Possible Rootkit, Windows Services Crashing

Solved
By wf2008
Feb 28, 2013
  1. I have been noticing weird symptoms with my computer - in the event viewer logs, I am seeing errors such as "Cryptographic Services service terminated unexpectedly" repeatedly, programs sometimes freeze and do not respond for 60-90 seconds (but eventually do), etc. Running boot_cleaner.exe (bootkit_remover), it states "Boot code on some of your physical disks is hidden by a rootkit."

    Here are my logs:

    ****************DDS.TXT*******************
    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16447
    Run by jonesas at 10:06:26 on 2013-02-28
    Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3819.1647 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\SysWOW64\CCM\CcmExec.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\rundll32.exe
    C:\Windows\sysWOW64\wbem\wmiprvse.exe
    C:\Windows\system32\igfxext.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files (x86)\Skype\Phone\Skype.exe
    C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\sysWOW64\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://search.coupons.com/
    BHO: Ginger Grammar & Spell Checker: {0877c1fc-19c6-4fe2-8e3d-699d8edb2964} - C:\Program Files (x86)\Ginger\GingerIEAddin\adxloader.dll
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
    BHO: TBSB07898 Class: {FCBCCB87-9224-4B8D-B117-F56D924BEB18} -
    TB: Coupons.com CouponBar: {8660E5B3-6C41-44DE-8503-98D99BBECD41} -
    uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
    uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    Trusted Zone: clayton
    DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.5.0.cab
    TCP: NameServer = 10.2.1.2 10.1.16.111 10.2.1.1
    TCP: Interfaces\{6858871A-2138-40E3-A415-DF12B09FECCF} : DHCPNameServer = 10.2.1.2 10.1.16.111 10.2.1.1
    TCP: Interfaces\{6858871A-2138-40E3-A415-DF12B09FECCF}\A4F6E6563727163696E676 : DHCPNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
    TCP: Interfaces\{C8CBD6A1-7D4D-469A-B021-8FF78BA781CE} : DHCPNameServer = 10.2.1.2 10.1.16.111 10.2.1.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    AppInit_DLLs= C:\Windows\katrack.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
    LSA: Notification Packages = scecli C:\Program Files\ThinkPad\Bluetooth Software\BtwProximityCP.dll
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.97\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    x64-BHO: Ginger Grammar & Spell Checker: {0877c1fc-19c6-4fe2-8e3d-699d8edb2964} - C:\Program Files (x86)\Ginger\GingerIEAddin\adxloader64.dll
    x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
    x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Notify: igfxcui - igfxdev.dll
    x64-SSODL: WebCheck - <orphaned>
    x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\WFU2012\AppData\Roaming\Mozilla\Firefox\Profiles\gpfneout.default\
    FF - prefs.js: browser.search.selectedEngine - Search Results
    FF - prefs.js: browser.startup.homepage - hxxp://google.wfu.edu
    FF - prefs.js: keyword.URL - hxxp://search.fantastigames.com/web?src=ffb&appid=103&systemid=453&sr=0&q=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_168.dll
    FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
    FF - ExtSQL: 2013-01-16 07:31; adapter@gingersoftware.com; C:\Users\WFU2012\AppData\Roaming\Mozilla\Firefox\Profiles\gpfneout.default\extensions\adapter@gingersoftware.com
    FF - ExtSQL: !HIDDEN! 2012-10-28 17:27; adapter@gingersoftware.com; C:\Program Files (x86)\Mozilla Firefox\extensions\adapter@gingersoftware.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 DzHDD64;DzHDD64;C:\Windows\System32\drivers\DZHDD64.SYS [2011-12-12 29512]
    R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-6-20 16152]
    R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2011-4-18 203888]
    R0 pavboot;pavboot;C:\Windows\System32\drivers\pavboot64.sys [2013-2-27 33800]
    R0 TPDIGIMN;TPDIGIMN;C:\Windows\System32\drivers\ApsHM64.sys [2011-12-28 25416]
    R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\System32\drivers\smiifx64.sys [2011-12-12 15472]
    R1 PHCORE;PHCORE;C:\Program Files\Lenovo\RapidBoot\PHCORE64.sys [2010-12-3 31592]
    R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
    R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
    R2 risdxc;risdxc;C:\Windows\System32\drivers\risdxc64.sys [2011-12-12 101888]
    R3 5U877;5U877;C:\Windows\System32\drivers\5U877.sys [2012-6-20 216704]
    R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;C:\Windows\System32\drivers\AmpPal.sys [2012-3-15 198144]
    R3 bcbtums;Bluetooth RAM Firmware Download USB Filter;C:\Windows\System32\drivers\bcbtums.sys [2012-7-2 163368]
    R3 BTWAMPFL;BTWAMPFL;C:\Windows\System32\drivers\btwampfl.sys [2011-12-12 594472]
    R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2012-7-2 39976]
    R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-6-20 356120]
    R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-6-20 788760]
    R3 iwdbus;IWD Bus Enumerator;C:\Windows\System32\drivers\iwdbus.sys [2012-4-19 25528]
    R3 tvtvcamd;ThinkVantage Virtual Camera;C:\Windows\System32\drivers\tvtvcamd.sys [2012-6-20 27432]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;C:\Windows\System32\drivers\AmpPal.sys [2012-3-15 198144]
    S3 cpudrv64;cpudrv64;C:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [2011-6-2 17864]
    S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-12-8 71168]
    S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\Windows\System32\drivers\intelaud.sys [2012-4-19 35256]
    S3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-6-20 331264]
    S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2011-4-27 98688]
    S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
    S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-12-10 80384]
    S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-12-10 181248]
    S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2011-12-8 20992]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
    S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-12-8 88960]
    S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2011-12-8 34816]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-12-8 59392]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2011-12-8 31232]
    S3 tsusbhub;Remote Deskotop USB Hub;C:\Windows\System32\drivers\tsusbhub.sys [2011-12-8 117248]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-12-7 1255736]
    S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
    S4 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
    S4 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [2012-3-15 659976]
    S4 BTHSSecurityMgr;Intel(R) Centrino(R) Wireless Bluetooth(R) + High Speed Security Service;C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-4-23 135952]
    S4 Cisco WebEx Connect Upgrade Service;Cisco WebEx Connect Upgrade Service;C:\Program Files (x86)\WebEx\Connect\apUpdate.exe [2011-12-1 856888]
    S4 CorelCreatorMessages;CorelCreatorMessages;C:\Windows\System32\CorelCreatorMessages.exe [2012-4-25 105984]
    S4 DozeSvc;Lenovo Doze Mode Service;C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2012-6-20 320576]
    S4 GingerUpdateService;GingerUpdateService;C:\Program Files (x86)\Ginger\GingerUpdateService\GingerUpdateService.exe [2013-2-14 272680]
    S4 HyperW7Svc;HyperW7 Service;C:\Program Files\Lenovo\RapidBoot\HyperW7Svc64.exe [2010-12-3 116072]
    S4 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-2-2 628448]
    S4 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe [2011-2-7 210896]
    S4 LENOVO.CAMMUTE;Lenovo Camera Mute;C:\Program Files\Lenovo\Communications Utility\CamMute.exe [2012-6-20 58192]
    S4 LENOVO.MICMUTE;Lenovo Microphone Mute;C:\Program Files\Lenovo\HOTKEY\micmute.exe [2011-12-12 101736]
    S4 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe [2012-6-20 61264]
    S4 LENOVO.TVTVCAM;ThinkVantage Virtual Camera Controller;C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe [2012-6-20 175440]
    S4 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe [2011-12-12 133992]
    S4 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe [2011-12-12 1662560]
    S4 PwmEWSvc;Cisco EnergyWise Enabler;C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.exe [2011-12-12 1665120]
    S4 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-1-8 161536]
    S4 TPHKLOAD;Lenovo Hotkey Client Loader;C:\Program Files\Lenovo\HOTKEY\tphkload.exe [2011-12-12 145256]
    S4 TPHKSVC;On Screen Display;C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe [2013-2-12 144960]
    S4 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-12-12 363800]
    .
    =============== Created Last 30 ================
    .
    2013-02-28 13:55:16 9162192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EF2D3B2D-9954-423D-93C7-96FCB26C7429}\mpengine.dll
    2013-02-28 13:41:57 -------- d-sh--w- C:\$RECYCLE.BIN
    2013-02-27 21:36:22 -------- d-----w- C:\New folder
    2013-02-27 21:30:24 -------- d-----w- C:\bootkit_remover
    2013-02-27 19:52:08 33800 ----a-w- C:\Windows\System32\drivers\pavboot64.sys
    2013-02-27 19:52:04 -------- d-----w- C:\Program Files (x86)\Panda Security
    2013-02-27 18:58:37 39424 ----a-w- C:\esentprf.dll
    2013-02-27 18:58:37 2565632 ----a-w- C:\esent.dll
    2013-02-26 22:37:35 -------- d-----w- C:\FRST
    2013-02-26 16:19:06 98816 ----a-w- C:\Windows\sed.exe
    2013-02-26 16:19:06 256000 ----a-w- C:\Windows\PEV.exe
    2013-02-26 16:19:06 208896 ----a-w- C:\Windows\MBR.exe
    2013-02-26 15:55:05 -------- d-----w- C:\Windows\pss
    2013-02-26 14:54:11 -------- d-----w- C:\Program Files (x86)\CleanUp!
    2013-02-26 14:24:47 9162192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2013-02-26 14:21:03 -------- d-----w- C:\Users\WFU2012\AppData\Roaming\SUPERAntiSpyware.com
    2013-02-26 14:20:50 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
    2013-02-26 14:20:50 -------- d-----w- C:\Program Files\SUPERAntiSpyware
    2013-02-25 20:24:06 -------- d-----w- C:\Users\WFU2012\AppData\Local\Programs
    2013-02-25 12:48:29 963488 ----a-w- C:\Windows\System32\deployJava1.dll
    2013-02-25 12:48:28 1085344 ----a-w- C:\Windows\System32\npDeployJava1.dll
    2013-02-25 12:34:37 -------- d-----w- C:\Program Files (x86)\JavaJREUpdate
    2013-02-15 22:31:23 186432 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll
    2013-02-15 22:31:23 186432 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll
    2013-02-13 16:29:02 -------- d-----w- C:\Users\WFU2012\AppData\Local\WebEx Connect
    2013-02-13 16:28:43 -------- d-----w- C:\Users\WFU2012\AppData\Roaming\WebEx Connect
    2013-02-13 13:52:39 249 ----a-w- C:\Reset_and_Clear_Print_Spooler_Queue.bat
    2013-02-12 16:15:18 99328 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
    2013-02-12 16:15:18 7936 ----a-w- C:\Windows\System32\drivers\usbd.sys
    2013-02-12 16:15:18 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys
    2013-02-12 16:15:18 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
    2013-02-12 16:15:17 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
    2013-02-12 15:06:07 68864 ----a-w- C:\Windows\System32\drivers\stream.sys
    2013-02-12 14:48:10 569152 ----a-w- C:\Windows\System32\drivers\iaStor.sys
    2013-02-06 13:10:57 -------- d-----w- C:\Users\WFU2012\AppData\Local\Macromedia
    .
    ==================== Find3M ====================
    .
    2013-02-13 18:46:13 71024 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-02-13 18:46:13 691568 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2013-01-30 10:53:22 273840 ------w- C:\Windows\System32\MpSigStub.exe
    2012-12-14 21:49:28 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
    .
    ============= FINISH: 10:06:58.23 ===============


    **************MALWAREBYTES**************

    Malwarebytes Anti-Malware 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.02.25.08

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    jonesas :: JONESAS-6920 [administrator]

    2/28/2013 9:29:59 AM
    mbam-log-2013-02-28 (09-29-59).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 424711
    Time elapsed: 34 minute(s),

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Users\WFU2012\Downloads\CD\Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.

    (end)


    Attach.txt will be added separately since it is so long
  2. wf2008 (Topic Starter)

    ********************ATTACH.TXT*************************
    Note: I had to remove some of the "Cryptographic Services service terminated unexpectedly" errors because this message was still too long to post, even by itself. I can attach the full log if desired.

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT



    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Enterprise
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/22/2012 3:26:39 PM
    System Uptime: 2/28/2013 8:40:45 AM (2 hours ago)
    .
    Motherboard: LENOVO | | 2355A12
    Processor: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz | CPU Socket - U3E1 | 2601/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 298 GiB total, 227.893 GiB free.
    D: is CDROM (UDF)
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Cisco Systems VPN Adapter for 64-bit Windows
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter for 64-bit Windows
    PNP Device ID: ROOT\NET\0000
    Service: CVirtA
    .
    ==== System Restore Points ===================
    .
    RP140: 2/6/2013 11:56:59 AM - Configured Ginger
    RP141: 2/8/2013 8:06:33 AM - Windows Update
    RP142: 2/12/2013 8:06:58 AM - Windows Update
    RP143: 2/12/2013 9:49:38 AM - Windows Update
    RP144: 2/12/2013 10:05:50 AM - Windows Update
    RP145: 2/12/2013 11:13:39 AM - Installed Microsoft Fix it 50229
    RP146: 2/12/2013 11:15:06 AM - Windows Update
    RP147: 2/13/2013 8:59:00 AM - Windows Update
    RP148: 2/14/2013 11:43:44 AM - Configured Ginger
    RP149: 2/16/2013 1:53:26 PM - Windows Update
    RP150: 2/20/2013 1:53:44 PM - Windows Update
    RP151: 2/24/2013 1:45:45 AM - Windows Update
    RP153: 2/25/2013 3:06:08 PM - Removed Java 7 Update 15
    RP155: 2/25/2013 3:06:48 PM - Removed Java 7 Update 15 (64-bit)
    RP156: 2/27/2013 4:45:53 PM - ComboFix created restore point
    RP158: 2/28/2013 8:54:59 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    64 Bit HP BiDi Channel Components Installer
    7-Zip 9.20 (x64 edition)
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.6)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Audacity 2.0
    Bonjour
    Cisco Systems VPN Client 5.0.07.0440
    Cisco WebEx Connect
    CleanUp!
    Configuration Manager Client
    Contents
    Corel PaintShop Pro X4
    Corel PDF Fusion
    Corel PDF Fusion Addins
    Corel VideoStudio Pro X5
    Definition Update for Microsoft Office 2010 (KB982726) 64-Bit Edition
    Dolby Advanced Audio v2
    EZ Fonts
    Ginger
    Google Chrome
    Google Update Helper
    GoToMeeting 5.2.0.952
    Hotfix for Microsoft Excel 2010 (KB2598350)
    Hotfix for Microsoft Office 2010 (KB2598378)
    Hyland Web ActiveX Controls
    ICA
    ImgBurn
    Integrated Camera Driver Installer Package Ver.1.1.0.1147
    Integrated Camera Driver Installer Package Ver.1.2.1.18
    Integrated Camera TWAIN
    Intel PROSet Wireless
    Intel(R) Control Center
    Intel(R) Identity Protection Technology 1.0.74.0
    Intel(R) Management Engine Components
    Intel(R) Network Connections Drivers
    Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed
    Intel(R) USB 3.0 eXtensible Host Controller Driver
    Intel(R) WiDi
    Intel(R) Wireless Display
    Intel® PROSet/Wireless WiFi Software
    Intel® Trusted Connect Service Client
    InterVideo WinDVD 8
    IPM_PSP_COM
    IPM_VS_Pro
    ISCOM
    iTunes
    JavaFX 2.1.1
    Lenovo Auto Scroll Utility
    Lenovo Patch Utility
    Lenovo Patch Utility 64 bit
    Lenovo System Interface Driver
    Lenovo System Update
    Malwarebytes Anti-Malware version 1.70.0.1100
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Mouse and Keyboard Center
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office Office 32-bit Components 2010
    Microsoft Office Office 64-bit Components 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared 32-bit MUI (English) 2010
    Microsoft Office Shared 64-bit MUI (English) 2007
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2007
    Microsoft Office Word MUI (English) 2010
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable (x64)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
    Mozilla Firefox 19.0 (x86 en-US)
    Mozilla Maintenance Service
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    On Screen Display
    Panda ActiveScan 2.0
    Power Manager
    PSPPContent
    PSPPHelp
    PSPPro64
    QuickTime
    RapidBoot
    Realtek High Definition Audio Driver
    Renesas Electronics USB 3.0 Host Controller Driver
    RICOH_Media_Driver_v2.14.18.01
    Samsung SSD Magician
    Sassafras K2 Client
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB960003)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft InfoPath 2010 (KB2553322) 64-Bit Edition
    Security Update for Microsoft InfoPath 2010 (KB2553431) 64-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553091)
    Security Update for Microsoft Office 2010 (KB2553096)
    Security Update for Microsoft Office 2010 (KB2553447) 64-Bit Edition
    Security Update for Microsoft Office 2010 (KB2589320) 64-Bit Edition
    Security Update for Microsoft Office 2010 (KB2598243) 64-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB959997)
    Security Update for Microsoft Office PowerPoint 2007 (KB951338)
    Security Update for Microsoft Office Publisher 2007 (KB950114)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB956828)
    Security Update for Microsoft Office Word 2007 (KB956358)
    Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
    Security Update for Microsoft Visio Viewer 2010 (KB2597981) 64-Bit Edition
    Setup
    Share
    Share64
    Skype™ 6.1
    Smart Label Printer 6.6
    SmartSound Common Data
    SmartSound Quicktracks 5
    SUPERAntiSpyware
    System Requirements Lab for Intel
    ThinkPad Bluetooth with Enhanced Data Rate Software
    ThinkPad FullScreen Magnifier
    ThinkPad Power Management Driver
    ThinkPad UltraNav Driver
    ThinkPad UltraNav Utility
    ThinkVantage Active Protection System
    ThinkVantage AutoLock
    ThinkVantage Communications Utility
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Update for Microsoft Office 2010 (KB2553065)
    Update for Microsoft Office 2010 (KB2553092)
    Update for Microsoft Office 2010 (KB2553181) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2553267) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2553310) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2553378) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Office 2010 (KB2597091) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2598242) 64-Bit Edition
    Update for Microsoft Office 2010 (KB2760631) 64-Bit Edition
    Update for Microsoft Office Outlook 2007 (KB952142)
    Update for Microsoft OneNote 2010 (KB2553290) 64-Bit Edition
    Update for Microsoft OneNote 2010 (KB2589345) 64-Bit Edition
    Update for Microsoft Outlook 2010 (KB2553248) 64-Bit Edition
    Update for Microsoft Outlook 2010 (KB2597090) 64-Bit Edition
    Update for Microsoft Outlook Social Connector 2010 (KB2553406) 64-Bit Edition
    Update for Microsoft PowerPoint 2010 (KB2598240) 64-Bit Edition
    Update for Office 2007 (KB932080)
    Update for Office 2007 (KB934391)
    VSClassic
    VSHelp
    VSPro
    Windows Media Encoder 9 Series
    WinSCP 4.3.7
    .
    ==== Event Viewer Messages From Past Week ========
    .
    2/28/2013 9:11:12 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 410 time(s).
    2/28/2013 9:11:07 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 409 time(s).
    2/28/2013 9:11:02 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 408 time(s).
    2/28/2013 9:10:57 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 407 time(s).
    2/28/2013 9:10:52 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 406 time(s).
    2/28/2013 9:10:47 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 405 time(s).
    2/28/2013 9:10:42 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 404 time(s).
    2/28/2013 9:10:37 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 403 time(s).
    2/28/2013 9:10:32 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 402 time(s).
    2/28/2013 9:10:27 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 401 time(s).
    2/28/2013 9:10:22 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 400 time(s).
    2/28/2013 9:10:17 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 399 time(s).
    2/28/2013 9:10:12 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 398 time(s).
    2/28/2013 9:10:07 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 397 time(s).
    2/28/2013 9:10:02 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 396 time(s).
    2/28/2013 9:09:57 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 395 time(s).
    2/28/2013 9:09:54 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
    2/28/2013 9:09:52 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 394 time(s).
    2/28/2013 9:09:47 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 393 time(s).
    2/28/2013 9:09:42 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 392 time(s).
    2/28/2013 9:09:37 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 391 time(s).
    2/28/2013 9:09:32 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 390 time(s).
    2/28/2013 9:09:27 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 389 time(s).
    2/28/2013 9:09:22 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 388 time(s).


    .....(some repeated messages removed here)...

    2/28/2013 9:05:11 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 295 time(s).
    2/28/2013 9:05:10 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 294 time(s).
    2/28/2013 9:05:06 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 293 time(s).
    2/28/2013 9:05:05 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 292 time(s).
    2/28/2013 9:05:01 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 291 time(s).
    2/28/2013 9:05:00 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 290 time(s).
    2/28/2013 9:04:56 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 289 time(s).
    2/28/2013 9:04:55 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 288 time(s).
    2/28/2013 9:04:51 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 287 time(s).
    2/28/2013 9:04:50 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 286 time(s).


    .....(some repeated messages removed here)...

    2/28/2013 8:53:51 AM, Error: Service Control Manager [7034] - The Workstation service terminated unexpectedly. It has done this 3 time(s).
    2/28/2013 8:53:51 AM, Error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 3 time(s).
    2/28/2013 8:53:51 AM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 3 time(s).
    2/28/2013 8:53:51 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 27 time(s).
    2/28/2013 8:45:46 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 26 time(s).
    2/28/2013 8:45:41 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 25 time(s).
    2/28/2013 8:45:36 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 24 time(s).
    2/28/2013 8:45:31 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 23 time(s).
    2/28/2013 8:45:26 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 22 time(s).
    2/28/2013 8:45:21 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 21 time(s).
    2/28/2013 8:45:16 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 20 time(s).
    2/28/2013 8:45:11 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 19 time(s).
    2/28/2013 8:45:06 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 18 time(s).
    2/28/2013 8:45:01 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 17 time(s).
    2/28/2013 8:44:56 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 16 time(s).
    2/28/2013 8:44:51 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 15 time(s).
    2/28/2013 8:44:51 AM, Error: Service Control Manager [7031] - The Telephony service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
    2/28/2013 8:44:51 AM, Error: Service Control Manager [7031] - The DNS Client service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
    2/28/2013 8:44:46 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 14 time(s).
    2/28/2013 8:44:41 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 13 time(s).
    2/28/2013 8:44:36 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 12 time(s).
    2/28/2013 8:44:31 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 11 time(s).
    2/28/2013 8:44:26 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 10 time(s).
    2/28/2013 8:44:21 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 9 time(s).
    2/28/2013 8:44:16 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 8 time(s).
    2/28/2013 8:44:11 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 7 time(s).
    2/28/2013 8:44:07 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 6 time(s).
    2/28/2013 8:44:01 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 5 time(s).
    2/28/2013 8:43:57 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 4 time(s).
    2/28/2013 8:43:51 AM, Error: Service Control Manager [7034] - The Network Location Awareness service terminated unexpectedly. It has done this 3 time(s).
    2/28/2013 8:43:51 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 3 time(s).
    2/28/2013 8:43:51 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 2 time(s).
    2/28/2013 8:43:51 AM, Error: Service Control Manager [7031] - The Workstation service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/28/2013 8:43:51 AM, Error: Service Control Manager [7031] - The Network Location Awareness service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    2/28/2013 8:43:42 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} and APPID {B292921D-AF50-400C-9B75-0C57A7F29BA1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    2/28/2013 8:42:50 AM, Error: Service Control Manager [7031] - The Workstation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/28/2013 8:42:50 AM, Error: Service Control Manager [7031] - The Telephony service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/28/2013 8:42:50 AM, Error: Service Control Manager [7031] - The Network Location Awareness service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    2/28/2013 8:42:50 AM, Error: Service Control Manager [7031] - The DNS Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/28/2013 8:42:50 AM, Error: Service Control Manager [7031] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/28/2013 8:41:05 AM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain DEACNET due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
    2/28/2013 8:40:46 AM, Error: Microsoft-Windows-BitLocker-Driver [24636] - Bootmgr failed to obtain the BitLocker volume master key from the TPM.
    2/28/2013 8:40:46 AM, Error: Microsoft-Windows-BitLocker-Driver [24635] - Bootmgr failed to obtain the BitLocker volume master key from the TPM because the PCRs did not match.
    2/28/2013 10:05:27 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.
    2/27/2013 7:06:08 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    2/27/2013 7:05:31 PM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 2396 time(s).
    2/27/2013 7:05:26 PM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 2395 time(s).
    2/27/2013 7:05:21 PM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 2394 time(s).
    2/27/2013 7:05:16 PM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 2393 time(s).

    .....(some repeated messages removed here)...


    2/27/2013 1:21:12 PM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 7 time(s).
    2/27/2013 1:21:04 PM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 6 time(s).
    2/26/2013 9:51:40 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache lenovo.smi MpFilter SASDIFSV SASKUTIL spldr TPPWRIF Wanarpv6
    2/26/2013 9:29:56 AM, Error: Service Control Manager [7034] - The Cisco Systems, Inc. VPN Service service terminated unexpectedly. It has done this 1 time(s).
    2/26/2013 9:12:29 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.145.417.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9203.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    2/26/2013 8:50:40 AM, Error: Microsoft-Windows-GroupPolicy [1053] - The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
    2/26/2013 5:22:43 PM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 5 time(s).
    2/26/2013 5:18:26 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the DNS Client service, but this action failed with the following error: An instance of the service is already running.
    2/26/2013 5:14:37 PM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 4 time(s).
    2/26/2013 5:11:52 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
    2/26/2013 5:05:59 PM, Error: Service Control Manager [7038] - The LanmanWorkstation service was unable to log on as NT AUTHORITY\NetworkService with the currently configured password due to the following error: The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    2/26/2013 5:05:59 PM, Error: Service Control Manager [7000] - The Workstation service failed to start due to the following error: The service did not start due to a logon failure.
    2/26/2013 3:38:45 PM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 9 time(s).
    2/26/2013 11:18:46 AM, Error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    2/26/2013 11:17:53 AM, Error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    2/26/2013 10:47:27 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    2/26/2013 10:41:14 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    2/26/2013 10:41:13 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    2/26/2013 10:41:13 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    2/26/2013 10:41:07 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    2/26/2013 1:59:13 PM, Error: Microsoft-Windows-GroupPolicy [1055] - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
    2/26/2013 1:17:50 PM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    2/25/2013 7:20:22 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.145.417.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9203.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    2/25/2013 5:52:47 PM, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
    2/25/2013 5:46:30 PM, Error: Service Control Manager [7038] - The Dnscache service was unable to log on as NT AUTHORITY\NetworkService with the currently configured password due to the following error: The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    2/25/2013 5:46:30 PM, Error: Service Control Manager [7000] - The DNS Client service failed to start due to the following error: The service did not start due to a logon failure.
    2/25/2013 3:42:29 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.145.487.0).
    2/25/2013 3:42:16 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.145.417.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9203.0 Error code: 0x80070643 Error description: Fatal error during installation.
    2/25/2013 3:30:21 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Cryptographic Services service, but this action failed with the following error: An instance of the service is already running.
    2/25/2013 3:22:38 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache lenovo.smi MpFilter spldr TPPWRIF Wanarpv6
    2/25/2013 3:04:32 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {1CCB96F4-B8AD-4B43-9688-B273F58E0910} and APPID {AD65A69D-3831-40D7-9629-9B0B50A93843} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    2/25/2013 2:41:56 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Winmgmt service.
    2/25/2013 2:41:15 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ProfSvc service.
    2/25/2013 2:40:34 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the FontCache3.0.0.0 service.
    2/25/2013 2:37:46 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.145.417.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9203.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    2/25/2013 2:37:10 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Lenovo.VIRTSCRLSVC service.
    2/25/2013 12:24:21 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LENOVO.CAMMUTE service.
    2/25/2013 12:24:06 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LENOVO.TVTVCAM service.
    2/25/2013 12:22:16 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the btwdins service.
    2/25/2013 12:21:37 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Apple Mobile Device service.
    .
    ==== End Of File ===========================
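The event-viewer section of the DDS log is the most telling part of the post: one service dies every five seconds and the Service Control Manager keeps restarting it. The following script is an added triage example, not part of wf2008's post, of DDS or of any tool the helper recommends. It parses the `date, Error: Source [id] - message` lines DDS emits, groups Service Control Manager 7031/7034 terminations per service, and flags services caught in a restart-crash loop so they stand out from one-off errors (disk controller errors, the BitLocker PCR mismatch). The sample lines are copied from the log above; the loop thresholds (at least three crashes, no more than ten seconds apart) are assumptions chosen for this example.

```python
"""Triage helper for the 'Event Viewer Messages' block of a DDS log.

Added example; not code from the forum post, from DDS or from FRST.
Parses lines shaped like
    M/D/YYYY h:mm:ss AM, Error: <Source> [<EventID>] - <message>
and summarises Service Control Manager terminations per service.
"""
import re
from collections import defaultdict
from datetime import datetime

# One DDS event line; the message is everything after " - ".
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
# Service name inside SCM 7031/7034 messages.
SVC_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")

# Constructed sample: a subset of lines copied from the log in the post.
SAMPLE = r"""
2/28/2013 9:11:12 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 410 time(s).
2/28/2013 9:11:07 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 409 time(s).
2/28/2013 9:11:02 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 408 time(s).
2/28/2013 9:09:54 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
2/28/2013 8:53:51 AM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 3 time(s).
2/28/2013 8:42:50 AM, Error: Service Control Manager [7031] - The Workstation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/28/2013 8:40:46 AM, Error: Microsoft-Windows-BitLocker-Driver [24635] - Bootmgr failed to obtain the BitLocker volume master key from the TPM because the PCRs did not match.
"""


def parse_events(text):
    """Return a list of dicts (ts, source, eid, msg); non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        events.append({"ts": ts, "source": m["source"],
                       "eid": int(m["eid"]), "msg": m["msg"]})
    return events


def service_crashes(events):
    """Group SCM 7031/7034 events by service name -> sorted list of timestamps."""
    out = defaultdict(list)
    for e in events:
        if e["source"] != "Service Control Manager" or e["eid"] not in (7031, 7034):
            continue
        m = SVC_RE.match(e["msg"])
        if m:
            out[m["svc"]].append(e["ts"])
    return {svc: sorted(stamps) for svc, stamps in out.items()}


def crash_loops(events, max_gap_seconds=10, min_count=3):
    """Services that crashed at least min_count times with every consecutive
    pair of crashes at most max_gap_seconds apart (a restart-crash loop).
    Thresholds are assumptions for this example."""
    loops = {}
    for svc, stamps in service_crashes(events).items():
        if len(stamps) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) <= max_gap_seconds:
            loops[svc] = {"count": len(stamps), "max_gap_s": max(gaps)}
    return loops


def other_errors(events):
    """Everything that is not an SCM termination, counted by (source, event id),
    so disk and boot-integrity errors are not lost under the crash noise."""
    counts = defaultdict(int)
    for e in events:
        if e["source"] == "Service Control Manager" and e["eid"] in (7031, 7034):
            continue
        counts[(e["source"], e["eid"])] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print("crash loops:", crash_loops(evs))
    print("other errors:", other_errors(evs))
```

Run on the full event-viewer block rather than the sample, the output separates the Cryptographic Services loop (several hundred terminations at a fixed five-second cadence) from the DNS Client, Workstation, Telephony and Network Location Awareness crashes that cluster at the same second, and lists the disk controller and BitLocker-driver events separately for follow-up.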
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.


    Farbar Recovery Scan Tool x64

    Download Farbar Recovery Scan Tool and save it to a flash drive.


    Please make sure to get the 64-bit version

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst64.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
    • Press Scan button. It will do its scan and save a log on your flash drive.
    • Close out of the message after that, then type in the text services.exe in to the "Search:" text box. Then, press the Search file(s) button, just as below:
      (screenshot omitted)
      When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
    • Type exit in the Command Prompt window and reboot the computer normally.
    • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
  4. wf2008

    wf2008 Newcomer, in training Topic Starter

    Hi, thank you for your help. Here are the requested logs:


    ****************FRST.TXT********************

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-02-2013
    Ran by SYSTEM at 28-02-2013 14:25:41
    Running from F:\
    Windows 7 Enterprise (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKU\WFU2012\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18705664 2013-01-08] (Skype Technologies S.A.)
    HKU\WFU2012\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5629312 2013-02-26] (SUPERAntiSpyware.com)
    Tcpip\Parameters: [DhcpNameServer] 10.2.1.2 10.1.16.111 10.2.1.1
    AppInit_DLLs: C:\Windows\katrk64.dll
    Lsa: [Notification Packages] scecli C:\Program Files\ThinkPad\Bluetooth Software\BtwProximityCP.dll
    Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Samsung SSD Magician.lnk
    ShortcutTarget: Samsung SSD Magician.lnk -> C:\Program Files (x86)\Samsung SSD Magician\Samsung SSD Magician.exe (Samsung Electronics.)
    Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Samsung SSD Magician.lnk
    ShortcutTarget: Samsung SSD Magician.lnk -> C:\Program Files (x86)\Samsung SSD Magician\Samsung SSD Magician.exe (Samsung Electronics.)
    Startup: C:\Users\jonesas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Samsung SSD Magician.lnk
    ShortcutTarget: Samsung SSD Magician.lnk -> C:\Program Files (x86)\Samsung SSD Magician\Samsung SSD Magician.exe (Samsung Electronics.)

    ==================== Services (Whitelisted) ===================

    4 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2012-07-11] (SUPERAntiSpyware.com)
    4 Cisco WebEx Connect Upgrade Service; C:\Program Files (x86)\WebEx\Connect\apUpdate.exe [856888 2011-12-01] (WebEx Communications Inc.)
    4 CorelCreatorMessages; "C:\Windows\system32\CorelCreatorMessages.exe" [105984 2012-04-25] (Global Graphics Software Ltd)
    4 DozeSvc; C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [320576 2012-05-16] (Lenovo.)
    4 GingerUpdateService; "C:\Program Files (x86)\Ginger\GingerUpdateService\GingerUpdateService.exe" [272680 2013-02-14] (Ginger Software)
    4 LENOVO.TVTVCAM; C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe [175440 2012-04-10] (Lenovo Group Limited)
    4 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [133992 2011-07-12] (Lenovo Group Limited)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    4 SUService; "C:\Program Files (x86)\Lenovo\System Update\SUService.exe" [22376 2013-02-04] ()

    ==================== Drivers (Whitelisted) =====================

    3 bcbtums; C:\Windows\System32\Drivers\bcbtums.sys [163368 2012-04-01] (Broadcom Corporation.)
    3 cpudrv64; \??\C:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [17864 2011-06-02] ()
    3 CVPNDRVA; C:\Windows\System32\Drivers\CVPNDRVA.sys [306536 2011-03-04] ()
    0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [203888 2012-03-20] (Microsoft Corporation)
    3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [98688 2012-03-20] (Microsoft Corporation)
    0 pavboot; C:\Windows\System32\drivers\pavboot64.sys [33800 2009-06-30] (Panda Security, S.L.)
    3 prepdrvr; \??\C:\Windows\SysWOW64\CCM\prepdrv.sys [26992 2009-09-18] (Microsoft Corporation)
    1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    3 tvtvcamd; C:\Windows\System32\Drivers\tvtvcamd.sys [27432 2011-12-07] (ThinkVantage Communications Utility)
    3 catchme; \??\C:\ComboFix\catchme.sys [x]
    3 CnxtHdAudService; C:\Windows\System32\drivers\CHDRT64.sys [x]
    3 KeyAccess; [x]
    3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2013-02-28 07:07 - 2013-02-28 07:06 - 00017635 ____A C:\Users\WFU2012\Desktop\dds.txt
    2013-02-27 16:08 - 2013-02-27 16:08 - 00020552 ____A C:\ComboFix.txt
    2013-02-27 13:36 - 2013-02-27 13:43 - 00000000 ____D C:\New folder
    2013-02-27 13:36 - 2013-02-27 13:42 - 00191772 ____A C:\Users\WFU2012\Desktop\Rkill.txt
    2013-02-27 13:30 - 2013-02-27 13:30 - 00000000 ____D C:\bootkit_remover
    2013-02-27 11:52 - 2013-02-27 11:53 - 00000000 ____D C:\Program Files (x86)\Panda Security
    2013-02-27 11:52 - 2009-06-30 07:37 - 00033800 ____A (Panda Security, S.L.) C:\Windows\System32\Drivers\pavboot64.sys
    2013-02-27 10:58 - 2011-03-10 22:33 - 02565632 ____A (Microsoft Corporation) C:\esent.dll
    2013-02-27 10:58 - 2009-07-13 17:40 - 00039424 ____A (Microsoft Corporation) C:\esentprf.dll
    2013-02-26 14:37 - 2013-02-26 14:37 - 00000000 ____D C:\FRST
    2013-02-26 08:19 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
    2013-02-26 08:19 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
    2013-02-26 08:19 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2013-02-26 08:19 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2013-02-26 08:19 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2013-02-26 08:19 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
    2013-02-26 08:19 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
    2013-02-26 08:19 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
    2013-02-26 08:17 - 2013-02-27 16:08 - 00000000 ____D C:\Qoobox
    2013-02-26 08:16 - 2013-02-27 16:06 - 00000000 ____D C:\Windows\erdnt
    2013-02-26 07:55 - 2013-02-26 07:55 - 00000000 ____D C:\Windows\pss
    2013-02-26 06:54 - 2013-02-26 06:54 - 00000000 ____D C:\Program Files (x86)\CleanUp!
    2013-02-26 06:53 - 2013-02-26 06:53 - 00339257 ____A C:\Users\WFU2012\Downloads\CleanUp452.exe
    2013-02-26 06:21 - 2013-02-26 06:21 - 00000000 ____D C:\Users\WFU2012\AppData\Roaming\SUPERAntiSpyware.com
    2013-02-26 06:20 - 2013-02-26 06:21 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
    2013-02-26 06:20 - 2013-02-26 06:20 - 00001808 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
    2013-02-26 06:20 - 2013-02-26 06:20 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
    2013-02-25 12:08 - 2013-02-25 12:08 - 00088576 ____A C:\Users\WFU2012\Downloads\WfuBitlockerManager (1).exe
    2013-02-25 05:22 - 2013-02-25 05:22 - 00203290 ____A C:\Users\WFU2012\Downloads\mZakXFnW.pdf.part
    2013-02-25 05:22 - 2013-02-25 05:22 - 00203252 ____A C:\Users\WFU2012\Downloads\sC+KTtO1.pdf.part
    2013-02-25 05:20 - 2013-02-25 05:21 - 00203252 ____A C:\Users\WFU2012\Downloads\oMuLiQib.pdf.part
    2013-02-25 04:48 - 2013-02-25 04:47 - 01085344 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
    2013-02-25 04:48 - 2013-02-25 04:47 - 00963488 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
    2013-02-25 04:34 - 2013-02-25 04:34 - 00000000 ____D C:\Program Files (x86)\JavaJREUpdate
    2013-02-19 17:14 - 2013-02-21 04:48 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-02-13 12:29 - 2013-02-13 12:29 - 00014840 ____A C:\Users\WFU2012\Downloads\link.htm
    2013-02-13 08:45 - 2013-02-13 08:45 - 00279507 ____A C:\Users\WFU2012\Downloads\Festival on the Quad 2012 Flickr - Photo Sharing!.htm
    2013-02-13 08:45 - 2013-02-13 08:45 - 00000000 ____D C:\Users\WFU2012\Downloads\Festival on the Quad 2012 Flickr - Photo Sharing!_files
    2013-02-13 08:29 - 2013-02-13 08:29 - 00000000 ____D C:\Users\WFU2012\AppData\Local\WebEx Connect
    2013-02-13 08:28 - 2013-02-13 08:36 - 00000000 ____D C:\Users\WFU2012\AppData\Roaming\WebEx Connect
    2013-02-13 05:52 - 2012-08-23 04:49 - 00000249 ____A C:\Reset_and_Clear_Print_Spooler_Queue.bat
    2013-02-13 05:05 - 2013-02-13 05:05 - 00240272 ____A C:\Users\WFU2012\Downloads\Hayden2.htm
    2013-02-12 12:59 - 2013-02-12 12:59 - 10377216 ____A C:\Users\WFU2012\Downloads\COM 370-1.ppt
    2013-02-12 08:28 - 2013-02-12 08:28 - 00088576 ____A C:\Users\WFU2012\Downloads\WfuBitlockerManager.exe
    2013-02-12 08:15 - 2011-10-04 19:54 - 00343040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usbhub.sys
    2013-02-12 08:15 - 2011-10-04 19:54 - 00099328 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usbccgp.sys
    2013-02-12 08:15 - 2011-10-04 19:41 - 00325120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usbport.sys
    2013-02-12 08:15 - 2011-10-04 19:41 - 00052736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usbehci.sys
    2013-02-12 08:15 - 2011-10-04 19:41 - 00007936 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usbd.sys
    2013-02-12 08:12 - 2013-02-12 08:20 - 00000000 ____D C:\Users\Administrator\AppData\Local\CrashDumps
    2013-02-12 08:12 - 2013-02-12 08:12 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Smart Label Printer
    2013-02-12 08:12 - 2013-02-12 08:12 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Acapela Group
    2013-02-12 07:06 - 2012-01-13 20:41 - 00068864 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\stream.sys
    2013-02-12 06:48 - 2012-05-30 10:42 - 00569152 ____A (Intel Corporation) C:\Windows\System32\Drivers\iaStor.sys
    2013-02-06 10:35 - 2013-02-06 10:35 - 00005097 ____A C:\Users\WFU2012\Downloads\Kelly, Stan 013013.doc (1).html
    2013-02-06 10:29 - 2013-02-06 10:30 - 00005097 ____A C:\Users\WFU2012\Downloads\Kelly, Stan 013013.doc.html
    2013-02-06 08:56 - 2013-02-14 08:44 - 00012423 ____A C:\GingerSetupHelper.log
    2013-02-06 05:10 - 2013-02-06 05:10 - 00000000 ____D C:\Users\WFU2012\AppData\Local\Macromedia
    2013-02-05 04:52 - 2013-02-05 04:52 - 01004608 ____A (Solid State Networks) C:\Users\WFU2012\Downloads\install_flashplayer11x32_mssa_aih(1).exe
    2013-02-01 12:59 - 2013-02-01 12:59 - 00074086 ____A C:\Users\WFU2012\Downloads\AlumParti (1).pptx
    2013-02-01 10:15 - 2013-02-01 10:15 - 00074086 ____A C:\Users\WFU2012\Downloads\AlumParti.pptx
    2013-02-01 07:30 - 2013-02-01 07:30 - 00224914 ____A C:\Users\WFU2012\Downloads\Alumni_Participation_BenchmarkOther_Ver4.pptx
    2013-02-01 04:49 - 2013-02-01 04:49 - 00282232 ____A C:\Windows\Minidump\020113-17628-01.dmp
    2013-01-29 12:00 - 2013-02-20 06:30 - 00026708 ____A C:\Users\WFU2012\Downloads\Copy of Detail - Transaction-1.xlsx
    2013-01-29 11:59 - 2013-01-29 11:59 - 00093679 ____A C:\Users\WFU2012\Downloads\Copy of Summary - Operating Including Activity & Location-1.xlsx


    ==================== One Month Modified Files and Folders =======

    2013-02-28 11:20 - 2012-06-22 11:24 - 01745892 ____A C:\Windows\WindowsUpdate.log
    2013-02-28 11:16 - 2013-01-24 18:47 - 00000000 ____D C:\Users\WFU2012\AppData\Roaming\Skype
    2013-02-28 11:16 - 2012-06-22 05:51 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-02-28 10:48 - 2012-06-28 06:45 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-02-28 10:47 - 2012-08-01 05:24 - 00000792 ____A C:\Windows\System32\config\netlogon.ftl
    2013-02-28 07:20 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-02-28 07:20 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-02-28 07:16 - 2012-06-22 05:51 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-02-28 07:13 - 2012-08-01 05:28 - 00000462 ____A C:\Windows\SMSCFG.ini
    2013-02-28 07:12 - 2012-06-20 06:36 - 00036954 ____A C:\Windows\setupact.log
    2013-02-28 07:12 - 2011-12-12 08:01 - 00048410 ____A C:\Windows\PFRO.log
    2013-02-28 07:12 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-02-28 07:07 - 2013-02-28 07:07 - 00401650 ____A C:\Users\WFU2012\Desktop\attach.txt
    2013-02-28 07:06 - 2013-02-28 07:07 - 00017635 ____A C:\Users\WFU2012\Desktop\dds.txt
    2013-02-28 06:11 - 2009-07-13 21:13 - 00789078 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-02-27 16:08 - 2013-02-27 16:08 - 00020552 ____A C:\ComboFix.txt
    2013-02-27 16:08 - 2013-02-26 08:17 - 00000000 ____D C:\Qoobox
    2013-02-27 16:06 - 2013-02-26 08:16 - 00000000 ____D C:\Windows\erdnt
    2013-02-27 16:06 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
    2013-02-27 13:43 - 2013-02-27 13:36 - 00000000 ____D C:\New folder
    2013-02-27 13:42 - 2013-02-27 13:36 - 00191772 ____A C:\Users\WFU2012\Desktop\Rkill.txt
    2013-02-27 13:31 - 2012-07-02 04:40 - 00000000 ____D C:\Users\WFU2012\AppData\Local\Deployment
    2013-02-27 13:31 - 2012-07-02 04:40 - 00000000 ____D C:\Users\WFU2012\AppData\Local\Apps\2.0
    2013-02-27 13:30 - 2013-02-27 13:30 - 00000000 ____D C:\bootkit_remover
    2013-02-27 11:53 - 2013-02-27 11:52 - 00000000 ____D C:\Program Files (x86)\Panda Security
    2013-02-26 14:37 - 2013-02-26 14:37 - 00000000 ____D C:\FRST
    2013-02-26 10:53 - 2012-09-27 05:30 - 00000000 ____D C:\users\ACNET
    2013-02-26 10:18 - 2012-06-22 11:26 - 00000000 ____D C:\users\Administrator
    2013-02-26 10:18 - 2012-06-22 11:03 - 00000000 ____D C:\users\WFU2012
    2013-02-26 07:55 - 2013-02-26 07:55 - 00000000 ____D C:\Windows\pss
    2013-02-26 06:54 - 2013-02-26 06:54 - 00000000 ____D C:\Program Files (x86)\CleanUp!
    2013-02-26 06:53 - 2013-02-26 06:53 - 00339257 ____A C:\Users\WFU2012\Downloads\CleanUp452.exe
    2013-02-26 06:21 - 2013-02-26 06:21 - 00000000 ____D C:\Users\WFU2012\AppData\Roaming\SUPERAntiSpyware.com
    2013-02-26 06:21 - 2013-02-26 06:20 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
    2013-02-26 06:20 - 2013-02-26 06:20 - 00001808 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
    2013-02-26 06:20 - 2013-02-26 06:20 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
    2013-02-26 05:06 - 2012-06-22 06:04 - 00000000 ____D C:\Users\Public\Downloads\WebEx Connect
    2013-02-25 12:24 - 2012-06-28 05:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-02-25 12:08 - 2013-02-25 12:08 - 00088576 ____A C:\Users\WFU2012\Downloads\WfuBitlockerManager (1).exe
    2013-02-25 07:36 - 2012-08-01 05:25 - 00018682 _RASH C:\ProgramData\ntuser.pol
    2013-02-25 05:22 - 2013-02-25 05:22 - 00203290 ____A C:\Users\WFU2012\Downloads\mZakXFnW.pdf.part
    2013-02-25 05:22 - 2013-02-25 05:22 - 00203252 ____A C:\Users\WFU2012\Downloads\sC+KTtO1.pdf.part
    2013-02-25 05:21 - 2013-02-25 05:20 - 00203252 ____A C:\Users\WFU2012\Downloads\oMuLiQib.pdf.part
    2013-02-25 04:47 - 2013-02-25 04:48 - 01085344 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
    2013-02-25 04:47 - 2013-02-25 04:48 - 00963488 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
    2013-02-25 04:34 - 2013-02-25 04:34 - 00000000 ____D C:\Program Files (x86)\JavaJREUpdate
    2013-02-21 04:48 - 2013-02-19 17:14 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-02-21 04:47 - 2012-06-28 05:56 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2013-02-20 06:30 - 2013-01-29 12:00 - 00026708 ____A C:\Users\WFU2012\Downloads\Copy of Detail - Transaction-1.xlsx
    2013-02-15 14:35 - 2012-07-02 05:23 - 00000000 ____D C:\Users\WFU2012\AppData\Local\CrashDumps
    2013-02-14 08:44 - 2013-02-06 08:56 - 00012423 ____A C:\GingerSetupHelper.log
    2013-02-14 08:44 - 2012-10-28 13:27 - 00002949 ____A C:\Users\Public\Desktop\Ginger.lnk
    2013-02-14 08:44 - 2012-10-28 13:27 - 00000000 ____D C:\Program Files (x86)\Ginger
    2013-02-14 08:44 - 2012-10-28 13:26 - 00003091 ____A C:\GingerSetup.log
    2013-02-13 12:35 - 2012-08-01 06:40 - 00000000 ____D C:\Users\WFU2012\Documents\Outlook Files
    2013-02-13 12:29 - 2013-02-13 12:29 - 00014840 ____A C:\Users\WFU2012\Downloads\link.htm
    2013-02-13 10:46 - 2012-06-28 06:45 - 00691568 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-02-13 10:46 - 2012-06-28 06:45 - 00071024 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-02-13 10:46 - 2012-06-28 06:08 - 00000000 ____D C:\ProgramData\Adobe
    2013-02-13 08:45 - 2013-02-13 08:45 - 00279507 ____A C:\Users\WFU2012\Downloads\Festival on the Quad 2012 Flickr - Photo Sharing!.htm
    2013-02-13 08:45 - 2013-02-13 08:45 - 00000000 ____D C:\Users\WFU2012\Downloads\Festival on the Quad 2012 Flickr - Photo Sharing!_files
    2013-02-13 08:36 - 2013-02-13 08:28 - 00000000 ____D C:\Users\WFU2012\AppData\Roaming\WebEx Connect
    2013-02-13 08:29 - 2013-02-13 08:29 - 00000000 ____D C:\Users\WFU2012\AppData\Local\WebEx Connect
    2013-02-13 06:01 - 2012-01-09 13:17 - 00000000 ____D C:\ProgramData\Microsoft Help
    2013-02-13 05:05 - 2013-02-13 05:05 - 00240272 ____A C:\Users\WFU2012\Downloads\Hayden2.htm
    2013-02-12 12:59 - 2013-02-12 12:59 - 10377216 ____A C:\Users\WFU2012\Downloads\COM 370-1.ppt
    2013-02-12 08:28 - 2013-02-12 08:28 - 00088576 ____A C:\Users\WFU2012\Downloads\WfuBitlockerManager.exe
    2013-02-12 08:20 - 2013-02-12 08:12 - 00000000 ____D C:\Users\Administrator\AppData\Local\CrashDumps
    2013-02-12 08:12 - 2013-02-12 08:12 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Smart Label Printer
    2013-02-12 08:12 - 2013-02-12 08:12 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Acapela Group
    2013-02-12 08:12 - 2012-06-25 05:28 - 00002255 ____A C:\Users\Administrator\Desktop\Google Chrome.lnk
    2013-02-12 08:12 - 2012-06-22 11:26 - 00122088 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
    2013-02-12 07:28 - 2009-07-13 21:08 - 00032538 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2013-02-11 01:08 - 2011-12-07 07:25 - 00000000 ____D C:\Program Files (x86)\Lenovo
    2013-02-06 10:35 - 2013-02-06 10:35 - 00005097 ____A C:\Users\WFU2012\Downloads\Kelly, Stan 013013.doc (1).html
    2013-02-06 10:30 - 2013-02-06 10:29 - 00005097 ____A C:\Users\WFU2012\Downloads\Kelly, Stan 013013.doc.html
    2013-02-06 06:32 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
    2013-02-06 05:10 - 2013-02-06 05:10 - 00000000 ____D C:\Users\WFU2012\AppData\Local\Macromedia
    2013-02-05 04:52 - 2013-02-05 04:52 - 01004608 ____A (Solid State Networks) C:\Users\WFU2012\Downloads\install_flashplayer11x32_mssa_aih(1).exe
    2013-02-01 12:59 - 2013-02-01 12:59 - 00074086 ____A C:\Users\WFU2012\Downloads\AlumParti (1).pptx
    2013-02-01 10:15 - 2013-02-01 10:15 - 00074086 ____A C:\Users\WFU2012\Downloads\AlumParti.pptx
    2013-02-01 07:30 - 2013-02-01 07:30 - 00224914 ____A C:\Users\WFU2012\Downloads\Alumni_Participation_BenchmarkOther_Ver4.pptx
    2013-02-01 04:49 - 2013-02-01 04:49 - 00282232 ____A C:\Windows\Minidump\020113-17628-01.dmp
    2013-02-01 04:49 - 2012-10-28 12:29 - 00000000 ____D C:\Windows\Minidump
    2013-02-01 04:49 - 2012-10-28 12:28 - 351495469 ____A C:\Windows\MEMORY.DMP
    2013-01-30 02:53 - 2011-12-07 07:28 - 00273840 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2013-01-29 11:59 - 2013-01-29 11:59 - 00093679 ____A C:\Users\WFU2012\Downloads\Copy of Summary - Operating Including Activity & Location-1.xlsx

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2013-02-06 08:57:17
    Restore point made on: 2013-02-08 05:06:43
    Restore point made on: 2013-02-12 05:07:06
    Restore point made on: 2013-02-12 06:49:49
    Restore point made on: 2013-02-12 07:06:00
    Restore point made on: 2013-02-12 08:14:00
    Restore point made on: 2013-02-12 08:15:10
    Restore point made on: 2013-02-13 05:59:25
    Restore point made on: 2013-02-14 08:43:53
    Restore point made on: 2013-02-16 10:53:34
    Restore point made on: 2013-02-20 10:54:07
    Restore point made on: 2013-02-23 22:47:59
    Restore point made on: 2013-02-25 12:06:09
    Restore point made on: 2013-02-25 12:06:54
    Restore point made on: 2013-02-27 13:46:00
    Restore point made on: 2013-02-28 05:55:00

    ==================== Memory info ===========================

    Percentage of memory in use: 16%
    Total physical RAM: 3819.1 MB
    Available physical RAM: 3204.06 MB
    Total Pagefile: 3817.25 MB
    Available Pagefile: 3190.19 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ==================== Partitions =============================

    1 Drive c: () (Fixed) (Total:297.99 GB) (Free:227.78 GB) NTFS
    3 Drive f: (SANDISK) (Removable) (Total:7.47 GB) (Free:6.49 GB) FAT32
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 Online 7663 MB 0 B

    Partitions of Disk 0:
    ===============

    Disk ID: 4A166261

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 297 GB 101 MB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y System Rese NTFS Partition 100 MB Healthy

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 297 GB Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Disk ID: 00000000

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 7663 MB 31 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F SANDISK FAT32 Removable 7663 MB Healthy

    =========================================================

    Last Boot: 2013-02-22 21:15

    ==================== End Of Log =============================


    ****************SEARCH.TXT********************
    Farbar Recovery Scan Tool (x64) Version: 28-02-2013
    Ran by SYSTEM at 2013-02-28 14:28:24
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    ====== End Of Search ======
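The Search report and the "Bamital & volsnap Check" above both rest on the same idea: hash a system binary and compare it with a known-good copy (here the System32 services.exe carries the same MD5 as the copy in the WinSxS component store). The script below is an added example, not part of this thread and not FRST's own code: it parses a Search report of the shape shown above, groups the hits by file name and flags any name whose copies carry different hashes. The first block of the sample input is taken from the services.exe search above; the second block, for a hypothetical example.exe, is constructed to show what a mismatch looks like.

```python
"""Cross-check the hashes reported by an FRST "Search:" run.

FRST lists every copy of the searched file it finds, each followed by a
detail line of the form
    [created] - [modified] - size attrs (Company) MD5
A binary that has been patched on disk usually differs from the copy kept
in the WinSxS component store, so grouping the hits by file name and
comparing hashes is a cheap first-pass integrity check.
"""
import re
from collections import defaultdict

# Detail line: two bracketed timestamps, size, attribute flags,
# an optional "(Company)" and the 32-hex-digit MD5.
_DETAIL = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_frst_search(text):
    """Return one dict per file found (path, timestamps, size, company, md5)."""
    results = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        # A hit is a drive-letter path on one line and the detail on the next.
        if re.match(r"^[A-Za-z]:\\", line):
            m = _DETAIL.match(lines[i + 1])
            if m:
                results.append({"path": line, **m.groupdict()})
    return results


def hash_consistency(results):
    """Group hits by file name; a name is consistent when all copies share one MD5.

    Returns {name: {"hashes": {md5: [paths]}, "consistent": bool}}.
    """
    by_name = defaultdict(lambda: defaultdict(list))
    for r in results:
        name = r["path"].rsplit("\\", 1)[-1].lower()
        by_name[name][r["md5"].upper()].append(r["path"])
    return {
        name: {"hashes": dict(h), "consistent": len(h) == 1}
        for name, h in by_name.items()
    }


# Constructed sample. The services.exe block mirrors the search in the thread;
# the example.exe block is invented to show a mismatching pair.
SAMPLE = """\
================== Search: "services.exe" ===================

C:\\Windows\\winsxs\\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\\Windows\\System32\\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

================== Search: "example.exe" ===================

C:\\Windows\\winsxs\\x86_hypothetical_component\\example.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0001000 ____A (Example Co) 00000000000000000000000000000001

C:\\Windows\\System32\\example.exe
[2009-07-13 15:19] - [2013-02-27 10:58] - 0001000 ____A 00000000000000000000000000000002

====== End Of Search ======
"""

if __name__ == "__main__":
    report = hash_consistency(parse_frst_search(SAMPLE))
    for name, info in sorted(report.items()):
        status = "consistent" if info["consistent"] else "MISMATCH - review"
        print(f"{name}: {status}")
        for md5, paths in info["hashes"].items():
            for p in paths:
                print(f"    {md5}  {p}")
```

A match only proves that the two copies on disk agree with each other. A kernel-mode rootkit that hooks disk reads can hand clean bytes to any user-mode reader, which is why the search above was run from the recovery environment ("Ran by SYSTEM", "Running from F:\") rather than from the booted system: hashes taken while the suspect kernel is not running are the ones worth trusting.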
  5. Jay Pfoutz (Malware Helper)

    ComboFix scan

    Please download ComboFix by sUBs
    From TechSpot

    Direct Link (alternative)

    Please save the file to your Desktop.

    Important information about ComboFix


    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on ComboFix.exe & follow the prompts.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known to block all "user" processes except those on its whitelist of important system processes such as iexplore.exe, explorer.exe and winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


    Scan for malware

    Please download Malwarebytes Anti-Malware from HERE.


    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Copy and paste the entire report in your next reply.
    It's a good idea to purchase MBAM Pro for protection in the future. :)
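Once a ComboFix report is in hand, its "Reg Loading Points" section is the first place to look for persistence. The script below is an added example, not part of this thread and not ComboFix's own code: it parses that REGEDIT4-style section and flags two things that matter on a suspected rootkit case, an active AppInit_DLLs entry (a DLL listed there is loaded into every process that loads user32.dll while LoadAppInit_DLLs is 1; under Wow6432Node that covers 32-bit processes) and UAC policy values that turn the elevation prompt off. The sample input is constructed from the entries in the ComboFix log posted later in this thread; a flag is a pointer for manual review, not a verdict on the named file.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

ComboFix prints the load points it reports in REGEDIT4 style: a bracketed
key line followed by "name"=value lines, with DWORDs written as "1 (0x1)".
"""
import re

_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


def parse_reg_points(text):
    """Return {key: {name: value}} for every key/value pair in the section."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = _KEY.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = _VALUE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = vm.group("value").strip()
    return keys


def _int_value(value):
    """Take the leading decimal from a ComboFix DWORD rendering such as "0 (0x0)"."""
    m = re.match(r"^(\d+)", value)
    return int(m.group(1)) if m else None


def triage(keys):
    """Return a list of (severity, message) findings for manual review."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        # AppInit_DLLs under ...\Windows NT\CurrentVersion\Windows (native or Wow6432Node).
        if k.endswith(r"\windows nt\currentversion\windows"):
            dlls = values.get("AppInit_DLLs", "").strip('"')
            enabled = _int_value(values.get("LoadAppInit_DLLs", "0")) == 1
            if dlls and enabled:
                findings.append(("high", f"AppInit_DLLs is active under {key}: {dlls}"))
            elif dlls:
                findings.append(("medium", f"AppInit_DLLs set but LoadAppInit_DLLs is off under {key}: {dlls}"))
        # UAC policy under ...\CurrentVersion\Policies\System.
        if k.endswith(r"\currentversion\policies\system"):
            if _int_value(values.get("EnableLUA", "1")) == 0:
                findings.append(("high", "UAC is disabled (EnableLUA=0)"))
            if _int_value(values.get("ConsentPromptBehaviorAdmin", "5")) == 0:
                findings.append(("medium", "Administrators elevate without a prompt (ConsentPromptBehaviorAdmin=0)"))
    return findings


# Constructed sample, modelled on the Reg Loading Points in the thread's ComboFix log.
SAMPLE = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-01-08 18705664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\katrack.dll
"""

if __name__ == "__main__":
    for severity, message in triage(parse_reg_points(SAMPLE)):
        print(f"[{severity}] {message}")
```

The next step for anything flagged is to pull the file itself (a copy taken from the recovery environment, as with the FRST run earlier) and check its signature, publisher and hash rather than trusting the path alone; a legitimate product can register an AppInit DLL, and a disabled UAC may be corporate policy rather than tampering.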
  6. wf2008 (Topic Starter)

    I have downloaded and run ComboFix and MBAM. Here are the logs:

    ****************COMBOFIX.TXT*****************
    ComboFix 13-02-26.01 - jonesas 02/28/2013 15:40:41.4.4 - x64
    Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3819.2458 [GMT -5:00]
    Running from: c:\users\WFU2012\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-01-28 to 2013-02-28 )))))))))))))))))))))))))))))))
    .
    .
    2013-02-28 21:19 . 2013-02-28 21:19 -------- d-----w- c:\users\jonesas\AppData\Local\temp
    2013-02-28 21:19 . 2013-02-28 21:19 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-02-28 21:19 . 2013-02-28 21:19 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2013-02-28 13:55 . 2013-02-08 00:28 9162192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EF2D3B2D-9954-423D-93C7-96FCB26C7429}\mpengine.dll
    2013-02-27 21:36 . 2013-02-27 21:43 -------- d-----w- C:\New folder
    2013-02-27 21:30 . 2013-02-27 21:30 -------- d-----w- C:\bootkit_remover
    2013-02-27 19:52 . 2009-06-30 15:37 33800 ----a-w- c:\windows\system32\drivers\pavboot64.sys
    2013-02-27 19:52 . 2013-02-27 19:53 -------- d-----w- c:\program files (x86)\Panda Security
    2013-02-27 18:58 . 2011-03-11 06:33 2565632 ----a-w- C:\esent.dll
    2013-02-27 18:58 . 2009-07-14 01:40 39424 ----a-w- C:\esentprf.dll
    2013-02-26 22:37 . 2013-02-26 22:37 -------- d-----w- C:\FRST
    2013-02-26 14:54 . 2013-02-26 14:54 -------- d-----w- c:\program files (x86)\CleanUp!
    2013-02-26 14:24 . 2013-02-08 00:28 9162192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2013-02-26 14:21 . 2013-02-26 14:21 -------- d-----w- c:\users\WFU2012\AppData\Roaming\SUPERAntiSpyware.com
    2013-02-26 14:20 . 2013-02-26 14:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2013-02-26 14:20 . 2013-02-26 14:20 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2013-02-25 20:24 . 2013-02-25 20:24 -------- d-----w- c:\users\WFU2012\AppData\Local\Programs
    2013-02-25 12:48 . 2013-02-25 12:47 963488 ----a-w- c:\windows\system32\deployJava1.dll
    2013-02-25 12:48 . 2013-02-25 12:47 1085344 ----a-w- c:\windows\system32\npDeployJava1.dll
    2013-02-25 12:34 . 2013-02-25 12:34 -------- d-----w- c:\program files (x86)\JavaJREUpdate
    2013-02-15 22:31 . 2013-02-15 22:31 186432 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
    2013-02-13 16:29 . 2013-02-13 16:29 -------- d-----w- c:\users\WFU2012\AppData\Local\WebEx Connect
    2013-02-13 16:28 . 2013-02-13 16:36 -------- d-----w- c:\users\WFU2012\AppData\Roaming\WebEx Connect
    2013-02-13 13:52 . 2012-08-23 12:49 249 ----a-w- C:\Reset_and_Clear_Print_Spooler_Queue.bat
    2013-02-12 16:15 . 2011-10-05 03:54 99328 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2013-02-12 16:15 . 2011-10-05 03:41 325120 ----a-w- c:\windows\system32\drivers\usbport.sys
    2013-02-12 16:15 . 2011-10-05 03:41 52736 ----a-w- c:\windows\system32\drivers\usbehci.sys
    2013-02-12 16:15 . 2011-10-05 03:41 7936 ----a-w- c:\windows\system32\drivers\usbd.sys
    2013-02-12 16:15 . 2011-10-05 03:54 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys
    2013-02-12 16:12 . 2013-02-12 16:12 -------- d-----w- c:\users\Administrator\AppData\Roaming\Acapela Group
    2013-02-12 16:12 . 2013-02-12 16:20 -------- d-----w- c:\users\Administrator\AppData\Local\CrashDumps
    2013-02-12 16:12 . 2013-02-12 16:12 -------- d-----w- c:\users\Administrator\AppData\Roaming\Smart Label Printer
    2013-02-12 15:06 . 2012-01-14 04:41 68864 ----a-w- c:\windows\system32\drivers\stream.sys
    2013-02-12 14:48 . 2012-05-30 18:42 569152 ----a-w- c:\windows\system32\drivers\iaStor.sys
    2013-02-06 13:10 . 2013-02-06 13:10 -------- d-----w- c:\users\WFU2012\AppData\Local\Macromedia
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-02-13 18:46 . 2012-06-28 14:45 71024 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-02-13 18:46 . 2012-06-28 14:45 691568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2013-01-30 10:53 . 2011-12-07 15:28 273840 ------w- c:\windows\system32\MpSigStub.exe
    2012-12-14 21:49 . 2012-06-28 13:57 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    Cryptography Services Error !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{8660E5B3-6C41-44DE-8503-98D99BBECD41}"= "c:\program files (x86)\Coupons.com CouponBar\tbcore3.dll" [BU]
    .
    [HKEY_CLASSES_ROOT\clsid\{8660e5b3-6c41-44de-8503-98d99bbecd41}]
    [HKEY_CLASSES_ROOT\TBSB07898.TBSB07898.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\TBSB07898.TBSB07898]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-01-08 18705664]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-02-26 5629312]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    "AppInit_DLLs"=c:\windows\katrack.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkPad\Bluetooth Software\BtwProximityCP.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2012-03-15 198144]
    R3 cpudrv64;cpudrv64;c:\program files (x86)\SystemRequirementsLab\cpudrv64.sys [2011-06-02 17864]
    R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2012-06-25 52320]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 71168]
    R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2012-04-19 35256]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-06 331264]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-12-10 80384]
    R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-12-10 181248]
    R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
    R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-06-27 46176]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
    R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-20 88960]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 34816]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 31232]
    R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 117248]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-12-07 1255736]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
    R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]
    R4 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2012-03-15 659976]
    R4 BTHSSecurityMgr;Intel(R) Centrino(R) Wireless Bluetooth(R) + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-04-23 135952]
    R4 Cisco WebEx Connect Upgrade Service;Cisco WebEx Connect Upgrade Service;c:\program files (x86)\WebEx\Connect\apUpdate.exe [2011-12-01 856888]
    R4 CorelCreatorMessages;CorelCreatorMessages;c:\windows\system32\CorelCreatorMessages.exe [2012-04-25 105984]
    R4 DozeSvc;Lenovo Doze Mode Service;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2012-05-16 320576]
    R4 GingerUpdateService;GingerUpdateService;c:\program files (x86)\Ginger\GingerUpdateService\GingerUpdateService.exe [2013-02-14 272680]
    R4 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [2010-12-03 116072]
    R4 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2012-02-03 628448]
    R4 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-07 210896]
    R4 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2012-04-10 58192]
    R4 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-07-12 101736]
    R4 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2012-04-10 61264]
    R4 LENOVO.TVTVCAM;ThinkVantage Virtual Camera Controller;c:\program files\Lenovo\Communications Utility\vcamsvc.exe [2012-04-10 175440]
    R4 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2011-07-12 133992]
    R4 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2012-05-16 1662560]
    R4 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2012-05-16 1665120]
    R4 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-01-08 161536]
    R4 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-07-12 145256]
    R4 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-12-30 144960]
    R4 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-02-28 363800]
    S0 DzHDD64;DzHDD64;c:\windows\System32\DRIVERS\DzHDD64.sys [2012-05-16 29512]
    S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\drivers\iusb3hcs.sys [2012-02-27 16152]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot64.sys [2009-06-30 33800]
    S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2011-12-29 25416]
    S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [2010-09-07 15472]
    S1 PHCORE;PHCORE;c:\program files\Lenovo\RapidBoot\PHCORE64.SYS [2010-12-03 31592]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
    S2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys [2011-05-25 101888]
    S3 5U877;5U877;c:\windows\system32\DRIVERS\5U877.sys [2012-03-28 216704]
    S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2012-03-15 198144]
    S3 bcbtums;Bluetooth RAM Firmware Download USB Filter;c:\windows\system32\drivers\bcbtums.sys [2012-04-01 163368]
    S3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys [2012-04-01 594472]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2011-09-17 39976]
    S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-02-27 356120]
    S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-02-27 788760]
    S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2012-04-19 25528]
    S3 tvtvcamd;ThinkVantage Virtual Camera;c:\windows\system32\DRIVERS\tvtvcamd.sys [2011-12-07 27432]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2013-02-23 05:16 1629648 ----a-w- c:\program files (x86)\Google\Chrome\Application\25.0.1364.97\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-02-28 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-28 18:46]
    .
    2013-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-06-22 13:51]
    .
    2013-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-06-22 13:51]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=c:\windows\katrk64.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://search.coupons.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
    Trusted Zone: clayton
    Trusted Zone: onbaseonline.com\wfu
    Trusted Zone: wfu.edu\app.banner
    Trusted Zone: wfu.edu\cognos
    Trusted Zone: wfu.edu\devl.cognos
    Trusted Zone: wfu.edu\pprd.cognos
    TCP: DhcpNameServer = 10.2.1.2 10.1.16.111 10.2.1.1
    FF - ProfilePath - c:\users\WFU2012\AppData\Roaming\Mozilla\Firefox\Profiles\gpfneout.default\
    FF - prefs.js: browser.search.selectedEngine - Search Results
    FF - prefs.js: browser.startup.homepage - hxxp://google.wfu.edu
    FF - prefs.js: keyword.URL - hxxp://search.fantastigames.com/web?src=ffb&appid=103&systemid=453&sr=0&q=
    FF - prefs.js: network.proxy.type - 0
    FF - ExtSQL: 2013-01-16 07:31; adapter@gingersoftware.com; c:\users\WFU2012\AppData\Roaming\Mozilla\Firefox\Profiles\gpfneout.default\extensions\adapter@gingersoftware.com
    FF - ExtSQL: !HIDDEN! 2012-10-28 17:27; adapter@gingersoftware.com; c:\program files (x86)\Mozilla Firefox\extensions\adapter@gingersoftware.com
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-10 - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-02-28 16:21:33
    ComboFix-quarantined-files.txt 2013-02-28 21:21
    ComboFix2.txt 2013-02-28 00:08
    ComboFix3.txt 2013-02-26 21:09
    ComboFix4.txt 2013-02-26 18:52
    .
    Pre-Run: 244,568,096,768 bytes free
    Post-Run: 244,268,212,224 bytes free
    .
    - - End Of File - - D5AE562D36F0EC6E954F1CA8CC53D09A



    ******************MBAM*********************

    Malwarebytes Anti-Malware 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.02.25.08

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    jonesas :: JONESAS-6920 [administrator]

    2/28/2013 4:22:30 PM
    mbam-log-2013-02-28 (16-22-30).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 263247
    Time elapsed: 1 minute(s), 58 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    Thank you!
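The ComboFix registry section in the post above is the part of these logs worth reading closely. EnableLUA=0 switches UAC off entirely (and ConsentPromptBehaviorAdmin=0 would remove the elevation prompt even if it were turned back on); LoadAppInit_DLLs=1 makes Windows 7 load whatever AppInit_DLLs names (c:\windows\katrack.dll under the Wow6432Node key, which governs 32-bit processes, and c:\windows\katrk64.dll under the native key, which governs 64-bit ones) into every process that loads user32.dll; and the LSA Notification Packages value lists a DLL beyond the default scecli, which lsass loads and hands cleartext passwords to on every password change. None of that says these particular DLLs are malicious: the log shows paths, not publishers or signatures, so each one has to be verified on the host before anything is removed. The script below is an added example, not ComboFix's code and not something the posters ran. It parses a constructed excerpt in ComboFix's REGEDIT4 style and turns those points into findings. It assumes that ComboFix prints multi_sz entries space-separated (so drive-letter paths are reassembled up to their .dll), that scecli is the only notification package Windows 7 installs by default, and that a missing LoadAppInit_DLLs line means the value was not printed rather than known to be 0, which is why that case is reported as "review" instead of "high".

```python
"""Triage the registry section of a ComboFix log for persistence hooks and
disabled UAC policy.  Added example for this thread, not ComboFix's own code."""
import re

# Constructed excerpt in ComboFix's REGEDIT4 style ("." separates keys); the
# entries mirror the ones in the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\katrack.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkPad\Bluetooth Software\BtwProximityCP.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\katrk64.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')
MULTI_RE = re.compile(r"^(?P<name>[A-Za-z ]+?)\s+REG_MULTI_SZ\s+(?P<val>.*)$")
DWORD_RE = re.compile(r"^(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\)")
# Assumption: multi_sz entries are printed space-separated, so a drive-letter
# path is kept whole up to its .dll; any other token is one entry.
ENTRY_RE = re.compile(r"[A-Za-z]:\\.*?\.dll|\S+", re.IGNORECASE)
# Assumption: scecli is the only LSA notification package Windows 7 installs.
DEFAULT_LSA_PACKAGES = {"scecli"}


def parse_registry_section(text):
    """Map lowercased key path -> {lowercased value name: raw value string}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        if current is None or line in ("", "."):
            continue
        m = VALUE_RE.match(line) or MULTI_RE.match(line)
        if m:
            keys[current][m.group("name").lower()] = m.group("val").strip()
    return keys


def as_dword(raw):
    """'0 (0x0)' -> 0; anything else (including a missing value) -> None."""
    m = DWORD_RE.match(raw or "")
    return int(m.group("dec")) if m else None


def audit(text):
    """Return (severity, key, message) findings for the weak spots shown above."""
    findings = []
    for key, vals in parse_registry_section(text).items():
        if key.endswith(r"\policies\system"):
            if as_dword(vals.get("enablelua")) == 0:
                findings.append(("high", key, "EnableLUA=0: UAC is off; admin logons run fully elevated"))
            if as_dword(vals.get("consentpromptbehavioradmin")) == 0:
                findings.append(("high", key, "ConsentPromptBehaviorAdmin=0: elevation without a prompt"))
            if as_dword(vals.get("promptonsecuredesktop")) == 0:
                findings.append(("medium", key, "PromptOnSecureDesktop=0: prompts shown on the interactive desktop"))
        if key.endswith(r"\windows nt\currentversion\windows") and vals.get("appinit_dlls"):
            dlls = [d for d in re.split(r"[,\s]+", vals["appinit_dlls"]) if d]
            arch = "32-bit" if "wow6432node" in key else "64-bit"
            if as_dword(vals.get("loadappinit_dlls")) == 1:
                sev = "high"
                why = "LoadAppInit_DLLs=1, injected into every %s process that loads user32.dll" % arch
            else:
                sev = "review"
                why = "LoadAppInit_DLLs not shown in the log; confirm it on the host (%s)" % arch
            findings.append((sev, key, "AppInit_DLLs=%s: %s" % (", ".join(dlls), why)))
        if key.endswith(r"\control\lsa") and "notification packages" in vals:
            for entry in ENTRY_RE.findall(vals["notification packages"]):
                if entry.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(("review", key, "extra LSA notification package %s: loaded by lsass, "
                                     "receives cleartext passwords on change; verify its signature" % entry))
    return findings


if __name__ == "__main__":
    for sev, key, msg in audit(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (sev.upper(), key, msg))
```

To use it on a real log, pass the text of the registry section to audit(). The "review" findings are the ones to settle on the machine itself, by checking each DLL's publisher and digital signature, before deciding whether an entry should be removed.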
  7. Jay Pfoutz (Malware Helper)

    TDSSKiller Scan

    Please download TDSSKiller to your desktop and run it as outlined below:

    Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


    ------------------------

    Click the Start Scan button.


    -----------------------

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get a warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.



    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.




    --------------------

    A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

    Sometimes these logs can be very large; in that case, please attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get a warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
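As an added example to go with these instructions (not Kaspersky's code, and not something the posters ran), here is a script that sifts a TDSSKiller log so the long "- ok" listing can be skipped and only the lines that need a decision remain. It encodes the rule from the post: UnsignedFile.Multi.Generic and LockedFile.Multi.Generic are generic "could not verify this file" warnings and get Skip, while anything else TDSSKiller reports gets Cure. The "- ok" line shape is the one in the log posted later in this thread; the "( name ) - verdict" and "- detected name (n)" shapes for warnings and infections are an assumption about TDSSKiller's format and may differ between versions. The sample lines are constructed, and Rootkit.Boot.Placeholder is a made-up stand-in, not a real signature name.

```python
"""Sift a TDSSKiller log for the lines that need a decision.  Added example for
this thread, not Kaspersky's code; the warning/detected line shapes are assumed."""
import re

# Constructed sample.  The "- ok" lines copy the shape of the log posted in this
# thread; the "( name ) - verdict" and "- detected" lines are an assumed shape,
# and Rootkit.Boot.Placeholder is a made-up label, not a real signature name.
SAMPLE_LOG = r"""
14:07:32.0652 1224 cpudrv64 - ok
14:07:33.0010 1224 HyperW7Svc - ok
14:07:33.0057 1224 sampledrv ( LockedFile.Multi.Generic ) - warning
14:07:33.0057 1224 sampledrv - detected LockedFile.Multi.Generic (1)
14:07:33.0104 1224 sampledrv2 ( UnsignedFile.Multi.Generic ) - warning
14:07:33.0104 1224 sampledrv2 - detected UnsignedFile.Multi.Generic (1)
14:07:35.0120 1224 \Device\Harddisk0\DR0 ( Rootkit.Boot.Placeholder ) - infected
14:07:35.0120 1224 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Placeholder (0)
14:07:36.0000 1224 ============================================================
14:07:36.0000 1224 Scan finished
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<tid>\d+)\s+(?P<body>.*)$")
OK_RE = re.compile(r"^(?P<obj>.+) - ok$")
VERDICT_RE = re.compile(r"^(?P<obj>.+) \( (?P<name>[^()]+) \) - (?P<verdict>\w+)$")
DETECTED_RE = re.compile(r"^(?P<obj>.+) - detected (?P<name>\S+) \(\d+\)$")

# The rule from the instructions: these two generic verdicts mean TDSSKiller
# could not verify a file, not that it found malware, so the action is Skip.
# Anything else it reports gets the Cure action.
ADVISORY = {"UnsignedFile.Multi.Generic", "LockedFile.Multi.Generic"}


def triage(log_text):
    """Return {'ok': count, 'advisory': [...], 'malicious': [...], 'unparsed': [...]};
    advisory/malicious items are (object, detection name, verdict, action)."""
    seen = set()
    out = {"ok": 0, "advisory": [], "malicious": [], "unparsed": []}
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            out["unparsed"].append(raw)
            continue
        body = m.group("body")
        if OK_RE.match(body):
            out["ok"] += 1
            continue
        hit = VERDICT_RE.match(body) or DETECTED_RE.match(body)
        if not hit:
            continue  # banners, "Scan finished" and similar status lines
        obj, name = hit.group("obj"), hit.group("name")
        verdict = hit.group("verdict") if "verdict" in hit.groupdict() else "detected"
        if (obj, name) in seen:
            continue  # the "- detected" line repeats the verdict line for the same object
        seen.add((obj, name))
        bucket = "advisory" if name in ADVISORY else "malicious"
        out[bucket].append((obj, name, verdict, "Skip" if bucket == "advisory" else "Cure"))
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("%d objects ok" % result["ok"])
    for item in result["advisory"] + result["malicious"]:
        print("%-28s %-28s %-9s -> %s" % item)
```

Run it over a saved TDSSKiller log and only the advisory and malicious buckets need a look; if a log is all "- ok", as the one posted later in this thread is, both come back empty.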
  8. wf2008 (Topic Starter)

    Hi, thank you for your continued help. TDSSKiller did not find any threats. Here is the log:

    14:06:33.0527 3096 TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
    14:06:33.0917 3096 ============================================================
    14:06:33.0917 3096 Current date / time: 2013/03/01 14:06:33.0917
    14:06:33.0917 3096 SystemInfo:
    14:06:33.0917 3096
    14:06:33.0917 3096 OS Version: 6.1.7601 ServicePack: 1.0
    14:06:33.0917 3096 Product type: Workstation
    14:06:33.0917 3096 ComputerName: JONESAS-6920
    14:06:33.0917 3096 UserName: jonesas
    14:06:33.0917 3096 Windows directory: C:\Windows
    14:06:33.0917 3096 System windows directory: C:\Windows
    14:06:33.0917 3096 Running under WOW64
    14:06:33.0917 3096 Processor architecture: Intel x64
    14:06:33.0917 3096 Number of processors: 4
    14:06:33.0917 3096 Page size: 0x1000
    14:06:33.0917 3096 Boot type: Normal boot
    14:06:33.0917 3096 ============================================================
    14:06:51.0374 3096 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
    14:06:51.0389 3096 ============================================================
    14:06:51.0389 3096 \Device\Harddisk0\DR0:
    14:06:51.0389 3096 MBR partitions:
    14:06:51.0389 3096 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
    14:06:51.0389 3096 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x253FC000
    14:06:51.0389 3096 ============================================================
    14:06:51.0389 3096 C: <-> \Device\Harddisk0\DR0\Partition2
    14:06:51.0389 3096 ============================================================
    14:06:51.0389 3096 Initialize success
    14:06:51.0389 3096 ============================================================
    14:07:30.0358 1224 ============================================================
    14:07:30.0358 1224 Scan started
    14:07:30.0358 1224 Mode: Manual; SigCheck; TDLFS;
    14:07:30.0358 1224 ============================================================
    14:07:32.0059 1224 ================ Scan system memory ========================
    14:07:32.0059 1224 System memory - ok
    14:07:32.0059 1224 ================ Scan services =============================
    14:07:32.0106 1224 1394ohci - ok
    14:07:32.0106 1224 5U877 - ok
    14:07:32.0121 1224 ACPI - ok
    14:07:32.0121 1224 AcpiPmi - ok
    14:07:32.0137 1224 AdobeARMservice - ok
    14:07:32.0137 1224 AdobeFlashPlayerUpdateSvc - ok
    14:07:32.0152 1224 adp94xx - ok
    14:07:32.0152 1224 adpahci - ok
    14:07:32.0152 1224 adpu320 - ok
    14:07:32.0152 1224 AeLookupSvc - ok
    14:07:32.0168 1224 AFD - ok
    14:07:32.0168 1224 agp440 - ok
    14:07:32.0168 1224 ALG - ok
    14:07:32.0168 1224 aliide - ok
    14:07:32.0184 1224 amdide - ok
    14:07:32.0184 1224 AmdK8 - ok
    14:07:32.0184 1224 AmdPPM - ok
    14:07:32.0199 1224 amdsata - ok
    14:07:32.0199 1224 amdsbs - ok
    14:07:32.0199 1224 amdxata - ok
    14:07:32.0215 1224 AMPPAL - ok
    14:07:32.0215 1224 AMPPALP - ok
    14:07:32.0215 1224 AMPPALR3 - ok
    14:07:32.0230 1224 AppID - ok
    14:07:32.0230 1224 AppIDSvc - ok
    14:07:32.0246 1224 Appinfo - ok
    14:07:32.0262 1224 Apple Mobile Device - ok
    14:07:32.0262 1224 AppMgmt - ok
    14:07:32.0262 1224 arc - ok
    14:07:32.0262 1224 arcsas - ok
    14:07:32.0277 1224 aspnet_state - ok
    14:07:32.0277 1224 AsyncMac - ok
    14:07:32.0277 1224 atapi - ok
    14:07:32.0293 1224 AudioEndpointBuilder - ok
    14:07:32.0293 1224 AudioSrv - ok
    14:07:32.0308 1224 AxInstSV - ok
    14:07:32.0308 1224 b06bdrv - ok
    14:07:32.0308 1224 b57nd60a - ok
    14:07:32.0340 1224 bcbtums - ok
    14:07:32.0340 1224 BDESVC - ok
    14:07:32.0340 1224 Beep - ok
    14:07:32.0340 1224 BFE - ok
    14:07:32.0340 1224 BITS - ok
    14:07:32.0355 1224 blbdrive - ok
    14:07:32.0355 1224 Bonjour Service - ok
    14:07:32.0355 1224 bowser - ok
    14:07:32.0355 1224 BrFiltLo - ok
    14:07:32.0371 1224 BrFiltUp - ok
    14:07:32.0402 1224 BridgeMP - ok
    14:07:32.0402 1224 Browser - ok
    14:07:32.0402 1224 Brserid - ok
    14:07:32.0418 1224 BrSerWdm - ok
    14:07:32.0418 1224 BrUsbMdm - ok
    14:07:32.0418 1224 BrUsbSer - ok
    14:07:32.0418 1224 BthEnum - ok
    14:07:32.0418 1224 BTHMODEM - ok
    14:07:32.0433 1224 BthPan - ok
    14:07:32.0433 1224 BTHPORT - ok
    14:07:32.0433 1224 bthserv - ok
    14:07:32.0449 1224 BTHSSecurityMgr - ok
    14:07:32.0449 1224 BTHUSB - ok
    14:07:32.0449 1224 BTWAMPFL - ok
    14:07:32.0449 1224 btwaudio - ok
    14:07:32.0464 1224 btwavdt - ok
    14:07:32.0480 1224 btwdins - ok
    14:07:32.0480 1224 btwl2cap - ok
    14:07:32.0480 1224 btwrchid - ok
    14:07:32.0511 1224 catchme - ok
    14:07:32.0511 1224 CcmExec - ok
    14:07:32.0511 1224 cdfs - ok
    14:07:32.0511 1224 cdrom - ok
    14:07:32.0527 1224 CertPropSvc - ok
    14:07:32.0527 1224 circlass - ok
    14:07:32.0542 1224 Cisco WebEx Connect Upgrade Service - ok
    14:07:32.0558 1224 CLFS - ok
    14:07:32.0558 1224 clr_optimization_v2.0.50727_32 - ok
    14:07:32.0558 1224 clr_optimization_v2.0.50727_64 - ok
    14:07:32.0574 1224 clr_optimization_v4.0.30319_32 - ok
    14:07:32.0574 1224 clr_optimization_v4.0.30319_64 - ok
    14:07:32.0574 1224 CmBatt - ok
    14:07:32.0574 1224 cmdide - ok
    14:07:32.0589 1224 CNG - ok
    14:07:32.0589 1224 CnxtHdAudService - ok
    14:07:32.0605 1224 Compbatt - ok
    14:07:32.0605 1224 CompositeBus - ok
    14:07:32.0605 1224 COMSysApp - ok
    14:07:32.0620 1224 CorelCreatorMessages - ok
    14:07:32.0620 1224 cphs - ok
    14:07:32.0652 1224 cpudrv64 - ok
    14:07:32.0652 1224 crcdisk - ok
    14:07:32.0652 1224 CryptSvc - ok
    14:07:32.0652 1224 CSC - ok
    14:07:32.0667 1224 CscService - ok
    14:07:32.0667 1224 CVirtA - ok
    14:07:32.0683 1224 CVPND - ok
    14:07:32.0683 1224 CVPNDRVA - ok
    14:07:32.0683 1224 dc3d - ok
    14:07:32.0698 1224 DcomLaunch - ok
    14:07:32.0698 1224 defragsvc - ok
    14:07:32.0698 1224 DfsC - ok
    14:07:32.0714 1224 Dhcp - ok
    14:07:32.0714 1224 discache - ok
    14:07:32.0714 1224 Disk - ok
    14:07:32.0714 1224 dmvsc - ok
    14:07:32.0714 1224 DNE - ok
    14:07:32.0730 1224 Dnscache - ok
    14:07:32.0730 1224 dot3svc - ok
    14:07:32.0730 1224 DozeSvc - ok
    14:07:32.0730 1224 DPS - ok
    14:07:32.0745 1224 drmkaud - ok
    14:07:32.0745 1224 DXGKrnl - ok
    14:07:32.0745 1224 DzHDD64 - ok
    14:07:32.0745 1224 e1cexpress - ok
    14:07:32.0776 1224 EapHost - ok
    14:07:32.0776 1224 ebdrv - ok
    14:07:32.0776 1224 EFS - ok
    14:07:32.0776 1224 ehRecvr - ok
    14:07:32.0776 1224 ehSched - ok
    14:07:32.0776 1224 elxstor - ok
    14:07:32.0792 1224 ErrDev - ok
    14:07:32.0808 1224 EventSystem - ok
    14:07:32.0808 1224 exfat - ok
    14:07:32.0823 1224 fastfat - ok
    14:07:32.0823 1224 Fax - ok
    14:07:32.0823 1224 fdc - ok
    14:07:32.0823 1224 fdPHost - ok
    14:07:32.0823 1224 FDResPub - ok
    14:07:32.0823 1224 FileInfo - ok
    14:07:32.0839 1224 Filetrace - ok
    14:07:32.0839 1224 flpydisk - ok
    14:07:32.0839 1224 FltMgr - ok
    14:07:32.0839 1224 FontCache - ok
    14:07:32.0839 1224 FontCache3.0.0.0 - ok
    14:07:32.0839 1224 FsDepends - ok
    14:07:32.0854 1224 Fs_Rec - ok
    14:07:32.0854 1224 fvevol - ok
    14:07:32.0854 1224 gagp30kx - ok
    14:07:32.0870 1224 GEARAspiWDM - ok
    14:07:32.0870 1224 GingerUpdateService - ok
    14:07:32.0870 1224 gpsvc - ok
    14:07:32.0901 1224 gupdate - ok
    14:07:32.0917 1224 gupdatem - ok
    14:07:32.0917 1224 hcw85cir - ok
    14:07:32.0932 1224 HdAudAddService - ok
    14:07:32.0932 1224 HDAudBus - ok
    14:07:32.0932 1224 HidBatt - ok
    14:07:32.0948 1224 HidBth - ok
    14:07:32.0948 1224 HidIr - ok
    14:07:32.0948 1224 hidserv - ok
    14:07:32.0964 1224 HidUsb - ok
    14:07:32.0979 1224 hkmsvc - ok
    14:07:32.0979 1224 HomeGroupListener - ok
    14:07:32.0979 1224 HomeGroupProvider - ok
    14:07:32.0979 1224 HpSAMD - ok
    14:07:32.0979 1224 HTTP - ok
    14:07:32.0995 1224 hwpolicy - ok
    14:07:33.0010 1224 HyperW7Svc - ok
    14:07:33.0010 1224 i8042prt - ok
    14:07:33.0010 1224 iaStor - ok
    14:07:33.0010 1224 iaStorV - ok
    14:07:33.0026 1224 IBMPMDRV - ok
    14:07:33.0026 1224 IBMPMSVC - ok
    14:07:33.0026 1224 idsvc - ok
    14:07:33.0026 1224 igfx - ok
    14:07:33.0026 1224 iirsp - ok
    14:07:33.0026 1224 IKEEXT - ok
    14:07:33.0057 1224 intaud_WaveExtensible - ok
    14:07:33.0088 1224 IntcAzAudAddService - ok
    14:07:33.0088 1224 IntcDAud - ok
    14:07:33.0104 1224 Intel(R) Capability Licensing Service Interface - ok
    14:07:33.0120 1224 intelide - ok
    14:07:33.0120 1224 intelppm - ok
    14:07:33.0120 1224 IPBusEnum - ok
    14:07:33.0120 1224 IpFilterDriver - ok
    14:07:33.0120 1224 iphlpsvc - ok
    14:07:33.0135 1224 IPMIDRV - ok
    14:07:33.0135 1224 IPNAT - ok
    14:07:33.0135 1224 iPod Service - ok
    14:07:33.0135 1224 IRENUM - ok
    14:07:33.0135 1224 isapnp - ok
    14:07:33.0151 1224 iScsiPrt - ok
    14:07:33.0151 1224 iusb3hcs - ok
    14:07:33.0151 1224 iusb3hub - ok
    14:07:33.0151 1224 iusb3xhc - ok
    14:07:33.0166 1224 IviRegMgr - ok
    14:07:33.0182 1224 iwdbus - ok
    14:07:33.0198 1224 jhi_service - ok
    14:07:33.0198 1224 kbdclass - ok
    14:07:33.0198 1224 kbdhid - ok
    14:07:33.0198 1224 KeyIso - ok
    14:07:33.0198 1224 KSecDD - ok
    14:07:33.0213 1224 KSecPkg - ok
    14:07:33.0213 1224 ksthunk - ok
    14:07:33.0213 1224 KtmRm - ok
    14:07:33.0213 1224 LanmanServer - ok
    14:07:33.0213 1224 LanmanWorkstation - ok
    14:07:33.0229 1224 LENOVO.CAMMUTE - ok
    14:07:33.0229 1224 LENOVO.MICMUTE - ok
    14:07:33.0229 1224 lenovo.smi - ok
    14:07:33.0229 1224 LENOVO.TPKNRSVC - ok
    14:07:33.0244 1224 LENOVO.TVTVCAM - ok
    14:07:33.0244 1224 Lenovo.VIRTSCRLSVC - ok
    14:07:33.0260 1224 lltdio - ok
    14:07:33.0260 1224 lltdsvc - ok
    14:07:33.0260 1224 lmhosts - ok
    14:07:33.0260 1224 LMS - ok
    14:07:33.0276 1224 LSI_FC - ok
    14:07:33.0276 1224 LSI_SAS - ok
    14:07:33.0276 1224 LSI_SAS2 - ok
    14:07:33.0291 1224 LSI_SCSI - ok
    14:07:33.0291 1224 luafv - ok
    14:07:33.0291 1224 Mcx2Svc - ok
    14:07:33.0291 1224 megasas - ok
    14:07:33.0307 1224 MegaSR - ok
    14:07:33.0307 1224 MEIx64 - ok
    14:07:33.0307 1224 Microsoft SharePoint Workspace Audit Service - ok
    14:07:33.0322 1224 MMCSS - ok
    14:07:33.0322 1224 Modem - ok
    14:07:33.0322 1224 monitor - ok
    14:07:33.0322 1224 mouclass - ok
    14:07:33.0338 1224 mouhid - ok
    14:07:33.0338 1224 mountmgr - ok
    14:07:33.0338 1224 MozillaMaintenance - ok
    14:07:33.0354 1224 MpFilter - ok
    14:07:33.0354 1224 mpio - ok
    14:07:33.0354 1224 mpsdrv - ok
    14:07:33.0354 1224 MpsSvc - ok
    14:07:33.0354 1224 MRxDAV - ok
    14:07:33.0369 1224 mrxsmb - ok
    14:07:33.0369 1224 mrxsmb10 - ok
    14:07:33.0369 1224 mrxsmb20 - ok
    14:07:33.0369 1224 msahci - ok
    14:07:33.0369 1224 msdsm - ok
    14:07:33.0369 1224 MSDTC - ok
    14:07:33.0385 1224 Msfs - ok
    14:07:33.0385 1224 mshidkmdf - ok
    14:07:33.0385 1224 msisadrv - ok
    14:07:33.0385 1224 MSiSCSI - ok
    14:07:33.0400 1224 msiserver - ok
    14:07:33.0400 1224 MSKSSRV - ok
    14:07:33.0416 1224 MsMpSvc - ok
    14:07:33.0416 1224 MSPCLOCK - ok
    14:07:33.0416 1224 MSPQM - ok
    14:07:33.0416 1224 MsRPC - ok
    14:07:33.0432 1224 mssmbios - ok
    14:07:33.0432 1224 MSTEE - ok
    14:07:33.0432 1224 MTConfig - ok
    14:07:33.0432 1224 Mup - ok
    14:07:33.0432 1224 napagent - ok
    14:07:33.0432 1224 NativeWifiP - ok
    14:07:33.0447 1224 NDIS - ok
    14:07:33.0447 1224 NdisCap - ok
    14:07:33.0463 1224 NdisTapi - ok
    14:07:33.0463 1224 Ndisuio - ok
    14:07:33.0463 1224 NdisWan - ok
    14:07:33.0478 1224 NDProxy - ok
    14:07:33.0494 1224 Net Driver HPZ12 - ok
    14:07:33.0494 1224 NetBIOS - ok
    14:07:33.0494 1224 NetBT - ok
    14:07:33.0494 1224 Netlogon - ok
    14:07:33.0510 1224 Netman - ok
    14:07:33.0510 1224 NetMsmqActivator - ok
    14:07:33.0510 1224 NetPipeActivator - ok
    14:07:33.0510 1224 netprofm - ok
    14:07:33.0510 1224 NetTcpActivator - ok
    14:07:33.0525 1224 NetTcpPortSharing - ok
    14:07:33.0525 1224 NETwNs64 - ok
    14:07:33.0525 1224 nfrd960 - ok
    14:07:33.0572 1224 NisDrv - ok
    14:07:33.0572 1224 NisSrv - ok
    14:07:33.0572 1224 NlaSvc - ok
    14:07:33.0588 1224 Npfs - ok
    14:07:33.0588 1224 nsi - ok
    14:07:33.0588 1224 nsiproxy - ok
    14:07:33.0588 1224 Ntfs - ok
    14:07:33.0603 1224 NuidFltr - ok
    14:07:33.0603 1224 Null - ok
    14:07:33.0603 1224 nusb3hub - ok
    14:07:33.0619 1224 nusb3xhc - ok
    14:07:33.0619 1224 nvraid - ok
    14:07:33.0619 1224 nvstor - ok
    14:07:33.0619 1224 nv_agp - ok
    14:07:33.0619 1224 odserv - ok
    14:07:33.0619 1224 ohci1394 - ok
    14:07:33.0634 1224 ose - ok
    14:07:33.0634 1224 ose64 - ok
    14:07:33.0650 1224 osppsvc - ok
    14:07:33.0650 1224 p2pimsvc - ok
    14:07:33.0650 1224 p2psvc - ok
    14:07:33.0650 1224 Parport - ok
    14:07:33.0650 1224 partmgr - ok
    14:07:33.0697 1224 pavboot - ok
    14:07:33.0697 1224 PcaSvc - ok
    14:07:33.0697 1224 pci - ok
    14:07:33.0697 1224 pciide - ok
    14:07:33.0712 1224 pcmcia - ok
    14:07:33.0712 1224 pcw - ok
    14:07:33.0712 1224 PEAUTH - ok
    14:07:33.0712 1224 PeerDistSvc - ok
    14:07:33.0712 1224 PerfHost - ok
    14:07:33.0728 1224 PHCORE - ok
    14:07:33.0728 1224 pla - ok
    14:07:33.0728 1224 PlugPlay - ok
    14:07:33.0728 1224 Pml Driver HPZ12 - ok
    14:07:33.0744 1224 PNRPAutoReg - ok
    14:07:33.0744 1224 PNRPsvc - ok
    14:07:33.0759 1224 Point64 - ok
    14:07:33.0759 1224 PolicyAgent - ok
    14:07:33.0759 1224 Power - ok
    14:07:33.0775 1224 Power Manager DBC Service - ok
    14:07:33.0775 1224 PptpMiniport - ok
    14:07:33.0790 1224 prepdrvr - ok
    14:07:33.0790 1224 Processor - ok
    14:07:33.0790 1224 ProfSvc - ok
    14:07:33.0790 1224 ProtectedStorage - ok
    14:07:33.0790 1224 psadd - ok
    14:07:33.0790 1224 Psched - ok
    14:07:33.0806 1224 PSI_SVC_2 - ok
    14:07:33.0806 1224 PwmEWSvc - ok
    14:07:33.0806 1224 ql2300 - ok
    14:07:33.0806 1224 ql40xx - ok
    14:07:33.0806 1224 QWAVE - ok
    14:07:33.0822 1224 QWAVEdrv - ok
    14:07:33.0822 1224 RasAcd - ok
    14:07:33.0837 1224 RasAgileVpn - ok
    14:07:33.0837 1224 RasAuto - ok
    14:07:33.0837 1224 Rasl2tp - ok
    14:07:33.0837 1224 RasMan - ok
    14:07:33.0837 1224 RasPppoe - ok
    14:07:33.0853 1224 RasSstp - ok
    14:07:33.0853 1224 rdbss - ok
    14:07:33.0853 1224 rdpbus - ok
    14:07:33.0853 1224 RDPCDD - ok
    14:07:33.0868 1224 RDPDR - ok
    14:07:33.0868 1224 RDPENCDD - ok
    14:07:33.0868 1224 RDPREFMP - ok
    14:07:33.0884 1224 RdpVideoMiniport - ok
    14:07:33.0884 1224 RDPWD - ok
    14:07:33.0884 1224 rdyboost - ok
    14:07:33.0884 1224 RemoteAccess - ok
    14:07:33.0884 1224 RemoteRegistry - ok
    14:07:33.0900 1224 RFCOMM - ok
    14:07:33.0900 1224 risdxc - ok
    14:07:33.0900 1224 RpcEptMapper - ok
    14:07:33.0915 1224 RpcLocator - ok
    14:07:33.0915 1224 RpcSs - ok
    14:07:33.0915 1224 rspndr - ok
    14:07:33.0915 1224 s3cap - ok
    14:07:33.0915 1224 SamSs - ok
    14:07:33.0915 1224 sbp2port - ok
    14:07:33.0931 1224 SCardSvr - ok
    14:07:33.0931 1224 scfilter - ok
    14:07:33.0931 1224 Schedule - ok
    14:07:33.0931 1224 SCPolicySvc - ok
    14:07:33.0931 1224 SDRSVC - ok
    14:07:33.0946 1224 secdrv - ok
    14:07:33.0946 1224 seclogon - ok
    14:07:33.0946 1224 SENS - ok
    14:07:33.0946 1224 SensrSvc - ok
    14:07:33.0946 1224 Serenum - ok
    14:07:33.0978 1224 Serial - ok
    14:07:33.0993 1224 sermouse - ok
    14:07:33.0993 1224 SessionEnv - ok
    14:07:33.0993 1224 sffdisk - ok
    14:07:33.0993 1224 sffp_mmc - ok
    14:07:34.0009 1224 sffp_sd - ok
    14:07:34.0009 1224 sfloppy - ok
    14:07:34.0009 1224 SharedAccess - ok
    14:07:34.0009 1224 ShellHWDetection - ok
    14:07:34.0009 1224 Shockprf - ok
    14:07:34.0024 1224 SiSRaid2 - ok
    14:07:34.0024 1224 SiSRaid4 - ok
    14:07:34.0040 1224 SkypeUpdate - ok
    14:07:34.0040 1224 Smb - ok
    14:07:34.0056 1224 smstsmgr - ok
    14:07:34.0056 1224 SNMPTRAP - ok
    14:07:34.0056 1224 spldr - ok
    14:07:34.0056 1224 Spooler - ok
    14:07:34.0056 1224 sppsvc - ok
    14:07:34.0071 1224 sppuinotify - ok
    14:07:34.0071 1224 srv - ok
    14:07:34.0071 1224 srv2 - ok
    14:07:34.0071 1224 srvnet - ok
    14:07:34.0071 1224 SSDPSRV - ok
    14:07:34.0071 1224 SstpSvc - ok
    14:07:34.0087 1224 stexstor - ok
    14:07:34.0087 1224 stisvc - ok
    14:07:34.0087 1224 storflt - ok
    14:07:34.0087 1224 StorSvc - ok
    14:07:34.0087 1224 storvsc - ok
    14:07:34.0087 1224 SUService - ok
    14:07:34.0102 1224 swenum - ok
    14:07:34.0102 1224 swprv - ok
    14:07:34.0102 1224 Synth3dVsc - ok
    14:07:34.0102 1224 SynTP - ok
    14:07:34.0102 1224 SysMain - ok
    14:07:34.0118 1224 TabletInputService - ok
    14:07:34.0118 1224 TapiSrv - ok
    14:07:34.0118 1224 TBS - ok
    14:07:34.0118 1224 Tcpip - ok
    14:07:34.0118 1224 TCPIP6 - ok
    14:07:34.0118 1224 tcpipreg - ok
    14:07:34.0134 1224 TDPIPE - ok
    14:07:34.0134 1224 TDTCP - ok
    14:07:34.0134 1224 tdx - ok
    14:07:34.0134 1224 TermDD - ok
    14:07:34.0134 1224 terminpt - ok
    14:07:34.0149 1224 TermService - ok
    14:07:34.0149 1224 Themes - ok
    14:07:34.0149 1224 THREADORDER - ok
    14:07:34.0149 1224 TPDIGIMN - ok
    14:07:34.0149 1224 TPHDEXLGSVC - ok
    14:07:34.0149 1224 TPHKLOAD - ok
    14:07:34.0165 1224 TPHKSVC - ok
    14:07:34.0165 1224 TPM - ok
    14:07:34.0180 1224 TPPWRIF - ok
    14:07:34.0180 1224 TrkWks - ok
    14:07:34.0180 1224 TrustedInstaller - ok
    14:07:34.0180 1224 tssecsrv - ok
    14:07:34.0180 1224 TsUsbFlt - ok
    14:07:34.0196 1224 TsUsbGD - ok
    14:07:34.0196 1224 tsusbhub - ok
    14:07:34.0196 1224 tunnel - ok
    14:07:34.0212 1224 tvtvcamd - ok
    14:07:34.0212 1224 uagp35 - ok
    14:07:34.0212 1224 udfs - ok
    14:07:34.0227 1224 UI0Detect - ok
    14:07:34.0227 1224 uliagpkx - ok
    14:07:34.0227 1224 umbus - ok
    14:07:34.0227 1224 UmPass - ok
    14:07:34.0227 1224 UmRdpService - ok
    14:07:34.0243 1224 UNS - ok
    14:07:34.0243 1224 upnphost - ok
    14:07:34.0243 1224 usbccgp - ok
    14:07:34.0243 1224 usbcir - ok
    14:07:34.0243 1224 usbehci - ok
    14:07:34.0243 1224 usbhub - ok
    14:07:34.0258 1224 usbohci - ok
    14:07:34.0258 1224 usbprint - ok
    14:07:34.0258 1224 USBSTOR - ok
    14:07:34.0258 1224 usbuhci - ok
    14:07:34.0258 1224 usbvideo - ok
    14:07:34.0274 1224 UxSms - ok
    14:07:34.0274 1224 VaultSvc - ok
    14:07:34.0274 1224 vdrvroot - ok
    14:07:34.0274 1224 vds - ok
    14:07:34.0274 1224 vga - ok
    14:07:34.0290 1224 VgaSave - ok
    14:07:34.0290 1224 VGPU - ok
    14:07:34.0290 1224 vhdmp - ok
    14:07:34.0290 1224 viaide - ok
    14:07:34.0290 1224 vmbus - ok
    14:07:34.0290 1224 VMBusHID - ok
    14:07:34.0305 1224 volmgr - ok
    14:07:34.0305 1224 volmgrx - ok
    14:07:34.0305 1224 volsnap - ok
    14:07:34.0305 1224 vsmraid - ok
    14:07:34.0305 1224 VSS - ok
    14:07:34.0305 1224 vwifibus - ok
    14:07:34.0321 1224 vwififlt - ok
    14:07:34.0336 1224 vwifimp - ok
    14:07:34.0336 1224 W32Time - ok
    14:07:34.0336 1224 WacomPen - ok
    14:07:34.0336 1224 WANARP - ok
    14:07:34.0352 1224 Wanarpv6 - ok
    14:07:34.0352 1224 WatAdminSvc - ok
    14:07:34.0352 1224 wbengine - ok
    14:07:34.0352 1224 WbioSrvc - ok
    14:07:34.0352 1224 wcncsvc - ok
    14:07:34.0352 1224 WcsPlugInService - ok
    14:07:34.0368 1224 Wd - ok
    14:07:34.0368 1224 WDC_SAM - ok
    14:07:34.0368 1224 Wdf01000 - ok
    14:07:34.0368 1224 WdiServiceHost - ok
    14:07:34.0368 1224 WdiSystemHost - ok
    14:07:34.0383 1224 WebClient - ok
    14:07:34.0383 1224 Wecsvc - ok
    14:07:34.0383 1224 wercplsupport - ok
    14:07:34.0383 1224 WerSvc - ok
    14:07:34.0383 1224 WfpLwf - ok
    14:07:34.0383 1224 WIMMount - ok
    14:07:34.0399 1224 WinDefend - ok
    14:07:34.0399 1224 WinHttpAutoProxySvc - ok
    14:07:34.0399 1224 Winmgmt - ok
    14:07:34.0399 1224 WinRM - ok
    14:07:34.0414 1224 Wlansvc - ok
    14:07:34.0414 1224 WmiAcpi - ok
    14:07:34.0414 1224 wmiApSrv - ok
    14:07:34.0414 1224 WMPNetworkSvc - ok
    14:07:34.0414 1224 WPCSvc - ok
    14:07:34.0430 1224 WPDBusEnum - ok
    14:07:34.0430 1224 ws2ifsl - ok
    14:07:34.0430 1224 wscsvc - ok
    14:07:34.0430 1224 WSearch - ok
    14:07:34.0430 1224 wuauserv - ok
    14:07:34.0446 1224 WudfPf - ok
    14:07:34.0446 1224 WUDFRd - ok
    14:07:34.0446 1224 wudfsvc - ok
    14:07:34.0461 1224 WwanSvc - ok
    14:07:34.0477 1224 ================ Scan global ===============================
    14:07:34.0477 1224 [Global] - ok
    14:07:34.0477 1224 ================ Scan MBR ==================================
    14:07:34.0492 1224 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
    14:07:34.0804 1224 \Device\Harddisk0\DR0 - ok
    14:07:34.0804 1224 ================ Scan VBR ==================================
    14:07:34.0804 1224 [ 52B246396C3ED0D8BBD44547CB6768D2 ] \Device\Harddisk0\DR0\Partition1
    14:07:34.0804 1224 \Device\Harddisk0\DR0\Partition1 - ok
    14:07:34.0851 1224 [ ADCA3CB33A2EDB0160A098D3BE6A65CF ] \Device\Harddisk0\DR0\Partition2
    14:07:34.0851 1224 \Device\Harddisk0\DR0\Partition2 - ok
    14:07:34.0851 1224 ============================================================
    14:07:34.0851 1224 Scan finished
    14:07:34.0851 1224 ============================================================
    14:07:34.0851 1680 Detected object count: 0
    14:07:34.0851 1680 Actual detected object count: 0
    14:07:50.0841 0844 ============================================================
    14:07:50.0841 0844 Scan started
    14:07:50.0841 0844 Mode: Manual; SigCheck; TDLFS;
    14:07:50.0841 0844 ============================================================
    14:07:51.0278 0844 ================ Scan system memory ========================
    14:07:51.0278 0844 System memory - ok
    14:07:51.0278 0844 ================ Scan services =============================
    14:07:51.0294 0844 1394ohci - ok
    14:07:51.0294 0844 5U877 - ok
    14:07:51.0294 0844 ACPI - ok
    14:07:51.0294 0844 AcpiPmi - ok
    14:07:51.0309 0844 AdobeARMservice - ok
    14:07:51.0309 0844 AdobeFlashPlayerUpdateSvc - ok
    14:07:51.0309 0844 adp94xx - ok
    14:07:51.0309 0844 adpahci - ok
    14:07:51.0309 0844 adpu320 - ok
    14:07:51.0325 0844 AeLookupSvc - ok
    14:07:51.0325 0844 AFD - ok
    14:07:51.0325 0844 agp440 - ok
    14:07:51.0325 0844 ALG - ok
    14:07:51.0325 0844 aliide - ok
    14:07:51.0325 0844 amdide - ok
    14:07:51.0340 0844 AmdK8 - ok
    14:07:51.0340 0844 AmdPPM - ok
    14:07:51.0340 0844 amdsata - ok
    14:07:51.0340 0844 amdsbs - ok
    14:07:51.0340 0844 amdxata - ok
    14:07:51.0340 0844 AMPPAL - ok
    14:07:51.0356 0844 AMPPALP - ok
    14:07:51.0372 0844 AMPPALR3 - ok
    14:07:51.0372 0844 AppID - ok
    14:07:51.0372 0844 AppIDSvc - ok
    14:07:51.0372 0844 Appinfo - ok
    14:07:51.0372 0844 Apple Mobile Device - ok
    14:07:51.0387 0844 AppMgmt - ok
    14:07:51.0387 0844 arc - ok
    14:07:51.0387 0844 arcsas - ok
    14:07:51.0403 0844 aspnet_state - ok
    14:07:51.0403 0844 AsyncMac - ok
    14:07:51.0403 0844 atapi - ok
    14:07:51.0403 0844 AudioEndpointBuilder - ok
    14:07:51.0403 0844 AudioSrv - ok
    14:07:51.0418 0844 AxInstSV - ok
    14:07:51.0418 0844 b06bdrv - ok
    14:07:51.0418 0844 b57nd60a - ok
    14:07:51.0418 0844 bcbtums - ok
    14:07:51.0418 0844 BDESVC - ok
    14:07:51.0418 0844 Beep - ok
    14:07:51.0434 0844 BFE - ok
    14:07:51.0434 0844 BITS - ok
    14:07:51.0434 0844 blbdrive - ok
    14:07:51.0465 0844 Bonjour Service - ok
    14:07:51.0465 0844 bowser - ok
    14:07:51.0465 0844 BrFiltLo - ok
    14:07:51.0465 0844 BrFiltUp - ok
    14:07:51.0465 0844 BridgeMP - ok
    14:07:51.0465 0844 Browser - ok
    14:07:51.0481 0844 Brserid - ok
    14:07:51.0481 0844 BrSerWdm - ok
    14:07:51.0481 0844 BrUsbMdm - ok
    14:07:51.0481 0844 BrUsbSer - ok
    14:07:51.0496 0844 BthEnum - ok
    14:07:51.0496 0844 BTHMODEM - ok
    14:07:51.0496 0844 BthPan - ok
    14:07:51.0496 0844 BTHPORT - ok
    14:07:51.0496 0844 bthserv - ok
    14:07:51.0496 0844 BTHSSecurityMgr - ok
    14:07:51.0512 0844 BTHUSB - ok
    14:07:51.0512 0844 BTWAMPFL - ok
    14:07:51.0512 0844 btwaudio - ok
    14:07:51.0512 0844 btwavdt - ok
    14:07:51.0512 0844 btwdins - ok
    14:07:51.0528 0844 btwl2cap - ok
    14:07:51.0528 0844 btwrchid - ok
    14:07:51.0528 0844 catchme - ok
    14:07:51.0528 0844 CcmExec - ok
    14:07:51.0528 0844 cdfs - ok
    14:07:51.0528 0844 cdrom - ok
    14:07:51.0543 0844 CertPropSvc - ok
    14:07:51.0543 0844 circlass - ok
    14:07:51.0543 0844 Cisco WebEx Connect Upgrade Service - ok
    14:07:51.0543 0844 CLFS - ok
    14:07:51.0543 0844 clr_optimization_v2.0.50727_32 - ok
    14:07:51.0559 0844 clr_optimization_v2.0.50727_64 - ok
    14:07:51.0559 0844 clr_optimization_v4.0.30319_32 - ok
    14:07:51.0559 0844 clr_optimization_v4.0.30319_64 - ok
    14:07:51.0559 0844 CmBatt - ok
    14:07:51.0559 0844 cmdide - ok
    14:07:51.0559 0844 CNG - ok
    14:07:51.0574 0844 CnxtHdAudService - ok
    14:07:51.0574 0844 Compbatt - ok
    14:07:51.0574 0844 CompositeBus - ok
    14:07:51.0574 0844 COMSysApp - ok
    14:07:51.0574 0844 CorelCreatorMessages - ok
    14:07:51.0574 0844 cphs - ok
    14:07:51.0590 0844 cpudrv64 - ok
    14:07:51.0590 0844 crcdisk - ok
    14:07:51.0590 0844 CryptSvc - ok
    14:07:51.0590 0844 CSC - ok
    14:07:51.0590 0844 CscService - ok
    14:07:51.0606 0844 CVirtA - ok
    14:07:51.0606 0844 CVPND - ok
    14:07:51.0606 0844 CVPNDRVA - ok
    14:07:51.0606 0844 dc3d - ok
    14:07:51.0606 0844 DcomLaunch - ok
    14:07:51.0606 0844 defragsvc - ok
    14:07:51.0621 0844 DfsC - ok
    14:07:51.0637 0844 Dhcp - ok
    14:07:51.0652 0844 discache - ok
    14:07:51.0652 0844 Disk - ok
    14:07:51.0652 0844 dmvsc - ok
    14:07:51.0652 0844 DNE - ok
    14:07:51.0652 0844 Dnscache - ok
    14:07:51.0652 0844 dot3svc - ok
    14:07:51.0668 0844 DozeSvc - ok
    14:07:51.0668 0844 DPS - ok
    14:07:51.0668 0844 drmkaud - ok
    14:07:51.0668 0844 DXGKrnl - ok
    14:07:51.0668 0844 DzHDD64 - ok
    14:07:51.0684 0844 e1cexpress - ok
    14:07:51.0684 0844 EapHost - ok
    14:07:51.0684 0844 ebdrv - ok
    14:07:51.0684 0844 EFS - ok
    14:07:51.0684 0844 ehRecvr - ok
    14:07:51.0684 0844 ehSched - ok
    14:07:51.0699 0844 elxstor - ok
    14:07:51.0699 0844 ErrDev - ok
    14:07:51.0699 0844 EventSystem - ok
    14:07:51.0699 0844 exfat - ok
    14:07:51.0699 0844 fastfat - ok
    14:07:51.0715 0844 Fax - ok
    14:07:51.0715 0844 fdc - ok
    14:07:51.0746 0844 fdPHost - ok
    14:07:51.0746 0844 FDResPub - ok
    14:07:51.0746 0844 FileInfo - ok
    14:07:51.0746 0844 Filetrace - ok
    14:07:51.0746 0844 flpydisk - ok
    14:07:51.0746 0844 FltMgr - ok
    14:07:51.0762 0844 FontCache - ok
    14:07:51.0762 0844 FontCache3.0.0.0 - ok
    14:07:51.0762 0844 FsDepends - ok
    14:07:51.0762 0844 Fs_Rec - ok
    14:07:51.0762 0844 fvevol - ok
    14:07:51.0762 0844 gagp30kx - ok
    14:07:51.0777 0844 GEARAspiWDM - ok
    14:07:51.0777 0844 GingerUpdateService - ok
    14:07:51.0777 0844 gpsvc - ok
    14:07:51.0777 0844 gupdate - ok
    14:07:51.0777 0844 gupdatem - ok
    14:07:51.0777 0844 hcw85cir - ok
    14:07:51.0793 0844 HdAudAddService - ok
    14:07:51.0793 0844 HDAudBus - ok
    14:07:51.0793 0844 HidBatt - ok
    14:07:51.0793 0844 HidBth - ok
    14:07:51.0793 0844 HidIr - ok
    14:07:51.0808 0844 hidserv - ok
    14:07:51.0808 0844 HidUsb - ok
    14:07:51.0808 0844 hkmsvc - ok
    14:07:51.0808 0844 HomeGroupListener - ok
    14:07:51.0808 0844 HomeGroupProvider - ok
    14:07:51.0808 0844 HpSAMD - ok
    14:07:51.0824 0844 HTTP - ok
    14:07:51.0824 0844 hwpolicy - ok
    14:07:51.0824 0844 HyperW7Svc - ok
    14:07:51.0824 0844 i8042prt - ok
    14:07:51.0824 0844 iaStor - ok
    14:07:51.0840 0844 iaStorV - ok
    14:07:51.0840 0844 IBMPMDRV - ok
    14:07:51.0840 0844 IBMPMSVC - ok
    14:07:51.0840 0844 idsvc - ok
    14:07:51.0840 0844 igfx - ok
    14:07:51.0840 0844 iirsp - ok
    14:07:51.0855 0844 IKEEXT - ok
    14:07:51.0855 0844 intaud_WaveExtensible - ok
    14:07:51.0855 0844 IntcAzAudAddService - ok
    14:07:51.0855 0844 IntcDAud - ok
    14:07:51.0855 0844 Intel(R) Capability Licensing Service Interface - ok
    14:07:51.0855 0844 intelide - ok
    14:07:51.0871 0844 intelppm - ok
    14:07:51.0871 0844 IPBusEnum - ok
    14:07:51.0871 0844 IpFilterDriver - ok
    14:07:51.0871 0844 iphlpsvc - ok
    14:07:51.0871 0844 IPMIDRV - ok
    14:07:51.0886 0844 IPNAT - ok
    14:07:51.0886 0844 iPod Service - ok
    14:07:51.0886 0844 IRENUM - ok
    14:07:51.0886 0844 isapnp - ok
    14:07:51.0886 0844 iScsiPrt - ok
    14:07:51.0902 0844 iusb3hcs - ok
    14:07:51.0902 0844 iusb3hub - ok
    14:07:51.0902 0844 iusb3xhc - ok
    14:07:51.0902 0844 IviRegMgr - ok
    14:07:51.0902 0844 iwdbus - ok
    14:07:51.0918 0844 jhi_service - ok
    14:07:51.0918 0844 kbdclass - ok
    14:07:51.0918 0844 kbdhid - ok
    14:07:51.0918 0844 KeyIso - ok
    14:07:51.0933 0844 KSecDD - ok
    14:07:51.0933 0844 KSecPkg - ok
    14:07:51.0933 0844 ksthunk - ok
    14:07:51.0933 0844 KtmRm - ok
    14:07:51.0949 0844 LanmanServer - ok
    14:07:51.0949 0844 LanmanWorkstation - ok
    14:07:51.0949 0844 LENOVO.CAMMUTE - ok
    14:07:51.0949 0844 LENOVO.MICMUTE - ok
    14:07:51.0949 0844 lenovo.smi - ok
    14:07:51.0964 0844 LENOVO.TPKNRSVC - ok
    14:07:51.0964 0844 LENOVO.TVTVCAM - ok
    14:07:51.0964 0844 Lenovo.VIRTSCRLSVC - ok
    14:07:51.0964 0844 lltdio - ok
    14:07:51.0964 0844 lltdsvc - ok
    14:07:51.0980 0844 lmhosts - ok
    14:07:51.0980 0844 LMS - ok
    14:07:51.0980 0844 LSI_FC - ok
    14:07:51.0980 0844 LSI_SAS - ok
    14:07:51.0980 0844 LSI_SAS2 - ok
    14:07:51.0980 0844 LSI_SCSI - ok
    14:07:51.0996 0844 luafv - ok
    14:07:51.0996 0844 Mcx2Svc - ok
    14:07:51.0996 0844 megasas - ok
    14:07:51.0996 0844 MegaSR - ok
    14:07:51.0996 0844 MEIx64 - ok
    14:07:51.0996 0844 Microsoft SharePoint Workspace Audit Service - ok
    14:07:52.0011 0844 MMCSS - ok
    14:07:52.0011 0844 Modem - ok
    14:07:52.0011 0844 monitor - ok
    14:07:52.0011 0844 mouclass - ok
    14:07:52.0011 0844 mouhid - ok
    14:07:52.0027 0844 mountmgr - ok
    14:07:52.0027 0844 MozillaMaintenance - ok
    14:07:52.0089 0844 MpFilter - ok
    14:07:52.0089 0844 mpio - ok
    14:07:52.0089 0844 mpsdrv - ok
    14:07:52.0089 0844 MpsSvc - ok
    14:07:52.0089 0844 MRxDAV - ok
    14:07:52.0105 0844 mrxsmb - ok
    14:07:52.0105 0844 mrxsmb10 - ok
    14:07:52.0105 0844 mrxsmb20 - ok
    14:07:52.0105 0844 msahci - ok
    14:07:52.0105 0844 msdsm - ok
    14:07:52.0105 0844 MSDTC - ok
    14:07:52.0120 0844 Msfs - ok
    14:07:52.0120 0844 mshidkmdf - ok
    14:07:52.0120 0844 msisadrv - ok
    14:07:52.0120 0844 MSiSCSI - ok
    14:07:52.0120 0844 msiserver - ok
    14:07:52.0136 0844 MSKSSRV - ok
    14:07:52.0136 0844 MsMpSvc - ok
    14:07:52.0136 0844 MSPCLOCK - ok
    14:07:52.0136 0844 MSPQM - ok
    14:07:52.0136 0844 MsRPC - ok
    14:07:52.0136 0844 mssmbios - ok
    14:07:52.0152 0844 MSTEE - ok
    14:07:52.0152 0844 MTConfig - ok
    14:07:52.0152 0844 Mup - ok
    14:07:52.0152 0844 napagent - ok
    14:07:52.0152 0844 NativeWifiP - ok
    14:07:52.0152 0844 NDIS - ok
    14:07:52.0167 0844 NdisCap - ok
    14:07:52.0167 0844 NdisTapi - ok
    14:07:52.0167 0844 Ndisuio - ok
    14:07:52.0167 0844 NdisWan - ok
    14:07:52.0167 0844 NDProxy - ok
    14:07:52.0167 0844 Net Driver HPZ12 - ok
    14:07:52.0183 0844 NetBIOS - ok
    14:07:52.0183 0844 NetBT - ok
    14:07:52.0183 0844 Netlogon - ok
    14:07:52.0183 0844 Netman - ok
    14:07:52.0183 0844 NetMsmqActivator - ok
    14:07:52.0183 0844 NetPipeActivator - ok
    14:07:52.0198 0844 netprofm - ok
    14:07:52.0198 0844 NetTcpActivator - ok
    14:07:52.0198 0844 NetTcpPortSharing - ok
    14:07:52.0198 0844 NETwNs64 - ok
    14:07:52.0198 0844 nfrd960 - ok
    14:07:52.0214 0844 NisDrv - ok
    14:07:52.0214 0844 NisSrv - ok
    14:07:52.0214 0844 NlaSvc - ok
    14:07:52.0214 0844 Npfs - ok
    14:07:52.0214 0844 nsi - ok
    14:07:52.0214 0844 nsiproxy - ok
    14:07:52.0230 0844 Ntfs - ok
    14:07:52.0230 0844 NuidFltr - ok
    14:07:52.0230 0844 Null - ok
    14:07:52.0230 0844 nusb3hub - ok
    14:07:52.0230 0844 nusb3xhc - ok
    14:07:52.0245 0844 nvraid - ok
    14:07:52.0245 0844 nvstor - ok
    14:07:52.0245 0844 nv_agp - ok
    14:07:52.0245 0844 odserv - ok
    14:07:52.0245 0844 ohci1394 - ok
    14:07:52.0245 0844 ose - ok
    14:07:52.0261 0844 ose64 - ok
    14:07:52.0261 0844 osppsvc - ok
    14:07:52.0261 0844 p2pimsvc - ok
    14:07:52.0261 0844 p2psvc - ok
    14:07:52.0261 0844 Parport - ok
    14:07:52.0276 0844 partmgr - ok
    14:07:52.0292 0844 pavboot - ok
    14:07:52.0292 0844 PcaSvc - ok
    14:07:52.0292 0844 pci - ok
    14:07:52.0292 0844 pciide - ok
    14:07:52.0292 0844 pcmcia - ok
    14:07:52.0308 0844 pcw - ok
    14:07:52.0308 0844 PEAUTH - ok
    14:07:52.0308 0844 PeerDistSvc - ok
    14:07:52.0308 0844 PerfHost - ok
    14:07:52.0323 0844 PHCORE - ok
    14:07:52.0323 0844 pla - ok
    14:07:52.0323 0844 PlugPlay - ok
    14:07:52.0323 0844 Pml Driver HPZ12 - ok
    14:07:52.0323 0844 PNRPAutoReg - ok
    14:07:52.0323 0844 PNRPsvc - ok
    14:07:52.0339 0844 Point64 - ok
    14:07:52.0339 0844 PolicyAgent - ok
    14:07:52.0339 0844 Power - ok
    14:07:52.0339 0844 Power Manager DBC Service - ok
    14:07:52.0339 0844 PptpMiniport - ok
    14:07:52.0354 0844 prepdrvr - ok
    14:07:52.0354 0844 Processor - ok
    14:07:52.0354 0844 ProfSvc - ok
    14:07:52.0354 0844 ProtectedStorage - ok
    14:07:52.0354 0844 psadd - ok
    14:07:52.0354 0844 Psched - ok
    14:07:52.0370 0844 PSI_SVC_2 - ok
    14:07:52.0370 0844 PwmEWSvc - ok
    14:07:52.0370 0844 ql2300 - ok
    14:07:52.0370 0844 ql40xx - ok
    14:07:52.0370 0844 QWAVE - ok
    14:07:52.0370 0844 QWAVEdrv - ok
    14:07:52.0386 0844 RasAcd - ok
    14:07:52.0386 0844 RasAgileVpn - ok
    14:07:52.0386 0844 RasAuto - ok
    14:07:52.0386 0844 Rasl2tp - ok
    14:07:52.0386 0844 RasMan - ok
    14:07:52.0386 0844 RasPppoe - ok
    14:07:52.0401 0844 RasSstp - ok
    14:07:52.0401 0844 rdbss - ok
    14:07:52.0401 0844 rdpbus - ok
    14:07:52.0417 0844 RDPCDD - ok
    14:07:52.0417 0844 RDPDR - ok
    14:07:52.0417 0844 RDPENCDD - ok
    14:07:52.0417 0844 RDPREFMP - ok
    14:07:52.0417 0844 RdpVideoMiniport - ok
    14:07:52.0432 0844 RDPWD - ok
    14:07:52.0432 0844 rdyboost - ok
    14:07:52.0432 0844 RemoteAccess - ok
    14:07:52.0432 0844 RemoteRegistry - ok
    14:07:52.0432 0844 RFCOMM - ok
    14:07:52.0448 0844 risdxc - ok
    14:07:52.0448 0844 RpcEptMapper - ok
    14:07:52.0448 0844 RpcLocator - ok
    14:07:52.0448 0844 RpcSs - ok
    14:07:52.0448 0844 rspndr - ok
    14:07:52.0448 0844 s3cap - ok
    14:07:52.0464 0844 SamSs - ok
    14:07:52.0464 0844 sbp2port - ok
    14:07:52.0464 0844 SCardSvr - ok
    14:07:52.0464 0844 scfilter - ok
    14:07:52.0464 0844 Schedule - ok
    14:07:52.0464 0844 SCPolicySvc - ok
    14:07:52.0479 0844 SDRSVC - ok
    14:07:52.0479 0844 secdrv - ok
    14:07:52.0479 0844 seclogon - ok
    14:07:52.0479 0844 SENS - ok
    14:07:52.0479 0844 SensrSvc - ok
    14:07:52.0479 0844 Serenum - ok
    14:07:52.0479 0844 Serial - ok
    14:07:52.0495 0844 sermouse - ok
    14:07:52.0495 0844 SessionEnv - ok
    14:07:52.0495 0844 sffdisk - ok
    14:07:52.0495 0844 sffp_mmc - ok
    14:07:52.0510 0844 sffp_sd - ok
    14:07:52.0510 0844 sfloppy - ok
    14:07:52.0510 0844 SharedAccess - ok
    14:07:52.0526 0844 ShellHWDetection - ok
    14:07:52.0526 0844 Shockprf - ok
    14:07:52.0526 0844 SiSRaid2 - ok
    14:07:52.0526 0844 SiSRaid4 - ok
    14:07:52.0526 0844 SkypeUpdate - ok
    14:07:52.0542 0844 Smb - ok
    14:07:52.0542 0844 smstsmgr - ok
    14:07:52.0542 0844 SNMPTRAP - ok
    14:07:52.0542 0844 spldr - ok
    14:07:52.0542 0844 Spooler - ok
    14:07:52.0557 0844 sppsvc - ok
    14:07:52.0557 0844 sppuinotify - ok
    14:07:52.0557 0844 srv - ok
    14:07:52.0557 0844 srv2 - ok
    14:07:52.0557 0844 srvnet - ok
    14:07:52.0557 0844 SSDPSRV - ok
    14:07:52.0573 0844 SstpSvc - ok
    14:07:52.0573 0844 stexstor - ok
    14:07:52.0573 0844 stisvc - ok
    14:07:52.0604 0844 storflt - ok
    14:07:52.0604 0844 StorSvc - ok
    14:07:52.0604 0844 storvsc - ok
    14:07:52.0604 0844 SUService - ok
    14:07:52.0604 0844 swenum - ok
    14:07:52.0604 0844 swprv - ok
    14:07:52.0620 0844 Synth3dVsc - ok
    14:07:52.0620 0844 SynTP - ok
    14:07:52.0620 0844 SysMain - ok
    14:07:52.0620 0844 TabletInputService - ok
    14:07:52.0620 0844 TapiSrv - ok
    14:07:52.0620 0844 TBS - ok
    14:07:52.0635 0844 Tcpip - ok
    14:07:52.0635 0844 TCPIP6 - ok
    14:07:52.0635 0844 tcpipreg - ok
    14:07:52.0635 0844 TDPIPE - ok
    14:07:52.0635 0844 TDTCP - ok
    14:07:52.0651 0844 tdx - ok
    14:07:52.0651 0844 TermDD - ok
    14:07:52.0651 0844 terminpt - ok
    14:07:52.0651 0844 TermService - ok
    14:07:52.0651 0844 Themes - ok
    14:07:52.0651 0844 THREADORDER - ok
    14:07:52.0666 0844 TPDIGIMN - ok
    14:07:52.0666 0844 TPHDEXLGSVC - ok
    14:07:52.0666 0844 TPHKLOAD - ok
    14:07:52.0666 0844 TPHKSVC - ok
    14:07:52.0666 0844 TPM - ok
    14:07:52.0682 0844 TPPWRIF - ok
    14:07:52.0682 0844 TrkWks - ok
    14:07:52.0682 0844 TrustedInstaller - ok
    14:07:52.0682 0844 tssecsrv - ok
    14:07:52.0682 0844 TsUsbFlt - ok
    14:07:52.0698 0844 TsUsbGD - ok
    14:07:52.0698 0844 tsusbhub - ok
    14:07:52.0698 0844 tunnel - ok
    14:07:52.0698 0844 tvtvcamd - ok
    14:07:52.0698 0844 uagp35 - ok
    14:07:52.0698 0844 udfs - ok
    14:07:52.0713 0844 UI0Detect - ok
    14:07:52.0713 0844 uliagpkx - ok
    14:07:52.0713 0844 umbus - ok
    14:07:52.0713 0844 UmPass - ok
    14:07:52.0713 0844 UmRdpService - ok
    14:07:52.0729 0844 UNS - ok
    14:07:52.0729 0844 upnphost - ok
    14:07:52.0729 0844 usbccgp - ok
    14:07:52.0729 0844 usbcir - ok
    14:07:52.0729 0844 usbehci - ok
    14:07:52.0729 0844 usbhub - ok
    14:07:52.0744 0844 usbohci - ok
    14:07:52.0744 0844 usbprint - ok
    14:07:52.0744 0844 USBSTOR - ok
    14:07:52.0744 0844 usbuhci - ok
    14:07:52.0744 0844 usbvideo - ok
    14:07:52.0744 0844 UxSms - ok
    14:07:52.0760 0844 VaultSvc - ok
    14:07:52.0760 0844 vdrvroot - ok
    14:07:52.0760 0844 vds - ok
    14:07:52.0760 0844 vga - ok
    14:07:52.0760 0844 VgaSave - ok
    14:07:52.0776 0844 VGPU - ok
    14:07:52.0776 0844 vhdmp - ok
    14:07:52.0776 0844 viaide - ok
    14:07:52.0776 0844 vmbus - ok
    14:07:52.0776 0844 VMBusHID - ok
    14:07:52.0776 0844 volmgr - ok
    14:07:52.0791 0844 volmgrx - ok
    14:07:52.0791 0844 volsnap - ok
    14:07:52.0791 0844 vsmraid - ok
    14:07:52.0791 0844 VSS - ok
    14:07:52.0791 0844 vwifibus - ok
    14:07:52.0807 0844 vwififlt - ok
    14:07:52.0807 0844 vwifimp - ok
    14:07:52.0807 0844 W32Time - ok
    14:07:52.0807 0844 WacomPen - ok
    14:07:52.0807 0844 WANARP - ok
    14:07:52.0822 0844 Wanarpv6 - ok
    14:07:52.0822 0844 WatAdminSvc - ok
    14:07:52.0822 0844 wbengine - ok
    14:07:52.0822 0844 WbioSrvc - ok
    14:07:52.0822 0844 wcncsvc - ok
    14:07:52.0822 0844 WcsPlugInService - ok
    14:07:52.0838 0844 Wd - ok
    14:07:52.0838 0844 WDC_SAM - ok
    14:07:52.0838 0844 Wdf01000 - ok
    14:07:52.0838 0844 WdiServiceHost - ok
    14:07:52.0838 0844 WdiSystemHost - ok
    14:07:52.0838 0844 WebClient - ok
    14:07:52.0854 0844 Wecsvc - ok
    14:07:52.0854 0844 wercplsupport - ok
    14:07:52.0854 0844 WerSvc - ok
    14:07:52.0854 0844 WfpLwf - ok
    14:07:52.0854 0844 WIMMount - ok
    14:07:52.0869 0844 WinDefend - ok
    14:07:52.0869 0844 WinHttpAutoProxySvc - ok
    14:07:52.0869 0844 Winmgmt - ok
    14:07:52.0869 0844 WinRM - ok
    14:07:52.0900 0844 Wlansvc - ok
    14:07:52.0900 0844 WmiAcpi - ok
    14:07:52.0900 0844 wmiApSrv - ok
    14:07:52.0900 0844 WMPNetworkSvc - ok
    14:07:52.0916 0844 WPCSvc - ok
    14:07:52.0916 0844 WPDBusEnum - ok
    14:07:52.0916 0844 ws2ifsl - ok
    14:07:52.0916 0844 wscsvc - ok
    14:07:52.0932 0844 WSearch - ok
    14:07:52.0932 0844 wuauserv - ok
    14:07:52.0932 0844 WudfPf - ok
    14:07:52.0932 0844 WUDFRd - ok
    14:07:52.0947 0844 wudfsvc - ok
    14:07:52.0947 0844 WwanSvc - ok
    14:07:52.0963 0844 ================ Scan global ===============================
    14:07:52.0963 0844 [Global] - ok
    14:07:52.0963 0844 ================ Scan MBR ==================================
    14:07:52.0994 0844 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
    14:07:54.0523 0844 \Device\Harddisk0\DR0 - ok
    14:07:54.0523 0844 ================ Scan VBR ==================================
    14:07:54.0523 0844 [ 52B246396C3ED0D8BBD44547CB6768D2 ] \Device\Harddisk0\DR0\Partition1
    14:07:54.0523 0844 \Device\Harddisk0\DR0\Partition1 - ok
    14:07:54.0570 0844 [ ADCA3CB33A2EDB0160A098D3BE6A65CF ] \Device\Harddisk0\DR0\Partition2
    14:07:54.0570 0844 \Device\Harddisk0\DR0\Partition2 - ok
    14:07:54.0570 0844 ============================================================
    14:07:54.0570 0844 Scan finished
    14:07:54.0570 0844 ============================================================
    14:07:54.0570 2724 Detected object count: 0
    14:07:54.0570 2724 Actual detected object count: 0
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Next step please:

    Go to Start > type in CMD and hit enter or press result "Command Prompt" in the results pane.

    Type in the following:

    reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /s >crypt.txt&&crypt.txt


    Once done, it shall launch a log for me to see. Please post it in next reply. :)
  10. wf2008

    wf2008 Newcomer, in training Topic Starter

    Hi,

    Here is the requested log.

    Thank you!

    **************CRYPT.TXT****************

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc
    DisplayName REG_SZ Cryptographic Services
    ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k NetworkService
    Description REG_SZ @%SystemRoot%\system32\cryptsvc.dll,-1002
    ObjectName REG_SZ NT Authority\NetworkService
    ErrorControl REG_DWORD 0x1
    Start REG_DWORD 0x2
    Type REG_DWORD 0x20
    DependOnService REG_MULTI_SZ RpcSs
    ServiceSidType REG_DWORD 0x1
    RequiredPrivileges REG_MULTI_SZ SeChangeNotifyPrivilege\0SeCreateGlobalPrivilege\0SeImpersonatePrivilege
    FailureActions REG_BINARY 80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters
    ServiceDll REG_EXPAND_SZ %SystemRoot%\system32\cryptsvc.dll
    ServiceMain REG_SZ CryptServiceMain
    ServiceDllUnloadOnStop REG_DWORD 0x1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security
    Security REG_BINARY 00000E0001
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Open a command window and execute the following commands, one at a time. Click OK if prompted.

    regsvr32 softpub.dll
    regsvr32 wintrust.dll
    regsvr32 initpki.dll
    regsvr32 dssenh.dll
    regsvr32 rsaenh.dll
    regsvr32 gpkcsp.dll
    regsvr32 sccbase.dll
    regsvr32 slbcsp.dll
    regsvr32 cryptdlg.dll
    net start cryptsvc


    Let me know the results of the final command.
  12. wf2008

    wf2008 Newcomer, in training Topic Starter

    The following files returned error messages: initpki.dll, gpkcsp.dll, sccbase.dll, and slbcsp.dll. The error message for all of those was:


    The module "initpki.dll" failed to load.

    Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

    The specified module could not be found.
    (Each error message had the corresponding dll file in the first line of the error message). The other files displayed a message saying they were registered successfully.

    When running the final command, I see:

    The Cryptographic Services service is starting.
    The Cryptographic Services service could not be started.

    A system error has occurred.
    System error 1067 has occurred.
    The process terminated unexpectedly.
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

     
  14. wf2008

    wf2008 Newcomer, in training Topic Starter

    Thank you for your continued help. Here are the logs:

    ***************FIRST LOG*****************
    Volume in drive C has no label.
    Volume Serial Number is B804-8DBC

    Directory of C:\Windows\System32

    04/23/2012 11:36 PM 140,288 cryptsvc.dll
    1 File(s) 140,288 bytes

    Directory of C:\Windows\SysWOW64

    04/23/2012 11:36 PM 140,288 cryptsvc.dll
    1 File(s) 140,288 bytes

    Directory of C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17514_none_d4259ed3b16ed82a

    11/20/2010 08:25 AM 177,152 cryptsvc.dll
    1 File(s) 177,152 bytes

    Directory of C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17827_none_d41dd577b1743795

    04/24/2012 12:37 AM 184,320 cryptsvc.dll
    1 File(s) 184,320 bytes

    Directory of C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.21979_none_d473633acab895c2

    04/24/2012 12:22 AM 186,880 cryptsvc.dll
    1 File(s) 186,880 bytes

    Directory of C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17514_none_7807034ff91166f4

    11/20/2010 07:18 AM 136,192 cryptsvc.dll
    1 File(s) 136,192 bytes

    Directory of C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17827_none_77ff39f3f916c65f

    04/23/2012 11:36 PM 140,288 cryptsvc.dll
    1 File(s) 140,288 bytes

    Directory of C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.21979_none_7854c7b7125b248c

    04/23/2012 11:28 PM 142,336 cryptsvc.dll
    1 File(s) 142,336 bytes

    Total Files Listed:
    8 File(s) 1,247,744 bytes
    0 Dir(s) 245,213,573,120 bytes free


    **************SECOND LOG*****************
    The system cannot find the path specified.
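One thing a responder would check in the first log above is whether the copy of cryptsvc.dll that the service actually loads is the right build. On a 64-bit install, System32 should hold the amd64 build and SysWOW64 the x86 build, and both should correspond to a component in the WinSxS store. In the listing above the System32 copy is 140,288 bytes, which equals the x86 6.1.7601.17827 component and none of the amd64 ones. The script below is an added example, not from the thread or from any tool used in it: it parses a `dir`-style listing like the one posted and flags a live copy whose size matches only a component of the wrong architecture. It assumes a 64-bit Windows, and it matches by size only, which is a cheap first screen rather than proof of anything.

```python
"""Cross-check the live cryptsvc.dll copies against the WinSxS component store.

Added example: parses a `dir`-style listing and checks, by size, whether the
System32 copy matches an amd64 WinSxS component and the SysWOW64 copy an x86
one (assumes a 64-bit install).
"""
import re
from dataclasses import dataclass

# Constructed sample: the listing posted in the thread, trimmed to the lines
# the parser needs (paths and sizes copied as shown there).
SAMPLE_LISTING = r"""
 Directory of C:\Windows\System32
04/23/2012 11:36 PM 140,288 cryptsvc.dll
 Directory of C:\Windows\SysWOW64
04/23/2012 11:36 PM 140,288 cryptsvc.dll
 Directory of C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17514_none_d4259ed3b16ed82a
11/20/2010 08:25 AM 177,152 cryptsvc.dll
 Directory of C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17827_none_d41dd577b1743795
04/24/2012 12:37 AM 184,320 cryptsvc.dll
 Directory of C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.21979_none_d473633acab895c2
04/24/2012 12:22 AM 186,880 cryptsvc.dll
 Directory of C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17514_none_7807034ff91166f4
11/20/2010 07:18 AM 136,192 cryptsvc.dll
 Directory of C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17827_none_77ff39f3f916c65f
04/23/2012 11:36 PM 140,288 cryptsvc.dll
 Directory of C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.21979_none_7854c7b7125b248c
04/23/2012 11:28 PM 142,336 cryptsvc.dll
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(r"^\s*\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(\S+)\s*$")
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


def parse_dir_listing(text):
    """Return {directory: {filename: size_in_bytes}} from `dir /s`-style output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            result[current][m.group(2).lower()] = int(m.group(1).replace(",", ""))
    return result


@dataclass
class LiveCopy:
    path: str
    expected_arch: str   # build the directory should hold on a 64-bit install
    size: int
    matches: list        # (arch, version) of WinSxS components with the same size

    @property
    def ok(self):
        """True when at least one same-size component has the expected architecture."""
        return any(arch == self.expected_arch for arch, _ in self.matches)


def check_live_copies(listing, filename="cryptsvc.dll"):
    """Compare the live System32/SysWOW64 copies of `filename` with WinSxS."""
    components = []   # (arch, version, size) from winsxs folder names
    live = []         # (directory, expected_arch, size)
    for directory, files in listing.items():
        if filename not in files:
            continue
        size = files[filename]
        low = directory.lower()
        if "\\winsxs\\" in low:
            folder = directory.rsplit("\\", 1)[1]
            arch = folder.split("_", 1)[0]            # amd64 / x86 / wow64
            vm = VERSION_RE.search(folder)
            components.append((arch, vm.group(1) if vm else "?", size))
        elif low.endswith("\\system32"):
            live.append((directory, "amd64", size))
        elif low.endswith("\\syswow64"):
            live.append((directory, "x86", size))
    report = []
    for directory, expected, size in live:
        matches = [(a, v) for a, v, s in components if s == size]
        report.append(LiveCopy(directory, expected, size, matches))
    return report


if __name__ == "__main__":
    for copy in check_live_copies(parse_dir_listing(SAMPLE_LISTING)):
        status = "ok" if copy.ok else "MISMATCH"
        print(f"{status:8} {copy.path}: {copy.size} bytes, "
              f"same-size components: {copy.matches or 'none'}")
```

Run against the sample, the SysWOW64 copy lines up with the x86 6.1.7601.17827 component, while the System32 copy matches only that same x86 component and is flagged. On a live system a hit like that is a reason to compare hashes against the WinSxS copy or run `sfc /scannow`, not a verdict on its own, since sizes can collide.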
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay, need more information now...

    Go to Command Prompt like before, copy and paste this to the Command window:

    cacls c:\windows\system32\svchost.exe

    Post back what it says please.
  16. wf2008

    wf2008 Newcomer, in training Topic Starter

    Ok, here is the output:

    c:\windows\system32\svchost.exe NT SERVICE\TrustedInstaller:F
    BUILTIN\Administrators:R
    NT AUTHORITY\SYSTEM:R
    BUILTIN\Users:R

    Thank you!
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Next command:

    cacls c:\windows\system32\svchost.exe /e /g Everyone:F

    Restart the computer and open another command prompt, then type sc query cryptsvc

    If stopped, try sc start cryptsvc
  18. wf2008

    wf2008 Newcomer, in training Topic Starter

    Hi,

    After running that first command, it reported that it successfully processed the file.
    After restarting and running sc query cryptsvc, I received the following output:

    SERVICE_NAME: cryptsvc
    TYPE: 20 WIN32_SHARE_PROCESS
    STATE: 1 STOPPED
    WIN32_EXIT_CODE : 1067 (0x42b)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    When I run sc start cryptsvc, it gives the following information:

    SERVICE_NAME: cryptsvc
    TYPE: 20 WIN32_SHARE_PROCESS
    STATE: 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x7d0
    PID: 488
    FLAGS:

    But after running sc query cryptsvc again, it reports that it has stopped:

    SERVICE_NAME: cryptsvc
    TYPE: 20 WIN32_SHARE_PROCESS
    STATE: 1 STOPPED
    WIN32_EXIT_CODE : 1067 (0x42b)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    Thank you so much for your continued assistance.
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let's try and do a bit of reckless fixing here (trust me):

    Download the attached zip file, right-click and Extract all...

    Once you get the fix-crypt-service-xp.reg file extracted from the zip file...double-click on it to merge. Restart your computer.

    Then, go to Command Prompt again (as administrator), run sc start cryptsvc - let me know the response. Then, sc query cryptsvc > log.txt&&log.txt

    Once done, post the log. :)

  20. wf2008

    wf2008 Newcomer, in training Topic Starter

    Thank you for your help.

    After double-clicking the registry file, the entries were successfully merged. After restarting and running sc start cryptsvc, I get the following error:

    [SC] StartService FAILED 1083:

    The executable program that this service is configured to run in does not implement the service.

    Below is the log:


    SERVICE_NAME: cryptsvc
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0
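The two failures shown in this thread are different in kind, and it helps to tell them apart mechanically. Earlier, `sc start` was accepted (START_PENDING with a PID) and the service then dropped back to STOPPED with WIN32_EXIT_CODE 1067 (ERROR_PROCESS_ABORTED): the host process died. After the registry merge, `sc start` is refused outright with 1083 (ERROR_SERVICE_NOT_IN_EXE): the executable the service is configured to run in does not register a service by that name, so nothing even gets a chance to crash. The script below is an added example, not from the thread or from any tool used in it: it parses the `sc query` and `sc start` output posted above (embedded here as constructed samples) and classifies a time-ordered series of snapshots into "crash-loop", "start-rejected", "running" or "stopped". The error-code descriptions are the standard Win32 meanings; the note about svchost group/ServiceDll registration for 1083 is the usual cause for a shared-process service, stated as such.

```python
"""Triage `sc query` / `sc start` output for a service that will not stay up.

Added example: parses the service-controller output posted in the thread and
distinguishes a host that crashes after starting (exit code 1067) from a start
the controller rejects because the configured host does not implement the
service (1083).
"""
import re

# Constructed samples: the `sc query cryptsvc` / `sc start cryptsvc` output
# posted in the thread, copied as shown there.
QUERY_STOPPED_1067 = """\
SERVICE_NAME: cryptsvc
TYPE: 20 WIN32_SHARE_PROCESS
STATE: 1 STOPPED
WIN32_EXIT_CODE : 1067 (0x42b)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
"""

START_PENDING = """\
SERVICE_NAME: cryptsvc
TYPE: 20 WIN32_SHARE_PROCESS
STATE: 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID: 488
FLAGS:
"""

QUERY_STOPPED_CLEAN = """\
SERVICE_NAME: cryptsvc
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
"""

START_FAILED_1083 = (
    "[SC] StartService FAILED 1083:\n\n"
    "The executable program that this service is configured to run in "
    "does not implement the service."
)

FIELD_RE = re.compile(r"^\s*([A-Z_0-9]+)\s*:\s*(.*?)\s*$")
CODE_RE = re.compile(r"^(\d+)(?:\s+\(0x([0-9a-fA-F]+)\))?")
STATE_RE = re.compile(r"^\d+\s+([A-Z_]+)")
START_FAIL_RE = re.compile(r"\[SC\] StartService FAILED (\d+)")

# Standard Win32 error codes that matter here.  The parenthetical on 1083 is the
# usual cause for an svchost-hosted service, not something sc reports itself.
WIN32_ERRORS = {
    0: "ERROR_SUCCESS",
    1067: "ERROR_PROCESS_ABORTED: the hosting process exited unexpectedly "
          "(look for the faulting module in the event log)",
    1083: "ERROR_SERVICE_NOT_IN_EXE: the configured host did not register a "
          "service of this name (for svchost-hosted services, usually a "
          "missing or inconsistent svchost group / ServiceDll registration)",
}


def _parse_code(value):
    """Turn '1067 (0x42b)' into 1067, checking that the hex half agrees."""
    m = CODE_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised code field: {value!r}")
    dec = int(m.group(1))
    if m.group(2) is not None and int(m.group(2), 16) != dec:
        raise ValueError(f"decimal/hex disagree in {value!r}")
    return dec


def parse_sc_query(text):
    """Parse one `sc query <name>` snapshot into a small dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    state = STATE_RE.match(fields.get("STATE", ""))
    return {
        "name": fields.get("SERVICE_NAME"),
        "state": state.group(1) if state else None,
        "win32_exit_code": _parse_code(fields.get("WIN32_EXIT_CODE", "0")),
        "service_exit_code": _parse_code(fields.get("SERVICE_EXIT_CODE", "0")),
        "pid": int(fields["PID"]) if fields.get("PID") else None,
    }


def triage(snapshots, start_output=None):
    """Classify time-ordered snapshots plus whatever `sc start` printed.

    Returns (verdict, win32_code, explanation).
    """
    if start_output:
        m = START_FAIL_RE.search(start_output)
        if m:
            code = int(m.group(1))
            return "start-rejected", code, WIN32_ERRORS.get(code, "unknown Win32 error")
    states = [s["state"] for s in snapshots]
    last = snapshots[-1]
    code = last["win32_exit_code"]
    if last["state"] == "RUNNING":
        return "running", 0, WIN32_ERRORS[0]
    if "START_PENDING" in states and last["state"] == "STOPPED" and code == 1067:
        return "crash-loop", code, WIN32_ERRORS[code]
    return "stopped", code, WIN32_ERRORS.get(code, "unknown Win32 error")


if __name__ == "__main__":
    before_fix = [parse_sc_query(t) for t in (QUERY_STOPPED_1067, START_PENDING, QUERY_STOPPED_1067)]
    print(triage(before_fix))
    print(triage([parse_sc_query(QUERY_STOPPED_CLEAN)], START_FAILED_1083))
```

The distinction matters for where to look next: a crash-loop points at the host process and whatever it loaded (the "Cryptographic Services service terminated unexpectedly" events from the start of the thread belong to that class), while a 1083 rejection is a configuration problem between the service entry and its host, with no process to blame yet.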
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Roar... :D

    Download Windows Repair (all in one) from this site

    Install the program then run it.

    Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

    Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

    Go to Step 4 and under "System Restore" click on Create button:

    Go to Start Repairs tab and click Start button.

    Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

    Click on box next to the Restart System when Finished. Then click on Start.


    Then, do the same with the start and query of cryptsvc please. :)
  22. wf2008

    wf2008 Newcomer, in training Topic Starter

    I ran all of the steps you mentioned with the Windows Repair All In One, but I am unfortunately still getting the same error message:

    [SC] StartService FAILED 1083:

    The executable program that this service is configured to run in does not implement the service.

    And the log:

    SERVICE_NAME: cryptsvc
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 1 STOPPED
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    :(
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  24. wf2008

    wf2008 Newcomer, in training Topic Starter

    Ok, thank you for your help. I have done a repair install and all seems to be well at this point.
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Excellent work! Topic marked solved. :)