Trojan.SHarpro.PGen


  • This topic is locked
64 replies to this topic

#1 rmoonks


  • Members
  • 35 posts

Posted 06 January 2012 - 12:30 AM

Hello,
I was recently infected with a couple of malware viruses. One of them was either the XP 2012 malware virus or the Windows 7 2012 malware virus. Not sure which one, as I have both operating systems on my computer. The other malware virus was the Trojan.SHarpro.PGen, which caused IE redirection issues. I have XP on my "C" drive and Windows 7 on my "E" drive. I seem to be having the problems on my "E" drive with the Windows 7 operating system. I managed to rid my computer of the viruses with my MalwareBytes Anti-Malware program and tdssKiller. Or so I thought. I don't have the IE redirect problems anymore, nor do I have the 2012 Malware popups. However, after deleting the viruses I was left with 2 error messages every time I started up the computer. Both messages indicated that the following files couldn't be found:
DirectxTrayBackUPrundll32.exe and TrolltechUpdaterundll32E\users\RandyMoon\AppData\Local\VirtualStore\VirtualStoreUpdater\VirtualStoreUpdat32.DLL\DllRegisterServer
According to my research, both files are malware or malware related. I ran msconfig and discovered both in my startup menu. I unclicked the boxes and noted the registry locations. I attempted to manually delete the files from the registry; however, every time I restart the computer they show back up. I updated MalwareBytes and re-scanned. MalwareBytes detected the malware in the registry and quarantined and deleted the 2 offending files. The problem is that only lasts for a couple of days, and then the 2 files re-appear in the registry and Malwarebytes finds them again every time it scans. It then gets rid of them all over again, only for them to show up a couple of days later. So, I need help getting rid of them once and for all.
Below are the log files from DDS, GMER, and aswMBR. Attached is the DDS Attach log.
You will see the 2 suspect files listed in the logs.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Run by Randy Moon at 21:42:31 on 2012-01-05
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3574.1978 [GMT -6:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
E:\Windows\system32\wininit.exe
E:\Windows\system32\lsm.exe
E:\Windows\system32\svchost.exe -k DcomLaunch
E:\Windows\system32\svchost.exe -k RPCSS
E:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
E:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
E:\Windows\system32\svchost.exe -k netsvcs
E:\Windows\system32\svchost.exe -k LocalService
E:\Windows\system32\WUDFHost.exe
E:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
E:\Windows\system32\svchost.exe -k NetworkService
E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
E:\Windows\System32\spoolsv.exe
E:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
E:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\CyberLink\Shared files\RichVideo.exe
E:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
E:\Windows\system32\svchost.exe -k bthsvcs
E:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
E:\Program Files\Windows Media Player\wmpnetwk.exe
E:\Windows\system32\SearchIndexer.exe
E:\Windows\system32\Dwm.exe
E:\Windows\system32\taskhost.exe
E:\Windows\Explorer.EXE
E:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
E:\Windows\System32\igfxtray.exe
E:\Windows\System32\hkcmd.exe
E:\Windows\System32\igfxpers.exe
E:\Windows\system32\igfxsrvc.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Windows\System32\svchost.exe -k LocalServicePeerNet
E:\Users\Randy Moon\Downloads\aswMBR.exe
E:\Windows\system32\svchost.exe -k SDRSVC
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
E:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\Windows\system32\SearchProtocolHost.exe
E:\Program Files\Symantec\Symantec Endpoint Protection\DWHWizrd.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Windows\system32\SearchProtocolHost.exe
E:\Windows\system32\SearchFilterHost.exe
E:\Windows\system32\DllHost.exe
E:\Windows\system32\DllHost.exe
E:\Windows\system32\conhost.exe
E:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Trolltech Update] rundll32 "e:\users\randy moon\appdata\local\virtualstore\virtualstoreupdate\VirtualStoreupdt32.DLL",DllRegisterServer
uRun: [DirectxTrayBackup] rundll32.exe "e:\programdata\DirectxTrayBackup.dll",DllRegisterServer
mRun: [IgfxTray] e:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] e:\windows\system32\hkcmd.exe
mRun: [Persistence] e:\windows\system32\igfxpers.exe
mRun: [ccApp] "e:\program files\common files\symantec shared\ccApp.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "e:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "e:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{75FA6F4A-9030-4BC7-BBBD-1267DCBA1FF4} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{E2A0B9C7-9857-4566-82C6-1DD655158786} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - e:\users\randy moon\appdata\roaming\mozilla\firefox\profiles\30ottbsu.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - plugin: e:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: e:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: e:\program files\winzip courier\npwzwmc.dll
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-28 652872]
R2 Symantec AntiVirus;Symantec Endpoint Protection;e:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-3-10 1839888]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;e:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;e:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-12-12 106104]
R3 MBAMProtector;MBAMProtector;e:\windows\system32\drivers\mbam.sys [2011-12-14 20464]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;e:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 SrvHsfHDA;SrvHsfHDA;e:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;e:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;e:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;e:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 StorSvc;Storage Service;e:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;e:\windows\system32\drivers\TsUsbFlt.sys [2011-12-17 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;e:\windows\system32\wat\WatAdminSvc.exe [2011-12-12 1343400]
.
=============== Created Last 30 ================
.
2011-12-26 04:08:51 -------- d-----w- e:\users\randy moon\FrostWire
2011-12-26 04:08:47 -------- d-----w- e:\users\randy moon\.frostwire5
2011-12-22 23:17:43 -------- d-----w- e:\windows\system32\appmgmt
2011-12-21 22:59:57 -------- d-----w- e:\windows\system32\SPReview
2011-12-21 22:59:35 -------- d-----w- e:\windows\system32\EventProviders
2011-12-21 22:58:43 805376 ----a-w- e:\windows\system32\FntCache.dll
2011-12-21 22:58:43 739840 ----a-w- e:\windows\system32\d2d1.dll
2011-12-21 22:58:43 1076736 ----a-w- e:\windows\system32\DWrite.dll
2011-12-20 02:26:48 -------- d-----w- e:\programdata\YouTube Downloader
2011-12-20 02:23:45 -------- d-----w- e:\users\randy moon\dwhelper
2011-12-18 22:03:51 -------- d-----w- e:\programdata\ClubSanDisk
