [MS]
    PBDADiscoveryW1 -> launches: %SystemRoot%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery [MS]
    PBDADiscoveryW2 -> launches: %SystemRoot%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery [MS]
    PvrRecoveryTask -> launches: %SystemRoot%\ehome\mcupdate.exe -PvrRecoveryTask [MS]
    PvrScheduleTask -> launches: %SystemRoot%\ehome\mcupdate.exe -PvrSchedule [MS]
    RegisterSearch -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0) [MS]
    ReindexSearchRoot -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoReindexSearchRoot [MS]
    SqlLiteRecoveryTask -> launches: %SystemRoot%\ehome\mcupdate.exe -SqlLiteRecoveryTask [MS]
    StartRecording -> launches: %SystemRoot%\ehome\ehrec /StartRecording [MS]
    UpdateRecordPath -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0) [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic
    CorruptionDetector -> (HIDDEN!) launches: {190BA3F6-0205-4f46-B589-95C6822899D2}
    -> {HKLM…CLSID} = MemoryDiagnosticCustomHandler
    \InProcServer32\(Default) = C:\Windows\System32\memdiag.dll [MS]
    DecompressionFailureDetector -> (HIDDEN!) launches: {190BA3F6-0205-4f46-B589-95C6822899D2}
    -> {HKLM…CLSID} = MemoryDiagnosticCustomHandler
    \InProcServer32\(Default) = C:\Windows\System32\memdiag.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
    HotStart -> launches: {06DA0625-9701-43da-BFD7-FBEEA2180A1E}
    -> {HKLM…CLSID} = HotStart User Agent
    \InProcServer32\(Default) = C:\Windows\System32\HotStartUserAgent.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\MUI
    Lpksetup -> launches: C:\Windows\System32\lpksetup.exe -v [MS]
    LPRemove -> launches: %windir%\system32\lpremove.exe [MS]
    Mcbuilder -> launches: C:\Windows\System32\mcbuilder.exe [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
    SystemSoundsService -> launches: {2DEA658F-54C1-4227-AF9B-260AB5FC3543}
    -> {HKLM…CLSID} = Microsoft PlaySoundService Class
    \InProcServer32\(Default) = C:\Windows\System32\PlaySndSrv.dll [MS]
    -> {HKLM…Wow…CLSID} = Microsoft PlaySoundService Class
    \InProcServer32\(Default) = C:\Windows\System32\PlaySndSrv.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace
    GatherNetworkInfo -> launches: %windir%\system32\gatherNetworkInfo.vbs [null data]
  24. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    C:\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics
    AnalyzeSystem -> launches: %SystemRoot%\System32\powercfg.exe -energy -auto [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\RAC
    RacTask -> (HIDDEN!) launches: {42060D27-CA53-41f5-96E4-B1E8169308A6}
    -> {HKLM…CLSID} = ReliabilityAnalysisCustomHandler
    \InProcServer32\(Default) = C:\Windows\system32\RacEngn.dll [MS]
    -> {HKLM…Wow…CLSID} = ReliabilityAnalysisCustomHandler
    \InProcServer32\(Default) = C:\Windows\system32\RacEngn.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Ras
    MobilityManager -> launches: {c463a0fc-794f-4fdf-9201-01938ceacafa}
    -> {HKLM…CLSID} = RasMobilityManager
    \InProcServer32\(Default) = C:\Windows\system32\rasmbmgr.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Registry
    RegIdleBackup -> (HIDDEN!) launches: {ca767aa8-9157-4604-b64b-40747123d5f2}
    -> {HKLM…CLSID} = RegistryIdleBackupHandler
    \InProcServer32\(Default) = C:\Windows\System32\regidle.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
    RemoteAssistanceTask -> (HIDDEN!) launches: %windir%\system32\RAServer.exe /offerraupdate [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
    GadgetManager -> launches: {FF87090D-4A9A-4f47-879B-29A80C355D61}
    -> {HKLM…CLSID} = GadgetsManager Class
    \InProcServer32\(Default) = C:\Windows\System32\AuxiliaryDisplayServices.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
    SR -> launches: %windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\TabletPC
    InputPersonalization -> launches: %CommonProgramFiles%\Microsoft Shared\Ink\InputPersonalization.exe [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Task Manager
    Interactive -> (HIDDEN!) launches: {855fec53-d2e4-4999-9e87-3414e9cf0ff4}
    -> {HKLM…CLSID} = RunTask
    \InProcServer32\(Default) = C:\Windows\system32\wdc.dll [MS]
    -> {HKLM…Wow…CLSID} = RunTask
    \InProcServer32\(Default) = C:\Windows\system32\wdc.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
    IpAddressConflict1 -> launches: %windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem [MS]
    IpAddressConflict2 -> launches: %windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
    MsCtfMonitor -> (HIDDEN!) launches: {01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}
    -> {HKLM…CLSID} = MsCtfMonitor task handler
    \InProcServer32\(Default) = C:\Windows\system32\MsCtfMonitor.dll [MS]
    -> {HKLM…Wow…CLSID} = MsCtfMonitor task handler
    \InProcServer32\(Default) = C:\Windows\system32\MsCtfMonitor.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization
    SynchronizeTime -> launches: %windir%\system32\sc.exe start w32time task_started [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
    UPnPHostConfig -> launches: sc.exe config upnphost start= auto [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\WDI
    ResolutionHost -> (HIDDEN!) launches: {900be39d-6be8-461a-bc4d-b0fa71f5ecb1}
    -> {HKLM…CLSID} = DiagnosticInfrastructureCustomHandler
    \InProcServer32\(Default) = C:\Windows\System32\wdi.dll [MS]
    -> {HKLM…Wow…CLSID} = DiagnosticInfrastructureCustomHandler
    \InProcServer32\(Default) = C:\Windows\System32\wdi.dll [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Windows Activation Technologies
    ValidationTask -> (HIDDEN!) launches: %SystemRoot%\system32\Wat\WatAdminSvc.exe /run [MS]
    ValidationTaskDeadline -> (HIDDEN!) launches: %SystemRoot%\system32\schtasks.exe /run /I /TN "\Microsoft\Windows\Windows Activation Technologies\ValidationTask" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
    QueueReporting -> launches: %windir%\system32\wermgr.exe -queuereporting [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Windows Filtering Platform
    BfeOnServiceStartTypeChange -> (HIDDEN!) launches: %windir%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Windows Media Sharing
    UpdateLibrary -> launches: "%ProgramFiles%\Windows Media Player\wmpnscfg.exe" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\WindowsBackup
    AutomaticBackup -> launches: %systemroot%\system32\rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup [MS]
    Windows Backup Monitor -> launches: %systemroot%\system32\sdclt.exe /CHECKSKIPPED [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows Defender
    MP Scheduled Scan -> (HIDDEN!) launches: c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows Live\SOXE
    Extractor Definitions Update Task -> launches: {3519154C-227E-47F3-9CC9-12C3F05817F1}
    -> {HKLM…Wow…CLSID} = Windows Live Social Object Extractor Engine Definition Updater
    \InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\SOXE\wlsoxe.dll [MS]

