Security risk detected: Trojan.Zeroaccess (Symantec Endpoint Protection)

By TheeAngel
Jun 11, 2012
  1. Symantec keeps generating a notification that Trojan.Zeroaccess security risk has been detected.

    File: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U\80000000.@
    Location: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U

    How can I remove the virus and/or stop these notifications?

    Running Microsoft Windows 7 Enterprise SP1 (64-bit)
  2. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. TheeAngel

    TheeAngel Newcomer, in training Topic Starter

    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.06.12.01
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 8.0.7601.17514
    kclark4 :: WGC1W77CH6BS1 [administrator]
    Protection: Enabled
    6/11/2012 8:48:54 PM
    mbam-log-2012-06-11 (20-53-43).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 318063
    Time elapsed: 3 minute(s), 24 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 4
    HKCR\bho_project.bho_object (Trojan.BHO) -> No action taken.
    HKCR\bho_project.bho_object.1 (Trojan.BHO) -> No action taken.
    HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> No action taken.
    HKLM\SOFTWARE\Google\Chrome\Extensions\kincjchfokkeneeofpeefomkikfkiedl (PUP.FCTPlugin) -> No action taken.
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 3
    HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 1
    C:\Windows\e3298ujdamdashdhdsaud.exe (Trojan.Agent) -> No action taken.
    (end)
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7601.17514
    Run by kclark4 at 20:21:11 on 2012-06-11
    Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.8149.4294 [GMT -4:00]
    .
    AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\IDT\WDM\STacSV64.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\IDT\WDM\AESTSr64.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\ehost.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files\Ford Motor Company\BLHealthMon\BLHealthMon.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\1E\NightWatchman50\NwmSvc.exe
    C:\Windows\system32\DRIVERS\o2flash.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
    c:\Program Files (x86)\1E\WakeUp\Agent\WakeUpAgt.exe
    C:\Program Files\Ford Motor Company\WSL Reduced Login Client Extension\WSL_RLCE_SERVICE.EXE
    C:\Windows\SysWOW64\CCM\CcmExec.exe
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\Smc.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\sysWOW64\wbem\wmiprvse.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files\Siemens\Teamcenter8.3\Visualization\Program\VisFastStart.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
    C:\Program Files (x86)\eRoom 7\ERClient7.exe
    C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
    C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe
    C:\Program Files (x86)\WebEx\Productivity Tools\PTIM.exe
    C:\Program Files (x86)\WebEx\Productivity Tools\ptSrv.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\1E\NightWatchman50\NWMCLI.EXE
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\vpc.exe
    svchost.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\sysWOW64\wbem\wmiprvse.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Windows\splwow64.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\svchost.exe -k regsvc
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SymCorpUI.exe
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\SmcGui.exe
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ProtectionUtilSurrogate.exe
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SavUI.exe
    C:\Windows\system32\SearchProtocolHost.exe
    \\.\globalroot\systemroot\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U
    C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://blekkosearch.mystart.com/blekkotb_soc/?source=a545ea26&toolbarid=blekkotb_soc&u=D9B1F38B6CDF1F67A8EA014FD689E956&tbp=homepage&v=2_0
    uDefault_Page_URL = hxxp://www.at.ford.com
    uInternet Settings,ProxyOverride = <local>
    mWinlogon: Userinit=userinit.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: VideoFileDownload: {5c2e8e24-2f41-4958-921e-5a41da19cfd6} - C:\Program Files (x86)\OApps\bho_project.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\bin\IPS\IPSBHO.DLL
    BHO: Blekko search bar: {7d9e1adc-7db1-4eaf-b6c7-7e062074e6be} - C:\Program Files (x86)\blekkotb_soc\blekkotb_019X.dll
    BHO: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre1.6.0_22\bin\jp2ssv.dll
    TB: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
    TB: Blekko search bar: {7d9e1adc-7db1-4eaf-b6c7-7e062074e6be} - C:\Program Files (x86)\blekkotb_soc\blekkotb_019X.dll
    uRun: [CheckXPMstate] C:\Program Files\Ford\XPM\XPM_Utility.exe VMreset off
    uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
    uRun: [SPMTray] "C:\Program Files (x86)\PC Speed Maximizer\SPMTray.exe"
    mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    mRun: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe" /fromrunkey
    mRun: [PTIM.exe] C:\Program Files (x86)\WebEx\Productivity Tools\PTIM.exe
    mRun: [Anti-phishing Domain Advisor] "C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe"
    dRun: [CommunicatorInit] C:\PROGRA~1\Ford\MS Communicator\utl\setcmusr.vbs
    uExplorerRun: [Nico Mak Computing] C:\Users\kclark4\AppData\Roaming\231106.exe
    StartupFolder: C:\Users\kclark4\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MONITO~1.LNK - C:\Program Files (x86)\eRoom 7\ERClient7.exe
    StartupFolder: C:\Users\kclark4\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
    uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 1 (0x1)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    mPolicies-system: HideFastUserSwitching = 0 (0x0)
    mPolicies-system: HideShutdownScripts = 0 (0x0)
    dPolicies-explorer: NoWindowsUpdate = 1 (0x1)
    dPolicies-explorer: HideSCAHealth = 1 (0x1)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
    DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
    DPF: {255221B5-28F5-4493-ACBA-E6D5F6124C47} - hxxps://web.efdvs.ford.com/vsp_common/web_lib/VSP.CAB
    DPF: {5D7D1AA9-D525-4D90-AF8D-CD152E33117D} - hxxps://web.efdvs.ford.com/vsp_common/web_lib/SOTree.CAB
    DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://f1.ford.com/eRoomSetup/client.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{16889E1A-A047-4D35-867E-648498100E87} : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{FEDD1143-0622-497F-85CB-F96681FCD0E5} : DhcpNameServer = 192.168.0.1
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    Notify: SEP - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll
    mASetup: {26A24AE4-039D-4CA4-87B4-2F83216022FF} - C:\Program Files (x86)\Java\jre1.6.0_22\bin\jreupdpol.exe
    mASetup: >{A7D3870D-9B1A-4F2A-B563-A4E8A637A58F} - "C:\Program Files\Ford\IBMHOD\UserCfg.exe"
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: VideoFileDownload: {5C2E8E24-2F41-4958-921E-5A41DA19CFD6} - C:\Program Files (x86)\OApps\bho_project.dll
    BHO-X64: BHO_PROJECT - No File
    BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\bin\IPS\IPSBHO.DLL
    BHO-X64: Symantec Intrusion Prevention - No File
    BHO-X64: Blekko search bar: {7d9e1adc-7db1-4eaf-b6c7-7e062074e6be} - C:\Program Files (x86)\blekkotb_soc\blekkotb_019X.dll
    BHO-X64: Blekko search bar - No File
    BHO-X64: WebEx Productivity Tools: {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.6.0_22\bin\jp2ssv.dll
    TB-X64: WebEx Productivity Tools: {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
    TB-X64: Blekko search bar: {7d9e1adc-7db1-4eaf-b6c7-7e062074e6be} - C:\Program Files (x86)\blekkotb_soc\blekkotb_019X.dll
    mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    mRun-x64: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe" /fromrunkey
    mRun-x64: [PTIM.exe] C:\Program Files (x86)\WebEx\Productivity Tools\PTIM.exe
    mRun-x64: [Anti-phishing Domain Advisor] "C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe"
    IE-X64: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\Windows\system32\DRIVERS\stdcfltn.sys --> C:\Windows\system32\DRIVERS\stdcfltn.sys [?]
    R0 SymDS;Symantec Data Store;C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMDS64.SYS --> C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMDS64.SYS [?]
    R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMEFA64.SYS --> C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMEFA64.SYS [?]
    R1 BHDrvx64;BHDrvx64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20120517.011\BHDrvx64.sys [2012-5-24 1160824]
    R1 ehost_;ehost_;\??\C:\Windows\system32\ehost_.sys --> C:\Windows\system32\ehost_.sys [?]
    R1 IDSVia64;IDSVia64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20120608.001\IDSviA64.sys [2012-6-11 488568]
    R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\Ironx64.SYS --> C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\Ironx64.SYS [?]
    R1 SYMNETS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMNETS.SYS --> C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMNETS.SYS [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-4-18 89600]
    R2 ehost;ehost;C:\Windows\system32\ehost.exe -s -l 2289 --> C:\Windows\system32\ehost.exe -s -l 2289 [?]
    R2 HLTHMON;Bitlocker Health Monitor Service;C:\Program Files\Ford Motor Company\BLHealthMon\BLHealthMon.exe [2012-1-23 9216]
    R2 NightWatchman50;NightWatchman50;C:\Program Files\1E\NightWatchman50\NwmSvc.exe [2010-3-4 1355096]
    R2 NwmSleepless;NwmSleepless;C:\Windows\system32\DRIVERS\NwmSleepless64.sys --> C:\Windows\system32\DRIVERS\NwmSleepless64.sys [?]
    R2 SepMasterService;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe [2011-8-2 137224]
    R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-5-5 583360]
    R2 WakeUpAgt;1E WakeUp Agent;C:\Program Files (x86)\1E\WakeUp\Agent\WakeUpAgt.exe [2011-7-4 275792]
    R2 WSL_RLCE;WSL Reduced Logon Service;C:\Program Files\Ford Motor Company\WSL Reduced Login Client Extension\WSL_RLCE_SERVICE.EXE [2010-8-12 43008]
    R3 Acceler;Accelerometer Service;C:\Windows\system32\DRIVERS\Accelern.sys --> C:\Windows\system32\DRIVERS\Accelern.sys [?]
    R3 cvusbdrv;Dell ControlVault;C:\Windows\system32\Drivers\cvusbdrv.sys --> C:\Windows\system32\Drivers\cvusbdrv.sys [?]
    R3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;C:\Windows\system32\DRIVERS\e1c62x64.sys --> C:\Windows\system32\DRIVERS\e1c62x64.sys [?]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-6-2 138912]
    R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
    R3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
    R3 O2MDRRDR;O2MDRRDR;C:\Windows\system32\DRIVERS\O2MDRw7x64.sys --> C:\Windows\system32\DRIVERS\O2MDRw7x64.sys [?]
    R3 O2SDJRDR;O2SDJRDR;C:\Windows\system32\DRIVERS\o2sdjw7x64.sys --> C:\Windows\system32\DRIVERS\o2sdjw7x64.sys [?]
    R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-5-18 257696]
    S3 dc21x4vm;dc21x4vm;C:\Windows\system32\DRIVERS\dc21x4vm.sys --> C:\Windows\system32\DRIVERS\dc21x4vm.sys [?]
    S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
    S3 O2MDFRDR;O2MDFRDR;C:\Windows\system32\drivers\O2MDFw7x64.sys --> C:\Windows\system32\drivers\O2MDFw7x64.sys [?]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 SyDvCtrl;SyDvCtrl;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\SyDvCtrl64.sys [2011-8-2 29664]
    S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;C:\Windows\system32\drivers\Synth3dVsc.sys --> C:\Windows\system32\drivers\Synth3dVsc.sys [?]
    S3 SynthVid;SynthVid;C:\Windows\system32\DRIVERS\VMBusVideoM.sys --> C:\Windows\system32\DRIVERS\VMBusVideoM.sys [?]
    S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\system32\drivers\terminpt.sys --> C:\Windows\system32\drivers\terminpt.sys [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
    S3 tsusbhub;Remote Deskotop USB Hub;C:\Windows\system32\drivers\tsusbhub.sys --> C:\Windows\system32\drivers\tsusbhub.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-06-12 00:15:20 -------- d-----w- C:\Program Files (x86)\Free Download Manager
    2012-06-12 00:14:59 -------- d-----w- C:\Users\kclark4\AppData\Local\antiphishing-vmninternethelper1_1dn
    2012-06-12 00:14:59 -------- d-----w- C:\ProgramData\Anti-phishing Domain Advisor
    2012-06-12 00:14:52 -------- d-----w- C:\Program Files (x86)\OApps
    2012-06-12 00:14:46 -------- d-----w- C:\ProgramData\blekko toolbars
    2012-06-12 00:14:33 -------- d-----w- C:\Program Files (x86)\blekkotb_soc
    2012-06-11 19:23:58 -------- d-----w- C:\Users\kclark4\Teamcenter
    2012-06-11 19:20:13 -------- d-----w- C:\Windows\System32\appmgmt
    2012-06-11 14:00:53 -------- d-----w- C:\Users\kclark4\FCCCache_VSEM
    2012-06-02 23:30:15 -------- d-sh--w- C:\Windows\System32\%APPDATA%
    2012-06-02 23:29:35 69632 ----a-w- C:\Windows\e3298ujdamdashdhdsaud.exe
    2012-06-02 23:27:45 -------- d-----w- C:\ProgramData\B7E858A7000FC4DA0B8814DCB4EB2331
    2012-06-02 23:26:34 142848 --sha-w- C:\Users\kclark4\AppData\Roaming\bgcos.dll
    2012-05-27 21:10:01 -------- d-----w- C:\Program Files\Microsoft IntelliPoint
    2012-05-27 19:22:54 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2012-05-27 19:20:18 3146240 ----a-w- C:\Windows\System32\win32k.sys
    2012-05-27 19:20:17 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2012-05-27 19:20:17 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2012-05-27 19:20:17 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2012-05-27 19:19:00 1544704 ----a-w- C:\Windows\System32\DWrite.dll
    2012-05-27 19:19:00 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
    2012-05-27 19:17:39 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
    2012-05-27 19:17:39 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
    2012-05-27 19:17:39 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
    2012-05-27 19:17:38 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
    2012-05-27 19:17:37 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
    2012-05-27 19:17:27 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys
    2012-05-21 16:08:26 -------- d-----w- C:\Users\kclark4\AppData\Local\WebEx
    2012-05-19 00:59:22 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    .
    ==================== Find3M ====================
    .
    2012-05-19 00:59:22 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-05-08 00:56:18 237 ----a-w- C:\Windows\wpd99.drv
    2012-05-08 00:55:31 40448 ----a-w- C:\Windows\SysWow64\pdf995mon64.dll
    2012-04-23 23:15:06 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
    2012-04-23 23:14:31 58288 ----a-w- C:\Windows\SysWow64\snacnp.dll
    2012-04-23 23:14:31 58288 ----a-w- C:\Windows\System32\snacnp.dll
    2012-04-23 23:14:31 513456 ----a-w- C:\Windows\System32\sysfer.dll
    2012-04-23 23:14:31 42632 ----a-w- C:\Windows\System32\drivers\WGX64.SYS
    2012-04-23 23:14:31 374704 ----a-w- C:\Windows\SysWow64\sysfer.dll
    2012-04-23 23:14:31 287152 ----a-w- C:\Windows\System32\SymVPN.dll
    2012-04-23 23:14:31 147632 ----a-w- C:\Windows\System32\drivers\SysPlant.sys
    2012-04-23 23:14:31 11184 ----a-w- C:\Windows\System32\sysferThunk.dll
    2012-04-23 23:14:31 10672 ----a-w- C:\Windows\SysWow64\sysferThunk.dll
    2012-04-23 23:14:31 102832 ----a-w- C:\Windows\SysWow64\FwsVpn.dll
    .
    ============= FINISH: 20:21:51.78 ===============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Enterprise
    Boot Device: \Device\HarddiskVolume2
    Install Date: 4/18/2012 5:08:59 PM
    System Uptime: 6/11/2012 6:32:57 PM (2 hours ago)
    .
    Motherboard: Dell Inc. | | 0J4TFW
    Processor: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz | CPU 1 | 2501/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 465 GiB total, 379.11 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
    PNP Device ID: ROOT\NET\0000
    Service: vpnva
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    .
    <No Name>
    1E WakeUp Agent
    Adobe Reader 9.5.0
    Adobe Reader Extended Language Support Font Pack
    Adobe Shockwave Player 11.6
    Anti-phishing Domain Advisor
    Blekko search bar
    C3png Configure Package fna
    C3PNG P2.1 Teamcenter Fides Manager PRI F225.257 Updates
    C3PNGTAG:pDCLOC1:Central:\\ECC9010116\c3png_p2
    CA Clarity PPM Microsoft Project Interface
    CA Clarity PPM Schedule Connect
    Chinese Simplified Fonts Support For Adobe Reader 9
    Chinese Traditional Fonts Support For Adobe Reader 9
    Cisco AnyConnect VPN Client
    Cisco WebEx Document Loader
    Cisco WebEx Meeting Center for Internet Explorer
    Configuration Manager Client
    Diagnostic Engineering Tool
    eFDVS 3.1.26
    eRoom 7 Client
    Ford IE8 Update v02
    Ford IE8 Update v03
    Ford NetCom MAVS Analysis
    Ford PC Move Utility
    FordFonts
    HelpInfo
    Hotfix for Microsoft Outlook 2010 (KB2475877)
    Intel PROSet Wireless
    Intrepid Control Systems RP1210B
    Japanese Fonts Support For Adobe Reader 9
    Java(TM) 6 Update 22
    Korean Fonts Support For Adobe Reader 9
    Live Security Platinum
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Communicator 2007 R2
    Microsoft Office Communicator 2007 R2, MUI
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Project 2007 Service Pack 2 (SP2)
    Microsoft Office Project MUI (English) 2007
    Microsoft Office Project Professional 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Visio Viewer 2007
    Microsoft Office Word MUI (English) 2010
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.5026
    OmniFormat 10.5
    Pdf995 11.16
    PdfEdit995 10.8
    RSA SecurID Software Token
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Signature995 10.1
    SLS VB Version 2.4.0.3
    Spelling Dictionaries Support For Adobe Reader 9
    UGS Teamcenter RAC Visualization 2007
    Vehicle Spy 3 Setup
    VideoFileDownload
    VSEM1.5_Customizations
    VSEM1.5_Teamcenter_8.1.2.2
    WebEx
    WebEx Productivity Tools
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/7/2012 7:54:22 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {1CCB96F4-B8AD-4B43-9688-B273F58E0910} and APPID {AD65A69D-3831-40D7-9629-9B0B50A93843} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    6/7/2012 1:41:07 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    6/6/2012 9:07:39 AM, Error: Microsoft-Windows-GroupPolicy [1054] - The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
    6/6/2012 9:07:28 AM, Error: Microsoft-Windows-GroupPolicy [1110] - The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.
    6/11/2012 6:36:22 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} and APPID {B292921D-AF50-400C-9B75-0C57A7F29BA1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    6/11/2012 6:34:59 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {F80A8D57-D338-43FF-A5E6-5D093EA80775} and APPID {AD65A69D-3831-40D7-9629-9B0B50A93843} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    6/11/2012 6:33:56 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
    6/11/2012 6:33:56 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
    6/11/2012 6:33:38 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
    6/11/2012 6:33:21 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: luafv omci
    6/11/2012 6:33:17 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    6/11/2012 6:33:17 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    6/11/2012 6:33:16 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    6/11/2012 6:33:16 PM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain FORDNA1 due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
    .
    ==== End Of File ===========================
  4. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Your MBAM log says "No action taken".
    Re-run it, FIX all issues and post a new log.
    I still need GMER log.
  5. TheeAngel

    TheeAngel Newcomer, in training Topic Starter

    I ran Malware multiple times and I did delete all the files that were quarantined. Posting all the log files in order (oldest to newest). Also GMER returned no results. I didn't see a file to save, but I'm trying again. As I think GMER requires me to disconnect from the internet, I'll post this now, then execute GMER, then repost the results.

    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.06.12.01
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 8.0.7601.17514
    kclark4 :: WGC1W77CH6BS1 [administrator]
    Protection: Enabled
    6/11/2012 8:48:54 PM
    mbam-log-2012-06-11 (20-48-54).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 318063
    Time elapsed: 3 minute(s), 24 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 4
    HKLM\SOFTWARE\Google\Chrome\Extensions\kincjchfokkeneeofpeefomkikfkiedl (PUP.FCTPlugin) -> No action taken.
    HKCR\bho_project.bho_object (Trojan.BHO) -> Quarantined and deleted successfully.
    HKCR\bho_project.bho_object.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 3
    HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 1
    C:\Windows\e3298ujdamdashdhdsaud.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    (end)

    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.06.12.01
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 8.0.7601.17514
    kclark4 :: WGC1W77CH6BS1 [administrator]
    Protection: Enabled
    6/11/2012 9:02:44 PM
    mbam-log-2012-06-11 (21-02-44).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 315643
    Time elapsed: 1 minute(s), 4 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 1
    HKLM\SOFTWARE\Google\Chrome\Extensions\kincjchfokkeneeofpeefomkikfkiedl (PUP.FCTPlugin) -> Quarantined and deleted successfully.
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)

    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.06.12.01
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 8.0.7601.17514
    kclark4 :: WGC1W77CH6BS1 [administrator]
    Protection: Enabled
    6/11/2012 9:46:19 PM
    mbam-log-2012-06-11 (21-46-19).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 315538
    Time elapsed: 1 minute(s), 25 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)

    2012/06/11 20:48:43 -0400 WGC1W77CH6BS1 kclark4 MESSAGE Starting protection
    2012/06/11 20:48:45 -0400 WGC1W77CH6BS1 kclark4 MESSAGE Protection started successfully
    2012/06/11 20:48:48 -0400 WGC1W77CH6BS1 kclark4 MESSAGE Starting IP protection
    2012/06/11 20:48:48 -0400 WGC1W77CH6BS1 kclark4 ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753
    2012/06/11 20:55:28 -0400 WGC1W77CH6BS1 kclark4 MESSAGE Executing scheduled update: Daily
    2012/06/11 20:55:29 -0400 WGC1W77CH6BS1 kclark4 MESSAGE Database already up-to-date
  6. TheeAngel

    TheeAngel Newcomer, in training Topic Starter

    I reran GMER and the feedback indicated nothing was found. I hit the save button anyway, but the notepad file was blank, so I didn't attach it.
  7. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    =====================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
  8. TheeAngel

    TheeAngel Newcomer, in training Topic Starter

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com
    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Enterprise Edition Service Pack 1 (build 7601),
    64-bit
    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00100000
    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Controlled by rootkit!
    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]

    Done;
    Press any key to quit...

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-06-12 05:05:18
    -----------------------------
    05:05:18.717 OS Version: Windows x64 6.1.7601 Service Pack 1
    05:05:18.717 Number of processors: 4 586 0x2A07
    05:05:18.717 ComputerName: WGC1W77CH6BS1 UserName: kclark4
    05:05:22.149 Initialize success
    05:10:37.952 AVAST engine defs: 12061200
    05:11:27.872 The log file has been saved successfully to "C:\Users\kclark4\Desktop\aswMBR.txt"

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-06-12 05:16:22
    -----------------------------
    05:16:22.460 OS Version: Windows x64 6.1.7601 Service Pack 1
    05:16:22.460 Number of processors: 4 586 0x2A07
    05:16:22.470 ComputerName: WGC1W77CH6BS1 UserName: kclark4
    05:16:34.160 Initialize success
    05:16:42.345 AVAST engine defs: 12061200
    05:16:46.585 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    05:16:46.595 Disk 0 Vendor: ST950042 0003 Size: 476940MB BusType: 8
    05:16:46.625 Disk 0 MBR read successfully
    05:16:46.625 Disk 0 MBR scan
    05:16:46.625 Disk 0 Windows 7 default MBR code
    05:16:46.645 Disk 0 Partition 1 00 07 HPFS/NTFS 476638 MB offset 2048
    05:16:47.015 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 299 MB offset 976158720
    05:16:47.065 Disk 0 scanning C:\Windows\system32\drivers
    05:16:47.065 Service scanning
    05:17:34.340 Modules scanning
    05:17:34.371 Disk 0 trace - called modules:
    05:17:34.403 ntoskrnl.exe CLASSPNP.SYS disk.sys stdcfltn.sys iaStor.sys hal.dll
    05:17:34.403 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8009388060]
    05:17:34.403 3 CLASSPNP.SYS[fffff88001a0143f] -> nt!IofCallDriver -> [0xfffffa80091cdcb0]
    05:17:34.418 5 stdcfltn.sys[fffff88001d32c52] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80080e5050]
    05:18:00.517 AVAST engine scan C:\Windows
    05:18:01.593 AVAST engine scan C:\Windows\system32
    05:18:01.703 AVAST engine scan C:\Windows\system32\drivers
    05:18:01.718 AVAST engine scan C:\Users\kclark4
    05:18:01.718 AVAST engine scan C:\ProgramData
    05:18:01.718 Scan finished successfully
    05:18:02.763 Disk 0 MBR has been saved successfully to "C:\Users\kclark4\Desktop\MBR.dat"
    05:18:02.779 The log file has been saved successfully to "C:\Users\kclark4\Desktop\aswMBR.txt"
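The MBR.dat that aswMBR saved is the raw first sector of the disk, which is what Bootkit Remover reports as rootkit-controlled and aswMBR reports as default Windows 7 code. One way to sanity-check that saved sector offline (an added example, not code from this thread or from either tool): parse the partition table, check the active flag and for overlapping or out-of-range partitions, compare the table with the layout the scanners printed for this disk, and hash the 0x1B8-byte boot-code region that TDSSKiller labels in its log. The disk size and partition entries are the figures from the scanner logs in this thread; the sample MBR bytes are constructed, and the reference hash is a placeholder.

```python
"""Sanity-check a saved MBR sector (e.g. aswMBR's MBR.dat) against the
partition layout the scanners reported.  Added example; not from the thread."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
BOOTCODE_LEN = 0x1B8          # boot code region, up to the 4-byte disk signature
PART_TABLE_OFF = 0x1BE        # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xAA"   # at offset 510

# Figures taken from the scanner logs in this thread (drive size reported by
# TDSSKiller, partition entries reported by aswMBR and TDSSKiller).
DISK_SECTORS = 0x7470C06000 // SECTOR            # 0x3A386030 sectors
EXPECTED_TABLE: List[Tuple[int, int, int]] = [   # (type, start LBA, sector count)
    (0x07, 0x800, 0x3A2EF030),
    (0x07, 0x3A2F0000, 0x95800),
]
# Placeholder: replace with the hash of a known-good Windows 7 MBR from a clean machine.
REFERENCE_BOOTCODE_MD5 = "<known-good-mbr-md5-placeholder>"


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    num_sectors: int


def parse_mbr(mbr: bytes) -> List[PartitionEntry]:
    """Return the non-empty partition entries; raise ValueError on a malformed sector."""
    if len(mbr) < SECTOR:
        raise ValueError(f"need {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("0x55AA boot signature missing")
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                      # unused slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte 0x{status:02X}")
        entries.append(PartitionEntry(i, status == 0x80, ptype, start, count))
    return entries


def bootcode_md5(mbr: bytes) -> str:
    """MD5 of the first 0x1B8 bytes, the region TDSSKiller labels 'MBR (0x1B8)' in its log."""
    return hashlib.md5(mbr[:BOOTCODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, disk_sectors: int, expected: List[Tuple[int, int, int]]) -> List[str]:
    """Return a list of findings; an empty list means the table looks as reported."""
    try:
        parts = parse_mbr(mbr)
    except ValueError as exc:
        return [f"malformed MBR: {exc}"]
    findings = []
    active = [p.index for p in parts if p.bootable]
    if len(active) != 1:
        findings.append(f"expected one active partition, found {len(active)}: {active}")
    by_start = sorted(parts, key=lambda p: p.start_lba)
    for a, b in zip(by_start, by_start[1:]):
        if a.start_lba + a.num_sectors > b.start_lba:
            findings.append(f"partition {a.index} overlaps partition {b.index}")
    for p in parts:
        if p.start_lba + p.num_sectors > disk_sectors:
            findings.append(f"partition {p.index} runs past the end of the disk")
    seen = [(p.type_id, p.start_lba, p.num_sectors) for p in parts]
    if seen != list(expected):
        findings.append(f"partition table differs from the scanner report: {seen}")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR with the layout above; the boot code bytes are filler."""
    mbr = bytearray(SECTOR)
    mbr[:BOOTCODE_LEN] = (bytes(range(256)) * 2)[:BOOTCODE_LEN]
    mbr[BOOTCODE_LEN:BOOTCODE_LEN + 4] = b"\x12\x34\x56\x78"   # constructed disk signature
    for i, (ptype, start, count) in enumerate(EXPECTED_TABLE):
        bootable = 0x80 if i == 1 else 0x00   # aswMBR showed partition 2 flagged 80 (active)
        entry = struct.pack("<B3sB3sII", bootable, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", start, count)
        mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    import sys
    # Pass the path to MBR.dat to check a real sector; otherwise the constructed sample is used.
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else build_sample_mbr()
    digest = bootcode_md5(data)
    print("boot code md5:", digest, "(matches reference)" if digest == REFERENCE_BOOTCODE_MD5 else "(no reference match)")
    for p in parse_mbr(data):
        print(f"  entry {p.index}: {'active' if p.bootable else 'inactive'} type 0x{p.type_id:02X} "
              f"start {p.start_lba:#x} sectors {p.num_sectors:#x}")
    print("findings:", check_mbr(data, DISK_SECTORS, EXPECTED_TABLE) or "none")
```

A clean partition table does not rule out a bootkit, since the boot code itself can be replaced while the table stays intact; that is why the hash of the 0x1B8-byte region is compared against a reference from a known-clean machine as well.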
  9. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  10. TheeAngel

    TheeAngel Newcomer, in training Topic Starter

    No problems found by TDSSKiller. Report attached below.

    06:34:15.0990 2316 TDSS rootkit removing tool 2.7.36.0 May 21 2012 16:40:16
    06:34:16.0380 2316 ============================================================
    06:34:16.0380 2316 Current date / time: 2012/06/13 06:34:16.0380
    06:34:16.0380 2316 SystemInfo:
    06:34:16.0380 2316
    06:34:16.0380 2316 OS Version: 6.1.7601 ServicePack: 1.0
    06:34:16.0380 2316 Product type: Workstation
    06:34:16.0380 2316 ComputerName: WGC1W77CH6BS1
    06:34:16.0395 2316 UserName: kclark4
    06:34:16.0395 2316 Windows directory: C:\Windows
    06:34:16.0395 2316 System windows directory: C:\Windows
    06:34:16.0395 2316 Running under WOW64
    06:34:16.0395 2316 Processor architecture: Intel x64
    06:34:16.0395 2316 Number of processors: 4
    06:34:16.0395 2316 Page size: 0x1000
    06:34:16.0395 2316 Boot type: Normal boot
    06:34:16.0395 2316 ============================================================
    06:34:16.0879 2316 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
    06:34:16.0895 2316 ============================================================
    06:34:16.0895 2316 \Device\Harddisk0\DR0:
    06:34:16.0895 2316 MBR partitions:
    06:34:16.0895 2316 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x3A2EF030
    06:34:16.0895 2316 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3A2F0000, BlocksNum 0x95800
    06:34:16.0895 2316 ============================================================
    06:34:16.0895 2316 C: <-> \Device\Harddisk0\DR0\Partition0
    06:34:16.0895 2316 ============================================================
    06:34:16.0895 2316 Initialize success
    06:34:16.0895 2316 ============================================================
    06:34:19.0625 6032 ============================================================
    06:34:19.0625 6032 Scan started
    06:34:19.0625 6032 Mode: Manual;
    06:34:19.0625 6032 ============================================================
    06:34:21.0247 6032 1394ohci - ok
    06:34:21.0247 6032 Acceler - ok
    06:34:21.0263 6032 ACPI - ok
    06:34:21.0278 6032 AcpiPmi - ok
    06:34:21.0309 6032 AdobeFlashPlayerUpdateSvc - ok
    06:34:21.0309 6032 adp94xx - ok
    06:34:21.0325 6032 adpahci - ok
    06:34:21.0341 6032 adpu320 - ok
    06:34:21.0341 6032 AeLookupSvc - ok
    06:34:21.0372 6032 AESTFilters - ok
    06:34:21.0387 6032 AFD - ok
    06:34:21.0387 6032 agp440 - ok
    06:34:21.0403 6032 ALG - ok
    06:34:21.0403 6032 aliide - ok
    06:34:21.0419 6032 amdide - ok
    06:34:21.0434 6032 AmdK8 - ok
    06:34:21.0434 6032 AmdPPM - ok
    06:34:21.0434 6032 amdsata - ok
    06:34:21.0450 6032 amdsbs - ok
    06:34:21.0450 6032 amdxata - ok
    06:34:21.0465 6032 ApfiltrService - ok
    06:34:21.0481 6032 AppID - ok
    06:34:21.0481 6032 AppIDSvc - ok
    06:34:21.0497 6032 Appinfo - ok
    06:34:21.0512 6032 AppMgmt - ok
    06:34:21.0512 6032 arc - ok
    06:34:21.0512 6032 arcsas - ok
    06:34:21.0528 6032 aspnet_state - ok
    06:34:21.0543 6032 AsyncMac - ok
    06:34:21.0559 6032 atapi - ok
    06:34:21.0575 6032 AudioEndpointBuilder - ok
    06:34:21.0575 6032 AudioSrv - ok
    06:34:21.0590 6032 AxInstSV - ok
    06:34:21.0606 6032 b06bdrv - ok
    06:34:21.0606 6032 b57nd60a - ok
    06:34:21.0606 6032 BDESVC - ok
    06:34:21.0621 6032 Beep - ok
    06:34:21.0621 6032 BHDrvx64 - ok
    06:34:21.0621 6032 BITS - ok
    06:34:21.0621 6032 blbdrive - ok
    06:34:21.0621 6032 bowser - ok
    06:34:21.0637 6032 BrFiltLo - ok
    06:34:21.0637 6032 BrFiltUp - ok
    06:34:21.0637 6032 Browser - ok
    06:34:21.0637 6032 Brserid - ok
    06:34:21.0653 6032 BrSerWdm - ok
    06:34:21.0653 6032 BrUsbMdm - ok
    06:34:21.0653 6032 BrUsbSer - ok
    06:34:21.0653 6032 BTHMODEM - ok
    06:34:21.0668 6032 bthserv - ok
    06:34:21.0668 6032 CcmExec - ok
    06:34:21.0668 6032 cdfs - ok
    06:34:21.0668 6032 cdrom - ok
    06:34:21.0668 6032 CertPropSvc - ok
    06:34:21.0684 6032 circlass - ok
    06:34:21.0684 6032 CLFS - ok
    06:34:21.0684 6032 clr_optimization_v2.0.50727_32 - ok
    06:34:21.0684 6032 clr_optimization_v2.0.50727_64 - ok
    06:34:21.0684 6032 clr_optimization_v4.0.30319_32 - ok
    06:34:21.0699 6032 clr_optimization_v4.0.30319_64 - ok
    06:34:21.0699 6032 CmBatt - ok
    06:34:21.0699 6032 cmdide - ok
    06:34:21.0699 6032 CNG - ok
    06:34:21.0699 6032 Compbatt - ok
    06:34:21.0715 6032 CompositeBus - ok
    06:34:21.0715 6032 COMSysApp - ok
    06:34:21.0715 6032 crcdisk - ok
    06:34:21.0715 6032 CryptSvc - ok
    06:34:21.0715 6032 CSC - ok
    06:34:21.0715 6032 CscService - ok
    06:34:21.0731 6032 cvusbdrv - ok
    06:34:21.0731 6032 dc21x4vm - ok
    06:34:21.0731 6032 dc3d - ok
    06:34:21.0746 6032 DcomLaunch - ok
    06:34:21.0746 6032 defragsvc - ok
    06:34:21.0746 6032 DfsC - ok
    06:34:21.0746 6032 Dhcp - ok
    06:34:21.0762 6032 discache - ok
    06:34:21.0762 6032 Disk - ok
    06:34:21.0762 6032 dmvsc - ok
    06:34:21.0762 6032 Dnscache - ok
    06:34:21.0762 6032 dot3svc - ok
    06:34:21.0777 6032 DPS - ok
    06:34:21.0777 6032 drmkaud - ok
    06:34:21.0777 6032 DXGKrnl - ok
    06:34:21.0777 6032 e1cexpress - ok
    06:34:21.0777 6032 EapHost - ok
    06:34:21.0777 6032 ebdrv - ok
    06:34:21.0793 6032 eeCtrl - ok
    06:34:21.0793 6032 EFS - ok
    06:34:21.0809 6032 ehost - ok
    06:34:21.0809 6032 ehost_ - ok
    06:34:21.0809 6032 ehRecvr - ok
    06:34:21.0809 6032 ehSched - ok
    06:34:21.0809 6032 elxstor - ok
    06:34:21.0824 6032 EraserUtilRebootDrv - ok
    06:34:21.0824 6032 ErrDev - ok
    06:34:21.0840 6032 EventSystem - ok
    06:34:21.0855 6032 EvtEng - ok
    06:34:21.0855 6032 exfat - ok
    06:34:21.0855 6032 fastfat - ok
    06:34:21.0855 6032 Fax - ok
    06:34:21.0855 6032 fdc - ok
    06:34:21.0855 6032 fdPHost - ok
    06:34:21.0855 6032 FDResPub - ok
    06:34:21.0871 6032 FileInfo - ok
    06:34:21.0871 6032 Filetrace - ok
    06:34:21.0871 6032 flpydisk - ok
    06:34:21.0871 6032 FltMgr - ok
    06:34:21.0871 6032 FontCache - ok
    06:34:21.0871 6032 FontCache3.0.0.0 - ok
    06:34:21.0887 6032 FsDepends - ok
    06:34:21.0887 6032 Fs_Rec - ok
    06:34:21.0887 6032 FTDIBUS - ok
    06:34:21.0887 6032 FTSER2K - ok
    06:34:21.0887 6032 fvevol - ok
    06:34:21.0902 6032 gagp30kx - ok
    06:34:21.0902 6032 gpsvc - ok
    06:34:21.0902 6032 hcw85cir - ok
    06:34:21.0902 6032 HDAudBus - ok
    06:34:21.0902 6032 HidBatt - ok
    06:34:21.0902 6032 HidBth - ok
    06:34:21.0918 6032 HidIr - ok
    06:34:21.0918 6032 hidserv - ok
    06:34:21.0918 6032 HidUsb - ok
    06:34:21.0918 6032 hkmsvc - ok
    06:34:21.0949 6032 HLTHMON - ok
    06:34:21.0949 6032 HomeGroupListener - ok
    06:34:21.0949 6032 HomeGroupProvider - ok
    06:34:21.0949 6032 HpSAMD - ok
    06:34:21.0949 6032 HTTP - ok
    06:34:21.0949 6032 hwpolicy - ok
    06:34:21.0949 6032 i8042prt - ok
    06:34:21.0965 6032 iaStor - ok
    06:34:21.0965 6032 iaStorV - ok
    06:34:21.0965 6032 IDriverT - ok
    06:34:21.0965 6032 idsvc - ok
    06:34:21.0980 6032 IDSVia64 - ok
    06:34:21.0980 6032 iirsp - ok
    06:34:21.0980 6032 IKEEXT - ok
    06:34:21.0980 6032 intelide - ok
    06:34:21.0980 6032 intelppm - ok
    06:34:21.0996 6032 IPBusEnum - ok
    06:34:21.0996 6032 IpFilterDriver - ok
    06:34:21.0996 6032 IPMIDRV - ok
    06:34:21.0996 6032 IPNAT - ok
    06:34:21.0996 6032 IRENUM - ok
    06:34:21.0996 6032 isapnp - ok
    06:34:22.0011 6032 iScsiPrt - ok
    06:34:22.0011 6032 kbdclass - ok
    06:34:22.0011 6032 kbdhid - ok
    06:34:22.0011 6032 KeyIso - ok
    06:34:22.0011 6032 KSecDD - ok
    06:34:22.0011 6032 KSecPkg - ok
    06:34:22.0027 6032 ksthunk - ok
    06:34:22.0027 6032 KtmRm - ok
    06:34:22.0027 6032 LanmanServer - ok
    06:34:22.0027 6032 LanmanWorkstation - ok
    06:34:22.0027 6032 lltdio - ok
    06:34:22.0043 6032 lltdsvc - ok
    06:34:22.0043 6032 lmhosts - ok
    06:34:22.0043 6032 LSI_FC - ok
    06:34:22.0043 6032 LSI_SAS - ok
    06:34:22.0058 6032 LSI_SAS2 - ok
    06:34:22.0058 6032 LSI_SCSI - ok
    06:34:22.0058 6032 luafv - ok
    06:34:22.0089 6032 MBAMProtector - ok
    06:34:22.0105 6032 MBAMService - ok
    06:34:22.0121 6032 Mcx2Svc - ok
    06:34:22.0121 6032 megasas - ok
    06:34:22.0121 6032 MegaSR - ok
    06:34:22.0136 6032 MEIx64 - ok
    06:34:22.0136 6032 MMCSS - ok
    06:34:22.0152 6032 Modem - ok
    06:34:22.0152 6032 monitor - ok
    06:34:22.0152 6032 mouclass - ok
    06:34:22.0152 6032 mouhid - ok
    06:34:22.0167 6032 mountmgr - ok
    06:34:22.0167 6032 mpio - ok
    06:34:22.0167 6032 mpsdrv - ok
    06:34:22.0183 6032 MRxDAV - ok
    06:34:22.0183 6032 mrxsmb - ok
    06:34:22.0183 6032 mrxsmb10 - ok
    06:34:22.0183 6032 mrxsmb20 - ok
    06:34:22.0183 6032 msahci - ok
    06:34:22.0183 6032 msdsm - ok
    06:34:22.0199 6032 MSDTC - ok
    06:34:22.0199 6032 Msfs - ok
    06:34:22.0199 6032 mshidkmdf - ok
    06:34:22.0199 6032 msisadrv - ok
    06:34:22.0214 6032 MSiSCSI - ok
    06:34:22.0214 6032 msiserver - ok
    06:34:22.0214 6032 MSKSSRV - ok
    06:34:22.0214 6032 MSPCLOCK - ok
    06:34:22.0214 6032 MSPQM - ok
    06:34:22.0230 6032 MsRPC - ok
    06:34:22.0230 6032 mssmbios - ok
    06:34:22.0230 6032 MSTEE - ok
    06:34:22.0230 6032 MTConfig - ok
    06:34:22.0230 6032 Mup - ok
    06:34:22.0245 6032 napagent - ok
    06:34:22.0261 6032 NativeWifiP - ok
    06:34:22.0261 6032 NAVENG - ok
    06:34:22.0261 6032 NAVEX15 - ok
    06:34:22.0277 6032 NDIS - ok
    06:34:22.0277 6032 NdisCap - ok
    06:34:22.0277 6032 NdisTapi - ok
    06:34:22.0277 6032 Ndisuio - ok
    06:34:22.0277 6032 NdisWan - ok
    06:34:22.0277 6032 NDProxy - ok
    06:34:22.0292 6032 Net Driver HPZ12 - ok
    06:34:22.0292 6032 NetBIOS - ok
    06:34:22.0292 6032 NetBT - ok
    06:34:22.0292 6032 Netlogon - ok
    06:34:22.0308 6032 Netman - ok
    06:34:22.0308 6032 netprofm - ok
    06:34:22.0308 6032 NetTcpPortSharing - ok
    06:34:22.0308 6032 NETwNs64 - ok
    06:34:22.0323 6032 nfrd960 - ok
    06:34:22.0323 6032 NightWatchman50 - ok
    06:34:22.0323 6032 NlaSvc - ok
    06:34:22.0323 6032 Npfs - ok
    06:34:22.0323 6032 nsi - ok
    06:34:22.0323 6032 nsiproxy - ok
    06:34:22.0339 6032 Ntfs - ok
    06:34:22.0339 6032 Null - ok
    06:34:22.0339 6032 NVHDA - ok
    06:34:22.0339 6032 nvlddmkm - ok
    06:34:22.0339 6032 nvraid - ok
    06:34:22.0355 6032 nvstor - ok
    06:34:22.0355 6032 NVSvc - ok
    06:34:22.0355 6032 nv_agp - ok
    06:34:22.0355 6032 NwmSleepless - ok
    06:34:22.0355 6032 O2FLASH - ok
    06:34:22.0370 6032 O2MDFRDR - ok
    06:34:22.0370 6032 O2MDRRDR - ok
    06:34:22.0370 6032 O2SDJRDR - ok
    06:34:22.0370 6032 odserv - ok
    06:34:22.0370 6032 ohci1394 - ok
    06:34:22.0401 6032 omci - ok
    06:34:22.0417 6032 ose - ok
    06:34:22.0417 6032 osppsvc - ok
    06:34:22.0433 6032 p2pimsvc - ok
    06:34:22.0433 6032 p2psvc - ok
    06:34:22.0448 6032 Parport - ok
    06:34:22.0448 6032 partmgr - ok
    06:34:22.0448 6032 PcaSvc - ok
    06:34:22.0464 6032 pci - ok
    06:34:22.0464 6032 pciide - ok
    06:34:22.0479 6032 pcmcia - ok
    06:34:22.0479 6032 pcw - ok
    06:34:22.0479 6032 PEAUTH - ok
    06:34:22.0479 6032 PeerDistSvc - ok
    06:34:22.0495 6032 PerfHost - ok
    06:34:22.0495 6032 pla - ok
    06:34:22.0511 6032 PlugPlay - ok
    06:34:22.0526 6032 Pml Driver HPZ12 - ok
    06:34:22.0526 6032 PNRPAutoReg - ok
    06:34:22.0526 6032 PNRPsvc - ok
    06:34:22.0526 6032 Point64 - ok
    06:34:22.0526 6032 PolicyAgent - ok
    06:34:22.0542 6032 Power - ok
    06:34:22.0542 6032 PptpMiniport - ok
    06:34:22.0542 6032 prepdrvr - ok
    06:34:22.0542 6032 Processor - ok
    06:34:22.0542 6032 ProfSvc - ok
    06:34:22.0557 6032 ProtectedStorage - ok
    06:34:22.0557 6032 Psched - ok
    06:34:22.0573 6032 ql2300 - ok
    06:34:22.0573 6032 ql40xx - ok
    06:34:22.0573 6032 QWAVE - ok
    06:34:22.0573 6032 QWAVEdrv - ok
    06:34:22.0573 6032 RasAcd - ok
    06:34:22.0573 6032 RasAgileVpn - ok
    06:34:22.0573 6032 RasAuto - ok
    06:34:22.0589 6032 Rasl2tp - ok
    06:34:22.0589 6032 RasMan - ok
    06:34:22.0589 6032 RasPppoe - ok
    06:34:22.0589 6032 RasSstp - ok
    06:34:22.0589 6032 rdbss - ok
    06:34:22.0604 6032 rdpbus - ok
    06:34:22.0604 6032 RDPCDD - ok
    06:34:22.0604 6032 RDPDR - ok
    06:34:22.0604 6032 RDPENCDD - ok
    06:34:22.0620 6032 RDPREFMP - ok
    06:34:22.0620 6032 RdpVideoMiniport - ok
    06:34:22.0620 6032 RDPWD - ok
    06:34:22.0620 6032 rdyboost - ok
    06:34:22.0620 6032 RegSrvc - ok
    06:34:22.0635 6032 RemoteAccess - ok
    06:34:22.0635 6032 RemoteRegistry - ok
    06:34:22.0635 6032 RpcEptMapper - ok
    06:34:22.0635 6032 RpcLocator - ok
    06:34:22.0635 6032 RpcSs - ok
    06:34:22.0651 6032 rspndr - ok
    06:34:22.0651 6032 s3cap - ok
    06:34:22.0651 6032 SamSs - ok
    06:34:22.0651 6032 sbp2port - ok
    06:34:22.0651 6032 SCardSvr - ok
    06:34:22.0667 6032 scfilter - ok
    06:34:22.0667 6032 Schedule - ok
    06:34:22.0667 6032 SCPolicySvc - ok
    06:34:22.0667 6032 SDRSVC - ok
    06:34:22.0667 6032 secdrv - ok
    06:34:22.0667 6032 seclogon - ok
    06:34:22.0682 6032 SENS - ok
    06:34:22.0682 6032 SensrSvc - ok
    06:34:22.0682 6032 SepMasterService - ok
    06:34:22.0682 6032 Serenum - ok
    06:34:22.0682 6032 Serial - ok
    06:34:22.0698 6032 sermouse - ok
    06:34:22.0698 6032 SessionEnv - ok
    06:34:22.0698 6032 sffdisk - ok
    06:34:22.0698 6032 sffp_mmc - ok
    06:34:22.0713 6032 sffp_sd - ok
    06:34:22.0713 6032 sfloppy - ok
    06:34:22.0713 6032 ShellHWDetection - ok
    06:34:22.0713 6032 SiSRaid2 - ok
    06:34:22.0713 6032 SiSRaid4 - ok
    06:34:22.0713 6032 Smb - ok
    06:34:22.0729 6032 SmcService - ok
    06:34:22.0729 6032 smstsmgr - ok
    06:34:22.0745 6032 SNAC - ok
    06:34:22.0745 6032 SNMPTRAP - ok
    06:34:22.0745 6032 spldr - ok
    06:34:22.0745 6032 Spooler - ok
    06:34:22.0745 6032 sppsvc - ok
    06:34:22.0745 6032 sppuinotify - ok
    06:34:22.0760 6032 SRTSP - ok
    06:34:22.0760 6032 SRTSPX - ok
    06:34:22.0760 6032 srv - ok
    06:34:22.0760 6032 srv2 - ok
    06:34:22.0760 6032 srvnet - ok
    06:34:22.0760 6032 SSDPSRV - ok
    06:34:22.0776 6032 SstpSvc - ok
    06:34:22.0776 6032 STacSV - ok
    06:34:22.0776 6032 stdcfltn - ok
    06:34:22.0776 6032 stexstor - ok
    06:34:22.0791 6032 STHDA - ok
    06:34:22.0791 6032 stisvc - ok
    06:34:22.0791 6032 StorSvc - ok
    06:34:22.0807 6032 storvsc - ok
    06:34:22.0807 6032 swenum - ok
    06:34:22.0807 6032 swprv - ok
    06:34:22.0823 6032 SyDvCtrl - ok
    06:34:22.0823 6032 SymDS - ok
    06:34:22.0823 6032 SymEFA - ok
    06:34:22.0838 6032 SymEvent - ok
    06:34:22.0838 6032 SymIRON - ok
    06:34:22.0854 6032 SYMNETS - ok
    06:34:22.0854 6032 Synth3dVsc - ok
    06:34:22.0854 6032 SynthVid - ok
    06:34:22.0869 6032 SynTP - ok
    06:34:22.0869 6032 SysMain - ok
    06:34:22.0869 6032 SysPlant - ok
    06:34:22.0869 6032 TabletInputService - ok
    06:34:22.0869 6032 TapiSrv - ok
    06:34:22.0869 6032 TBS - ok
    06:34:22.0885 6032 Tcpip - ok
    06:34:22.0885 6032 TCPIP6 - ok
    06:34:22.0885 6032 tcpipreg - ok
    06:34:22.0885 6032 TDPIPE - ok
    06:34:22.0885 6032 TDTCP - ok
    06:34:22.0901 6032 tdx - ok
    06:34:22.0901 6032 Teefer2 - ok
    06:34:22.0901 6032 TermDD - ok
    06:34:22.0901 6032 terminpt - ok
    06:34:22.0901 6032 TermService - ok
    06:34:22.0901 6032 Themes - ok
    06:34:22.0916 6032 THREADORDER - ok
    06:34:22.0916 6032 TPM - ok
    06:34:22.0916 6032 TrkWks - ok
    06:34:22.0916 6032 TrustedInstaller - ok
    06:34:22.0916 6032 tssecsrv - ok
    06:34:22.0932 6032 TsUsbFlt - ok
    06:34:22.0932 6032 TsUsbGD - ok
    06:34:22.0932 6032 tsusbhub - ok
    06:34:22.0932 6032 tunnel - ok
    06:34:22.0932 6032 uagp35 - ok
    06:34:22.0932 6032 udfs - ok
    06:34:22.0947 6032 UI0Detect - ok
    06:34:22.0947 6032 uliagpkx - ok
    06:34:22.0947 6032 umbus - ok
    06:34:22.0947 6032 UmPass - ok
    06:34:22.0947 6032 UmRdpService - ok
    06:34:22.0947 6032 upnphost - ok
    06:34:22.0963 6032 usbccgp - ok
    06:34:22.0963 6032 usbcir - ok
    06:34:22.0963 6032 usbehci - ok
    06:34:22.0963 6032 usbhub - ok
    06:34:22.0963 6032 usbohci - ok
    06:34:22.0963 6032 usbprint - ok
    06:34:22.0963 6032 USBSTOR - ok
    06:34:22.0979 6032 usbuhci - ok
    06:34:22.0979 6032 UxSms - ok
    06:34:22.0979 6032 VaultSvc - ok
    06:34:22.0979 6032 vdrvroot - ok
    06:34:22.0979 6032 vds - ok
    06:34:22.0979 6032 vga - ok
    06:34:22.0994 6032 VgaSave - ok
    06:34:22.0994 6032 VGPU - ok
    06:34:22.0994 6032 vhdmp - ok
    06:34:22.0994 6032 viaide - ok
    06:34:22.0994 6032 VMBusHID - ok
    06:34:22.0994 6032 volmgr - ok
    06:34:22.0994 6032 volmgrx - ok
    06:34:23.0010 6032 volsnap - ok
    06:34:23.0025 6032 vpcbus - ok
    06:34:23.0025 6032 vpcnfltr - ok
    06:34:23.0025 6032 vpcusb - ok
    06:34:23.0041 6032 vpcvmm - ok
    06:34:23.0041 6032 vpnagent - ok
    06:34:23.0041 6032 vpnva - ok
    06:34:23.0041 6032 vsmraid - ok
    06:34:23.0041 6032 VSS - ok
    06:34:23.0057 6032 vwifibus - ok
    06:34:23.0057 6032 vwififlt - ok
    06:34:23.0057 6032 vwifimp - ok
    06:34:23.0057 6032 W32Time - ok
    06:34:23.0057 6032 WacomPen - ok
    06:34:23.0057 6032 WakeUpAgt - ok
    06:34:23.0072 6032 WANARP - ok
    06:34:23.0072 6032 Wanarpv6 - ok
    06:34:23.0072 6032 WatAdminSvc - ok
    06:34:23.0072 6032 wbengine - ok
    06:34:23.0072 6032 WbioSrvc - ok
    06:34:23.0072 6032 wcncsvc - ok
    06:34:23.0088 6032 WcsPlugInService - ok
    06:34:23.0088 6032 Wd - ok
    06:34:23.0088 6032 Wdf01000 - ok
    06:34:23.0088 6032 WdiServiceHost - ok
    06:34:23.0088 6032 WdiSystemHost - ok
    06:34:23.0088 6032 WebClient - ok
    06:34:23.0103 6032 Wecsvc - ok
    06:34:23.0103 6032 wercplsupport - ok
    06:34:23.0103 6032 WerSvc - ok
    06:34:23.0103 6032 WfpLwf - ok
    06:34:23.0103 6032 WIMMount - ok
    06:34:23.0103 6032 WinHttpAutoProxySvc - ok
    06:34:23.0119 6032 Winmgmt - ok
    06:34:23.0119 6032 WinRM - ok
    06:34:23.0119 6032 WinUsb - ok
    06:34:23.0119 6032 Wlansvc - ok
    06:34:23.0119 6032 WmiAcpi - ok
    06:34:23.0135 6032 wmiApSrv - ok
    06:34:23.0135 6032 WMPNetworkSvc - ok
    06:34:23.0135 6032 WPCSvc - ok
    06:34:23.0135 6032 WPDBusEnum - ok
    06:34:23.0135 6032 ws2ifsl - ok
    06:34:23.0135 6032 WSearch - ok
    06:34:23.0150 6032 WSL_RLCE - ok
    06:34:23.0150 6032 wuauserv - ok
    06:34:23.0150 6032 WudfPf - ok
    06:34:23.0150 6032 WUDFRd - ok
    06:34:23.0150 6032 wudfsvc - ok
    06:34:23.0166 6032 WwanSvc - ok
    06:34:23.0166 6032 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
    06:34:23.0447 6032 \Device\Harddisk0\DR0 - ok
    06:34:23.0478 6032 Boot (0x1200) (c5304d066c7abbb4612068846f7b716c) \Device\Harddisk0\DR0\Partition0
    06:34:23.0493 6032 \Device\Harddisk0\DR0\Partition0 - ok
    06:34:23.0493 6032 Boot (0x1200) (640ac2ec034c9a515e3f7d6fcbc0dfe0) \Device\Harddisk0\DR0\Partition1
    06:34:23.0493 6032 \Device\Harddisk0\DR0\Partition1 - ok
    06:34:23.0493 6032 ============================================================
    06:34:23.0493 6032 Scan finished
    06:34:23.0493 6032 ============================================================
    06:34:23.0509 3244 Detected object count: 0
    06:34:23.0509 3244 Actual detected object count: 0
    06:34:51.0995 6032 ============================================================
    06:34:51.0995 6032 Scan started
    06:34:51.0995 6032 Mode: Manual;
    06:34:51.0995 6032 ============================================================
    06:34:52.0884 6032 1394ohci - ok
    06:34:52.0899 6032 Acceler - ok
    06:34:52.0899 6032 ACPI - ok
    06:34:52.0899 6032 AcpiPmi - ok
    06:34:52.0915 6032 AdobeFlashPlayerUpdateSvc - ok
    06:34:52.0915 6032 adp94xx - ok
    06:34:52.0915 6032 adpahci - ok
    06:34:52.0931 6032 adpu320 - ok
    06:34:52.0931 6032 AeLookupSvc - ok
    06:34:52.0931 6032 AESTFilters - ok
    06:34:52.0946 6032 AFD - ok
    06:34:52.0946 6032 agp440 - ok
    06:34:52.0946 6032 ALG - ok
    06:34:52.0946 6032 aliide - ok
    06:34:52.0962 6032 amdide - ok
    06:34:52.0962 6032 AmdK8 - ok
    06:34:52.0962 6032 AmdPPM - ok
    06:34:52.0962 6032 amdsata - ok
    06:34:52.0962 6032 amdsbs - ok
    06:34:52.0962 6032 amdxata - ok
    06:34:52.0977 6032 ApfiltrService - ok
    06:34:52.0977 6032 AppID - ok
    06:34:52.0977 6032 AppIDSvc - ok
    06:34:52.0977 6032 Appinfo - ok
    06:34:52.0977 6032 AppMgmt - ok
    06:34:52.0977 6032 arc - ok
    06:34:52.0993 6032 arcsas - ok
    06:34:52.0993 6032 aspnet_state - ok
    06:34:52.0993 6032 AsyncMac - ok
    06:34:52.0993 6032 atapi - ok
    06:34:52.0993 6032 AudioEndpointBuilder - ok
    06:34:53.0024 6032 AudioSrv - ok
    06:34:53.0024 6032 AxInstSV - ok
    06:34:53.0024 6032 b06bdrv - ok
    06:34:53.0024 6032 b57nd60a - ok
    06:34:53.0040 6032 BDESVC - ok
    06:34:53.0040 6032 Beep - ok
    06:34:53.0040 6032 BHDrvx64 - ok
    06:34:53.0040 6032 BITS - ok
    06:34:53.0040 6032 blbdrive - ok
    06:34:53.0055 6032 bowser - ok
    06:34:53.0055 6032 BrFiltLo - ok
    06:34:53.0055 6032 BrFiltUp - ok
    06:34:53.0055 6032 Browser - ok
    06:34:53.0055 6032 Brserid - ok
    06:34:53.0071 6032 BrSerWdm - ok
    06:34:53.0071 6032 BrUsbMdm - ok
    06:34:53.0071 6032 BrUsbSer - ok
    06:34:53.0071 6032 BTHMODEM - ok
    06:34:53.0087 6032 bthserv - ok
    06:34:53.0087 6032 CcmExec - ok
    06:34:53.0087 6032 cdfs - ok
    06:34:53.0087 6032 cdrom - ok
    06:34:53.0102 6032 CertPropSvc - ok
    06:34:53.0102 6032 circlass - ok
    06:34:53.0102 6032 CLFS - ok
    06:34:53.0102 6032 clr_optimization_v2.0.50727_32 - ok
    06:34:53.0118 6032 clr_optimization_v2.0.50727_64 - ok
    06:34:53.0118 6032 clr_optimization_v4.0.30319_32 - ok
    06:34:53.0118 6032 clr_optimization_v4.0.30319_64 - ok
    06:34:53.0118 6032 CmBatt - ok
    06:34:53.0118 6032 cmdide - ok
    06:34:53.0118 6032 CNG - ok
    06:34:53.0133 6032 Compbatt - ok
    06:34:53.0149 6032 CompositeBus - ok
    06:34:53.0149 6032 COMSysApp - ok
    06:34:53.0149 6032 crcdisk - ok
    06:34:53.0149 6032 CryptSvc - ok
    06:34:53.0149 6032 CSC - ok
    06:34:53.0165 6032 CscService - ok
    06:34:53.0165 6032 cvusbdrv - ok
    06:34:53.0165 6032 dc21x4vm - ok
    06:34:53.0180 6032 dc3d - ok
    06:34:53.0180 6032 DcomLaunch - ok
    06:34:53.0180 6032 defragsvc - ok
    06:34:53.0180 6032 DfsC - ok
    06:34:53.0196 6032 Dhcp - ok
    06:34:53.0196 6032 discache - ok
    06:34:53.0196 6032 Disk - ok
    06:34:53.0196 6032 dmvsc - ok
    06:34:53.0196 6032 Dnscache - ok
    06:34:53.0211 6032 dot3svc - ok
    06:34:53.0211 6032 DPS - ok
    06:34:53.0211 6032 drmkaud - ok
    06:34:53.0211 6032 DXGKrnl - ok
    06:34:53.0211 6032 e1cexpress - ok
    06:34:53.0227 6032 EapHost - ok
    06:34:53.0227 6032 ebdrv - ok
    06:34:53.0227 6032 eeCtrl - ok
    06:34:53.0227 6032 EFS - ok
    06:34:53.0227 6032 ehost - ok
    06:34:53.0243 6032 ehost_ - ok
    06:34:53.0243 6032 ehRecvr - ok
    06:34:53.0243 6032 ehSched - ok
    06:34:53.0243 6032 elxstor - ok
    06:34:53.0243 6032 EraserUtilRebootDrv - ok
    06:34:53.0243 6032 ErrDev - ok
    06:34:53.0258 6032 EventSystem - ok
    06:34:53.0258 6032 EvtEng - ok
    06:34:53.0258 6032 exfat - ok
    06:34:53.0258 6032 fastfat - ok
    06:34:53.0258 6032 Fax - ok
    06:34:53.0274 6032 fdc - ok
    06:34:53.0274 6032 fdPHost - ok
    06:34:53.0274 6032 FDResPub - ok
    06:34:53.0274 6032 FileInfo - ok
    06:34:53.0274 6032 Filetrace - ok
    06:34:53.0289 6032 flpydisk - ok
    06:34:53.0289 6032 FltMgr - ok
    06:34:53.0289 6032 FontCache - ok
    06:34:53.0305 6032 FontCache3.0.0.0 - ok
    06:34:53.0305 6032 FsDepends - ok
    06:34:53.0305 6032 Fs_Rec - ok
    06:34:53.0305 6032 FTDIBUS - ok
    06:34:53.0305 6032 FTSER2K - ok
    06:34:53.0321 6032 fvevol - ok
    06:34:53.0321 6032 gagp30kx - ok
    06:34:53.0321 6032 gpsvc - ok
    06:34:53.0321 6032 hcw85cir - ok
    06:34:53.0321 6032 HDAudBus - ok
    06:34:53.0336 6032 HidBatt - ok
    06:34:53.0336 6032 HidBth - ok
    06:34:53.0336 6032 HidIr - ok
    06:34:53.0336 6032 hidserv - ok
    06:34:53.0367 6032 HidUsb - ok
    06:34:53.0367 6032 hkmsvc - ok
    06:34:53.0383 6032 HLTHMON - ok
    06:34:53.0383 6032 HomeGroupListener - ok
    06:34:53.0383 6032 HomeGroupProvider - ok
    06:34:53.0383 6032 HpSAMD - ok
    06:34:53.0383 6032 HTTP - ok
    06:34:53.0399 6032 hwpolicy - ok
    06:34:53.0399 6032 i8042prt - ok
    06:34:53.0399 6032 iaStor - ok
    06:34:53.0399 6032 iaStorV - ok
    06:34:53.0399 6032 IDriverT - ok
    06:34:53.0414 6032 idsvc - ok
    06:34:53.0414 6032 IDSVia64 - ok
    06:34:53.0414 6032 iirsp - ok
    06:34:53.0414 6032 IKEEXT - ok
    06:34:53.0414 6032 intelide - ok
    06:34:53.0430 6032 intelppm - ok
    06:34:53.0430 6032 IPBusEnum - ok
    06:34:53.0430 6032 IpFilterDriver - ok
    06:34:53.0430 6032 IPMIDRV - ok
    06:34:53.0430 6032 IPNAT - ok
    06:34:53.0430 6032 IRENUM - ok
    06:34:53.0430 6032 isapnp - ok
    06:34:53.0445 6032 iScsiPrt - ok
    06:34:53.0445 6032 kbdclass - ok
    06:34:53.0445 6032 kbdhid - ok
    06:34:53.0445 6032 KeyIso - ok
    06:34:53.0445 6032 KSecDD - ok
    06:34:53.0461 6032 KSecPkg - ok
    06:34:53.0461 6032 ksthunk - ok
    06:34:53.0461 6032 KtmRm - ok
    06:34:53.0461 6032 LanmanServer - ok
    06:34:53.0461 6032 LanmanWorkstation - ok
    06:34:53.0477 6032 lltdio - ok
    06:34:53.0477 6032 lltdsvc - ok
    06:34:53.0477 6032 lmhosts - ok
    06:34:53.0477 6032 LSI_FC - ok
    06:34:53.0492 6032 LSI_SAS - ok
    06:34:53.0492 6032 LSI_SAS2 - ok
    06:34:53.0492 6032 LSI_SCSI - ok
    06:34:53.0492 6032 luafv - ok
    06:34:53.0492 6032 MBAMProtector - ok
    06:34:53.0508 6032 MBAMService - ok
    06:34:53.0508 6032 Mcx2Svc - ok
    06:34:53.0508 6032 megasas - ok
    06:34:53.0523 6032 MegaSR - ok
    06:34:53.0523 6032 MEIx64 - ok
    06:34:53.0523 6032 MMCSS - ok
    06:34:53.0523 6032 Modem - ok
    06:34:53.0523 6032 monitor - ok
    06:34:53.0539 6032 mouclass - ok
    06:34:53.0539 6032 mouhid - ok
    06:34:53.0539 6032 mountmgr - ok
    06:34:53.0539 6032 mpio - ok
    06:34:53.0555 6032 mpsdrv - ok
    06:34:53.0555 6032 MRxDAV - ok
    06:34:53.0555 6032 mrxsmb - ok
    06:34:53.0555 6032 mrxsmb10 - ok
    06:34:53.0555 6032 mrxsmb20 - ok
    06:34:53.0570 6032 msahci - ok
    06:34:53.0570 6032 msdsm - ok
    06:34:53.0570 6032 MSDTC - ok
    06:34:53.0570 6032 Msfs - ok
    06:34:53.0586 6032 mshidkmdf - ok
    06:34:53.0586 6032 msisadrv - ok
    06:34:53.0586 6032 MSiSCSI - ok
    06:34:53.0586 6032 msiserver - ok
    06:34:53.0586 6032 MSKSSRV - ok
    06:34:53.0601 6032 MSPCLOCK - ok
    06:34:53.0601 6032 MSPQM - ok
    06:34:53.0601 6032 MsRPC - ok
    06:34:53.0601 6032 mssmbios - ok
    06:34:53.0601 6032 MSTEE - ok
    06:34:53.0617 6032 MTConfig - ok
    06:34:53.0617 6032 Mup - ok
    06:34:53.0617 6032 napagent - ok
    06:34:53.0617 6032 NativeWifiP - ok
    06:34:53.0617 6032 NAVENG - ok
    06:34:53.0617 6032 NAVEX15 - ok
    06:34:53.0633 6032 NDIS - ok
    06:34:53.0633 6032 NdisCap - ok
    06:34:53.0633 6032 NdisTapi - ok
    06:34:53.0633 6032 Ndisuio - ok
    06:34:53.0633 6032 NdisWan - ok
    06:34:53.0648 6032 NDProxy - ok
    06:34:53.0648 6032 Net Driver HPZ12 - ok
    06:34:53.0648 6032 NetBIOS - ok
    06:34:53.0648 6032 NetBT - ok
    06:34:53.0648 6032 Netlogon - ok
    06:34:53.0664 6032 Netman - ok
    06:34:53.0664 6032 netprofm - ok
    06:34:53.0664 6032 NetTcpPortSharing - ok
    06:34:53.0664 6032 NETwNs64 - ok
    06:34:53.0664 6032 nfrd960 - ok
    06:34:53.0679 6032 NightWatchman50 - ok
    06:34:53.0679 6032 NlaSvc - ok
    06:34:53.0679 6032 Npfs - ok
    06:34:53.0679 6032 nsi - ok
    06:34:53.0679 6032 nsiproxy - ok
    06:34:53.0695 6032 Ntfs - ok
    06:34:53.0695 6032 Null - ok
    06:34:53.0695 6032 NVHDA - ok
    06:34:53.0695 6032 nvlddmkm - ok
    06:34:53.0711 6032 nvraid - ok
    06:34:53.0711 6032 nvstor - ok
    06:34:53.0711 6032 NVSvc - ok
    06:34:53.0711 6032 nv_agp - ok
    06:34:53.0711 6032 NwmSleepless - ok
    06:34:53.0711 6032 O2FLASH - ok
    06:34:53.0726 6032 O2MDFRDR - ok
    06:34:53.0726 6032 O2MDRRDR - ok
    06:34:53.0726 6032 O2SDJRDR - ok
    06:34:53.0726 6032 odserv - ok
    06:34:53.0726 6032 ohci1394 - ok
    06:34:53.0742 6032 omci - ok
    06:34:53.0742 6032 ose - ok
    06:34:53.0742 6032 osppsvc - ok
    06:34:53.0742 6032 p2pimsvc - ok
    06:34:53.0742 6032 p2psvc - ok
    06:34:53.0742 6032 Parport - ok
    06:34:53.0757 6032 partmgr - ok
    06:34:53.0757 6032 PcaSvc - ok
    06:34:53.0757 6032 pci - ok
    06:34:53.0757 6032 pciide - ok
    06:34:53.0757 6032 pcmcia - ok
    06:34:53.0773 6032 pcw - ok
    06:34:53.0773 6032 PEAUTH - ok
    06:34:53.0773 6032 PeerDistSvc - ok
    06:34:53.0773 6032 PerfHost - ok
    06:34:53.0789 6032 pla - ok
    06:34:53.0789 6032 PlugPlay - ok
    06:34:53.0789 6032 Pml Driver HPZ12 - ok
    06:34:53.0804 6032 PNRPAutoReg - ok
    06:34:53.0804 6032 PNRPsvc - ok
    06:34:53.0804 6032 Point64 - ok
    06:34:53.0804 6032 PolicyAgent - ok
    06:34:53.0804 6032 Power - ok
    06:34:53.0820 6032 PptpMiniport - ok
    06:34:53.0820 6032 prepdrvr - ok
    06:34:53.0820 6032 Processor - ok
    06:34:53.0820 6032 ProfSvc - ok
    06:34:53.0820 6032 ProtectedStorage - ok
    06:34:53.0835 6032 Psched - ok
    06:34:53.0835 6032 ql2300 - ok
    06:34:53.0835 6032 ql40xx - ok
    06:34:53.0835 6032 QWAVE - ok
    06:34:53.0835 6032 QWAVEdrv - ok
    06:34:53.0851 6032 RasAcd - ok
    06:34:53.0851 6032 RasAgileVpn - ok
    06:34:53.0851 6032 RasAuto - ok
    06:34:53.0851 6032 Rasl2tp - ok
    06:34:53.0851 6032 RasMan - ok
    06:34:53.0851 6032 RasPppoe - ok
    06:34:53.0867 6032 RasSstp - ok
    06:34:53.0867 6032 rdbss - ok
    06:34:53.0867 6032 rdpbus - ok
    06:34:53.0867 6032 RDPCDD - ok
    06:34:53.0882 6032 RDPDR - ok
    06:34:53.0882 6032 RDPENCDD - ok
    06:34:53.0882 6032 RDPREFMP - ok
    06:34:53.0882 6032 RdpVideoMiniport - ok
    06:34:53.0898 6032 RDPWD - ok
    06:34:53.0898 6032 rdyboost - ok
    06:34:53.0898 6032 RegSrvc - ok
    06:34:53.0898 6032 RemoteAccess - ok
    06:34:53.0898 6032 RemoteRegistry - ok
    06:34:53.0913 6032 RpcEptMapper - ok
    06:34:53.0913 6032 RpcLocator - ok
    06:34:53.0913 6032 RpcSs - ok
    06:34:53.0913 6032 rspndr - ok
    06:34:53.0913 6032 s3cap - ok
    06:34:53.0913 6032 SamSs - ok
    06:34:53.0929 6032 sbp2port - ok
    06:34:53.0929 6032 SCardSvr - ok
    06:34:53.0929 6032 scfilter - ok
    06:34:53.0929 6032 Schedule - ok
    06:34:53.0945 6032 SCPolicySvc - ok
    06:34:53.0945 6032 SDRSVC - ok
    06:34:53.0945 6032 secdrv - ok
    06:34:53.0945 6032 seclogon - ok
    06:34:53.0945 6032 SENS - ok
    06:34:53.0945 6032 SensrSvc - ok
    06:34:53.0960 6032 SepMasterService - ok
    06:34:53.0960 6032 Serenum - ok
    06:34:53.0960 6032 Serial - ok
    06:34:53.0960 6032 sermouse - ok
    06:34:53.0976 6032 SessionEnv - ok
    06:34:53.0976 6032 sffdisk - ok
    06:34:53.0976 6032 sffp_mmc - ok
    06:34:53.0976 6032 sffp_sd - ok
    06:34:53.0976 6032 sfloppy - ok
    06:34:53.0991 6032 ShellHWDetection - ok
    06:34:53.0991 6032 SiSRaid2 - ok
    06:34:53.0991 6032 SiSRaid4 - ok
    06:34:53.0991 6032 Smb - ok
    06:34:54.0007 6032 SmcService - ok
    06:34:54.0007 6032 smstsmgr - ok
    06:34:54.0007 6032 SNAC - ok
    06:34:54.0007 6032 SNMPTRAP - ok
    06:34:54.0023 6032 spldr - ok
    06:34:54.0023 6032 Spooler - ok
    06:34:54.0023 6032 sppsvc - ok
    06:34:54.0023 6032 sppuinotify - ok
    06:34:54.0023 6032 SRTSP - ok
    06:34:54.0038 6032 SRTSPX - ok
    06:34:54.0038 6032 srv - ok
    06:34:54.0038 6032 srv2 - ok
    06:34:54.0038 6032 srvnet - ok
    06:34:54.0038 6032 SSDPSRV - ok
    06:34:54.0054 6032 SstpSvc - ok
    06:34:54.0054 6032 STacSV - ok
    06:34:54.0054 6032 stdcfltn - ok
    06:34:54.0054 6032 stexstor - ok
    06:34:54.0054 6032 STHDA - ok
    06:34:54.0054 6032 stisvc - ok
    06:34:54.0069 6032 StorSvc - ok
    06:34:54.0069 6032 storvsc - ok
    06:34:54.0069 6032 swenum - ok
    06:34:54.0069 6032 swprv - ok
    06:34:54.0069 6032 SyDvCtrl - ok
    06:34:54.0085 6032 SymDS - ok
    06:34:54.0085 6032 SymEFA - ok
    06:34:54.0085 6032 SymEvent - ok
    06:34:54.0085 6032 SymIRON - ok
    06:34:54.0085 6032 SYMNETS - ok
    06:34:54.0101 6032 Synth3dVsc - ok
    06:34:54.0101 6032 SynthVid - ok
    06:34:54.0101 6032 SynTP - ok
    06:34:54.0101 6032 SysMain - ok
    06:34:54.0101 6032 SysPlant - ok
    06:34:54.0116 6032 TabletInputService - ok
    06:34:54.0116 6032 TapiSrv - ok
    06:34:54.0116 6032 TBS - ok
    06:34:54.0116 6032 Tcpip - ok
    06:34:54.0116 6032 TCPIP6 - ok
    06:34:54.0132 6032 tcpipreg - ok
    06:34:54.0132 6032 TDPIPE - ok
    06:34:54.0132 6032 TDTCP - ok
    06:34:54.0132 6032 tdx - ok
    06:34:54.0147 6032 Teefer2 - ok
    06:34:54.0147 6032 TermDD - ok
    06:34:54.0147 6032 terminpt - ok
    06:34:54.0147 6032 TermService - ok
    06:34:54.0147 6032 Themes - ok
    06:34:54.0163 6032 THREADORDER - ok
    06:34:54.0163 6032 TPM - ok
    06:34:54.0163 6032 TrkWks - ok
    06:34:54.0163 6032 TrustedInstaller - ok
    06:34:54.0163 6032 tssecsrv - ok
    06:34:54.0179 6032 TsUsbFlt - ok
    06:34:54.0179 6032 TsUsbGD - ok
    06:34:54.0179 6032 tsusbhub - ok
    06:34:54.0179 6032 tunnel - ok
    06:34:54.0179 6032 uagp35 - ok
    06:34:54.0194 6032 udfs - ok
    06:34:54.0194 6032 UI0Detect - ok
    06:34:54.0194 6032 uliagpkx - ok
    06:34:54.0210 6032 umbus - ok
    06:34:54.0210 6032 UmPass - ok
    06:34:54.0210 6032 UmRdpService - ok
    06:34:54.0210 6032 upnphost - ok
    06:34:54.0210 6032 usbccgp - ok
    06:34:54.0210 6032 usbcir - ok
    06:34:54.0225 6032 usbehci - ok
    06:34:54.0225 6032 usbhub - ok
    06:34:54.0225 6032 usbohci - ok
    06:34:54.0225 6032 usbprint - ok
    06:34:54.0225 6032 USBSTOR - ok
    06:34:54.0225 6032 usbuhci - ok
    06:34:54.0241 6032 UxSms - ok
    06:34:54.0241 6032 VaultSvc - ok
    06:34:54.0241 6032 vdrvroot - ok
    06:34:54.0241 6032 vds - ok
    06:34:54.0241 6032 vga - ok
    06:34:54.0257 6032 VgaSave - ok
    06:34:54.0257 6032 VGPU - ok
    06:34:54.0257 6032 vhdmp - ok
    06:34:54.0257 6032 viaide - ok
    06:34:54.0257 6032 VMBusHID - ok
    06:34:54.0272 6032 volmgr - ok
    06:34:54.0272 6032 volmgrx - ok
    06:34:54.0272 6032 volsnap - ok
    06:34:54.0272 6032 vpcbus - ok
    06:34:54.0272 6032 vpcnfltr - ok
    06:34:54.0288 6032 vpcusb - ok
    06:34:54.0288 6032 vpcvmm - ok
    06:34:54.0288 6032 vpnagent - ok
    06:34:54.0288 6032 vpnva - ok
    06:34:54.0288 6032 vsmraid - ok
    06:34:54.0303 6032 VSS - ok
    06:34:54.0303 6032 vwifibus - ok
    06:34:54.0303 6032 vwififlt - ok
    06:34:54.0303 6032 vwifimp - ok
    06:34:54.0303 6032 W32Time - ok
    06:34:54.0319 6032 WacomPen - ok
    06:34:54.0319 6032 WakeUpAgt - ok
    06:34:54.0319 6032 WANARP - ok
    06:34:54.0319 6032 Wanarpv6 - ok
    06:34:54.0319 6032 WatAdminSvc - ok
    06:34:54.0319 6032 wbengine - ok
    06:34:54.0319 6032 WbioSrvc - ok
    06:34:54.0335 6032 wcncsvc - ok
    06:34:54.0335 6032 WcsPlugInService - ok
    06:34:54.0335 6032 Wd - ok
    06:34:54.0335 6032 Wdf01000 - ok
    06:34:54.0335 6032 WdiServiceHost - ok
    06:34:54.0350 6032 WdiSystemHost - ok
    06:34:54.0350 6032 WebClient - ok
    06:34:54.0350 6032 Wecsvc - ok
    06:34:54.0350 6032 wercplsupport - ok
    06:34:54.0350 6032 WerSvc - ok
    06:34:54.0350 6032 WfpLwf - ok
    06:34:54.0366 6032 WIMMount - ok
    06:34:54.0366 6032 WinHttpAutoProxySvc - ok
    06:34:54.0366 6032 Winmgmt - ok
    06:34:54.0366 6032 WinRM - ok
    06:34:54.0366 6032 WinUsb - ok
    06:34:54.0381 6032 Wlansvc - ok
    06:34:54.0381 6032 WmiAcpi - ok
    06:34:54.0381 6032 wmiApSrv - ok
    06:34:54.0381 6032 WMPNetworkSvc - ok
    06:34:54.0381 6032 WPCSvc - ok
    06:34:54.0381 6032 WPDBusEnum - ok
    06:34:54.0397 6032 ws2ifsl - ok
    06:34:54.0397 6032 WSearch - ok
    06:34:54.0397 6032 WSL_RLCE - ok
    06:34:54.0397 6032 wuauserv - ok
    06:34:54.0397 6032 WudfPf - ok
    06:34:54.0397 6032 WUDFRd - ok
    06:34:54.0413 6032 wudfsvc - ok
    06:34:54.0413 6032 WwanSvc - ok
    06:34:54.0428 6032 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
    06:34:55.0177 6032 \Device\Harddisk0\DR0 - ok
    06:34:55.0224 6032 Boot (0x1200) (c5304d066c7abbb4612068846f7b716c) \Device\Harddisk0\DR0\Partition0
    06:34:55.0224 6032 \Device\Harddisk0\DR0\Partition0 - ok
    06:34:55.0255 6032 Boot (0x1200) (640ac2ec034c9a515e3f7d6fcbc0dfe0) \Device\Harddisk0\DR0\Partition1
    06:34:55.0255 6032 \Device\Harddisk0\DR0\Partition1 - ok
    06:34:55.0286 6032 ============================================================
    06:34:55.0286 6032 Scan finished
    06:34:55.0286 6032 ============================================================
    06:34:55.0286 4132 Detected object count: 0
    06:34:55.0286 4132 Actual detected object count: 0
  11. TheeAngel

    TheeAngel Newcomer, in training Topic Starter

    Also wanted to provide the full error message(s) received from Symantec Endpoint Detection Notification. It appears the same file keeps getting detected and deleted (by Symantec), then re-installed by the rogue program, as the same two notifications keep getting posted (5 notifications have popped up over the last 8 minutes or so, since I started working on this post).

    Symantec Endpoint Detection Notifications (pop up screens)

    ****** IF YOU KNOW THAT THIS FILE HAS BEEN ERRONEOUSLY QUARANTINED PLEASE CONTACT SPOC or LOCAL SUPPORT *****
    Action taken: Cleaned by Deletion
    Scan type: Auto-Protect Scan
    Event: Security Risk Found!
    Security risk detected: Trojan.Zeroaccess
    File: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U\80000000.@
    Location: Deleted or access blocked
    Computer: WGC1W77CH6BS1
    User: SYSTEM
    Date found: Wednesday, June 13, 2012 6:36:29 AM

    ****** IF YOU KNOW THAT THIS FILE HAS BEEN ERRONEOUSLY QUARANTINED PLEASE CONTACT SPOC or LOCAL SUPPORT *****
    Action taken: Pending Side Effects Analysis : Access denied
    Scan type: Auto-Protect Scan
    Event: Risk Found!
    Security risk detected: Trojan.Zeroaccess
    File: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U\80000000.@
    Location: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U
    Computer: WGC1W77CH6BS1
    User: SYSTEM
    Date found: Wednesday, June 13, 2012 6:39:59 AM

    ****** IF YOU KNOW THAT THIS FILE HAS BEEN ERRONEOUSLY QUARANTINED PLEASE CONTACT SPOC or LOCAL SUPPORT *****
    Action taken: Cleaned by Deletion
    Scan type: Auto-Protect Scan
    Event: Security Risk Found!
    Security risk detected: Trojan.Zeroaccess
    File: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U\80000000.@
    Location: Deleted or access blocked
    Computer: WGC1W77CH6BS1
    User: SYSTEM
    Date found: Wednesday, June 13, 2012 6:40:09 AM

    ****** IF YOU KNOW THAT THIS FILE HAS BEEN ERRONEOUSLY QUARANTINED PLEASE CONTACT SPOC or LOCAL SUPPORT *****
    Action taken: Pending Side Effects Analysis : Access denied
    Scan type: Auto-Protect Scan
    Event: Risk Found!
    Security risk detected: Trojan.Zeroaccess
    File: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U\80000000.@
    Location: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U
    Computer: WGC1W77CH6BS1
    User: SYSTEM
    Date found: Wednesday, June 13, 2012 6:44:33 AM

    ****** IF YOU KNOW THAT THIS FILE HAS BEEN ERRONEOUSLY QUARANTINED PLEASE CONTACT SPOC or LOCAL SUPPORT *****
    Action taken: Cleaned by Deletion
    Scan type: Auto-Protect Scan
    Event: Security Risk Found!
    Security risk detected: Trojan.Zeroaccess
    File: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U\80000000.@
    Location: Deleted or access blocked
    Computer: WGC1W77CH6BS1
    User: SYSTEM
    Date found: Wednesday, June 13, 2012 6:44:44 AM
     
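    The pattern in the five pop-ups above (cleaned by deletion, re-detected a few minutes later with "Access denied", cleaned again) is what a SOC would call a remediation loop: the on-access scanner keeps removing the dropped file while whatever re-creates it is never touched. The script below is an added example, not code from the original thread or from Symantec; it parses notifications in the quoted layout and flags any path that was removed and re-detected repeatedly inside a short window. The sample text is constructed from the pop-ups in this post, trimmed to the fields the parser uses; the 10-minute window, the two-cycle threshold and the set of actions treated as a removal (`Cleaned by Deletion`, `Quarantined`) are arbitrary triage settings, not SEP defaults.

```python
"""Spot an AV 'remediation loop' in Symantec Endpoint Protection pop-ups:
the same file is cleaned, re-detected minutes later, cleaned again.
Added example, not from the original thread. Window, cycle threshold and
the removal-action set below are assumptions, not product defaults."""
import re
from datetime import datetime

# Constructed sample, same layout as the quoted pop-ups, trimmed to the
# fields used here. Raw string: the path contains "\U", which a normal
# Python literal would try to read as a unicode escape.
SAMPLE_NOTIFICATIONS = r"""
****** IF YOU KNOW THAT THIS FILE HAS BEEN ERRONEOUSLY QUARANTINED PLEASE CONTACT SPOC or LOCAL SUPPORT *****
Action taken: Cleaned by Deletion
Security risk detected: Trojan.Zeroaccess
File: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U\80000000.@
Location: Deleted or access blocked
Date found: Wednesday, June 13, 2012 6:36:29 AM

Action taken: Pending Side Effects Analysis : Access denied
Security risk detected: Trojan.Zeroaccess
File: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U\80000000.@
Location: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U
Date found: Wednesday, June 13, 2012 6:39:59 AM

Action taken: Cleaned by Deletion
Security risk detected: Trojan.Zeroaccess
File: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U\80000000.@
Location: Deleted or access blocked
Date found: Wednesday, June 13, 2012 6:40:09 AM

Action taken: Pending Side Effects Analysis : Access denied
Security risk detected: Trojan.Zeroaccess
File: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U\80000000.@
Location: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U
Date found: Wednesday, June 13, 2012 6:44:33 AM

Action taken: Cleaned by Deletion
Security risk detected: Trojan.Zeroaccess
File: C:\Windows\Installer\{57369e81-f07e-70ff-5a12-67343e07a51c}\U\80000000.@
Location: Deleted or access blocked
Date found: Wednesday, June 13, 2012 6:44:44 AM
"""

DATE_FORMAT = "%A, %B %d, %Y %I:%M:%S %p"          # "Wednesday, June 13, 2012 6:36:29 AM"
REMOVAL_ACTIONS = {"Cleaned by Deletion", "Quarantined"}   # assumption: actions that remove the file


def parse_notifications(text):
    """One dict per pop-up, keyed by the 'Key: Value' labels, plus a parsed
    datetime under 'when'. Banner lines and non 'Key: Value' lines are skipped.
    Only the first ': ' splits, so 'Pending Side Effects Analysis : Access
    denied' survives intact as a value."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            if ": " in line and not line.startswith("*"):
                key, value = line.split(": ", 1)
                rec[key.strip()] = value.strip()
        if "File" in rec and "Date found" in rec:
            rec["when"] = datetime.strptime(rec["Date found"], DATE_FORMAT)
            records.append(rec)
    return records


def find_remediation_loops(records, window_seconds=600, min_cycles=2):
    """Group pop-ups by file path. A cycle is a removal followed by a later
    detection of the same path, i.e. the file came back. Report paths that
    cycled at least min_cycles times within window_seconds."""
    by_file = {}
    for rec in sorted(records, key=lambda r: r["when"]):
        by_file.setdefault(rec["File"], []).append(rec)

    loops = {}
    for path, events in by_file.items():
        cycles, removed = 0, False
        for ev in events:
            if ev.get("Action taken") in REMOVAL_ACTIONS:
                removed = True
            elif removed:
                cycles += 1            # detected again after being removed
                removed = False
        span = int((events[-1]["when"] - events[0]["when"]).total_seconds())
        if cycles >= min_cycles and span <= window_seconds:
            loops[path] = {
                "threat": events[0].get("Security risk detected", "?"),
                "cycles": cycles,
                "span_seconds": span,
                "last_action": events[-1].get("Action taken", "?"),
            }
    return loops


if __name__ == "__main__":
    for path, info in find_remediation_loops(parse_notifications(SAMPLE_NOTIFICATIONS)).items():
        print(f"{info['threat']}: {path}\n  re-created {info['cycles']}x in "
              f"{info['span_seconds']}s; last action: {info['last_action']}")
```

    On the sample this reports the `80000000.@` path as re-created twice in 495 seconds, which matches what the poster observed by eye. The point of automating it is the triage decision: a path that alternates between "Cleaned by Deletion" and "Access denied" within minutes is not five independent alerts, it is one live infection whose dropper the scanner never reaches, and the host should be isolated and handed to whoever owns the rebuild rather than left to generate pop-ups.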
  12. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  13. TheeAngel

    TheeAngel Newcomer, in training Topic Starter

    I tried to run Combofix, but was unable to disable Symantec (it's locked active). I also received a Combofix warning message about proceeding with Symantec active. The further I go, the more concerned I am that I might screw up my corporate PC performing these unauthorized actions. Better quit while I'm ahead and simply take the PC back to my company's IT department to have the computer restaged. Thanks again for all your time, as it's clear you know 100 times more than me about computers.

    Aside: If you have any ideas as to what may be causing this problem, let me know and I'll share it with our IT department. Also, if I learn anything from them about the problem, I'll bring it back to this forum.

    Thanks again!
  14. TheeAngel

    TheeAngel Newcomer, in training Topic Starter

    P.S. My corporate PC is prevented from booting in Safe Mode without a BitLocker password, so I'm unable to disable virus protection and/or perform some of the other directions provided via this forum. The company put this in place to prevent unauthorized users from viewing encrypted information off the hard drive.
  15. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Well, you'll have to talk to your IT people.
    There is not much I can do.

