Win32\ZAccess.EW infection


This topic is locked. 21 replies to this topic.

#1 Charlie929 (Members, 74 posts)

Posted 07 August 2012 - 08:19 PM

Total Defense detected this trojan and I keep getting pop-ups or a virus alert from Total Defense r12. I ran Malwarebytes and the TD anti-malware scans a few times. Removed a few things, but this pop-up alert is continuous. Shows it as quarantined, but when I delete the files they just come back. How do I rid the system of this? Windows 7 OS.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by charlie at 12:58:41 on 2012-08-08
Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.4046.1732 [GMT -4:00]
.
AV: Total Defense r12 *Enabled/Updated* {57B5C44D-AAB5-DBC9-741B-542BE5A132EA}
SP: Total Defense r12 *Enabled/Updated* {ECD425A9-8C8F-D447-4EAB-6F599E267857}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Total Defense r12 *Enabled* {6F8E4568-E0DA-DA91-5F44-FD1E1B727591}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\Hpservice.exe
C:\windows\system32\vcsFPService.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\CA\SharedComponents\AMS\win\x64\CAAMSvc.exe
C:\Program Files\CA\TotalDefense\EndPointClient\EndpointProtection\ccschedulersvc.exe
c:\Program Files\Hewlett-Packard\HP DayStarter\32-bit\HPDayStarterService.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe
c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe
c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxtcs.exe
C:\Program Files\CA\TotalDefense\EndPointClient\EndpointProtection\isafe.exe
C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\IfxPsdSv.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\CA\SharedComponents\Agent\TDAgent.exe
C:\Program Files\CA\Entitlement\ccprovsp.exe
C:\windows\SysWow64\ArcVCapRender\uArcCapture.exe
C:\Program Files\CA\SharedComponents\TMEngine\UmxEngine.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\windows\system32\SearchIndexer.exe
c:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\System32\svchost.exe -k secsvcs
C:\windows\system32\atieclxx.exe
C:\windows\system32\taskhost.exe
c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe
C:\Program Files\CA\TotalDefense\EndPointClient\EndpointProtection\catm.exe
C:\Program Files\CA\TotalDefense\EndPointClient\EndpointProtection\ccEvtMgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe
C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\coreshredder.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\HP HD Webcam [Fixed]\Monitor.exe
C:\windows\SysWOW64\RunDll32.exe
C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\datamngrUI.exe
c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\windows\sysWOW64\wbem\wmiprvse.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe
C:\windows\system32\DllHost.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe
C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpConnectionManager.exe
c:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\SDKCOMServer.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe
C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\WUDFHost.exe
C:\windows\system32\taskeng.exe
C:\windows\System32\svchost.exe -k swprv
C:\windows\system32\svchost.exe -k SDRSVC
C:\windows\system32\wbengine.exe
C:\windows\System32\vds.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\svchost.exe -k WerSvcGroup
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uDefault_Page_URL = hxxp://companyweb
mWinlogon: Userinit=userinit.exe,
BHO: File Sanitizer for HP ProtectTools: {3134413b-49b4-425c-98a5-893c1f195601} - C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\IEBHO.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: DataMngr: {b939cf93-f2cb-443d-956c-dc523d85c9db} - C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\BROWSE~1.DLL
BHO: Wincore Mediabar: {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\ToolBar\wincorebsdtx.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
TB: Wincore Mediabar: {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\ToolBar\wincorebsdtx.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [QLBController] C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe /start
mRun: [File Sanitizer] C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe
mRun: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [NUSB3MON] "c:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [HP HD Webcam [Fixed]_Monitor] C:\Program Files (x86)\HP HD Webcam [Fixed]\monitor.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [HPConnectionManager] c:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
mRun: [<NO NAME>]
mRun: [HPQuickWebProxy] "c:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe"
mRun: [IFXSPMGT] "c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe" /NotifyLogon
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [DATAMNGR] C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\DATAMN~1.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
LSP: C:\windows\system32\VetRedir.dll
Trusted Zone: service-filtration.com\dc.corp
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {0AFD9937-10D5-436F-9F2B-08BF61754446} - hxxps://dc.corp.service-filtration.com/crm70/Plugin/OTLTools.cab
DPF: {102FD995-E687-4C3F-8D81-E98BEA843F33} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE1700.OCX
DPF: {11201A08-45E3-463F-BDA8-038F24D0216C} - file:///C:/Program%20Files%20(x86)/Sage/Sage%20Accpac/AR56A/AccpacAR1500.ocx
DPF: {1DD916E1-3C0A-4B24-8FDC-947384362105} - file:///C:/Program%20Files%20(x86)/Sage/Sage%20Accpac/OE56A/AccpacOE2200.ocx
DPF: {20BC2824-4A3A-43E1-BD47-D745202CCEFF} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/AP56A/ACCPACAP1500.OCX
DPF: {226D14A9-2C2B-4FE7-AD1A-FCFE92154D83} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE1150.OCX
DPF: {3491E43E-9500-422F-8C0A-4E78929C31C3} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE2900.OCX
DPF: {34FA3366-277D-4E3D-96A3-6A4C8CC2CC3A} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/IC56A/ACCPACIC1130.OCX
DPF: {37AB9D4B-CCAE-4ABB-AB2F-B49A6051F125} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/IC56A/ACCPACIC4280.OCX
DPF: {40627C94-8738-4C73-8665-E3240AB40E5F} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/AS56A/ACCPACAS1000.OCX
DPF: {4A4AEF7D-CF4B-46F8-AE70-E6B33F3CDAF9} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/AP56A/ACCPACAP1200.OCX
DPF: {582BF555-F003-4246-BC84-2BE62DBDACD4} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE2400.OCX
DPF: {58F0DB8F-7692-408C-B5A3-60CA8F6EE9BD} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/IC56A/ACCPACIC1120.OCX
DPF: {68D62318-219F-48F4-B2FA-7446DE44617C} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/PO56A/ACCPACPO1210.OCX
DPF: {69386CF4-961C-4808-B35A-AD3B7B3F885F} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/IC56A/ACCPACIC1610.OCX
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {927813AD-A98E-4BBC-8A47-0FE4CA7D4FC7} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/IC56A/ACCPACIC1110.OCX
DPF: {A4B4AAFF-B753-49C5-AEFE-66F625E3D79D} - file:///C:/Program%20Files%20(x86)/Sage/Sage%20Accpac/OE56A/AccpacOE1900.ocx
DPF: {AE99C8EE-A516-4439-9158-7256EC30596C} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/IC56A/ACCPACIC1650.OCX
DPF: {B2829727-B96B-43D9-A9AD-9679EB5998D0} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/AP56A/ACCPACAP5102.OCX
DPF: {B45E39C0-99A5-40EC-BCEE-BB7D0EF9765A} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/AR56A/ACCPACAR1700.OCX
DPF: {B9961A44-766F-4406-9E63-5E83058DAF49} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/IC56A/ACCPACIC1150.OCX
DPF: {BD979773-9FFB-46C6-A309-67993BF774E9} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE2800.OCX
DPF: {C33FD450-9AC3-419B-A103-F326F1A9CCE7} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE1600.OCX
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CB8C45D4-9BFB-4A4A-83C3-0AE95073DE3E} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE1300.OCX
DPF: {DCD31444-B215-4DF4-9086-3F19E9B551AB} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE2000.OCX
DPF: {E258DB2E-CA12-4C5D-B866-987F24461A39} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE1200.OCX
DPF: {E8FF1787-BE1D-4DE7-A549-3FA1765059C7} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/AR56A/ACCPACAR1300.OCX
DPF: {E95A62BC-81AB-44D8-B9CB-8A7310FC2CD5} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/PO56A/ACCPACPO1310.OCX
DPF: {E965500C-2FDC-4EBC-80C3-3D2BCFAA7033} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE2500.OCX
DPF: {F95F49C2-28BA-4ED5-8E0D-6858D6AD7550} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE1100.OCX
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{15B88D23-82E6-43F6-8C86-61ACB28F8E03} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{15B88D23-82E6-43F6-8C86-61ACB28F8E03}\2456C6C634546403 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{15B88D23-82E6-43F6-8C86-61ACB28F8E03}\356434 : DhcpNameServer = 192.168.0.1
Notify: DeviceNP - DeviceNP.dll
Notify: PFW - UmxWnp.Dll
AppInit_DLLs: C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\datamngr.dll C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\IEBHO.dll UmxSbxExw.dll
LSA: Notification Packages = EpePcNp64 DPPassFilter scecli
BHO-X64: File Sanitizer for HP ProtectTools: {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\IEBHO.dll
BHO-X64: BHO_Startup - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: DataMngr: {B939CF93-F2CB-443d-956C-DC523D85C9DB} - C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\BROWSE~1.DLL
BHO-X64: Wincore Mediabar: {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\ToolBar\wincorebsdtx.dll
BHO-X64: Wincore Mediabar - No File
BHO-X64: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
TB-X64: Wincore Mediabar: {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\ToolBar\wincorebsdtx.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun-x64: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun-x64: [QLBController] C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe /start
mRun-x64: [File Sanitizer] C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe
mRun-x64: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [NUSB3MON] "c:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [HP HD Webcam [Fixed]_Monitor] C:\Program Files (x86)\HP HD Webcam [Fixed]\monitor.exe
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [HPConnectionManager] c:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
mRun-x64: [(Default)]
mRun-x64: [HPQuickWebProxy] "c:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe"
mRun-x64: [IFXSPMGT] "c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe" /NotifyLogon
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [DATAMNGR] C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\DATAMN~1.EXE
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
AppInit_DLLs-X64: C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\datamngr.dll C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\IEBHO.dll UmxSbxExw.dll
.
============= SERVICES / DRIVERS ===============
.
R0 KmxAMRT;KmxAMRT;C:\windows\system32\DRIVERS\KmxAMRT.sys --> C:\windows\system32\DRIVERS\KmxAMRT.sys [?]
R0 KmxFw;KmxFw;C:\windows\system32\DRIVERS\kmxfw.sys --> C:\windows\system32\DRIVERS\kmxfw.sys [?]
R0 MfeEpePc;MfeEpePc;C:\windows\system32\drivers\MfeEpePc.sys --> C:\windows\system32\drivers\MfeEpePc.sys [?]
R0 PxHlpa64;PxHlpa64;C:\windows\system32\Drivers\PxHlpa64.sys --> C:\windows\system32\Drivers\PxHlpa64.sys [?]
R1 KmxAgent;KmxAgent;C:\windows\system32\DRIVERS\kmxagent.sys --> C:\windows\system32\DRIVERS\kmxagent.sys [?]
R1 KmxCfg;KmxCfg;C:\windows\system32\DRIVERS\kmxcfg.sys --> C:\windows\system32\DRIVERS\kmxcfg.sys [?]
R1 KmxFile;KmxFile;C:\windows\system32\DRIVERS\KmxFile.sys --> C:\windows\system32\DRIVERS\KmxFile.sys [?]
R1 KmxFilter;HIPS Core Filter Driver;C:\windows\system32\DRIVERS\KmxFilter.sys --> C:\windows\system32\DRIVERS\KmxFilter.sys [?]
R1 PersonalSecureDrive;PersonalSecureDrive;C:\windows\system32\drivers\psd.sys --> C:\windows\system32\drivers\psd.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-1-14 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\system32\atiesrxx.exe --> C:\windows\system32\atiesrxx.exe [?]
R2 CAAMSvc;CAAMSvc;C:\Program Files\CA\SharedComponents\AMS\win\x64\CAAMSvc.exe [2011-9-12 291656]
R2 ccSchedulerSvc;Total Defense Scheduler Service;C:\Program Files\CA\TotalDefense\EndPointClient\EndpointProtection\ccschedulersvc.exe [2012-3-5 424496]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 HP Power Assistant Service;HP Power Assistant Service;C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2011-3-17 132152]
R2 HPDayStarterService;HP DayStarter Service;C:\Program Files\Hewlett-Packard\HP DayStarter\32-bit\HPDayStarterService.exe [2011-1-28 133688]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 HPFSService;File Sanitizer for HP ProtectTools;C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2011-3-10 320512]
R2 hpHotkeyMonitor;hpHotkeyMonitor;C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [2011-3-21 293944]
R2 hpsrv;HP Service;C:\windows\system32\Hpservice.exe --> C:\windows\system32\Hpservice.exe [?]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-1-14 13336]
R2 isafe;Total Defense ISafe Service;C:\Program Files\CA\TotalDefense\EndPointClient\EndpointProtection\isafe.exe [2012-3-5 290304]
R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe [2011-2-24 212944]
R2 KmxIds;KmxIds;C:\windows\system32\DRIVERS\kmxids.sys --> C:\windows\system32\DRIVERS\kmxids.sys [?]
R2 KmxSbx;KmxSbx;C:\windows\system32\DRIVERS\KmxSbx.sys --> C:\windows\system32\DRIVERS\KmxSbx.sys [?]
R2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [2011-3-29 1318912]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2011-5-7 1128952]
R2 PdiService;Portrait Displays SDK Service;C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [2011-5-7 113264]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R2 TD Agent Service;Total Defense Agent;C:\Program Files\CA\SharedComponents\Agent\TDAgent.exe [2011-11-12 158208]
R2 Total Defense Common Elevation Service;Total Defense Common Elevation Service;C:\Program Files\CA\Entitlement\ccprovsp.exe [2012-3-5 371248]
R2 uArcCapture;ArcCapture;C:\Windows\SysWOW64\ArcVCapRender\uArcCapture.exe [2012-1-14 502464]
R2 UmxEngine;TM Engine;C:\Program Files\CA\SharedComponents\TMEngine\UmxEngine.exe [2011-4-4 920656]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-1-14 2656280]
R2 vcsFPService;Validity VCS Fingerprint Service;C:\Windows\System32\vcsFPService.exe [2011-3-24 2762032]
R3 amdkmdag;amdkmdag;C:\windows\system32\DRIVERS\atikmdag.sys --> C:\windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\windows\system32\DRIVERS\atikmpag.sys --> C:\windows\system32\DRIVERS\atikmpag.sys [?]
R3 ARCVCAM;ARCVCAM, ArcSoft Webcam Sharing Manager Driver;C:\windows\system32\DRIVERS\ArcSoftVCapture.sys --> C:\windows\system32\DRIVERS\ArcSoftVCapture.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\windows\system32\drivers\AtihdW76.sys --> C:\windows\system32\drivers\AtihdW76.sys [?]
R3 btwampfl;Bluetooth AMP USB Filter;C:\windows\system32\drivers\btwampfl.sys --> C:\windows\system32\drivers\btwampfl.sys [?]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;C:\windows\system32\DRIVERS\e1c62x64.sys --> C:\windows\system32\DRIVERS\e1c62x64.sys [?]
R3 HP ProtectTools Service;HP ProtectTools Service;C:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2011-4-4 30776]
R3 hpCMSrv;HP Connection Manager 4 Service;C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-4-5 1094712]
R3 JMCR;JMCR;C:\windows\system32\DRIVERS\jmcr.sys --> C:\windows\system32\DRIVERS\jmcr.sys [?]
R3 johci;JMicron 1394 Filter Driver;C:\windows\system32\DRIVERS\johci.sys --> C:\windows\system32\DRIVERS\johci.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\system32\DRIVERS\NETwNs64.sys --> C:\windows\system32\DRIVERS\NETwNs64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\windows\system32\DRIVERS\nusb3hub.sys --> C:\windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\windows\system32\DRIVERS\nusb3xhc.sys --> C:\windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
R3 SPUVCbv;SPUVCb Driver Service;C:\windows\system32\Drivers\SPUVCbv_x64.sys --> C:\windows\system32\Drivers\SPUVCbv_x64.sys [?]
R3 SzCCID;USB SmartCard Reader Driver;C:\windows\system32\DRIVERS\SzCCID.sys --> C:\windows\system32\DRIVERS\SzCCID.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-6-14 116648]
S3 10523;10523;C:\windows\system32\DRIVERS\10523 --> C:\windows\system32\DRIVERS\10523 [?]
S3 26383;26383;C:\windows\system32\DRIVERS\26383 --> C:\windows\system32\DRIVERS\26383 [?]
S3 3459;3459;C:\windows\system32\DRIVERS\3459 --> C:\windows\system32\DRIVERS\3459 [?]
S3 a4wnetMgrService;Sage Accpac .NET Remoting Service;C:\Program Files (x86)\Common Files\Sage\Sage Accpac\a4wnetMgrService.exe [2009-10-26 20480]
S3 DAMDrv;DAMDrv;C:\windows\system32\DRIVERS\DAMDrv64.sys --> C:\windows\system32\DRIVERS\DAMDrv64.sys [?]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;C:\Windows\SysWOW64\flcdlock.exe [2011-3-7 464512]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-6-14 116648]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2011-2-15 1116656]
S3 StorSvc;Storage Service;C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-08 13:54:16 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{526B016C-1DB2-40B0-A7E1-E2B1BCF7E354}\offreg.dll
2012-08-07 16:13:37 9072 ----a-w- C:\windows\System32\drivers\3459
2012-08-07 12:43:23 9072 ----a-w- C:\windows\System32\drivers\26383
2012-08-07 12:41:18 9072 ----a-w- C:\windows\System32\drivers\10523
2012-07-12 15:01:47 251528 ----a-w- C:\windows\System32\drivers\PCTSD64.sys
2012-07-12 15:01:47 -------- d-----w- C:\Program Files (x86)\PC Tools
2012-07-12 15:01:47 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2012-07-12 15:01:31 -------- d-----w- C:\ProgramData\PC Tools
2012-07-12 15:01:30 -------- d-----w- C:\Users\charlie.CORP\AppData\Roaming\TestApp
2012-07-12 14:23:25 -------- d-----w- C:\ProgramData\B7E858A7000F12F6005C783DA6014588
.
==================== Find3M ====================
.
2012-07-30 12:34:22 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-30 12:34:22 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-07-03 17:46:44 24904 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-06-02 22:15:31 2622464 ----a-w- C:\windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\windows\System32\wudriver.dll
2012-06-02 19:19:42 186752 ----a-w- C:\windows\System32\wuwebv.dll
2012-06-02 19:15:12 36864 ----a-w- C:\windows\System32\wuapp.exe
.
============= FINISH: 12:59:43.12 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 17/02/2012 1:36:38 PM
System Uptime: 08/08/2012 8:16:37 AM (4 hours ago)
.
Motherboard: Hewlett-Packard | | 1630
Processor: Intel® Core™ i5-2540M CPU @ 2.60GHz | CPU 1 | 2601/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 445 GiB total, 369.013 GiB free.
D: is FIXED (NTFS) - 932 GiB total, 726.164 GiB free.
E: is FIXED (NTFS) - 15 GiB total, 2.3 GiB free.
F: is FIXED (FAT32) - 5 GiB total, 2.124 GiB free.
G: is CDROM ()
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP42: 27/05/2012 2:34:11 PM - Scheduled Checkpoint
RP43: 03/06/2012 4:43:40 AM - Windows Update
RP44: 11/06/2012 9:22:59 AM - Scheduled Checkpoint
RP45: 14/06/2012 9:41:09 AM - Windows Update
RP46: 22/06/2012 1:57:37 PM - Scheduled Checkpoint
RP47: 30/06/2012 12:30:30 PM - Scheduled Checkpoint
RP48: 04/07/2012 5:15:59 AM - Windows Update
RP49: 11/07/2012 4:43:34 PM - Scheduled Checkpoint
RP50: 12/07/2012 1:10:30 AM - HPSF Restore Point
RP51: 19/07/2012 4:59:21 PM - Scheduled Checkpoint
RP52: 28/07/2012 10:01:58 AM - Scheduled Checkpoint
RP53: 05/08/2012 12:00:02 PM - Scheduled Checkpoint
RP54: 08/08/2012 10:35:03 AM - Windows Backup
RP55: 08/08/2012 10:53:40 AM - Windows Backup
RP56: 08/08/2012 10:55:55 AM - Windows Backup
.
==== Installed Programs ======================
.
ActiveCheck component for HP Active Support Library
Adobe Flash Player 11 ActiveX
Alcor Micro Smart Card Reader Driver
ArcSoft Webcam Sharing Manager
Bing Bar
Bing Bar Platform
Bing Rewards Client Installer
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
Catalyst Control Center Profiles Mobile
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CRM Client
DirectX 9 Runtime
File Sanitizer For HP ProtectTools
Google Earth Plug-in
Google Update Helper
HP Client Automation Agent Preload
HP Connection Manager
HP Customer Experience Enhancements
HP Documentation
HP ESU for Microsoft Windows 7
HP HD Webcam [Fixed]
HP Performance Advisor
HP QuickWeb
HP Setup
HP SoftPaq Download Manager
HP Software Framework
HP Software Setup
HP Support Assistant
HP System Default Settings
HP Wallpaper
HP Webcam
HPAsset component for HP Active Support Library
IDT Audio
Intel® Identity Protection Technology 1.1.2.0
Intel® Management Engine Components
Intel® Rapid Storage Technology
Java Auto Updater
Java™ 6 Update 31
Java™ 6 Update 5
JMicron 1394 Filter Driver
JMicron Flash Media Controller Driver
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft Default Manager
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office 2010
Microsoft Office Access database engine 2007 (English)
Microsoft Office Basic Edition 2003
Microsoft Office Click-to-Run 2010
Microsoft Office Starter 2010 - English
Microsoft PowerPoint Viewer
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Visual Studio 2005 Tools for Office Runtime
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
PDF Complete Special Edition
Pervasive PSQL v10 SP2 Client (32-bit)
Renesas Electronics USB 3.0 Host Controller Driver
Roxio Activation Module
Roxio CinePlayer Decoder Pack
Roxio Express Labeler 3
Roxio MyDVD Business 2010
Roxio Secure Burn
Sage Accpac .NET Libraries 5.6A
Sage Accpac 5.6A
Sage Accpac Options Uni Workstation Install 5.6A
SDK
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Theft Recovery for HP ProtectTools
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
VIP Access SDK (1.0.0.55)
Visual Basic for Applications ® Core
Visual Basic for Applications ® Core - English
Visual Studio 2005 Tools for Office Second Edition Runtime
Wincore MediaBar
Windows Small Business Server 2011 Standard WMI Provider
.
==== Event Viewer Messages From Past Week ========
.
08/08/2012 8:23:31 AM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{8F060649-705F-4B6E-97DB-FDC96A87638A} because another computer on the network has the same name. The server could not start.
08/08/2012 8:19:56 AM, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067] - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. .
08/08/2012 8:03:19 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
08/08/2012 8:03:16 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service Total Defense Common Elevation Service with arguments "" in order to run the server: {AACF4A1C-BC69-4359-9518-DF3F77E462BF}
08/08/2012 7:49:29 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
08/08/2012 7:48:25 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
08/08/2012 7:48:25 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
08/08/2012 7:48:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
08/08/2012 7:48:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
08/08/2012 7:48:12 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
08/08/2012 7:48:08 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache KmxAgent KmxCfg KmxFile KmxFilter KmxFw spldr vpcvmm Wanarpv6
08/08/2012 7:48:06 AM, Error: Service Control Manager [7001] - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error: The dependency service or group failed to start.
08/08/2012 12:18:26 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
08/08/2012 12:18:25 PM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain CORP due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
07/08/2012 8:43:23 AM, Error: Application Popup [1060] - \SystemRoot\System32\DRIVERS\26383 has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
07/08/2012 8:41:19 AM, Error: Application Popup [1060] - \SystemRoot\System32\DRIVERS\10523 has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
07/08/2012 12:13:37 PM, Error: Application Popup [1060] - \SystemRoot\System32\DRIVERS\3459 has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
04/08/2012 11:34:58 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the hpqwmiex service.
.
==== End Of File ===========================

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-08 13:38:35
Windows 6.1.7600
Running: gmer.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\402cf487d789
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\402cf487d789 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Users\charlie.CORP\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_svchost.exe_1d2f8c8c4fc818679b1ec15e4c3f42f3313d28_28e31fe6 0 bytes

---- EOF - GMER 1.0.15 ----

Edited by Charlie929, 08 August 2012 - 01:06 PM.
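As an added triage aid (not code from this thread or from the DDS/FRST/GMER authors), the script below scans saved log lines for the two indicators that appear in this post and in the FRST log later in the thread: driver files under System32\drivers whose names are only digits (3459, 26383, 10523, each 9072 bytes, which the event log shows were blocked from loading), and the {GUID}\@, \L and \U folder layout under AppData\Local that FRST reports under a ZeroAccess heading. The sample lines are constructed by copying entries from those logs; the regexes, the function names and the `scan_log_file` helper are my own assumptions, and a match is a reason to look closer, not proof of infection.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: entries copied from the DDS log above and from
# the FRST log later in this thread, plus benign lines for contrast.
SAMPLE_LINES = [
    r"2012-08-07 16:13:37 9072 ----a-w- C:\windows\System32\drivers\3459",
    r"2012-07-12 15:01:47 251528 ----a-w- C:\windows\System32\drivers\PCTSD64.sys",
    r"2012-07-03 17:46:44 24904 ----a-w- C:\windows\System32\drivers\mbam.sys",
    r"3 10523; C:\Windows\System32\DRIVERS\10523 [x]",
    r"3 ARCVCAM; C:\Windows\System32\DRIVERS\ArcSoftVCapture.sys [32192 2010-11-10] (ArcSoft, Inc.)",
    r"2012-08-10 04:46 - 2012-08-10 04:46 - 00000000 ____D C:\Users\administrator.CORP\AppData\Roaming\Adobe",
    r"C:\Users\charlie.CORP\AppData\Local\{4cc1492f-80ef-a2d4-cdf0-25a246fb2f73}",
    r"C:\Users\charlie.CORP\AppData\Local\{4cc1492f-80ef-a2d4-cdf0-25a246fb2f73}\U\00000001.@",
]

# A Windows path on a DDS/FRST line: from the drive letter up to the
# " [size date]" / " [x]" annotation that FRST appends, or to end of line.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\[\]]*?)(?:\s+\[|\s*$)")

# Indicator 1: a file directly under System32\drivers whose name is digits
# only, with no extension (the 3459 / 26383 / 10523 entries in this thread).
NUMERIC_DRIVER_RE = re.compile(r"\\system32\\drivers\\\d+$", re.IGNORECASE)

# Indicator 2: the user-mode layout FRST lists under its "ZeroAccess:"
# heading: a {GUID} folder in AppData\Local holding "@", "L" and "U".
ZEROACCESS_RE = re.compile(
    r"\\appdata\\local\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
    r"(?:$|\\(?:@|L|U)(?:$|\\))",
    re.IGNORECASE,
)


def extract_path(line: str) -> Optional[str]:
    """Return the first Windows path on a log line, or None if there is none."""
    match = PATH_RE.search(line)
    return match.group(1).rstrip() if match else None


def find_suspicious(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (indicator, path) pairs for every line matching an indicator.

    A hit is a reason to inspect the file, not proof of infection: confirm
    against the event log (blocked-from-loading entries) and the file's
    metadata before deciding anything.
    """
    hits: List[Tuple[str, str]] = []
    for line in lines:
        path = extract_path(line)
        if path is None:
            continue
        if NUMERIC_DRIVER_RE.search(path):
            hits.append(("numeric-named driver", path))
        elif ZEROACCESS_RE.search(path):
            hits.append(("ZeroAccess user-mode folder", path))
    return hits


def scan_log_file(log_path: str, encoding: str = "utf-8") -> List[Tuple[str, str]]:
    """Hypothetical convenience wrapper: run find_suspicious over a saved log."""
    with open(log_path, encoding=encoding, errors="replace") as handle:
        return find_suspicious(handle.read().splitlines())


if __name__ == "__main__":
    # Prints the four hits from the constructed sample: two numeric-named
    # drivers and two ZeroAccess folder entries.
    for indicator, path in find_suspicious(SAMPLE_LINES):
        print(f"{indicator:28s} {path}")
```

The path regex stops at the first " [" so FRST's size/date annotation and its "[x]" marker are not mistaken for part of the file name; DDS lines have no annotation and run to end of line. Point `scan_log_file` at a saved DDS.txt or FRST.txt to run the same two checks over a whole log.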



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,496 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:23 PM

Posted 12 August 2012 - 04:00 PM

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt file. Close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs (FRST.txt and Search.txt) in your reply.
The help you receive here is free. If you wish to show your appreciation, then you may donate.
Microsoft MVP - 2010, 2011, 2012, 2013

#3 Charlie929

Charlie929
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 13 August 2012 - 02:40 PM

Hi CatByte,
When I enter the drive location etc. (D:\frst.exe) I get this message: "The system needed to support the image is not present". So I can't open the tool this way. However, I can run it in the normal Windows. Will it have the same effect, or am I doing something wrong? My IT guy here did some work on this and cleared the pop up virus alert message, but mentioned this may rewrite itself. So I still want to see what you folks can do. I'm getting strange pop up ads in the lower screen when I'm on the net, and I get a redirect to a Bearshare browser which I would like removed as well.
Charlie

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,496 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:23 PM

Posted 13 August 2012 - 02:43 PM

When you log into the recovery environment, did you check to see what drive letter is assigned to your USB drive? (It changes in the recovery environment.)

so work through the instructions carefully

http://www.bleepingcomputer.com/forums/topic464321.html/page__view__findpost__p__2802731

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,496 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:23 PM

Posted 13 August 2012 - 02:46 PM

My IT guy here did some work on this and cleared the pop up virus alert message, but mentioned this may rewrite itself


We generally don't work on business computers for various reasons: your computer may contain proprietary information or have policies set that our tools may interfere with.

Plus the IT department may not agree with our assistance.

If we have the blessing from the IT department to assist as they are unable to resolve the issue and are not in a position to reformat the computer, then we can still offer assistance, but cannot be held accountable for any issues that may arise from it being a business computer.

Let me know if you still wish to proceed.

#6 Charlie929

Charlie929
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 13 August 2012 - 03:07 PM

I've used B/C in the past on laptops from work.
Anyway, I followed the directions correctly; the flash drive was D:\ but I still get that message. Tried E:\ as there are frst files in there, but that was not the flash drive (still didn't work).
Could it be an issue with the download on the flash?

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,496 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:23 PM

Posted 13 August 2012 - 03:33 PM

Yes, try formatting the USB, then re-download the FRST program.

Make sure you download the 64-bit version.

#8 Charlie929

Charlie929
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 14 August 2012 - 07:40 AM

Scan result of Farbar Recovery Scan Tool Version: 14-08-2012
Ran by SYSTEM at 14-08-2012 08:14:45
Running from D:\
Windows 7 Professional (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [HPPowerAssistant] C:\Program Files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe /hidden [2941496 2011-03-17] (Hewlett-Packard Company)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2710824 2011-03-29] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-03-04] (IDT, Inc.)
HKLM\...\Run: [MfeEpePcMonitor] "C:\Program Files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe" [200704 2011-03-29] ()
HKLM\...\Run: [CATM] "C:\Program Files\CA\TotalDefense\EndPointClient\EndpointProtection\catm.exe" [768560 2012-02-15] (Total Defense, Inc.)
HKLM\...\Run: [EventMgt] "C:\Program Files\CA\TotalDefense\EndPointClient\EndpointProtection\ccEvtMgr.exe" [610352 2012-02-15] (Total Defense, Inc.)
HKLM-x32\...\Run: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe [658424 2011-02-25] (PDF Complete Inc)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [514544 2011-01-12] ()
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [QLBController] C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe /start [312376 2011-03-21] (Hewlett-Packard Company)
HKLM-x32\...\Run: [File Sanitizer] C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe [12277760 2011-03-10] (Hewlett-Packard)
HKLM-x32\...\Run: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [112152 2011-01-17] (Intel Corporation)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2011-01-26] (Intel Corporation)
HKLM-x32\...\Run: [NUSB3MON] "c:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [HP HD Webcam [Fixed]_Monitor] C:\Program Files (x86)\HP HD Webcam [Fixed]\monitor.exe [267128 2010-11-26] ()
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2011-08-10] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HPConnectionManager] c:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe [94264 2011-04-05] (Hewlett-Packard Development Company L.P.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [HPQuickWebProxy] "c:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe" [76344 2011-03-30] (Hewlett-Packard Company)
HKLM-x32\...\Run: [IFXSPMGT] "c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe" /NotifyLogon [1125728 2011-01-19] (Infineon Technologies AG)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe,
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
AppInit_DLLs: UmxSbxExA64.dll
Lsa: [Notification Packages] EpePcNp64
DPPassFilter
scecli
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

==================== Services (Whitelisted) ======

3 a4wnetMgrService; "C:\Program Files (x86)\Common Files\Sage\Sage Accpac\a4wnetMgrService.exe" [20480 2009-10-26] (Sage Software, Inc.)
2 CAAMSvc; C:\Program Files\CA\SharedComponents\AMS\win\x64\CAAMSvc.exe [291656 2011-09-12] (CA)
2 ccSchedulerSvc; "C:\Program Files\CA\TotalDefense\EndPointClient\EndpointProtection\ccschedulersvc.exe" [424496 2012-02-15] (Total Defense, Inc.)
2 DpHost; C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe [485712 2011-04-01] (DigitalPersona, Inc.)
3 FLCDLOCK; C:\Windows\SysWOW64\flcdlock.exe [464512 2011-03-07] (Hewlett-Packard Company)
3 HP ProtectTools Service; "C:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe" [30776 2011-04-04] (Hewlett-Packard Development Company, L.P)
3 hpCMSrv; "C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe" [1094712 2011-04-05] (Hewlett-Packard Development Company L.P.)
2 HPDayStarterService; "C:\Program Files\Hewlett-Packard\HP DayStarter\32-bit\HPDayStarterService.exe" [133688 2011-01-28] (Hewlett-Packard Company)
2 hpHotkeyMonitor; C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe [293944 2011-03-21] (Hewlett-Packard Company)
2 IFXSpMgtSrv; C:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe [1125728 2011-01-19] (Infineon Technologies AG)
2 IFXTCS; C:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxtcs.exe [980320 2011-01-19] (Infineon Technologies AG)
2 isafe; "C:\Program Files\CA\TotalDefense\EndPointClient\EndpointProtection\isafe.exe" [290304 2012-02-15] (Total Defense, Inc.)
2 McAfee Endpoint Encryption Agent; "C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe" [1318912 2011-03-29] ()
2 PdiService; C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [113264 2011-03-16] (Portrait Displays, Inc.)
2 PersonalSecureDriveService; "C:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\IfxPsdSv.exe" [203104 2011-01-19] (Infineon Technologies AG)
3 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74392 2010-11-08] (MicroVision Development, Inc.)
2 TD Agent Service; "C:\Program Files\CA\SharedComponents\Agent\TDAgent.exe" [158208 2012-01-09] (Total Defense Inc.)
2 Total Defense Common Elevation Service; "C:\Program Files\CA\Entitlement\ccprovsp.exe" [371248 2012-02-15] (Total Defense, Inc.)
2 uArcCapture; C:\windows\SysWow64\ArcVCapRender\uArcCapture.exe [502464 2010-11-10] (ArcSoft, Inc.)
2 UmxEngine; "C:\Program Files\CA\SharedComponents\TMEngine\UmxEngine.exe" [920656 2011-04-04] (CA)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2011-01-17] (Intel Corporation)

========================== Drivers (Whitelisted) =============

3 ARCVCAM; C:\Windows\System32\DRIVERS\ArcSoftVCapture.sys [32192 2010-11-10] (ArcSoft, Inc.)
3 DAMDrv; C:\Windows\System32\DRIVERS\DAMDrv64.sys [63336 2011-03-03] (Hewlett-Packard Company)
3 johci; C:\Windows\System32\Drivers\johci.sys [26712 2011-02-09] (JMicron Technology Corp.)
1 KmxAgent; C:\Windows\System32\Drivers\KmxAgent.sys [113744 2011-10-26] (CA)
0 KmxAMRT; C:\Windows\System32\Drivers\KmxAMRT.sys [182352 2011-10-27] (Total Defense)
1 KmxCfg; C:\Windows\System32\Drivers\KmxCfg.sys [365136 2011-09-06] (CA)
1 KmxFile; C:\Windows\System32\Drivers\KmxFile.sys [87120 2011-09-06] (CA)
1 KmxFilter; C:\Windows\System32\Drivers\KmxFilter.sys [99024 2011-09-06] (CA)
0 KmxFw; C:\Windows\System32\Drivers\KmxFw.sys [143824 2011-09-06] (CA)
2 KmxIds; C:\Windows\System32\Drivers\KmxIds.sys [238672 2011-09-06] (CA)
2 KmxSbx; C:\Windows\System32\Drivers\KmxSbx.sys [81488 2011-09-06] (CA)
0 MfeEpePc; C:\Windows\System32\Drivers\MfeEpePc.sys [168008 2011-03-29] (McAfee, Inc.)
1 PersonalSecureDrive; C:\Windows\System32\drivers\psd.sys [44576 2010-01-25] (Infineon Technologies AG)
3 SPUVCbv; C:\Windows\System32\Drivers\SPUVCbv_x64.sys [2612728 2011-02-11] (Sunplus Technology)
3 SzCCID; C:\Windows\System32\Drivers\SzCCID.sys [40448 2011-01-13] (Generic)
3 10523; C:\Windows\System32\DRIVERS\10523 [x]
3 26383; C:\Windows\System32\DRIVERS\26383 [x]
3 3459; C:\Windows\System32\DRIVERS\3459 [x]
3 8063; C:\Windows\System32\DRIVERS\8063 [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-13 11:31 - 2012-08-14 08:14 - 00000000 ____D C:\FRST
2012-08-10 06:02 - 2012-08-10 06:02 - 00000000 ____D C:\Program Files (x86)\Oracle
2012-08-10 06:01 - 2012-07-05 18:06 - 00772544 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-08-10 05:54 - 2012-08-10 05:54 - 00009072 ____A C:\Windows\System32\Drivers\8063
2012-08-10 04:46 - 2012-08-10 04:46 - 00000000 ____D C:\Users\administrator.CORP\AppData\Roaming\Macromedia
2012-08-10 04:46 - 2012-08-10 04:46 - 00000000 ____D C:\Users\administrator.CORP\AppData\Roaming\Adobe
2012-08-10 04:35 - 2012-08-10 04:35 - 00000000 ____D C:\Users\administrator.CORP\AppData\Roaming\Malwarebytes
2012-08-09 13:35 - 2012-08-09 13:35 - 00000761 ____A C:\Windows\System32\Drivers\etc\hosts.txt
2012-08-08 09:50 - 2012-08-08 09:50 - 00000000 ____A C:\Users\charlie.CORP\defogger_reenable
2012-08-08 09:39 - 2012-08-08 09:39 - 00000248 ____A C:\Users\charlie.CORP\Desktop\defogger_enable.log
2012-08-08 09:38 - 2012-08-08 09:38 - 00000677 ____A C:\Users\charlie.CORP\Desktop\ark.txt
2012-08-08 09:02 - 2012-08-08 09:24 - 00000000 ____D C:\Users\charlie.CORP\Desktop\gmer
2012-08-08 09:01 - 2012-08-08 09:01 - 00030788 ____A C:\Users\charlie.CORP\Desktop\DDS.txt
2012-08-08 09:01 - 2012-08-08 09:01 - 00010345 ____A C:\Users\charlie.CORP\Desktop\Attach.txt
2012-08-08 08:58 - 2012-08-08 09:50 - 00000476 ____A C:\Users\charlie.CORP\Desktop\defogger_disable.log
2012-08-08 05:59 - 2012-08-08 05:59 - 00294216 ____A C:\Users\charlie.CORP\Desktop\gmer.zip
2012-08-08 05:56 - 2012-08-08 05:56 - 00607260 ____R (Swearware) C:\Users\charlie.CORP\Desktop\dds.com
2012-08-08 05:54 - 2012-08-08 05:54 - 00050477 ____A C:\Users\charlie.CORP\Desktop\Defogger.exe
2012-08-07 17:08 - 2012-08-07 17:08 - 00751391 ____A (Farbar) C:\Users\charlie.CORP\Desktop\MiniToolBox.exe
2012-08-07 17:07 - 2012-08-07 17:07 - 01051552 ____A (Bleeping Computer, LLC) C:\Users\charlie.CORP\Desktop\rkill.scr
2012-08-07 08:13 - 2012-08-07 08:13 - 00009072 ____A C:\Windows\System32\Drivers\3459
2012-08-07 04:43 - 2012-08-07 04:43 - 00009072 ____A C:\Windows\System32\Drivers\26383
2012-08-07 04:41 - 2012-08-07 04:41 - 00009072 ____A C:\Windows\System32\Drivers\10523

============ 3 Months Modified Files ========================

2012-08-14 04:11 - 2012-03-03 09:39 - 00303199 ____A C:\Windows\System32\Drivers\kmxcfg.u2k0
2012-08-14 04:11 - 2012-03-03 09:39 - 00121980 ____A C:\Windows\System32\Drivers\KmxAgent.asc
2012-08-14 04:11 - 2012-03-03 09:39 - 00000575 ____A C:\Windows\System32\Drivers\kmxzone.u2k0
2012-08-14 04:11 - 2012-03-03 09:39 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k7
2012-08-14 04:11 - 2012-03-03 09:39 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k6
2012-08-14 04:11 - 2012-03-03 09:39 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k5
2012-08-14 04:11 - 2012-03-03 09:39 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k4
2012-08-14 04:11 - 2012-03-03 09:39 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k3
2012-08-14 04:11 - 2012-03-03 09:39 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k2
2012-08-14 04:11 - 2012-03-03 09:39 - 00000085 ____A C:\Windows\System32\Drivers\kmxcfg.u2k1
2012-08-14 04:11 - 2012-03-03 09:39 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k7
2012-08-14 04:11 - 2012-03-03 09:39 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k6
2012-08-14 04:11 - 2012-03-03 09:39 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k5
2012-08-14 04:11 - 2012-03-03 09:39 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k4
2012-08-14 04:11 - 2012-03-03 09:39 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k3
2012-08-14 04:11 - 2012-03-03 09:39 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k2
2012-08-14 04:11 - 2012-03-03 09:39 - 00000049 ____A C:\Windows\System32\Drivers\kmxzone.u2k1
2012-08-14 04:10 - 2012-06-14 06:20 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-14 04:09 - 2012-03-03 09:36 - 00000036 ____A C:\Windows\System32\Drivers\Ids_cfg.dat.0
2012-08-14 04:09 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-14 04:09 - 2009-07-13 20:51 - 00053994 ____A C:\Windows\setupact.log
2012-08-14 04:05 - 2009-07-13 21:13 - 00779614 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-14 04:03 - 2009-07-13 20:45 - 00020944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-14 04:03 - 2009-07-13 20:45 - 00020944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-14 03:57 - 2012-02-21 08:55 - 00000152 ____A C:\Windows\System32\config\netlogon.ftl
2012-08-13 17:30 - 2012-06-14 06:20 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-13 03:23 - 2012-01-14 06:20 - 01794864 ____A C:\Windows\WindowsUpdate.log
2012-08-13 03:22 - 2012-01-14 06:44 - 00286178 ____A C:\Windows\PFRO.log
2012-08-10 06:01 - 2012-02-28 08:51 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-08-10 06:01 - 2012-02-28 08:51 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-08-10 05:54 - 2012-08-10 05:54 - 00009072 ____A C:\Windows\System32\Drivers\8063
2012-08-09 13:35 - 2012-08-09 13:35 - 00000761 ____A C:\Windows\System32\Drivers\etc\hosts.txt
2012-08-09 13:32 - 2012-03-20 11:11 - 00002000 ___AH C:\Users\charlie.CORP\Documents\Default.rdp
2012-08-08 09:50 - 2012-08-08 09:50 - 00000000 ____A C:\Users\charlie.CORP\defogger_reenable
2012-08-08 09:50 - 2012-08-08 08:58 - 00000476 ____A C:\Users\charlie.CORP\Desktop\defogger_disable.log
2012-08-08 09:39 - 2012-08-08 09:39 - 00000248 ____A C:\Users\charlie.CORP\Desktop\defogger_enable.log
2012-08-08 09:38 - 2012-08-08 09:38 - 00000677 ____A C:\Users\charlie.CORP\Desktop\ark.txt
2012-08-08 09:01 - 2012-08-08 09:01 - 00030788 ____A C:\Users\charlie.CORP\Desktop\DDS.txt
2012-08-08 09:01 - 2012-08-08 09:01 - 00010345 ____A C:\Users\charlie.CORP\Desktop\Attach.txt
2012-08-08 05:59 - 2012-08-08 05:59 - 00294216 ____A C:\Users\charlie.CORP\Desktop\gmer.zip
2012-08-08 05:56 - 2012-08-08 05:56 - 00607260 ____R (Swearware) C:\Users\charlie.CORP\Desktop\dds.com
2012-08-08 05:54 - 2012-08-08 05:54 - 00050477 ____A C:\Users\charlie.CORP\Desktop\Defogger.exe
2012-08-07 17:08 - 2012-08-07 17:08 - 00751391 ____A (Farbar) C:\Users\charlie.CORP\Desktop\MiniToolBox.exe
2012-08-07 17:07 - 2012-08-07 17:07 - 01051552 ____A (Bleeping Computer, LLC) C:\Users\charlie.CORP\Desktop\rkill.scr
2012-08-07 08:13 - 2012-08-07 08:13 - 00009072 ____A C:\Windows\System32\Drivers\3459
2012-08-07 04:43 - 2012-08-07 04:43 - 00009072 ____A C:\Windows\System32\Drivers\26383
2012-08-07 04:41 - 2012-08-07 04:41 - 00009072 ____A C:\Windows\System32\Drivers\10523
2012-07-30 04:34 - 2012-03-29 04:29 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-30 04:34 - 2011-05-06 20:50 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-12 07:07 - 2012-03-02 06:34 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-10 17:04 - 2012-07-10 17:03 - 00275984 ____A C:\Windows\Minidump\071012-27877-01.dmp
2012-07-10 17:03 - 2012-07-10 17:03 - 504561932 ____A C:\Windows\MEMORY.DMP
2012-07-05 18:06 - 2012-08-10 06:01 - 00772544 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-07-05 18:06 - 2012-03-01 10:17 - 00687544 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-07-05 18:06 - 2012-02-28 08:51 - 00227760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-07-03 09:46 - 2012-03-02 06:34 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-08 10:52 - 2012-06-08 10:49 - 00857088 ____A C:\Users\charlie.CORP\Desktop\2012 Shelco Industrial Price Book 20120601A2.xls
2012-06-02 14:19 - 2012-06-14 05:42 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-14 05:42 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-14 05:42 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-14 05:42 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-14 05:42 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-14 05:42 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-14 05:42 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-14 05:41 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:15 - 2012-06-14 05:41 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe


ZeroAccess:
C:\Users\charlie.CORP\AppData\Local\{4cc1492f-80ef-a2d4-cdf0-25a246fb2f73}
C:\Users\charlie.CORP\AppData\Local\{4cc1492f-80ef-a2d4-cdf0-25a246fb2f73}\@
C:\Users\charlie.CORP\AppData\Local\{4cc1492f-80ef-a2d4-cdf0-25a246fb2f73}\L
C:\Users\charlie.CORP\AppData\Local\{4cc1492f-80ef-a2d4-cdf0-25a246fb2f73}\U
C:\Users\charlie.CORP\AppData\Local\{4cc1492f-80ef-a2d4-cdf0-25a246fb2f73}\U\00000001.@
C:\Users\charlie.CORP\AppData\Local\{4cc1492f-80ef-a2d4-cdf0-25a246fb2f73}\U\800000cb.@

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 4046.36 MB
Available physical RAM: 3412.65 MB
Total Pagefile: 4044.51 MB
Available Pagefile: 3399.96 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:445.11 GB) (Free:369.41 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: () (Removable) (Total:0.94 GB) (Free:0.94 GB) FAT
3 Drive f: (HP_RECOVERY) (Fixed) (Total:15.36 GB) (Free:2.3 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive g: (HP_TOOLS) (Fixed) (Total:4.98 GB) (Free:2.12 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.12 GB) (Free:0.12 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.29 GB) (Free:0.25 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 962 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 300 MB 1024 KB
Partition 2 Primary 445 GB 301 MB
Partition 3 Primary 15 GB 445 GB
Partition 4 Primary 5115 MB 460 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 300 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 445 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F HP_RECOVERY NTFS Partition 15 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G HP_TOOLS FAT32 Partition 5115 MB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 960 MB 1276 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 D FAT Removable 960 MB Healthy

==================================================================================

Last Boot: 2012-08-07 03:41

======================= End Of Log ==========================

Farbar Recovery Scan Tool Version: 14-08-2012
Ran by SYSTEM at 2012-08-14 08:17:02
Running from D:\

================== Search: "service.exe" ===================

====== End Of Search ======

#9 CatByte (Malware Response Team)

Posted 14 August 2012 - 08:15 AM

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

start
HKLM-x32\...\Run: [] [x]
3 10523; C:\Windows\System32\DRIVERS\10523 [x]
3 26383; C:\Windows\System32\DRIVERS\26383 [x]
3 3459; C:\Windows\System32\DRIVERS\3459 [x]
3 8063; C:\Windows\System32\DRIVERS\8063 [x]
2012-08-10 05:54 - 2012-08-10 05:54 - 00009072 ____A C:\Windows\System32\Drivers\8063
2012-08-07 08:13 - 2012-08-07 08:13 - 00009072 ____A C:\Windows\System32\Drivers\3459
2012-08-07 04:43 - 2012-08-07 04:43 - 00009072 ____A C:\Windows\System32\Drivers\26383
2012-08-07 04:41 - 2012-08-07 04:41 - 00009072 ____A C:\Windows\System32\Drivers\10523
C:\Users\charlie.CORP\AppData\Local\{4cc1492f-80ef-a2d4-cdf0-25a246fb2f73}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double-click on ComboFix.exe and follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run, please just reboot and that will resolve that error.
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013
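
After the FRST fix and the normal reboot, a practitioner would want to confirm that the artifacts named in the fixlist are actually gone rather than trust the quarantine pop-ups. The PowerShell check below is an added example for readers of this thread; it is not part of CatByte's instructions, not FRST's own code, and not from the original post. It takes its paths and driver service names from the FRST log and fixlist above, and assumes the infected profile is C:\Users\charlie.CORP as shown in that log. It only reports what is still present; it deletes nothing. The two pattern scans at the end go beyond the four names in the fixlist and look for the same layout (purely numeric file names in the driver directory, a GUID-named folder in AppData\Local holding an "@" entry) anywhere on the machine.

```powershell
# Added example: verify that the ZeroAccess artifacts listed in this thread are gone.
# Not part of CatByte's fixlist or of FRST; paths and names come from the logs above.
# Assumption: the infected profile is C:\Users\charlie.CORP, as shown in the FRST log.
# Written to run on Windows PowerShell 2.0 (Windows 7 default) from an elevated prompt.

function Test-ListedZeroAccessArtifacts {
    param(
        [string]$ProfileDir = 'C:\Users\charlie.CORP'   # assumed, from the FRST log
    )

    # File-system artifacts named in the fixlist: the GUID folder that held the '@', 'L'
    # and 'U' entries, plus the numeric-named driver files (9072 bytes each in the log).
    $listedPaths = @(
        "$ProfileDir\AppData\Local\{4cc1492f-80ef-a2d4-cdf0-25a246fb2f73}",
        'C:\Windows\System32\Drivers\10523',
        'C:\Windows\System32\Drivers\26383',
        'C:\Windows\System32\Drivers\3459',
        'C:\Windows\System32\Drivers\8063'
    )

    # Driver service names from the fixlist lines ("3 10523; ..." etc.). A leftover
    # service key is still a loading point even after the file itself is gone.
    $listedServices = @('10523', '26383', '3459', '8063')

    $findings = @()

    foreach ($p in $listedPaths) {
        # -LiteralPath so the braces in the GUID folder name are not treated as wildcards
        if (Test-Path -LiteralPath $p) { $findings += "still present: $p" }
    }

    foreach ($s in $listedServices) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$s"
        if (Test-Path -LiteralPath $key) { $findings += "service key still present: $key" }
    }

    # Generalisation beyond the four listed names: any purely numeric file name in the
    # driver directory matches the same pattern, so report those as well.
    $numericDrivers = Get-ChildItem -LiteralPath 'C:\Windows\System32\Drivers' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match '^\d+$' }
    foreach ($f in $numericDrivers) {
        $findings += ('numeric-named driver file: {0} ({1} bytes)' -f $f.FullName, $f.Length)
    }

    # Generalisation: a GUID-named folder with an '@' entry directly inside it, in any
    # profile's AppData\Local, is the layout the FRST log flagged under "ZeroAccess:".
    $guidFolders = Get-ChildItem -Path 'C:\Users\*\AppData\Local' -ErrorAction SilentlyContinue |
        Where-Object {
            $_.PSIsContainer -and
            $_.Name -match '^\{[0-9a-fA-F-]{36}\}$' -and
            (Test-Path -LiteralPath (Join-Path $_.FullName '@'))
        }
    foreach ($d in $guidFolders) {
        $findings += "ZeroAccess-style folder: $($d.FullName)"
    }

    return $findings
}

$result = @(Test-ListedZeroAccessArtifacts)
if ($result.Count -eq 0) {
    'None of the listed artifacts were found.'
} else {
    $result
}
```

The function returns the list of findings, so it can be reused in a scheduled post-cleanup check; the pattern scans are deliberately reported rather than acted on, because a numeric file name or a GUID folder on its own is a signal to inspect, not proof of infection.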

#10 Charlie929 (Topic Starter)

Posted 14 August 2012 - 11:09 AM

CatByte,
The scan tool seems to hang at "completed stage _4" but no log or reboot or anything. I've turned off the virus/malware protection as required.??

#11 CatByte (Malware Response Team)

Posted 14 August 2012 - 11:51 AM

Please try running it in Safe Mode; sometimes it does take a lot longer than you would expect it to:

To Enter Safe Mode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down Arrow keys to scroll up to Safe Mode
  • Then press the Enter key on your keyboard
  • Go into your usual account


#12 Charlie929 (Topic Starter)

Posted 14 August 2012 - 12:51 PM

ComboFix 12-08-13.01 - charlie 14/08/2012 13:06:06.3.4 - x64 MINIMAL
Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.4046.2706 [GMT -4:00]
Running from: c:\users\charlie.CORP\Desktop\ComboFix.exe
AV: Total Defense r12 *Enabled/Updated* {57B5C44D-AAB5-DBC9-741B-542BE5A132EA}
FW: Total Defense r12 *Enabled* {6F8E4568-E0DA-DA91-5F44-FD1E1B727591}
SP: Total Defense r12 *Enabled/Updated* {ECD425A9-8C8F-D447-4EAB-6F599E267857}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\charlie.CORP\AppData\Local\assembly\tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-07-14 to 2012-08-14 )))))))))))))))))))))))))))))))
.
.
2012-08-14 17:10 . 2012-08-14 17:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-13 19:31 . 2012-08-14 16:14 -------- d-----w- C:\FRST
2012-08-10 14:02 . 2012-08-10 14:02 -------- d-----w- c:\program files (x86)\Oracle
2012-08-10 14:01 . 2012-07-06 02:06 772544 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-08-10 12:35 . 2012-08-10 12:35 -------- d-----w- c:\users\administrator.CORP\AppData\Roaming\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-30 12:34 . 2012-03-29 12:29 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-30 12:34 . 2011-05-07 04:50 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-06 02:06 . 2012-03-01 18:17 687544 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-07-03 17:46 . 2012-03-02 14:34 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 22:19 . 2012-06-14 13:42 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-14 13:42 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-14 13:42 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-14 13:42 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-14 13:42 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-14 13:42 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-14 13:42 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-14 13:41 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-14 13:41 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 04:04 . 2012-07-04 09:17 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{526B016C-1DB2-40B0-A7E1-E2B1BCF7E354}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PDF Complete"="c:\program files (x86)\PDF Complete\pdfsty.exe" [2011-02-25 658424]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2011-01-12 514544]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"QLBController"="c:\program files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe" [2011-03-22 312376]
"File Sanitizer"="c:\program files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2011-03-10 12277760]
"IMSS"="c:\program files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2011-01-17 112152]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-01-26 283160]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"HP HD Webcam [Fixed]_Monitor"="c:\program files (x86)\HP HD Webcam [Fixed]\monitor.exe" [2010-11-26 11:31 267128]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-08-10 336384]
"HPConnectionManager"="c:\program files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe" [2011-04-05 94264]
"HPQuickWebProxy"="c:\program files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe" [2011-03-30 76344]
"IFXSPMGT"="c:\program files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe" [2011-01-20 1125728]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-29 1132320]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2011-03-07 17:59 75392 ----a-w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2011-02-24 19:33 79368 ----a-w- c:\windows\System32\UmxWNP.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2354695922-4183816018-3316816161-1119\Scripts\Logon\0\0]
"Script"=d:\technology\Scripts\logon.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2354695922-4183816018-3316816161-1119\Scripts\Logon\1\0]
"Script"=d:\technology\Scripts\logon.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2354695922-4183816018-3316816161-500\Scripts\Logon\0\0]
"Script"=d:\technology\Scripts\logon.bat
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-06-14 116648]
R3 a4wnetMgrService;Sage Accpac .NET Remoting Service;c:\program files (x86)\Common Files\Sage\Sage Accpac\a4wnetMgrService.exe [2009-10-27 20480]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv64.sys [2011-03-03 63336]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\SysWOW64\flcdlock.exe [2011-03-07 464512]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-06-14 116648]
R3 hpCMSrv;HP Connection Manager 4 Service;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-04-05 1094712]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2011-02-15 1116656]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-02-20 1255736]
S0 KmxAMRT;KmxAMRT;c:\windows\system32\DRIVERS\KmxAMRT.sys [2011-10-27 182352]
S0 KmxFw;KmxFw;c:\windows\System32\DRIVERS\kmxfw.sys [2011-09-07 143824]
S0 MfeEpePc;MfeEpePc; [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2011-10-26 113744]
S1 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2011-09-07 365136]
S1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2011-09-07 87120]
S1 KmxFilter;HIPS Core Filter Driver;c:\windows\system32\DRIVERS\KmxFilter.sys [2011-09-07 99024]
S1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\System32\drivers\psd.sys [2010-01-26 44576]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-08-09 203776]
S2 CAAMSvc;CAAMSvc;c:\program files\CA\SharedComponents\AMS\win\x64\CAAMSvc.exe [2011-09-13 291656]
S2 ccSchedulerSvc;Total Defense Scheduler Service;c:\program files\CA\TotalDefense\EndPointClient\EndpointProtection\ccschedulersvc.exe [2012-02-15 424496]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2011-03-17 132152]
S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP DayStarter\32-bit\HPDayStarterService.exe [2011-01-28 133688]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-29 94264]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2011-03-10 320512]
S2 hpHotkeyMonitor;hpHotkeyMonitor;c:\program files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe [2011-03-22 293944]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-03-16 30520]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-01-26 13336]
S2 isafe;Total Defense ISafe Service;c:\program files\CA\TotalDefense\EndPointClient\EndpointProtection\isafe.exe [2012-02-15 290304]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944]
S2 KmxIds;KmxIds;c:\windows\system32\DRIVERS\kmxids.sys [2011-09-07 238672]
S2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2011-09-07 81488]
S2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [2011-03-29 1318912]
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe [2011-02-25 1128952]
S2 PdiService;Portrait Displays SDK Service;c:\program files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [2011-03-16 113264]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S2 TD Agent Service;Total Defense Agent;c:\program files\CA\SharedComponents\Agent\TDAgent.exe [2012-01-09 158208]
S2 Total Defense Common Elevation Service;Total Defense Common Elevation Service;c:\program files\CA\Entitlement\ccprovsp.exe [2012-02-15 371248]
S2 uArcCapture;ArcCapture;c:\windows\SysWow64\ArcVCapRender\uArcCapture.exe [2010-11-11 502464]
S2 UmxEngine;TM Engine;c:\program files\CA\SharedComponents\TMEngine\UmxEngine.exe [2011-04-04 920656]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-17 2656280]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2011-03-24 3161904]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-08-09 9090560]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-08-09 299520]
S3 ARCVCAM;ARCVCAM, ArcSoft Webcam Sharing Manager Driver;c:\windows\system32\DRIVERS\ArcSoftVCapture.sys [2010-11-11 32192]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-06-06 231440]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-07-14 344616]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-02 39464]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [2010-12-21 316080]
S3 HP ProtectTools Service;HP ProtectTools Service;c:\program files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2011-04-04 30776]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2011-03-08 174680]
S3 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys [2011-02-09 26712]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]
S3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [2011-01-04 8507392]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-12-10 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-12-10 181248]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2009-12-03 721768]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2009-12-03 269672]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-12-03 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2009-12-03 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
S3 SPUVCbv;SPUVCb Driver Service;c:\windows\system32\Drivers\SPUVCbv_x64.sys [2011-02-12 2612728]
S3 SzCCID;USB SmartCard Reader Driver;c:\windows\system32\DRIVERS\SzCCID.sys [2011-01-13 40448]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-06-14 14:20]
.
2012-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-06-14 14:20]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe" [2011-03-17 13880]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-03-04 1128448]
"MfeEpePcMonitor"="c:\program files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe" [2011-03-29 200704]
"CATM"="c:\program files\CA\TotalDefense\EndPointClient\EndpointProtection\catm.exe" [2012-02-15 768560]
"EventMgt"="c:\program files\CA\TotalDefense\EndPointClient\EndpointProtection\ccEvtMgr.exe" [2012-02-15 610352]
"combofix"="c:\combofix\CF26706.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\UmxSbxExA64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.ca/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: service-filtration.com\dc.corp
TCP: DhcpNameServer = 192.168.2.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {0AFD9937-10D5-436F-9F2B-08BF61754446} - hxxps://dc.corp.service-filtration.com/crm70/Plugin/OTLTools.cab
DPF: {102FD995-E687-4C3F-8D81-E98BEA843F33} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE1700.OCX
DPF: {11201A08-45E3-463F-BDA8-038F24D0216C} - file:///C:/Program%20Files%20(x86)/Sage/Sage%20Accpac/AR56A/AccpacAR1500.ocx
DPF: {1DD916E1-3C0A-4B24-8FDC-947384362105} - file:///C:/Program%20Files%20(x86)/Sage/Sage%20Accpac/OE56A/AccpacOE2200.ocx
DPF: {20BC2824-4A3A-43E1-BD47-D745202CCEFF} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/AP56A/ACCPACAP1500.OCX
DPF: {226D14A9-2C2B-4FE7-AD1A-FCFE92154D83} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE1150.OCX
DPF: {3491E43E-9500-422F-8C0A-4E78929C31C3} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE2900.OCX
DPF: {34FA3366-277D-4E3D-96A3-6A4C8CC2CC3A} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/IC56A/ACCPACIC1130.OCX
DPF: {37AB9D4B-CCAE-4ABB-AB2F-B49A6051F125} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/IC56A/ACCPACIC4280.OCX
DPF: {40627C94-8738-4C73-8665-E3240AB40E5F} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/AS56A/ACCPACAS1000.OCX
DPF: {4A4AEF7D-CF4B-46F8-AE70-E6B33F3CDAF9} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/AP56A/ACCPACAP1200.OCX
DPF: {582BF555-F003-4246-BC84-2BE62DBDACD4} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE2400.OCX
DPF: {58F0DB8F-7692-408C-B5A3-60CA8F6EE9BD} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/IC56A/ACCPACIC1120.OCX
DPF: {68D62318-219F-48F4-B2FA-7446DE44617C} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/PO56A/ACCPACPO1210.OCX
DPF: {69386CF4-961C-4808-B35A-AD3B7B3F885F} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/IC56A/ACCPACIC1610.OCX
DPF: {927813AD-A98E-4BBC-8A47-0FE4CA7D4FC7} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/IC56A/ACCPACIC1110.OCX
DPF: {A4B4AAFF-B753-49C5-AEFE-66F625E3D79D} - file:///C:/Program%20Files%20(x86)/Sage/Sage%20Accpac/OE56A/AccpacOE1900.ocx
DPF: {AE99C8EE-A516-4439-9158-7256EC30596C} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/IC56A/ACCPACIC1650.OCX
DPF: {B2829727-B96B-43D9-A9AD-9679EB5998D0} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/AP56A/ACCPACAP5102.OCX
DPF: {B45E39C0-99A5-40EC-BCEE-BB7D0EF9765A} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/AR56A/ACCPACAR1700.OCX
DPF: {B9961A44-766F-4406-9E63-5E83058DAF49} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/IC56A/ACCPACIC1150.OCX
DPF: {BD979773-9FFB-46C6-A309-67993BF774E9} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE2800.OCX
DPF: {C33FD450-9AC3-419B-A103-F326F1A9CCE7} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE1600.OCX
DPF: {CB8C45D4-9BFB-4A4A-83C3-0AE95073DE3E} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE1300.OCX
DPF: {DCD31444-B215-4DF4-9086-3F19E9B551AB} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE2000.OCX
DPF: {E258DB2E-CA12-4C5D-B866-987F24461A39} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE1200.OCX
DPF: {E8FF1787-BE1D-4DE7-A549-3FA1765059C7} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/AR56A/ACCPACAR1300.OCX
DPF: {E95A62BC-81AB-44D8-B9CB-8A7310FC2CD5} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/PO56A/ACCPACPO1310.OCX
DPF: {E965500C-2FDC-4EBC-80C3-3D2BCFAA7033} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE2500.OCX
DPF: {F95F49C2-28BA-4ED5-8E0D-6858D6AD7550} - file:///C:/PROGRAM%20FILES%20(X86)/SAGE/SAGE%20ACCPAC/OE56A/ACCPACOE1100.OCX
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Toolbar-10 - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{E92D47A1-D27D-430A-8368-0BAFD956507D} - c:\program files (x86)\InstallShield Installation Information\{E92D47A1-D27D-430A-8368-0BAFD956507D}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Hewlett-Packard\Embedded Security Software\ifxtcs.exe
c:\program files (x86)\Hewlett-Packard\Embedded Security Software\IfxPsdSv.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe
c:\windows\SysWOW64\RunDll32.exe
c:\program files (x86)\HP HD Webcam [Fixed]\Monitor.exe
c:\program files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\program files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
.
**************************************************************************
.
Completion time: 2012-08-14 13:20:51 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-14 17:20
.
Pre-Run: 396,702,584,832 bytes free
Post-Run: 396,458,442,752 bytes free
.
- - End Of File - - C648C1E1F67BF63EE2170BD5FC755261

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,496 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:23 PM

Posted 14 August 2012 - 01:04 PM

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

The help you receive here is free. If you wish to show your appreciation, then you may donate.
Microsoft MVP - 2010, 2011, 2012, 2013

#14 Charlie929

Charlie929
  • Topic Starter

  • Members
  • 74 posts
  • Local time:01:23 PM

Posted 14 August 2012 - 03:20 PM

C:\Users\charlie.CORP\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3e8cb14c-655b5fe6 multiple threats
C:\Users\charlie.CORP\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\5f3dc41a-5d439ec8 a variant of Java/Exploit.Agent.NBC trojan
C:\Users\charlie.CORP\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\11724130-16b21efe a variant of Java/Exploit.Blacole.AN trojan
C:\Users\charlie.CORP\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\5c11a149-465eb9c4 a variant of Java/Exploit.Agent.NBC trojan

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.14.06

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
charlie :: CHARLIE-HP [administrator]

14/08/2012 2:45:15 PM
mbam-log-2012-08-14 (14-45-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 244531
Time elapsed: 2 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,496 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:23 PM

Posted 14 August 2012 - 06:09 PM

The ESET detections are in the Java cache; we need to update Java and clear the cache, then check for any broken services.


Go to Start > Control Panel > Programs and Features > scroll down to the Java installation and Remove it. Now download the latest Java, version 7 update 5, and install it: http://java.com/en/download/index.jsp

Clear Java cache

Go into the Control Panel and double-click the Java icon (it looks like a coffee cup). If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT


  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run from.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.

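An added example, not a tool from this thread or the helper's own code: a PowerShell script that performs the same kind of checks MiniToolBox and Farbar Service Scanner report on in the post above (IE proxy settings, hosts file content, and the state of the firewall, Security Center, Windows Update, Defender, network and System Restore services). The service names and expected start modes are Windows 7 defaults assumed here; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Checks the service categories Farbar Service
# Scanner reports on plus the IE proxy and hosts-file items MiniToolBox lists.
# Service names and expected start modes are Windows 7 defaults (an assumption).
$expected = @{
    'BFE'       = 'Auto'    # Base Filtering Engine; Windows Firewall depends on it
    'MpsSvc'    = 'Auto'    # Windows Firewall
    'wscsvc'    = 'Auto'    # Security Center
    'wuauserv'  = 'Auto'    # Windows Update
    'WinDefend' = 'Auto'    # Windows Defender
    'Dhcp'      = 'Auto'    # Internet services: DHCP client
    'Dnscache'  = 'Auto'    # DNS client
    'nsi'       = 'Auto'    # Network Store Interface
    'VSS'       = 'Manual'  # System Restore uses Volume Shadow Copy
    'swprv'     = 'Manual'  # Microsoft Software Shadow Copy Provider
}
$problems = @()
foreach ($name in $expected.Keys) {
    # Get-WmiObject also works on the PowerShell 2.0 that ships with Windows 7
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        $problems += "$name is MISSING (service key deleted or hidden)"
        continue
    }
    if ($svc.StartMode -ne $expected[$name]) {
        $problems += "$name start type is $($svc.StartMode), expected $($expected[$name])"
    }
    if ($expected[$name] -eq 'Auto' -and $svc.State -ne 'Running') {
        $problems += "$name is $($svc.State) although it should be running"
    }
    # Print the binary path so a redirected service image is easy to spot by eye
    "{0,-10} {1,-8} {2,-8} {3}" -f $name, $svc.StartMode, $svc.State, $svc.PathName
}
# IE proxy settings: a silently enabled proxy or PAC URL routes browsing elsewhere
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($ie.ProxyEnable -eq 1 -or $ie.AutoConfigURL) {
    $problems += "IE proxy enabled: server='$($ie.ProxyServer)' pac='$($ie.AutoConfigURL)'"
}
# Hosts file: anything beyond comments and the localhost lines deserves a look
$hosts = @(Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and
                   $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b' })
if ($hosts.Count -gt 0) {
    $problems += "hosts file has $($hosts.Count) non-default entries:`n  " + ($hosts -join "`n  ")
}
if ($problems.Count -gt 0) { "`nPROBLEMS FOUND:"; $problems | ForEach-Object { " - $_" } }
else { "`nNo problems found in the checked services, IE proxy settings or hosts file." }
```

A missing BFE or MpsSvc entry, or a hosts file that redirects update and AV vendor names, is the kind of breakage the helper is looking for with FSS; the script only reports, it does not repair anything.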