2011-12-18 22:00:11 -------- d-----w- e:\users\randy moon\appdata\roaming\SanDisk
2011-12-18 01:22:59 868864 ----a-w- e:\program files\common files\microsoft shared\ink\tipskins.dll
2011-12-18 01:21:59 96768 ----a-w- e:\windows\system32\drivers\umdf\WUDFUsbccidDriver.dll
2011-12-15 22:53:30 143360 ----a-w- e:\program files\internet explorer\plugins\npqtplugin7.dll
2011-12-15 22:53:30 143360 ----a-w- e:\program files\internet explorer\plugins\npqtplugin6.dll
2011-12-15 22:53:30 143360 ----a-w- e:\program files\internet explorer\plugins\npqtplugin5.dll
2011-12-15 22:53:30 143360 ----a-w- e:\program files\internet explorer\plugins\npqtplugin4.dll
2011-12-15 22:53:30 143360 ----a-w- e:\program files\internet explorer\plugins\npqtplugin3.dll
2011-12-15 22:53:30 143360 ----a-w- e:\program files\internet explorer\plugins\npqtplugin2.dll
2011-12-15 22:53:30 143360 ----a-w- e:\program files\internet explorer\plugins\npqtplugin.dll
2011-12-15 04:17:24 472808 ----a-w- e:\windows\system32\deployJava1.dll
2011-12-15 03:00:42 -------- d-----w- e:\users\randy moon\appdata\local\WinZip Courier
2011-12-15 02:35:03 -------- d-----w- e:\users\randy moon\appdata\local\WinZip
2011-12-15 02:34:47 -------- d-----w- e:\programdata\WinZipEC
2011-12-15 02:34:45 -------- d-----w- e:\program files\WinZip Courier
2011-12-15 02:34:36 -------- d-----w- e:\windows\CD95F661A5C411AFB2CCABCD21A325B8.TMP
2011-12-15 01:55:28 -------- d-----w- e:\users\randy moon\appdata\roaming\Malwarebytes
2011-12-15 01:55:06 -------- d-----w- e:\programdata\Malwarebytes
2011-12-15 01:55:03 20464 ----a-w- e:\windows\system32\drivers\mbam.sys
2011-12-15 01:55:03 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2011-12-15 01:35:44 -------- d-----w- e:\program files\YouTube Downloader
2011-12-14 22:10:36 -------- d-----w- e:\users\randy moon\appdata\local\Mozilla
2011-12-14 04:17:25 134104 ----a-w- e:\program files\mozilla firefox\components\browsercomps.dll
2011-12-14 04:07:37 737072 ----a-w- e:\programdata\microsoft\ehome\packages\sportsv2\sportstemplatecore\Microsoft.MediaCenter.Sports.UI.dll
2011-12-14 04:07:00 4283672 ----a-w- e:\programdata\microsoft\ehome\packages\mceclientux\updateablemarkup\markup.dll
2011-12-14 04:06:47 42776 ----a-w- e:\programdata\microsoft\ehome\packages\mceclientux\dsm\StartResources.dll
2011-12-14 04:06:35 539984 ----a-w- e:\programdata\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
2011-12-14 03:48:40 -------- d-----w- e:\users\randy moon\appdata\local\Apple Computer
2011-12-14 03:48:30 26600 ----a-w- e:\windows\system32\drivers\GEARAspiWDM.sys
2011-12-14 03:48:30 107368 ----a-w- e:\windows\system32\GEARAspi.dll
2011-12-14 03:47:53 -------- d-----w- e:\program files\iPod
2011-12-14 03:47:52 -------- d-----w- e:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-12-14 03:47:52 -------- d-----w- e:\program files\iTunes
2011-12-14 03:46:46 -------- d-----w- e:\users\randy moon\appdata\local\Apple
2011-12-14 03:46:22 -------- d-----w- e:\program files\Bonjour
2011-12-14 02:08:36 -------- d-----r- e:\program files\Skype
2011-12-14 01:29:50 60416 ----a-w- e:\windows\system32\drivers\BTHUSB.SYS
2011-12-14 01:29:50 393728 ----a-w- e:\windows\system32\drivers\bthport.sys
2011-12-14 01:29:50 219648 ----a-w- e:\windows\system32\fsquirt.exe
2011-12-14 01:29:48 38912 ----a-w- e:\windows\system32\csrsrv.dll
2011-12-14 01:29:46 3912560 ----a-w- e:\windows\system32\ntoskrnl.exe
2011-12-14 01:29:45 3967856 ----a-w- e:\windows\system32\ntkrnlpa.exe
2011-12-14 00:14:50 -------- d-----w- e:\programdata\Intuit
2011-12-13 23:26:02 414368 ----a-w- e:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-13 05:47:05 -------- d-----w- e:\windows\system32\Wat
2011-12-13 05:31:03 -------- d-----w- e:\users\randy moon\appdata\local\Symantec
2011-12-13 05:30:58 167936 ----a-w- e:\windows\system32\drivers\wpshelper.sys
2011-12-13 05:29:35 99744 ----a-w- e:\windows\system32\drivers\SysPlant.sys
2011-12-13 05:29:35 357792 ----a-w- e:\windows\system32\Sysfer.dll
2011-12-13 05:29:13 125488 ----a-w- e:\windows\system32\drivers\SYMEVENT.SYS
2011-12-13 05:28:39 503808 ----a-w- e:\windows\system32\MSVCP71.DLL
2011-12-13 05:28:39 348160 ----a-w- e:\windows\system32\MSVCR71.DLL
2011-12-13 05:28:39 1060864 ----a-w- e:\windows\system32\MFC71.DLL
2011-12-13 05:28:21 -------- d-----w- e:\programdata\Symantec
2011-12-13 05:28:21 -------- d-----w- e:\program files\Symantec
2011-12-13 05:28:21 -------- d-----w- e:\program files\common files\Symantec Shared
2011-12-13 05:20:01 90624 ----a-w- e:\windows\system32\spool\prtprocs\w32x86\HPZPPWN7.DLL
2011-12-13 05:15:50 -------- d-----w- e:\users\randy moon\appdata\local\ElevatedDiagnostics
2011-12-13 04:31:47 -------- d-----w- e:\program files\Protector Suite
2011-12-13 04:24:20 31232 ----a-w- e:\windows\system32\prevhost.exe
2011-12-13 04:24:12 288256 ----a-w- e:\windows\system32\XpsGdiConverter.dll
2011-12-13 04:22:54 2616320 ----a-w- e:\windows\explorer.exe
2011-12-13 04:14:06 -------- d-----w- e:\program files\common files\Macrovision Shared
2011-12-13 04:14:01 -------- d-----w- e:\users\randy moon\appdata\local\Adobe
2011-12-13 04:13:33 728448 ----a-w- e:\windows\system32\drivers\dxgkrnl.sys
2011-12-13 04:13:33 22872 ----a-r- e:\windows\system32\AdobePDFUI.dll
2011-12-13 04:13:33 219008 ----a-w- e:\windows\system32\drivers\dxgmms1.sys
2011-12-13 04:13:33 107520 ----a-w- e:\windows\system32\cdd.dll
2011-12-13 04:12:16 -------- d-----w- e:\windows\Panther
2011-12-13 03:45:35 -------- d-----w- e:\windows\PCHEALTH
2011-12-13 03:42:37 -------- d-----w- e:\program files\Microsoft Visual Studio 8
2011-12-13 03:41:54 -------- d-----w- e:\users\randy moon\appdata\local\Microsoft Help
2011-12-13 02:38:17 -------- d--h--w- E:\$AVG
2011-12-13 02:33:18 -------- d--h--w- e:\programdata\Common Files
2011-12-13 02:29:45 -------- d-sh--w- e:\windows\Installer
2011-12-13 02:29:36 -------- d-----w- e:\programdata\MFAData
2011-12-13 02:20:29 398336 ----a-w- e:\windows\system32\TVWizudlg.exe
2011-12-13 02:20:29 140288 ----a-w- e:\windows\system32\igfxtvcx.dll
2011-12-13 02:20:29 -------- d-----w- e:\windows\system32\Lang
2011-12-13 02:18:27 1002008 ----a-w- e:\windows\system32\igxpun.exe
2011-12-13 02:18:27 -------- d-----w- e:\windows\system32\x64
.
==================== Find3M ====================
.
2011-12-22 01:30:47 152576 ----a-w- e:\windows\system32\msclmd.dll
2011-11-24 04:25:27 2342912 ----a-w- e:\windows\system32\win32k.sys
2011-11-05 04:26:03 2048 ----a-w- e:\windows\system32\tzres.dll
2011-11-03 22:47:42 1798144 ----a-w- e:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- e:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- e:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- e:\windows\system32\mshtml.tlb
2011-10-15 05:38:59 534528 ----a-w- e:\windows\system32\EncDec.dll
.
============= FINISH: 21:43:50.66 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-05 23:16:59
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 FUJITSU_MHW2160BJ_FFS_G2 rev.0085001C
Running: kc9l4oel.exe; Driver: E:\Users\RANDYM~1\AppData\Local\Temp\fgrdyuob.sys