    C:\Windows\System32\Tasks\Norton 360
    Norton Error Analyzer -> launches: C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\SymErr.exe /analyze [Symantec Corporation]
    Norton Error Processor -> launches: C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\SymErr.exe /submit [Symantec Corporation]

    C:\Windows\System32\Tasks\WPD
    SqmUpload_S-1-5-21-3254260356-3574314768-983753981-1000 -> (HIDDEN!) launches: %windir%\system32\rundll32.exe portabledeviceapi.dll,#1 [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = %SystemRoot%\system32\NLAapi.dll [MS]
    000000000002\LibraryPath = %SystemRoot%\system32\napinsp.dll [MS]
    000000000003\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
    000000000004\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
    000000000005\LibraryPath = %SystemRoot%\system32\wshbth.dll [MS]
    000000000006\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS]
    000000000007\LibraryPath = %SystemRoot%\System32\winrnr.dll [MS]
    000000000008\LibraryPath = C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [MS]
    000000000009\LibraryPath = C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [MS]

    Transport Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 11


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

    HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\
    {8DCB7100-DF86-4384-8842-8FA844297B3F} = Bing
    -> {HKLM…Wow…CLSID} = Bing Bar
    \InProcServer32\(Default) = "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" [Microsoft Corporation.]

    {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} = Norton Toolbar
    -> {HKLM…Wow…CLSID} = Norton Toolbar
    \InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\coIEPlg.dll [Symantec Corporation]

    Explorer Bars

    HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

    HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\SOFTWARE\Classes\CLSID\{30D02401-6A81-11D0-8274-00C04FD5AE38}\(Default) = IE Search Band
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]

    HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{30D02401-6A81-11D0-8274-00C04FD5AE38}\(Default) = IE Search Band
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKCU\Software\Microsoft\Internet Explorer\Extensions\

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

    HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\
    {219C3416-8CB2-491A-A3C7-D9FCDDC9D600}\
    ButtonText = @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004
    MenuText = @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003
    CLSIDExtension = {5F7B1267-94A9-47F5-98DB-E99415F33AEC}
    -> {HKLM…Wow…CLSID} = BlogThisToolbarButton Class
    \InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll [MS]


    Internet Explorer Address Prefixes:
    -----------------------------------

    Prefix for bare domain ("domain-name-here.com")

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Default Prefix\
    (Default) = http://

    Prefix for specific service (I.e., "www")

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\
    mosaic = http://
    www = http://
    home = http://
    ftp = ftp://


    Miscellaneous IE Hijack Points
    ------------------------------

    HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
    {CFBFAE00-17A6-11D0-99CB-00C04FD64497} = (no title provided)
    -> {HKLM…CLSID} = Microsoft Url Search Hook
    \InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]

    HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
    blank = res://mshtml.dll/blank.htm [MS]
    NoAdd-onsInfo = res://ieframe.dll/noaddoninfo.htm [MS]
    InPrivate = res://ieframe.dll/inprivate.htm [MS]
    NavigationFailure = res://ieframe.dll/navcancl.htm [MS]
    NoAdd-ons = res://ieframe.dll/noaddon.htm [MS]
    Home = dword:0x0000010E
    PostNotCached = res://ieframe.dll/repost.htm [MS]
    DesktopItemNavigationFailure = res://ieframe.dll/navcancl.htm [MS]
    NavigationCanceled = res://ieframe.dll/navcancl.htm [MS]
    OfflineInformation = res://ieframe.dll/offcancl.htm [MS]
    SecurityRisk = res://ieframe.dll/securityatrisk.htm [MS]


    HOSTS file
    ----------

    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
    DataBasePath = C:\Windows\System32\drivers\etc

    C:\Windows\System32\drivers\etc\HOSTS

    maps: no domain names to IP addresses


    All Running Services (Display Name, Service Name, Path {Service DLL}):
    ----------------------------------------------------------------------

