Highly infected laptop

Sador27

I have a highly infected laptop that I've been trying my best to fix for months, but I just can't beat it and I give up. So, just before I do a full reinstall, I'd LOVE to see one of you experts kick its arse. PLEASE!!!!
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until it is closed and your computer is declared clean.
Please review the 5-Step removal instructions and post the logs back here for my review.

Also, include this scan:

Download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
 
Hey dragon, thank you so much. I'm at work at the minute; as soon as I get home I'll follow your instructions and post the logs, and give you a small rundown on the disaster :)
 
Hey DMJ, here goes:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.17.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Sad0r :: SAD0R-PC [administrator]

18/11/2012 12:22:34 AM
mbam-log-2012-11-18 (00-22-34).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 203389
Time elapsed: 2 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
DDS (Ver_2012-11-07.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16450
Run by Sad0r at 15:42:49 on 2012-11-18
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.12174.10114 [GMT 11:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\FBAgent.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccSvcHst.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
C:\Program Files\ASUS\P4G\BatteryLife.exe
C:\Program Files (x86)\ASUS\ASUS Virtual Touch\QuickGesture\x86\QuickGesture.exe
C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
C:\Program Files (x86)\ASUS\ASUS Virtual Touch\QuickGesture\x64\QuickGesture64.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\Program Files\Elantech\ETDGesture.exe
C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
C:\Windows\SysWOW64\ACEngSvr.exe
C:\Windows\system32\igfxpers.exe
C:\Windows\AsScrPro.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Sad0r\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com.au/
uDefault_Page_URL = hxxp://asus.msn.com
mStart Page = about:blank
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Norton Identity Protection: {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\CoIEPlg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: Norton Identity Safe Toolbar: {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\CoIEPlg.dll
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [ASUSPRP] "C:\Program Files (x86)\ASUS\APRP\APRP.EXE"
mRun: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe /S
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
mRun: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
mRun: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
mRun: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ASUSVI~1.LNK - C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe
uPolicies-Explorer: NoDriveAutoRun = dword:32
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{01FD1468-EA1B-4F82-9C9E-7CC26212FDAF} : DHCPNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = about:blank
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [ETDCtrl] C:\Program Files (x86)\Elantech\ETDCtrl.exe
x64-DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-3-12 16152]
R1 ATKWMIACPIIO;ATKWMIACPI Driver;C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2011-9-7 17536]
R1 ccSet_NST;Norton Identity Safe Settings Manager;C:\Windows\System32\drivers\NSTx64\7DD02000.012\ccSetx64.sys [2012-11-18 168096]
R2 AFBAgent;AFBAgent;C:\Windows\System32\FBAgent.exe [2012-8-31 379520]
R2 ASMMAP64;ASMMAP64;C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-7-2 15416]
R2 ASUS InstantOn;ASUS InstantOn Service;C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe [2012-2-4 277120]
R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2011-12-9 607456]
R2 Intel(R) ME Service;Intel(R) ME Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [2012-8-31 128280]
R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe [2012-8-31 161560]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-11-18 399432]
R2 NCO;Norton Identity Safe;C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccSvcHst.exe [2012-11-18 143928]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-8-31 363800]
R3 AiCharger;ASUS Charger Driver;C:\Windows\System32\drivers\AiCharger.sys [2012-8-31 17152]
R3 AsusVBus;AsusVBus;C:\Windows\System32\drivers\AsusVBus.sys [2011-12-22 35968]
R3 AsusVTouch;AsusVTouch;C:\Windows\System32\drivers\AsusVTouch.sys [2011-11-8 16512]
R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\System32\drivers\ETD.sys [2012-3-12 200488]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-3-12 331264]
R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-3-12 356120]
R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-3-12 787736]
R3 RSBASTOR;Realtek PCIE CardReader Driver - BA;C:\Windows\System32\drivers\RtsBaStor.sys [2012-8-31 292968]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-19 138576]
S2 MBAMService;MBAMService;C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-11-18 676936]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-2 183560]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2012-2-18 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-14 1492840]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\System32\drivers\L1C62x64.sys [2009-6-11 57344]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-11-18 25928]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-8-31 565352]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\System32\drivers\SiSG664.sys [2009-6-11 56832]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-2-19 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2011-2-19 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-9-3 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-23 57184]
.
=============== File Associations ===============
.
FileExt: .js: Applications\notepad.exe=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2012-11-17 13:38:53  168096  ----a-r-  C:\Windows\System32\drivers\NSTx64\7DD02000.012\ccSetx64.sys
2012-11-17 13:38:52  --------  d-----w-  C:\Windows\System32\drivers\NSTx64\7DD02000.012
2012-11-17 13:38:52  --------  d-----w-  C:\Windows\System32\drivers\NSTx64
2012-11-17 13:38:51  --------  d-----w-  C:\Program Files (x86)\Norton Identity Safe
2012-11-17 13:20:57  25928  ----a-w-  C:\Windows\System32\drivers\mbam.sys
2012-11-17 13:20:57  --------  d-----w-  C:\Program Files\Malwarebytes' Anti-Malware
2012-11-12 10:14:34  --------  d-----w-  C:\Users\Sad0r\AppData\Local\Diagnostics
2012-11-05 05:30:42  --------  d-----w-  C:\Program Files (x86)\iWisoft Free Video Downloader
2012-11-05 05:23:33  758018  ----a-w-  C:\Windows\SysWow64\xvidcore.dll
2012-11-05 05:23:33  180224  ----a-w-  C:\Windows\SysWow64\xvidvfw.dll
2012-11-05 05:23:33  139264  ----a-w-  C:\Windows\SysWow64\xvid.ax
2012-11-05 05:23:33  --------  d-----w-  C:\Program Files (x86)\iWisoft Free Video Converter
2012-11-04 05:33:51  --------  d-----w-  C:\Users\Sad0r\AppData\Local\CrashDumps
2012-10-29 14:06:56  --------  d-----w-  C:\silentrunners
2012-10-25 15:28:54  --------  d-----w-  C:\_OTM
2012-10-25 14:39:05  --------  d-----w-  C:\Program Files\Registrar Registry Manager
2012-10-25 11:23:56  --------  d-----w-  C:\Users\Sad0r\AppData\Local\NPE
2012-10-22 19:48:20  9291768  ----a-w-  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2CF52C71-4E6F-4B46-8A8F-B8966A578E00}\mpengine.dll
2012-10-22 18:11:11  --------  d-----w-  C:\Program Files (x86)\Common Files\Symantec Shared
2012-10-22 12:04:12  --------  d-----w-  C:\ProgramData\Norton
2012-10-22 12:03:53  --------  d-----w-  C:\ProgramData\NortonInstaller
2012-10-22 12:03:53  --------  d-----w-  C:\Program Files (x86)\NortonInstaller
2012-10-22 11:37:40  220242  ----a-w-  C:\ProgramData\1350905593.bdinstall.bin
2012-10-22 11:24:12  431568  ----a-w-  C:\ProgramData\1350885310.bdinstall.bin
2012-10-21 04:32:03  --------  d-----w-  C:\ProgramData\Kaspersky Lab
.
==================== Find3M ====================
.
2012-11-18 04:37:19  380  ----a-w-  C:\Users\Sad0r\AppData\Roaming\sp_data.sys
2012-10-15 18:49:14  470508  ----a-w-  C:\ProgramData\1350326436.bdinstall.bin
2012-09-14 19:19:29  2048  ----a-w-  C:\Windows\System32\tzres.dll
2012-09-14 18:28:53  2048  ----a-w-  C:\Windows\SysWow64\tzres.dll
2012-09-08 05:35:21  348160  ----a-w-  C:\Windows\SysWow64\msvcr71.dll
2012-09-08 05:35:21  1700352  ----a-w-  C:\Windows\SysWow64\gdiplus.dll
2012-09-08 05:35:21  1060864  ----a-w-  C:\Windows\SysWow64\mfc71.dll
2012-08-31 18:19:35  1659760  ----a-w-  C:\Windows\System32\drivers\ntfs.sys
2012-08-31 10:43:39  80512  ----a-w-  C:\Windows\ASUS K5 Series ScreenSaver Uninstaller.exe
2012-08-31 10:43:31  3058304  ----a-w-  C:\Windows\AsScrPro.exe
2012-08-30 18:03:45  5559664  ----a-w-  C:\Windows\System32\ntoskrnl.exe
2012-08-30 17:12:02  3968880  ----a-w-  C:\Windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12:02  3914096  ----a-w-  C:\Windows\SysWow64\ntoskrnl.exe
2012-08-24 18:05:07  220160  ----a-w-  C:\Windows\System32\wintrust.dll
2012-08-24 16:57:48  172544  ----a-w-  C:\Windows\SysWow64\wintrust.dll
2012-08-24 10:31:32  2312704  ----a-w-  C:\Windows\System32\jscript9.dll
2012-08-24 10:21:18  1392128  ----a-w-  C:\Windows\System32\wininet.dll
2012-08-24 10:20:11  1494528  ----a-w-  C:\Windows\System32\inetcpl.cpl
2012-08-24 10:14:45  173056  ----a-w-  C:\Windows\System32\ieUnatt.exe
2012-08-24 10:13:29  599040  ----a-w-  C:\Windows\System32\vbscript.dll
2012-08-24 10:09:42  2382848  ----a-w-  C:\Windows\System32\mshtml.tlb
2012-08-24 06:59:17  1800704  ----a-w-  C:\Windows\SysWow64\jscript9.dll
2012-08-24 06:51:27  1129472  ----a-w-  C:\Windows\SysWow64\wininet.dll
2012-08-24 06:51:02  1427968  ----a-w-  C:\Windows\SysWow64\inetcpl.cpl
2012-08-24 06:47:26  142848  ----a-w-  C:\Windows\SysWow64\ieUnatt.exe
2012-08-24 06:47:12  420864  ----a-w-  C:\Windows\SysWow64\vbscript.dll
2012-08-24 06:43:58  2382848  ----a-w-  C:\Windows\SysWow64\mshtml.tlb
2012-08-22 18:12:50  1913200  ----a-w-  C:\Windows\System32\drivers\tcpip.sys
2012-08-22 18:12:40  950128  ----a-w-  C:\Windows\System32\drivers\ndis.sys
2012-08-22 18:12:40  376688  ----a-w-  C:\Windows\System32\drivers\netio.sys
2012-08-22 18:12:33  288624  ----a-w-  C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-08-21 21:01:00  245760  ----a-w-  C:\Windows\System32\OxpsConverter.exe
2012-08-20 18:48:44  362496  ----a-w-  C:\Windows\System32\wow64win.dll
2012-08-20 18:48:44  243200  ----a-w-  C:\Windows\System32\wow64.dll
2012-08-20 18:48:44  13312  ----a-w-  C:\Windows\System32\wow64cpu.dll
2012-08-20 18:48:43  215040  ----a-w-  C:\Windows\System32\winsrv.dll
2012-08-20 18:48:37  16384  ----a-w-  C:\Windows\System32\ntvdm64.dll
2012-08-20 18:48:35  424448  ----a-w-  C:\Windows\System32\KernelBase.dll
2012-08-20 18:46:22  338432  ----a-w-  C:\Windows\System32\conhost.exe
2012-08-20 17:40:21  14336  ----a-w-  C:\Windows\SysWow64\ntvdm64.dll
2012-08-20 17:38:44  44032  ----a-w-  C:\Windows\apppatch\acwow64.dll
2012-08-20 17:38:26  25600  ----a-w-  C:\Windows\SysWow64\setup16.exe
2012-08-20 17:37:19  5120  ----a-w-  C:\Windows\SysWow64\wow32.dll
2012-08-20 17:37:18  274944  ----a-w-  C:\Windows\SysWow64\KernelBase.dll
2012-08-20 15:38:21  7680  ----a-w-  C:\Windows\SysWow64\instnm.exe
2012-08-20 15:38:20  2048  ----a-w-  C:\Windows\SysWow64\user.exe
2012-08-20 15:33:28  6144  ---ha-w-  C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28  4608  ---ha-w-  C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28  3584  ---ha-w-  C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28  3072  ---ha-w-  C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
.
============= FINISH: 15:43:04.07 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-07.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 31/08/2012 3:03:24 AM
System Uptime: 18/11/2012 12:29:53 PM (3 hours ago)
.
Motherboard: ASUSTeK COMPUTER INC. | | K55A
Processor: Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz | SOCKET 0 | 2301/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 255 GiB total, 160.151 GiB free.
D: is FIXED (NTFS) - 419 GiB total, 418.558 GiB free.
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Ethernet Controller
Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_14571043&REV_0A\89724418684CE00002
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_14571043&REV_0A\89724418684CE00002
Service:
.
==== System Restore Points ===================
.
RP78: 7/11/2012 3:00:11 AM - Windows Update
RP79: 8/11/2012 3:00:12 AM - Windows Update
RP80: 9/11/2012 3:00:10 AM - Windows Update
RP81: 9/11/2012 4:15:40 PM - Windows Update
RP82: 10/11/2012 3:00:10 AM - Windows Update
RP83: 13/11/2012 3:48:52 PM - Windows Update
RP84: 14/11/2012 3:00:10 AM - Windows Update
RP85: 15/11/2012 3:00:11 AM - Windows Update
RP86: 16/11/2012 3:00:13 AM - Windows Update
RP87: 17/11/2012 3:00:10 AM - Windows Update
RP88: 18/11/2012 3:00:12 AM - Windows Update
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X MUI
ASUS AI Recovery
ASUS FaceLogon
ASUS K5 Series ScreenSaver
ASUS LifeFrame3
ASUS Live Update
ASUS Power4Gear Hybrid
ASUS Splendid Video Enhancement Technology
ASUS USB Charger Plus
ASUS Virtual Camera
ASUS Virtual Touch
ASUS WebStorage
AsusVibe2.0
ATK Package
Bing Bar
CCleaner
CyberLink LabelPrint
CyberLink Media Suite
CyberLink Power2Go
D3DX10
DVD Decrypter (Remove Only)
ETDWare PS/2-X64 10.5.9.0
Fast Boot
FormatFactory 2.70
Galeria de Fotografias do Windows Live
Galerie de photos Windows Live
Galería fotográfica de Windows Live
Google Chrome
Graboid Video 3.32
InstantOn for NB
Intel(R) Manageability Engine Firmware Recovery Agent
Intel(R) Management Engine Components
Intel(R) OpenCL CPU Runtime
Intel(R) Processor Graphics
Intel(R) USB 3.0 eXtensible Host Controller Driver
Intel® Trusted Connect Service Client
iWisoft Free Video Converter 1.2
iWisoft Free Video Downloader 2.1
Junk Mail filter update
Malwarebytes Anti-Malware version 1.65.1.1000
Mesh Runtime
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Office 2010
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
MSVCRT
MSVCRT_amd64
Norton Identity Safe
PKR
Qualcomm Atheros WiFi Driver Installation
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Realtek PCIE Card Reader
Registrar Registry Manager 7.50
SceneSwitch
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
ShowBiz DVD
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VLC media player 1.0.1
Windows Live
Windows Live ???
Windows Live ????
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinFlash
Wireless Console 3
Wisdom-soft ScreenHunter 6.0 Free
.
==== Event Viewer Messages From Past Week ========
.
18/11/2012 3:37:58 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
18/11/2012 12:41:25 AM, Error: Microsoft-Windows-LanguagePackSetup [1001] - Failed to start language pack setup wizard. Please restart the system and try running the wizard again.
18/11/2012 12:41:02 AM, Error: volmgr [46] - Crash dump initialization failed!
.
==== End Of File ===========================
# AdwCleaner v2.008 - Logfile created 11/18/2012 at 16:11:52
# Updated 17/11/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Sad0r - SAD0R-PC
# Boot Mode : Normal
# Running from : C:\Users\Sad0r\Desktop\adwcleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
***** [Registry] *****
Key Deleted : HKCU\Software\Softonic
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
[OK] Registry is clean.
*************************
AdwCleaner[S1].txt - [553 octets] - [18/11/2012 16:11:52]
########## EOF - C:\AdwCleaner[S1].txt - [612 octets] ##########
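As an added example (not a tool from this thread and not something the helpers run), here is a small Python triage script that reads the same DDS sections posted above (Running Processes, Pseudo HJT Report, SERVICES / DRIVERS) and flags image paths in the places malware favours: core OS binary names such as svchost.exe outside System32, anything launched from Temp, Roaming, ProgramData or the Recycle Bin, extra entries on the Winlogon Userinit line, and binaries sitting loose under C:\Windows or a user profile. The log excerpt embedded in it is constructed for illustration; the user name and the updater.exe, upd.exe and svc.exe paths are hypothetical and say nothing about the poster's machine.

```python
"""Triage a DDS-style log for binaries running or persisting from unusual places.

Added example, not a tool from this thread. SAMPLE_LOG below is a constructed
excerpt in the format of the DDS sections posted above; its paths are hypothetical.
"""
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    section: str
    path: str
    reason: str


# Paths are lower-cased and slash-normalised before any comparison.
TRUSTED_PREFIXES = (
    "c:/windows/system32/",
    "c:/windows/syswow64/",
    "c:/windows/microsoft.net/",
    "c:/program files/",
    "c:/program files (x86)/",
)
# A few binaries legitimately sit directly under C:\Windows.
KNOWN_WINDOWS_ROOT = {"explorer.exe", "regedit.exe", "notepad.exe"}
# OS image names malware copies to blend in; outside System32 they are a red flag.
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Drop locations favoured by droppers and PUPs, tested before the trusted-prefix check.
SUSPICIOUS_HINTS = (
    ("/appdata/local/temp/", "runs from Temp"),
    ("/appdata/roaming/", "runs from Roaming profile"),
    ("/programdata/", "runs from ProgramData"),
    ("c:/users/public/", "runs from Public profile"),
    ("/$recycle.bin/", "runs from Recycle Bin"),
)

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.exe)\b", re.I)
RUN_RE = re.compile(r'^(?:x64-)?[mu]?Run: \[[^\]]*\] "?([A-Za-z]:\\.*?\.exe)', re.I)
SERVICE_RE = re.compile(r"^[RS]\d [^;]+;[^;]*;([A-Za-z]:\\.*?\.(?:exe|sys|dll))", re.I)
USERINIT_RE = re.compile(r"^(?:x64-)?mWinlogon: Userinit = (.*)$", re.I)


def classify(path: str) -> Optional[str]:
    """Return why *path* deserves a closer look, or None if its location is ordinary."""
    p = path.lower().replace("\\", "/")
    name = p.rsplit("/", 1)[-1]
    if name in MASQUERADE_NAMES and not p.startswith(TRUSTED_PREFIXES[:2]):
        return f"{name} outside System32"
    for needle, reason in SUSPICIOUS_HINTS:
        if needle in p:
            return reason
    if p.startswith(TRUSTED_PREFIXES):
        return None
    if p.startswith("c:/windows/"):
        return None if name in KNOWN_WINDOWS_ROOT else "Windows root, outside System32"
    if p.startswith("c:/users/"):
        return "runs from user profile (per-user install? verify publisher)"
    return "unusual location"


def triage(log_text: str) -> List[Finding]:
    """Pull image paths from process, Run, service and Userinit lines and collect
    those whose location looks wrong. BHO/TB DLL entries are left out for brevity."""
    findings: List[Finding] = []
    section = "?"
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = USERINIT_RE.match(line)
        if m:
            # Winlogon should launch userinit.exe alone; any extra entry is persistence.
            for entry in (e.strip() for e in m.group(1).split(",")):
                if entry and entry.lower() not in ("userinit.exe", "c:\\windows\\system32\\userinit.exe"):
                    findings.append(Finding(section, entry, "extra Userinit entry (Winlogon persistence)"))
            continue
        m = RUN_RE.match(line) or SERVICE_RE.match(line)
        if not m and section.startswith("Running Processes"):
            m = PATH_RE.match(line)  # "path.exe -k args" lines: keep only the image path
        if m:
            reason = classify(m.group(1))
            if reason:
                findings.append(Finding(section, m.group(1), reason))
    return findings


# Constructed sample in DDS layout; "user", updater.exe, upd.exe and svc.exe are invented.
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
C:\Users\user\AppData\Roaming\svchost.exe
C:\Windows\AsScrPro.exe
C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,C:\ProgramData\updater.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
uRun: [Updater] C:\Users\user\AppData\Local\Temp\upd.exe
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMScheduler;MBAMScheduler;C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-11-18 399432]
R2 helper;helper service;C:\ProgramData\helper\svc.exe [2012-11-15 51200]
.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.path}: {f.reason}")
```

The location check is a first filter, not a verdict: vendor binaries such as ASUS's AsScrPro.exe sit directly under C:\Windows and per-user installs such as Chrome live in AppData\Local, so both get flagged for a publisher and hash check rather than condemned. Conversely, a signed-looking name under Program Files passes this filter and still needs the normal signature and hash verification before it is trusted.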
 
ComboFix scan

Please download ComboFix
by sUBs
From BleepingComputer.com

Please save the file to your Desktop.

Important information about ComboFix


After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on ComboFix.exe & follow the prompts.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
ComboFix 12-11-16.02 - Sad0r 19/11/2012 22:23:03.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.12174.10383 [GMT 11:00]
Running from: c:\users\Sad0r\Desktop\Com.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\$recycle.bin\S-1-5-21-3254260356-3574314768-983753981-1000\$RVN1D90.16385_none_1dd3ce8d1e7524cd\msdatt.dll
c:\program files (x86)\INSTALL.LOG
c:\programdata\1350326436.bdinstall.bin
c:\programdata\1350885310.bdinstall.bin
c:\programdata\1350905593.bdinstall.bin
c:\programdata\ntuser.dat
c:\windows\msvcr71.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-10-19 to 2012-11-19 )))))))))))))))))))))))))))))))
.
.
2012-11-19 11:26 . 2012-11-19 11:26  --------  d-----w-  c:\users\Public\AppData\Local\temp
2012-11-19 11:26 . 2012-11-19 11:26  --------  d-----w-  c:\users\Default\AppData\Local\temp
2012-11-17 13:38 . 2012-11-17 13:38  --------  d-----w-  c:\windows\system32\drivers\NSTx64
2012-11-17 13:38 . 2012-11-17 13:38  --------  d-----w-  c:\program files (x86)\Norton Identity Safe
2012-11-17 13:20 . 2012-11-17 13:20  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2012-11-17 13:20 . 2012-09-29 08:54  25928  ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-11-12 10:14 . 2012-11-12 10:14  --------  d-----w-  c:\users\Sad0r\AppData\Local\Diagnostics
2012-11-05 05:30 . 2012-11-05 05:30  --------  d-----w-  c:\program files (x86)\iWisoft Free Video Downloader
2012-11-05 05:23 . 2012-11-05 05:23  --------  d-----w-  c:\program files (x86)\iWisoft Free Video Converter
2012-11-05 05:23 . 2009-09-29 09:57  758018  ----a-w-  c:\windows\SysWow64\xvidcore.dll
2012-11-05 05:23 . 2008-12-04 10:46  180224  ----a-w-  c:\windows\SysWow64\xvidvfw.dll
2012-11-05 05:23 . 2008-10-07 23:16  139264  ----a-w-  c:\windows\SysWow64\xvid.ax
2012-11-04 05:33 . 2012-11-07 13:25  --------  d-----w-  c:\users\Sad0r\AppData\Local\CrashDumps
2012-10-29 14:06 . 2012-10-29 14:08  --------  d-----w-  C:\silentrunners
2012-10-25 15:28 . 2012-10-25 15:28  --------  d-----w-  C:\_OTM
2012-10-25 14:39 . 2012-10-26 11:35  --------  d-----w-  c:\program files\Registrar Registry Manager
2012-10-25 11:23 . 2012-11-18 04:51  --------  d-----w-  c:\users\Sad0r\AppData\Local\NPE
2012-10-22 19:48 . 2012-10-12 07:19  9291768  ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{2CF52C71-4E6F-4B46-8A8F-B8966A578E00}\mpengine.dll
2012-10-22 18:11 . 2012-11-19 11:16  --------  d-----w-  c:\program files (x86)\Common Files\Symantec Shared
2012-10-22 12:04 . 2012-11-19 11:18  --------  d-----w-  c:\programdata\Norton
2012-10-22 12:03 . 2012-11-19 11:18  --------  d-----w-  c:\program files (x86)\NortonInstaller
2012-10-21 04:32 . 2012-10-21 04:32  --------  d-----w-  c:\programdata\Kaspersky Lab
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-19 11:19 . 2012-08-30 17:03  380  ----a-w-  c:\users\Sad0r\AppData\Roaming\sp_data.sys
2012-10-29 21:01 . 2012-09-19 10:16  48648  ----a-w-  c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2012-10-29 21:01 . 2012-10-15 18:13  336208  ----a-w-  c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2012-10-25 08:33 . 2012-10-15 18:13  48648  ----a-w-  c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2012-10-22 06:03 . 2012-09-19 10:16  336208  ----a-w-  c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-09-27 13:18 . 2012-10-04 05:07  65309168  ----a-w-  c:\windows\system32\MRT.exe
2012-09-14 19:19 . 2012-10-10 12:33  2048  ----a-w-  c:\windows\system32\tzres.dll
2012-09-14 18:28 . 2012-10-10 12:33  2048  ----a-w-  c:\windows\SysWow64\tzres.dll
2012-09-08 05:35 . 2012-09-08 05:35  348160  ----a-w-  c:\windows\SysWow64\msvcr71.dll
2012-09-08 05:35 . 2012-09-08 05:35  1700352  ----a-w-  c:\windows\SysWow64\gdiplus.dll
2012-09-08 05:35 . 2012-09-08 05:35  1060864  ----a-w-  c:\windows\SysWow64\mfc71.dll
2012-08-31 18:19 . 2012-10-10 12:34  1659760  ----a-w-  c:\windows\system32\drivers\ntfs.sys
2012-08-31 10:43 . 2012-08-31 10:43  80512  ----a-w-  c:\windows\ASUS K5 Series ScreenSaver Uninstaller.exe
2012-08-31 10:43 . 2012-08-31 10:43  3058304  ----a-w-  c:\windows\AsScrPro.exe
2012-08-30 18:03 . 2012-10-10 12:34  5559664  ----a-w-  c:\windows\system32\ntoskrnl.exe
2012-08-30 17:12 . 2012-10-10 12:34  3914096  ----a-w-  c:\windows\SysWow64\ntoskrnl.exe
2012-08-30 17:12 . 2012-10-10 12:33  3968880  ----a-w-  c:\windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:04 . 2011-03-29 02:36  19720  ----a-w-  c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-08-24 18:05 . 2012-10-10 12:33  220160  ----a-w-  c:\windows\system32\wintrust.dll
2012-08-24 16:57 . 2012-10-10 12:33  172544  ----a-w-  c:\windows\SysWow64\wintrust.dll
2012-08-24 11:15 . 2012-09-26 17:00  17810944  ----a-w-  c:\windows\system32\mshtml.dll
2012-08-24 10:39 . 2012-09-26 17:00  10925568  ----a-w-  c:\windows\system32\ieframe.dll
2012-08-24 10:31 . 2012-09-26 17:00  2312704  ----a-w-  c:\windows\system32\jscript9.dll
2012-08-24 10:22 . 2012-09-26 17:00  1346048  ----a-w-  c:\windows\system32\urlmon.dll
2012-08-24 10:21 . 2012-09-26 17:00  1392128  ----a-w-  c:\windows\system32\wininet.dll
2012-08-24 10:20 . 2012-09-26 17:00  1494528  ----a-w-  c:\windows\system32\inetcpl.cpl
2012-08-24 10:18 . 2012-09-26 17:00  237056  ----a-w-  c:\windows\system32\url.dll
2012-08-24 10:17 . 2012-09-26 17:00  85504  ----a-w-  c:\windows\system32\jsproxy.dll
2012-08-24 10:14 . 2012-09-26 17:00  173056  ----a-w-  c:\windows\system32\ieUnatt.exe
2012-08-24 10:14 . 2012-09-26 17:00  816640  ----a-w-  c:\windows\system32\jscript.dll
2012-08-24 10:13 . 2012-09-26 17:00  599040  ----a-w-  c:\windows\system32\vbscript.dll
2012-08-24 10:12 . 2012-09-26 17:00  2144768  ----a-w-  c:\windows\system32\iertutil.dll
2012-08-24 10:11 . 2012-09-26 17:00729088----a-w-c:\windows\system32\msfeeds.dll
2012-08-24 10:10 . 2012-09-26 17:0096768----a-w-c:\windows\system32\mshtmled.dll
2012-08-24 10:09 . 2012-09-26 17:002382848----a-w-c:\windows\system32\mshtml.tlb
2012-08-24 10:04 . 2012-09-26 17:00248320----a-w-c:\windows\system32\ieui.dll
2012-08-24 06:59 . 2012-09-26 17:001800704----a-w-c:\windows\SysWow64\jscript9.dll
2012-08-24 06:51 . 2012-09-26 17:001129472----a-w-c:\windows\SysWow64\wininet.dll
2012-08-24 06:51 . 2012-09-26 17:001427968----a-w-c:\windows\SysWow64\inetcpl.cpl
2012-08-24 06:47 . 2012-09-26 17:00142848----a-w-c:\windows\SysWow64\ieUnatt.exe
2012-08-24 06:47 . 2012-09-26 17:00420864----a-w-c:\windows\SysWow64\vbscript.dll
2012-08-24 06:43 . 2012-09-26 17:002382848----a-w-c:\windows\SysWow64\mshtml.tlb
2012-08-22 18:12 . 2012-09-12 08:491913200----a-w-c:\windows\system32\drivers\tcpip.sys
2012-08-22 18:12 . 2012-09-12 08:49950128----a-w-c:\windows\system32\drivers\ndis.sys
2012-08-22 18:12 . 2012-09-12 08:49376688----a-w-c:\windows\system32\drivers\netio.sys
2012-08-22 18:12 . 2012-09-12 08:49288624----a-w-c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-21 21:01 . 2012-09-26 01:15245760----a-w-c:\windows\system32\OxpsConverter.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{AB4C7833-A6EC-433f-B9FE-6B14B1A2F836}]
2012-10-18 17:57498584----a-r-c:\program files (x86)\Norton Identity Safe\Engine\2013.2.0.18\CoIEPlg.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{A13C2648-91D4-4bf3-BC6D-0079707C4389}"= "c:\program files (x86)\Norton Identity Safe\Engine\2013.2.0.18\coIEPlg.dll" [2012-10-18 498584]
.
[HKEY_CLASSES_ROOT\clsid\{a13c2648-91d4-4bf3-bc6d-0079707c4389}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-16 932288]
"ASUSPRP"="c:\program files (x86)\ASUS\APRP\APRP.EXE" [2012-02-18 3331312]
"ASUSWebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe" [2011-07-29 737104]
"USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-02-07 291608]
"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2012-02-02 2321072]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2012-06-25 322208]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2012-06-19 174752]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AsusVibeLauncher.lnk - c:\program files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe [2012-2-18 549040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys [2009-06-10 57344]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-23 565352]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [2009-06-10 56832]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-09-03 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-02-07 16152]
S1 ATKWMIACPIIO;ATKWMIACPI Driver;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2011-09-06 17536]
S1 ccSet_NST;Norton Identity Safe Settings Manager;c:\windows\system32\drivers\NSTx64\7DD02000.012\ccSetx64.sys [2012-10-04 168096]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [2011-03-03 379520]
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-02 15416]
S2 ASUS InstantOn;ASUS InstantOn Service;c:\program files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe [2012-02-03 277120]
S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2011-12-08 607456]
S2 Intel(R) ME Service;Intel(R) ME Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [2011-12-16 128280]
S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [2011-12-16 161560]
S2 NCO;Norton Identity Safe;c:\program files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccSvcHst.exe [2012-10-11 143928]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-12-16 363800]
S3 AiCharger;ASUS Charger Driver;c:\windows\system32\DRIVERS\AiCharger.sys [2012-01-30 17152]
S3 AsusVBus;AsusVBus;c:\windows\system32\DRIVERS\AsusVBus.sys [2011-12-21 35968]
S3 AsusVTouch;AsusVTouch;c:\windows\system32\DRIVERS\AsusVTouch.sys [2011-11-08 16512]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2012-02-19 200488]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2012-02-20 331264]
S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-02-07 356120]
S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-02-07 787736]
S3 RSBASTOR;Realtek PCIE CardReader Driver - BA;c:\windows\system32\DRIVERS\RtsBaStor.sys [2012-02-01 292968]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3254260356-3574314768-983753981-1000Core.job
- c:\users\Sad0r\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-26 02:50]
.
2012-10-13 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
- c:\program files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]
.
2012-10-13 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
- c:\program files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"
[HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]
2011-05-25 07:09227840----a-w-c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{64174815-8D98-4CE6-8646-4C039977D808}"
[HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]
2011-05-25 07:09227840----a-w-c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-02-22 170264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-02-22 398616]
"ETDCtrl"="c:\program files (x86)\Elantech\ETDCtrl.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://google.com.au/
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-77118655.sys
SafeBoot-95310364.sys
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NCO]
"ImagePath"="\"c:\program files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccSvcHst.exe\" /s \"NCO\" /m \"c:\program files (x86)\Norton Identity Safe\Engine\2013.2.0.18\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-19 22:27:50
ComboFix-quarantined-files.txt 2012-11-19 11:27
ComboFix2.txt 2012-09-20 23:35
.
Pre-Run: 171,741,958,144 bytes free
Post-Run: 171,226,935,296 bytes free
.
- - End Of File - - 5E4364868D838EF217D48A15D9C1CABD
 
Hey DMJ, this line at the top I have also seen on my 2TB Seagate hard drive (c:\$recycle.bin\S-1-5-21-3254260356-3574314768-983753981-1000\$RV.....), hidden away in a hidden recycle bin within another, and I can't delete it as it just keeps saying access denied; even after changing permissions and deleting it, it just respawns. So I'll wait to see what you can see about these logs first and concentrate on the laptop before the HD, and I won't plug it in again either until you say so. Long story short, we had an infected laptop in the house, and after trying to delete the virus manually, the infected laptop self-activated Windows Media Player sharing and we literally watched the other 2 laptops in the house activate and join with the initial one. After giving up on the first and throwing it in a drawer to die, we both noticed our 2 good LTs were still joining, and every time we turn them on they keep trying to install an unwanted network adapter. So I reformatted hers and it seems to be OK so far, but as I just bought this expensive one and have been reading about some new rootkit that even infects a machine's MBR, I thought I would let an expert have a look, and here we are... so seek and DESTROY ;)
 
Let's do the following:

Farbar Recovery Scan Tool x64

Download Farbar Recovery Scan Tool and save it to a flash drive.


Please make sure to get the 64-bit version

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button. It will do its scan and save a log on your flash drive.
  • Close out of the message after that, then type the text services.exe into the "Search:" text box. Then press the Search file(s) button.

    When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
  • Type exit in the Command Prompt window and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-11-2012
Ran by SYSTEM at 21-11-2012 08:54:09
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [x]
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-11-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ASUSPRP] "C:\Program Files (x86)\ASUS\APRP\APRP.EXE" [3331312 2012-02-17] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe /S [737104 2011-07-29] (ecareme)
HKLM-x32\...\Run: [USB3MON] "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [291608 2012-02-06] (Intel Corporation)
HKLM-x32\...\Run: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [2321072 2012-02-02] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [322208 2012-06-24] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [174752 2012-06-18] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-18] (ASUS)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\AsusVibeLauncher.lnk
ShortcutTarget: AsusVibeLauncher.lnk -> C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe (ASUSTeK Computer Inc.)

==================== Services (Whitelisted) ===================

2 ASUS InstantOn; C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe [277120 2012-02-03] (ASUS)
2 ATKGFNEXSrv; C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [96896 2011-11-20] (ASUS)
2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [128280 2011-12-16] ()
2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [161560 2011-12-16] (Intel Corporation)
2 N360; "C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\ccSvcHst.exe" /s "N360" /m "C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\diMaster.dll" /prefetch:1 [535416 2012-10-11] (Symantec Corporation)
2 NCO; "C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccSvcHst.exe" /s "NCO" /m "C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\diMaster.dll" /prefetch:1 [535416 2012-10-11] (Symantec Corporation)

==================== Drivers (Whitelisted) =====================

3 AiCharger; C:\Windows\System32\Drivers\AiCharger.sys [17152 2012-01-30] (ASUSTek Computer Inc.)
3 AiCharger; C:\Windows\SysWow64\Drivers\AiCharger.sys [17152 2012-01-30] (ASUSTek Computer Inc.)
3 AsusVBus; C:\Windows\System32\Drivers\AsusVBus.sys [35968 2011-12-21] (Windows (R) Win 7 DDK provider)
3 AsusVTouch; C:\Windows\System32\Drivers\AsusVTouch.sys [16512 2011-11-07] (Windows (R) Win 7 DDK provider)
1 ATKWMIACPIIO; \??\C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [17536 2011-09-06] (ASUS)
1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\BASHDefs\20121106.001\BHDrvx64.sys [1384608 2012-10-23] (Symantec Corporation)
1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1402000.013\ccSetx64.sys [168096 2012-10-03] (Symantec Corporation)
1 ccSet_NST; C:\Windows\system32\drivers\NSTx64\7DD02000.012\ccSetx64.sys [168096 2012-10-03] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-11-16] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-11-16] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\IPSDefs\20121119.001\IDSvia64.sys [513184 2012-11-18] (Symantec Corporation)
3 kbfiltr; C:\Windows\System32\Drivers\kbfiltr.sys [15416 2009-07-20] ( )
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\VirusDefs\20121119.022\ENG64.SYS [126112 2012-11-16] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\VirusDefs\20121119.022\EX64.SYS [2084000 2012-11-16] (Symantec Corporation)
3 RSBASTOR; C:\Windows\System32\DRIVERS\RtsBaStor.sys [292968 2012-02-01] (Realtek Semiconductor Corp.)
3 SRTSP; C:\Windows\system32\drivers\N360x64\1402000.013\SRTSP64.SYS [776864 2012-10-08] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\N360x64\1402000.013\SRTSPX64.SYS [37496 2012-09-06] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\N360x64\1402000.013\SYMDS64.SYS [493216 2012-10-03] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\N360x64\1402000.013\SYMEFA64.SYS [1133216 2012-10-03] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2012-11-19] (Symantec Corporation)
1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [43680 2012-09-06] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\N360x64\1402000.013\Ironx64.SYS [224416 2012-09-06] (Symantec Corporation)
1 SymNetS; C:\Windows\system32\drivers\N360x64\1402000.013\SYMNETS.SYS [432800 2012-09-06] (Symantec Corporation)
3 catchme; \??\C:\Com\catchme.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-20 06:16 - 2012-11-20 06:16 - 01154548 ____A C:\Users\Sad0r\Desktop\bookmkkk_11_21_12.html
2012-11-19 09:45 - 2012-11-19 09:45 - 00001175 ____A C:\Users\Sad0r\Desktop\adsl.txt
2012-11-19 07:37 - 2012-11-20 13:49 - 00524288 ____A C:\Windows\System32\Ikeext.etl
2012-11-19 06:57 - 2012-11-19 08:49 - 00000000 ____D C:\Netgear
2012-11-19 04:14 - 2012-11-19 10:59 - 00002611 ____A C:\Users\Sad0r\Desktop\fillll.txt
2012-11-19 03:41 - 2012-09-06 18:05 - 00043680 ___RA (Symantec Corporation) C:\Windows\System32\Drivers\SymIMV.sys
2012-11-19 03:35 - 2012-11-19 03:35 - 00177312 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2012-11-19 03:35 - 2012-11-19 03:35 - 00007466 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2012-11-19 03:35 - 2012-11-19 03:35 - 00000000 ____D C:\Program Files\Symantec
2012-11-19 03:35 - 2012-11-19 03:35 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2012-11-19 03:34 - 2012-11-19 03:34 - 00002393 ____A C:\Users\Public\Desktop\Norton 360.lnk
2012-11-19 03:34 - 2012-11-19 03:34 - 00000000 ____D C:\Windows\System32\Drivers\N360x64
2012-11-19 03:34 - 2012-11-19 03:34 - 00000000 ____D C:\Program Files (x86)\Norton 360
2012-11-19 03:27 - 2012-11-19 03:27 - 00018998 ____A C:\ComboFix.txt
2012-11-19 03:21 - 2012-11-19 03:27 - 00000000 ____D C:\Windows\erdnt
2012-11-19 03:21 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-11-19 03:21 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-11-19 03:21 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-11-19 03:21 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-11-19 03:21 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-11-19 03:21 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-11-19 03:21 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-11-19 03:21 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-11-19 03:10 - 2012-11-19 03:13 - 05002404 ____R (Swearware) C:\Users\Sad0r\Desktop\Com.exe
2012-11-17 21:11 - 2012-11-17 21:11 - 00000680 ____A C:\AdwCleaner[S1].txt
2012-11-17 20:58 - 2012-11-17 20:58 - 00000000 ____D C:\Users\Sad0r\Documents\Symantec
2012-11-17 20:54 - 2012-11-19 03:34 - 00001298 ____A C:\Users\Sad0r\Desktop\Norton Installation Files.lnk
2012-11-17 20:54 - 2012-11-17 20:54 - 00915464 ____A (Symantec Corporation) C:\Users\Sad0r\Desktop\N360Downloader.exe
2012-11-17 20:54 - 2012-11-17 20:54 - 00000000 ____D C:\Users\Public\Downloads\Norton
2012-11-17 20:43 - 2012-11-17 20:43 - 00017859 ____A C:\Users\Sad0r\Desktop\dds.txt
2012-11-17 20:43 - 2012-11-17 20:43 - 00005812 ____A C:\Users\Sad0r\Desktop\attach.txt
2012-11-17 05:38 - 2012-11-17 05:38 - 00000000 ____D C:\Windows\System32\Drivers\NSTx64
2012-11-17 05:38 - 2012-11-17 05:38 - 00000000 ____D C:\Program Files (x86)\Norton Identity Safe
2012-11-17 05:20 - 2012-11-17 05:20 - 00000916 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-17 05:20 - 2012-11-17 05:20 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-11-17 05:20 - 2012-09-29 00:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-11-17 05:18 - 2012-11-17 05:19 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\Sad0r\Desktop\mbam-setup-1.65.1.1000.exe
2012-11-17 05:15 - 2012-11-20 13:15 - 02154832 ____A C:\Windows\PFRO.log
2012-11-17 03:59 - 2012-11-17 03:59 - 01149813 ____A C:\Users\Sad0r\Desktop\bookmarksTT_17_12.html
2012-11-16 09:28 - 2012-11-16 09:29 - 00001483 ____A C:\Users\Sad0r\Documents\acpie.txt
2012-11-16 03:43 - 2012-11-16 03:43 - 00000365 ____A C:\Users\Sad0r\Desktop\Block_Autorun.inf_Files.reg
2012-11-16 03:43 - 2012-11-16 03:43 - 00000330 ____A C:\Users\Sad0r\Desktop\Unblock_Autorun.inf_Files.reg
2012-11-12 20:57 - 2012-11-12 20:57 - 03258000 ____A (BrightFort LLC ) C:\Users\Sad0r\Desktop\spup46.exe
2012-11-12 04:46 - 2012-11-12 04:46 - 00347424 ____A (Microsoft Corporation) C:\Users\Sad0r\Desktop\MicrosoftFixit.malware.Run.exe
2012-11-12 03:00 - 2012-11-12 03:00 - 01777664 ____A C:\Users\Sad0r\Desktop\MBSASetup-x64-EN.msi
2012-11-12 02:59 - 2012-11-12 02:59 - 17667616 ____A (Microsoft Corporation) C:\Users\Sad0r\Desktop\Win.exe
2012-11-11 09:38 - 2012-11-11 09:38 - 15140440 ____A (flashvideodownloader.org ) C:\Users\Sad0r\Downloads\fvdsuite_installer.exe
2012-11-11 09:38 - 2012-11-11 09:38 - 15140440 ____A (flashvideodownloader.org ) C:\Users\Sad0r\Documents\fvdsuite_installer.ext
2012-11-09 10:11 - 2012-11-20 13:34 - 00003100 ____A C:\Windows\setupact.log
2012-11-09 10:11 - 2012-11-09 10:11 - 00000000 ____A C:\Windows\setuperr.log
2012-11-09 10:09 - 2012-11-09 10:09 - 00062516 ____A C:\Users\Sad0r\Documents_1121009_180957.dmp
2012-11-09 10:09 - 2012-11-09 10:09 - 00000552 ____A C:\Users\Sad0r\Documents_1121009_180957_main.txt
2012-11-09 09:58 - 2012-11-09 09:58 - 00002846 ____A C:\Users\Sad0r\SEXXX.txt
2012-11-09 05:54 - 2012-11-09 05:54 - 00000025 ____A C:\Users\Sad0r\THE BEST EVER.txt
2012-11-07 05:29 - 2012-11-07 05:29 - 00005750 ____A C:\Users\Sad0r\Documents\cc_20121108_002907.reg
2012-11-07 05:29 - 2012-11-07 05:29 - 00001448 ____A C:\Users\Sad0r\Documents\cc_20121108_002939.reg
2012-11-06 08:20 - 2012-11-09 08:22 - 00000000 ____D C:\Users\Sad0r\Desktop\hott
2012-11-05 08:30 - 2012-11-05 08:30 - 00000061 ____A C:\Users\Sad0r\FFFFFF.txt
2012-11-05 07:30 - 2012-11-05 07:32 - 20345824 ____A (flashvideodownloader.org ) C:\Users\Sad0r\Downloads\fvdsuite-2.7.6-release.exe
2012-11-04 21:32 - 2012-11-04 21:32 - 00079393 ____A C:\Users\Sad0r\Documents_1121005_053236.dmp
2012-11-04 21:32 - 2012-11-04 21:32 - 00000471 ____A C:\Users\Sad0r\Documents_1121005_053236_main.txt
2012-11-04 21:31 - 2012-11-04 21:31 - 00080641 ____A C:\Users\Sad0r\Documents_1121005_053114.dmp
2012-11-04 21:31 - 2012-11-04 21:31 - 00000534 ____A C:\Users\Sad0r\Documents_1121005_053114_main.txt
2012-11-04 21:30 - 2012-11-04 21:30 - 00001085 ____A C:\Users\Sad0r\Desktop\iWisoft Free Video Downloader.lnk
2012-11-04 21:30 - 2012-11-04 21:30 - 00000000 ____D C:\Program Files (x86)\iWisoft Free Video Downloader
2012-11-04 21:26 - 2012-11-04 21:27 - 03127375 ____A (www.iwisoft.com ) C:\Users\Sad0r\Documents\flashvideodownloader.exe
2012-11-04 21:23 - 2012-11-20 05:18 - 00000000 ____D C:\Users\Sad0r\Documents\iWisoft Free Video Converter
2012-11-04 21:23 - 2012-11-19 14:31 - 00000000 ____D C:\Program Files (x86)\iWisoft Free Video Converter
2012-11-04 21:23 - 2012-11-04 21:23 - 00001075 ____A C:\Users\Sad0r\Desktop\iWisoft Free Video Converter.lnk
2012-11-04 21:23 - 2009-09-29 01:57 - 00758018 ____A C:\Windows\SysWOW64\xvidcore.dll
2012-11-04 21:23 - 2008-12-04 02:46 - 00180224 ____A C:\Windows\SysWOW64\xvidvfw.dll
2012-11-04 21:23 - 2008-10-07 15:16 - 00139264 ____A (http://www.xvid.org) C:\Windows\SysWOW64\xvid.ax
2012-11-04 21:20 - 2012-11-04 21:21 - 09120817 ____A (www.easy-video-converter.com ) C:\Users\Sad0r\Documents\videoconverter.exe
2012-11-03 21:33 - 2012-11-19 08:28 - 00000000 ____D C:\Users\Sad0r\AppData\Local\CrashDumps
2012-11-03 09:06 - 2012-11-03 09:06 - 00000512 ____A C:\Users\Sad0r\Desktop\MBR.dat
2012-11-03 07:50 - 2012-11-03 07:50 - 00448512 ____A (OldTimer Tools) C:\Users\Sad0r\Desktop\TFC.exe
2012-10-29 07:06 - 2012-10-29 07:06 - 00655360 ____A C:\Users\Sad0r\Desktop\MicrosoftFixit50471.msi
2012-10-29 06:47 - 2012-11-06 01:44 - 00000000 ____D C:\Users\Sad0r\Desktop\crapola
2012-10-29 06:06 - 2012-10-29 06:08 - 00000000 ____D C:\silentrunners
2012-10-29 05:50 - 2012-10-29 05:57 - 00000336 ____A C:\Users\Sad0r\silent.txt
2012-10-29 05:30 - 2012-10-29 05:30 - 00002549 ____A C:\Users\Sad0r\xxx.txt
2012-10-29 04:32 - 2012-10-29 04:32 - 00000987 ____A C:\Users\Sad0r\MUD.txt
2012-10-28 08:33 - 2012-10-28 08:33 - 00001407 ____A C:\Users\Sad0r\GYYYY.txt
2012-10-28 03:41 - 2012-10-28 03:41 - 00000000 ____A C:\Windows\System32\remote_PC.csv
2012-10-25 21:11 - 2012-10-25 21:11 - 00000026 ____A C:\Users\Sad0r\AMOLD.txt
2012-10-25 10:51 - 2012-10-25 10:51 - 00000764 ____A C:\Users\Sad0r\quir.txt
2012-10-25 07:40 - 2012-10-25 07:40 - 00000035 ____A C:\Users\Sad0r\hookd.txt
2012-10-25 07:28 - 2012-10-25 07:28 - 00000000 ____D C:\_OTM
2012-10-25 07:21 - 2012-10-25 07:21 - 00000391 ____A C:\Users\Sad0r\reddd.txt
2012-10-25 07:12 - 2012-10-25 07:12 - 00000035 ____A C:\Users\Sad0r\convo.txt
2012-10-25 06:39 - 2012-10-26 03:35 - 00000000 ____D C:\Program Files\Registrar Registry Manager
2012-10-25 06:39 - 2012-10-25 06:42 - 00001057 ____A C:\Users\Sad0r\Desktop\Registrar Registry Manager.lnk
2012-10-25 06:00 - 2012-10-25 06:00 - 00000042 ____A C:\Users\Sad0r\conh.txt
2012-10-25 04:39 - 2012-10-25 04:39 - 00000093 ____A C:\Users\Sad0r\dri.txt
2012-10-25 03:59 - 2012-10-25 04:40 - 00000157 ____A C:\Users\Sad0r\DRIVE.txt
2012-10-25 03:23 - 2012-11-17 20:51 - 00000000 ____D C:\Users\Sad0r\AppData\Local\NPE
2012-10-25 02:51 - 2012-10-25 02:51 - 02957840 ____A (Symantec Corporation) C:\Users\Sad0r\Desktop\Nuts.exe
2012-10-23 05:45 - 2012-10-23 05:45 - 00005768 ____A C:\Users\Sad0r\Documents\cc_20121024_004532.reg
2012-10-23 05:40 - 2012-10-23 05:40 - 00001151 ____A C:\Users\Sad0r\sum.txt
2012-10-22 20:32 - 2012-10-23 03:37 - 00015255 ____A C:\Users\Sad0r\mee.txt
2012-10-22 04:09 - 2012-10-22 04:09 - 00000635 ____A C:\Users\Sad0r\nor.txt
2012-10-22 04:04 - 2012-11-19 03:37 - 00000000 ____D C:\Users\All Users\Norton


==================== One Month Modified Files and Folders =======

2012-11-21 08:53 - 2012-11-21 08:53 - 00000000 ____D C:\FRST
2012-11-20 13:49 - 2012-11-19 07:37 - 00524288 ____A C:\Windows\System32\Ikeext.etl
2012-11-20 13:49 - 2012-10-21 03:44 - 01868064 ____A C:\Windows\WindowsUpdate.log
2012-11-20 13:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\tracing
2012-11-20 13:42 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-20 13:42 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-20 13:39 - 2009-07-13 21:13 - 00778834 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-20 13:36 - 2012-08-30 09:03 - 00000380 ____A C:\Users\Sad0r\AppData\Roaming\sp_data.sys
2012-11-20 13:34 - 2012-11-09 10:11 - 00003100 ____A C:\Windows\setupact.log
2012-11-20 13:34 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-20 13:15 - 2012-11-17 05:15 - 02154832 ____A C:\Windows\PFRO.log
2012-11-20 06:17 - 2012-09-08 06:47 - 00000000 ____D C:\Users\Sad0r\AppData\Roaming\vlc
2012-11-20 06:16 - 2012-11-20 06:16 - 01154548 ____A C:\Users\Sad0r\Desktop\bookmkkk_11_21_12.html
2012-11-20 05:29 - 2012-09-06 00:06 - 00000000 ____D C:\Users\Sad0r\Documents\FFOutput
2012-11-20 05:28 - 2012-09-22 05:48 - 00000000 ____D C:\Users\Sad0r\Documents\iWisoft Free Video Downloader
2012-11-20 05:18 - 2012-11-04 21:23 - 00000000 ____D C:\Users\Sad0r\Documents\iWisoft Free Video Converter
2012-11-19 14:31 - 2012-11-04 21:23 - 00000000 ____D C:\Program Files (x86)\iWisoft Free Video Converter
2012-11-19 12:18 - 2012-09-26 10:10 - 00000000 ____D C:\Users\Sad0r\Documents\My Albums
2012-11-19 10:59 - 2012-11-19 04:14 - 00002611 ____A C:\Users\Sad0r\Desktop\fillll.txt
2012-11-19 10:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2012-11-19 09:45 - 2012-11-19 09:45 - 00001175 ____A C:\Users\Sad0r\Desktop\adsl.txt
2012-11-19 08:49 - 2012-11-19 06:57 - 00000000 ____D C:\Netgear
2012-11-19 08:28 - 2012-11-03 21:33 - 00000000 ____D C:\Users\Sad0r\AppData\Local\CrashDumps
2012-11-19 03:37 - 2012-10-22 04:04 - 00000000 ____D C:\Users\All Users\Norton
2012-11-19 03:35 - 2012-11-19 03:35 - 00177312 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2012-11-19 03:35 - 2012-11-19 03:35 - 00007466 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2012-11-19 03:35 - 2012-11-19 03:35 - 00000000 ____D C:\Program Files\Symantec
2012-11-19 03:35 - 2012-11-19 03:35 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2012-11-19 03:34 - 2012-11-19 03:34 - 00002393 ____A C:\Users\Public\Desktop\Norton 360.lnk
2012-11-19 03:34 - 2012-11-19 03:34 - 00000000 ____D C:\Windows\System32\Drivers\N360x64
2012-11-19 03:34 - 2012-11-19 03:34 - 00000000 ____D C:\Program Files (x86)\Norton 360
2012-11-19 03:34 - 2012-11-17 20:54 - 00001298 ____A C:\Users\Sad0r\Desktop\Norton Installation Files.lnk
2012-11-19 03:27 - 2012-11-19 03:27 - 00018998 ____A C:\ComboFix.txt
2012-11-19 03:27 - 2012-11-19 03:21 - 00000000 ____D C:\Windows\erdnt
2012-11-19 03:27 - 2012-09-20 15:30 - 00000000 ____D C:\Qoobox
2012-11-19 03:26 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-11-19 03:13 - 2012-11-19 03:10 - 05002404 ____R (Swearware) C:\Users\Sad0r\Desktop\Com.exe
2012-11-17 21:11 - 2012-11-17 21:11 - 00000680 ____A C:\AdwCleaner[S1].txt
2012-11-17 20:58 - 2012-11-17 20:58 - 00000000 ____D C:\Users\Sad0r\Documents\Symantec
2012-11-17 20:54 - 2012-11-17 20:54 - 00915464 ____A (Symantec Corporation) C:\Users\Sad0r\Desktop\N360Downloader.exe
2012-11-17 20:54 - 2012-11-17 20:54 - 00000000 ____D C:\Users\Public\Downloads\Norton
2012-11-17 20:51 - 2012-10-25 03:23 - 00000000 ____D C:\Users\Sad0r\AppData\Local\NPE
2012-11-17 20:43 - 2012-11-17 20:43 - 00017859 ____A C:\Users\Sad0r\Desktop\dds.txt
2012-11-17 20:43 - 2012-11-17 20:43 - 00005812 ____A C:\Users\Sad0r\Desktop\attach.txt
2012-11-17 05:53 - 2012-08-31 02:43 - 00001783 ____A C:\Windows\System32\ServiceFilter.ini
2012-11-17 05:38 - 2012-11-17 05:38 - 00000000 ____D C:\Windows\System32\Drivers\NSTx64
2012-11-17 05:38 - 2012-11-17 05:38 - 00000000 ____D C:\Program Files (x86)\Norton Identity Safe
2012-11-17 05:20 - 2012-11-17 05:20 - 00000916 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-17 05:20 - 2012-11-17 05:20 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-11-17 05:19 - 2012-11-17 05:18 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\Sad0r\Desktop\mbam-setup-1.65.1.1000.exe
2012-11-17 03:59 - 2012-11-17 03:59 - 01149813 ____A C:\Users\Sad0r\Desktop\bookmarksTT_17_12.html
2012-11-16 09:29 - 2012-11-16 09:28 - 00001483 ____A C:\Users\Sad0r\Documents\acpie.txt
2012-11-16 03:43 - 2012-11-16 03:43 - 00000365 ____A C:\Users\Sad0r\Desktop\Block_Autorun.inf_Files.reg
2012-11-16 03:43 - 2012-11-16 03:43 - 00000330 ____A C:\Users\Sad0r\Desktop\Unblock_Autorun.inf_Files.reg
2012-11-15 21:17 - 2012-09-25 18:50 - 00002487 ____A C:\Users\Sad0r\Desktop\Google Chrome.lnk
2012-11-12 20:57 - 2012-11-12 20:57 - 03258000 ____A (BrightFort LLC ) C:\Users\Sad0r\Desktop\spup46.exe
2012-11-12 04:46 - 2012-11-12 04:46 - 00347424 ____A (Microsoft Corporation) C:\Users\Sad0r\Desktop\MicrosoftFixit.malware.Run.exe
2012-11-12 03:00 - 2012-11-12 03:00 - 01777664 ____A C:\Users\Sad0r\Desktop\MBSASetup-x64-EN.msi
2012-11-12 02:59 - 2012-11-12 02:59 - 17667616 ____A (Microsoft Corporation) C:\Users\Sad0r\Desktop\Win.exe
2012-11-11 09:38 - 2012-11-11 09:38 - 15140440 ____A (flashvideodownloader.org ) C:\Users\Sad0r\Downloads\fvdsuite_installer.exe
2012-11-11 09:38 - 2012-11-11 09:38 - 15140440 ____A (flashvideodownloader.org ) C:\Users\Sad0r\Documents\fvdsuite_installer.ext
2012-11-09 10:11 - 2012-11-09 10:11 - 00000000 ____A C:\Windows\setuperr.log
2012-11-09 10:09 - 2012-11-09 10:09 - 00062516 ____A C:\Users\Sad0r\Documents_1121009_180957.dmp
2012-11-09 10:09 - 2012-11-09 10:09 - 00000552 ____A C:\Users\Sad0r\Documents_1121009_180957_main.txt
2012-11-09 10:09 - 2012-08-30 09:03 - 00000000 ____D C:\users\Sad0r
2012-11-09 09:58 - 2012-11-09 09:58 - 00002846 ____A C:\Users\Sad0r\SEXXX.txt
2012-11-09 08:22 - 2012-11-06 08:20 - 00000000 ____D C:\Users\Sad0r\Desktop\hott
2012-11-09 05:54 - 2012-11-09 05:54 - 00000025 ____A C:\Users\Sad0r\THE BEST EVER.txt
2012-11-09 04:19 - 2012-09-17 05:21 - 00000000 ___SD C:\Users\Sad0r\Documents\Passwords Database
2012-11-07 05:29 - 2012-11-07 05:29 - 00005750 ____A C:\Users\Sad0r\Documents\cc_20121108_002907.reg
2012-11-07 05:29 - 2012-11-07 05:29 - 00001448 ____A C:\Users\Sad0r\Documents\cc_20121108_002939.reg
2012-11-06 01:44 - 2012-10-29 06:47 - 00000000 ____D C:\Users\Sad0r\Desktop\crapola
2012-11-05 08:30 - 2012-11-05 08:30 - 00000061 ____A C:\Users\Sad0r\FFFFFF.txt
2012-11-05 07:32 - 2012-11-05 07:30 - 20345824 ____A (flashvideodownloader.org ) C:\Users\Sad0r\Downloads\fvdsuite-2.7.6-release.exe
2012-11-04 21:32 - 2012-11-04 21:32 - 00079393 ____A C:\Users\Sad0r\Documents_1121005_053236.dmp
2012-11-04 21:32 - 2012-11-04 21:32 - 00000471 ____A C:\Users\Sad0r\Documents_1121005_053236_main.txt
2012-11-04 21:31 - 2012-11-04 21:31 - 00080641 ____A C:\Users\Sad0r\Documents_1121005_053114.dmp
2012-11-04 21:31 - 2012-11-04 21:31 - 00000534 ____A C:\Users\Sad0r\Documents_1121005_053114_main.txt
2012-11-04 21:30 - 2012-11-04 21:30 - 00001085 ____A C:\Users\Sad0r\Desktop\iWisoft Free Video Downloader.lnk
2012-11-04 21:30 - 2012-11-04 21:30 - 00000000 ____D C:\Program Files (x86)\iWisoft Free Video Downloader
2012-11-04 21:27 - 2012-11-04 21:26 - 03127375 ____A (www.iwisoft.com ) C:\Users\Sad0r\Documents\flashvideodownloader.exe
2012-11-04 21:23 - 2012-11-04 21:23 - 00001075 ____A C:\Users\Sad0r\Desktop\iWisoft Free Video Converter.lnk
2012-11-04 21:21 - 2012-11-04 21:20 - 09120817 ____A (www.easy-video-converter.com ) C:\Users\Sad0r\Documents\videoconverter.exe
2012-11-04 02:29 - 2012-08-31 02:42 - 00000000 ____D C:\Users\All Users\P4G
2012-11-04 02:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2012-11-03 09:06 - 2012-11-03 09:06 - 00000512 ____A C:\Users\Sad0r\Desktop\MBR.dat
2012-11-03 07:50 - 2012-11-03 07:50 - 00448512 ____A (OldTimer Tools) C:\Users\Sad0r\Desktop\TFC.exe
2012-11-02 01:59 - 2012-09-08 06:27 - 00000000 ____D C:\Users\Sad0r\AppData\Local\Graboid
2012-10-29 07:06 - 2012-10-29 07:06 - 00655360 ____A C:\Users\Sad0r\Desktop\MicrosoftFixit50471.msi
2012-10-29 06:08 - 2012-10-29 06:06 - 00000000 ____D C:\silentrunners
2012-10-29 05:57 - 2012-10-29 05:50 - 00000336 ____A C:\Users\Sad0r\silent.txt
2012-10-29 05:30 - 2012-10-29 05:30 - 00002549 ____A C:\Users\Sad0r\xxx.txt
2012-10-29 04:32 - 2012-10-29 04:32 - 00000987 ____A C:\Users\Sad0r\MUD.txt
2012-10-28 08:33 - 2012-10-28 08:33 - 00001407 ____A C:\Users\Sad0r\GYYYY.txt
2012-10-28 03:41 - 2012-10-28 03:41 - 00000000 ____A C:\Windows\System32\remote_PC.csv
2012-10-26 03:35 - 2012-10-25 06:39 - 00000000 ____D C:\Program Files\Registrar Registry Manager
2012-10-25 21:11 - 2012-10-25 21:11 - 00000026 ____A C:\Users\Sad0r\AMOLD.txt
2012-10-25 10:51 - 2012-10-25 10:51 - 00000764 ____A C:\Users\Sad0r\quir.txt
2012-10-25 07:40 - 2012-10-25 07:40 - 00000035 ____A C:\Users\Sad0r\hookd.txt
2012-10-25 07:28 - 2012-10-25 07:28 - 00000000 ____D C:\_OTM
2012-10-25 07:21 - 2012-10-25 07:21 - 00000391 ____A C:\Users\Sad0r\reddd.txt
2012-10-25 07:12 - 2012-10-25 07:12 - 00000035 ____A C:\Users\Sad0r\convo.txt
2012-10-25 06:42 - 2012-10-25 06:39 - 00001057 ____A C:\Users\Sad0r\Desktop\Registrar Registry Manager.lnk
2012-10-25 06:00 - 2012-10-25 06:00 - 00000042 ____A C:\Users\Sad0r\conh.txt
2012-10-25 04:40 - 2012-10-25 03:59 - 00000157 ____A C:\Users\Sad0r\DRIVE.txt
2012-10-25 04:39 - 2012-10-25 04:39 - 00000093 ____A C:\Users\Sad0r\dri.txt
2012-10-25 02:51 - 2012-10-25 02:51 - 02957840 ____A (Symantec Corporation) C:\Users\Sad0r\Desktop\Nuts.exe
2012-10-23 05:45 - 2012-10-23 05:45 - 00005768 ____A C:\Users\Sad0r\Documents\cc_20121024_004532.reg
2012-10-23 05:40 - 2012-10-23 05:40 - 00001151 ____A C:\Users\Sad0r\sum.txt
2012-10-23 03:37 - 2012-10-22 20:32 - 00015255 ____A C:\Users\Sad0r\mee.txt
2012-10-22 04:09 - 2012-10-22 04:09 - 00000635 ____A C:\Users\Sad0r\nor.txt
2012-10-22 03:38 - 2012-10-15 10:41 - 00000000 ____D C:\Program Files\Bitdefender
2012-10-22 03:37 - 2012-10-15 10:40 - 00000000 ____D C:\Program Files\Common Files\Bitdefender

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-09 08:00:19
Restore point made on: 2012-11-12 20:49:03
Restore point made on: 2012-11-13 08:00:22
Restore point made on: 2012-11-14 08:00:23
Restore point made on: 2012-11-15 08:00:43
Restore point made on: 2012-11-16 08:00:19
Restore point made on: 2012-11-17 08:00:22
Restore point made on: 2012-11-18 08:00:20
Restore point made on: 2012-11-19 08:00:23
Restore point made on: 2012-11-20 13:00:44

==================== Memory info ===========================

Percentage of memory in use: 7%
Total physical RAM: 12173.91 MB
Available physical RAM: 11257.16 MB
Total Pagefile: 12172.06 MB
Available Pagefile: 11246.45 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:254.72 GB) (Free:192.41 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (DATA) (Fixed) (Total:419.18 GB) (Free:418.56 GB) NTFS
3 Drive e: (first) (CDROM) (Total:4.38 GB) (Free:4.37 GB) UDF
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online         698 GB   0 B           *

Partitions of Disk 0:
===============

Partition ###  Type                                     Size     Offset
-------------  ---------------------------------------  -------  -------
Partition 1    System (partition with boot components)  200 MB   1024 KB
Partition 2    Reserved                                 128 MB   201 MB
Partition 3    Primary                                  254 GB   329 MB
Partition 4    Primary                                  419 GB   255 GB
Partition 5    Recovery                                 24 GB    674 GB

==================================================================================

Disk: 0
Partition 1
Type : c12a7328-f81f-11d2-ba4b-00a0c93ec93b
Hidden : Yes
Required: No
Attrib : 0X8000000000000000

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3       SYSTEM       FAT32  Partition   200 MB   Healthy    Hidden

=========================================================

Disk: 0
Partition 2
Type : e3c9e316-0b5c-4db8-817d-f92df00215ae
Hidden : Yes
Required: No
Attrib : 0X8000000000000000

There is no volume associated with this partition.

=========================================================

Disk: 0
Partition 3
Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden : No
Required: No
Attrib : 0000000000000000

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1  C    OS           NTFS   Partition   254 GB   Healthy

=========================================================

Disk: 0
Partition 4
Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden : No
Required: No
Attrib : 0000000000000000

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2  D    DATA         NTFS   Partition   419 GB   Healthy

=========================================================

Disk: 0
Partition 5
Type : de94bba4-06d1-4d40-a16a-bfd50179d6ac
Hidden : Yes
Required: Yes
Attrib : 0X8000000000000001

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4       Recovery     NTFS   Partition   24 GB    Healthy    Hidden

=========================================================

Last Boot: 2012-11-14 08:39

==================== End Of Log =============================
 
Sorry DMG, after running Farbar it was as if a devil was unleashed: the comp slowed down, froze, went offline and locked me out of half my files, so I ran the Kaspersky scanning tool from drive and found a heur.backdoor.trojan.win32.generic, which everywhere I've read says is very new and one of the worst yet, rendering most systems dead within a couple of weeks. Well, at the moment I have, and now cannot install, any antivirus I've tried, bar one, being Dr Web CureIt through stealth mode, but within hours it was mashed to bits, playing up with files corrupted and missing, and after having to remove it manually through the registry in safe mode, as the computer completely froze on every boot, now I can't connect because my browser keeps saying access restricted :( so am writing from my phone. I will try to get back online tonight and if I can, what do you suggest, cause this is way past my level?????
 
Well, after nearly 500 key, data and binary deletions I'm back online and will never install Dr Web CureIt again!!!!!! Anyway, I downloaded the latest ComboFix and ran it, but the first time it ran it came to a point saying "folder deletions c:\x\ cannot find batch file" and just froze for 2 hours, so I closed it, then ran it again and it went fine, though I often wonder: does that mean it has been compromised? But here are those latter logs.

ComboFix 12-11-23.02 - Sad0r 25/11/2012 0:30.4.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.12174.10206 [GMT 11:00]
Running from: c:\users\Sad0r\Desktop\x.exe
AV: Dr.Web Security Space *Disabled/Updated* {A8C161B2-600A-42FD-97E0-4C12952A9FEC}
SP: Dr.Web Security Space *Disabled/Updated* {13A08056-4630-4D73-AD50-7760EEADD551}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\x
c:\x\d-del2b.dat
c:\x\ErrTrap1
c:\x\N_\11335
c:\x\N_\2867
.
.
((((((((((((((((((((((((( Files Created from 2012-10-24 to 2012-11-24 )))))))))))))))))))))))))))))))
.
.
2012-11-24 13:32 . 2012-11-24 13:32    --------    d-----w-    c:\users\Sad0r\AppData\Local\temp
2012-11-23 11:58 . 2012-11-23 11:59    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2012-11-23 11:58 . 2012-09-29 08:54    25928    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-11-23 11:31 . 2012-11-23 11:31    --------    d-----w-    c:\users\Sad0r\AppData\Roaming\SUPERAntiSpyware.com
2012-11-23 11:31 . 2012-11-23 11:31    --------    d-----w-    c:\program files\SUPERAntiSpyware
2012-11-23 11:31 . 2012-11-23 11:31    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2012-11-23 06:47 . 2012-11-23 06:47    --------    d-----w-    c:\users\Sad0r\AppData\Roaming\addpcs
2012-11-23 06:47 . 2012-11-23 06:47    --------    d-----w-    c:\program files\Temp File Cleaner
2012-11-23 06:27 . 2012-11-23 08:31    --------    d-----w-    c:\programdata\F-Secure
2012-11-21 16:53 . 2012-11-21 16:53    --------    d-----w-    C:\FRST
2012-11-21 04:34 . 2012-11-21 04:34    --------    d-----w-    c:\program files (x86)\UltraISO
2012-11-21 04:34 . 2012-11-21 04:34    --------    d-----w-    c:\program files (x86)\Common Files\EZB Systems
2012-11-19 14:57 . 2012-11-19 16:49    --------    d-----w-    C:\Netgear
2012-11-12 10:14 . 2012-11-19 14:49    --------    d-----w-    c:\users\Sad0r\AppData\Local\Diagnostics
2012-11-05 05:30 . 2012-11-05 05:30    --------    d-----w-    c:\program files (x86)\iWisoft Free Video Downloader
2012-11-05 05:23 . 2012-11-19 22:31    --------    d-----w-    c:\program files (x86)\iWisoft Free Video Converter
2012-11-05 05:23 . 2009-09-29 09:57    758018    ----a-w-    c:\windows\SysWow64\xvidcore.dll
2012-11-05 05:23 . 2008-12-04 10:46    180224    ----a-w-    c:\windows\SysWow64\xvidvfw.dll
2012-11-05 05:23 . 2008-10-07 23:16    139264    ----a-w-    c:\windows\SysWow64\xvid.ax
2012-11-04 05:33 . 2012-11-23 18:06    --------    d-----w-    c:\users\Sad0r\AppData\Local\CrashDumps
2012-10-29 14:06 . 2012-11-23 19:02    --------    d-----w-    C:\silentrunners
2012-10-25 15:28 . 2012-10-25 15:28    --------    d-----w-    C:\_OTM
2012-10-25 14:39 . 2012-10-26 11:35    --------    d-----w-    c:\program files\Registrar Registry Manager
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-24 11:40 . 2012-08-30 17:03    380    ----a-w-    c:\users\Sad0r\AppData\Roaming\sp_data.sys
2012-10-29 21:01 . 2012-09-19 10:16    48648    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2012-10-29 21:01 . 2012-10-15 18:13    336208    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2012-10-25 08:33 . 2012-10-15 18:13    48648    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2012-10-22 06:03 . 2012-09-19 10:16    336208    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-10-12 07:19 . 2012-10-22 19:48    9291768    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{2CF52C71-4E6F-4B46-8A8F-B8966A578E00}\mpengine.dll
2012-09-27 13:18 . 2012-10-04 05:07    65309168    ----a-w-    c:\windows\system32\MRT.exe
2012-09-14 19:19 . 2012-10-10 12:33    2048    ----a-w-    c:\windows\system32\tzres.dll
2012-09-14 18:28 . 2012-10-10 12:33    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
2012-09-08 05:35 . 2012-09-08 05:35    348160    ----a-w-    c:\windows\SysWow64\msvcr71.dll
2012-09-08 05:35 . 2012-09-08 05:35    1700352    ----a-w-    c:\windows\SysWow64\gdiplus.dll
2012-09-08 05:35 . 2012-09-08 05:35    1060864    ----a-w-    c:\windows\SysWow64\mfc71.dll
2012-08-31 18:19 . 2012-10-10 12:34    1659760    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2012-08-31 10:43 . 2012-08-31 10:43    80512    ----a-w-    c:\windows\ASUS K5 Series ScreenSaver Uninstaller.exe
2012-08-31 10:43 . 2012-08-31 10:43    3058304    ----a-w-    c:\windows\AsScrPro.exe
2012-08-30 18:03 . 2012-10-10 12:34    5559664    ----a-w-    c:\windows\system32\ntoskrnl.exe
2012-08-30 17:12 . 2012-10-10 12:34    3914096    ----a-w-    c:\windows\SysWow64\ntoskrnl.exe
2012-08-30 17:12 . 2012-10-10 12:33    3968880    ----a-w-    c:\windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:04 . 2011-03-29 02:36    19720    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-16 932288]
"ASUSPRP"="c:\program files (x86)\ASUS\APRP\APRP.EXE" [2012-02-18 3331312]
"ASUSWebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe" [2011-07-29 737104]
"USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-02-07 291608]
"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2012-02-02 2321072]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2012-06-25 322208]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2012-06-19 174752]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AsusVibeLauncher.lnk - c:\program files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe [2012-2-18 549040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys [2009-06-10 57344]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [2009-06-10 56832]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-09-03 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-02-07 16152]
S1 ATKWMIACPIIO;ATKWMIACPI Driver;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2011-09-06 17536]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [2011-03-03 379520]
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-02 15416]
S2 ASUS InstantOn;ASUS InstantOn Service;c:\program files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe [2012-02-03 277120]
S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2011-12-08 607456]
S2 Intel(R) ME Service;Intel(R) ME Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [2011-12-16 128280]
S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [2011-12-16 161560]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-12-16 363800]
S3 AiCharger;ASUS Charger Driver;c:\windows\system32\DRIVERS\AiCharger.sys [2012-01-30 17152]
S3 AsusVBus;AsusVBus;c:\windows\system32\DRIVERS\AsusVBus.sys [2011-12-21 35968]
S3 AsusVTouch;AsusVTouch;c:\windows\system32\DRIVERS\AsusVTouch.sys [2011-11-08 16512]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2012-02-19 200488]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2012-02-20 331264]
S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-02-07 356120]
S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-02-07 787736]
S3 RSBASTOR;Realtek PCIE CardReader Driver - BA;c:\windows\system32\DRIVERS\RtsBaStor.sys [2012-02-01 292968]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-23 565352]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-23 17:22]
.
2012-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-23 17:22]
.
2012-10-13 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
- c:\program files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]
.
2012-10-13 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
- c:\program files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]
.
2012-11-23 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 87ad0517-321a-4540-b518-2b1ca9882ddf.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2012-11-24 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task a5e493d9-23ae-4292-a764-805c38619a57.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"
[HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]
2011-05-25 07:09    227840    ----a-w-    c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{64174815-8D98-4CE6-8646-4C039977D808}"
[HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]
2011-05-25 07:09    227840    ----a-w-    c:\program files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-02-22 170264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-02-22 398616]
"ETDCtrl"="c:\program files (x86)\Elantech\ETDCtrl.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com.au/
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-25 00:33:23
ComboFix-quarantined-files.txt 2012-11-24 13:33
ComboFix2.txt 2012-11-23 15:02
ComboFix3.txt 2012-11-19 11:27
ComboFix4.txt 2012-09-20 23:35
.
Pre-Run: 217,451,196,416 bytes free
Post-Run: 217,389,674,496 bytes free
.
- - End Of File - - AB9B4938F0570E903B04F0EDFC8351CB
This is also the text file left from the combo run that froze, if it helps.

ComboFix-quarantined-files.txt
2012-11-24 11:54:46 . 2012-11-24 11:54:46 8 ----a-w- C:\Qoobox\Quarantine\C\x\d-del2b.dat.vir
2012-11-24 11:54:46 . 2012-11-24 11:54:46 28 ----a-w- C:\Qoobox\Quarantine\C\x\N_\2867.vir
2012-11-24 11:54:46 . 2012-11-24 11:54:46 275 ----a-w- C:\Qoobox\Quarantine\C\x\N_\11335.vir
2012-11-24 11:53:55 . 2012-11-24 11:53:55 0 ----a-w- C:\Qoobox\Quarantine\C\x\BitsPath.vir
2012-11-24 11:53:53 . 2012-11-24 11:53:53 739 ----a-w- C:\Qoobox\Quarantine\C\x\BitsStr.vir
2012-11-24 11:53:32 . 2012-11-24 11:53:32 0 ----a-w- C:\Qoobox\Quarantine\C\x\BHOFiles.dat.vir
2012-11-24 11:53:32 . 2012-11-24 11:53:32 0 ----a-w- C:\Qoobox\Quarantine\C\x\BHO.dat.vir
2012-11-24 11:53:32 . 2012-11-24 11:53:32 575 ----a-w- C:\Qoobox\Quarantine\C\x\BHOQuery.dat.vir
2012-11-24 11:53:27 . 2012-11-24 11:53:27 0 ----a-w- C:\Qoobox\Quarantine\C\x\catch_k.dat.vir
2012-11-24 11:52:11 . 2012-11-24 11:54:46 606 ----a-w- C:\Qoobox\Quarantine\C\x\ErrTrap1.vir
2012-11-24 11:51:55 . 2012-11-24 11:51:55 1,504 ----a-w- C:\Qoobox\Quarantine\C\x\borlander_file.dat.tmp.vir
2012-11-24 11:51:55 . 2012-11-24 11:51:55 439 ----a-w- C:\Qoobox\Quarantine\C\x\borlander_folder.dat.tmp.vir
2012-11-24 11:51:55 . 2012-11-24 11:51:55 436,854 ----a-w- C:\Qoobox\Quarantine\C\x\attr.dat.tmp.vir
2012-11-24 11:51:39 . 2012-11-19 11:22:30 123 ----a-w- C:\Qoobox\Quarantine\C\x\AppData.folder.dat.vir
2012-11-24 11:51:39 . 2012-11-19 11:22:30 228 ----a-w- C:\Qoobox\Quarantine\C\x\Cache.folder.dat.vir
2012-11-24 11:51:35 . 2012-11-24 11:52:13 105 ----a-w- C:\Qoobox\Quarantine\C\x\CCS.bat.vir
2012-11-24 11:51:35 . 2012-11-24 11:51:35 0 ----a-w- C:\Qoobox\Quarantine\C\x\c.mrk.vir
2012-11-24 11:51:35 . 2010-11-20 13:24:34 345,088 ----a-w- C:\Qoobox\Quarantine\C\x\CF7265.3XE.vir
2012-11-24 11:51:34 . 2009-07-14 01:38:55 18,432 ----a-w- C:\Qoobox\Quarantine\C\x\ATTRIB.3XE.vir
2012-11-19 11:27:12 . 2012-11-19 11:27:12 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-95310364.sys.reg.dat
2012-11-19 11:27:12 . 2012-11-19 11:27:12 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-77118655.sys.reg.dat
2012-11-19 11:25:36 . 2012-11-24 13:31:32 9,550 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-11-05 14:27:56 . 2012-11-24 11:51:36 56,252 ----a-w- C:\Qoobox\Quarantine\C\x\023.dat.vir
2012-11-02 10:54:10 . 2012-11-02 10:54:10 65,604 ----a-w- C:\Qoobox\Quarantine\C\x\c.bat.vir
2012-10-22 11:37:40 . 2012-10-22 11:37:40 220,242 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\1350905593.bdinstall.bin.vir
2012-10-22 11:24:12 . 2012-10-22 11:24:12 431,568 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\1350885310.bdinstall.bin.vir
2012-10-15 18:49:14 . 2012-10-15 18:49:14 470,508 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\1350326436.bdinstall.bin.vir
2012-10-15 18:32:19 . 2012-10-15 18:32:19 262,144 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\ntuser.dat.vir
2012-09-21 15:10:02 . 2012-09-21 15:10:04 2,035 ----a-w- C:\Qoobox\Quarantine\C\Program Files (x86)\INSTALL.LOG.vir
2012-09-20 23:34:35 . 2012-09-20 23:34:35 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-ETDCtrl.reg.dat
2012-09-20 23:34:35 . 2012-11-19 11:27:15 92 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2012-09-20 23:34:30 . 2012-09-20 23:34:30 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-97384014.sys.reg.dat
2012-09-20 23:34:30 . 2012-09-20 23:34:30 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-08657672.sys.reg.dat
2012-09-20 23:34:30 . 2012-09-20 23:34:30 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-00705352.sys.reg.dat
2012-09-20 23:34:25 . 2012-11-24 13:32:40 104 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-Locked.reg.dat
2012-09-20 23:30:09 . 2012-11-24 13:29:48 255 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-09-11 14:47:32 . 2012-09-11 14:47:32 5,343 ----a-w- C:\Qoobox\Quarantine\C\x\Boot-Rk.cmd.vir
2012-06-07 10:56:40 . 2012-06-07 10:56:40 4,638 ----a-w- C:\Qoobox\Quarantine\C\x\av.cmd.vir
2012-02-10 18:12:14 . 2012-02-10 18:12:14 690 ----a-w- C:\Qoobox\Quarantine\C\x\ActiveDrv.vbs.vir
2012-01-18 01:43:20 . 2012-01-18 01:43:20 348,160 ----a-w- C:\Qoobox\Quarantine\C\Windows\msvcr71.dll.vir
2012-01-03 09:27:24 . 2012-01-03 09:27:24 40,960 ----a-w- C:\Qoobox\Quarantine\C\x\BFE.dat.vir
2011-11-19 09:14:26 . 2011-11-19 09:14:26 8,400 ----a-w- C:\Qoobox\Quarantine\C\x\Boot.bat.vir
2011-06-26 15:16:00 . 2011-06-26 15:16:00 666 ----a-w- C:\Qoobox\Quarantine\C\x\AWF.cmd.vir
2010-12-15 15:02:06 . 2010-12-15 15:02:06 2,933 ----a-w- C:\Qoobox\Quarantine\C\x\av.vbs.vir
2010-11-26 19:07:20 . 2010-11-26 19:07:20 2,181 ----a-w- C:\Qoobox\Quarantine\C\x\023v.dat.vir
2010-10-21 08:45:48 . 2010-10-21 08:45:48 1,080 ----a-w- C:\Qoobox\Quarantine\C\x\Catch-sub.cmd.vir
2010-07-27 08:55:16 . 2010-07-27 08:55:16 875 ----a-w- C:\Qoobox\Quarantine\C\x\BootDrv.vbs.vir
2010-04-15 14:11:36 . 2010-04-15 14:11:36 4,144 ----a-w- C:\Qoobox\Quarantine\C\x\Assoc.cmd.vir
2010-02-12 17:55:28 . 2010-02-12 17:55:28 660 ----a-w- C:\Qoobox\Quarantine\C\x\023w7.dat.vir
2009-07-13 15:09:30 . 2009-07-13 15:09:30 602 ----a-w- C:\Qoobox\Quarantine\C\x\asp.str.vir
2009-04-17 09:37:10 . 2009-04-17 09:37:10 147,456 ----a-w- C:\Qoobox\Quarantine\C\x\catchme.3XE.vir
2000-08-31 00:00:00 . 2000-08-31 00:00:00 6,760 ----a-w- C:\Qoobox\Quarantine\C\x\appinit.bad.vir
 
Hey DMJ, not trying to rush you at all. I'm just new to this, so I'm not sure what happens, even though I have read all the rules etc. So I can wait as long as you need; I was just not sure if you were still helping me, as I had made some changes of my own, which, as I read, is understandably a "no no". I only did so because I did not know what to do, as my laptop became almost unusable and I had no way of even logging on anymore, not out of any disrespect, I can assure you!! So I'll wait for further instruction and follow it to the dot. Thanks again ;)
 
I hadn't realized I missed you on Saturday. My apologies, dearly.

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
  • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
  • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.
 
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f230948e045746419c43a7c6942e92ed
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-11-27 12:45:54
# local_time=2012-11-27 11:45:54 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776573 100 94 6615 105606339 0 0
# compatibility_mode=8192 67108863 100 0 444 444 0 0
# scanned=121115
# found=0
# cleaned=0
# scan_time=4265
:( nothing
 
Hey, can I post a log I found? I'm not sure where it comes from, actually; I must have run something before I contacted you, but I think it may be useful, as it's pretty in depth.
 
"Silent Runners.vbs", revision 64, http://www.silentrunners.org/
Operating System: Microsoft Windows 7 Home Premium Service Pack 1 (64-bit)
Output of all locations checked and all values found.


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Google Update = "C:\Users\Sad0r\AppData\Local\Google\Update\GoogleUpdate.exe" /c [Google Inc.]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
IgfxTray = C:\Windows\system32\igfxtray.exe [Intel Corporation]
HotKeysCmds = C:\Windows\system32\hkcmd.exe [Intel Corporation]
ETDCtrl = C:\Program Files\Elantech\ETDCtrl.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
Adobe ARM = "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [Adobe Systems Incorporated]
ASUSPRP = "C:\Program Files (x86)\ASUS\APRP\APRP.EXE" [ASUSTek Computer Inc.]
ASUSWebStorage = C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.108.222\AsusWSPanel.exe /S [null data]
USB3MON = "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [Intel Corporation]
Wireless Console 3 = C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [ASUSTeK Computer Inc.]
ATKOSD2 = C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [ASUSTek Computer Inc.]
ATKMEDIA = C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [ASUSTek Computer Inc.]
HControlUser = C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [ASUS]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default) = Microsoft Windows Media Player
\StubPath = C:\Windows\system32\unregmp2.exe /ShowWMP [MS]

HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\

>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default) = Microsoft Windows Media Player
\StubPath = C:\Windows\system32\unregmp2.exe /ShowWMP [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM…CLSID} = Windows Live ID Sign-in Helper
\InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [MS]

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = AcroIEHelperStub
-> {HKLM…Wow…CLSID} = Adobe PDF Link Helper
\InProcServer32\(Default) = C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [Adobe Systems Incorporated]

{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\(Default) = Norton Identity Protection
-> {HKLM…Wow…CLSID} = Norton Identity Protection
\InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\coIEPlg.dll [Symantec Corporation]

{6D53EC84-6AAE-4787-AEEE-F4628F01010C}\(Default) = Norton Vulnerability Protection
-> {HKLM…Wow…CLSID} = Norton Vulnerability Protection
\InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\IPS\IPSBHO.DLL [Symantec Corporation]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM…Wow…CLSID} = Windows Live ID Sign-in Helper
\InProcServer32\(Default) = C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [MS]

{d2ce3e00-f94a-4740-988e-03dc2f38c34f}\(Default) = (no title provided)
-> {HKLM…Wow…CLSID} = Bing Bar Helper
\InProcServer32\(Default) = "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" [Microsoft Corporation.]

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\

AsusWSShellExt_B\(Default) = {6D4133E5-0742-4ADC-8A8C-9303440F7190}
-> {HKLM…CLSID} = AsusWSShellExt_B64 Class
\InProcServer32\(Default) = C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.108.222\ASUSWSShellExt64.dll [eCareme Technologies, Inc.]

AsusWSShellExt_O\(Default) = {64174815-8D98-4CE6-8646-4C039977D808}
-> {HKLM…CLSID} = AsusWSShellExt_O64 Class
\InProcServer32\(Default) = C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.108.222\ASUSWSShellExt64.dll [eCareme Technologies, Inc.]

EnhancedStorageShell\(Default) = {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}
-> {HKLM…CLSID} = Enhanced Storage Icon Overlay Handler Class
\InProcServer32\(Default) = C:\Windows\system32\EhStorShell.dll [MS]

OverlayExcluded\(Default) = {4433A54A-1AC8-432F-90FC-85F045CF383C}
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\buShell.dll [Symantec Corporation]

OverlayPending\(Default) = {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\buShell.dll [Symantec Corporation]

OverlayProtected\(Default) = {476D0EA3-80F9-48B5-B70B-05E677C9C148}
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\buShell.dll [Symantec Corporation]

SharingPrivate\(Default) = {08244EE6-92F0-47f2-9FC9-929BAA2E7235}
-> {HKLM…CLSID} = Sharing Overlay (Private)
\InProcServer32\(Default) = C:\Windows\system32\ntshrui.dll [MS]

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\

EnhancedStorageShell\(Default) = {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}
-> {HKLM…Wow…CLSID} = Enhanced Storage Icon Overlay Handler Class
\InProcServer32\(Default) = C:\Windows\system32\EhStorShell.dll [MS]

SharingPrivate\(Default) = {08244EE6-92F0-47f2-9FC9-929BAA2E7235}
-> {HKLM…Wow…CLSID} = Sharing Overlay (Private)
\InProcServer32\(Default) = C:\Windows\system32\ntshrui.dll [MS]

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

{00C6D95F-329C-409a-81D7-C46C66EA7F33} = (no title provided)
-> {HKLM…CLSID} = DefaultLocation
\InProcServer32\(Default) = C:\Windows\System32\shdocvw.dll [MS]

{80009818-f38f-4af1-87b5-eadab9433e58} = MF ADTS Property Handler
-> {HKLM…CLSID} = MF ADTS Property Handler
\InProcServer32\(Default) = C:\Windows\System32\mf.dll [MS]

{08165EA0-E946-11CF-9C87-00AA005127ED} = WebCheckWebCrawler
-> {HKLM…CLSID} = WebCheckWebCrawler
\InProcServer32\(Default) = C:\Windows\System32\webcheck.dll [MS]

{F5175861-2688-11d0-9C5E-00AA00A45957} = Subscription Folder
-> {HKLM…CLSID} = Subscription Folder
\InProcServer32\(Default) = C:\Windows\System32\webcheck.dll [MS]

{7D559C10-9FE9-11d0-93F7-00AA0059CE02} = Code Download Agent
-> {HKLM…CLSID} = Code Download Agent
\InProcServer32\(Default) = C:\Windows\System32\webcheck.dll [MS]

{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} = Subscription Mgr
-> {HKLM…CLSID} = Subscription Mgr
\InProcServer32\(Default) = C:\Windows\System32\webcheck.dll [MS]

{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} = WebCheck SyncMgr Handler
-> {HKLM…CLSID} = WebCheck SyncMgr Handler
\InProcServer32\(Default) = C:\Windows\System32\webcheck.dll [MS]

{d6044399-0b9e-4084-a9ac-c4b7c7800fcf} = FolderItem
-> {HKLM…CLSID} = ASUS WebStorage Drive
\InProcServer32\(Default) = mscoree.dll [MS]

{b1b96b20-da1d-4a3c-92c1-7229b32f2325} = BackupContextMenuExtension
-> {HKLM…CLSID} = XPClient.FileSystemBrowser.BackupContextMenuExtension.BackupContextMenuExtension
\InProcServer32\(Default) = mscoree.dll [MS]

{0066D4B3-8DE0-4D08-AA83-EDD50E2431F0} = ELAN Control Panel
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = C:\Program Files\Elantech\ETDMcpl.dll [ELAN Microelectronics Corp.]

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

{00C6D95F-329C-409a-81D7-C46C66EA7F33} = (no title provided)
-> {HKLM…Wow…CLSID} = DefaultLocation
\InProcServer32\(Default) = C:\Windows\System32\shdocvw.dll [MS]

{80009818-f38f-4af1-87b5-eadab9433e58} = MF ADTS Property Handler
-> {HKLM…Wow…CLSID} = MF ADTS Property Handler
\InProcServer32\(Default) = C:\Windows\System32\mf.dll [MS]

{08165EA0-E946-11CF-9C87-00AA005127ED} = WebCheckWebCrawler
-> {HKLM…Wow…CLSID} = WebCheckWebCrawler
\InProcServer32\(Default) = C:\Windows\SysWOW64\webcheck.dll [MS]

{F5175861-2688-11d0-9C5E-00AA00A45957} = Subscription Folder
-> {HKLM…Wow…CLSID} = Subscription Folder
\InProcServer32\(Default) = C:\Windows\SysWOW64\webcheck.dll [MS]

{7D559C10-9FE9-11d0-93F7-00AA0059CE02} = Code Download Agent
-> {HKLM…Wow…CLSID} = Code Download Agent
\InProcServer32\(Default) = C:\Windows\SysWOW64\webcheck.dll [MS]

{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} = Subscription Mgr
-> {HKLM…Wow…CLSID} = Subscription Mgr
\InProcServer32\(Default) = C:\Windows\SysWOW64\webcheck.dll [MS]

{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} = WebCheck SyncMgr Handler
-> {HKLM…Wow…CLSID} = WebCheck SyncMgr Handler
\InProcServer32\(Default) = C:\Windows\SysWOW64\webcheck.dll [MS]

{00F33137-EE26-412F-8D71-F84E4C2C6625} = (no title provided)
-> {HKLM…Wow…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim
\InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS]

{00F346CB-35A4-465B-8B8F-65A29DBAB1F6} = Windows Live Photo Gallery Viewer Drop Target Shim
-> {HKLM…Wow…CLSID} = Windows Live Photo Gallery Viewer Shim
\InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS]

{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} = Windows Live Photo Gallery Editor Drop Target Shim
-> {HKLM…Wow…CLSID} = Windows Live Photo Gallery Editor Shim
\InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS]

{00F30F90-3E96-453B-AFCD-D71989ECC2C7} = Windows Live Photo Gallery Autoplay Drop Target Shim
-> {HKLM…Wow…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim
\InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DeviceNotificationCallbacks\

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\DeviceNotificationCallbacks\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

HKCU\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

HKCU\Software\Microsoft\Command Processor\
AutoRun = (name not found)

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
Shell = (name not found)

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell = (name not found)

HKLM\SOFTWARE\Microsoft\Command Processor\
AutoRun = (name not found)

HKLM\Wow6432Node\Software\Microsoft\Command Processor\
AutoRun = (name not found)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
AppInit_DLLs = (empty string)

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\
AppInit_DLLs = (empty string)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
IconServiceLib = IconCodecService.dll [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
GinaDLL = (name not found)
Shell = explorer.exe [MS]
System = (name not found)
Taskman = (name not found)
Userinit = C:\Windows\system32\userinit.exe, [MS]
VmApplet = SystemPropertiesPerformance.exe /pagefile

HKLM\SYSTEM\CurrentControlSet\Control\ServiceControlManagerExtension
ServiceControlManagerExtension = C:\Windows\system32\scext.dll [MS]

HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\
ImagePath = (name not found)

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
Authentication Packages = msv1_0

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
Notification Packages = scecli

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> (livessp [MS]) Security Packages = kerberos|msv1_0|schannel|wdigest|tspkg|pku2u|livessp

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option\
UseAlternateShell = (name not found)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
AlternateShell = cmd.exe [MS]

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
SecurityProviders = credssp.dll

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
BootExecute = autocheck autochk *
Execute = (name not found)
SetupExecute = (value not set)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\

{DDC0EED2-ADBE-40b6-A217-EDE16A79A0DE}\(Default) = GenericFilter
-> {HKLM…CLSID} = GenericFilter
\InProcServer32\(Default) = C:\Windows\system32\authui.dll [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\

{06FE45A8-6D92-44ba-A0F1-9A9BCDC8F5A7}\(Default) = FaceCredentialProvider64
-> {HKLM…CLSID} = FaceCredentialProvider64
\InProcServer32\(Default) = C:\Program Files (x86)\ASUS\FaceLogon\system\FaceCredentialProvider64.dll [ASUS]

{25CBB996-92ED-457e-B28C-4774084BD562}\(Default) = GenericProvider
-> {HKLM…CLSID} = GenericProvider
\InProcServer32\(Default) = C:\Windows\system32\authui.dll [MS]

{3dd6bec0-8193-4ffe-ae25-e08e39ea4063}\(Default) = NPProvider
-> {HKLM…CLSID} = NPProvider
\InProcServer32\(Default) = C:\Windows\system32\authui.dll [MS]

{503739d0-4c5e-4cfd-b3ba-d881334f0df2}\(Default) = VaultCredProvider
-> {HKLM…CLSID} = VaultCredProvider
\InProcServer32\(Default) = C:\Windows\System32\VaultCredProvider.dll [MS]

{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}\(Default) = PasswordProvider
-> {HKLM…CLSID} = PasswordProvider
\InProcServer32\(Default) = C:\Windows\system32\authui.dll [MS]

{8bf9a910-a8ff-457f-999f-a5ca10b4a885}\(Default) = Smartcard Credential Provider
-> {HKLM…CLSID} = Smartcard Credential Provider
\InProcServer32\(Default) = SmartcardCredentialProvider.dll [MS]

{94596c7e-3744-41ce-893e-bbf09122f76a}\(Default) = Smartcard Pin Provider
-> {HKLM…CLSID} = Smartcard Pin Provider
\InProcServer32\(Default) = SmartcardCredentialProvider.dll [MS]

{AC3AC249-E820-4343-A65B-377AC634DC09}\(Default) = WinBio Credential Provider
-> {HKLM…CLSID} = WinBio Credential Provider
\InProcServer32\(Default) = C:\Windows\System32\BioCredProv.dll [MS]

{e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}\(Default) = CertCredProvider
-> {HKLM…CLSID} = CCertProvider
\InProcServer32\(Default) = C:\Windows\system32\certCredProvider.dll [MS]

{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}\(Default) = WLIDCredentialProvider
-> {HKLM…CLSID} = WLIDCredentialProvider
\InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDCREDPROV.DLL [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\

{5537E283-B1E7-4EF8-9C6E-7AB0AFE5056D}\(Default) = RasProvider
-> {HKLM…CLSID} = CRasProvider
\InProcServer32\(Default) = C:\Windows\system32\rasplap.dll [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon\

HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\

HKCU\Software\Classes\PROTOCOLS\Filter\

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

application/octet-stream\CLSID = {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
-> {HKLM…CLSID} = Cor MIME Filter, CorFltr, CorFltr 1
\InProcServer32\(Default) = mscoree.dll [MS]

application/x-complus\CLSID = {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
-> {HKLM…CLSID} = Cor MIME Filter, CorFltr, CorFltr 1
\InProcServer32\(Default) = mscoree.dll [MS]

application/x-msdownload\CLSID = {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
-> {HKLM…CLSID} = Cor MIME Filter, CorFltr, CorFltr 1
\InProcServer32\(Default) = mscoree.dll [MS]

HKCU\Software\Classes\PROTOCOLS\Handler\

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\

about\CLSID = {3050F406-98B5-11CF-BB82-00AA00BDCE0B}
-> {HKLM…CLSID} = Microsoft HTML About Pluggable Protocol
\InProcServer32\(Default) = C:\Windows\System32\mshtml.dll [MS]

cdl\CLSID = {3dd53d40-7b8b-11D0-b013-00aa0059ce02}
-> {HKLM…CLSID} = CDL: Asychronous Pluggable Protocol Handler
\InProcServer32\(Default) = C:\Windows\system32\urlmon.dll [MS]

dvd\CLSID = {12D51199-0DB5-46FE-A120-47A3D7D937CC}
-> {HKLM…CLSID} = DVD: Pluggable Protocol
\InProcServer32\(Default) = C:\Windows\System32\msvidctl.dll [MS]

file\CLSID = {79eac9e7-baf9-11ce-8c82-00aa004ba90b}
-> {HKLM…CLSID} = file:, local: Asychronous Pluggable Protocol Handler
\InProcServer32\(Default) = C:\Windows\system32\urlmon.dll [MS]

ftp\CLSID = {79eac9e3-baf9-11ce-8c82-00aa004ba90b}
-> {HKLM…CLSID} = ftp: Asychronous Pluggable Protocol Handler
\InProcServer32\(Default) = C:\Windows\system32\urlmon.dll [MS]

http\CLSID = {79eac9e2-baf9-11ce-8c82-00aa004ba90b}
-> {HKLM…CLSID} = http: Asychronous Pluggable Protocol Handler
\InProcServer32\(Default) = C:\Windows\system32\urlmon.dll [MS]

https\CLSID = {79eac9e5-baf9-11ce-8c82-00aa004ba90b}
-> {HKLM…CLSID} = https: Asychronous Pluggable Protocol Handler
\InProcServer32\(Default) = C:\Windows\system32\urlmon.dll [MS]

its\CLSID = {9D148291-B9C8-11D0-A4CC-0000F80149F6}
-> {HKLM…CLSID} = Microsoft InfoTech Protocols for IE 4.0
\InProcServer32\(Default) = C:\Windows\System32\itss.dll [MS]

javascript\CLSID = {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}
-> {HKLM…CLSID} = Microsoft HTML Javascript Pluggable Protocol
\InProcServer32\(Default) = C:\Windows\System32\mshtml.dll [MS]

local\CLSID = {79eac9e7-baf9-11ce-8c82-00aa004ba90b}
-> {HKLM…CLSID} = file:, local: Asychronous Pluggable Protocol Handler
\InProcServer32\(Default) = C:\Windows\system32\urlmon.dll [MS]

mailto\CLSID = {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B}
-> {HKLM…CLSID} = Microsoft HTML Mailto Pluggable Protocol
\InProcServer32\(Default) = C:\Windows\System32\mshtml.dll [MS]

mhtml\CLSID = {05300401-BCBC-11d0-85E3-00C04FD85AB4}
-> {HKLM…CLSID} = MHTML Asynchronous Pluggable Protocol Handler
\InProcServer32\(Default) = C:\Windows\system32\inetcomm.dll [MS]

mk\CLSID = {79eac9e6-baf9-11ce-8c82-00aa004ba90b}
-> {HKLM…CLSID} = mk: Asychronous Pluggable Protocol Handler
\InProcServer32\(Default) = C:\Windows\system32\urlmon.dll [MS]

ms-its\CLSID = {9D148291-B9C8-11D0-A4CC-0000F80149F6}
-> {HKLM…CLSID} = Microsoft InfoTech Protocols for IE 4.0
\InProcServer32\(Default) = C:\Windows\System32\itss.dll [MS]

res\CLSID = {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
-> {HKLM…CLSID} = Microsoft HTML Resource Pluggable Protocol
\InProcServer32\(Default) = C:\Windows\System32\mshtml.dll [MS]

tv\CLSID = {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
-> {HKLM…CLSID} = TV: Pluggable Protocol
\InProcServer32\(Default) = C:\Windows\System32\msvidctl.dll [MS]

vbscript\CLSID = {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}
-> {HKLM…CLSID} = Microsoft HTML Javascript Pluggable Protocol
\InProcServer32\(Default) = C:\Windows\System32\mshtml.dll [MS]

HKCU\Software\Classes\*\shellex\ColumnHandlers\

HKLM\SOFTWARE\Classes\*\shellex\ColumnHandlers\

HKLM\Wow3264Node\Software\Classes\*\shellex\ColumnHandlers\

HKCU\Software\Classes\*\shellex\ContextMenuHandlers\

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

BriefcaseMenu\(Default) = {85BBD920-42A0-1069-A2E4-08002B30309D}
-> {HKLM…CLSID} = Briefcase
\InProcServer32\(Default) = C:\Windows\system32\syncui.dll [MS]

BUContextMenu\(Default) = {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\buShell.dll [Symantec Corporation]

FormatFactoryShell\(Default) = {A3777921-CFD3-4A6B-89BF-08E6B95716E8}
-> {HKLM…CLSID} = FormatFactoryShell
\InProcServer32\(Default) = C:\Program Files (x86)\FreeTime\FormatFactory\ShellEx64_100.dll [Free Time]

Open With\(Default) = {09799AFB-AD67-11d1-ABCD-00C04FC30936}
-> {HKLM…CLSID} = Open With Context Menu Handler
\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

Open With EncryptionMenu\(Default) = {A470F8CF-A1E8-4f65-8335-227475AA5C46}
-> {HKLM…CLSID} = Encryption Context Menu
\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

Sharing\(Default) = {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}
-> {HKLM…CLSID} = Shell extensions for sharing
\InProcServer32\(Default) = C:\Windows\system32\ntshrui.dll [MS]

Symantec.Norton.Antivirus.IEContextMenu\(Default) = {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}
-> {HKLM…CLSID} = IEContextMenu Class
\InProcServer32\(Default) = "C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\NavShExt.dll" [Symantec Corporation]

{90AA3A4E-1CBA-4233-B8BB-535773D48449}\(Default) = Taskband Pin
-> {HKLM…CLSID} = Taskband Pin
\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}\(Default) = Start Menu Pin
-> {HKLM…CLSID} = Start Menu Pin
\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

HKLM\Wow3264Node\Software\Classes\*\shellex\ContextMenuHandlers\

HKCU\Software\Classes\*\shellex\CopyHookHandlers\

HKLM\SOFTWARE\Classes\*\shellex\CopyHookHandlers\

HKLM\Wow3264Node\Software\Classes\*\shellex\CopyHookHandlers\

HKCU\Software\Classes\*\shellex\DragDropHandlers\

HKLM\SOFTWARE\Classes\*\shellex\DragDropHandlers\

HKLM\Wow3264Node\Software\Classes\*\shellex\DragDropHandlers\

HKCU\Software\Classes\*\shellex\PropertySheetHandlers\

HKLM\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\

BriefcasePage\(Default) = {85BBD920-42A0-1069-A2E4-08002B30309D}
-> {HKLM…CLSID} = Briefcase
\InProcServer32\(Default) = C:\Windows\system32\syncui.dll [MS]

BuPropertySheet\(Default) = {B59987EA-25FE-44B4-8802-E4DE67073D8C}
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\buShell.dll [Symantec Corporation]

CryptoSignMenu\(Default) = {7444C719-39BF-11D1-8CD9-00C04FC29D45}
-> {HKLM…CLSID} = CryptSig Class
\InProcServer32\(Default) = C:\Windows\system32\cryptext.dll [MS]

{1f2e5c40-9550-11ce-99d2-00aa006e086c}\(Default) = (no title provided)
-> {HKLM…CLSID} = Security Shell Extension
\InProcServer32\(Default) = C:\Windows\system32\rshx32.dll [MS]

{3EA48300-8CF6-101B-84FB-666CCB9BCD32}\(Default) = OLE DocFile Property Page
-> {HKLM…CLSID} = OLE Docfile Property Page
\InProcServer32\(Default) = C:\Windows\system32\docprop.dll [MS]

{883373C3-BF89-11D1-BE35-080036B11A03}\(Default) = Summary Properties Page
-> {HKLM…CLSID} = Summary Properties Page
\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

HKLM\Wow3264Node\Software\Classes\*\shellex\PropertySheetHandlers\

HKCU\Software\Classes\AllFilesystemObjects\shellex\ColumnHandlers\

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ColumnHandlers\

HKLM\Wow3264Node\Software\Classes\AllFilesystemObjects\shellex\ColumnHandlers\

HKCU\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

BackupContextMenuExtension\(Default) = {b1b96b20-da1d-4a3c-92c1-7229b32f2325}
-> {HKLM…CLSID} = XPClient.FileSystemBrowser.BackupContextMenuExtension.BackupContextMenuExtension
\InProcServer32\(Default) = mscoree.dll [MS]

CopyAsPathMenu\(Default) = {f3d06e7c-1e45-4a26-847e-f9fcdee59be0}
-> {HKLM…CLSID} = Copy as Path Menu
\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

MBAMShlExt\(Default) = {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
-> {HKLM…CLSID} = MBAMShlExt Class
\InProcServer32\(Default) = C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll [Malwarebytes Corporation]

SendTo\(Default) = {7BA4C740-9E81-11CF-99D3-00AA004AE837}
-> {HKLM…CLSID} = Microsoft SendTo Service
\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

{596AB062-B4D2-4215-9F74-E9109B0A8153}\(Default) = (no title provided)
-> {HKLM…CLSID} = Previous Versions Property Page
\InProcServer32\(Default) = C:\Windows\system32\twext.dll [MS]

HKLM\Wow3264Node\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

HKCU\Software\Classes\AllFilesystemObjects\shellex\CopyHookHandlers\

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\CopyHookHandlers\

HKLM\Wow3264Node\Software\Classes\AllFilesystemObjects\shellex\CopyHookHandlers\

HKCU\Software\Classes\AllFilesystemObjects\shellex\DragDropHandlers\

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\DragDropHandlers\

HKLM\Wow3264Node\Software\Classes\AllFilesystemObjects\shellex\DragDropHandlers\

HKCU\Software\Classes\AllFilesystemObjects\shellex\PropertySheetHandlers\

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\PropertySheetHandlers\

PropertySheetExtension1\(Default) = {506d8021-4fcf-446f-bf22-2ad5c3c28109}
-> {HKLM…CLSID} = XPClient.FileSystemBrowser.PropertySheetExtension.PropertySheetExtension1
\InProcServer32\(Default) = mscoree.dll [MS]

{596AB062-B4D2-4215-9F74-E9109B0A8153}\(Default) = (no title provided)
-> {HKLM…CLSID} = Previous Versions Property Page
\InProcServer32\(Default) = C:\Windows\system32\twext.dll [MS]

HKLM\Wow3264Node\Software\Classes\AllFilesystemObjects\shellex\PropertySheetHandlers\

HKCU\Software\Classes\Directory\shellex\ColumnHandlers\

HKLM\SOFTWARE\Classes\Directory\shellex\ColumnHandlers\

HKLM\Wow3264Node\Software\Classes\Directory\shellex\ColumnHandlers\

HKCU\Software\Classes\Directory\shellex\ContextMenuHandlers\

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

EncryptionMenu\(Default) = {A470F8CF-A1E8-4f65-8335-227475AA5C46}
-> {HKLM…CLSID} = Encryption Context Menu
\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

FormatFactoryShell\(Default) = {A3777921-CFD3-4A6B-89BF-08E6B95716E8}
-> {HKLM…CLSID} = FormatFactoryShell
\InProcServer32\(Default) = C:\Program Files (x86)\FreeTime\FormatFactory\ShellEx64_100.dll [Free Time]

Sharing\(Default) = {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}
-> {HKLM…CLSID} = Shell extensions for sharing
\InProcServer32\(Default) = C:\Windows\system32\ntshrui.dll [MS]

{596AB062-B4D2-4215-9F74-E9109B0A8153}\(Default) = (no title provided)
-> {HKLM…CLSID} = Previous Versions Property Page
\InProcServer32\(Default) = C:\Windows\system32\twext.dll [MS]

HKLM\Wow3264Node\Software\Classes\Directory\shellex\ContextMenuHandlers\

HKCU\Software\Classes\Directory\shellex\CopyHookHandlers\

HKLM\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\

FileSystem\(Default) = {217FC9C0-3AEA-1069-A2DB-08002B30309D}
-> {HKLM…CLSID} = Shell Copy Hook
\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

Sharing\(Default) = {40dd6e20-7c17-11ce-a804-00aa003ca9f6}
-> {HKLM…CLSID} = Shell extensions for sharing
\InProcServer32\(Default) = C:\Windows\system32\ntshrui.dll [MS]

HKLM\Wow3264Node\Software\Classes\Directory\shellex\CopyHookHandlers\

HKCU\Software\Classes\Directory\shellex\DragDropHandlers\

HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\

HKLM\Wow3264Node\Software\Classes\Directory\shellex\DragDropHandlers\

HKCU\Software\Classes\Directory\shellex\PropertySheetHandlers\

HKLM\SOFTWARE\Classes\Directory\shellex\PropertySheetHandlers\

Sharing\(Default) = {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}
-> {HKLM…CLSID} = Shell extensions for sharing
\InProcServer32\(Default) = C:\Windows\system32\ntshrui.dll [MS]

{1f2e5c40-9550-11ce-99d2-00aa006e086c}\(Default) = (no title provided)
-> {HKLM…CLSID} = Security Shell Extension
\InProcServer32\(Default) = C:\Windows\system32\rshx32.dll [MS]

{4a7ded0a-ad25-11d0-98a8-0800361b1103}\(Default) = (no title provided)
-> {HKLM…CLSID} = MyFolder menu and properties
\InProcServer32\(Default) = C:\Windows\system32\mydocs.dll [MS]

{596AB062-B4D2-4215-9F74-E9109B0A8153}\(Default) = (no title provided)
-> {HKLM…CLSID} = Previous Versions Property Page
\InProcServer32\(Default) = C:\Windows\system32\twext.dll [MS]

{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}\(Default) = (no title provided)
-> {HKLM…CLSID} = DfsShell Class
\InProcServer32\(Default) = C:\Windows\system32\DfsShlEx.dll [MS]

{ef43ecfe-2ab9-4632-bf21-58909dd177f0}\(Default) = (no title provided)
-> {HKLM…CLSID} = Folder Customization Tab
\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

HKLM\Wow3264Node\Software\Classes\Directory\shellex\PropertySheetHandlers\

HKCU\Software\Classes\Directory\Background\shellex\ColumnHandlers\

HKLM\SOFTWARE\Classes\Directory\Background\shellex\ColumnHandlers\

HKLM\Wow3264Node\Software\Classes\Directory\Background\shellex\ColumnHandlers\

HKCU\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\

HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\

Gadgets\(Default) = {6B9228DA-9C15-419e-856C-19E768A13BDC}
-> {HKLM…CLSID} = Windows Desktop Gadgets
\InProcServer32\(Default) = C:\Program Files\Windows Sidebar\sbdrop.dll [MS]

igfxcui\(Default) = {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}
-> {HKLM…CLSID} = GraphicsShellExt Class
\InProcServer32\(Default) = C:\Windows\system32\igfxpph.dll [Intel Corporation]

New\(Default) = {D969A300-E7FF-11d0-A93B-00A0C90F2719}
-> {HKLM…CLSID} = New Menu Handler
\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

Sharing\(Default) = {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}
-> {HKLM…CLSID} = Shell extensions for sharing
\InProcServer32\(Default) = C:\Windows\system32\ntshrui.dll [MS]

HKLM\Wow3264Node\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\

HKCU\Software\Classes\Directory\Background\shellex\CopyHookHandlers\

HKLM\SOFTWARE\Classes\Directory\Background\shellex\CopyHookHandlers\

HKLM\Wow3264Node\Software\Classes\Directory\Background\shellex\CopyHookHandlers\

HKCU\Software\Classes\Directory\Background\shellex\DragDropHandlers\

HKLM\SOFTWARE\Classes\Directory\Background\shellex\DragDropHandlers\

HKLM\Wow3264Node\Software\Classes\Directory\Background\shellex\DragDropHandlers\

HKCU\Software\Classes\Directory\Background\shellex\PropertySheetHandlers\

HKLM\SOFTWARE\Classes\Directory\Background\shellex\PropertySheetHandlers\

HKLM\Wow3264Node\Software\Classes\Directory\Background\shellex\PropertySheetHandlers\

HKCU\Software\Classes\Folder\shellex\ColumnHandlers\

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

HKLM\Wow3264Node\Software\Classes\Folder\shellex\ColumnHandlers\

HKCU\Software\Classes\Folder\shellex\ContextMenuHandlers\

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

BriefcaseMenu\(Default) = {85BBD920-42A0-1069-A2E4-08002B30309D}
-> {HKLM…CLSID} = Briefcase
\InProcServer32\(Default) = C:\Windows\system32\syncui.dll [MS]

BUContextMenu\(Default) = {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\buShell.dll [Symantec Corporation]

Library Location\(Default) = {3dad6c5d-2167-4cae-9914-f99e41c12cfa}
-> {HKLM…CLSID} = Include In Library Sub Context Menu
\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

MBAMShlExt\(Default) = {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
-> {HKLM…CLSID} = MBAMShlExt Class
\InProcServer32\(Default) = C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll [Malwarebytes Corporation]

Symantec.Norton.Antivirus.IEContextMenu\(Default) = {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}
-> {HKLM…CLSID} = IEContextMenu Class
\InProcServer32\(Default) = "C:\Program Files (x86)\Norton 360\Engine64\20.2.0.19\NavShExt.dll" [Symantec Corporation]

HKLM\Wow3264Node\Software\Classes\Folder\shellex\ContextMenuHandlers\

HKCU\Software\Classes\Folder\shellex\CopyHookHandlers\

HKLM\SOFTWARE\Classes\Folder\shellex\CopyHookHandlers\

HKLM\Wow3264Node\Software\Classes\Folder\shellex\CopyHookHandlers\

HKCU\Software\Classes\Folder\shellex\DragDropHandlers\

HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\

{BD472F60-27FA-11cf-B8B4-444553540000}\(Default) = (no title provided)
-> {HKLM…CLSID} = Compressed (zipped) Folder Right Drag Handler
\InProcServer32\(Default) = C:\Windows\system32\zipfldr.dll [MS]

HKLM\Wow3264Node\Software\Classes\Folder\shellex\DragDropHandlers\

HKCU\Software\Classes\Folder\shellex\PropertySheetHandlers\

HKLM\SOFTWARE\Classes\Folder\shellex\PropertySheetHandlers\

BriefcasePage\(Default) = {85BBD920-42A0-1069-A2E4-08002B30309D}
-> {HKLM…CLSID} = Briefcase
\InProcServer32\(Default) = C:\Windows\system32\syncui.dll [MS]

HKLM\Wow3264Node\Software\Classes\Folder\shellex\PropertySheetHandlers\


Default executables:
--------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\UserChoice\

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\UserChoice\

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\UserChoice\

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice\

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\UserChoice\

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\UserChoice\

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\UserChoice\

HKLM\SOFTWARE\Classes\.bat\(Default) = batfile
HKLM\SOFTWARE\Classes\batfile\shell\open\command\(Default) = "%1" %*

HKLM\SOFTWARE\Classes\.cmd\(Default) = cmdfile
HKLM\SOFTWARE\Classes\cmdfile\shell\open\command\(Default) = "%1" %*

HKLM\SOFTWARE\Classes\.com\(Default) = comfile
HKLM\SOFTWARE\Classes\comfile\shell\open\command\(Default) = "%1" %*

HKLM\SOFTWARE\Classes\.exe\(Default) = exefile
HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = "%1" %*

HKLM\SOFTWARE\Classes\.hta\(Default) = htafile
HKLM\SOFTWARE\Classes\htafile\shell\open\command\(Default) = C:\Windows\SysWOW64\mshta.exe "%1" %*

HKLM\SOFTWARE\Classes\.pif\(Default) = piffile
HKLM\SOFTWARE\Classes\piffile\shell\open\command\(Default) = "%1" %*

HKLM\SOFTWARE\Classes\.scr\(Default) = scrfile
HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = "%1" /S


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

NoDriveAutoRun = (REG_DWORD) dword:0x00000020
{Turn off autoplay for drive letter}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

NoActiveDesktop = (REG_DWORD) dword:0x00000001
{not in GPedit.msc under Computer Configuration|
Disable Active Desktop and prevent users from enabling it}

ForceActiveDesktopOn = (REG_DWORD) dword:0x00000000
{not in GPedit.msc under Computer Configuration|
Enable Active Desktop and prevent users from disabling it}

NoDriveTypeAutoRun = (REG_DWORD) dword:0x000000FF
{Computer Configuration|Administrative Templates|Windows Components|AutoPlay Policies|
Turn off Autoplay}

NoDriveAutoRun = (REG_DWORD) dword:0x03FFFFFF
{Turn off autoplay for drive letter}

HonorAutorunSetting = (REG_DWORD) dword:0x00000001
{not in GPedit.msc|
Per MSKB 967715, enable Autorun settings in Hotfixes 950582, 967715, and 953252}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\

HKCU\Software\Policies\Microsoft\Internet Explorer\Download\

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Download\

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

HKCU\Software\Policies\Microsoft\Internet Explorer\Main\

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\

HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\

HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter\

HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy\

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy\

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions\

HKCU\Software\Policies\Microsoft\Internet Explorer\Security\

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Security\

HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbar\

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Toolbar\

HKCU\Software\Policies\Microsoft\MMC\{0E752416-F29E-4195-A9DD-7F0D4D5A9D71}\

HKCU\Software\Policies\Microsoft\MMC\{0F3621F1-23C6-11D1-AD97-00AA00B88E5A}\

HKCU\Software\Policies\Microsoft\MMC\{0F6B957D-509E-11D1-A7CC-0000F87571E3}\

HKCU\Software\Policies\Microsoft\MMC\{0F6B957E-509E-11D1-A7CC-0000F87571E3}\

HKCU\Software\Policies\Microsoft\MMC\{394C052E-B830-11D0-9A86-00C04FD8DBF7}\

HKCU\Software\Policies\Microsoft\MMC\{58221C66-EA27-11CF-ADCF-00AA00A80033}\

HKCU\Software\Policies\Microsoft\MMC\{58221C67-EA27-11CF-ADCF-00AA00A80033}\

HKCU\Software\Policies\Microsoft\MMC\{5D6179C8-17EC-11D1-9AA9-00C04FD8FE93}\

HKCU\Software\Policies\Microsoft\MMC\{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}\

HKCU\Software\Policies\Microsoft\MMC\{84DE202D-5D95-4764-9014-A46F994CE856}\

HKCU\Software\Policies\Microsoft\MMC\{84DE202E-5D95-4764-9014-A46F994CE856}\

HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}\

HKCU\Software\Policies\Microsoft\MMC\{975797FC-4E2A-11D0-B702-00C04FD8DBF7}\

HKCU\Software\Policies\Microsoft\MMC\{D02B1F72-3407-48ae-BA88-E8213C6761F1}\

HKCU\Software\Policies\Microsoft\MMC\{D02B1F73-3407-48ae-BA88-E8213C6761F1}\

HKCU\Software\Policies\Microsoft\MMC\{E12BBB5D-D59D-4E61-947A-301D25AE8C23}\

HKCU\Software\Policies\Microsoft\MMC\{FC715823-C5FB-11D1-9EEF-00A0C90347FF}\

HKCU\Software\Policies\Microsoft\MMC\FX:{b05566ac-fe9c-4368-be02-7a4cbb7cbe11}\

HKCU\Software\Policies\Microsoft\MMC\FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510}\

HKCU\Software\Policies\Microsoft\MMC\FX:{b05566ae-fe9c-4363-be05-7a4cbb7cb510}\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\

HKCU\Software\Policies\Microsoft\Windows\Network Connections\

HKCU\Software\Policies\Microsoft\Windows\System\

HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

HKLM\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler5.0\

HKCU\Software\Policies\Microsoft\Windows Defender\

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\

HKCU\Software\Policies\Microsoft\Windows Defender\Real-time Protection\

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\

HKCU\Software\Policies\Microsoft\Windows\Windows Error Reporting\

HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

ConsentPromptBehaviorAdmin = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

ConsentPromptBehaviorUser = (REG_DWORD) dword:0x00000003
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}
 
EnableInstallerDetection = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

EnableLUA = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

EnableSecureUIAPaths = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}

EnableUIADesktopToggle = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Allow UIAcess applications to prompt for elevation without using the secure desktop}

EnableVirtualization = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}

PromptOnSecureDesktop = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}

ValidateAdminCodeSignatures = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate executables that are signed and validated}

dontdisplaylastusername = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Interactive logon: Do not display last user name}

legalnoticecaption = (REG_SZ) (empty string)
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Interactive logon: Message title for users attempting to log on}

legalnoticetext = (REG_SZ) (empty string)
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Interactive logon: Message text for users attempting to log on}

scforceoption = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Interactive logon: Require smart card}

shutdownwithoutlogon = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

undockwithoutlogon = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

FilterAdministratorToken = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
Wallpaper = C:\Users\Sad0r\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

Active Desktop web content (hidden if disabled):

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
SCRNSAVE.EXE = C:\Windows\system32\Bubbles.scr [MS]


IniFileMapping Pointers to .INI Files:
--------------------------------------

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\

System.ini\
drivers32 = SYS:Microsoft\Windows NT\CurrentVersion\Drivers32

system.ini\boot\
(Default) = SYS:Microsoft\Windows NT\CurrentVersion\WOW\boot
SCRNSAVE.EXE = USR:Control Panel\Desktop
Shell = SYS:Microsoft\Windows NT\CurrentVersion\Winlogon

win.ini\
Winlogon = SYS:Microsoft\Windows NT\CurrentVersion\Winlogon
AeDebug = SYS:Microsoft\Windows NT\CurrentVersion\AeDebug
Devices = USR:Software\Microsoft\Windows NT\CurrentVersion\Devices

win.ini\Windows\
(Default) = USR:Software\Microsoft\Windows NT\CurrentVersion\Windows
APPINIT_DLLS = SYS:MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

ArcSoftVideoCameraArrival\
Provider = ArcSoft ShowBiz DVD 2
ProgID = Shell.HWEventHandlerShellExecute
InitCmdLine = C:\PROGRA~2\ArcSoft\SHOWBI~1\showbiz.exe /capture
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}
-> {HKLM…CLSID} = Shell Execute Hardware Event Handler
\LocalServer32\(Default) = C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]

DVDDecrypterPlayDVDMovieOnArrival\
Provider = DVD Decrypter
InvokeProgID = DVDDecrypter
InvokeVerb = PlayDVDMovieOnArrival_Decrypt
HKLM\SOFTWARE\Classes\DVDDecrypter\shell\PlayDVDMovieOnArrival_Decrypt\Command\(Default) = "C:\Program Files (x86)\DVD Decrypter\DVDDecrypter.exe" /MODE READ /SOURCE "%1" [LIGHTNING UK!]

MagicUSBCable\
Provider = @%windir%\system32\migwiz\wet.dll,-588
CLSID = {0C776A5A-FC42-4870-8D65-D62ADD9184FF}
-> {HKLM…CLSID} = Magic USB Cable Class ID
\LocalServer32\(Default) = MigAutoPlay.exe [MS]

MSCDBurningOnArrival\
Provider = @C:\Windows\system32\shell32.dll,-17417
InvokeProgID = Shell.CDBurn
InvokeVerb = Prepare
HKLM\SOFTWARE\Classes\Shell.CDBurn\shell\Prepare\Command\(Default) = C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,PrepareDiscForBurnRunDll %L [MS]

MSCreateRdbCache\
Provider = @C:\Windows\system32\sysmain.dll,-200
InvokeProgID = RDB.AutoPlayHandler
InvokeVerb = properties
HKLM\SOFTWARE\Classes\RDB.AutoPlayHandler\shell\properties\command\(Default) = C:\Windows\system32\rundll32.exe C:\Windows\system32\sysmain.dll,RDBMgmtLaunchProperties %L [MS]

MSDVDArrivalDvdMaker\
Provider = @C:\Program Files\DVD maker\dvdmaker.exe,-61403
InvokeProgID = DVDMaker.DVD
InvokeVerb = burn
HKLM\SOFTWARE\Classes\DVDMaker.DVD\shell\burn\command\(Default) = "C:\Program Files\DVD Maker\dvdmaker.exe" -drive:%L [MS]

MSEnhancedStorageHandler\
Provider = @C:\Windows\system32\EhStorShell.dll,-106
ProgID = EhStorShell.AutoplayHandler
InitCmdLine = Authorize
HKLM\SOFTWARE\Classes\EhStorShell.AutoplayHandler\CLSID\(Default) = {36F54939-CD3B-4C73-92D5-F9A389ED631C}
-> {HKLM…CLSID} = Enhanced Storage Autoplay Handler Class
\InProcServer32\(Default) = C:\Windows\system32\EhStorShell.dll [MS]

MSLivePhotoAcquireDropHandler\
Provider = @%ProgramFiles(x86)%\Windows Live\Photo Gallery\regres.dll,-10
InvokeProgID = Microsoft.LivePhotoAcqDTShim.1
InvokeVerb = open
HKLM\SOFTWARE\Classes\Microsoft.LivePhotoAcqDTShim.1\shell\open\DropTarget\CLSID = {00F33137-EE26-412F-8D71-F84E4C2C6625}
-> {HKLM…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim
\InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShimx64.dll [MS]

MSLiveShowPicturesOnArrival\
Provider = @%ProgramFiles(x86)%\Windows Live\Photo Gallery\regres.dll,-10
InvokeProgID = Microsoft.Photos.LiveAutoplayShim.1
InvokeVerb = open
HKLM\SOFTWARE\Classes\Microsoft.Photos.LiveAutoplayShim.1\shell\open\DropTarget\CLSID = {00F30F90-3E96-453B-AFCD-D71989ECC2C7}
-> {HKLM…CLSID} = Windows Live Photo Gallery Viewer Autoplay Shim
\InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShimx64.dll [MS]

MSOpenFolder\
Provider = @C:\Windows\system32\shell32.dll,-17411
InvokeProgID = Folder
InvokeVerb = open
HKLM\SOFTWARE\Classes\Folder\shell\open\command\(Default) = C:\Windows\Explorer.exe [MS]

MSPhotoAcqHWEventHandler\
Provider = @C:\Program Files\Windows Photo Viewer\PhotoAcq.dll,-401
ProgID = Microsoft.PhotoAcqHWEventHandler
HKLM\SOFTWARE\Classes\Microsoft.PhotoAcqHWEventHandler\CLSID\(Default) = {00f2b433-44e4-4d88-b2b0-2698a0a91dba}
-> {HKLM…CLSID} = PhotoAcqHWEventHandler
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoAcq.dll",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba} [MS]

MSPhotoAcquireDropHandler\
Provider = @C:\Program Files\Windows Photo Viewer\PhotoAcq.dll,-401
InvokeProgID = Microsoft.PhotoAcqDropTarget.1
InvokeVerb = open
HKLM\SOFTWARE\Classes\Microsoft.PhotoAcqDropTarget.1\shell\open\DropTarget\CLSID = {00f20eb5-8fd6-4d9d-b75e-36801766c8f1}
-> {HKLM…CLSID} = PhotoAcqDropTarget
\InProcServer32\(Default) = C:\Program Files\Windows Photo Viewer\PhotoAcq.dll [MS]

MSPlayCDAudioOnArrival\
Provider = @wmploc.dll,-6502
InvokeProgID = WMP.AudioCD
InvokeVerb = play
HKLM\SOFTWARE\Classes\WMP.AudioCD\shell\play\command\(Default) = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L" [MS]

MSPlayDVDMovieOnArrival\
Provider = @wmploc.dll,-6502
InvokeProgID = WMP.DVD
InvokeVerb = play
HKLM\SOFTWARE\Classes\WMP.DVD\shell\play\command\(Default) = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L" [MS]

MSPlaySuperVideoCDMovieOnArrival\
Provider = @wmploc.dll,-6502
InvokeProgID = WMP.VCD
InvokeVerb = play
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L" [MS]

MSPlayVideoCDMovieOnArrival\
Provider = @wmploc.dll,-6502
InvokeProgID = WMP.VCD
InvokeVerb = play
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L" [MS]

MSPromptEachTime\
Provider = @C:\Windows\system32\shell32.dll,-17411
ProgID = Shell.Autoplay
InitCmdLine = PromptEachTime
HKLM\SOFTWARE\Classes\Shell.Autoplay\CLSID\(Default) = {995C996E-D918-4a8c-A302-45719A6F4EA7}
-> {HKLM…CLSID} = Shell Hardware Mixed Content Handler
\LocalServer32\(Default) = C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} [MS]

MSPromptEachTimeNoContent\
Provider = @C:\Windows\system32\shell32.dll,-17411
ProgID = Shell.Autoplay
InitCmdLine = PromptEachTimeNoContent
HKLM\SOFTWARE\Classes\Shell.Autoplay\CLSID\(Default) = {995C996E-D918-4a8c-A302-45719A6F4EA7}
-> {HKLM…CLSID} = Shell Hardware Mixed Content Handler
\LocalServer32\(Default) = C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} [MS]

MSSdConfigBackup\
Provider = @C:\Windows\system32\sdautoplay.dll,-100
InvokeProgID = SDConfig.AutoPlayHandler
InvokeVerb = config
HKLM\SOFTWARE\Classes\SDConfig.AutoPlayHandler\shell\config\command\(Default) = C:\Windows\system32\sdclt.exe /CONFIGELEV %L [MS]

MSSdRunBackup\
Provider = @C:\Windows\system32\sdautoplay.dll,-100
InvokeProgID = SDRun.AutoPlayHandler
InvokeVerb = run
HKLM\SOFTWARE\Classes\SDRun.AutoPlayHandler\shell\run\command\(Default) = C:\Windows\system32\sdclt.exe /KICKOFFELEV [MS]

MSWcnImportWireless\
Provider = @C:\Windows\system32\wzcdlg.dll,-2102
InvokeProgID = WCN.AutoPlayHandler
InvokeVerb = open
HKLM\SOFTWARE\Classes\WCN.AutoPlayHandler\shell\open\command\(Default) = C:\Windows\system32\rundll32.exe C:\Windows\system32\wzcdlg.dll,ImportFlashProfile %L [MS]

MSWMDMHandler\
Provider = @wmploc.dll,-6502
ProgID = WMP.Device
HKLM\SOFTWARE\Classes\WMP.Device\CLSID\(Default) = {94E03510-31B9-47a0-A44E-E932AC86BB17}
-> {HKLM…CLSID} = Windows Media Player Device Autoplay
\LocalServer32\(Default) = "C:\Program Files\Windows Media Player\wmlaunch.exe" [MS]

MSWMPBurnCDOnArrival\
Provider = @wmploc.dll,-6502
InvokeProgID = WMP.BurnCD
InvokeVerb = Burn
HKLM\SOFTWARE\Classes\WMP.BurnCD\shell\Burn\Command\(Default) = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /Task:CDWrite /Device:"%L" [MS]

MSWPDNetworkConfigHandler\
Provider = @C:\Windows\system32\wpdshext.dll,-503
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
InitCmdLine = /NetworkConfig;rundll32;xwizards.dll,RunWizard {34c219bd-85c1-4338-95e8-788a36901dc2} /z %s
-> {HKLM…CLSID} = WPDShextAutoplay
\LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]

MSWPDShellNamespaceHandler\
Provider = @C:\Windows\system32\wpdshext.dll,-501
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
-> {HKLM…CLSID} = WPDShextAutoplay
\LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]

P2GCDBurningOnArrival\
Provider = Power2Go
InvokeProgID = BlankCD
InvokeVerb = OpenWithPower2Go
HKLM\SOFTWARE\Classes\BlankCD\shell\OpenWithPower2Go\Command\(Default) = "C:\Program Files (x86)\CyberLink\Power2Go\Power2Go.exe" "%L" [CyberLink Corp.]

P2GDVDBurningOnArrival\
Provider = Power2Go
InvokeProgID = BlankDVD
InvokeVerb = OpenWithPower2Go
HKLM\SOFTWARE\Classes\BlankDVD\shell\OpenWithPower2Go\Command\(Default) = "C:\Program Files (x86)\CyberLink\Power2Go\Power2Go.exe" "%L" [CyberLink Corp.]

Power2GoPlayCDAudioOnArrival\
Provider = Power2Go
InvokeProgID = AudioCD
InvokeVerb = PlayWithPower2Go
HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPower2Go\Command\(Default) = "C:\Program Files (x86)\CyberLink\Power2Go\Power2Go.exe" /AudioRipper "%L" [CyberLink Corp.]

PStarterBlankCDArrival\
Provider = Media Suite
InvokeProgID = BlankCD
InvokeVerb = OpenWithPowerStarter
HKLM\SOFTWARE\Classes\BlankCD\shell\OpenWithPowerStarter\Command\(Default) = "C:\Program Files (x86)\CyberLink\Media Suite\PS.exe" "%L" [CyberLink Corp.]

PStarterDVDBurningOnArrival\
Provider = Media Suite
InvokeProgID = BlankDVD
InvokeVerb = OpenWithPowerStarter
HKLM\SOFTWARE\Classes\BlankDVD\shell\OpenWithPowerStarter\Command\(Default) = "C:\Program Files (x86)\CyberLink\Media Suite\PS.exe" "%L" [CyberLink Corp.]

PStarterMixedCDArrival\
Provider = Media Suite
InvokeProgID = MixedContent
InvokeVerb = OpenWithPowerStarter
HKLM\SOFTWARE\Classes\MixedContent\shell\OpenWithPowerStarter\Command\(Default) = "C:\Program Files (x86)\CyberLink\Media Suite\PS.exe" "%L" [CyberLink Corp.]

PStarterMusicFilesArrival\
Provider = Media Suite
InvokeProgID = MusicFiles
InvokeVerb = OpenWithPowerStarter
HKLM\SOFTWARE\Classes\MusicFiles\shell\OpenWithPowerStarter\Command\(Default) = "C:\Program Files (x86)\CyberLink\Media Suite\PS.exe" "%L" [CyberLink Corp.]

PStarterPicturesArrival\
Provider = Media Suite
InvokeProgID = Picture
InvokeVerb = OpenWithPowerStarter
HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerStarter\Command\(Default) = "C:\Program Files (x86)\CyberLink\Media Suite\PS.exe" "%L" [CyberLink Corp.]

PStarterVideoFilesArrival\
Provider = Media Suite
InvokeProgID = VideoFiles
InvokeVerb = OpenWithPowerStarter
HKLM\SOFTWARE\Classes\VideoFiles\shell\OpenWithPowerStarter\Command\(Default) = "C:\Program Files (x86)\CyberLink\Media Suite\PS.exe" "%L" [CyberLink Corp.]

VLCPlayCDAudioOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.CDAudio
InvokeVerb = play
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file cdda://%1 [the VideoLAN Team]

VLCPlayDVDMovieOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.DVDMovie
InvokeVerb = play
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file dvd://%1 [the VideoLAN Team]


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

C:\$Recycle.Bin\S-1-5-21-3254260356-3574314768-983753981-1000\DESKTOP.INI
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

C:\$Recycle.Bin\S-1-5-21-3254260356-3574314768-983753981-500\DESKTOP.INI
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]

C:\Users\Sad0r\AppData\Local\History\DESKTOP.INI
[.ShellClassInfo]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Users\Sad0r\AppData\Local\Microsoft\Windows\History\DESKTOP.INI
[.ShellClassInfo]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Users\Sad0r\AppData\Local\Microsoft\Windows\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Users\Sad0r\AppData\Local\Microsoft\Windows\History\Low\DESKTOP.INI
[.ShellClassInfo]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Users\Sad0r\AppData\Local\Microsoft\Windows\History\Low\History.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Users\Sad0r\AppData\Local\Microsoft\Windows\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Users\Sad0r\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Users\Sad0r\AppData\Local\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Windows\assembly\DESKTOP.INI
[.ShellClassInfo]
CLSID={1D2680C9-0E2A-469d-B787-065558BC7D43}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\system32\mscoree.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\mscoree.dll [MS]

C:\Windows\Fonts\DESKTOP.INI
[.ShellClassInfo]
CLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\system32\fontext.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\system32\fontext.dll [MS]

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\DESKTOP.INI
[.ShellClassInfo]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\DESKTOP.INI
[.ShellClassInfo]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\DESKTOP.INI
[.ShellClassInfo]
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HM69YR8O\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKG9U2FZ\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RGUQFBA3\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TXA1G3IW\DESKTOP.INI
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

Permission Errors on C:
C:\Documents and Settings, C:\ProgramData\Application Data, C:\ProgramData\Desktop
C:\ProgramData\Documents, C:\ProgramData\Favorites
C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\Quarantine
C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\SrtETmp, C:\ProgramData\Start Menu
C:\ProgramData\Templates, C:\Qoobox\BackEnv, C:\Users\All Users\Application Data
C:\Users\All Users\Desktop, C:\Users\All Users\Documents, C:\Users\All Users\Favorites
C:\Users\All Users\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\Quarantine
C:\Users\All Users\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\SrtETmp
C:\Users\All Users\Start Menu, C:\Users\All Users\Templates
C:\Users\Default\AppData\Local\Application Data, C:\Users\Default\AppData\Local\History
C:\Users\Default\AppData\Local\Temporary Internet Files, C:\Users\Default\Application Data
C:\Users\Default\Documents\My Music, C:\Users\Default\Documents\My Pictures
C:\Users\Default\Documents\My Videos, C:\Users\Default\Local Settings, C:\Users\Default\My Documents
C:\Users\Default\NetHood, C:\Users\Default\PrintHood, C:\Users\Default\Recent
C:\Users\Default\SendTo, C:\Users\Default\Start Menu, C:\Users\Default\Templates
C:\Users\Default User, C:\Users\Public\Documents\My Music, C:\Users\Public\Documents\My Pictures
C:\Users\Public\Documents\My Videos, C:\Users\Sad0r\AppData\Local\Application Data
C:\Users\Sad0r\AppData\Local\History, C:\Users\Sad0r\AppData\Local\Temporary Internet Files
C:\Users\Sad0r\Application Data, C:\Users\Sad0r\Cookies, C:\Users\Sad0r\Documents\My Music
C:\Users\Sad0r\Documents\My Pictures, C:\Users\Sad0r\Documents\My Videos
C:\Users\Sad0r\Local Settings, C:\Users\Sad0r\My Documents, C:\Users\Sad0r\NetHood
C:\Users\Sad0r\PrintHood, C:\Users\Sad0r\Recent, C:\Users\Sad0r\SendTo, C:\Users\Sad0r\Start Menu
C:\Users\Sad0r\Templates, C:\Windows\System32\LogFiles\WMI\RtBackup

D:\$RECYCLE.BIN\S-1-5-21-3254260356-3574314768-983753981-1000\DESKTOP.INI
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
-> {HKLM…CLSID}\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]
-> {HKLM…Wow…CLSID}\InProcServer32\(Default) = C:\Windows\system32\shell32.dll [MS]


Startup items in "Sad0r" & "All Users" startup folders:
-------------------------------------------------------

C:\Users\Sad0r\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
AsusVibeLauncher -> shortcut to: C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe /start [ASUSTeK Computer Inc.]
Secunia PSI Tray -> shortcut to: C:\Program Files (x86)\Secunia\PSI\psi_tray.exe [Secunia]


Windows Sidebar Gadgets:
------------------------

C:\Users\Sad0r\AppData\Local\Microsoft\Windows Sidebar\Settings.ini


Non-disabled Scheduled Tasks:
-----------------------------

C:\Windows\System32\Tasks
ASUS Live Update -> launches: C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe [null data]
ASUS P4G -> launches: C:\Program Files\ASUS\P4G\BatteryLife.exe [ASUS]
ASUS Quick Gesture -> launches: C:\Program Files (x86)\ASUS\ASUS Virtual Touch\QuickGesture\x86\QuickGesture.exe [ASUSTeK Computer Inc.]
ASUS Quick Gesture (x64) -> launches: C:\Program Files (x86)\ASUS\ASUS Virtual Touch\QuickGesture\x64\QuickGesture64.exe [ASUSTeK Computer Inc.]
ASUS USB Charger Plus -> launches: "C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe" [ASUSTek Computer Inc.]
ATKOSD2 -> launches: C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [ASUSTek Computer Inc.]
Norton WSC Integration -> (HIDDEN!) launches: "C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\WSCStub.exe" /taskschd [Symantec Corporation]
SidebarExecute -> launches: C:\Program Files\Windows Sidebar\sidebar.exe [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
AD RMS Rights Policy Template Management (Manual) -> launches: {BF5CB148-7C77-4d8a-A53E-D81C70CF743C}
-> {HKLM…CLSID} = AD RMS Rights Policy Template Management (Manual) Task Handler
\InProcServer32\(Default) = C:\Windows\system32\msdrm.dll [MS]
-> {HKLM…Wow…CLSID} = AD RMS Rights Policy Template Management (Manual) Task Handler
\InProcServer32\(Default) = C:\Windows\system32\msdrm.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\AppID
PolicyConverter -> launches: %windir%\system32\appidpolicyconverter.exe [MS]
VerifiedPublisherCertStoreCheck -> launches: %windir%\system32\appidcertstorecheck.exe [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience
AitAgent -> launches: aitagent [MS]
ProgramDataUpdater -> launches: %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Autochk
Proxy -> launches: %windir%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
UninstallDeviceTask -> launches: BthUdTask.exe $(Arg0) [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
SystemTask -> launches: {58fb76b9-ac85-4e55-ac04-427593b1d060}
-> {HKLM…CLSID} = Certificate Services Client Task Handler
\InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]
-> {HKLM…Wow…CLSID} = Certificate Services Client Task Handler
\InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]
UserTask -> launches: {58fb76b9-ac85-4e55-ac04-427593b1d060}
-> {HKLM…CLSID} = Certificate Services Client Task Handler
\InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]
-> {HKLM…Wow…CLSID} = Certificate Services Client Task Handler
\InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
Consolidator -> launches: %SystemRoot%\System32\wsqmcons.exe [MS]
KernelCeipTask -> (HIDDEN!) launches: {e7ed314f-2816-4c26-aeb5-54a34d02404c}
-> {HKLM…CLSID} = KernelCeipCustomHandler
\InProcServer32\(Default) = C:\Windows\System32\kernelceip.dll [MS]
UsbCeip -> (HIDDEN!) launches: {c27f6b1d-fe0b-45e4-9257-38799fa69bc8}
-> {HKLM…CLSID} = UsbCeip
\InProcServer32\(Default) = C:\Windows\System32\usbceip.dll [MS]
-> {HKLM…Wow…CLSID} = UsbCeip
\InProcServer32\(Default) = C:\Windows\System32\usbceip.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis
Scheduled -> (HIDDEN!) launches: {c1f85ef8-bcc2-4606-bb39-70c523715eb3}
-> {HKLM…CLSID} = ScheduledDiagnosticCustomHandler
\InProcServer32\(Default) = C:\Windows\System32\sdiagschd.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Location
Notifications -> launches: %windir%\System32\LocationNotifications.exe [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance
WinSAT -> launches: {A9A33436-678B-4C9C-A211-7CC38785E79D}
-> {HKLM…CLSID} = WinSAT Task Manger Task
\InProcServer32\(Default) = C:\Windows\system32\WinSATAPI.dll [MS]
-> {HKLM…Wow…CLSID} = WinSAT Task Manger Task
\InProcServer32\(Default) = C:\Windows\system32\WinSATAPI.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
ActivateWindowsSearch -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch [MS]
ConfigureInternetTimeService -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService [MS]
DispatchRecoveryTasks -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0) [MS]
ehDRMInit -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DRMInit [MS]
InstallPlayReady -> launches: %SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0) [MS]
mcupdate -> launches: %SystemRoot%\ehome\mcupdate $(Arg0) [MS]
mcupdate_scheduled -> launches: %SystemRoot%\ehome\mcupdate -crl -hms -pscn 15 [MS]
MediaCenterRecoveryTask -> launches: %SystemRoot%\ehome\mcupdate.exe -MediaCenterRecoveryTask [MS]
ObjectStoreRecoveryTask -> launches: %SystemRoot%\ehome\mcupdate.exe -ObjectStoreRecoveryTask [MS]
OCURActivate -> launches: %SystemRoot%\ehome\ehPrivJob.exe /OCURActivate [MS]
OCURDiscovery -> launches: %SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0) [MS]
PBDADiscovery -> launches: %SystemRoot%\ehome\ehPrivJob.exe /PBDADiscovery [MS]
PBDADiscoveryW1 -> launches: %SystemRoot%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery [MS]
PBDADiscoveryW2 -> launches: %SystemRoot%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery [MS]
PvrRecoveryTask -> launches: %SystemRoot%\ehome\mcupdate.exe -PvrRecoveryTask [MS]
PvrScheduleTask -> launches: %SystemRoot%\ehome\mcupdate.exe -PvrSchedule [MS]
RegisterSearch -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0) [MS]
ReindexSearchRoot -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoReindexSearchRoot [MS]
SqlLiteRecoveryTask -> launches: %SystemRoot%\ehome\mcupdate.exe -SqlLiteRecoveryTask [MS]
StartRecording -> launches: %SystemRoot%\ehome\ehrec /StartRecording [MS]
UpdateRecordPath -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0) [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic
CorruptionDetector -> (HIDDEN!) launches: {190BA3F6-0205-4f46-B589-95C6822899D2}
-> {HKLM…CLSID} = MemoryDiagnosticCustomHandler
\InProcServer32\(Default) = C:\Windows\System32\memdiag.dll [MS]
DecompressionFailureDetector -> (HIDDEN!) launches: {190BA3F6-0205-4f46-B589-95C6822899D2}
-> {HKLM…CLSID} = MemoryDiagnosticCustomHandler
\InProcServer32\(Default) = C:\Windows\System32\memdiag.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
HotStart -> launches: {06DA0625-9701-43da-BFD7-FBEEA2180A1E}
-> {HKLM…CLSID} = HotStart User Agent
\InProcServer32\(Default) = C:\Windows\System32\HotStartUserAgent.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MUI
Lpksetup -> launches: C:\Windows\System32\lpksetup.exe -v [MS]
LPRemove -> launches: %windir%\system32\lpremove.exe [MS]
Mcbuilder -> launches: C:\Windows\System32\mcbuilder.exe [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
SystemSoundsService -> launches: {2DEA658F-54C1-4227-AF9B-260AB5FC3543}
-> {HKLM…CLSID} = Microsoft PlaySoundService Class
\InProcServer32\(Default) = C:\Windows\System32\PlaySndSrv.dll [MS]
-> {HKLM…Wow…CLSID} = Microsoft PlaySoundService Class
\InProcServer32\(Default) = C:\Windows\System32\PlaySndSrv.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace
GatherNetworkInfo -> launches: %windir%\system32\gatherNetworkInfo.vbs [null data]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics
AnalyzeSystem -> launches: %SystemRoot%\System32\powercfg.exe -energy -auto [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RAC
RacTask -> (HIDDEN!) launches: {42060D27-CA53-41f5-96E4-B1E8169308A6}
-> {HKLM…CLSID} = ReliabilityAnalysisCustomHandler
\InProcServer32\(Default) = C:\Windows\system32\RacEngn.dll [MS]
-> {HKLM…Wow…CLSID} = ReliabilityAnalysisCustomHandler
\InProcServer32\(Default) = C:\Windows\system32\RacEngn.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Ras
MobilityManager -> launches: {c463a0fc-794f-4fdf-9201-01938ceacafa}
-> {HKLM…CLSID} = RasMobilityManager
\InProcServer32\(Default) = C:\Windows\system32\rasmbmgr.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Registry
RegIdleBackup -> (HIDDEN!) launches: {ca767aa8-9157-4604-b64b-40747123d5f2}
-> {HKLM…CLSID} = RegistryIdleBackupHandler
\InProcServer32\(Default) = C:\Windows\System32\regidle.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
RemoteAssistanceTask -> (HIDDEN!) launches: %windir%\system32\RAServer.exe /offerraupdate [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
GadgetManager -> launches: {FF87090D-4A9A-4f47-879B-29A80C355D61}
-> {HKLM…CLSID} = GadgetsManager Class
\InProcServer32\(Default) = C:\Windows\System32\AuxiliaryDisplayServices.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
SR -> launches: %windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\TabletPC
InputPersonalization -> launches: %CommonProgramFiles%\Microsoft Shared\Ink\InputPersonalization.exe [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Task Manager
Interactive -> (HIDDEN!) launches: {855fec53-d2e4-4999-9e87-3414e9cf0ff4}
-> {HKLM…CLSID} = RunTask
\InProcServer32\(Default) = C:\Windows\system32\wdc.dll [MS]
-> {HKLM…Wow…CLSID} = RunTask
\InProcServer32\(Default) = C:\Windows\system32\wdc.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
IpAddressConflict1 -> launches: %windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem [MS]
IpAddressConflict2 -> launches: %windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
MsCtfMonitor -> (HIDDEN!) launches: {01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}
-> {HKLM…CLSID} = MsCtfMonitor task handler
\InProcServer32\(Default) = C:\Windows\system32\MsCtfMonitor.dll [MS]
-> {HKLM…Wow…CLSID} = MsCtfMonitor task handler
\InProcServer32\(Default) = C:\Windows\system32\MsCtfMonitor.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization
SynchronizeTime -> launches: %windir%\system32\sc.exe start w32time task_started [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
UPnPHostConfig -> launches: sc.exe config upnphost start= auto [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WDI
ResolutionHost -> (HIDDEN!) launches: {900be39d-6be8-461a-bc4d-b0fa71f5ecb1}
-> {HKLM…CLSID} = DiagnosticInfrastructureCustomHandler
\InProcServer32\(Default) = C:\Windows\System32\wdi.dll [MS]
-> {HKLM…Wow…CLSID} = DiagnosticInfrastructureCustomHandler
\InProcServer32\(Default) = C:\Windows\System32\wdi.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Activation Technologies
ValidationTask -> (HIDDEN!) launches: %SystemRoot%\system32\Wat\WatAdminSvc.exe /run [MS]
ValidationTaskDeadline -> (HIDDEN!) launches: %SystemRoot%\system32\schtasks.exe /run /I /TN "\Microsoft\Windows\Windows Activation Technologies\ValidationTask" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
QueueReporting -> launches: %windir%\system32\wermgr.exe -queuereporting [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Filtering Platform
BfeOnServiceStartTypeChange -> (HIDDEN!) launches: %windir%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Media Sharing
UpdateLibrary -> launches: "%ProgramFiles%\Windows Media Player\wmpnscfg.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WindowsBackup
AutomaticBackup -> launches: %systemroot%\system32\rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup [MS]
Windows Backup Monitor -> launches: %systemroot%\system32\sdclt.exe /CHECKSKIPPED [MS]

C:\Windows\System32\Tasks\Microsoft\Windows Defender
MP Scheduled Scan -> (HIDDEN!) launches: c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan [MS]

C:\Windows\System32\Tasks\Microsoft\Windows Live\SOXE
Extractor Definitions Update Task -> launches: {3519154C-227E-47F3-9CC9-12C3F05817F1}
-> {HKLM…Wow…CLSID} = Windows Live Social Object Extractor Engine Definition Updater
\InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\SOXE\wlsoxe.dll [MS]

C:\Windows\System32\Tasks\Norton 360
Norton Error Analyzer -> launches: C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\SymErr.exe /analyze [Symantec Corporation]
Norton Error Processor -> launches: C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\SymErr.exe /submit [Symantec Corporation]

C:\Windows\System32\Tasks\WPD
SqmUpload_S-1-5-21-3254260356-3574314768-983753981-1000 -> (HIDDEN!) launches: %windir%\system32\rundll32.exe portabledeviceapi.dll,#1 [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = %SystemRoot%\system32\NLAapi.dll [MS]
000000000002\LibraryPath = %SystemRoot%\system32\napinsp.dll [MS]
000000000003\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000004\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000005\LibraryPath = %SystemRoot%\system32\wshbth.dll [MS]
000000000006\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS]
000000000007\LibraryPath = %SystemRoot%\System32\winrnr.dll [MS]
000000000008\LibraryPath = C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [MS]
000000000009\LibraryPath = C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 11


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\

HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\
{8DCB7100-DF86-4384-8842-8FA844297B3F} = Bing
-> {HKLM…Wow…CLSID} = Bing Bar
\InProcServer32\(Default) = "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" [Microsoft Corporation.]

{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} = Norton Toolbar
-> {HKLM…Wow…CLSID} = Norton Toolbar
\InProcServer32\(Default) = C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\coIEPlg.dll [Symantec Corporation]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{30D02401-6A81-11D0-8274-00C04FD5AE38}\(Default) = IE Search Band
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]

HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{30D02401-6A81-11D0-8274-00C04FD5AE38}\(Default) = IE Search Band
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = C:\Windows\SysWOW64\ieframe.dll [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\

HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\
{219C3416-8CB2-491A-A3C7-D9FCDDC9D600}\
ButtonText = @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004
MenuText = @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003
CLSIDExtension = {5F7B1267-94A9-47F5-98DB-E99415F33AEC}
-> {HKLM…Wow…CLSID} = BlogThisToolbarButton Class
\InProcServer32\(Default) = C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll [MS]


Internet Explorer Address Prefixes:
-----------------------------------

Prefix for bare domain ("domain-name-here.com")

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Default Prefix\
(Default) = http://

Prefix for specific service (I.e., "www")

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\
mosaic = http://
www = http://
home = http://
ftp = ftp://


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
{CFBFAE00-17A6-11D0-99CB-00C04FD64497} = (no title provided)
-> {HKLM…CLSID} = Microsoft Url Search Hook
\InProcServer32\(Default) = C:\Windows\System32\ieframe.dll [MS]

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
blank = res://mshtml.dll/blank.htm [MS]
NoAdd-onsInfo = res://ieframe.dll/noaddoninfo.htm [MS]
InPrivate = res://ieframe.dll/inprivate.htm [MS]
NavigationFailure = res://ieframe.dll/navcancl.htm [MS]
NoAdd-ons = res://ieframe.dll/noaddon.htm [MS]
Home = dword:0x0000010E
PostNotCached = res://ieframe.dll/repost.htm [MS]
DesktopItemNavigationFailure = res://ieframe.dll/navcancl.htm [MS]
NavigationCanceled = res://ieframe.dll/navcancl.htm [MS]
OfflineInformation = res://ieframe.dll/offcancl.htm [MS]
SecurityRisk = res://ieframe.dll/securityatrisk.htm [MS]


HOSTS file
----------

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
DataBasePath = C:\Windows\System32\drivers\etc

C:\Windows\System32\drivers\etc\HOSTS

maps: no domain names to IP addresses


All Running Services (Display Name, Service Name, Path {Service DLL}):
----------------------------------------------------------------------

AFBAgent, AFBAgent, "C:\Windows\system32\FBAgent.exe" [ASUSTeK Computer Inc.]
Application Experience, AeLookupSvc, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\System32\aelupsvc.dll [MS]}
Application Information, Appinfo, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\System32\appinfo.dll [MS]}
ASLDR Service, ASLDRService, C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe [ASUS]
ASUS InstantOn Service, ASUS InstantOn, C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnSrv.exe [ASUS]
ATKGFNEX Service, ATKGFNEXSrv, C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [ASUS]
Background Intelligent Transfer Service, BITS, C:\Windows\System32\svchost.exe -k netsvcs {C:\Windows\System32\qmgr.dll [MS]}
Base Filtering Engine, BFE, C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork {C:\Windows\System32\bfe.dll [MS]}
Certificate Propagation, CertPropSvc, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\System32\certprop.dll [MS]}
CNG Key Isolation, KeyIso, C:\Windows\system32\lsass.exe [MS]
COM+ Event System, EventSystem, C:\Windows\system32\svchost.exe -k LocalService {C:\Windows\system32\es.dll [MS]}
Cryptographic Services, CryptSvc, C:\Windows\system32\svchost.exe -k NetworkService {C:\Windows\system32\cryptsvc.dll [MS]}
DCOM Server Process Launcher, DcomLaunch, C:\Windows\system32\svchost.exe -k DcomLaunch {C:\Windows\system32\rpcss.dll [MS]}
Desktop Window Manager Session Manager, UxSms, C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\uxsms.dll [MS]}
DHCP Client, Dhcp, C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted {C:\Windows\system32\dhcpcore.dll [MS]}
Diagnostic Policy Service, DPS, C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork {C:\Windows\system32\dps.dll [MS]}
Diagnostic Service Host, WdiServiceHost, C:\Windows\System32\svchost.exe -k LocalService {C:\Windows\system32\wdi.dll [MS]}
Diagnostic System Host, WdiSystemHost, C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\system32\wdi.dll [MS]}
Distributed Link Tracking Client, TrkWks, C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\trkwks.dll [MS]}
DNS Client, Dnscache, C:\Windows\system32\svchost.exe -k NetworkService {C:\Windows\System32\dnsrslvr.dll [MS]}
Encrypting File System (EFS), EFS, C:\Windows\System32\lsass.exe [MS]
Extensible Authentication Protocol, EapHost, C:\Windows\System32\svchost.exe -k netsvcs {C:\Windows\System32\eapsvc.dll [MS]}
Function Discovery Provider Host, fdPHost, C:\Windows\system32\svchost.exe -k LocalService {C:\Windows\system32\fdPHost.dll [MS]}
Function Discovery Resource Publication, FDResPub, C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation {C:\Windows\system32\fdrespub.dll [MS]}
Group Policy Client, gpsvc, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\System32\gpsvc.dll [MS]}
HomeGroup Provider, HomeGroupProvider, C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted {C:\Windows\system32\provsvc.dll [MS]}
Human Interface Device Access, hidserv, C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\system32\hidserv.dll [MS]}
IKE and AuthIP IPsec Keying Modules, IKEEXT, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\System32\ikeext.dll [MS]}
Intel(R) Capability Licensing Service Interface, Intel(R) Capability Licensing Service Interface, "C:\Program Files\Intel\iCLS Client\HeciServer.exe" [Intel(R) Corporation]
Intel(R) Dynamic Application Loader Host Interface Service, jhi_service, C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [Intel Corporation]
Intel(R) Management and Security Application Local Management Service, LMS, C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe [Intel Corporation]
Intel(R) Management and Security Application User Notification Service, UNS, "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [Intel Corporation]
Intel(R) ME Service, Intel(R) ME Service, C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [null data]
IP Helper, iphlpsvc, C:\Windows\System32\svchost.exe -k NetSvcs {C:\Windows\System32\iphlpsvc.dll [MS]}
IPsec Policy Agent, PolicyAgent, C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted {C:\Windows\System32\ipsecsvc.dll [MS]}
Multimedia Class Scheduler, MMCSS, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\system32\mmcss.dll [MS]}
Network Connections, Netman, C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\netman.dll [MS]}
Network List Service, netprofm, C:\Windows\System32\svchost.exe -k LocalService {C:\Windows\System32\netprofm.dll [MS]}
Network Location Awareness, NlaSvc, C:\Windows\System32\svchost.exe -k NetworkService {C:\Windows\System32\nlasvc.dll [MS]}
Network Store Interface Service, nsi, C:\Windows\system32\svchost.exe -k LocalService {C:\Windows\system32\nsisvc.dll [MS]}
Norton 360, N360, "C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\ccSvcHst.exe" /s "N360" /m "C:\Program Files (x86)\Norton 360\Engine\20.2.0.19\diMaster.dll" /prefetch:1 [Symantec Corporation]
Plug and Play, PlugPlay, C:\Windows\system32\svchost.exe -k DcomLaunch {C:\Windows\system32\umpnpmgr.dll [MS]}
Power, Power, C:\Windows\system32\svchost.exe -k DcomLaunch {C:\Windows\system32\umpo.dll [MS]}
Print Spooler, Spooler, C:\Windows\System32\spoolsv.exe [MS]
Program Compatibility Assistant Service, PcaSvc, C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\pcasvc.dll [MS]}
Remote Procedure Call (RPC), RpcSs, C:\Windows\system32\svchost.exe -k rpcss {C:\Windows\system32\rpcss.dll [MS]}
RPC Endpoint Mapper, RpcEptMapper, C:\Windows\system32\svchost.exe -k RPCSS {C:\Windows\System32\RpcEpMap.dll [MS]}
SeaPort, SeaPort, "C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE" [MS]
Secunia PSI Agent, Secunia PSI Agent, "C:\Program Files (x86)\Secunia\PSI\PSIA.exe" --start-service [Secunia]
Secunia Update Agent, Secunia Update Agent, "C:\Program Files (x86)\Secunia\PSI\sua.exe" --start-service [Secunia]
Security Accounts Manager, SamSs, C:\Windows\system32\lsass.exe [MS]
Security Center, wscsvc, C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted {C:\Windows\System32\wscsvc.dll [MS]}
Server, LanmanServer, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\system32\srvsvc.dll [MS]}
Shell Hardware Detection, ShellHWDetection, C:\Windows\System32\svchost.exe -k netsvcs {C:\Windows\System32\shsvcs.dll [MS]}
Smart Card, SCardSvr, C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation {C:\Windows\System32\SCardSvr.dll [MS]}
SSDP Discovery, SSDPSRV, C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation {C:\Windows\System32\ssdpsrv.dll [MS]}
Superfetch, SysMain, C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\system32\sysmain.dll [MS]}
System Event Notification Service, SENS, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\System32\sens.dll [MS]}
Tablet PC Input Service, TabletInputService, C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\TabSvc.dll [MS]}
Task Scheduler, Schedule, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\system32\schedsvc.dll [MS]}
TCP/IP NetBIOS Helper, lmhosts, C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted {C:\Windows\System32\lmhsvc.dll [MS]}
Themes, Themes, C:\Windows\System32\svchost.exe -k netsvcs {C:\Windows\system32\themeservice.dll [MS]}
User Profile Service, ProfSvc, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\system32\profsvc.dll [MS]}
Windows Audio, AudioSrv, C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted {C:\Windows\System32\Audiosrv.dll [MS]}
Windows Audio Endpoint Builder, AudioEndpointBuilder, C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\Audiosrv.dll [MS]}
Windows Backup, SDRSVC, C:\Windows\system32\svchost.exe -k SDRSVC {C:\Windows\System32\SDRSVC.dll [MS]}
Windows Defender, WinDefend, C:\Windows\System32\svchost.exe -k secsvcs {C:\Program Files\Windows Defender\mpsvc.dll [MS]}
Windows Driver Foundation - User-mode Driver Framework, wudfsvc, C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\WUDFSvc.dll [MS]}
Windows Event Log, eventlog, C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted {C:\Windows\System32\wevtsvc.dll [MS]}
Windows Firewall, MpsSvc, C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork {C:\Windows\system32\mpssvc.dll [MS]}
Windows Font Cache Service, FontCache, C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation {C:\Windows\system32\FntCache.dll [MS]}
Windows Image Acquisition (WIA), stisvc, C:\Windows\system32\svchost.exe -k imgsvc {C:\Windows\System32\wiaservc.dll [MS]}
Windows Live ID Sign-in Assistant, wlidsvc, "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE" [MS]
Windows Management Instrumentation, Winmgmt, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\system32\wbem\WMIsvc.dll [MS]}
Windows Media Player Network Sharing Service, WMPNetworkSvc, "C:\Program Files\Windows Media Player\wmpnetwk.exe" [MS]
Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [MS]
Windows Search, WSearch, C:\Windows\system32\SearchIndexer.exe /Embedding [MS]
Windows Update, wuauserv, C:\Windows\system32\svchost.exe -k netsvcs {C:\Windows\system32\wuaueng.dll [MS]}
WinHTTP Web Proxy Auto-Discovery Service, WinHttpAutoProxySvc, C:\Windows\system32\svchost.exe -k LocalService {winhttp.dll [MS]}
WLAN AutoConfig, Wlansvc, C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted {C:\Windows\System32\wlansvc.dll [MS]}
Workstation, LanmanWorkstation, C:\Windows\System32\svchost.exe -k NetworkService {C:\Windows\System32\wkssvc.dll [MS]}


Safe Mode Drivers & Services (subkey name, subkey default value):
-----------------------------------------------------------------

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\

<<!>> 00705352.sys, Driver
<<!>> 08657672.sys, Driver
<<!>> 77118655.sys, Driver
<<!>> 95310364.sys, Driver
<<!>> 97384014.sys, Driver
AppInfo, Service
AppMgmt, Service
Base, Driver Group
Boot Bus Extender, Driver Group
Boot file system, Driver Group
CryptSvc, Service
DcomLaunch, Service
EFS, Service
EventLog, Service
File system, Driver Group
Filter, Driver Group
HelpSvc, Service
KeyIso, Service
<<!>> MCODS,
Netlogon, Service
NTDS, Service
PCI Configuration, Driver Group
PlugPlay, Service
PNP Filter, Driver Group
Power, Service
Primary disk, Driver Group
ProfSvc, Service
RpcEptMapper, Service
RpcSs, Service
sacsvr, Service
SCSI Class, Driver Group
sermouse.sys, Driver
SWPRV, Service
System Bus Extender, Driver Group
TabletInputService, Service
TBS, Service
TrustedInstaller, Service
VDS, Service
vga.sys, Driver
vgasave.sys, Driver
vmms, Service
volmgr.sys, Driver
volmgrx.sys, Driver
WinDefend, Service
WinMgmt, Service
WudfPf, Driver
WudfRd, Driver
WudfSvc, Service
{36FC9E60-C465-11CF-8056-444553540000}, Universal Serial Bus controllers
{4D36E965-E325-11CE-BFC1-08002BE10318}, CD-ROM Drive
{4D36E967-E325-11CE-BFC1-08002BE10318}, DiskDrive
{4D36E969-E325-11CE-BFC1-08002BE10318}, Standard floppy disk controller
{4D36E96A-E325-11CE-BFC1-08002BE10318}, Hdc
{4D36E96B-E325-11CE-BFC1-08002BE10318}, Keyboard
{4D36E96F-E325-11CE-BFC1-08002BE10318}, Mouse
{4D36E977-E325-11CE-BFC1-08002BE10318}, PCMCIA Adapters
{4D36E97B-E325-11CE-BFC1-08002BE10318}, SCSIAdapter
{4D36E97D-E325-11CE-BFC1-08002BE10318}, System
{4D36E980-E325-11CE-BFC1-08002BE10318}, Floppy disk drive
{533C5B84-EC70-11D2-9505-00C04F79DEAF}, Volume shadow copy
{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}, IEEE 1394 Bus host controllers
{71A27CDD-812A-11D0-BEC7-08002BE2092F}, Volume
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}, Human Interface Devices
{D48179BE-EC20-11D1-B6B8-00C04FA372A7}, SBP2 IEEE 1394 Devices
{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}, SecurityDevices

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\

<<!>> 00705352.sys, Driver
<<!>> 08657672.sys, Driver
<<!>> 77118655.sys, Driver
<<!>> 95310364.sys, Driver
<<!>> 97384014.sys, Driver
AFD, Service
AppInfo, Service
AppMgmt, Service
Base, Driver Group
BFE, Service
Boot Bus Extender, Driver Group
Boot file system, Driver Group
bowser, Driver
Browser, Service
CryptSvc, Service
DcomLaunch, Service
dfsc, Driver
Dhcp, Service
DnsCache, Service
Dot3Svc, Service
Eaphost, Service
EFS, Service
EventLog, Service
File system, Driver Group
Filter, Driver Group
HelpSvc, Service
IKEEXT, Service
ipnat.sys, Driver
KeyIso, Service
LanmanServer, Service
LanmanWorkstation, Service
LmHosts, Service
<<!>> MCODS,
Messenger, Service
MPSDrv, Driver
MPSSvc, Service
mrxsmb, Driver
mrxsmb10, Driver
mrxsmb20, Driver
NativeWifiP, Service
NDIS, Driver Group
NDIS Wrapper, Driver Group
ndiscap, Driver
Ndisuio, Service
NetBIOS, Service
NetBIOSGroup, Driver Group
NetBT, Service
NetDDEGroup, Driver Group
Netlogon, Service
NetMan, Service
netprofm, Service
Network, Driver Group
NetworkProvider, Driver Group
NlaSvc, Service
Nsi, Service
nsiproxy.sys, Driver
NTDS, Service
PCI Configuration, Driver Group
PlugPlay, Service
PNP Filter, Driver Group
PNP_TDI, Driver Group
PolicyAgent, Service
Power, Service
Primary disk, Driver Group
ProfSvc, Service
rdbss, Driver
rdpencdd.sys, Driver
rdsessmgr, Service
RpcEptMapper, Service
RpcSs, Service
sacsvr, Service
SCardSvr, Service
SCSI Class, Driver Group
sermouse.sys, Driver
SharedAccess, Service
Streams Drivers, Driver Group
SWPRV, Service
System Bus Extender, Driver Group
TabletInputService, Service
TBS, Service
Tcpip, Service
TDI, Driver Group
TrustedInstaller, Service
VaultSvc, Service
VDS, Service
vga.sys, Driver
vgasave.sys, Driver
vmms, Service
volmgr.sys, Driver
volmgrx.sys, Driver
WinDefend, Service
WinMgmt, Service
Wlansvc, Service
WudfPf, Driver
WudfRd, Driver
WudfSvc, Service
WudfUsbccidDriver, Driver
{36FC9E60-C465-11CF-8056-444553540000}, Universal Serial Bus controllers
{4D36E965-E325-11CE-BFC1-08002BE10318}, CD-ROM Drive
{4D36E967-E325-11CE-BFC1-08002BE10318}, DiskDrive
{4D36E969-E325-11CE-BFC1-08002BE10318}, Standard floppy disk controller
{4D36E96A-E325-11CE-BFC1-08002BE10318}, Hdc
{4D36E96B-E325-11CE-BFC1-08002BE10318}, Keyboard
{4D36E96F-E325-11CE-BFC1-08002BE10318}, Mouse
{4D36E972-E325-11CE-BFC1-08002BE10318}, Net
{4D36E973-E325-11CE-BFC1-08002BE10318}, NetClient
{4D36E974-E325-11CE-BFC1-08002BE10318}, NetService
{4D36E975-E325-11CE-BFC1-08002BE10318}, NetTrans
{4D36E977-E325-11CE-BFC1-08002BE10318}, PCMCIA Adapters
{4D36E97B-E325-11CE-BFC1-08002BE10318}, SCSIAdapter
{4D36E97D-E325-11CE-BFC1-08002BE10318}, System
{4D36E980-E325-11CE-BFC1-08002BE10318}, Floppy disk drive
{50DD5230-BA8A-11D1-BF5D-0000F805F530}, Smart card readers
{533C5B84-EC70-11D2-9505-00C04F79DEAF}, Volume shadow copy
{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}, IEEE 1394 Bus host controllers
{71A27CDD-812A-11D0-BEC7-08002BE2092F}, Volume
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}, Human Interface Devices
{D48179BE-EC20-11D1-B6B8-00C04FA372A7}, SBP2 IEEE 1394 Devices
{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}, SecurityDevices


Accessibility Tools:
--------------------

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\
Configuration = (value not set)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\
Configuration = (value not set)


Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
UpperFilters = kbdclass [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Local Port\Driver = localspl.dll [MS]
Microsoft Shared Fax Monitor\Driver = FXSMON.DLL [MS]
Standard TCP/IP Port\Driver = tcpmon.dll [MS]
USB Monitor\Driver = usbmon.dll [MS]
WSD Port\Driver = WSDMon.dll [MS]


-- (total run time: 63 seconds)
<<!>>: Suspicious data at a malware launch point.
 
Hey DMJ, I can't find anything on those dodgy-looking drivers under HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\, and here are a couple of logs from CureIt which don't look right. They aren't complete; they were too long, so I just copied some dodgy bits.


Dr.Web Scanner SE for Windows v7.0.2.05020
(c) Doctor Web, Ltd., 1992-2012
Scan session started 2012:09:19 07:29:35
Module location : C:\Users\Sad0r\AppData\Local\Temp\154BAA38-1AF7D060-B1523AF7-48BF6C62\
=============================================================================
OPTION AdminRightsNo
OPTION AutoApplyActionNo
OPTION TurnOffComputerNo
OPTION UseSoundsNo
OPTION BlockNetworkNo
Using language : English
Using C:\Users\Sad0r\AppData\Local\Temp\154BAA38-1AF7D060-B1523AF7-48BF6C62\ecv7vsfq.key as Dr.Web (R) Key file
This Dr.Web (R) Key is for 1 computer (A User)
=============================================================================
Dr.Web Scanner SE for Windows v7.0.2.05020
(c) Doctor Web, Ltd., 1992-2012
Scan session started 2012:09:19 07:30:31
Module location : C:\Users\Sad0r\AppData\Local\Temp\B47A04B5-6F2BE766-8945642B-C82B1923\
=============================================================================
OPTION AdminRightsNo
OPTION AutoApplyActionNo
OPTION TurnOffComputerNo
OPTION UseSoundsNo
OPTION BlockNetworkNo
Using language : English
Using C:\Users\Sad0r\AppData\Local\Temp\B47A04B5-6F2BE766-8945642B-C82B1923\ecv7vsfq.key as Dr.Web (R) Key file
This Dr.Web (R) Key is for 1 computer (A User)
Available instances: 12
Instances used: 11
Platform: Windows 7 Premium x64/WOW (Build 7601), Service Pack 1
API Version: 2.2
Scanning Engine version: 7.0.1.5020
Virus Finding Engine version: 7.0.2.4281
Total 68 virus bases are loaded from C:\Users\Sad0r\AppData\Local\Temp\B47A04B5-6F2BE766-8945642B-C82B1923
qjbxvxwa 7.0 3e072b8acee37a003a4ab009031d07fe 2012/09/19 05:03:20 1509 records - OK
eby608gy 7.0 b9d94c688c2f992a5fb753a95493b786 2011/07/26 00:20:03 1 record - OK
xas6elt1 7.0 bd93f8d30a154dcb3c30a5caad30762d 2012/09/19 05:03:25 4658 records - OK
mn89iafs 7.0 21534a94390a2e6640dfb1b7d8a9fd60 2012/09/17 13:05:43 11686 records - OK
d1m3lbt4 7.0 b8491d67044914e522f86febf4ab4adb 2012/09/10 13:04:34 12677 records - OK
hvye00kf 7.0 e47a62b2e05112b5289fb6ff20eb66a9 2012/09/03 13:05:28 10118 records - OK
61emyubz 7.0 614464d9b912155e7d9e698d6d870ed1 2012/08/27 13:05:26 12602 records - OK
jtidaagk 7.0 ed8d7ebd237d6f77fb18ce304e949810 2012/08/20 13:04:05 18298 records - OK
nblnb01d 7.0 2d42833088267273612ba412753fbb55 2012/08/13 13:05:19 17126 records - OK
06udial3 7.0 d3c1de8bff5cbde0bcbe4e6d138f8e46 2012/08/06 13:03:53 20539 records - OK
wvusc3jz 7.0 c78566c2c5ac022255771e63a1466872 2012/07/30 13:05:26 19330 records - OK
9b33kqia 7.0 84a092b0ef2df74dd310b815b21582d2 2012/07/23 13:05:34 19692 records - OK
7lbp04zn 7.0 3723d09d29bc782d3ae6d30d6f4fd592 2012/07/16 13:05:43 14727 records - OK
lvbvuwya 7.0 deac986b4d290a35d14f4422433af5f8 2012/07/09 13:04:33 19485 records - OK
7xnxj3sa 7.0 e6f122a65122ad41aa3b9444e5d636ff 2012/07/02 13:04:55 22898 records - OK
jfl12dp0 7.0 c9407f85adac1b27f8ae15134373df8e 2012/06/25 13:05:17 20551 records - OK
0byvsfpo 7.0 3476198c6f6f0036f34bbc42a570afd3 2012/06/18 13:03:35 9661 records - OK
2vamk9gb 7.0 1394fc1924b4bbaa7215a67e2207a19e 2012/06/11 13:04:32 23632 records - OK
s7v2tz78 7.0 c612d8a0424c03f90ec558c059300a37 2012/06/04 13:04:41 12423 records - OK
5xd0of0c 7.0 3536d9ae353011c5a2ae9c49b8df482f 2012/05/28 13:04:26 15493 records - OK
oxilio3e 7.0 92392c2b8b88d6fb1da9eafa4dd71e08 2012/05/21 13:03:29 13065 records - OK
pweqa9l8 7.0 aacf0516bb16a10879bbe0bfc4103df0 2012/05/14 13:04:24 16238 records - OK
v444t0ha 7.0 44d29e2ccb066f15bdd74b68e6f678f2 2012/05/07 13:04:33 11570 records - OK
qfcm9pcs 7.0 223fca8835e0f743a8253c2f3926635e 2012/04/30 13:03:28 15478 records - OK
el8p9gvk 7.0 79aeb3a6e5a8ef62bfdd2a5f18c1216b 2012/04/23 13:05:05 11881 records - OK
kop0yygt 7.0 d736d5af62365a48d6df0c576e142049 2012/04/16 13:03:29 13578 records - OK
7umpv0t6 7.0 514bf65528a21da1ff63b6cbcfed392a 2012/04/09 13:05:02 14292 records - OK
93j9mv9i 7.0 aa333f70731106e42fe621620f11be77 2012/04/02 13:03:24 14084 records - OK
yxap8fom 7.0 6116ca417266c84af723605412cf866b 2012/03/26 14:04:43 19126 records - OK
byt0pp51 7.0 9c72fdd2be21a72a62518eec40681cee 2012/03/19 14:03:23 14920 records - OK
6ek8ar2x 7.0 eb4aaab85447f2426ff171d55c8e7e61 2012/03/12 14:03:25 19017 records - OK
kcv09zbs 7.0 2495da734e05b8097320a4473b1eea28 2012/03/05 14:04:32 19691 records - OK
mfjzebu0 7.0 71e19e94d1c1bf5d585c2135763c1c7b 2012/02/27 14:03:21 23605 records - OK
8vrrmoj2 7.0 1e1d4493cad242dc7c69e29c5957e2c7 2012/02/20 14:03:45 19067 records - OK
vihxgm8q 7.0 9a3c6dad8079517daa9984b7244bcc31 2012/02/13 14:04:49 19019 records - OK
mzsv9jru 7.0 daacbf3c71802809a1d03cf2eaa130e7 2012/02/06 14:05:25 28028 records - OK
v7pe8omi 7.0 1a070b574148c5d2f33d1ac7521f4585 2012/01/30 14:08:41 29444 records - OK
dcxyp9vo 7.0 2be52ecb2647685f3199958e23467673 2012/01/23 19:22:13 19353 records - OK
jzxqk84d 7.0 ad3910b450b231bb0c6d1beca85e9009 2012/01/16 14:12:31 20747 records - OK
oa51i74u 7.0 13a2b180c0cac36b6a538ca07da6584e 2012/01/09 14:04:30 28052 records - OK
ko0m9vsn 7.0 b30385e4765848e07e201792adbbcaa0 2012/01/02 14:04:40 12183 records - OK
b0fqc4c6 7.0 dd53038bb0520641a64574ab56267cf4 2011/12/26 14:03:33 19984 records - OK
0weweiz0 7.0 35ffbffd359457dc1ff11eb006ae2d70 2011/12/19 14:08:45 22627 records - OK
bbjj7u1b 7.0 043b3fcfbd0cf7d6d1d9743b6c74d835 2011/12/13 07:20:22 49580 records - OK
whwrchpm 7.0 ab632362ebcf39cb6f1826f38b255c12 2011/12/04 19:00:00 45195 records - OK
ggbu14f3 7.0 876707f6f37fe48d1e6010d6be55d284 2011/12/04 18:00:00 171075 records - OK
y43lhaf7 7.0 f6d020c7e08df3aeb99631829756d4c5 2011/12/04 17:00:00 170820 records - OK
b1kuc7dj 7.0 2e12236d21f7f66132625f83921f3235 2011/12/04 16:00:00 171279 records - OK
882g98by 7.0 eaee6c83ba62620a5118df44b3e0a3a6 2011/12/04 15:00:00 170253 records - OK
n3ivz7zn 7.0 e31126ff36b01981b64f81570db34a8c 2011/12/04 14:00:00 170291 records - OK
woinb8tx 7.0 16cd2b4085458728c92bef8a07fd3608 2011/12/04 13:00:00 170501 records - OK
ll0v0mg7 7.0 cb9f40076e3b8bae0eb7c5345bfbd738 2011/12/04 12:00:00 353582 records - OK
3nz75zt2 7.0 1f24c5ce5f84c30ee604199036388dac 2011/12/04 11:00:00 852776 records - OK
vgcgbkip 7.0 7d7f670c4652dcb24bdb379ab8267f82 2012/09/19 04:51:02 1327 records - OK
6vky9fxq 7.0 08329098e83625a844bbf888258de2ae 2012/06/25 13:12:36 1421 records - OK
ybet5tnl 7.0 7a40beb8607237a6d144a6674d07a481 2012/03/26 14:12:30 1385 records - OK
id6o6um8 7.0 245417419cfbec24aa48eb6b0589b384 2012/01/23 15:56:09 1653 records - OK
uy39xzrv 7.0 2eb03a74099f577fbab0c523a8534d9b 2012/09/19 05:03:08 514 records - OK
5krrhyao 7.0 c0fa2ac84c87aeebbb6b4dfa5c3f0b5e 2012/09/10 13:23:14 1588 records - OK
tttrohwk 7.0 31c1f0b0163c1104faca04e39152b95e 2012/07/23 13:22:36 1702 records - OK
0qdh2381 7.0 efa3fba6b8311ef4a7c4aba3baee7d26 2012/06/11 13:22:36 1659 records - OK
zttqdme7 7.0 0db4ebf90d0ba1577684c368703ae359 2012/04/30 13:22:34 1670 records - OK
847tqq2y 7.0 3cc40ae70ae9666330f29e20a3e03bed 2012/03/12 14:22:28 1729 records - OK
9z9trufi 7.0 d41a5aa17a9868ee4197a1528f6a9e73 2012/01/30 14:23:00 1523 records - OK
tsw2o4ad 7.0 669119c2434b21040b1737e32d4ea783 2011/12/19 14:22:29 1805 records - OK
9jtaqh15 7.0 a7130cdf4fa35f1b4157dafaeee2e35f 2011/12/04 10:00:00 26456 records - OK
opwb303w 7.0 a571e30153b575cc4da79dae6be21932 2011/12/04 09:00:00 74279 records - OK
i8rpe3xa 7.0 9d46fd43346b5342c57fa7ae72e9c334 2011/12/04 08:00:00 1 record - OK
Total records count: 3156219

Anti-rootkit module version (API 4.02 / 4.02)

Using C:\Users\Sad0r\AppData\Local\Temp\B47A04B5-6F2BE766-8945642B-C82B1923\ecv7vsfq.key as Dr.Web (R) Key file
This Dr.Web (R) Key is for 1 computer (A User)
Available instances: 12
Instances used: 11
Platform: Windows 7 Premium x64/WOW (Build 7601), Service Pack 1
API Version: 2.2
Scanning Engine version: 7.0.1.5020
Virus Finding Engine version: 7.0.2.4281
Total 68 virus bases are loaded from C:\Users\Sad0r\AppData\Local\Temp\B47A04B5-6F2BE766-8945642B-C82B1923
qjbxvxwa 7.0 3e072b8acee37a003a4ab009031d07fe 2012/09/19 05:03:20 1509 records - OK
eby608gy 7.0 b9d94c688c2f992a5fb753a95493b786 2011/07/26 00:20:03 1 record - OK
xas6elt1 7.0 bd93f8d30a154dcb3c30a5caad30762d 2012/09/19 05:03:25 4658 records - OK
mn89iafs 7.0 21534a94390a2e6640dfb1b7d8a9fd60 2012/09/17 13:05:43 11686 records - OK

>C:\Windows\SysWOW64\setupSNK.exe - packed by FLY-CODE
C:\Windows\SysWOW64\shell32.dll - Ok
C:\Windows\SysWOW64\SensorsCpl.dll - Ok
>C:\Windows\SysWOW64\spfileq.dll - packed by BINARYRES
>>C:\Windows\SysWOW64\spfileq.dll - packed by MS COMPRESS
C:\Windows\SysWOW64\spnet.dll - Ok
C:\Windows\SysWOW64\SPInf.dll - Ok
C:\Windows\SysWOW64\spopk.dll - Ok
C:\Windows\SysWOW64\spfileq.dll - Ok
C:\Windows\SysWOW64\slmgr.vbs - Ok
C:\Windows\SysWOW64\shwebsvc.dll - Ok
C:\Windows\SysWOW64\spwinsat.dll - Ok
C:\Windows\SysWOW64\sppc.dll - Ok
C:\Windows\SysWOW64\SndVolSSO.dll - Ok
C:\Windows\SysWOW64\spp.dll - Ok
C:\Windows\SysWOW64\sppwmi.dll - Ok
C:\Windows\SysWOW64\spwizres.dll - Ok
C:\Windows\SysWOW64\sppinst.dll - Ok
C:\Windows\SysWOW64\sppcc.dll - Ok
C:\Windows\SysWOW64\spwmp.dll - Ok
C:\Windows\SysWOW64\sppcomapi.dll - Ok
C:\Windows\SysWOW64\spwizeng.dll - Ok
C:\Windows\SysWOW64\sqlceoledb30.dll - Ok
>C:\Windows\SysWOW64\srdelayed.exe - packed by FLY-CODE
C:\Windows\SysWOW64\sqlunirl.dll - Ok
C:\Windows\SysWOW64\sqlsrv32.dll - Ok
C:\Windows\SysWOW64\srvcli.dll - Ok
C:\Windows\SysWOW64\sscore.dll - Ok
C:\Windows\SysWOW64\srhelper.dll - Ok
C:\Windows\SysWOW64\sspicli.dll - Ok
C:\Windows\SysWOW64\srdelayed.exe - Ok
C:\Windows\SysWOW64\srchadmin.dll - Ok
C:\Windows\SysWOW64\stdole2.tlb - Ok
C:\Windows\SysWOW64\srclient.dll - Ok
C:\Windows\SysWOW64\ssdpapi.dll - Ok
C:\Windows\SysWOW64\sqlceqp30.dll - Ok
C:\Windows\SysWOW64\SSShim.dll - Ok
C:\Windows\SysWOW64\stdole32.tlb - Ok
C:\Windows\SysWOW64\stclient.dll - Ok
C:\Windows\SysWOW64\storage.dll - Ok
>C:\Windows\SysWOW64\subst.exe - packed by FLY-CODE
C:\Windows\SysWOW64\StorageContextHandler.dll - Ok
C:\Windows\SysWOW64\SubRange.uce - Ok
C:\Windows\SysWOW64\StructuredQuery.dll - Ok
>C:\Windows\SysWOW64\sppcext.dll - packed by FLY-CODE
C:\Windows\SysWOW64\subst.exe - Ok
C:\Windows\SysWOW64\sxproxy.dll - Ok
C:\Windows\SysWOW64\Storprop.dll - Ok
C:\Windows\SysWOW64\sxshared.dll - Ok
C:\Windows\SysWOW64\stobject.dll - Ok
C:\Windows\SysWOW64\svchost.exe - Ok
C:\Windows\SysWOW64\sxsstore.dll - Ok
C:\Windows\SysWOW64\sxs.dll - Ok
C:\Windows\SysWOW64\sti.dll - Ok
C:\Windows\SysWOW64\sxstrace.exe - Ok
C:\Windows\SysWOW64\synceng.dll - Ok
C:\Windows\SysWOW64\SyncHostps.dll - Ok
C:\Windows\SysWOW64\ssText3d.scr - Ok
C:\Windows\SysWOW64\SyncInfrastructureps.dll - Ok
C:\Windows\SysWOW64\syncui.dll - Ok
C:\Windows\SysWOW64\SyncHost.exe - Ok
C:\Windows\SysWOW64\sppcext.dll - Ok
C:\Windows\SysWOW64\sysprint.sep - Ok
 