---- System - GMER 1.0.15 ----

SSDT 86857B38 ZwAlertResumeThread
SSDT 86869668 ZwAlertThread
SSDT 868465B8 ZwAllocateVirtualMemory
SSDT 86713898 ZwConnectPort
SSDT 8688C290 ZwCreateMutant
SSDT 8684E078 ZwCreateThread
SSDT 86842E70 ZwFreeVirtualMemory
SSDT 86842E38 ZwImpersonateAnonymousToken
SSDT 86857198 ZwImpersonateThread
SSDT 8684B428 ZwMapViewOfSection
SSDT 8688C1D0 ZwOpenEvent
SSDT 86850B38 ZwOpenProcessToken
SSDT 8684E5B0 ZwOpenThreadToken
SSDT \??\E:\Windows\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory [0x8CB87B90]
SSDT 8684BD90 ZwResumeThread
SSDT 86857668 ZwSetContextThread
SSDT 8684B568 ZwSetInformationProcess
SSDT 868728B8 ZwSetInformationThread
SSDT 8688C0F0 ZwSuspendProcess
SSDT 8688C5C0 ZwSuspendThread
SSDT 86850668 ZwTerminateProcess
SSDT 86869198 ZwTerminateThread
SSDT 8688CA90 ZwUnmapViewOfSection
SSDT 866D4DA0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82A4F369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A88D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 82A8FD90 8 Bytes [38, 7B, 85, 86, 68, 96, 86, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82A8FDA8 4 Bytes [B8, 65, 84, 86]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82A8FE48 4 Bytes [98, 38, 71, 86] {CWDE ; CMP [ECX-0x7a], DH}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82A8FE84 4 Bytes [90, C2, 88, 86] {NOP ; RET 0x8688}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1203 82A8FEB8 4 Bytes [78, E0, 84, 86]
.text ...
? System32\drivers\dgptsow.sys The system cannot find the path specified. !
PAGE peauth.sys B4825BEC 111 Bytes [2E, 22, 58, E9, 24, C6, 7E, ...]
? E:\Users\RANDYM~1\AppData\Local\Temp\aswMBR.sys The system cannot find the file specified. !
? E:\Users\RANDYM~1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text E:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1372] kernel32.dll!SetUnhandledExceptionFilter 761EF4FB 5 Bytes JMP 652E50B8 E:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text E:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[1372] ole32.dll!OleLoadFromStream 75C56143 5 Bytes JMP 65DAEAC8 E:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] kernel32.dll!CreateThread 761EDCC2 5 Bytes JMP 69567303 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!EnableWindow 77248D02 5 Bytes JMP 695A9A14 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!GetAsyncKeyState 7724A256 5 Bytes JMP 6954DD8D E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!CallNextHookEx 7724ABE1 5 Bytes JMP 695C7BB7 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!UnhookWindowsHookEx 7724ADF9 5 Bytes JMP 695EEB74 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!DefWindowProcA 7724BB1C 7 Bytes JMP 6956952D E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!CreateWindowExA 7724BF40 5 Bytes JMP 69573363 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!SetWindowsHookExW 7724E30C 5 Bytes JMP 695A2194 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!CreateWindowExW 7724EC7C 5 Bytes JMP 695CFF8F E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!GetKeyState 77252B4D 5 Bytes JMP 6954DC67 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!IsDialogMessageW 77254104 5 Bytes JMP 696F6D82 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!DefWindowProcW 7725507D 7 Bytes JMP 695C7C1A E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!CreateDialogParamA 77261F42 5 Bytes JMP 696F65F0 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!IsDialogMessage 77262019 5 Bytes JMP 696F6D5A E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!DialogBoxParamW 77263B9B 5 Bytes JMP 6950170B E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!CreateDialogIndirectParamA 7726721D 5 Bytes JMP 696F6660 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!CreateDialogIndirectParamW 7726EA10 5 Bytes JMP 696F6698 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!DialogBoxIndirectParamW 77273B7F 5 Bytes JMP 696F62BE E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!EndDialog 77273BA3 5 Bytes JMP 696F702E E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!CreateDialogParamW 77275630 5 Bytes JMP 696F6628 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!SetKeyboardState 7727695A 5 Bytes JMP 696F7649 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!SendInput 77277019 5 Bytes JMP 696F75F1 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!SetCursorPos 7728C1B0 5 Bytes JMP 696F76CA E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!DialogBoxParamA 7728CF42 5 Bytes JMP 696F6259 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!DialogBoxIndirectParamA 7728D274 5 Bytes JMP 696F6323 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!MessageBoxIndirectA 7729E869 5 Bytes JMP 696F61E0 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!MessageBoxIndirectW 7729E963 1 Byte [E9]
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!MessageBoxIndirectW 7729E963 5 Bytes JMP 696F6167 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!MessageBoxExA 7729E9C9 5 Bytes JMP 696F6103 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!MessageBoxExW 7729E9ED 5 Bytes JMP 696F609F E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] USER32.dll!keybd_event 7729EC3B 5 Bytes JMP 696F75AE E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] SHELL32.dll!RealDriveType + 173D 7640FDD0 4 Bytes [CF, 01, 07, 72]
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] SHELL32.dll!RealDriveType + 1745 7640FDD8 8 Bytes [E0, 61, 06, 72, 79, F7, 06, ...]
.text E:\Program Files\Internet Explorer\iexplore.exe[1684] ole32.dll!OleLoadFromStream 75C56143 5 Bytes JMP 696F6A8C E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] kernel32.dll!CreateThread 761EDCC2 5 Bytes JMP 69567303 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!EnableWindow 77248D02 5 Bytes JMP 695A9A14 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!GetAsyncKeyState 7724A256 5 Bytes JMP 6954DD8D E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!CallNextHookEx 7724ABE1 5 Bytes JMP 695C7BB7 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!UnhookWindowsHookEx 7724ADF9 5 Bytes JMP 695EEB74 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!DefWindowProcA 7724BB1C 7 Bytes JMP 6956952D E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!CreateWindowExA 7724BF40 5 Bytes JMP 69573363 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!SetWindowsHookExW 7724E30C 5 Bytes JMP 695A2194 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!CreateWindowExW 7724EC7C 5 Bytes JMP 695CFF8F E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!GetKeyState 77252B4D 5 Bytes JMP 6954DC67 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!IsDialogMessageW 77254104 5 Bytes JMP 696F6D82 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!DefWindowProcW 7725507D 7 Bytes JMP 695C7C1A E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!CreateDialogParamA 77261F42 5 Bytes JMP 696F65F0 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!IsDialogMessage 77262019 5 Bytes JMP 696F6D5A E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!DialogBoxParamW 77263B9B 5 Bytes JMP 6950170B E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!CreateDialogIndirectParamA 7726721D 5 Bytes JMP 696F6660 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!CreateDialogIndirectParamW 7726EA10 5 Bytes JMP 696F6698 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!DialogBoxIndirectParamW 77273B7F 5 Bytes JMP 696F62BE E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!EndDialog 77273BA3 5 Bytes JMP 696F702E E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!CreateDialogParamW 77275630 5 Bytes JMP 696F6628 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!SetKeyboardState 7727695A 5 Bytes JMP 696F7649 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!SendInput 77277019 5 Bytes JMP 696F75F1 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!SetCursorPos 7728C1B0 5 Bytes JMP 696F76CA E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!DialogBoxParamA 7728CF42 5 Bytes JMP 696F6259 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!DialogBoxIndirectParamA 7728D274 5 Bytes JMP 696F6323 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!MessageBoxIndirectA 7729E869 5 Bytes JMP 696F61E0 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!MessageBoxIndirectW 7729E963 1 Byte [E9]
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!MessageBoxIndirectW 7729E963 5 Bytes JMP 696F6167 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!MessageBoxExA 7729E9C9 5 Bytes JMP 696F6103 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!MessageBoxExW 7729E9ED 5 Bytes JMP 696F609F E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] USER32.dll!keybd_event 7729EC3B 5 Bytes JMP 696F75AE E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] SHELL32.dll!RealDriveType + 173D 7640FDD0 4 Bytes [CF, 01, 07, 72]
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] SHELL32.dll!RealDriveType + 1745 7640FDD8 8 Bytes [E0, 61, 06, 72, 79, F7, 06, ...]
.text E:\Program Files\Internet Explorer\iexplore.exe[1692] ole32.dll!OleLoadFromStream 75C56143 5 Bytes JMP 696F6A8C E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3972] USER32.dll!EnableWindow 77248D02 5 Bytes JMP 695A9A14 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3972] USER32.dll!DialogBoxParamW 77263B9B 5 Bytes JMP 6950170B E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3972] USER32.dll!DialogBoxIndirectParamW 77273B7F 5 Bytes JMP 696F62BE E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3972] USER32.dll!DialogBoxParamA 7728CF42 5 Bytes JMP 696F6259 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3972] USER32.dll!DialogBoxIndirectParamA 7728D274 5 Bytes JMP 696F6323 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3972] USER32.dll!MessageBoxIndirectA 7729E869 5 Bytes JMP 696F61E0 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3972] USER32.dll!MessageBoxIndirectW 7729E963 1 Byte [E9]
.text E:\Program Files\Internet Explorer\iexplore.exe[3972] USER32.dll!MessageBoxIndirectW 7729E963 5 Bytes JMP 696F6167 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3972] USER32.dll!MessageBoxExA 7729E9C9 5 Bytes JMP 696F6103 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3972] USER32.dll!MessageBoxExW 7729E9ED 5 Bytes JMP 696F609F E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000055 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\BTHUSB \Device\00000084 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000086 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00218641c997
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00218641c997@000761b80117 0x64 0x58 0x94 0x0A ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00218641c997 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00218641c997@000761b80117 0x64 0x58 0x94 0x0A ...

---- Files - GMER 1.0.15 ----

File E:\Users\Randy Moon\AppData\Roaming\Microsoft\Windows\Recent\9.0.lnk 604 bytes

---- EOF - GMER 1.0.15 ----


aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2012-01-05 17:31:41
-----------------------------
17:31:41.680 OS Version: Windows 6.1.7601 Service Pack 1
17:31:41.680 Number of processors: 2 586 0x1706
17:31:41.680 ComputerName: RANDYMOON-PC UserName: Randy Moon
17:32:00.119 Initialize success
17:32:49.699 AVAST engine defs: 12010501
17:39:07.681 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
17:39:07.696 Disk 0 Vendor: FUJITSU_MHW2160BJ_FFS_G2 0085001C Size: 152627MB BusType: 3
17:39:07.712 Disk 0 MBR read successfully
17:39:07.712 Disk 0 MBR scan
17:39:07.712 Disk 0 Windows 7 default MBR code
17:39:07.712 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38115 MB offset 63
17:39:07.743 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 114510 MB offset 78059835
17:39:07.743 Disk 0 scanning sectors +312576705
17:39:07.806 Disk 0 scanning E:\Windows\system32\drivers
17:39:17.587 Service scanning
17:39:18.242 Service SysPlant E:\Windows\SYSTEM32\Drivers\SysPlant.sys **LOCKED** 32
17:39:18.242 Service Teefer2 E:\Windows\system32\DRIVERS\teefer2.sys **LOCKED** 32
17:39:18.273 Service WPS E:\Windows\system32\drivers\wpsdrvnt.sys **LOCKED** 32
17:39:18.788 Service WpsHelper E:\Windows\system32\drivers\WpsHelper.sys **LOCKED** 32
17:39:19.303 Modules scanning
17:39:26.276 Disk 0 trace - called modules:
17:39:26.307 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll intelide.sys PCIIDEX.SYS atapi.sys
17:39:26.307 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x863193d8]
17:39:26.307 3 CLASSPNP.SYS[8ca3759e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x8622d908]
17:39:27.290 AVAST engine scan E:\Windows
17:39:29.006 AVAST engine scan E:\Windows\system32
17:41:26.662 AVAST engine scan E:\Windows\system32\drivers
17:41:36.506 AVAST engine scan E:\Users\Randy Moon
17:43:43.334 AVAST engine scan E:\ProgramData
17:44:10.806 Scan finished successfully
22:12:40.737 Disk 0 MBR has been saved successfully to "E:\Users\Randy Moon\Desktop\MBR.dat"
22:12:41.158 The log file has been saved successfully to "E:\Users\Randy Moon\Desktop\aswMBR.txt"


Thanks for any help you can provide.
R. Moon

#2 HelpBot

HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,669 posts
  • Gender:Male

Posted 12 January 2012 - 12:35 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/436550 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 m0le

m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 January 2012 - 09:07 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

There doesn't appear to be anything to see at the moment.