    AFBAgent, AFBAgent, "C:\Windows\system32\FBAgent.exe" [ASUSTeK Computer Inc.]
    Application Experience, AeLookupSvc, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\System32\aelupsvc.dll [MS]}
    Application Information, Appinfo, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\System32\appinfo.dll [MS]}
    ASLDR Service, ASLDRService, C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe [ASUS]
    ASUS InstantOn Service, ASUS InstantOn, C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe [ASUS]
    ATKGFNEX Service, ATKGFNEXSrv, C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [ASUS]
    Background Intelligent Transfer Service, BITS, C:\Windows\System32\svchost.exe -k netsvcs {C:\Windows\System32\qmgr.dll [MS]}
    Base Filtering Engine, BFE, C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork {C:\Windows\System32\bfe.dll [MS]}
    Certificate Propagation, CertPropSvc, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\System32\certprop.dll [MS]}
    CNG Key Isolation, KeyIso, C:\Windows\system32\lsass.exe [MS]
    COM+ Event System, EventSystem, C:\Windows\system32\svchost.exe -k LocalService {C:\Windows\system32\es.dll [MS]}
    Cryptographic Services, CryptSvc, C:\Windows\system32\svchost.exe -k NetworkService {C:\Windows\system32\cryptsvc.dll [MS]}
    DCOM Server Process Launcher, DcomLaunch, C:\Windows\system32\svchost.exe -k DcomLaunch {C:\Windows\system32\rpcss.dll [MS]}
    Desktop Window Manager Session Manager, UxSms, C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\uxsms.dll [MS]}
    DHCP Client, Dhcp, C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted {C:\Windows\system32\dhcpcore.dll [MS]}
    Diagnostic Policy Service, DPS, C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork {C:\Windows\system32\dps.dll [MS]}
    Diagnostic Service Host, WdiServiceHost, C:\Windows\System32\svchost.exe -k LocalService {C:\Windows\system32\wdi.dll [MS]}
    Diagnostic System Host, WdiSystemHost, C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\system32\wdi.dll [MS]}
    Distributed Link Tracking Client, TrkWks, C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\trkwks.dll [MS]}
    DNS Client, Dnscache, C:\Windows\system32\svchost.exe -k NetworkService {C:\Windows\System32\dnsrslvr.dll [MS]}
    Encrypting File System (EFS), EFS, C:\Windows\System32\lsass.exe [MS]
    Extensible Authentication Protocol, EapHost, C:\Windows\System32\svchost.exe -k netsvcs {C:\Windows\System32\eapsvc.dll [MS]}
    Function Discovery Provider Host, fdPHost, C:\Windows\system32\svchost.exe -k LocalService {C:\Windows\system32\fdPHost.dll [MS]}
    Function Discovery Resource Publication, FDResPub, C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation {C:\Windows\system32\fdrespub.dll [MS]}
    Group Policy Client, gpsvc, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\System32\gpsvc.dll [MS]}
    HomeGroup Provider, HomeGroupProvider, C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted {C:\Windows\system32\provsvc.dll [MS]}
    Human Interface Device Access, hidserv, C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\system32\hidserv.dll [MS]}
    IKE and AuthIP IPsec Keying Modules, IKEEXT, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\System32\ikeext.dll [MS]}
    Intel(R) Capability Licensing Service Interface, Intel(R) Capability Licensing Service Interface, "C:\Program Files\Intel\iCLS Client\HeciServer.exe" [Intel(R) Corporation]
    Intel(R) Dynamic Application Loader Host Interface Service, jhi_service, C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [Intel Corporation]
    Intel(R) Management and Security Application Local Management Service, LMS, C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe [Intel Corporation]
    Intel(R) Management and Security Application User Notification Service, UNS, "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [Intel Corporation]
    Intel(R) ME Service, Intel(R) ME Service, C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [null data]
    IP Helper, iphlpsvc, C:\Windows\System32\svchost.exe -k NetSvcs {C:\Windows\System32\iphlpsvc.dll [MS]}
    IPsec Policy Agent, PolicyAgent, C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted {C:\Windows\System32\ipsecsvc.dll [MS]}
    Multimedia Class Scheduler, MMCSS, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\system32\mmcss.dll [MS]}
    Network Connections, Netman, C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\netman.dll [MS]}
    Network List Service, netprofm, C:\Windows\System32\svchost.exe -k LocalService {C:\Windows\System32\netprofm.dll [MS]}
    Network Location Awareness, NlaSvc, C:\Windows\System32\svchost.exe -k NetworkService {C:\Windows\System32\nlasvc.dll [MS]}
    Network Store Interface Service, nsi, C:\Windows\system32\svchost.exe -k LocalService {C:\Windows\system32\nsisvc.dll [MS]}
    Norton 360, N360, "C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\ccSvcHst.exe" /s "N360" /m "C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\diMaster.dll" /prefetch:1 [Symantec Corporation]
    Plug and Play, PlugPlay, C:\Windows\system32\svchost.exe -k DcomLaunch {C:\Windows\system32\umpnpmgr.dll [MS]}
    Power, Power, C:\Windows\system32\svchost.exe -k DcomLaunch {C:\Windows\system32\umpo.dll [MS]}
    Print Spooler, Spooler, C:\Windows\System32\spoolsv.exe [MS]
    Program Compatibility Assistant Service, PcaSvc, C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\pcasvc.dll [MS]}
    Remote Procedure Call (RPC), RpcSs, C:\Windows\system32\svchost.exe -k rpcss {C:\Windows\system32\rpcss.dll [MS]}
    RPC Endpoint Mapper, RpcEptMapper, C:\Windows\system32\svchost.exe -k RPCSS {C:\Windows\System32\RpcEpMap.dll [MS]}
    SeaPort, SeaPort, "C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE" [MS]
    Secunia PSI Agent, Secunia PSI Agent, "C:\Program Files (x86)\Secunia\PSI\PSIA.exe" --start-service [Secunia]
    Secunia Update Agent, Secunia Update Agent, "C:\Program Files (x86)\Secunia\PSI\sua.exe" --start-service [Secunia]
    Security Accounts Manager, SamSs, C:\Windows\system32\lsass.exe [MS]
    Security Center, wscsvc, C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted {C:\Windows\System32\wscsvc.dll [MS]}
    Server, LanmanServer, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\system32\srvsvc.dll [MS]}
    Shell Hardware Detection, ShellHWDetection, C:\Windows\System32\svchost.exe -k netsvcs {C:\Windows\System32\shsvcs.dll [MS]}
    Smart Card, SCardSvr, C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation {C:\Windows\System32\SCardSvr.dll [MS]}
    SSDP Discovery, SSDPSRV, C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation {C:\Windows\System32\ssdpsrv.dll [MS]}
    Superfetch, SysMain, C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\system32\sysmain.dll [MS]}
    System Event Notification Service, SENS, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\System32\sens.dll [MS]}
    Tablet PC Input Service, TabletInputService, C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\TabSvc.dll [MS]}
    Task Scheduler, Schedule, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\system32\schedsvc.dll [MS]}
    TCP/IP NetBIOS Helper, lmhosts, C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted {C:\Windows\System32\lmhsvc.dll [MS]}
    Themes, Themes, C:\Windows\System32\svchost.exe -k netsvcs {C:\Windows\system32\themeservice.dll [MS]}
    User Profile Service, ProfSvc, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\system32\profsvc.dll [MS]}
    Windows Audio, AudioSrv, C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted {C:\Windows\System32\Audiosrv.dll [MS]}
    Windows Audio Endpoint Builder, AudioEndpointBuilder, C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\Audiosrv.dll [MS]}
    Windows Backup, SDRSVC, C:\Windows\system32\svchost.exe -k SDRSVC {C:\Windows\System32\SDRSVC.dll [MS]}
    Windows Defender, WinDefend, C:\Windows\System32\svchost.exe -k secsvcs {C:\Program Files\Windows Defender\mpsvc.dll [MS]}
    Windows Driver Foundation - User-mode Driver Framework, wudfsvc, C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\WUDFSvc.dll [MS]}
    Windows Event Log, eventlog, C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted {C:\Windows\System32\wevtsvc.dll [MS]}
    Windows Firewall, MpsSvc, C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork {C:\Windows\system32\mpssvc.dll [MS]}
    Windows Font Cache Service, FontCache, C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation {C:\Windows\system32\FntCache.dll [MS]}
    Windows Image Acquisition (WIA), stisvc, C:\Windows\system32\svchost.exe -k imgsvc {C:\Windows\System32\wiaservc.dll [MS]}
    Windows Live ID Sign-in Assistant, wlidsvc, "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE" [MS]
    Windows Management Instrumentation, Winmgmt, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\system32\wbem\WMIsvc.dll [MS]}
    Windows Media Player Network Sharing Service, WMPNetworkSvc, "C:\Program Files\Windows Media Player\wmpnetwk.exe" [MS]
    Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [MS]
    Windows Search, WSearch, C:\Windows\system32\SearchIndexer.exe /Embedding [MS]
    Windows Update, wuauserv, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\system32\wuaueng.dll [MS]}
    WinHTTP Web Proxy Auto-Discovery Service, WinHttpAutoProxySvc, C:\Windows\system32\svchost.exe -k LocalService {winhttp.dll [MS]}
    WLAN AutoConfig, Wlansvc, C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\wlansvc.dll [MS]}
    Workstation, LanmanWorkstation, C:\Windows\System32\svchost.exe -k NetworkService {C:\Windows\System32\wkssvc.dll [MS]}


