Zeroaccess!inf4 infection


  • This topic is locked
19 replies to this topic

#1 mcwhirtj

Posted 12 August 2012 - 12:36 PM

Results of dds.txt....

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_31
Run by jmcwhirt at 13:29:50 on 2012-08-12
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3951.1814 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\vcsFPService.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\Dell\KACE\AMPAgent.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files (x86)\Power Monitors, Inc\ProVision\CommunicatorSvc.exe
C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
C:\Windows\system32\hasplms.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\ptumlcmsvc64.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe
C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bizjournals.com/washington/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
uRun: [Adobe Acrobat Synchronizer] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe"
mRun: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
mRun: [FUFAXRCV] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe"
mRun: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun: [Carbonite Backup] C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
StartupFolder: C:\Users\JMCWHI~1.000\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {0A36238C-2E5E-11D3-85BF-00105AC8B715} - hxxp://dashboard-acc5.dft.com/Support/isDigitalLibrary.cab
DPF: {1791C036-8981-492A-BD28-F2331BC9B7C7} - hxxp://dashboard-acc5.dft.com/Support/iPlotLibrary.cab
DPF: {48817CB3-6E86-4395-A428-F1511C786233} - hxxp://10.10.8.2/powerlogicweb/CabFiles/PSWebInstaller.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://access1.dft.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {57802C16-9A15-11D4-B2A8-0090272E599B} - hxxp://10.10.8.3/WebHMI/cabs/IcoSetServer.cab
DPF: {5B829641-F33D-46EC-B1F1-CB7EE8192FA3} - hxxp://10.10.8.2/powerlogicweb/CabFiles/Communications.cab
DPF: {673204A0-F8B3-4090-8506-80658C5D02C6} - hxxp://10.10.16.254/nwcv3setup.exe
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect119.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {98A5DDE3-563B-11CF-A343-487C03C10000} - hxxp://10.10.8.3/WebHMI/cabs/GWXview32U.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxp://10.10.8.2/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
DPF: {C5412DD5-2E2F-11D3-85BF-00105AC8B715} - hxxps://dashboard-acc6.dft.com/Support/isAnalogLibrary.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} - hxxps://access.dft.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {D25FCAFC-F795-4609-89BB-5F78B4ACAF2C} - hxxp://10.10.8.3/WebHMI/cabs/GenVersion.cab
DPF: {E29C6B91-3542-4F37-82CE-2BFB7B8933D3} - hxxp://dashboard-acc5.dft.com/Support/iProfessionalLibrary.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2B16A7A5-7C21-4531-B1A5-01757BEC6949} : NameServer = 66.174.71.33 66.174.95.44
TCP: Interfaces\{2C205223-77B8-4B18-BB5D-3A0926AB4AFA} : DhcpNameServer = 68.87.73.242 68.87.71.226
TCP: Interfaces\{562EB158-C4E0-41CB-B50A-BE5BBE6143F7} : NameServer = 66.174.95.44 69.78.96.14
TCP: Interfaces\{6431DF15-24E2-4946-9B86-3B3C48CA34A8} : NameServer = 66.174.71.33 66.174.95.44
TCP: Interfaces\{9425AACB-31BE-49EA-BD22-63926B285C82} : DhcpNameServer = 10.10.4.8 10.6.4.8
TCP: Interfaces\{A1B920F9-5C77-4608-95C4-6BBC20AAFA00} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A1B920F9-5C77-4608-95C4-6BBC20AAFA00}\244535 : DhcpNameServer = 10.100.20.225 10.100.20.1
TCP: Interfaces\{A1B920F9-5C77-4608-95C4-6BBC20AAFA00}\446445D27405 : DhcpNameServer = 10.10.4.8 10.6.4.8
TCP: Interfaces\{A1B920F9-5C77-4608-95C4-6BBC20AAFA00}\446445D27455543545 : DhcpNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{A1B920F9-5C77-4608-95C4-6BBC20AAFA00}\B496E676370244F6D696E696F6E6023416D6077627F657E646 : DhcpNameServer = 192.168.84.1
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
mRun-x64: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun-x64: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun-x64: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
mRun-x64: [FUFAXRCV] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe"
mRun-x64: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun-x64: [Carbonite Backup] C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
mRunOnce-x64: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\jmcwhirt.DFD.000\AppData\Roaming\Mozilla\Firefox\Profiles\ybcrpzc8.default\
FF - prefs.js: network.proxy.type - 0
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-7-5 89600]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
R2 aksdf;aksdf;C:\Windows\system32\DRIVERS\aksdf.sys --> C:\Windows\system32\DRIVERS\aksdf.sys [?]
R2 AMPAgent;Dell KACE Agent;C:\Program Files (x86)\Dell\KACE\AMPAgent.exe [2011-9-21 2753640]
R2 Autodesk Content Service;Autodesk Content Service;C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-2-2 18656]
R2 CommunicatorSvc;ProVision Communicator Service;C:\Program Files (x86)\Power Monitors, Inc\ProVision\CommunicatorSvc.exe [2011-10-11 53248]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe [2011-6-9 555392]
R2 hasplms;HASP License Manager;C:\Windows\system32\hasplms.exe -run --> C:\Windows\system32\hasplms.exe -run [?]
R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 ptumlcmsvc;PTUML290 Connection Manager Service;C:\Windows\system32\ptumlcmsvc64.exe --> C:\Windows\system32\ptumlcmsvc64.exe [?]
R2 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2012-6-11 1860000]
R2 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2012-1-23 92592]
R2 vcsFPService;Validity VCS Fingerprint Service;C:\Windows\System32\vcsFPService.exe [2009-12-29 1639728]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-9-22 645048]
R3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2011-8-23 227896]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-9 138912]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 RICOH SmartCard Reader;RICOH SmartCard Reader;C:\Windows\system32\DRIVERS\rismcx64.sys --> C:\Windows\system32\DRIVERS\rismcx64.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 b7y55;b7y55;C:\Users\jmcwhirt.DFD.000\AppData\Roaming\752qh.bat [2012-8-12 98]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 136176]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-3-16 1153368]
S3 androidusb;ADB Interface Driver;C:\Windows\system32\Drivers\androidusb.sys --> C:\Windows\system32\Drivers\androidusb.sys [?]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-8-25 1431888]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 136176]
S3 PTUMLBUS;PTUML USB Composite Device Driver;C:\Windows\system32\DRIVERS\PTUMLBUS.sys --> C:\Windows\system32\DRIVERS\PTUMLBUS.sys [?]
S3 PTUMLCVsp;PANTECH UML290 Connection Manager Port;C:\Windows\system32\DRIVERS\PTUMLCVsp.sys --> C:\Windows\system32\DRIVERS\PTUMLCVsp.sys [?]
S3 PTUMLMBMP;PANTECH UML290 Mobile Broadband;C:\Windows\system32\DRIVERS\PTUMLMBMP.sys --> C:\Windows\system32\DRIVERS\PTUMLMBMP.sys [?]
S3 PTUMLMdm;PANTECH UML290;C:\Windows\system32\DRIVERS\PTUMLMdm.sys --> C:\Windows\system32\DRIVERS\PTUMLMdm.sys [?]
S3 PTUMLNET61;PANTECH UML290 WWAN (NDIS6.1);C:\Windows\system32\DRIVERS\PTUMLNET61.sys --> C:\Windows\system32\DRIVERS\PTUMLNET61.sys [?]
S3 PTUMLNVsp;PANTECH UML290 NMEA Port;C:\Windows\system32\DRIVERS\PTUMLNVsp.sys --> C:\Windows\system32\DRIVERS\PTUMLNVsp.sys [?]
S3 PTUMLRMNET;PANTECH UML290 RMNET Service;C:\Windows\system32\DRIVERS\PTUMLRMNET.sys --> C:\Windows\system32\DRIVERS\PTUMLRMNET.sys [?]
S3 PTUMLVsp;PANTECH UML290 Diagnostic Port;C:\Windows\system32\DRIVERS\PTUMLVsp.sys --> C:\Windows\system32\DRIVERS\PTUMLVsp.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== File Associations ===============
.
.scr=AutoCADLTScriptFile
.
=============== Created Last 30 ================
.
2012-08-12 15:52:30 -------- d-----w- C:\ProgramData\7531CC9232A5F6C09E41AFCAF875EF60
2012-08-12 15:52:22 -------- d-----w- C:\Users\jmcwhirt.DFD.000\AppData\Local\{BAA72C26-E495-11E1-8270-B8AC6F996F26}
2012-08-12 15:52:20 473600 ----a-w- C:\Users\jmcwhirt.DFD.000\AppData\Roaming\wihle.dll
2012-08-12 15:51:34 63488 ---ha-w- C:\Windows\System32\compPlay64.dll
2012-08-12 15:16:49 98 ---h--w- C:\Users\jmcwhirt.DFD.000\AppData\Roaming\752qh.bat
2012-08-12 13:40:33 -------- d-----w- C:\Users\jmcwhirt.DFD.000\AppData\Local\Evernote
2012-08-12 13:40:10 -------- d-----w- C:\Program Files (x86)\Evernote
2012-08-05 23:35:56 -------- d-----w- C:\Windows\.jagex_cache_32
2012-07-31 16:07:42 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-07-31 16:07:41 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-07-31 16:07:41 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-07-31 16:07:41 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-07-31 16:07:41 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-07-31 16:07:41 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-07-31 16:07:41 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-07-31 16:07:41 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-07-31 16:07:41 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-07-31 16:06:13 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-31 16:04:32 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
2012-07-31 16:04:32 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2012-07-31 16:04:32 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-07-31 16:04:32 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-07-31 16:04:32 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-07-31 16:04:32 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-07-31 16:01:44 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-07-31 16:01:01 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-07-31 16:01:01 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-07-31 16:01:01 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-07-27 21:55:23 -------- d-----w- C:\Program Files (x86)\Cisco
2012-07-27 21:45:02 -------- d-----w- C:\$RECYCLE.BIN
2012-07-27 21:29:18 98816 ----a-w- C:\Windows\sed.exe
2012-07-27 21:29:18 518144 ----a-w- C:\Windows\SWREG.exe
2012-07-27 21:29:18 256000 ----a-w- C:\Windows\PEV.exe
2012-07-27 21:29:18 208896 ----a-w- C:\Windows\MBR.exe
2012-07-20 16:43:07 -------- d-----w- C:\Users\jmcwhirt.DFD.000\jagexcache1
.
==================== Find3M ====================
.
2012-08-12 15:16:38 210051234 ----a-w- C:\Users\jmcwhirt.DFD.000\AppData\Roaming\b7y55.exe
2012-08-01 11:17:12 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-01 11:17:12 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-31 16:05:43 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-07-31 16:05:43 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-07-31 16:03:21 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-07-31 16:03:21 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-07-31 16:03:21 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2012-07-31 16:03:21 1188864 ----a-w- C:\Windows\System32\wininet.dll
2012-07-05 10:33:14 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2012-07-03 17:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-06-13 17:35:30 20400 ----a-w- C:\Windows\System32\SnacNp.dll
2012-06-13 17:35:30 18352 ----a-w- C:\Windows\SysWow64\SnacNp.dll
2012-06-11 16:08:56 138144 ----a-w- C:\Windows\SysWow64\SymVPN.dll
2012-06-11 16:08:56 138144 ----a-w- C:\Windows\System32\SymVPN.dll
2012-06-11 16:08:55 87456 ----a-w- C:\Windows\SysWow64\FwsVpn.dll
2012-06-11 16:08:53 482424 ----a-w- C:\Windows\SysWow64\drivers\srtspl64.sys
2012-06-11 16:08:53 482424 ----a-w- C:\Windows\System32\drivers\srtspl64.sys
2012-06-11 16:08:53 453240 ----a-w- C:\Windows\SysWow64\drivers\srtsp64.sys
2012-06-11 16:08:53 453240 ----a-w- C:\Windows\System32\drivers\srtsp64.sys
2012-06-11 16:08:53 32376 ----a-w- C:\Windows\SysWow64\drivers\srtspx64.sys
2012-06-11 16:08:53 32376 ----a-w- C:\Windows\System32\drivers\srtspx64.sys
2012-05-19 20:52:04 8744608 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
.
============= FINISH: 13:30:35.07 ===============
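The DDS log above is long, and the entries that matter are easy to miss among the vendor services and Run keys. As an added example (not part of the original post and not a DDS feature), here is a small Python triage script that parses the four DDS line shapes in this log (services/drivers, Run keys, file listings, policies) and flags the generic red flags a responder looks for first: a service or autostart that points into a user's AppData tree, a service whose image is a script, a hidden file in System32 or a user profile, an executable dropped loose into the AppData\Roaming root, and UAC policy values of 0. The sample input is a constructed excerpt whose lines are all copied from the log above, with a few benign entries (Symantec, the Malwarebytes cleanup RunOnce, the VPN agent) kept for contrast. The heuristics are my assumptions about what is worth a look, not a ZeroAccess signature, and the file names they hit are only what the log shows.

```python
"""Triage a DDS log for autostart entries and policy settings that deserve a look.

Added example for this thread, not part of the DDS tool or of any post in it.
SAMPLE_DDS is a constructed excerpt: every line is copied from the DDS log
posted above (a few benign entries are kept for contrast). The heuristics are
generic red flags, not a ZeroAccess signature; a hit is a lead, not a verdict.
"""
import re

# DDS line shapes handled here: services/drivers, Run keys, file listings, policies.
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+-->.*)?(?:\s+\[[^\]]*\])?$')
RUN_RE = re.compile(r'^[um]Run(?:Once)?(?:-x64)?:\s+\[([^\]]+)\]\s+(.*)$')
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\S+\s+([-a-z]{8})\s+(.+)$')
POLICY_RE = re.compile(r'^[um]Policies-system:\s+(\w+)\s+=\s+(\d+)')
# An executable written directly into the AppData\Roaming root rather than a vendor subfolder.
LOOSE_RE = re.compile(r'\\appdata\\roaming\\[^\\]+\.(?:dll|exe|bat|cmd|scr)$', re.I)

# UAC values that remove the elevation prompt entirely (0 = off / elevate silently).
UAC_OFF = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")

SAMPLE_DDS = r"""
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-9-22 645048]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
S2 b7y55;b7y55;C:\Users\jmcwhirt.DFD.000\AppData\Roaming\752qh.bat [2012-8-12 98]
2012-08-12 15:52:20 473600 ----a-w- C:\Users\jmcwhirt.DFD.000\AppData\Roaming\wihle.dll
2012-08-12 15:51:34 63488 ---ha-w- C:\Windows\System32\compPlay64.dll
2012-08-12 15:16:49 98 ---h--w- C:\Users\jmcwhirt.DFD.000\AppData\Roaming\752qh.bat
2012-08-12 15:16:38 210051234 ----a-w- C:\Users\jmcwhirt.DFD.000\AppData\Roaming\b7y55.exe
"""


def extract_paths(cmd):
    """Return the Windows paths in a Run-key command line (quoted ones take precedence)."""
    quoted = re.findall(r'"([A-Za-z]:\\[^"]+)"', cmd)
    return quoted or re.findall(r'[A-Za-z]:\\[^\s,]+', cmd)


def in_user_profile(path):
    """True for anything under a user's AppData tree, which is writable without admin rights."""
    return "\\appdata\\" in path.lower()


def triage(log_text):
    """Scan DDS output line by line and return (reason, line) pairs for suspicious entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            image = m.group(4)
            if in_user_profile(image):
                findings.append(("service image under user profile", line))
            if image.lower().endswith(SCRIPT_EXT):
                findings.append(("service runs a script file", line))
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group(2)
            for path in extract_paths(cmd):
                if in_user_profile(path):
                    how = "rundll32 loads DLL" if "rundll32" in cmd.lower() else "autostart binary"
                    findings.append((how + " from user profile", line))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            # 'h' in the DDS attribute column means the hidden attribute is set.
            if "h" in attrs and (in_user_profile(path) or "\\system32\\" in path.lower()):
                findings.append(("hidden file in system32 or user profile", line))
            if LOOSE_RE.search(path):
                findings.append(("loose executable in AppData\\Roaming root", line))
            continue
        m = POLICY_RE.match(line)
        if m and UAC_OFF.get(m.group(1)) == m.group(2):
            findings.append(("UAC prompt disabled", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_DDS):
        print(f"[{reason}] {line}")
```

Run against the excerpt, the script reports ten findings and leaves the Symantec, Malwarebytes and Cisco entries alone: the b7y55 service (a service whose image is a 98-byte hidden .bat in the user's Roaming folder), the loose wihle.dll, 752qh.bat and b7y55.exe in the same folder, the hidden compPlay64.dll in System32, and the three UAC policies set to 0. Paths under ProgramData are deliberately not flagged, since many legitimate products stage files there; the Malwarebytes cleanup RunOnce is the example of why. EnableLUA = 0 switches UAC off altogether, and with ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0 nothing on this machine would have prompted before an administrator-account process elevated, so the user should expect these values to need resetting once the cleanup is done.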

#2 mcwhirtj
  • Topic Starter

Posted 12 August 2012 - 04:48 PM

Actually it looks like I was able to remove the inf4, now just have the Trojan.Zeroaccess.B remaining as well as Trojan.Gen2.
Jeff

Edited by mcwhirtj, 12 August 2012 - 04:53 PM.


#3 CatByte
  • Malware Response Team

Posted 12 August 2012 - 04:49 PM

Please do the following:

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • now press the search button
  • when the search is complete, search.txt will also be written to your USB
  • type exit and reboot the computer normally
  • please copy and paste both logs in your reply. (FRST.txt and Search.txt)
The help you receive here is free. If you wish to show your appreciation, then you may donate.
Microsoft MVP - 2010, 2011, 2012, 2013

#4 mcwhirtj
  • Topic Starter

Posted 12 August 2012 - 05:11 PM

Hi-

When I get to the options:
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

the ONLY one avail is Startup Repair....none of the others are available.

#5 CatByte
  • Malware Response Team

Posted 12 August 2012 - 05:14 PM

ok,

it doesn't appear as though the Recovery Environment is pre-installed on your computer,

do you have access to your installation disk to access it that way?

If not, you can make a recovery disk so that the Recovery Environment can be accessed


Follow the directions here:

http://www.howtogeek.com/howto/5409/create-a-system-repair-disc-in-windows-7/

#6 mcwhirtj
  • Topic Starter

Posted 12 August 2012 - 05:54 PM

OK- got the recovery disk option to work, but when I boot from DVD, appears the USB driver might be loaded because cannot find the USB drive......

Gonna put the frst file on another CD and try it that way....

Edited by mcwhirtj, 12 August 2012 - 06:19 PM.


#7 mcwhirtj
  • Topic Starter

Posted 12 August 2012 - 06:43 PM

OK got em....here they are!

Scan result of Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 12-08-2012 19:29:11
Running from F:\
Windows 7 Professional (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2174760 2010-06-03] (Synaptics Incorporated)
HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet [1875048 2010-11-04] ()
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe" [1873256 2011-08-10] (Microsoft Corporation)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [489472 2010-09-07] (IDT, Inc.)
HKLM\...\Run: [lilap] rundll32.exe "C:\Users\jmcwhirt.DFD.000\AppData\Roaming\lilap.dll",PSTCreateTypeSubType_NoUI [x]
HKLM\...\Run: [wihle] "C:\Windows\System32\rundll32.exe" "C:\Users\jmcwhirt.DFD.000\AppData\Roaming\wihle.dll",write_rows [473600 2012-08-12] (C-Media Electronics Inc.)
HKLM-x32\...\Run: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [287800 2010-02-25] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe" [115624 2012-06-11] (Symantec Corporation)
HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [979328 2010-10-12] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXRCV] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe" [495616 2011-03-08] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [856064 2011-03-08] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36760 2012-04-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [815512 2012-04-03] (Adobe Systems Inc.)
HKLM-x32\...\Run: [Carbonite Backup] C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe [1059984 2012-03-16] (Carbonite, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-01] (Research In Motion Limited)
HKU\adminbrm\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\adminram\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\jmcwhirt\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1242448 2011-09-18] (Valve Corporation)
HKU\jmcwhirt.DFD.000\...\Run: [Adobe Acrobat Synchronizer] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [1261472 2012-04-03] (Adobe Systems Incorporated)
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{2B16A7A5-7C21-4531-B1A5-01757BEC6949}: [NameServer]66.174.71.33 66.174.95.44
Tcpip\..\Interfaces\{562EB158-C4E0-41CB-B50A-BE5BBE6143F7}: [NameServer]66.174.95.44 69.78.96.14
Tcpip\..\Interfaces\{6431DF15-24E2-4946-9B86-3B3C48CA34A8}: [NameServer]66.174.71.33 66.174.95.44
Startup: C:\Users\adminbrm\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Users\adminbrm\AppData\Roaming\wruninstall.exe (Webroot Software, Inc.)
Startup: C:\Users\admindft\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Users\admindft\AppData\Roaming\wruninstall.exe (Webroot Software, Inc.)
Startup: C:\Users\adminmeg\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Users\adminmeg\AppData\Roaming\wruninstall.exe (Webroot Software, Inc.)
Startup: C:\Users\adminmeg.DFD\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Users\adminmeg.DFD\AppData\Roaming\wruninstall.exe (Webroot Software, Inc.)
Startup: C:\Users\adminram\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Users\adminram\AppData\Roaming\wruninstall.exe (Webroot Software, Inc.)
Startup: C:\Users\image\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Users\image\AppData\Roaming\wruninstall.exe (Webroot Software, Inc.)
Startup: C:\Users\jmcwhirt\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Users\jmcwhirt\AppData\Roaming\wruninstall.exe (Webroot Software, Inc.)
Startup: C:\Users\jmcwhirt.DFD.000\Start Menu\Programs\Startup\EvernoteClipper.lnk
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
Startup: C:\Users\ryan\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Users\ryan\AppData\Roaming\wruninstall.exe (Webroot Software, Inc.)
Startup: C:\Users\soconnor\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Users\soconnor\AppData\Roaming\wruninstall.exe (Webroot Software, Inc.)

==================== Services (Whitelisted) ======

2 AMPAgent; "C:\Program Files (x86)\Dell\KACE\AMPAgent.exe" [2753640 2011-09-21] (Dell Inc.)
2 Autodesk Content Service; "C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe" [18656 2011-02-02] ()
2 CarboniteService; "C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe" [6684304 2012-03-16] (Carbonite, Inc. (www.carbonite.com))
2 ccEvtMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108456 2012-06-11] (Symantec Corporation)
2 ccSetMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108456 2012-06-11] (Symantec Corporation)
2 CommunicatorSvc; "C:\Program Files (x86)\Power Monitors, Inc\ProVision\CommunicatorSvc.exe" [53248 2011-10-11] (Power Monitors, Inc)
2 hasplms; C:\Windows\system32\hasplms.exe -run [4913608 2011-12-02] (SafeNet Inc.)
3 IDriverT; "C:\Program Files (x86)\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe" [73728 2004-10-22] (Macrovision Corporation)
3 LiveUpdate; "C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE" [3093944 2012-03-07] (Symantec Corporation)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 SmcService; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe" [3326624 2012-06-11] (Symantec Corporation)
4 SNAC; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE" [428976 2012-06-11] (Symantec Corporation)
3 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74656 2007-05-03] (MicroVision Development, Inc.)
2 Symantec AntiVirus; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe" [1860000 2012-06-11] (Symantec Corporation)
2 TomTomHOMEService; C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [92592 2012-01-22] (TomTom)

========================== Drivers (Whitelisted) =============

2 aksdf; C:\Windows\System32\Drivers\aksdf.sys [78208 2011-11-24] (SafeNet Inc.)
2 aksfridge; C:\Windows\System32\Drivers\aksfridge.sys [139592 2011-11-24] (SafeNet Inc.)
3 akshasp; C:\Windows\System32\Drivers\akshasp.sys [53760 2011-02-09] (Aladdin Knowledge Systems Ltd.)
3 akshhl; C:\Windows\System32\Drivers\akshhl.sys [57088 2011-09-08] (SafeNet Inc.)
3 aksusb; C:\Windows\System32\Drivers\aksusb.sys [21120 2011-08-09] (SafeNet Inc.)
3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [32768 2010-04-29] (Google Inc)
2 b7y55; C:\Users\jmcwhirt.DFD.000\AppData\Roaming\752qh.bat [98 2012-08-12] ()
3 e1kexpress; C:\Windows\System32\DRIVERS\e1k62x64.sys [340656 2011-05-04] (Intel Corporation)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-09] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-09] (Symantec Corporation)
2 Hardlock; C:\Windows\System32\Drivers\Hardlock.sys [321536 2011-10-07] (SafeNet Inc.)
3 NAVENG; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20120810.001\ENG64.SYS [120440 2012-08-09] (Symantec Corporation)
3 NAVEX15; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20120810.001\EX64.SYS [2068600 2012-08-09] (Symantec Corporation)
3 PTUMLMBMP; C:\Windows\System32\Drivers\PTUMLMBMP.sys [235776 2011-10-16] (DEVGURU Co., LTD.)
3 RICOH SmartCard Reader; C:\Windows\System32\DRIVERS\rismcx64.sys [79488 2006-10-02] (RICOH Company, Ltd.)
1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [453240 2012-06-11] (Symantec Corporation)
3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [482424 2012-06-11] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [32376 2012-06-11] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2012-07-05] (Symantec Corporation)
3 U2SP; C:\Windows\System32\DRIVERS\u2s2kxp64.sys [91008 2010-05-27] (Magic Control Technology Corp.)
3 catchme; \??\C:\ComboFix\catchme.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-12 15:19 - 2012-08-12 15:19 - 00000000 ____A C:\KBSERVICE.SHUTDOWN
2012-08-12 13:19 - 2012-08-12 13:42 - 00000000 ____D C:\Users\jmcwhirt.DFD.000\AppData\Local\NPE
2012-08-12 13:19 - 2012-08-12 13:19 - 00000000 ____D C:\Users\All Users\Norton
2012-08-12 13:16 - 2012-08-12 13:16 - 02841104 ____A (Symantec Corporation) C:\Users\jmcwhirt.DFD.000\Downloads\NPE.exe
2012-08-12 11:50 - 2012-08-12 11:50 - 00090176 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\lj1y6nb.dat
2012-08-12 11:50 - 2012-08-12 11:50 - 00086080 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\aftr4sb.dat
2012-08-12 11:46 - 2012-08-12 11:46 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
2012-08-12 09:32 - 2012-08-12 09:32 - 00022457 ____A C:\Users\jmcwhirt.DFD.000\Downloads\Attach.txt
2012-08-12 09:31 - 2012-08-12 09:31 - 00025415 ____A C:\Users\jmcwhirt.DFD.000\Downloads\DDS.txt
2012-08-12 09:28 - 2012-08-12 09:28 - 00607260 ____R (Swearware) C:\Users\jmcwhirt.DFD.000\Downloads\dds.com
2012-08-12 09:26 - 2012-08-12 09:26 - 00000478 ____A C:\Users\jmcwhirt.DFD.000\Desktop\defogger_disable.log
2012-08-12 09:26 - 2012-08-12 09:26 - 00000000 ____A C:\Users\jmcwhirt.DFD.000\defogger_reenable
2012-08-12 07:52 - 2012-08-12 07:54 - 00000000 ____D C:\Users\All Users\7531CC9232A5F6C09E41AFCAF875EF60
2012-08-12 07:52 - 2012-08-12 07:52 - 00473600 ____A (C-Media Electronics Inc.) C:\Users\jmcwhirt.DFD.000\AppData\Roaming\wihle.dll
2012-08-12 07:52 - 2012-08-12 07:52 - 00000000 ____D C:\Users\jmcwhirt.DFD.000\AppData\Local\{BAA72C26-E495-11E1-8270-B8AC6F996F26}
2012-08-12 07:16 - 2012-08-12 07:16 - 00086080 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\aftr3sb.dat
2012-08-12 07:16 - 2012-08-12 07:16 - 00060992 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\serjs58n.dat
2012-08-12 07:16 - 2012-08-12 07:16 - 00000098 ____H C:\Users\jmcwhirt.DFD.000\AppData\Roaming\752qh.bat
2012-08-12 05:40 - 2012-08-12 05:40 - 00000932 ____A C:\Users\jmcwhirt.DFD.000\Desktop\Evernote.lnk
2012-08-12 05:40 - 2012-08-12 05:40 - 00000000 ____D C:\Users\jmcwhirt.DFD.000\AppData\Local\Evernote
2012-08-12 05:40 - 2012-08-12 05:40 - 00000000 ____D C:\Program Files (x86)\Evernote
2012-08-05 15:35 - 2012-08-05 15:35 - 00000000 ____D C:\Windows\.jagex_cache_32
2012-07-31 08:07 - 2012-07-31 08:07 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-31 08:07 - 2012-07-31 08:07 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-31 08:07 - 2012-07-31 08:07 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-31 08:07 - 2012-07-31 08:07 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-31 08:07 - 2012-07-31 08:07 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-07-31 08:07 - 2012-07-31 08:07 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-31 08:07 - 2012-07-31 08:07 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-07-31 08:07 - 2012-07-31 08:07 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-31 08:07 - 2012-07-31 08:07 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-31 08:06 - 2012-07-31 08:06 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-31 08:06 - 2012-07-31 08:06 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-31 08:06 - 2012-07-31 08:06 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-31 08:05 - 2012-07-31 08:05 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-31 08:05 - 2012-07-31 08:05 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-07-31 08:04 - 2012-07-31 08:04 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-31 08:04 - 2012-07-31 08:04 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-31 08:04 - 2012-07-31 08:04 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-31 08:04 - 2012-07-31 08:04 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-31 08:04 - 2012-07-31 08:04 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2012-07-31 08:04 - 2012-07-31 08:04 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 12297216 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 09059840 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 06027776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 02454528 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 02073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-07-31 08:03 - 2012-07-31 08:03 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-31 08:03 - 2012-07-31 08:03 - 01494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 01231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-07-31 08:01 - 2012-07-31 08:01 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-07-31 08:01 - 2012-07-31 08:01 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-07-31 08:01 - 2012-07-31 08:01 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-07-31 08:01 - 2012-07-31 08:01 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-07-27 13:55 - 2012-07-27 13:55 - 00000000 ____D C:\Program Files (x86)\Cisco
2012-07-27 13:50 - 2012-07-27 13:50 - 00029861 ____A C:\ComboFix.txt
2012-07-27 13:29 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-07-27 13:29 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-07-27 13:29 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-07-27 13:29 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-07-27 13:29 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-07-27 13:29 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-07-27 13:29 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-07-27 13:29 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-07-27 13:26 - 2012-07-27 13:50 - 00000000 ____D C:\Qoobox
2012-07-27 13:26 - 2012-07-27 13:48 - 00000000 ____D C:\Windows\erdnt
2012-07-27 13:24 - 2012-07-27 13:25 - 04719842 ____R (Swearware) C:\Users\jmcwhirt.DFD.000\Documents\ComboFix.exe
2012-07-23 18:42 - 2012-07-23 17:41 - 01012656 ____A C:\Users\jmcwhirt.DFD.000\Desktop\rkill.exe
2012-07-20 08:43 - 2012-07-20 08:43 - 00000056 ____A C:\Users\jmcwhirt.DFD.000\jagex_cl_runescape_LIVE1.dat
2012-07-20 08:43 - 2012-07-20 08:43 - 00000000 ____D C:\Users\jmcwhirt.DFD.000\jagexcache1
2012-07-18 10:33 - 2012-07-18 10:33 - 00000973 ____A C:\Users\Public\Desktop\PuTTY.lnk
2012-07-18 10:33 - 2012-07-18 10:33 - 00000000 ____D C:\Program Files (x86)\PuTTY
2012-07-16 16:48 - 2012-07-17 08:47 - 00022016 ____A C:\Users\jmcwhirt.DFD.000\Desktop\ACC6 Tank Pressures (2).xls
2012-07-16 16:38 - 2012-07-16 16:38 - 00027648 ____A C:\Users\jmcwhirt.DFD.000\Desktop\ACC6 Tank Pressures.xls
2012-07-13 22:43 - 2012-07-13 22:43 - 00061440 ____A (Gary's Hood) C:\Users\jmcwhirt.DFD.000\Desktop\rsclient.exe


============ 3 Months Modified Files ========================

2012-08-12 15:19 - 2012-08-12 15:19 - 00000000 ____A C:\KBSERVICE.SHUTDOWN
2012-08-12 15:18 - 2009-07-13 21:13 - 00783096 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-12 15:13 - 2011-11-25 06:25 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-12 15:11 - 2011-08-31 07:14 - 00735398 ____A C:\Windows\System32\ptumlacsvc-0.log
2012-08-12 15:10 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-12 15:09 - 2012-04-22 16:18 - 00025667 ____A C:\Windows\setupact.log
2012-08-12 14:56 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-12 14:56 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-12 14:02 - 2012-04-22 16:17 - 00037372 ____A C:\Windows\PFRO.log
2012-08-12 13:47 - 2011-11-25 06:25 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-12 13:16 - 2012-08-12 13:16 - 02841104 ____A (Symantec Corporation) C:\Users\jmcwhirt.DFD.000\Downloads\NPE.exe
2012-08-12 11:50 - 2012-08-12 11:50 - 00090176 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\lj1y6nb.dat
2012-08-12 11:50 - 2012-08-12 11:50 - 00086080 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\aftr4sb.dat
2012-08-12 11:46 - 2012-08-12 11:46 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
2012-08-12 09:32 - 2012-08-12 09:32 - 00022457 ____A C:\Users\jmcwhirt.DFD.000\Downloads\Attach.txt
2012-08-12 09:31 - 2012-08-12 09:31 - 00025415 ____A C:\Users\jmcwhirt.DFD.000\Downloads\DDS.txt
2012-08-12 09:28 - 2012-08-12 09:28 - 00607260 ____R (Swearware) C:\Users\jmcwhirt.DFD.000\Downloads\dds.com
2012-08-12 09:26 - 2012-08-12 09:26 - 00000478 ____A C:\Users\jmcwhirt.DFD.000\Desktop\defogger_disable.log
2012-08-12 09:26 - 2012-08-12 09:26 - 00000000 ____A C:\Users\jmcwhirt.DFD.000\defogger_reenable
2012-08-12 08:19 - 2012-04-18 17:11 - 00000433 ____A C:\rkill.log
2012-08-12 07:52 - 2012-08-12 07:52 - 00473600 ____A (C-Media Electronics Inc.) C:\Users\jmcwhirt.DFD.000\AppData\Roaming\wihle.dll
2012-08-12 07:51 - 2011-01-22 17:38 - 01058364 ____A C:\Windows\WindowsUpdate.log
2012-08-12 07:16 - 2012-08-12 07:16 - 00086080 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\aftr3sb.dat
2012-08-12 07:16 - 2012-08-12 07:16 - 00060992 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\serjs58n.dat
2012-08-12 07:16 - 2012-08-12 07:16 - 00000098 ____H C:\Users\jmcwhirt.DFD.000\AppData\Roaming\752qh.bat
2012-08-12 05:40 - 2012-08-12 05:40 - 00000932 ____A C:\Users\jmcwhirt.DFD.000\Desktop\Evernote.lnk
2012-08-10 11:15 - 2011-08-23 07:47 - 00000200 ____A C:\Windows\System32\config\netlogon.ftl
2012-08-01 16:30 - 2012-01-20 16:06 - 00000024 ____A C:\Users\jmcwhirt.DFD.000\random.dat
2012-08-01 16:26 - 2012-01-20 16:06 - 00000055 ____A C:\Users\jmcwhirt.DFD.000\jagex_cl_runescape_LIVE.dat
2012-08-01 03:17 - 2012-03-29 12:51 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-01 03:17 - 2011-09-27 02:41 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-01 03:00 - 2009-07-13 20:45 - 00541472 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-31 08:07 - 2012-07-31 08:07 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-31 08:07 - 2012-07-31 08:07 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-31 08:07 - 2012-07-31 08:07 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-31 08:07 - 2012-07-31 08:07 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-31 08:07 - 2012-07-31 08:07 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-07-31 08:07 - 2012-07-31 08:07 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-31 08:07 - 2012-07-31 08:07 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-07-31 08:07 - 2012-07-31 08:07 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-31 08:07 - 2012-07-31 08:07 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-31 08:06 - 2012-07-31 08:06 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-31 08:06 - 2012-07-31 08:06 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-31 08:06 - 2012-07-31 08:06 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-31 08:05 - 2012-07-31 08:05 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-31 08:05 - 2012-07-31 08:05 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-07-31 08:04 - 2012-07-31 08:04 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-31 08:04 - 2012-07-31 08:04 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-31 08:04 - 2012-07-31 08:04 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-31 08:04 - 2012-07-31 08:04 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-31 08:04 - 2012-07-31 08:04 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2012-07-31 08:04 - 2012-07-31 08:04 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 12297216 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 09059840 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 06027776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 02454528 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 02073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-07-31 08:03 - 2012-07-31 08:03 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-31 08:03 - 2012-07-31 08:03 - 01494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 01231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-31 08:03 - 2012-07-31 08:03 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-07-31 08:01 - 2012-07-31 08:01 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-07-31 08:01 - 2012-07-31 08:01 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-07-31 08:01 - 2012-07-31 08:01 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-07-31 08:01 - 2012-07-31 08:01 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-07-30 10:09 - 2012-01-19 06:28 - 00001022 ____A C:\Users\jmcwhirt.DFD.000\Desktop\Dropbox.lnk
2012-07-27 13:50 - 2012-07-27 13:50 - 00029861 ____A C:\ComboFix.txt
2012-07-27 13:45 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-07-27 13:25 - 2012-07-27 13:24 - 04719842 ____R (Swearware) C:\Users\jmcwhirt.DFD.000\Documents\ComboFix.exe
2012-07-26 02:46 - 2012-01-19 05:59 - 00004146 _RASH C:\Users\jmcwhirt.DFD.000\ntuser.pol
2012-07-26 02:44 - 2009-07-13 21:08 - 00032584 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-23 17:41 - 2012-07-23 18:42 - 01012656 ____A C:\Users\jmcwhirt.DFD.000\Desktop\rkill.exe
2012-07-20 08:43 - 2012-07-20 08:43 - 00000056 ____A C:\Users\jmcwhirt.DFD.000\jagex_cl_runescape_LIVE1.dat
2012-07-19 14:57 - 2012-01-19 06:32 - 00002004 ___AH C:\Users\jmcwhirt.DFD.000\Documents\Default.rdp
2012-07-18 10:33 - 2012-07-18 10:33 - 00000973 ____A C:\Users\Public\Desktop\PuTTY.lnk
2012-07-17 08:47 - 2012-07-16 16:48 - 00022016 ____A C:\Users\jmcwhirt.DFD.000\Desktop\ACC6 Tank Pressures (2).xls
2012-07-17 08:15 - 2011-12-14 03:21 - 00003945 ____A C:\Windows\SysWOW64\install.log
2012-07-16 16:38 - 2012-07-16 16:38 - 00027648 ____A C:\Users\jmcwhirt.DFD.000\Desktop\ACC6 Tank Pressures.xls
2012-07-13 22:43 - 2012-07-13 22:43 - 00061440 ____A (Gary's Hood) C:\Users\jmcwhirt.DFD.000\Desktop\rsclient.exe
2012-07-10 13:42 - 2012-07-10 13:41 - 00021881 ____A C:\Windows\System32\PTUMLsetup_20120710.log
2012-07-05 02:33 - 2011-08-25 02:26 - 00174200 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2012-07-05 02:33 - 2011-08-25 02:26 - 00007488 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2012-07-03 09:46 - 2011-10-15 16:08 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-02 10:09 - 2012-07-02 09:38 - 00000231 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\Rim.Transcoder.Exception.log
2012-07-02 10:09 - 2012-07-02 09:37 - 00000231 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\Rim.DesktopHelper.Exception.log
2012-07-02 10:09 - 2012-07-02 09:29 - 00001244 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\Rim.Desktop.Exception.log
2012-07-02 09:51 - 2012-07-02 09:32 - 00008192 ____A C:\Users\jmcwhirt.DFD.000\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-02 09:44 - 2012-07-02 09:38 - 00024261 ____A C:\ads_err.adt
2012-07-02 09:38 - 2012-07-02 09:38 - 00006499 ____A C:\ads_err.dbf
2012-07-02 09:38 - 2012-07-02 09:38 - 00004559 ____A C:\ads_err.adm
2012-07-02 09:38 - 2012-07-02 09:38 - 00003072 ____A C:\ads_err.adi
2012-07-02 09:36 - 2012-07-02 09:36 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_RimUsb_AMD64_01007.Wdf
2012-07-02 09:36 - 2012-07-02 09:36 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_RimSerial_AMD64_01007.Wdf
2012-07-02 09:36 - 2012-07-02 09:35 - 00001104 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
2012-07-02 09:35 - 2012-07-02 09:35 - 00002241 ____A C:\Users\Public\Desktop\BlackBerry Desktop Software.lnk
2012-07-02 02:27 - 2012-07-02 02:27 - 00000000 ____A C:\t17k.2
2012-06-28 04:54 - 2011-08-25 02:24 - 00000271 ____A C:\Windows\System32\RPCS.ini
2012-06-28 04:54 - 2011-08-25 02:24 - 00000069 ____A C:\Windows\System32\ricdb.ini
2012-06-25 09:05 - 2012-06-25 09:05 - 12382100 ____A (Basler Electric ) C:\Users\jmcwhirt.DFD.000\Downloads\BESTCOMS_1051_20602.exe
2012-06-25 09:04 - 2012-06-25 09:04 - 11763427 ____A (Basler Electric ) C:\Users\jmcwhirt.DFD.000\Downloads\BESTCOMS_851_20600.exe
2012-06-25 09:04 - 2012-06-25 09:04 - 11761142 ____A (Basler Electric ) C:\Users\jmcwhirt.DFD.000\Downloads\BESTCOMS_851G_20700.exe
2012-06-24 07:34 - 2012-06-24 07:33 - 25326592 ____A C:\Users\jmcwhirt.DFD.000\Downloads\GettingThingsDone.exe
2012-06-24 07:34 - 2012-01-10 09:20 - 00001591 ____A C:\Windows\GettingThingsDone.mif
2012-06-13 09:35 - 2012-06-13 09:35 - 00020400 ____A (Symantec Corporation) C:\Windows\System32\SnacNp.dll
2012-06-13 09:35 - 2012-06-13 09:35 - 00018352 ____A (Symantec Corporation) C:\Windows\SysWOW64\SnacNp.dll
2012-06-12 15:36 - 2012-06-12 15:36 - 00001793 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-06-11 08:08 - 2012-06-11 08:08 - 00482424 ____A (Symantec Corporation) C:\Windows\SysWOW64\Drivers\srtspl64.sys
2012-06-11 08:08 - 2012-06-11 08:08 - 00482424 ____A (Symantec Corporation) C:\Windows\System32\Drivers\srtspl64.sys
2012-06-11 08:08 - 2012-06-11 08:08 - 00453240 ____A (Symantec Corporation) C:\Windows\SysWOW64\Drivers\srtsp64.sys
2012-06-11 08:08 - 2012-06-11 08:08 - 00453240 ____A (Symantec Corporation) C:\Windows\System32\Drivers\srtsp64.sys
2012-06-11 08:08 - 2012-06-11 08:08 - 00138144 ____A (Symantec Corporation) C:\Windows\SysWOW64\SymVPN.dll
2012-06-11 08:08 - 2012-06-11 08:08 - 00138144 ____A (Symantec Corporation) C:\Windows\System32\SymVPN.dll
2012-06-11 08:08 - 2012-06-11 08:08 - 00087456 ____A (Symantec Corporation) C:\Windows\SysWOW64\FwsVpn.dll
2012-06-11 08:08 - 2012-06-11 08:08 - 00032376 ____A (Symantec Corporation) C:\Windows\SysWOW64\Drivers\srtspx64.sys
2012-06-11 08:08 - 2012-06-11 08:08 - 00032376 ____A (Symantec Corporation) C:\Windows\System32\Drivers\srtspx64.sys
2012-06-11 08:08 - 2012-06-11 08:08 - 00007504 ____A C:\Windows\SysWOW64\Drivers\srtspx64.cat
2012-06-11 08:08 - 2012-06-11 08:08 - 00007504 ____A C:\Windows\SysWOW64\Drivers\srtspl64.cat
2012-06-11 08:08 - 2012-06-11 08:08 - 00007504 ____A C:\Windows\System32\Drivers\srtspx64.cat
2012-06-11 08:08 - 2012-06-11 08:08 - 00007504 ____A C:\Windows\System32\Drivers\srtspl64.cat
2012-06-11 08:08 - 2012-06-11 08:08 - 00007500 ____A C:\Windows\SysWOW64\Drivers\srtsp64.cat
2012-06-11 08:08 - 2012-06-11 08:08 - 00007500 ____A C:\Windows\System32\Drivers\srtsp64.cat
2012-05-30 11:39 - 2012-05-30 11:39 - 00004177 ____A C:\Users\jmcwhirt.DFD.000\Desktop\RE Term resisitors.txt
2012-05-27 11:09 - 2012-05-27 11:09 - 00002188 ____A C:\Users\Public\Desktop\Adobe Digital Editions.lnk
2012-05-27 10:50 - 2012-05-27 10:50 - 00002519 ____A C:\Users\Public\Desktop\OverDrive Media Console.lnk
2012-05-27 10:48 - 2012-05-27 10:48 - 00004135 ____A C:\Users\jmcwhirt.DFD.000\Desktop\ThrowOutFiftyThings.odm
2012-05-25 02:54 - 2011-01-22 11:45 - 57848688 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-05-22 07:38 - 2011-08-23 07:58 - 00018396 _RASH C:\Users\All Users\ntuser.pol
2012-05-21 10:58 - 2012-05-21 07:29 - 00410086 ____A C:\Users\jmcwhirt.DFD.000\Desktop\ACC-6 Electrical Asset List 5-21-12.xlsm
2012-05-21 07:28 - 2012-05-15 16:18 - 00409936 ____A C:\Users\jmcwhirt.DFD.000\Desktop\ACC-6 Electrical Asset List 5-16-12.xlsm
2012-05-19 12:52 - 2012-05-19 12:52 - 08744608 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-05-17 11:08 - 2012-05-17 11:08 - 00010077 ____A C:\Users\jmcwhirt.DFD.000\Desktop\Account Codes ACC6.xlsx
2012-05-16 16:39 - 2012-05-16 16:39 - 00000000 ____A C:\t17k.1
2012-05-16 02:32 - 2012-05-16 02:32 - 00000000 ____A C:\t16c.1
2012-05-15 16:18 - 2012-05-15 16:16 - 00145505 ____A C:\Users\jmcwhirt.DFD.000\Desktop\Copy of ACC-6 Electrical Asset List 5-15-12.xlsm
2012-05-15 02:34 - 2012-05-15 02:34 - 00002142 ____A C:\Users\Public\Desktop\Carbonite InfoCenter.lnk

ZeroAccess:
C:\Windows\Installer\{1832f1e1-9eb3-63f8-2d22-35e45858eaed}
C:\Windows\Installer\{1832f1e1-9eb3-63f8-2d22-35e45858eaed}\@
C:\Windows\Installer\{1832f1e1-9eb3-63f8-2d22-35e45858eaed}\L
C:\Windows\Installer\{1832f1e1-9eb3-63f8-2d22-35e45858eaed}\U
C:\Windows\Installer\{1832f1e1-9eb3-63f8-2d22-35e45858eaed}\U\00000001.@

ZeroAccess:
C:\Users\jmcwhirt.DFD.000\AppData\Local\{1832f1e1-9eb3-63f8-2d22-35e45858eaed}
C:\Users\jmcwhirt.DFD.000\AppData\Local\{1832f1e1-9eb3-63f8-2d22-35e45858eaed}\@
C:\Users\jmcwhirt.DFD.000\AppData\Local\{1832f1e1-9eb3-63f8-2d22-35e45858eaed}\L
C:\Users\jmcwhirt.DFD.000\AppData\Local\{1832f1e1-9eb3-63f8-2d22-35e45858eaed}\U

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 19%
Total physical RAM: 3951.38 MB
Available physical RAM: 3199.95 MB
Total Pagefile: 3949.53 MB
Available Pagefile: 3207.26 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (Local Disk) (Fixed) (Total:297.99 GB) (Free:196.67 GB) NTFS
3 Drive f: () (Removable) (Total:0.96 GB) (Free:0.96 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 980 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 297 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Local Disk NTFS Partition 297 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 980 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT Removable 980 MB Healthy

==================================================================================

Last Boot: 2012-08-07 13:26

======================= End Of Log ==========================


Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 2012-08-12 19:32:34
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

C:\Windows\erdnt\cache64\services.exe
[2012-07-27 13:48] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,360 posts

Posted 12 August 2012 - 07:06 PM

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt

start
HKLM\...\Run: [lilap] rundll32.exe "C:\Users\jmcwhirt.DFD.000\AppData\Roaming\lilap.dll",PSTCreateTypeSubType_NoUI [x]
HKLM\...\Run: [wihle] "C:\Windows\System32\rundll32.exe" "C:\Users\jmcwhirt.DFD.000\AppData\Roaming\wihle.dll",write_rows [473600 2012-08-12] (C-Media Electronics Inc.)
C:\Users\jmcwhirt.DFD.000\AppData\Roaming\lilap.dll
C:\Users\jmcwhirt.DFD.000\AppData\Roaming\wihle.dll
2 b7y55; C:\Users\jmcwhirt.DFD.000\AppData\Roaming\752qh.bat [98 2012-08-12] ()
C:\Users\jmcwhirt.DFD.000\AppData\Roaming\752qh.bat 
2012-08-12 11:50 - 2012-08-12 11:50 - 00090176 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\lj1y6nb.dat
2012-08-12 11:50 - 2012-08-12 11:50 - 00086080 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\aftr4sb.dat
2012-08-12 07:52 - 2012-08-12 07:54 - 00000000 ____D C:\Users\All Users\7531CC9232A5F6C09E41AFCAF875EF60
2012-08-12 07:52 - 2012-08-12 07:52 - 00473600 ____A (C-Media Electronics Inc.) C:\Users\jmcwhirt.DFD.000\AppData\Roaming\wihle.dll
2012-08-12 07:52 - 2012-08-12 07:52 - 00000000 ____D C:\Users\jmcwhirt.DFD.000\AppData\Local\{BAA72C26-E495-11E1-8270-B8AC6F996F26}
2012-08-12 07:16 - 2012-08-12 07:16 - 00086080 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\aftr3sb.dat
2012-08-12 07:16 - 2012-08-12 07:16 - 00060992 ____A C:\Users\jmcwhirt.DFD.000\AppData\Roaming\serjs58n.dat
2012-08-12 07:16 - 2012-08-12 07:16 - 00000098 ____H C:\Users\jmcwhirt.DFD.000\AppData\Roaming\752qh.bat
2012-07-02 02:27 - 2012-07-02 02:27 - 00000000 ____A C:\t17k.2
2012-05-16 16:39 - 2012-05-16 16:39 - 00000000 ____A C:\t17k.1
2012-05-16 02:32 - 2012-05-16 02:32 - 00000000 ____A C:\t16c.1
C:\Windows\Installer\{1832f1e1-9eb3-63f8-2d22-35e45858eaed}
C:\Users\jmcwhirt.DFD.000\AppData\Local\{1832f1e1-9eb3-63f8-2d22-35e45858eaed}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

#9 mcwhirtj

  • Topic Starter
  • Members
  • 38 posts

Posted 12 August 2012 - 07:51 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-08-2012
Ran by SYSTEM at 2012-08-12 20:24:57 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\lilap Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\wihle Value deleted successfully.
C:\Users\jmcwhirt.DFD.000\AppData\Roaming\lilap.dll not found.
C:\Users\jmcwhirt.DFD.000\AppData\Roaming\wihle.dll moved successfully.
b7y55 service deleted successfully.
C:\Users\jmcwhirt.DFD.000\AppData\Roaming\752qh.bat moved successfully.
C:\Users\jmcwhirt.DFD.000\AppData\Roaming\lj1y6nb.dat moved successfully.
C:\Users\jmcwhirt.DFD.000\AppData\Roaming\aftr4sb.dat moved successfully.
C:\Users\All Users\7531CC9232A5F6C09E41AFCAF875EF60 moved successfully.
C:\Users\jmcwhirt.DFD.000\AppData\Roaming\wihle.dll not found.
C:\Users\jmcwhirt.DFD.000\AppData\Local\{BAA72C26-E495-11E1-8270-B8AC6F996F26} moved successfully.
C:\Users\jmcwhirt.DFD.000\AppData\Roaming\aftr3sb.dat moved successfully.
C:\Users\jmcwhirt.DFD.000\AppData\Roaming\serjs58n.dat moved successfully.
C:\Users\jmcwhirt.DFD.000\AppData\Roaming\752qh.bat not found.
C:\t17k.2 moved successfully.
C:\t17k.1 moved successfully.
C:\t16c.1 moved successfully.
C:\Windows\Installer\{1832f1e1-9eb3-63f8-2d22-35e45858eaed} moved successfully.
C:\Users\jmcwhirt.DFD.000\AppData\Local\{1832f1e1-9eb3-63f8-2d22-35e45858eaed} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====


ComboFix 12-08-10.02 - jmcwhirt 08/12/2012 20:35:37.2.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3951.2402 [GMT -4:00]
Running from: c:\users\jmcwhirt.DFD.000\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\IcoZipDll.DLL
.
.
((((((((((((((((((((((((( Files Created from 2012-07-13 to 2012-08-13 )))))))))))))))))))))))))))))))
.
.
2012-08-13 03:25 . 2012-08-13 03:25 -------- d-----w- C:\FRST
2012-08-13 00:41 . 2012-08-13 00:41 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-08-13 00:41 . 2012-08-13 00:41 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2012-08-13 00:41 . 2012-08-13 00:41 -------- d-----w- c:\users\soconnor\AppData\Local\temp
2012-08-13 00:41 . 2012-08-13 00:41 -------- d-----w- c:\users\ryan\AppData\Local\temp
2012-08-13 00:41 . 2012-08-13 00:41 -------- d-----w- c:\users\jmcwhirt\AppData\Local\temp
2012-08-13 00:41 . 2012-08-13 00:41 -------- d-----w- c:\users\image\AppData\Local\temp
2012-08-13 00:41 . 2012-08-13 00:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-13 00:41 . 2012-08-13 00:41 -------- d-----w- c:\users\adminram\AppData\Local\temp
2012-08-13 00:41 . 2012-08-13 00:41 -------- d-----w- c:\users\adminmeg\AppData\Local\temp
2012-08-13 00:41 . 2012-08-13 00:41 -------- d-----w- c:\users\adminmeg.DFD\AppData\Local\temp
2012-08-13 00:41 . 2012-08-13 00:41 -------- d-----w- c:\users\admindft\AppData\Local\temp
2012-08-13 00:41 . 2012-08-13 00:41 -------- d-----w- c:\users\adminbrm\AppData\Local\temp
2012-08-12 21:19 . 2012-08-12 21:42 -------- d-----w- c:\users\jmcwhirt.DFD.000\AppData\Local\NPE
2012-08-12 19:46 . 2012-08-12 19:46 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-08-12 13:40 . 2012-08-12 13:40 -------- d-----w- c:\users\jmcwhirt.DFD.000\AppData\Local\Evernote
2012-08-12 13:40 . 2012-08-12 13:40 -------- d-----w- c:\program files (x86)\Evernote
2012-08-05 23:35 . 2012-08-05 23:35 -------- d-----w- c:\windows\.jagex_cache_32
2012-07-31 16:07 . 2012-07-31 16:07 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-31 16:07 . 2012-07-31 16:07 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2012-07-31 16:07 . 2012-07-31 16:07 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-31 16:07 . 2012-07-31 16:07 458704 ----a-w- c:\windows\system32\drivers\cng.sys
2012-07-31 16:07 . 2012-07-31 16:07 340992 ----a-w- c:\windows\system32\schannel.dll
2012-07-31 16:07 . 2012-07-31 16:07 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-07-31 16:07 . 2012-07-31 16:07 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-07-31 16:07 . 2012-07-31 16:07 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-07-31 16:07 . 2012-07-31 16:07 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-07-31 16:06 . 2012-07-31 16:06 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-07-31 16:06 . 2012-07-31 16:06 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-31 16:04 . 2012-07-31 16:04 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2012-07-31 16:04 . 2012-07-31 16:04 2048 ----a-w- c:\windows\system32\msxml3r.dll
2012-07-31 16:04 . 2012-07-31 16:04 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-07-31 16:04 . 2012-07-31 16:04 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-07-31 16:04 . 2012-07-31 16:04 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-07-31 16:04 . 2012-07-31 16:04 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-07-31 16:01 . 2012-07-31 16:01 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-31 16:01 . 2012-07-31 16:01 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-07-31 16:01 . 2012-07-31 16:01 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-07-31 16:01 . 2012-07-31 16:01 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-07-27 21:55 . 2012-07-27 21:55 -------- d-----w- c:\program files (x86)\Cisco
2012-07-20 16:43 . 2012-07-20 16:43 -------- d-----w- c:\users\jmcwhirt.DFD.000\jagexcache1
2012-07-18 18:33 . 2012-07-18 18:33 -------- d-----w- c:\program files (x86)\PuTTY
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-01 11:17 . 2012-03-29 20:51 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-01 11:17 . 2011-09-27 10:41 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-05 10:33 . 2011-08-25 10:26 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-07-03 17:46 . 2011-10-16 00:08 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 11:30 . 2012-05-28 01:27 69000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{76FD73D7-D685-4217-BC08-858C785C7174}\offreg.dll ERROR(0x00000005)
2012-06-13 17:35 . 2012-06-13 17:35 20400 ----a-w- c:\windows\system32\SnacNp.dll
2012-06-13 17:35 . 2012-06-13 17:35 18352 ----a-w- c:\windows\SysWow64\SnacNp.dll
2012-06-11 16:08 . 2012-06-11 16:08 138144 ----a-w- c:\windows\SysWow64\SymVPN.dll
2012-06-11 16:08 . 2012-06-11 16:08 138144 ----a-w- c:\windows\system32\SymVPN.dll
2012-06-11 16:08 . 2012-06-11 16:08 87456 ----a-w- c:\windows\SysWow64\FwsVpn.dll
2012-06-11 16:08 . 2012-06-11 16:08 482424 ----a-w- c:\windows\SysWow64\drivers\srtspl64.sys
2012-06-11 16:08 . 2012-06-11 16:08 482424 ----a-w- c:\windows\system32\drivers\srtspl64.sys
2012-06-11 16:08 . 2012-06-11 16:08 453240 ----a-w- c:\windows\SysWow64\drivers\srtsp64.sys
2012-06-11 16:08 . 2012-06-11 16:08 453240 ----a-w- c:\windows\system32\drivers\srtsp64.sys
2012-06-11 16:08 . 2012-06-11 16:08 32376 ----a-w- c:\windows\SysWow64\drivers\srtspx64.sys
2012-06-11 16:08 . 2012-06-11 16:08 32376 ----a-w- c:\windows\system32\drivers\srtspx64.sys
2012-05-25 10:54 . 2011-01-22 19:45 57848688 ----a-w- c:\windows\system32\MRT.exe
2012-05-19 20:52 . 2012-05-19 20:52 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-27_21.45.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-31 16:03 . 2012-07-31 16:03 67584 c:\windows\SysWOW64\mshtmled.dll
+ 2012-07-31 16:03 . 2012-07-31 16:03 68608 c:\windows\SysWOW64\migration\WininetPlugin.dll
- 2012-04-22 23:54 . 2012-02-28 05:38 68608 c:\windows\SysWOW64\migration\WininetPlugin.dll
- 2012-04-22 23:54 . 2012-02-28 05:34 48128 c:\windows\SysWOW64\jsproxy.dll
+ 2012-07-31 16:03 . 2012-07-31 16:03 48128 c:\windows\SysWOW64\jsproxy.dll
+ 2012-01-20 01:13 . 2012-08-10 01:11 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
- 2012-01-20 01:13 . 2012-07-27 20:50 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
- 2009-07-14 04:54 . 2012-07-27 21:42 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-08-13 00:43 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-20 01:13 . 2012-08-10 01:11 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
- 2012-01-20 01:13 . 2012-07-27 20:50 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
- 2012-01-20 01:13 . 2012-07-27 20:50 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
+ 2012-01-20 01:13 . 2012-08-10 01:11 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-13 00:43 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-01-19 12:49 . 2012-01-19 12:58 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Feeds Cache\index.dat
+ 2012-01-19 12:49 . 2012-08-12 21:23 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Feeds Cache\index.dat
+ 2011-01-22 19:31 . 2012-08-12 16:17 38604 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-13 00:30 38520 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-08-31 16:36 . 2012-08-13 00:30 19424 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1296502284-1224127709-55231759-2522_UserData.bin
+ 2012-07-31 16:03 . 2012-07-31 16:03 97792 c:\windows\system32\mshtmled.dll
+ 2012-07-31 16:03 . 2012-07-31 16:03 95232 c:\windows\system32\migration\WininetPlugin.dll
- 2012-04-22 23:54 . 2012-02-28 06:39 95232 c:\windows\system32\migration\WininetPlugin.dll
- 2012-07-24 05:48 . 2012-07-24 01:34 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
+ 2012-07-24 05:48 . 2012-08-12 21:58 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2012-04-22 23:54 . 2012-02-28 06:35 64512 c:\windows\system32\jsproxy.dll
+ 2012-07-31 16:03 . 2012-07-31 16:03 64512 c:\windows\system32\jsproxy.dll
+ 2009-07-14 05:30 . 2012-07-27 21:55 86016 c:\windows\system32\DriverStore\infpub.dat
- 2009-07-14 05:30 . 2012-07-27 20:50 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2011-01-23 01:41 . 2012-08-13 00:42 65536 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-08-12 16:06 . 2012-08-12 16:11 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012081220120813\index.dat
+ 2009-07-14 04:54 . 2012-08-13 00:42 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-08-12 16:04 . 2012-08-12 16:04 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2012-08-12 16:06 . 2012-08-12 16:11 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2012-03-23 10:39 . 2012-08-12 16:11 16384 c:\windows\system32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
- 2012-03-23 10:39 . 2012-03-23 10:39 16384 c:\windows\system32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
+ 2011-01-22 20:13 . 2012-08-13 00:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-01-22 20:13 . 2012-07-27 21:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-01-22 20:13 . 2012-08-13 00:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-01-22 20:13 . 2012-07-27 21:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-08-01 11:11 . 2012-08-01 11:11 54784 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.DynamicD#\eef76dd965ea0a8ae5fb0c734d84389c\System.Web.DynamicData.Design.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\2b97ccae44726f13c418f1406180c3e8\System.Web.DynamicData.Design.ni.dll
+ 2012-08-01 11:23 . 2012-08-01 16:30 1542 c:\windows\SoftwareDistribution\EventCache\{BAF8D5CD-2766-456B-A236-F5CDA80D9CEB}.bin
+ 2012-07-30 19:19 . 2012-07-31 11:11 1542 c:\windows\SoftwareDistribution\EventCache\{05F45603-2888-4C76-84B0-0AA4141DF329}.bin
- 2012-07-24 02:55 . 2012-07-27 21:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-12 16:13 . 2012-08-13 00:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-12 16:13 . 2012-08-13 00:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-24 02:55 . 2012-07-27 21:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-04-22 23:54 . 2012-02-28 05:38 981504 c:\windows\SysWOW64\wininet.dll
+ 2012-07-31 16:03 . 2012-07-31 16:03 981504 c:\windows\SysWOW64\wininet.dll
- 2012-04-22 23:54 . 2012-02-28 05:38 132096 c:\windows\SysWOW64\url.dll
+ 2012-07-31 16:03 . 2012-07-31 16:03 132096 c:\windows\SysWOW64\url.dll
+ 2012-07-31 16:03 . 2012-07-31 16:03 627712 c:\windows\SysWOW64\msfeeds.dll
+ 2012-08-01 11:17 . 2012-08-01 11:17 686792 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_268_ActiveX.exe
+ 2012-08-01 11:17 . 2012-08-01 11:17 466632 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_268_ActiveX.dll
- 2012-03-29 20:51 . 2012-07-16 22:15 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-03-29 20:51 . 2012-08-01 11:17 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-07-31 16:03 . 2012-07-31 16:03 176640 c:\windows\SysWOW64\ieui.dll
- 2012-04-22 23:54 . 2012-02-28 05:34 176640 c:\windows\SysWOW64\ieui.dll
- 2012-01-19 12:49 . 2012-07-27 21:42 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2012-01-19 12:49 . 2012-08-13 00:43 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2012-07-31 16:05 . 2012-07-31 16:05 805376 c:\windows\SysWOW64\cdosys.dll
- 2011-03-06 21:31 . 2010-11-20 12:18 805376 c:\windows\SysWOW64\cdosys.dll
+ 2011-08-24 19:49 . 2012-08-05 23:34 216984 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
- 2012-04-22 23:54 . 2012-02-28 06:39 134144 c:\windows\system32\url.dll
+ 2012-07-31 16:03 . 2012-07-31 16:03 134144 c:\windows\system32\url.dll
+ 2009-07-14 02:36 . 2012-08-13 00:32 663434 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-07-27 20:59 663434 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-13 00:32 122270 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-07-27 20:59 122270 c:\windows\system32\perfc009.dat
+ 2012-07-31 16:03 . 2012-07-31 16:03 735744 c:\windows\system32\msfeeds.dll
+ 2012-08-01 11:17 . 2012-08-01 11:17 417992 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_268_ActiveX.exe
+ 2012-08-01 11:17 . 2012-08-01 11:17 513224 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_268_ActiveX.dll
- 2012-04-22 23:54 . 2012-02-28 06:35 247808 c:\windows\system32\ieui.dll
+ 2012-07-31 16:03 . 2012-07-31 16:03 247808 c:\windows\system32\ieui.dll
- 2009-07-14 04:45 . 2012-05-25 18:18 541472 c:\windows\system32\FNTCACHE.DAT
+ 2009-07-14 04:45 . 2012-08-01 11:00 541472 c:\windows\system32\FNTCACHE.DAT
+ 2009-07-14 05:30 . 2012-07-27 21:55 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2012-07-27 20:50 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:12 . 2012-07-24 16:02 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:12 . 2012-08-11 00:31 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-01-23 01:41 . 2012-08-13 00:42 835584 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:46 . 2012-07-03 16:34 112472 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 04:46 . 2012-08-01 17:00 112472 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2012-07-31 16:01 . 2012-07-31 16:01 630784 c:\windows\Microsoft.NET\Framework64\v2.0.50727\System.Drawing.dll
+ 2012-07-31 16:01 . 2012-07-31 16:01 630784 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.dll
+ 2011-09-22 18:45 . 2011-09-22 18:45 388096 c:\windows\Installer\e07bd.msi
+ 2012-08-01 11:11 . 2012-08-01 11:11 329216 c:\windows\assembly\NativeImages_v2.0.50727_64\WindowsFormsIntegra#\f4d304fcbfda323997083a1f88b83719\WindowsFormsIntegration.ni.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 304128 c:\windows\assembly\NativeImages_v2.0.50727_64\TaskScheduler\681410f842337dccc72eb059738c3ced\TaskScheduler.ni.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 187392 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Routing\72b4992e45d232251a273a59eb3333d5\System.Web.Routing.ni.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 449024 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Entity\b905eb57b631a30c60caa4d68c186963\System.Web.Entity.ni.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 398848 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Entity.D#\e412dfbf1aa49bbe345a02a4d23104f5\System.Web.Entity.Design.ni.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 753664 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.DynamicD#\815769f953ebe3f84439d522c97317b8\System.Web.DynamicData.ni.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 204800 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Abstract#\c8144ee08dccdac183527e53c86aa901\System.Web.Abstractions.ni.dll
+ 2012-08-01 11:04 . 2012-08-01 11:04 295424 c:\windows\assembly\NativeImages_v2.0.50727_64\System.ServiceProce#\f71d2f65d0f149c75ac7a569dbcc8500\System.ServiceProcess.ni.dll
+ 2012-08-01 11:09 . 2012-08-01 11:09 783360 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Messaging\d5d612f7d372f500e3062e3814e79d75\System.Messaging.ni.dll
+ 2012-08-01 11:04 . 2012-08-01 11:04 288768 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Drawing.Desi#\fbc02e9f5a14bb93082ebc88bc577413\System.Drawing.Design.ni.dll
+ 2012-08-01 11:04 . 2012-08-01 11:04 192000 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Configuratio#\a88ca70ab9641b8236149bc5dd8d1564\System.Configuration.Install.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 376832 c:\windows\assembly\NativeImages_v2.0.50727_64\SecurityAuditPolici#\0101faefdcc3274ba594e7a103ec0186\SecurityAuditPoliciesSnapIn.ni.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 855040 c:\windows\assembly\NativeImages_v2.0.50727_64\napsnap\2f1bad2fb963482a02443d5e7fece2b6\napsnap.ni.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 162816 c:\windows\assembly\NativeImages_v2.0.50727_64\napinit\bb4947f0ecc925a7bcfd129b6eec8f9b\napinit.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 417792 c:\windows\assembly\NativeImages_v2.0.50727_64\MMCFxCommon\67240ddde494b9cc05cd732ccd099668\MMCFxCommon.ni.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 937472 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Security.#\526a33ed761cce911ff85646c4a0ec80\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 312320 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\e29cbd30a31d3c8dae19eb17f70c4ec4\Microsoft.MediaCenter.iTv.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 152576 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\409dae089f2e041343cff71f822cd505\Microsoft.MediaCenter.ITVVM.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 798720 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Managemen#\803188573fb19785a94284e097c48a67\Microsoft.ManagementConsole.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 618496 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.GroupPoli#\167a62317f33ae61ef5d7b70ba0421c3\Microsoft.GroupPolicy.AdmTmplEditor.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 423424 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Applicati#\9016fe60c2398dd6c3c8d8494e1a24b5\Microsoft.ApplicationId.Framework.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 727040 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Applicati#\877ba3d01d6bac7d76ec8a5fede67baf\Microsoft.ApplicationId.RuleWizard.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 549376 c:\windows\assembly\NativeImages_v2.0.50727_64\mcplayerinterop\4ae6ccc32dafb4e3765b9db05585bd48\mcplayerinterop.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 696320 c:\windows\assembly\NativeImages_v2.0.50727_64\mcGlidHostObj\b0db345fd62a84c98fd8b0bf3c72e8bb\mcGlidHostObj.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 659456 c:\windows\assembly\NativeImages_v2.0.50727_64\EventViewer\bc5df15ee827e248dd6f819874a85718\EventViewer.ni.dll
+ 2012-08-01 11:09 . 2012-08-01 11:09 389120 c:\windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\08c9aa18b306aa47ddc0ae4a63b05d04\ehExtHost.ni.exe
+ 2012-08-01 11:08 . 2012-08-01 11:08 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\f2f8201dd3453250dfd9ed1afce630a0\WindowsFormsIntegration.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 245248 c:\windows\assembly\NativeImages_v2.0.50727_32\TaskScheduler\f3e052584df9c614407da662dd3c3df3\TaskScheduler.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\06e4119a0a3484bb0ca667a16145ce74\System.Web.Routing.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 860160 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\4f13c2c06fb97f6659473f02802b377b\System.Web.Extensions.Design.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 328192 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\bc239944bca7cc6b6ddb473259183c7d\System.Web.Entity.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 301568 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\3701488fb9e601ebe963db25b784d684\System.Web.Entity.Design.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\a09cc9877f51f16a4610b702155e8b70\System.Web.DynamicData.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\c6aad1edcc51862ceb26b6b65dad1490\System.Web.Abstractions.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\69ca4a43ba14b66689715ad62aed70e6\System.ServiceProcess.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 593408 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Messaging\2b4d6976393bf5643a4ef2d8dffdf75b\System.Messaging.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\912a0776c2bfd35ff76bd0b8ba977ed4\System.Drawing.Design.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\498d2033c60fe5b777cf923b71b25972\System.Configuration.Install.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 294912 c:\windows\assembly\NativeImages_v2.0.50727_32\SecurityAuditPolici#\2b9aa0cd9971fff78931f901c901f1e0\SecurityAuditPoliciesSnapIn.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 723456 c:\windows\assembly\NativeImages_v2.0.50727_32\napsnap\acfafa161ea232928cb02b01c50acf1c\napsnap.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 117760 c:\windows\assembly\NativeImages_v2.0.50727_32\napinit\0abec246c5ca6ec4858bfd3ab84da0ec\napinit.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 287232 c:\windows\assembly\NativeImages_v2.0.50727_32\MMCFxCommon\1e03b7c2539c5376f0665a4aba04efbd\MMCFxCommon.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Security.#\9e50f2fb3c8157aac9508d1484fca9c5\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 561664 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Managemen#\622b582866fca37f113bd97ae4c6d1f6\Microsoft.ManagementConsole.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 455168 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.GroupPoli#\855b99be5878283866f6977c6dc556e8\Microsoft.GroupPolicy.AdmTmplEditor.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 587776 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Applicati#\bd371ac78fe72393b9453b10e9e99d28\Microsoft.ApplicationId.RuleWizard.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 316928 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Applicati#\98f7f926a9f0ad41a3773a054cc4d3a8\Microsoft.ApplicationId.Framework.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 553472 c:\windows\assembly\NativeImages_v2.0.50727_32\EventViewer\02577b78c6ed2f9bda301de888dccad8\EventViewer.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 254464 c:\windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\a6b8eb80cfbdd927b2fa4ecb69fc0209\ehExtHost32.ni.exe
+ 2012-07-31 16:01 . 2012-07-31 16:01 630784 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2012-08-05 23:35 . 2012-08-05 23:35 101137 c:\windows\.jagex_cache_32\loginapplet\cache-1986278970.dat
+ 2012-07-31 16:03 . 2012-07-31 16:03 1231360 c:\windows\SysWOW64\urlmon.dll
- 2012-04-22 23:54 . 2012-02-28 05:38 1231360 c:\windows\SysWOW64\urlmon.dll
+ 2012-07-31 16:03 . 2012-07-31 16:03 6027776 c:\windows\SysWOW64\mshtml.dll
- 2012-04-22 23:54 . 2012-02-28 05:34 2073600 c:\windows\SysWOW64\iertutil.dll
+ 2012-07-31 16:03 . 2012-07-31 16:03 2073600 c:\windows\SysWOW64\iertutil.dll
- 2009-07-14 04:54 . 2012-07-27 21:42 1146880 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-13 00:43 1146880 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-07-31 16:03 . 2012-07-31 16:03 1188864 c:\windows\system32\wininet.dll
- 2012-04-22 23:54 . 2012-02-28 06:39 1188864 c:\windows\system32\wininet.dll
- 2012-04-22 23:54 . 2012-02-28 06:39 1494016 c:\windows\system32\urlmon.dll
+ 2012-07-31 16:03 . 2012-07-31 16:03 1494016 c:\windows\system32\urlmon.dll
+ 2012-07-31 16:03 . 2012-07-31 16:03 9059840 c:\windows\system32\mshtml.dll
+ 2012-07-31 16:03 . 2012-07-31 16:03 2454528 c:\windows\system32\iertutil.dll
- 2011-03-06 21:31 . 2010-11-20 13:25 1133568 c:\windows\system32\cdosys.dll
+ 2012-07-31 16:05 . 2012-07-31 16:05 1133568 c:\windows\system32\cdosys.dll
+ 2009-07-14 04:45 . 2012-08-01 11:04 7371146 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2012-07-02 17:51 7371146 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2012-05-25 10:39 . 2012-01-04 03:34 5025792 c:\windows\Microsoft.NET\Framework64\v2.0.50727\System.Windows.Forms.dll
+ 2012-07-31 16:04 . 2012-07-31 16:04 5025792 c:\windows\Microsoft.NET\Framework64\v2.0.50727\System.Windows.Forms.dll
+ 2012-07-31 16:04 . 2012-07-31 16:04 4927488 c:\windows\Microsoft.NET\Framework64\v2.0.50727\System.Design.dll
- 2011-03-06 21:30 . 2010-11-05 01:56 4927488 c:\windows\Microsoft.NET\Framework64\v2.0.50727\System.Design.dll
+ 2012-07-31 16:04 . 2012-07-31 16:04 5025792 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
- 2012-05-25 10:39 . 2012-01-04 02:51 5025792 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
+ 2012-07-31 16:04 . 2012-07-31 16:04 4927488 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Design.dll
- 2011-03-06 21:30 . 2010-11-05 01:58 4927488 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Design.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 1818112 c:\windows\assembly\NativeImages_v2.0.50727_64\System.WorkflowServ#\70cc5e8a5a3372fe0b104c1b20392cd2\System.WorkflowServices.ni.dll
+ 2012-08-01 11:04 . 2012-08-01 11:04 2711040 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Run#\aa638ba79250284eb4af4adaa4a4117b\System.Workflow.Runtime.ni.dll
+ 2012-08-01 11:04 . 2012-08-01 11:04 5957632 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Com#\996dc2af3b9e5c111130935f298908c6\System.Workflow.ComponentModel.ni.dll
+ 2012-08-01 11:04 . 2012-08-01 11:04 3895296 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Act#\178797db84abae2eeaed835bd28ca52c\System.Workflow.Activities.ni.dll
+ 2012-08-01 11:04 . 2012-08-01 11:04 2292224 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Services\a32734087cd0db5607d5744ca63235d7\System.Web.Services.ni.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 3336704 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Mobile\af7689e8cbec5d2755497be23c30e293\System.Web.Mobile.ni.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 3044352 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Extensio#\768ea257d75839979b4efb2d49d653f6\System.Web.Extensions.ni.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 1155072 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Extensio#\2c47bc5d426a7cf9ffef1425eda08184\System.Web.Extensions.Design.ni.dll
+ 2012-08-01 11:03 . 2012-08-01 11:03 1463808 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Printing\b964519964d302b4977e1380d8d15f1a\System.Printing.ni.dll
+ 2012-08-01 11:03 . 2012-08-01 11:03 2318848 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\222eb8aa336953a6b0216db2b0c4770d\System.Drawing.ni.dll
+ 2012-08-01 11:03 . 2012-08-01 11:03 2444288 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Deployment\6e4e9b07f376d445df1718c0011fa99b\System.Deployment.ni.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 1530368 c:\windows\assembly\NativeImages_v2.0.50727_64\SrpUxSnapIn\78d5f2d52e06f6ea47b359bf4ceb7b65\SrpUxSnapIn.ni.dll
+ 2012-08-01 11:03 . 2012-08-01 11:03 3116032 c:\windows\assembly\NativeImages_v2.0.50727_64\ReachFramework\1f88a3693c8ddd527a130aff49dc58b3\ReachFramework.ni.dll
+ 2012-08-01 11:03 . 2012-08-01 11:03 2109952 c:\windows\assembly\NativeImages_v2.0.50727_64\PresentationUI\b91c32fab08ba62d8c7681cc596895be\PresentationUI.ni.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 3601920 c:\windows\assembly\NativeImages_v2.0.50727_64\Narrator\ac1ba76ed19d668ce53a74593f040453\Narrator.ni.exe
+ 2012-08-01 11:11 . 2012-08-01 11:11 2327552 c:\windows\assembly\NativeImages_v2.0.50727_64\MMCEx\df2557ab1b8e4389d846e13dc82eba57\MMCEx.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 7970304 c:\windows\assembly\NativeImages_v2.0.50727_64\MIGUIControls\61812970c4743b686a67f28687e1dcb6\MIGUIControls.ni.dll
+ 2012-08-01 11:11 . 2012-08-01 11:11 2131968 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\1586ee919f86130df9771cf9b8d95d3a\Microsoft.VisualBasic.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 5350912 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ca7e936eed0de2436d87b2601ee3a20a\Microsoft.PowerShell.Editor.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 2176512 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\6caa366471176a065a96d77e8ba01eeb\Microsoft.PowerShell.Commands.Utility.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 2105344 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\3040e2de07177c0a6a66a49de61fdc59\Microsoft.PowerShell.GPowerShell.ni.dll
+ 2012-08-01 11:09 . 2012-08-01 11:09 1516544 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\b2afc0af3d89ae00e973b4e6e9db382c\Microsoft.MediaCenter.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 1508864 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\73bfbdccdc1b0ae87f70a0ec594fee3c\Microsoft.MediaCenter.Bml.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 8979456 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\653e1ee01f10d658d52ca42e17e74283\Microsoft.MediaCenter.UI.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 2365952 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\dac69844e6333484159a4cf544190906\Microsoft.Ink.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 5054976 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.GroupPoli#\2dace3e1a3fbdd679501e1c7c868ac3e\Microsoft.GroupPolicy.Reporting.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 2218496 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Build.Tas#\4b362e9e25c33e371f06403edec8849a\Microsoft.Build.Tasks.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 2682880 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Build.Tas#\33730d136a34d2f4e56a0322f49ee9b6\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 2801664 c:\windows\assembly\NativeImages_v2.0.50727_64\mcstore\cc4844e7242c1e35d145bf2439f944c5\mcstore.ni.dll
+ 2012-08-01 11:09 . 2012-08-01 11:09 5746688 c:\windows\assembly\NativeImages_v2.0.50727_64\AdWindows\cf9d14bdb7bb96a51d578119dedf2f08\AdWindows.ni.dll
+ 2012-08-01 11:09 . 2012-08-01 11:09 2653184 c:\windows\assembly\NativeImages_v2.0.50727_64\AcWindows\5c41438ec417c75579da62081b39080e\AcWindows.ni.dll
+ 2012-08-01 11:09 . 2012-08-01 11:09 7667200 c:\windows\assembly\NativeImages_v2.0.50727_64\acmgd\7427a31d2144e4f72e8e3ee598666496\acmgd.ni.dll
+ 2012-08-01 11:09 . 2012-08-01 11:09 1817088 c:\windows\assembly\NativeImages_v2.0.50727_64\AcLayer\bc0047546dab0e2a54ea5b39e468bb14\AcLayer.ni.dll
+ 2012-08-01 11:09 . 2012-08-01 11:09 2155008 c:\windows\assembly\NativeImages_v2.0.50727_64\AcCui\16a347cfed7862b3369f92c5fb47efc9\AcCui.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 1358336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\e3e5aa45736b95804bf6bb7eca08a57b\System.WorkflowServices.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 1917952 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\88bfc62ac0195a8ae673c444a3339505\System.Workflow.Runtime.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 4516352 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\cfb739be21092d5b8f7b4fde529e6aaa\System.Workflow.ComponentModel.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 2994688 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\a815fffab98375c1919df68b5b292725\System.Workflow.Activities.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\761fd1afc17f11bf6d49c3a7d16465ca\System.Web.Services.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 2209792 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\4a90802e36dee6e10d9bf54832cbf549\System.Web.Mobile.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 2404352 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\c45efc7ec92c1da8e67eb597559ec39c\System.Web.Extensions.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 1044480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\991dbe40be5b114ed705bb5b48e6b330\System.Printing.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 1591808 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 1806848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\3421b96c2885b8e4137a376ff3d95fa5\System.Deployment.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 1351168 c:\windows\assembly\NativeImages_v2.0.50727_32\SrpUxSnapIn\0f05778da82962003762ac22f0ab4b91\SrpUxSnapIn.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 2157056 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\87f73de6e080d37be93adfc7d5c31d7a\ReachFramework.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 1658368 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\163517c8a195fb48f7ef6ee17c585bdb\PresentationUI.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 2623488 c:\windows\assembly\NativeImages_v2.0.50727_32\Narrator\17add09c98fa34255142d42697db53df\Narrator.ni.exe
+ 2012-08-01 11:08 . 2012-08-01 11:08 1545216 c:\windows\assembly\NativeImages_v2.0.50727_32\MMCEx\21abde8efab609732b2ade3f05234e79\MMCEx.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 6438912 c:\windows\assembly\NativeImages_v2.0.50727_32\MIGUIControls\0e7da0df83f0619e3b0e0a7d7ee05fa3\MIGUIControls.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 1670144 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\6c59a14a23f734093e80d6093e25302a\Microsoft.VisualBasic.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 1681920 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\99ae5f32cd1dc3618659bc3c77f2b2a9\Microsoft.PowerShell.Commands.Utility.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 1704960 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\77b5496d214dd5034294b058c0bb0e8d\Microsoft.PowerShell.GPowerShell.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 3724288 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\72765e5fab12761eb6d3f58180fa34d7\Microsoft.PowerShell.Editor.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 6499840 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.MediaCent#\8ce1d10f94b40f054017865757552f2d\Microsoft.MediaCenter.UI.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 1009664 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.MediaCent#\7fab1ec8f5ed6a55a8a73b2c590bd7cd\Microsoft.MediaCenter.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 1361408 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Ink\4d381048e3b9c0914c0f72c6aa0a599d\Microsoft.Ink.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 4071424 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.GroupPoli#\efbe64bfafaaaec44b5c0e487c0b2c4a\Microsoft.GroupPolicy.Reporting.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\3893fa9a19b52dee8b2cc424840d5d08\Microsoft.Build.Tasks.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 1970176 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\1d2250044b1ecff755e26ed12f6d27cb\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2012-08-01 11:08 . 2012-08-01 11:08 2035712 c:\windows\assembly\NativeImages_v2.0.50727_32\mcstore\3a4e56a8d1075cf0af0619c383b3e592\mcstore.ni.dll
+ 2012-07-31 16:04 . 2012-07-31 16:04 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2012-05-25 10:39 . 2012-01-04 02:51 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2012-07-31 16:04 . 2012-07-31 16:04 4927488 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2011-03-06 21:30 . 2010-11-05 01:58 4927488 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2012-07-31 16:06 . 2012-07-31 16:06 12873728 c:\windows\SysWOW64\shell32.dll
+ 2012-07-31 16:03 . 2012-07-31 16:03 11020800 c:\windows\SysWOW64\ieframe.dll
+ 2009-07-14 02:34 . 2012-07-31 22:16 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:34 . 2012-07-24 05:46 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2012-07-31 16:03 . 2012-07-31 16:03 12297216 c:\windows\system32\ieframe.dll
+ 2012-08-12 13:39 . 2012-08-12 13:39 50442240 c:\windows\Installer\7f977bb.msi
+ 2012-08-01 11:03 . 2012-08-01 11:03 17383424 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\dc5bb74eefdbf954cdfb70dd534d5564\System.Windows.Forms.ni.dll
+ 2012-08-01 11:04 . 2012-08-01 11:04 15270912 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web\95f38e7485bbe2b73b6055c45196fedd\System.Web.ni.dll
+ 2012-08-01 11:04 . 2012-08-01 11:04 13609472 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Design\582144c0ee317038621aebc626187b56\System.Design.ni.dll
+ 2012-08-01 11:03 . 2012-08-01 11:03 19198464 c:\windows\assembly\NativeImages_v2.0.50727_64\PresentationFramewo#\47054c4d5b7e522c21a9d57797410302\PresentationFramework.ni.dll
+ 2012-08-01 11:03 . 2012-08-01 11:03 16543232 c:\windows\assembly\NativeImages_v2.0.50727_64\PresentationCore\3a9d13514a8c4c710fa5ce8e9b5393fe\PresentationCore.ni.dll
+ 2012-08-01 11:10 . 2012-08-01 11:10 25470976 c:\windows\assembly\NativeImages_v2.0.50727_64\ehshell\0c1f96a4136efe532bbb8eb91d3de300\ehshell.ni.dll
+ 2012-08-01 11:09 . 2012-08-01 11:09 14931968 c:\windows\assembly\NativeImages_v2.0.50727_64\acdbmgd\41383b25c44aec6a18c1534d7e37df36\acdbmgd.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 12436480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 11833344 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\a501b7960f6c6e2e39162b83f3303aaa\System.Web.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 10580480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\7c144f89b1f8f292d6940a1b2f8ffbec\System.Design.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 14340608 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e717a230496832656b05b515eb9f3bc5\PresentationFramework.ni.dll
+ 2012-08-01 11:05 . 2012-08-01 11:05 12237824 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\14a87218ea49639f38097e278b98a3da\PresentationCore.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-03-17 01:06 1008784 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-03-17 01:06 1008784 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-03-17 01:06 1008784 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Synchronizer"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2012-04-04 1261472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2010-02-25 287800]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2012-06-11 115624]
"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
"FUFAXRCV"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe" [2011-03-09 495616]
"FUFAXSTM"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [2011-03-09 856064]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-04-04 36760]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-04-04 815512]
"Carbonite Backup"="c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-03-17 1059984]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]
.
c:\users\ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\ryan\AppData\Roaming\wruninstall.exe [2012-4-18 6664768]
.
c:\users\soconnor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\soconnor\AppData\Roaming\wruninstall.exe [2012-4-18 6664768]
.
c:\users\admindft\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\admindft\AppData\Roaming\wruninstall.exe [2012-4-18 6664768]
.
c:\users\adminmeg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\adminmeg\AppData\Roaming\wruninstall.exe [2012-4-18 6664768]
.
c:\users\adminmeg.DFD\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\adminmeg.DFD\AppData\Roaming\wruninstall.exe [2012-4-18 6664768]
.
c:\users\image\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\image\AppData\Roaming\wruninstall.exe [2012-4-18 6664768]
.
c:\users\jmcwhirt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\jmcwhirt\AppData\Roaming\wruninstall.exe [2012-4-18 6664768]
.
c:\users\jmcwhirt.DFD.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2012-6-13 1014112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2127427544-4167719798-1118733611-1242\Scripts\Logon\0\0]
"Script"=logon.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"OrderReminder"=c:\program files (x86)\Hewlett-Packard\OrderReminder\OrderReminder.exe
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 136176]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2010-04-29 32768]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-07-28 52584]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-08-25 1431888]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 136176]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
R3 PTUMLBUS;PTUML USB Composite Device Driver;c:\windows\system32\DRIVERS\PTUMLBUS.sys [2011-10-17 105600]
R3 PTUMLCVsp;PANTECH UML290 Connection Manager Port;c:\windows\system32\DRIVERS\PTUMLCVsp.sys [2011-10-17 183424]
R3 PTUMLMBMP;PANTECH UML290 Mobile Broadband;c:\windows\system32\DRIVERS\PTUMLMBMP.sys [2011-10-17 235776]
R3 PTUMLMdm;PANTECH UML290;c:\windows\system32\DRIVERS\PTUMLMdm.sys [2011-10-17 183424]
R3 PTUMLNET61;PANTECH UML290 WWAN (NDIS6.1);c:\windows\system32\DRIVERS\PTUMLNET61.sys [2011-10-17 111872]
R3 PTUMLNVsp;PANTECH UML290 NMEA Port;c:\windows\system32\DRIVERS\PTUMLNVsp.sys [2011-10-17 184448]
R3 PTUMLRMNET;PANTECH UML290 RMNET Service;c:\windows\system32\DRIVERS\PTUMLRMNET.sys [2011-10-17 63744]
R3 PTUMLVsp;PANTECH UML290 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMLVsp.sys [2011-10-17 183424]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-22 1255736]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2007-02-02 52856]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-02 89600]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 aksdf;aksdf;c:\windows\system32\DRIVERS\aksdf.sys [2011-11-24 78208]
S2 AMPAgent;Dell KACE Agent;c:\program files (x86)\Dell\KACE\AMPAgent.exe [2011-09-21 2753640]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-02-02 18656]
S2 CommunicatorSvc;ProVision Communicator Service;c:\program files (x86)\Power Monitors, Inc\ProVision\CommunicatorSvc.exe [2011-10-11 53248]
S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [2011-06-09 555392]
S2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe [2011-12-02 4913608]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-13 30520]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-08-25 13672]
S2 ptumlcmsvc;PTUML290 Connection Manager Service;c:\windows\system32\ptumlcmsvc64.exe [2011-11-24 174592]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2012-01-23 92592]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-12-30 2019120]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-09-22 645048]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824]
S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-02-25 227896]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2011-05-05 340656]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-09 138912]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-01-13 7675392]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2009-11-21 75776]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2009-11-21 177152]
S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\DRIVERS\rismcx64.sys [2006-10-03 79488]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 14:25]
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 14:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-03-17 00:58 1279120 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-03-17 00:58 1279120 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-03-17 00:58 1279120 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1875048]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-09-08 489472]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.bizjournals.com/washington/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2B16A7A5-7C21-4531-B1A5-01757BEC6949}: NameServer = 66.174.71.33 66.174.95.44
TCP: Interfaces\{562EB158-C4E0-41CB-B50A-BE5BBE6143F7}: NameServer = 66.174.95.44 69.78.96.14
TCP: Interfaces\{6431DF15-24E2-4946-9B86-3B3C48CA34A8}: NameServer = 66.174.71.33 66.174.95.44
DPF: {0A36238C-2E5E-11D3-85BF-00105AC8B715} - hxxp://dashboard-acc5.dft.com/Support/isDigitalLibrary.cab
DPF: {1791C036-8981-492A-BD28-F2331BC9B7C7} - hxxp://dashboard-acc5.dft.com/Support/iPlotLibrary.cab
DPF: {48817CB3-6E86-4395-A428-F1511C786233} - hxxp://10.10.8.2/powerlogicweb/CabFiles/PSWebInstaller.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://access1.dft.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {57802C16-9A15-11D4-B2A8-0090272E599B} - hxxp://10.10.8.3/WebHMI/cabs/IcoSetServer.cab
DPF: {5B829641-F33D-46EC-B1F1-CB7EE8192FA3} - hxxp://10.10.8.2/powerlogicweb/CabFiles/Communications.cab
DPF: {673204A0-F8B3-4090-8506-80658C5D02C6} - hxxp://10.10.16.254/nwcv3setup.exe
DPF: {98A5DDE3-563B-11CF-A343-487C03C10000} - hxxp://10.10.8.3/WebHMI/cabs/GWXview32U.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxp://10.10.8.2/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
DPF: {C5412DD5-2E2F-11D3-85BF-00105AC8B715} - hxxps://dashboard-acc6.dft.com/Support/isAnalogLibrary.cab
DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} - hxxps://access.dft.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {D25FCAFC-F795-4609-89BB-5F78B4ACAF2C} - hxxp://10.10.8.3/WebHMI/cabs/GenVersion.cab
DPF: {E29C6B91-3542-4F37-82CE-2BFB7B8933D3} - hxxp://dashboard-acc5.dft.com/Support/iProfessionalLibrary.cab
FF - ProfilePath - c:\users\jmcwhirt.DFD.000\AppData\Roaming\Mozilla\Firefox\Profiles\ybcrpzc8.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
.
**************************************************************************
.
Completion time: 2012-08-12 20:49:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-13 00:49
ComboFix2.txt 2012-07-27 21:50
.
Pre-Run: 211,112,181,760 bytes free
Post-Run: 211,338,178,560 bytes free
.
- - End Of File - - CCF3087DEF746842F253ADEDA1F1FC4C

#10 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,360 posts
  • Location:Canada

Posted 12 August 2012 - 08:02 PM

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

The help you receive here is free. If you wish to show your appreciation, then you may [Donate].
Microsoft MVP - 2010, 2011, 2012, 2013

#11 mcwhirtj
  • Topic Starter
  • Members
  • 38 posts

Posted 12 August 2012 - 10:20 PM

Nothing found with MBAM....

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.12.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
jmcwhirt :: JMCWH1LP-USFOX2 [administrator]

8/12/2012 9:09:13 PM
mbam-log-2012-08-12 (21-09-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 411695
Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESET Results:

C:\FRST\Quarantine\services.exe Win64/Patched.B.Gen trojan
C:\FRST\Quarantine\{BAA72C26-E495-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan
C:\Users\jmcwhirt.DFD.000\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\437057b0-20395c68 a variant of Java/Exploit.CVE-2012-1723.AJ trojan
C:\Users\jmcwhirt.DFD.000\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\50a63a7e-2cd89eea multiple threats
C:\Users\jmcwhirt.DFD.000\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\375f92ff-38316189 a variant of Java/TrojanDownloader.Agent.NDJ trojan

#12 mcwhirtj
  • Topic Starter
  • Members
  • 38 posts

Posted 13 August 2012 - 08:20 AM

Looks like everything is cleared up except the Trojan.Gen.2 which Symantec finds and quarantines each time I run a scan.

BTW thanks for your time and help on this so far....

#13 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,360 posts
  • Location:Canada

Posted 13 August 2012 - 08:46 AM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the code box below into Notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty Notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Users\jmcwhirt.DFD.000\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\437057b0-20395c68 
C:\Users\jmcwhirt.DFD.000\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\50a63a7e-2cd89eea 
C:\Users\jmcwhirt.DFD.000\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\375f92ff-38316189 

ClearJavaCache::

Now paste the copied text into the open Notepad window - press Ctrl+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the "Save as type" to "All Files";
4. Type in the file name: CFScript
5. Click Save.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



Your Java is out of date, so go to Start > Control Panel > Programs and Features > scroll down to the Java installation and Remove it, now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp



NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT


Please advise how the computer is running now and whether there are any outstanding issues.
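As an added example (not code from the thread, ESET, ComboFix or BleepingComputer), the following Python helper parses an ESET online-scanner text export like the one posted above, separates hits already sitting in a quarantine folder from the ones still live in the Java deployment cache, pulls out any CVE identifier named in the detection, and drafts the CFScript File::/ClearJavaCache:: block in the form used in this post. The five detection lines are the ones from the thread; the spaced-path sample line, the Win32/Example.A label and all function names are my own construction.

```python
"""Triage an ESET online-scanner text export and draft the matching CFScript.

Added example for this thread; it is not code from ESET, ComboFix or
BleepingComputer.  Function names and the spaced-path sample are my own
construction; the five detection lines are the ones posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the ESET results posted earlier in this thread.
SAMPLE_ESET_LOG = r"""
C:\FRST\Quarantine\services.exe Win64/Patched.B.Gen trojan
C:\FRST\Quarantine\{BAA72C26-E495-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan
C:\Users\jmcwhirt.DFD.000\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\437057b0-20395c68 a variant of Java/Exploit.CVE-2012-1723.AJ trojan
C:\Users\jmcwhirt.DFD.000\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\50a63a7e-2cd89eea multiple threats
C:\Users\jmcwhirt.DFD.000\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\375f92ff-38316189 a variant of Java/TrojanDownloader.Agent.NDJ trojan
"""

# Constructed edge case (not from the thread, placeholder family name): a path
# containing spaces, which a naive split-on-first-space parser would cut at "C:\Program".
SPACED_PATH_LINE = r"C:\Program Files (x86)\Example Vendor\dropper.exe a variant of Win32/Example.A trojan"

# ESET writes "<path> <threat description>" with only a space between them, so the
# path is matched lazily and the remainder must look like a threat label:
# "multiple threats", "[probably] a variant of <family>...", or "<platform>/<family>...".
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>multiple threats|(?:probably )?a variant of \S+.*|[A-Za-z0-9]+/\S+.*)$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str

    @property
    def quarantined(self) -> bool:
        """True when the hit already sits in a removal tool's quarantine folder."""
        return "\\quarantine\\" in self.path.lower()

    @property
    def java_cache(self) -> bool:
        """True for artifacts in the Java deployment cache (drive-by exploit drops)."""
        return "\\java\\deployment\\cache\\" in self.path.lower()

    @property
    def cves(self) -> Tuple[str, ...]:
        return tuple(CVE_RE.findall(self.threat))


def parse_eset_export(text: str) -> Tuple[List[Detection], List[str]]:
    """Return (detections, lines that did not parse) for an ESET export."""
    detections, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            detections.append(Detection(m.group("path"), m.group("threat")))
        else:
            unparsed.append(line)
    return detections, unparsed


def triage(detections: List[Detection]) -> dict:
    """What a helper wants to know before writing a script: what is already
    contained, what is still live, and which CVEs the exploit names point at."""
    return {
        "quarantined": sum(d.quarantined for d in detections),
        "active": sum(not d.quarantined for d in detections),
        "java_cache": sum(d.java_cache for d in detections),
        "cves": sorted({c for d in detections for c in d.cves}),
    }


def build_cfscript(detections: List[Detection]) -> str:
    """Draft the CFScript used in this thread: a File:: block listing the hits that
    are still live (quarantined copies are skipped) plus ClearJavaCache:: when any
    hit came from the Java cache."""
    active = [d.path for d in detections if not d.quarantined]
    lines: List[str] = []
    if active:
        lines.append("File::")
        lines.extend(active)
        lines.append("")
    if any(d.java_cache for d in detections):
        lines.append("ClearJavaCache::")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found, bad = parse_eset_export(SAMPLE_ESET_LOG)
    print(triage(found))
    print(build_cfscript(found))
```

The CVE list is what tells you the Java cache hits are exploit artifacts rather than the payload itself, which is why the post pairs the cache cleanup with a Java upgrade.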

#14 mcwhirtj
  • Topic Starter
  • Members
  • 38 posts

Posted 13 August 2012 - 11:07 AM

ComboFix 12-08-13.01 - jmcwhirt 08/13/2012 11:37:13.3.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3951.2187 [GMT -4:00]
Running from: c:\users\jmcwhirt.DFD.000\Desktop\ComboFix.exe
Command switches used :: c:\users\jmcwhirt.DFD.000\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\jmcwhirt.DFD.000\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\437057b0-20395c68"
"c:\users\jmcwhirt.DFD.000\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\50a63a7e-2cd89eea"
"c:\users\jmcwhirt.DFD.000\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\375f92ff-38316189"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\IcoZipDll.DLL
.
.
((((((((((((((((((((((((( Files Created from 2012-07-13 to 2012-08-13 )))))))))))))))))))))))))))))))
.
.
2012-08-13 03:25 . 2012-08-13 03:25 -------- d-----w- C:\FRST
2012-08-13 01:15 . 2012-08-13 01:15 -------- d-----w- c:\program files (x86)\ESET
2012-08-12 21:19 . 2012-08-12 21:42 -------- d-----w- c:\users\jmcwhirt.DFD.000\AppData\Local\NPE
2012-08-12 19:46 . 2012-08-12 19:46 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-08-12 13:40 . 2012-08-12 13:40 -------- d-----w- c:\users\jmcwhirt.DFD.000\AppData\Local\Evernote
2012-08-12 13:40 . 2012-08-12 13:40 -------- d-----w- c:\program files (x86)\Evernote
2012-08-05 23:35 . 2012-08-05 23:35 -------- d-----w- c:\windows\.jagex_cache_32
2012-07-31 16:07 . 2012-07-31 16:07 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-31 16:07 . 2012-07-31 16:07 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2012-07-31 16:07 . 2012-07-31 16:07 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-31 16:07 . 2012-07-31 16:07 458704 ----a-w- c:\windows\system32\drivers\cng.sys
2012-07-31 16:07 . 2012-07-31 16:07 340992 ----a-w- c:\windows\system32\schannel.dll
2012-07-31 16:07 . 2012-07-31 16:07 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-07-31 16:07 . 2012-07-31 16:07 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-07-31 16:07 . 2012-07-31 16:07 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-07-31 16:07 . 2012-07-31 16:07 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-07-31 16:06 . 2012-07-31 16:06 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-07-31 16:06 . 2012-07-31 16:06 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-31 16:04 . 2012-07-31 16:04 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2012-07-31 16:04 . 2012-07-31 16:04 2048 ----a-w- c:\windows\system32\msxml3r.dll
2012-07-31 16:04 . 2012-07-31 16:04 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-07-31 16:04 . 2012-07-31 16:04 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-07-31 16:04 . 2012-07-31 16:04 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-07-31 16:04 . 2012-07-31 16:04 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-07-31 16:01 . 2012-07-31 16:01 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-31 16:01 . 2012-07-31 16:01 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-07-31 16:01 . 2012-07-31 16:01 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-07-31 16:01 . 2012-07-31 16:01 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-07-27 21:55 . 2012-07-27 21:55 -------- d-----w- c:\program files (x86)\Cisco
2012-07-20 16:43 . 2012-07-20 16:43 -------- d-----w- c:\users\jmcwhirt.DFD.000\jagexcache1
2012-07-18 18:33 . 2012-07-18 18:33 -------- d-----w- c:\program files (x86)\PuTTY
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-01 11:17 . 2012-03-29 20:51 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-01 11:17 . 2011-09-27 10:41 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-05 10:33 . 2011-08-25 10:26 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-07-03 17:46 . 2011-10-16 00:08 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 11:30 . 2012-05-28 01:27 69000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{76FD73D7-D685-4217-BC08-858C785C7174}\offreg.dll ERROR(0x00000005)
2012-06-13 17:35 . 2012-06-13 17:35 20400 ----a-w- c:\windows\system32\SnacNp.dll
2012-06-13 17:35 . 2012-06-13 17:35 18352 ----a-w- c:\windows\SysWow64\SnacNp.dll
2012-06-11 16:08 . 2012-06-11 16:08 138144 ----a-w- c:\windows\SysWow64\SymVPN.dll
2012-06-11 16:08 . 2012-06-11 16:08 138144 ----a-w- c:\windows\system32\SymVPN.dll
2012-06-11 16:08 . 2012-06-11 16:08 87456 ----a-w- c:\windows\SysWow64\FwsVpn.dll
2012-06-11 16:08 . 2012-06-11 16:08 482424 ----a-w- c:\windows\SysWow64\drivers\srtspl64.sys
2012-06-11 16:08 . 2012-06-11 16:08 482424 ----a-w- c:\windows\system32\drivers\srtspl64.sys
2012-06-11 16:08 . 2012-06-11 16:08 453240 ----a-w- c:\windows\SysWow64\drivers\srtsp64.sys
2012-06-11 16:08 . 2012-06-11 16:08 453240 ----a-w- c:\windows\system32\drivers\srtsp64.sys
2012-06-11 16:08 . 2012-06-11 16:08 32376 ----a-w- c:\windows\SysWow64\drivers\srtspx64.sys
2012-06-11 16:08 . 2012-06-11 16:08 32376 ----a-w- c:\windows\system32\drivers\srtspx64.sys
2012-05-25 10:54 . 2011-01-22 19:45 57848688 ----a-w- c:\windows\system32\MRT.exe
2012-05-19 20:52 . 2012-05-19 20:52 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2012-08-13_00.45.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-20 01:13 . 2012-08-13 15:03 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
- 2012-01-20 01:13 . 2012-08-10 01:11 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
- 2009-07-14 04:54 . 2012-08-13 00:43 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-08-13 15:03 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-01-20 01:13 . 2012-08-10 01:11 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
+ 2012-01-20 01:13 . 2012-08-13 15:03 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
+ 2012-01-20 01:13 . 2012-08-13 15:03 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
- 2012-01-20 01:13 . 2012-08-10 01:11 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-13 00:43 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-13 15:03 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 05:10 . 2012-08-13 00:30 38520 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-13 10:20 38520 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-08-31 16:36 . 2012-08-13 10:20 19596 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1296502284-1224127709-55231759-2522_UserData.bin
- 2011-01-23 01:41 . 2012-08-13 00:42 65536 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-01-23 01:41 . 2012-08-13 15:28 65536 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-08-13 00:42 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-13 15:28 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-01-22 20:13 . 2012-08-13 00:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-01-22 20:13 . 2012-08-13 15:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-01-22 20:13 . 2012-08-13 00:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-22 20:13 . 2012-08-13 15:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-08-12 16:13 . 2012-08-13 10:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-12 16:13 . 2012-08-13 00:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-12 16:13 . 2012-08-13 10:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-12 16:13 . 2012-08-13 00:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-19 12:49 . 2012-08-13 10:20 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2012-01-19 12:49 . 2012-08-13 00:43 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 02:36 . 2012-08-13 00:32 663434 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-13 15:31 663434 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-13 15:31 122270 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-08-13 00:32 122270 c:\windows\system32\perfc009.dat
- 2011-01-23 01:41 . 2012-08-13 00:42 835584 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-01-23 01:41 . 2012-08-13 15:28 835584 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-13 00:43 1146880 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-13 15:03 1146880 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-03-17 01:06 1008784 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-03-17 01:06 1008784 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-03-17 01:06 1008784 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat Synchronizer"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2012-04-04 1261472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2010-02-25 287800]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2012-06-11 115624]
"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
"FUFAXRCV"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe" [2011-03-09 495616]
"FUFAXSTM"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [2011-03-09 856064]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-04-04 36760]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-04-04 815512]
"Carbonite Backup"="c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-03-17 1059984]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]
.
c:\users\ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\ryan\AppData\Roaming\wruninstall.exe [2012-4-18 6664768]
.
c:\users\soconnor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\soconnor\AppData\Roaming\wruninstall.exe [2012-4-18 6664768]
.
c:\users\admindft\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\admindft\AppData\Roaming\wruninstall.exe [2012-4-18 6664768]
.
c:\users\adminmeg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\adminmeg\AppData\Roaming\wruninstall.exe [2012-4-18 6664768]
.
c:\users\adminmeg.DFD\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\adminmeg.DFD\AppData\Roaming\wruninstall.exe [2012-4-18 6664768]
.
c:\users\image\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\image\AppData\Roaming\wruninstall.exe [2012-4-18 6664768]
.
c:\users\jmcwhirt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\jmcwhirt\AppData\Roaming\wruninstall.exe [2012-4-18 6664768]
.
c:\users\jmcwhirt.DFD.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2012-6-13 1014112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2127427544-4167719798-1118733611-1242\Scripts\Logon\0\0]
"Script"=logon.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"OrderReminder"=c:\program files (x86)\Hewlett-Packard\OrderReminder\OrderReminder.exe
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 136176]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2010-04-29 32768]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-08-25 1431888]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 136176]
R3 PTUMLBUS;PTUML USB Composite Device Driver;c:\windows\system32\DRIVERS\PTUMLBUS.sys [2011-10-17 105600]
R3 PTUMLCVsp;PANTECH UML290 Connection Manager Port;c:\windows\system32\DRIVERS\PTUMLCVsp.sys [2011-10-17 183424]
R3 PTUMLMBMP;PANTECH UML290 Mobile Broadband;c:\windows\system32\DRIVERS\PTUMLMBMP.sys [2011-10-17 235776]
R3 PTUMLMdm;PANTECH UML290;c:\windows\system32\DRIVERS\PTUMLMdm.sys [2011-10-17 183424]
R3 PTUMLNET61;PANTECH UML290 WWAN (NDIS6.1);c:\windows\system32\DRIVERS\PTUMLNET61.sys [2011-10-17 111872]
R3 PTUMLNVsp;PANTECH UML290 NMEA Port;c:\windows\system32\DRIVERS\PTUMLNVsp.sys [2011-10-17 184448]
R3 PTUMLRMNET;PANTECH UML290 RMNET Service;c:\windows\system32\DRIVERS\PTUMLRMNET.sys [2011-10-17 63744]
R3 PTUMLVsp;PANTECH UML290 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMLVsp.sys [2011-10-17 183424]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-22 1255736]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2007-02-02 52856]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-02 89600]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 aksdf;aksdf;c:\windows\system32\DRIVERS\aksdf.sys [2011-11-24 78208]
S2 AMPAgent;Dell KACE Agent;c:\program files (x86)\Dell\KACE\AMPAgent.exe [2011-09-21 2753640]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-02-02 18656]
S2 CommunicatorSvc;ProVision Communicator Service;c:\program files (x86)\Power Monitors, Inc\ProVision\CommunicatorSvc.exe [2011-10-11 53248]
S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [2011-06-09 555392]
S2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe [2011-12-02 4913608]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-13 30520]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-08-25 13672]
S2 ptumlcmsvc;PTUML290 Connection Manager Service;c:\windows\system32\ptumlcmsvc64.exe [2011-11-24 174592]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2012-01-23 92592]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-12-30 2019120]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-09-22 645048]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824]
S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-02-25 227896]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-07-28 52584]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2011-05-05 340656]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-09 138912]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-01-13 7675392]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2009-11-21 75776]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2009-11-21 177152]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\DRIVERS\rismcx64.sys [2006-10-03 79488]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 14:25]
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 14:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-03-17 00:58 1279120 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-03-17 00:58 1279120 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-03-17 00:58 1279120 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\jmcwhirt.DFD.000\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1875048]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-09-08 489472]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.bizjournals.com/washington/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 10.10.4.8 10.6.4.8
TCP: Interfaces\{2B16A7A5-7C21-4531-B1A5-01757BEC6949}: NameServer = 66.174.71.33 66.174.95.44
TCP: Interfaces\{562EB158-C4E0-41CB-B50A-BE5BBE6143F7}: NameServer = 66.174.95.44 69.78.96.14
TCP: Interfaces\{6431DF15-24E2-4946-9B86-3B3C48CA34A8}: NameServer = 66.174.71.33 66.174.95.44
DPF: {0A36238C-2E5E-11D3-85BF-00105AC8B715} - hxxp://dashboard-acc5.dft.com/Support/isDigitalLibrary.cab
DPF: {1791C036-8981-492A-BD28-F2331BC9B7C7} - hxxp://dashboard-acc5.dft.com/Support/iPlotLibrary.cab
DPF: {48817CB3-6E86-4395-A428-F1511C786233} - hxxp://10.10.8.2/powerlogicweb/CabFiles/PSWebInstaller.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://access1.dft.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {57802C16-9A15-11D4-B2A8-0090272E599B} - hxxp://10.10.8.3/WebHMI/cabs/IcoSetServer.cab
DPF: {5B829641-F33D-46EC-B1F1-CB7EE8192FA3} - hxxp://10.10.8.2/powerlogicweb/CabFiles/Communications.cab
DPF: {673204A0-F8B3-4090-8506-80658C5D02C6} - hxxp://10.10.16.254/nwcv3setup.exe
DPF: {98A5DDE3-563B-11CF-A343-487C03C10000} - hxxp://10.10.8.3/WebHMI/cabs/GWXview32U.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxp://10.10.8.2/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
DPF: {C5412DD5-2E2F-11D3-85BF-00105AC8B715} - hxxps://dashboard-acc6.dft.com/Support/isAnalogLibrary.cab
DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} - hxxps://access.dft.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {D25FCAFC-F795-4609-89BB-5F78B4ACAF2C} - hxxp://10.10.8.3/WebHMI/cabs/GenVersion.cab
DPF: {E29C6B91-3542-4F37-82CE-2BFB7B8933D3} - hxxp://dashboard-acc5.dft.com/Support/iProfessionalLibrary.cab
FF - ProfilePath - c:\users\jmcwhirt.DFD.000\AppData\Roaming\Mozilla\Firefox\Profiles\ybcrpzc8.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-13 11:51:26
ComboFix-quarantined-files.txt 2012-08-13 15:51
ComboFix2.txt 2012-08-13 00:49
ComboFix3.txt 2012-07-27 21:50
.
Pre-Run: 210,861,436,928 bytes free
Post-Run: 210,519,359,488 bytes free
.
- - End Of File - - C6994C716876722912C7F14117A966C2


Farbar Service Scanner Version: 06-08-2012
Ran by jmcwhirt (administrator) on 13-08-2012 at 12:04:31
Running from "C:\Users\jmcwhirt.DFD.000\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========

ATTENTION!=====> H:\Windows\System32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\drivers\nsiproxy.sys FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\dhcpcore.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\drivers\afd.sys FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\Drivers\tcpip.sys FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\dnsrslvr.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\mpssvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\bfe.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\drivers\mpsdrv.sys FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\vssvc.exe FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\wbem\WMIsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\wuaueng.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\qmgr.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\es.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\cryptsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\svchost.exe FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> H:\Windows\System32\rpcss.dll FILE IS MISSING AND SHOULD BE RESTORED.



**** End of log ****

NEW Java installed....

Finally, in my previous email I spoke too soon...in addition to the Gen.4 the ZeroAccess!inf4 is still showing up (but quarantined) when I scan with Symantec...the computer however is running fine.....other than the virus software picking up the trojans....

Edited by mcwhirtj, 13 August 2012 - 11:07 AM.


#15 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,360 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:18 PM

Posted 13 August 2012 - 11:35 AM

other than the virus software picking up the trojans

Can you explain this a little more? Where is it finding the infections? If it is finding files already in quarantine, then it is not a concern, as they can't hurt your computer.
(we will remove the FRST quarantine folder at the end)

Is your H:\ drive an external storage or is it bootable?

Your BITS registry key is missing, so Windows Updates won't work,

so please download the attached registry fix and save it to your desktop, right click the file and choose to "run as administrator"

allow it to merge to your registry (then delete the file as you won't need it again)

[attachment=128482:bits7.reg]


let me know if there are any outstanding issues
Microsoft MVP - 2010, 2011, 2012, 2013