Can you please run OTL, a scanner like DDS.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

m0le is a proud member of UNITE

#4 rmoonks

rmoonks
  • Topic Starter

  • Members
  • 35 posts

Posted 13 January 2012 - 10:14 PM

Hello,
Thank you for your help. I have a partitioned hard drive and I run Windows XP on my "C" drive and Windows 7 on my "E" Drive. I ran a DDS Scan on both drives today. You will see the 2 offending files listed in that Log result. I am also attaching the OTL Logs as you requested. I ran OTL on the "E" drive only. If you want me to run it on the "C" drive as well please advise. Before I ran the OTL Scan MalwareBytes deleted the 2 offending files again today so they may not show up in the OTL Log. I am currently in the process of running a GMER Scan and will post the log as soon as it is complete. Unfortunately, Malwarebytes deleted the 2 offending files again today, before I began the GMER scan, so they may not show up in the GMER Log when I post it later. For the time being, here are the DDS Logs as requested. Over the course of the past 2 weeks I think I have eradicated most of the offending Malware from both drives using a combination of Malwarebytes Anti-Malware, TDSSKiller, ESET Sirefef Remover, Symantec Endpoint, and ComboFix. I was infected with several malware viruses including ZeroAccess, P.GEN, and the XP 2012 virus. I show clean of all of them for now and I no longer have the re-direct problems caused by ZeroAccess. However, my problem of the 2 "orphaned" malware files continues. Every 2 days I get the same result from MalwareBytes as reported in post #1. Malwarebytes cleans and deletes the 2 orphaned files and a day or 2 later they come back and I receive the same error messages upon startup that the computer cannot find those files. This only happens on the "E" Drive with Windows 7. It does not happen on the "C" Drive with Windows XP.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by RMoon at 7:40:45 on 2012-01-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2841 [GMT -6:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\DesktopAuthority\DaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.08004.63486\SLClient.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\novell\zenworks\bin\ZENPreAgent.exe
C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.08004.63486\CBM\ScriptLogic.CBM.Agent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.08004.63486\CBM\ScriptLogic.CBM.UserExperience.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [DesktopAuthority User Experience] "c:\program files\scriptlogic\desktop authority\client files\8.08004.63486\cbm\ScriptLogic.CBM.UserExperience.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: TaskbarNoNotification = 1 (0x1)
uPolicies-explorer: ForceRunOnStartMenu = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: disablecad = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: state.ks.us\*.kcjis
Trusted Zone: state.ks.us\*.kcjis
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{DD02CD48-D433-4EDB-BBE7-A074B241F8F5} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{F0850862-22B1-4604-BE23-C33A3930BF0E} : DhcpNameServer = 69.78.235.35 69.78.96.14
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\DAinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\rmoon\application data\mozilla\firefox\profiles\u14o2jr0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-2-3 108456]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-2-3 108456]
R2 DAInfo;DAInfo;c:\program files\desktopauthority\DAinfo.sys [2010-8-30 12168]
R2 DAMaint;DA Remote Management Maintenance Service;c:\program files\desktopauthority\DAMaint.exe [2010-8-30 63496]
R2 DAtf;DAtf;c:\program files\desktopauthority\DAtf.sys [2010-8-30 11144]
R2 DesktopAuthority;DA Remote Management Service;c:\program files\desktopauthority\DesktopAuthority.exe [2010-8-30 1275912]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-23 652872]
R2 ScriptLogic CBM Service;ScriptLogic CBM Service;c:\program files\scriptlogic\desktop authority\client files\8.08004.63486\cbm\ScriptLogic.CBM.Agent.exe [2010-2-2 420352]
R2 SLClient;ScriptLogic Service;c:\program files\scriptlogic\desktop authority\client files\8.08004.63486\SLClient.exe [2010-2-2 552288]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-3-10 1839888]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-8-7 2521880]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2008-8-7 9176]
R2 ZENPreAgent;Novell ZENworks Pre Agent;c:\windows\novell\zenworks\bin\ZENPreAgent.exe [2008-8-7 163840]
R3 DAmirr;DAmirr;c:\windows\system32\drivers\DAmirr.sys [2010-8-30 9352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-1-9 106104]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-23 20464]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120109.019\NAVENG.SYS [2012-1-9 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120109.019\NAVEX15.SYS [2012-1-9 1576312]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2010-9-1 114704]
S3 SirefefRemover;SirefefRemover;\??\c:\docume~1\rmoon\locals~1\temp\1f0f67fe6.tmp --> c:\docume~1\rmoon\locals~1\temp\1f0f67fe6.tmp [?]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
.
=============== Created Last 30 ================
.
2012-01-10 04:00:43 -------- d-----w- c:\program files\CCleaner
2012-01-10 03:35:00 -------- d-----w- C:\ComboFix
2012-01-10 03:18:20 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2012-01-10 03:16:49 357792 ----a-w- c:\windows\system32\Sysfer.dll
2012-01-10 03:16:48 99744 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2012-01-10 03:16:10 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-01-10 03:16:10 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-01-10 02:36:02 290304 ----a-w- C:\subinacl.exe
2012-01-10 02:32:59 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2012-01-10 02:31:59 7556 -c--a-w- c:\windows\system32\dllcache\usroslba.sys
2012-01-10 02:30:59 222336 -c--a-w- c:\windows\system32\dllcache\trid3dm.sys
2012-01-10 02:29:58 30688 -c--a-w- c:\windows\system32\dllcache\sym_u3.sys
2012-01-10 02:28:59 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2012-01-10 02:27:58 101760 -c--a-w- c:\windows\system32\dllcache\sis300ip.sys
2012-01-10 02:26:59 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
2012-01-10 02:25:57 40448 -c--a-w- c:\windows\system32\dllcache\ql1240.sys
2012-01-10 02:24:58 86016 -c--a-w- c:\windows\system32\dllcache\pctspk.exe
2012-01-10 02:23:58 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2012-01-10 02:22:59 19968 -c--a-w- c:\windows\system32\dllcache\mxicfg.dll
2012-01-10 02:21:58 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys
2012-01-10 02:20:58 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2012-01-10 02:19:59 38528 -c--a-w- c:\windows\system32\dllcache\ibmvcap.sys
2012-01-10 02:18:58 68608 -c--a-w- c:\windows\system32\dllcache\hpgt53tk.dll
2012-01-10 02:17:56 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys
2012-01-10 02:16:59 44103 -c--a-w- c:\windows\system32\dllcache\el515.sys
2012-01-10 02:15:58 27648 -c--a-w- c:\windows\system32\dllcache\cyzports.dll
2012-01-10 02:14:45 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2012-01-10 02:13:58 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2012-01-10 01:45:21 -------- d-----w- C:\$RECYCLE.BIN
2012-01-10 01:27:37 382 ----a-w- C:\temp627.bat
2012-01-10 00:54:37 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-01-09 23:34:43 -------- d-----w- c:\program files\ESET
2012-01-09 04:35:33 98816 ----a-w- C:\sed.exe
2012-01-09 04:35:33 80412 ----a-w- C:\grep.exe
2012-01-09 04:35:33 68096 ----a-w- C:\zip.exe
2012-01-09 04:35:33 60416 ----a-w- C:\NIRCMD.exe
2012-01-09 04:35:33 518144 ----a-w- C:\SWREG.exe
2012-01-09 04:35:33 406528 ----a-w- C:\SWSC.exe
2012-01-09 04:35:33 256000 ----a-w- C:\PEV.exe
2012-01-09 04:35:33 212480 ----a-w- C:\SWXCACLS.exe
2012-01-09 04:35:33 208896 ----a-w- C:\MBR.exe
2012-01-09 04:33:31 -------- d-----w- C:\ERDNT
2012-01-09 04:27:51 -------- d---a-r- C:\cmdcons
2011-12-26 15:49:46 -------- d-----w- C:\tmp
2011-12-22 00:39:27 -------- d-----w- c:\program files\Trend Micro
.
==================== Find3M ====================
.
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-05 01:38:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 7:41:37.92 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/30/2010 3:09:12 PM
System Uptime: 1/13/2012 7:38:10 AM (0 hours ago)
.
Motherboard: Dell Inc. | | 0HN341
Processor: Intel Pentium III Xeon processor | Microprocessor | 2493/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 37 GiB total, 14.414 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 112 GiB total, 83.966 GiB free.
G: is Removable
H: is FIXED (NTFS) - 233 GiB total, 124.635 GiB free.
I: is FIXED (NTFS) - 233 GiB total, 185.482 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® Wireless WiFi Link 4965AGN
Device ID: PCI\VEN_8086&DEV_4229&SUBSYS_11208086&REV_61\4&AB208E&0&00E1
Manufacturer: Intel Corporation
Name: Intel® Wireless WiFi Link 4965AGN
PNP Device ID: PCI\VEN_8086&DEV_4229&SUBSYS_11208086&REV_61\4&AB208E&0&00E1
Service: NETw5x32
.
Class GUID:
Description: Biometric Coprocessor
Device ID: USB\VID_0483&PID_2016\5&1F158A8D&0&2
Manufacturer:
Name: Biometric Coprocessor
PNP Device ID: USB\VID_0483&PID_2016\5&1F158A8D&0&2
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
.
AC3Filter 1.63b
Adobe Acrobat 9 Standard
Adobe Acrobat 9.4.1 - CPSID_83708
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
ATI - Software Uninstall Utility
ATI Display Driver
Bluetooth Stack for Windows by Toshiba
Broadcom Gigabit Integrated Controller
CCleaner
Conexant HDA D330 MDC V.92 Modem
ConvertHelper 2.2
Critical Update for Windows Media Player 11 (KB959772)
Dell Touchpad
DNA
ESET Online Scanner v3
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Deskjet 6900 series
hp deskjet 940c series
Intel PROSet Wireless
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless WiFi Software
Intel® Active Management Technology
Intel® Management Engine Interface
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft English TTS Engine
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox 8.0 (x86 en-US)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB925673)
NTRU TCG Software Stack
OZ776 SCR Driver V1.1.4.202
PANTECH PC Card Software
PC5750 Firmware Updates
PowerDVD
QFolder
QuickTime
Roxio Easy Media Creator 7 Basic Edition
SAPI Wrapper
ScriptLogic Desktop Authority: Computer Agent
Security Update for 2007 Microsoft Office System (KB2277947)
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2251419)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SigmaTel Audio
SoundMAX
ST Microelectronics TPM Driver Installer
Symantec Endpoint Protection
system-update
TTS Wrapper
Type1027 TWAIN Driver Ver.3
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (kb2291599)
Update for Windows XP (KB2141007)
Update for Windows XP (KB942763)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973815)
Vista tn3270
VZAccess Manager
WebFldrs XP
Windows Driver Package - STMicroelectronics (stmtpm) System (05/24/2007 1.00.04.15)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows NT Messaging
Windows Presentation Foundation
Windows Search 4.0
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
1/9/2012 9:34:35 PM, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
1/9/2012 9:22:31 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
1/9/2012 8:59:27 PM, error: Service Control Manager [7023] - The Windows Driver Foundation - User-mode Driver Framework service terminated with the following error: A device attached to the system is not functioning.
1/9/2012 8:57:50 PM, error: Dhcp [1002] - The IP address lease 169.254.229.226 for the Network Card with network address 0021706ED6FE has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
1/9/2012 8:52:36 PM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952506 (0x8007277A).
1/9/2012 7:34:48 PM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: The requested service provider could not be loaded or initialized.
1/9/2012 7:34:48 PM, error: Service Control Manager [7023] - The DA Remote Management Service service terminated with the following error: The requested service provider could not be loaded or initialized.