    Safe Mode Drivers & Services (subkey name, subkey default value):
    -----------------------------------------------------------------

    HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\

    <<!>> 00705352.sys, Driver
    <<!>> 08657672.sys, Driver
    <<!>> 77118655.sys, Driver
    <<!>> 95310364.sys, Driver
    <<!>> 97384014.sys, Driver
    AppInfo, Service
    AppMgmt, Service
    Base, Driver Group
    Boot Bus Extender, Driver Group
    Boot file system, Driver Group
    CryptSvc, Service
    DcomLaunch, Service
    EFS, Service
    EventLog, Service
    File system, Driver Group
    Filter, Driver Group
    HelpSvc, Service
    KeyIso, Service
    <<!>> MCODS,
    Netlogon, Service
    NTDS, Service
    PCI Configuration, Driver Group
    PlugPlay, Service
    PNP Filter, Driver Group
    Power, Service
    Primary disk, Driver Group
    ProfSvc, Service
    RpcEptMapper, Service
    RpcSs, Service
    sacsvr, Service
    SCSI Class, Driver Group
    sermouse.sys, Driver
    SWPRV, Service
    System Bus Extender, Driver Group
    TabletInputService, Service
    TBS, Service
    TrustedInstaller, Service
    VDS, Service
    vga.sys, Driver
    vgasave.sys, Driver
    vmms, Service
    volmgr.sys, Driver
    volmgrx.sys, Driver
    WinDefend, Service
    WinMgmt, Service
    WudfPf, Driver
    WudfRd, Driver
    WudfSvc, Service
    {36FC9E60-C465-11CF-8056-444553540000}, Universal Serial Bus controllers
    {4D36E965-E325-11CE-BFC1-08002BE10318}, CD-ROM Drive
    {4D36E967-E325-11CE-BFC1-08002BE10318}, DiskDrive
    {4D36E969-E325-11CE-BFC1-08002BE10318}, Standard floppy disk controller
    {4D36E96A-E325-11CE-BFC1-08002BE10318}, Hdc
    {4D36E96B-E325-11CE-BFC1-08002BE10318}, Keyboard
    {4D36E96F-E325-11CE-BFC1-08002BE10318}, Mouse
    {4D36E977-E325-11CE-BFC1-08002BE10318}, PCMCIA Adapters
    {4D36E97B-E325-11CE-BFC1-08002BE10318}, SCSIAdapter
    {4D36E97D-E325-11CE-BFC1-08002BE10318}, System
    {4D36E980-E325-11CE-BFC1-08002BE10318}, Floppy disk drive
    {533C5B84-EC70-11D2-9505-00C04F79DEAF}, Volume shadow copy
    {6BDD1FC1-810F-11D0-BEC7-08002BE2092F}, IEEE 1394 Bus host controllers
    {71A27CDD-812A-11D0-BEC7-08002BE2092F}, Volume
    {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}, Human Interface Devices
    {D48179BE-EC20-11D1-B6B8-00C04FA372A7}, SBP2 IEEE 1394 Devices
    {D94EE5D8-D189-4994-83D2-F68D7D41B0E6}, SecurityDevices

    HKLM\System\CurrentControlSet\Control\SafeBoot\Network\

    <<!>> 00705352.sys, Driver
    <<!>> 08657672.sys, Driver
    <<!>> 77118655.sys, Driver
    <<!>> 95310364.sys, Driver
    <<!>> 97384014.sys, Driver
    AFD, Service
    AppInfo, Service
    AppMgmt, Service
    Base, Driver Group
    BFE, Service
    Boot Bus Extender, Driver Group
    Boot file system, Driver Group
    bowser, Driver
    Browser, Service
    CryptSvc, Service
    DcomLaunch, Service
    dfsc, Driver
    Dhcp, Service
    DnsCache, Service
    Dot3Svc, Service
    Eaphost, Service
    EFS, Service
    EventLog, Service
    File system, Driver Group
    Filter, Driver Group
    HelpSvc, Service
    IKEEXT, Service
    ipnat.sys, Driver
    KeyIso, Service
    LanmanServer, Service
    LanmanWorkstation, Service
    LmHosts, Service
    <<!>> MCODS,
    Messenger, Service
    MPSDrv, Driver
    MPSSvc, Service
    mrxsmb, Driver
    mrxsmb10, Driver
    mrxsmb20, Driver
    NativeWifiP, Service
    NDIS, Driver Group
    NDIS Wrapper, Driver Group
    ndiscap, Driver
    Ndisuio, Service
    NetBIOS, Service
    NetBIOSGroup, Driver Group
    NetBT, Service
    NetDDEGroup, Driver Group
    Netlogon, Service
    NetMan, Service
    netprofm, Service
    Network, Driver Group
    NetworkProvider, Driver Group
    NlaSvc, Service
    Nsi, Service
    nsiproxy.sys, Driver
    NTDS, Service
    PCI Configuration, Driver Group
    PlugPlay, Service
    PNP Filter, Driver Group
    PNP_TDI, Driver Group
    PolicyAgent, Service
    Power, Service
    Primary disk, Driver Group
    ProfSvc, Service
    rdbss, Driver
    rdpencdd.sys, Driver
    rdsessmgr, Service
    RpcEptMapper, Service
    RpcSs, Service
    sacsvr, Service
    SCardSvr, Service
    SCSI Class, Driver Group
    sermouse.sys, Driver
    SharedAccess, Service
    Streams Drivers, Driver Group
    SWPRV, Service
    System Bus Extender, Driver Group
    TabletInputService, Service
    TBS, Service
    Tcpip, Service
    TDI, Driver Group
    TrustedInstaller, Service
    VaultSvc, Service
    VDS, Service
    vga.sys, Driver
    vgasave.sys, Driver
    vmms, Service
    volmgr.sys, Driver
    volmgrx.sys, Driver
    WinDefend, Service
    WinMgmt, Service
    Wlansvc, Service
    WudfPf, Driver
    WudfRd, Driver
    WudfSvc, Service
    WudfUsbccidDriver, Driver
    {36FC9E60-C465-11CF-8056-444553540000}, Universal Serial Bus controllers
    {4D36E965-E325-11CE-BFC1-08002BE10318}, CD-ROM Drive
    {4D36E967-E325-11CE-BFC1-08002BE10318}, DiskDrive
    {4D36E969-E325-11CE-BFC1-08002BE10318}, Standard floppy disk controller
    {4D36E96A-E325-11CE-BFC1-08002BE10318}, Hdc
    {4D36E96B-E325-11CE-BFC1-08002BE10318}, Keyboard
    {4D36E96F-E325-11CE-BFC1-08002BE10318}, Mouse
    {4D36E972-E325-11CE-BFC1-08002BE10318}, Net
    {4D36E973-E325-11CE-BFC1-08002BE10318}, NetClient
    {4D36E974-E325-11CE-BFC1-08002BE10318}, NetService
    {4D36E975-E325-11CE-BFC1-08002BE10318}, NetTrans
    {4D36E977-E325-11CE-BFC1-08002BE10318}, PCMCIA Adapters
    {4D36E97B-E325-11CE-BFC1-08002BE10318}, SCSIAdapter
    {4D36E97D-E325-11CE-BFC1-08002BE10318}, System
    {4D36E980-E325-11CE-BFC1-08002BE10318}, Floppy disk drive
    {50DD5230-BA8A-11D1-BF5D-0000F805F530}, Smart card readers
    {533C5B84-EC70-11D2-9505-00C04F79DEAF}, Volume shadow copy
    {6BDD1FC1-810F-11D0-BEC7-08002BE2092F}, IEEE 1394 Bus host controllers
    {71A27CDD-812A-11D0-BEC7-08002BE2092F}, Volume
    {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}, Human Interface Devices
    {D48179BE-EC20-11D1-B6B8-00C04FA372A7}, SBP2 IEEE 1394 Devices
    {D94EE5D8-D189-4994-83D2-F68D7D41B0E6}, SecurityDevices


    Accessibility Tools:
    --------------------

    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\
    Configuration = (value not set)

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\
    Configuration = (value not set)


    Keyboard Driver Filters:
    ------------------------

    HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
    UpperFilters = kbdclass [MS]


    Print Monitors:
    ---------------

    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
    Local Port\Driver = localspl.dll [MS]
    Microsoft Shared Fax Monitor\Driver = FXSMON.DLL [MS]
    Standard TCP/IP Port\Driver = tcpmon.dll [MS]
    USB Monitor\Driver = usbmon.dll [MS]
    WSD Port\Driver = WSDMon.dll [MS]


    -- (total run time: 63 seconds)
    <<!>>: Suspicious data at a malware launch point.
  25. Sador27

    Sador27 Newcomer, in training Topic Starter Posts: 46

    Hey DMJ, I can't find anything on those dodgy-looking drivers under HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\, and here are a couple of logs from CureIt which don't look right. They aren't the full logs, as they were too long, so I just copied some dodgy bits.