1/9/2012 7:34:48 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952506
1/9/2012 7:22:03 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The requested service provider could not be loaded or initialized.
1/9/2012 7:22:03 PM, error: Service Control Manager [7023] - The Net Logon service terminated with the following error: The requested service provider could not be loaded or initialized.
1/9/2012 7:20:40 PM, error: NETLOGON [5737] - The system returned the following unexpected error code: The requested service provider could not be loaded or initialized.
1/9/2012 6:55:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
1/9/2012 5:41:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm Tosrfcom
1/9/2012 5:41:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/9/2012 5:41:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/8/2012 9:51:58 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
1/8/2012 9:51:51 PM, error: NETLOGON [5719] - No Domain Controller is available for domain KHP due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
1/8/2012 9:26:10 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
1/8/2012 4:19:52 PM, error: Service Control Manager [7000] - The Extend WG Protocol Driver service failed to start due to the following error: The system cannot find the file specified.
1/8/2012 10:30:01 PM, error: Service Control Manager [7034] - The Novell ZENworks Pre Agent service terminated unexpectedly. It has done this 1 time(s).
1/8/2012 10:03:28 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
.
==== End Of File ===========================
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Run by Randy Moon at 17:57:54 on 2012-01-13
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3574.2708 [GMT -6:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
E:\Windows\system32\wininit.exe
E:\Windows\system32\lsm.exe
E:\Windows\system32\svchost.exe -k DcomLaunch
E:\Windows\system32\svchost.exe -k RPCSS
E:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
E:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
E:\Windows\system32\svchost.exe -k netsvcs
E:\Windows\system32\svchost.exe -k LocalService
E:\Windows\system32\WUDFHost.exe
E:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
E:\Windows\system32\svchost.exe -k NetworkService
E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
E:\Windows\System32\spoolsv.exe
E:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
E:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\CyberLink\Shared files\RichVideo.exe
E:\Windows\system32\svchost.exe -k imgsvc
E:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
E:\Windows\system32\taskhost.exe
E:\Windows\system32\Dwm.exe
E:\Windows\Explorer.EXE
E:\Windows\system32\svchost.exe -k bthsvcs
E:\Windows\system32\WUDFHost.exe
E:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
E:\Windows\System32\igfxtray.exe
E:\Windows\System32\hkcmd.exe
E:\Windows\System32\igfxpers.exe
E:\Windows\system32\igfxsrvc.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Windows\system32\SearchIndexer.exe
E:\Program Files\Windows Media Player\wmpnetwk.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Windows\system32\wbem\wmiprvse.exe
E:\Windows\System32\svchost.exe -k LocalServicePeerNet
E:\Windows\system32\DllHost.exe
E:\Windows\system32\DllHost.exe
E:\Windows\system32\conhost.exe
E:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Trolltech Update] rundll32 "e:\users\randy moon\appdata\local\virtualstore\virtualstoreupdate\VirtualStoreupdt32.DLL",DllRegisterServer
uRun: [DirectxTrayBackup] rundll32.exe "e:\programdata\DirectxTrayBackup.dll",DllRegisterServer
mRun: [IgfxTray] e:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] e:\windows\system32\hkcmd.exe
mRun: [Persistence] e:\windows\system32\igfxpers.exe
mRun: [ccApp] "e:\program files\common files\symantec shared\ccApp.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "e:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "e:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{75FA6F4A-9030-4BC7-BBBD-1267DCBA1FF4} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{E2A0B9C7-9857-4566-82C6-1DD655158786} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R2 Symantec AntiVirus;Symantec Endpoint Protection;e:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-3-10 1839888]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;e:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;e:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-12-12 106104]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;e:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 SrvHsfHDA;SrvHsfHDA;e:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;e:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;e:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;e:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-28 652872]
S3 MBAMProtector;MBAMProtector;e:\windows\system32\drivers\mbam.sys [2011-12-14 20464]
S3 StorSvc;Storage Service;e:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;e:\windows\system32\drivers\TsUsbFlt.sys [2011-12-17 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;e:\windows\system32\wat\WatAdminSvc.exe [2011-12-12 1343400]
.
=============== Created Last 30 ================
.
2012-01-12 04:38:26 -------- d-sh--w- E:\$RECYCLE.BIN
2012-01-11 22:43:35 1288472 ----a-w- e:\windows\system32\ntdll.dll
2012-01-11 22:43:34 67072 ----a-w- e:\windows\system32\packager.dll
2012-01-11 22:43:33 514560 ----a-w- e:\windows\system32\qdvd.dll
2012-01-11 22:43:33 1328128 ----a-w- e:\windows\system32\quartz.dll
2012-01-10 04:30:08 -------- d-----w- e:\program files\ESET
2012-01-09 05:12:56 -------- d-----w- e:\users\randy moon\appdata\local\temp
2012-01-09 05:00:26 98816 ----a-w- e:\windows\sed.exe
2012-01-09 05:00:26 518144 ----a-w- e:\windows\SWREG.exe
2012-01-09 05:00:26 256000 ----a-w- e:\windows\PEV.exe
2012-01-09 05:00:26 208896 ----a-w- e:\windows\MBR.exe
2011-12-22 23:17:43 -------- d-----w- e:\windows\system32\appmgmt
2011-12-21 22:59:57 -------- d-----w- e:\windows\system32\SPReview
2011-12-21 22:59:35 -------- d-----w- e:\windows\system32\EventProviders
2011-12-21 22:58:43 805376 ----a-w- e:\windows\system32\FntCache.dll
2011-12-21 22:58:43 739840 ----a-w- e:\windows\system32\d2d1.dll
2011-12-21 22:58:43 1076736 ----a-w- e:\windows\system32\DWrite.dll
2011-12-20 02:26:48 -------- d-----w- e:\programdata\YouTube Downloader
2011-12-20 02:23:45 -------- d-----w- e:\users\randy moon\dwhelper
2011-12-18 22:03:51 -------- d-----w- e:\programdata\ClubSanDisk
2011-12-18 22:00:11 -------- d-----w- e:\users\randy moon\appdata\roaming\SanDisk
2011-12-18 01:22:59 868864 ----a-w- e:\program files\common files\microsoft shared\ink\tipskins.dll
2011-12-18 01:21:59 96768 ----a-w- e:\windows\system32\drivers\umdf\WUDFUsbccidDriver.dll
2011-12-15 22:53:30 143360 ----a-w- e:\program files\internet explorer\plugins\npqtplugin7.dll
2011-12-15 22:53:30 143360 ----a-w- e:\program files\internet explorer\plugins\npqtplugin6.dll
2011-12-15 22:53:30 143360 ----a-w- e:\program files\internet explorer\plugins\npqtplugin5.dll
2011-12-15 22:53:30 143360 ----a-w- e:\program files\internet explorer\plugins\npqtplugin4.dll
2011-12-15 22:53:30 143360 ----a-w- e:\program files\internet explorer\plugins\npqtplugin3.dll
2011-12-15 22:53:30 143360 ----a-w- e:\program files\internet explorer\plugins\npqtplugin2.dll
2011-12-15 22:53:30 143360 ----a-w- e:\program files\internet explorer\plugins\npqtplugin.dll
2011-12-15 04:17:24 472808 ----a-w- e:\windows\system32\deployJava1.dll
2011-12-15 03:00:42 -------- d-----w- e:\users\randy moon\appdata\local\WinZip Courier
2011-12-15 02:35:03 -------- d-----w- e:\users\randy moon\appdata\local\WinZip
2011-12-15 02:34:47 -------- d-----w- e:\programdata\WinZipEC
2011-12-15 02:34:45 -------- d-----w- e:\program files\WinZip Courier
2011-12-15 02:34:36 -------- d-----w- e:\windows\CD95F661A5C411AFB2CCABCD21A325B8.TMP
2011-12-15 01:55:28 -------- d-----w- e:\users\randy moon\appdata\roaming\Malwarebytes
2011-12-15 01:55:06 -------- d-----w- e:\programdata\Malwarebytes
2011-12-15 01:55:03 20464 ----a-w- e:\windows\system32\drivers\mbam.sys
2011-12-15 01:55:03 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2011-12-15 01:35:44 -------- d-----w- e:\program files\YouTube Downloader
.
==================== Find3M ====================
.
2011-12-22 01:30:47 152576 ----a-w- e:\windows\system32\msclmd.dll
2011-12-20 02:23:14 414368 ----a-w- e:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-13 05:29:23 125488 ----a-w- e:\windows\system32\drivers\SYMEVENT.SYS
2011-11-24 04:25:27 2342912 ----a-w- e:\windows\system32\win32k.sys
2011-11-05 04:26:03 2048 ----a-w- e:\windows\system32\tzres.dll
2011-11-03 22:47:42 1798144 ----a-w- e:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- e:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- e:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- e:\windows\system32\mshtml.tlb
2011-10-26 04:47:40 3967856 ----a-w- e:\windows\system32\ntkrnlpa.exe
2011-10-26 04:47:40 3912560 ----a-w- e:\windows\system32\ntoskrnl.exe
2011-10-26 04:28:12 38912 ----a-w- e:\windows\system32\csrsrv.dll
.
============= FINISH: 17:58:50.37 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/12/2011 8:15:27 PM
System Uptime: 1/13/2012 5:56:00 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0HN341
Processor: Intel® Core™2 Duo CPU T9300 @ 2.50GHz | Microprocessor | 2501/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 37 GiB total, 14.429 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 112 GiB total, 83.951 GiB free.
F: is Removable
H: is FIXED (NTFS) - 233 GiB total, 124.631 GiB free.
I: is FIXED (NTFS) - 233 GiB total, 185.478 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
2007 Microsoft Office Suite Service Pack 3 (SP3)
Adobe Acrobat 9 Standard
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
CyberLink PowerDirector
CyberLink WaveEditor
ESET Online Scanner v3
Intel® Graphics Media Accelerator Driver
Intel® TV Wizard
iTunes
Java Auto Updater
Java™ 6 Update 24
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft .NET Framework 4 Client Profile
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Quicken 2009
QuickTime
SanDiskSecureAccess_Manager.exe
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Skype™ 5.5
Symantec Endpoint Protection
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
WinZip 16.0
YouTube Downloader 3.4
.
==== Event Viewer Messages From Past Week ========
.
1/9/2012 5:16:42 PM, Error: Service Control Manager [7023] - The Server service terminated with the following error: The data is invalid.
1/9/2012 5:16:42 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: A system shutdown is in progress.
1/9/2012 10:29:45 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
1/9/2012 10:29:44 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
1/9/2012 10:29:44 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/9/2012 10:29:35 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/9/2012 10:29:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
1/9/2012 10:28:56 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache eeCtrl SPBBCDrv spldr SRTSP SRTSPX SYMTDI Wanarpv6
1/11/2012 10:37:32 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
1/10/2012 8:48:09 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
.
==== End Of File ===========================
OTL logfile created on: 1/13/2012 8:46:31 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = H:\Downloaded Software\Malware Rootkit Folder
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.49 Gb Total Physical Memory | 1.89 Gb Available Physical Memory | 54.03% Memory free
6.98 Gb Paging File | 5.32 Gb Available in Paging File | 76.17% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\Windows | %ProgramFiles% = E:\Program Files
Drive C: | 37.22 Gb Total Space | 14.43 Gb Free Space | 38.76% Space Free | Partition Type: NTFS
Drive E: | 111.83 Gb Total Space | 83.90 Gb Free Space | 75.03% Space Free | Partition Type: NTFS
Drive F: | 7.44 Gb Total Space | 7.38 Gb Free Space | 99.22% Space Free | Partition Type: FAT32
Drive H: | 232.88 Gb Total Space | 124.63 Gb Free Space | 53.52% Space Free | Partition Type: NTFS
Drive I: | 232.88 Gb Total Space | 185.48 Gb Free Space | 79.65% Space Free | Partition Type: NTFS