    Dr.Web Scanner SE for Windows v7.0.2.05020
    (c) Doctor Web, Ltd., 1992-2012
    Scan session started 2012:09:19 07:29:35
    Module location : C:\Users\Sad0r\AppData\Local\Temp\154BAA38-1AF7D060-B1523AF7-48BF6C62\
    =============================================================================
    OPTION AdminRightsNo
    OPTION AutoApplyActionNo
    OPTION TurnOffComputerNo
    OPTION UseSoundsNo
    OPTION BlockNetworkNo
    Using language : English
    Using C:\Users\Sad0r\AppData\Local\Temp\154BAA38-1AF7D060-B1523AF7-48BF6C62\ecv7vsfq.key as Dr.Web (R) Key file
    This Dr.Web (R) Key is for 1 computer (A User)
    =============================================================================
    Dr.Web Scanner SE for Windows v7.0.2.05020
    (c) Doctor Web, Ltd., 1992-2012
    Scan session started 2012:09:19 07:30:31
    Module location : C:\Users\Sad0r\AppData\Local\Temp\B47A04B5-6F2BE766-8945642B-C82B1923\
    =============================================================================
    OPTION AdminRightsNo
    OPTION AutoApplyActionNo
    OPTION TurnOffComputerNo
    OPTION UseSoundsNo
    OPTION BlockNetworkNo
    Using language : English
    Using C:\Users\Sad0r\AppData\Local\Temp\B47A04B5-6F2BE766-8945642B-C82B1923\ecv7vsfq.key as Dr.Web (R) Key file
    This Dr.Web (R) Key is for 1 computer (A User)
    Available instances: 12
    Instances used: 11
    Platform: Windows 7 Premium x64/WOW (Build 7601), Service Pack 1
    API Version: 2.2
    Scanning Engine version: 7.0.1.5020
    Virus Finding Engine version: 7.0.2.4281
    Total 68 virus bases are loaded from C:\Users\Sad0r\AppData\Local\Temp\B47A04B5-6F2BE766-8945642B-C82B1923
    qjbxvxwa 7.0 3e072b8acee37a003a4ab009031d07fe 2012/09/19 05:03:20 1509 records - OK
    eby608gy 7.0 b9d94c688c2f992a5fb753a95493b786 2011/07/26 00:20:03 1 record - OK
    xas6elt1 7.0 bd93f8d30a154dcb3c30a5caad30762d 2012/09/19 05:03:25 4658 records - OK
    mn89iafs 7.0 21534a94390a2e6640dfb1b7d8a9fd60 2012/09/17 13:05:43 11686 records - OK
    d1m3lbt4 7.0 b8491d67044914e522f86febf4ab4adb 2012/09/10 13:04:34 12677 records - OK
    hvye00kf 7.0 e47a62b2e05112b5289fb6ff20eb66a9 2012/09/03 13:05:28 10118 records - OK
    61emyubz 7.0 614464d9b912155e7d9e698d6d870ed1 2012/08/27 13:05:26 12602 records - OK
    jtidaagk 7.0 ed8d7ebd237d6f77fb18ce304e949810 2012/08/20 13:04:05 18298 records - OK
    nblnb01d 7.0 2d42833088267273612ba412753fbb55 2012/08/13 13:05:19 17126 records - OK
    06udial3 7.0 d3c1de8bff5cbde0bcbe4e6d138f8e46 2012/08/06 13:03:53 20539 records - OK
    wvusc3jz 7.0 c78566c2c5ac022255771e63a1466872 2012/07/30 13:05:26 19330 records - OK
    9b33kqia 7.0 84a092b0ef2df74dd310b815b21582d2 2012/07/23 13:05:34 19692 records - OK
    7lbp04zn 7.0 3723d09d29bc782d3ae6d30d6f4fd592 2012/07/16 13:05:43 14727 records - OK
    lvbvuwya 7.0 deac986b4d290a35d14f4422433af5f8 2012/07/09 13:04:33 19485 records - OK
    7xnxj3sa 7.0 e6f122a65122ad41aa3b9444e5d636ff 2012/07/02 13:04:55 22898 records - OK
    jfl12dp0 7.0 c9407f85adac1b27f8ae15134373df8e 2012/06/25 13:05:17 20551 records - OK
    0byvsfpo 7.0 3476198c6f6f0036f34bbc42a570afd3 2012/06/18 13:03:35 9661 records - OK
    2vamk9gb 7.0 1394fc1924b4bbaa7215a67e2207a19e 2012/06/11 13:04:32 23632 records - OK
    s7v2tz78 7.0 c612d8a0424c03f90ec558c059300a37 2012/06/04 13:04:41 12423 records - OK
    5xd0of0c 7.0 3536d9ae353011c5a2ae9c49b8df482f 2012/05/28 13:04:26 15493 records - OK
    oxilio3e 7.0 92392c2b8b88d6fb1da9eafa4dd71e08 2012/05/21 13:03:29 13065 records - OK
    pweqa9l8 7.0 aacf0516bb16a10879bbe0bfc4103df0 2012/05/14 13:04:24 16238 records - OK
    v444t0ha 7.0 44d29e2ccb066f15bdd74b68e6f678f2 2012/05/07 13:04:33 11570 records - OK
    qfcm9pcs 7.0 223fca8835e0f743a8253c2f3926635e 2012/04/30 13:03:28 15478 records - OK
    el8p9gvk 7.0 79aeb3a6e5a8ef62bfdd2a5f18c1216b 2012/04/23 13:05:05 11881 records - OK
    kop0yygt 7.0 d736d5af62365a48d6df0c576e142049 2012/04/16 13:03:29 13578 records - OK
    7umpv0t6 7.0 514bf65528a21da1ff63b6cbcfed392a 2012/04/09 13:05:02 14292 records - OK
    93j9mv9i 7.0 aa333f70731106e42fe621620f11be77 2012/04/02 13:03:24 14084 records - OK
    yxap8fom 7.0 6116ca417266c84af723605412cf866b 2012/03/26 14:04:43 19126 records - OK
    byt0pp51 7.0 9c72fdd2be21a72a62518eec40681cee 2012/03/19 14:03:23 14920 records - OK
    6ek8ar2x 7.0 eb4aaab85447f2426ff171d55c8e7e61 2012/03/12 14:03:25 19017 records - OK
    kcv09zbs 7.0 2495da734e05b8097320a4473b1eea28 2012/03/05 14:04:32 19691 records - OK
    mfjzebu0 7.0 71e19e94d1c1bf5d585c2135763c1c7b 2012/02/27 14:03:21 23605 records - OK
    8vrrmoj2 7.0 1e1d4493cad242dc7c69e29c5957e2c7 2012/02/20 14:03:45 19067 records - OK
    vihxgm8q 7.0 9a3c6dad8079517daa9984b7244bcc31 2012/02/13 14:04:49 19019 records - OK
    mzsv9jru 7.0 daacbf3c71802809a1d03cf2eaa130e7 2012/02/06 14:05:25 28028 records - OK
    v7pe8omi 7.0 1a070b574148c5d2f33d1ac7521f4585 2012/01/30 14:08:41 29444 records - OK
    dcxyp9vo 7.0 2be52ecb2647685f3199958e23467673 2012/01/23 19:22:13 19353 records - OK
    jzxqk84d 7.0 ad3910b450b231bb0c6d1beca85e9009 2012/01/16 14:12:31 20747 records - OK
    oa51i74u 7.0 13a2b180c0cac36b6a538ca07da6584e 2012/01/09 14:04:30 28052 records - OK
    ko0m9vsn 7.0 b30385e4765848e07e201792adbbcaa0 2012/01/02 14:04:40 12183 records - OK
    b0fqc4c6 7.0 dd53038bb0520641a64574ab56267cf4 2011/12/26 14:03:33 19984 records - OK
    0weweiz0 7.0 35ffbffd359457dc1ff11eb006ae2d70 2011/12/19 14:08:45 22627 records - OK
    bbjj7u1b 7.0 043b3fcfbd0cf7d6d1d9743b6c74d835 2011/12/13 07:20:22 49580 records - OK
    whwrchpm 7.0 ab632362ebcf39cb6f1826f38b255c12 2011/12/04 19:00:00 45195 records - OK
    ggbu14f3 7.0 876707f6f37fe48d1e6010d6be55d284 2011/12/04 18:00:00 171075 records - OK
    y43lhaf7 7.0 f6d020c7e08df3aeb99631829756d4c5 2011/12/04 17:00:00 170820 records - OK
    b1kuc7dj 7.0 2e12236d21f7f66132625f83921f3235 2011/12/04 16:00:00 171279 records - OK
    882g98by 7.0 eaee6c83ba62620a5118df44b3e0a3a6 2011/12/04 15:00:00 170253 records - OK
    n3ivz7zn 7.0 e31126ff36b01981b64f81570db34a8c 2011/12/04 14:00:00 170291 records - OK
    woinb8tx 7.0 16cd2b4085458728c92bef8a07fd3608 2011/12/04 13:00:00 170501 records - OK
    ll0v0mg7 7.0 cb9f40076e3b8bae0eb7c5345bfbd738 2011/12/04 12:00:00 353582 records - OK
    3nz75zt2 7.0 1f24c5ce5f84c30ee604199036388dac 2011/12/04 11:00:00 852776 records - OK
    vgcgbkip 7.0 7d7f670c4652dcb24bdb379ab8267f82 2012/09/19 04:51:02 1327 records - OK
    6vky9fxq 7.0 08329098e83625a844bbf888258de2ae 2012/06/25 13:12:36 1421 records - OK
    ybet5tnl 7.0 7a40beb8607237a6d144a6674d07a481 2012/03/26 14:12:30 1385 records - OK
    id6o6um8 7.0 245417419cfbec24aa48eb6b0589b384 2012/01/23 15:56:09 1653 records - OK
    uy39xzrv 7.0 2eb03a74099f577fbab0c523a8534d9b 2012/09/19 05:03:08 514 records - OK
    5krrhyao 7.0 c0fa2ac84c87aeebbb6b4dfa5c3f0b5e 2012/09/10 13:23:14 1588 records - OK
    tttrohwk 7.0 31c1f0b0163c1104faca04e39152b95e 2012/07/23 13:22:36 1702 records - OK
    0qdh2381 7.0 efa3fba6b8311ef4a7c4aba3baee7d26 2012/06/11 13:22:36 1659 records - OK
    zttqdme7 7.0 0db4ebf90d0ba1577684c368703ae359 2012/04/30 13:22:34 1670 records - OK
    847tqq2y 7.0 3cc40ae70ae9666330f29e20a3e03bed 2012/03/12 14:22:28 1729 records - OK
    9z9trufi 7.0 d41a5aa17a9868ee4197a1528f6a9e73 2012/01/30 14:23:00 1523 records - OK
    tsw2o4ad 7.0 669119c2434b21040b1737e32d4ea783 2011/12/19 14:22:29 1805 records - OK
    9jtaqh15 7.0 a7130cdf4fa35f1b4157dafaeee2e35f 2011/12/04 10:00:00 26456 records - OK
    opwb303w 7.0 a571e30153b575cc4da79dae6be21932 2011/12/04 09:00:00 74279 records - OK
    i8rpe3xa 7.0 9d46fd43346b5342c57fa7ae72e9c334 2011/12/04 08:00:00 1 record - OK
    Total records count: 3156219