Computer Name: RANDYMOON-PC | User Name: Randy Moon | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - H:\Downloaded Software\Malware Rootkit Folder\cpw79zdh.exe ()
PRC - H:\Downloaded Software\Malware Rootkit Folder\OTL.exe (OldTimer Tools)
PRC - E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - E:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
PRC - E:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
PRC - E:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (Symantec Corporation)
PRC - E:\Windows\explorer.exe (Microsoft Corporation)
PRC - E:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
PRC - E:\Windows\System32\taskhost.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - H:\Downloaded Software\Malware Rootkit Folder\cpw79zdh.exe ()
MOD - E:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - E:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - E:\Program Files\Common Files\microsoft shared\OFFICE12\MSPTLS.DLL ()
MOD - E:\Program Files\Microsoft Office\Office12\ADDINS\UmOutlookAddin.dll ()
MOD - E:\Program Files\Microsoft Office\Office12\ADDINS\ColleagueImport.dll ()
MOD - E:\Program Files\Adobe\Acrobat 9.0\PDFMaker\Common\AdobePDFMakerX.dll ()


========== Win32 Services (SafeList) ==========

SRV - (MBAMService) -- E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (WatAdminSvc) -- E:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service) -- E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (Symantec AntiVirus) -- E:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
SRV - (SmcService) -- E:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
SRV - (SNAC) -- E:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE (Symantec Corporation)
SRV - (ccSetMgr) -- E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (LiveUpdate) -- E:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
SRV - (StorSvc) -- E:\Windows\System32\StorSvc.dll (Microsoft Corporation)
SRV - (SensrSvc) -- E:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- E:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- E:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (SymEvent) -- E:\Windows\System32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (MBAMProtector) -- E:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (NAVEX15) -- E:\ProgramData\Symantec\Definitions\VirusDefs\20120112.019\NAVEX15.SYS (Symantec Corporation)
DRV - (eeCtrl) -- E:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- E:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (NAVENG) -- E:\ProgramData\Symantec\Definitions\VirusDefs\20120112.019\NAVENG.SYS (Symantec Corporation)
DRV - (WpsHelper) -- E:\Windows\System32\drivers\wpshelper.sys (Symantec Corporation)
DRV - (SRTSPL) -- E:\Windows\System32\drivers\srtspl.sys (Symantec Corporation)
DRV - (SRTSP) -- E:\Windows\System32\drivers\srtsp.sys (Symantec Corporation)
DRV - (SRTSPX) -- E:\Windows\System32\drivers\srtspx.sys (Symantec Corporation)
DRV - (SysPlant) -- E:\Windows\SYSTEM32\Drivers\SysPlant.sys (Symantec Corporation)
DRV - (WPS) -- E:\Windows\System32\drivers\WPSDRVnt.sys (Symantec Corporation)
DRV - (Teefer2) -- E:\Windows\System32\drivers\Teefer2.sys (Symantec Corporation)
DRV - (vmbus) -- E:\Windows\system32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (storflt) -- E:\Windows\system32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- E:\Windows\system32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- E:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (WinUsb) -- E:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (VMBusHID) -- E:\Windows\system32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- E:\Windows\system32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (SPBBCDrv) -- E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (guardian2) -- E:\Windows\System32\drivers\oz776.sys (O2Micro)
DRV - (SYMTDI) -- E:\Windows\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (SYMREDRV) -- E:\Windows\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (Serial) -- E:\Windows\System32\drivers\serial.sys (Brother Industries Ltd.)
DRV - (netw5v32) Intel® -- E:\Windows\System32\drivers\netw5v32.sys (Intel Corporation)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = E:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = E:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 61 CC 46 AA 3E B9 CC 01 [binary data]
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - E:\Windows\System32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=937811&ilc=12"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: E:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: E:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: E:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: e:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)