    Anti-rootkit module version (API 4.02 / 4.02)

    Using C:\Users\Sad0r\AppData\Local\Temp\B47A04B5-6F2BE766-8945642B-C82B1923\ecv7vsfq.key as Dr.Web (R) Key file
    This Dr.Web (R) Key is for 1 computer (A User)
    Available instances: 12
    Instances used: 11
    Platform: Windows 7 Premium x64/WOW (Build 7601), Service Pack 1
    API Version: 2.2
    Scanning Engine version: 7.0.1.5020
    Virus Finding Engine version: 7.0.2.4281
    Total 68 virus bases are loaded from C:\Users\Sad0r\AppData\Local\Temp\B47A04B5-6F2BE766-8945642B-C82B1923
    qjbxvxwa 7.0 3e072b8acee37a003a4ab009031d07fe 2012/09/19 05:03:20 1509 records - OK
    eby608gy 7.0 b9d94c688c2f992a5fb753a95493b786 2011/07/26 00:20:03 1 record - OK
    xas6elt1 7.0 bd93f8d30a154dcb3c30a5caad30762d 2012/09/19 05:03:25 4658 records - OK
    mn89iafs 7.0 21534a94390a2e6640dfb1b7d8a9fd60 2012/09/17 13:05:43 11686 records - OK

    >C:\Windows\SysWOW64\setupSNK.exe - packed by FLY-CODE
    C:\Windows\SysWOW64\shell32.dll - Ok
    C:\Windows\SysWOW64\SensorsCpl.dll - Ok
    >C:\Windows\SysWOW64\spfileq.dll - packed by BINARYRES
    >>C:\Windows\SysWOW64\spfileq.dll - packed by MS COMPRESS
    C:\Windows\SysWOW64\spnet.dll - Ok
    C:\Windows\SysWOW64\SPInf.dll - Ok
    C:\Windows\SysWOW64\spopk.dll - Ok
    C:\Windows\SysWOW64\spfileq.dll - Ok
    C:\Windows\SysWOW64\slmgr.vbs - Ok
    C:\Windows\SysWOW64\shwebsvc.dll - Ok
    C:\Windows\SysWOW64\spwinsat.dll - Ok
    C:\Windows\SysWOW64\sppc.dll - Ok
    C:\Windows\SysWOW64\SndVolSSO.dll - Ok
    C:\Windows\SysWOW64\spp.dll - Ok
    C:\Windows\SysWOW64\sppwmi.dll - Ok
    C:\Windows\SysWOW64\spwizres.dll - Ok
    C:\Windows\SysWOW64\sppinst.dll - Ok
    C:\Windows\SysWOW64\sppcc.dll - Ok
    C:\Windows\SysWOW64\spwmp.dll - Ok
    C:\Windows\SysWOW64\sppcomapi.dll - Ok
    C:\Windows\SysWOW64\spwizeng.dll - Ok
    C:\Windows\SysWOW64\sqlceoledb30.dll - Ok
    >C:\Windows\SysWOW64\srdelayed.exe - packed by FLY-CODE
    C:\Windows\SysWOW64\sqlunirl.dll - Ok
    C:\Windows\SysWOW64\sqlsrv32.dll - Ok
    C:\Windows\SysWOW64\srvcli.dll - Ok
    C:\Windows\SysWOW64\sscore.dll - Ok
    C:\Windows\SysWOW64\srhelper.dll - Ok
    C:\Windows\SysWOW64\sspicli.dll - Ok
    C:\Windows\SysWOW64\srdelayed.exe - Ok
    C:\Windows\SysWOW64\srchadmin.dll - Ok
    C:\Windows\SysWOW64\stdole2.tlb - Ok
    C:\Windows\SysWOW64\srclient.dll - Ok
    C:\Windows\SysWOW64\ssdpapi.dll - Ok
    C:\Windows\SysWOW64\sqlceqp30.dll - Ok
    C:\Windows\SysWOW64\SSShim.dll - Ok
    C:\Windows\SysWOW64\stdole32.tlb - Ok
    C:\Windows\SysWOW64\stclient.dll - Ok
    C:\Windows\SysWOW64\storage.dll - Ok
    >C:\Windows\SysWOW64\subst.exe - packed by FLY-CODE
    C:\Windows\SysWOW64\StorageContextHandler.dll - Ok
    C:\Windows\SysWOW64\SubRange.uce - Ok
    C:\Windows\SysWOW64\StructuredQuery.dll - Ok
    >C:\Windows\SysWOW64\sppcext.dll - packed by FLY-CODE
    C:\Windows\SysWOW64\subst.exe - Ok
    C:\Windows\SysWOW64\sxproxy.dll - Ok
    C:\Windows\SysWOW64\Storprop.dll - Ok
    C:\Windows\SysWOW64\sxshared.dll - Ok
    C:\Windows\SysWOW64\stobject.dll - Ok
    C:\Windows\SysWOW64\svchost.exe - Ok
    C:\Windows\SysWOW64\sxsstore.dll - Ok
    C:\Windows\SysWOW64\sxs.dll - Ok
    C:\Windows\SysWOW64\sti.dll - Ok
    C:\Windows\SysWOW64\sxstrace.exe - Ok
    C:\Windows\SysWOW64\synceng.dll - Ok
    C:\Windows\SysWOW64\SyncHostps.dll - Ok
    C:\Windows\SysWOW64\ssText3d.scr - Ok
    C:\Windows\SysWOW64\SyncInfrastructureps.dll - Ok
    C:\Windows\SysWOW64\syncui.dll - Ok
    C:\Windows\SysWOW64\SyncHost.exe - Ok
    C:\Windows\SysWOW64\sppcext.dll - Ok
    C:\Windows\SysWOW64\sysprint.sep - Ok