[2011/12/14 16:10:54 | 000,000,000 | ---D | M] (No name found) -- E:\Users\Randy Moon\AppData\Roaming\Mozilla\Extensions
[2012/01/11 16:46:40 | 000,000,000 | ---D | M] (No name found) -- E:\Users\Randy Moon\AppData\Roaming\Mozilla\Firefox\Profiles\30ottbsu.default\extensions
[2012/01/11 16:46:40 | 000,000,000 | ---D | M] (DownloadHelper) -- E:\Users\Randy Moon\AppData\Roaming\Mozilla\Firefox\Profiles\30ottbsu.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2012/01/11 22:06:56 | 000,000,000 | ---D | M] (No name found) -- E:\Program Files\Mozilla Firefox\extensions
[2011/12/14 22:17:26 | 000,000,000 | ---D | M] (Java Console) -- E:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

O1 HOSTS File: ([2012/01/08 23:11:15 | 000,000,027 | ---- | M]) - E:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] E:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [HotKeysCmds] E:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] E:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Persistence] E:\Windows\System32\igfxpers.exe (Intel Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - E:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - E:\Windows\System32\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - E:\Windows\System32\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - E:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - E:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - E:\Windows\System32\wshbth.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - E:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - E:\Windows\System32\winrnr.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - E:\Windows\System32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{75FA6F4A-9030-4BC7-BBBD-1267DCBA1FF4}: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E2A0B9C7-9857-4566-82C6-1DD655158786}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - E:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - E:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - E:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - E:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - E:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - E:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - E:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - E:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - E:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - E:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - E:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - E:\Windows\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - E:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - E:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - E:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - E:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - E:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - E:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - E:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - E:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - E:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - E:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -E:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (E:\Windows\system32\userinit.exe) -E:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -E:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - E:\Windows\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - E:\Windows\System32\webcheck.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (credssp.dll) -E:\Windows\System32\credssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) -E:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) -E:\Windows\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) -E:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) -E:\Windows\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) -E:\Windows\System32\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) -E:\Windows\System32\tspkg.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) -E:\Windows\System32\pku2u.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/07 09:59:55 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/06/10 15:42:20 | 000,000,024 | ---- | M] () - E:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/11 22:38:45 | 000,000,000 | ---D | C] -- E:\Windows\temp
[2012/01/11 22:38:26 | 000,000,000 | -HSD | C] -- E:\$RECYCLE.BIN
[2012/01/11 22:27:34 | 000,000,000 | ---D | C] -- E:\Qoobox
[2012/01/11 22:19:47 | 000,000,000 | ---D | C] -- E:\Users\Randy Moon\Desktop\Former student sues school district_files
[2012/01/11 22:19:19 | 000,000,000 | ---D | C] -- E:\Users\Randy Moon\Desktop\Kingman teacher previously accused of sex with student_files
[2012/01/11 22:12:36 | 000,000,000 | ---D | C] -- E:\Users\Randy Moon\Desktop\Kingman-Norwich school district rejects claims of sexual harassment_files
[2012/01/11 16:43:34 | 000,067,072 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\packager.dll
[2012/01/11 16:43:33 | 001,328,128 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\quartz.dll
[2012/01/11 16:43:33 | 000,514,560 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\qdvd.dll
[2012/01/09 22:30:08 | 000,000,000 | ---D | C] -- E:\Program Files\ESET
[2012/01/08 23:12:56 | 000,000,000 | ---D | C] -- E:\Users\Randy Moon\AppData\Local\temp
[2012/01/08 23:00:26 | 000,518,144 | ---- | C] (SteelWerX) -- E:\Windows\SWREG.exe
[2012/01/08 23:00:26 | 000,406,528 | ---- | C] (SteelWerX) -- E:\Windows\SWSC.exe
[2012/01/08 23:00:26 | 000,060,416 | ---- | C] (NirSoft) -- E:\Windows\NIRCMD.exe
[2012/01/08 22:09:43 | 000,000,000 | ---D | C] -- E:\Windows\ERDNT
[2011/12/22 17:17:43 | 000,000,000 | ---D | C] -- E:\Windows\System32\appmgmt
[2011/12/21 16:59:57 | 000,000,000 | ---D | C] -- E:\Windows\System32\SPReview
[2011/12/21 16:59:35 | 000,000,000 | ---D | C] -- E:\Windows\System32\EventProviders
[2011/12/21 16:58:43 | 001,076,736 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\DWrite.dll
[2011/12/21 16:58:43 | 000,739,840 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\d2d1.dll
[2011/12/19 20:26:48 | 000,000,000 | ---D | C] -- E:\ProgramData\YouTube Downloader
[2011/12/19 20:23:45 | 000,000,000 | ---D | C] -- E:\Users\Randy Moon\dwhelper
[2011/12/18 16:03:51 | 000,000,000 | ---D | C] -- E:\ProgramData\ClubSanDisk
[2011/12/18 16:00:14 | 000,000,000 | ---D | C] -- E:\Users\Randy Moon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SanDisk SecureAccess Manager
[2011/12/18 16:00:11 | 000,000,000 | ---D | C] -- E:\Users\Randy Moon\AppData\Roaming\SanDisk
[2011/12/17 19:23:36 | 000,052,224 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\TsUsbFlt.sys
[2011/12/17 19:23:36 | 000,011,776 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll
[2011/12/17 19:23:30 | 001,171,456 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\d3d10warp.dll
[2011/12/17 19:23:29 | 000,954,752 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mfc40.dll
[2011/12/17 19:23:29 | 000,954,288 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mfc40u.dll
[2011/12/17 19:23:27 | 000,423,936 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\secproc_isv.dll
[2011/12/17 19:23:26 | 000,428,032 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\secproc.dll
[2011/12/17 19:23:26 | 000,327,168 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\RMActivate_isv.exe
[2011/12/17 19:23:25 | 000,322,048 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\RMActivate.exe
[2011/12/17 19:23:23 | 000,253,952 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\spwizui.dll
[2011/12/17 19:23:22 | 003,207,680 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mf.dll
[2011/12/17 19:23:21 | 001,334,272 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\CertEnroll.dll
[2011/12/17 19:23:21 | 000,520,064 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mcupdate_GenuineIntel.dll
[2011/12/17 19:23:19 | 000,295,264 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\PresentationHost.exe
[2011/12/17 19:23:19 | 000,099,176 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\PresentationHostProxy.dll
[2011/12/17 19:23:17 | 005,066,752 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\AuthFWSnapin.dll
[2011/12/17 19:23:17 | 001,115,136 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\RacEngn.dll
[2011/12/17 19:23:15 | 001,493,504 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ExplorerFrame.dll
[2011/12/17 19:23:13 | 001,828,352 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\d3d9.dll
[2011/12/17 19:23:12 | 000,505,856 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\taskschd.dll
[2011/12/17 19:23:11 | 000,456,192 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\spinstall.exe
[2011/12/17 19:23:11 | 000,280,576 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\spreview.exe
[2011/12/17 19:23:11 | 000,051,200 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\PushPrinterConnections.exe
[2011/12/17 19:23:10 | 000,381,440 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wer.dll
[2011/12/17 19:23:09 | 001,371,136 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\dwmcore.dll
[2011/12/17 19:23:08 | 003,367,424 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WinSAT.exe
[2011/12/17 19:23:08 | 000,863,744 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\diagperf.dll
[2011/12/17 19:23:08 | 000,136,704 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\scavengeui.dll
[2011/12/17 19:23:07 | 000,597,504 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\TSWorkspace.dll
[2011/12/17 19:23:07 | 000,270,848 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\tsmf.dll
[2011/12/17 19:23:06 | 002,522,624 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\dbgeng.dll
[2011/12/17 19:23:05 | 001,619,456 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WMVDECOD.DLL
[2011/12/17 19:23:05 | 000,522,752 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\d3d11.dll
[2011/12/17 19:23:04 | 000,584,192 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\gpprefcl.dll
[2011/12/17 19:23:04 | 000,314,880 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\webio.dll
[2011/12/17 19:23:03 | 002,151,936 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mmcndmgr.dll
[2011/12/17 19:23:03 | 000,252,928 | ---- | C] (Microsoft) -- E:\Windows\System32\DShowRdpFilter.dll
[2011/12/17 19:23:03 | 000,049,488 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\netfxperf.dll
[2011/12/17 19:23:02 | 001,792,000 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\authui.dll
[2011/12/17 19:23:02 | 000,974,336 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sppobjs.dll
[2011/12/17 19:23:02 | 000,732,160 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\imapi2fs.dll
[2011/12/17 19:23:02 | 000,341,504 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msdrm.dll
[2011/12/17 19:23:01 | 000,547,840 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\PortableDeviceApi.dll
[2011/12/17 19:23:01 | 000,220,672 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mcbuilder.exe
[2011/12/17 19:23:00 | 001,712,640 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\xpsservices.dll
[2011/12/17 19:23:00 | 001,555,456 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\certmgr.dll
[2011/12/17 19:23:00 | 000,508,904 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\winload.exe
[2011/12/17 19:23:00 | 000,323,072 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drvstore.dll
[2011/12/17 19:22:59 | 000,412,160 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sppwinob.dll
[2011/12/17 19:22:59 | 000,302,592 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\cmd.exe
[2011/12/17 19:22:58 | 000,296,448 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mfds.dll
[2011/12/17 19:22:58 | 000,206,336 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\framedynos.dll
[2011/12/17 19:22:58 | 000,140,800 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\rdpendp.dll
[2011/12/17 19:22:57 | 002,414,080 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wucltux.dll
[2011/12/17 19:22:57 | 001,063,936 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\werconcpl.dll
[2011/12/17 19:22:57 | 000,762,880 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\azroles.dll
[2011/12/17 19:22:57 | 000,442,720 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\winresume.exe
[2011/12/17 19:22:57 | 000,351,232 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wmicmiplugin.dll
[2011/12/17 19:22:57 | 000,339,968 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\appmgr.dll
[2011/12/17 19:22:57 | 000,240,000 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\netio.sys
[2011/12/17 19:22:57 | 000,173,568 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\rdpclip.exe
[2011/12/17 19:22:57 | 000,152,064 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ncsi.dll
[2011/12/17 19:22:55 | 000,801,280 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\NaturalLanguage6.dll
[2011/12/17 19:22:55 | 000,508,416 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\dxgi.dll
[2011/12/17 19:22:55 | 000,305,152 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\taskcomp.dll
[2011/12/17 19:22:55 | 000,196,608 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mfreadwrite.dll
[2011/12/17 19:22:55 | 000,144,768 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\basecsp.dll
[2011/12/17 19:22:54 | 000,776,192 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\calc.exe
[2011/12/17 19:22:54 | 000,488,448 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\evr.dll
[2011/12/17 19:22:54 | 000,335,872 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WinSATAPI.dll
[2011/12/17 19:22:53 | 000,778,240 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sqlsrv32.dll
[2011/12/17 19:22:52 | 000,242,176 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\vpnike.dll
[2011/12/17 19:22:51 | 002,983,424 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\UIRibbon.dll
[2011/12/17 19:22:51 | 000,477,696 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\lpksetup.exe
[2011/12/17 19:22:51 | 000,271,664 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\fveapi.dll
[2011/12/17 19:22:49 | 000,155,136 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\hgprint.dll
[2011/12/17 19:22:49 | 000,116,736 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\prncache.dll
[2011/12/17 19:22:48 | 000,690,680 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ci.dll
[2011/12/17 19:22:48 | 000,458,752 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WSDApi.dll
[2011/12/17 19:22:48 | 000,352,256 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wmpeffects.dll
[2011/12/17 19:22:48 | 000,142,336 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\net1.exe
[2011/12/17 19:22:48 | 000,139,264 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\rpchttp.dll
[2011/12/17 19:22:47 | 000,321,536 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\aepdu.dll
[2011/12/17 19:22:47 | 000,246,272 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\scansetting.dll
[2011/12/17 19:22:47 | 000,175,360 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\vmbus.sys
[2011/12/17 19:22:47 | 000,119,808 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\aitagent.exe
[2011/12/17 19:22:46 | 002,504,192 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WMVCORE.DLL
[2011/12/17 19:22:46 | 000,411,648 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wlangpui.dll
[2011/12/17 19:22:46 | 000,213,504 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\MMDevAPI.dll
[2011/12/17 19:22:46 | 000,167,936 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\QSHVHOST.DLL
[2011/12/17 19:22:46 | 000,131,584 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\aaclient.dll
[2011/12/17 19:22:45 | 001,750,528 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\pnidui.dll
[2011/12/17 19:22:45 | 000,782,336 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\webservices.dll
[2011/12/17 19:22:45 | 000,464,896 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\scrptadm.dll
[2011/12/17 19:22:45 | 000,154,624 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\tscfgwmi.dll
[2011/12/17 19:22:45 | 000,124,416 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\fde.dll
[2011/12/17 19:22:45 | 000,109,056 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\t2embed.dll
[2011/12/17 19:22:45 | 000,101,760 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\consent.exe
[2011/12/17 19:22:44 | 002,146,304 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\SyncCenter.dll
[2011/12/17 19:22:44 | 000,907,776 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sdengin2.dll
[2011/12/17 19:22:44 | 000,560,128 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wuapi.dll
[2011/12/17 19:22:44 | 000,225,792 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\netdiagfx.dll
[2011/12/17 19:22:44 | 000,215,552 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\vmicsvc.exe
[2011/12/17 19:22:44 | 000,051,712 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wscapi.dll
[2011/12/17 19:22:44 | 000,033,280 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\TsUsbGDCoInstaller.dll
[2011/12/17 19:22:43 | 000,727,040 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mcmde.dll
[2011/12/17 19:22:43 | 000,139,264 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\cscobj.dll
[2011/12/17 19:22:42 | 000,830,464 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\MSMPEG2ENC.DLL
[2011/12/17 19:22:42 | 000,826,368 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\rdpcore.dll
[2011/12/17 19:22:42 | 000,392,192 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\imapi2.dll
[2011/12/17 19:22:42 | 000,103,936 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\setupcl.exe
[2011/12/17 19:22:41 | 002,576,384 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\gameux.dll
[2011/12/17 19:22:41 | 000,630,784 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\DXPTaskRingtone.dll
[2011/12/17 19:22:41 | 000,302,592 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\aeinv.dll
[2011/12/17 19:22:40 | 001,624,064 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WMPEncEn.dll
[2011/12/17 19:22:40 | 000,097,280 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\dwmredir.dll
[2011/12/17 19:22:39 | 002,217,856 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\bootres.dll
[2011/12/17 19:22:39 | 001,077,248 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\Narrator.exe
[2011/12/17 19:22:39 | 000,658,944 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\autofmt.exe
[2011/12/17 19:22:39 | 000,196,096 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\vaultsvc.dll
[2011/12/17 19:22:39 | 000,066,560 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\hbaapi.dll
[2011/12/17 19:22:38 | 000,679,424 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\autoconv.exe
[2011/12/17 19:22:38 | 000,195,584 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\AudioSes.dll
[2011/12/17 19:22:38 | 000,194,432 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\halmacpi.dll
[2011/12/17 19:22:38 | 000,194,432 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\hal.dll
[2011/12/17 19:22:38 | 000,166,400 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\netiohlp.dll
[2011/12/17 19:22:38 | 000,100,864 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\audiodg.exe
[2011/12/17 19:22:38 | 000,028,672 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\proquota.exe
[2011/12/17 19:22:37 | 000,441,856 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\powercpl.dll
[2011/12/17 19:22:37 | 000,400,896 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ipsmsnap.dll
[2011/12/17 19:22:37 | 000,337,408 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msihnd.dll
[2011/12/17 19:22:37 | 000,303,104 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msinfo32.exe
[2011/12/17 19:22:37 | 000,301,568 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\srchadmin.dll
[2011/12/17 19:22:37 | 000,222,208 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\eapphost.dll
[2011/12/17 19:22:37 | 000,202,752 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\framedyn.dll
[2011/12/17 19:22:37 | 000,181,760 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\tcpipcfg.dll
[2011/12/17 19:22:37 | 000,179,712 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\schtasks.exe
[2011/12/17 19:22:37 | 000,042,496 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mimefilt.dll
[2011/12/17 19:22:37 | 000,035,968 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\winusb.sys
[2011/12/17 19:22:36 | 000,665,600 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\AuxiliaryDisplayCpl.dll
[2011/12/17 19:22:36 | 000,155,472 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mscorier.dll
[2011/12/17 19:22:35 | 001,227,776 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wdc.dll
[2011/12/17 19:22:35 | 000,478,720 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\timedate.cpl
[2011/12/17 19:22:35 | 000,399,872 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\DXP.dll
[2011/12/17 19:22:35 | 000,346,624 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\untfs.dll
[2011/12/17 19:22:35 | 000,171,520 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\QAGENT.DLL
[2011/12/17 19:22:35 | 000,132,992 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\ataport.sys
[2011/12/17 19:22:35 | 000,117,248 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\netid.dll
[2011/12/17 19:22:35 | 000,078,848 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\nci.dll
[2011/12/17 19:22:34 | 001,326,592 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wlanpref.dll
[2011/12/17 19:22:34 | 001,131,008 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sdclt.exe
[2011/12/17 19:22:34 | 001,003,008 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WMNetMgr.dll
[2011/12/17 19:22:34 | 000,933,376 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\Vault.dll
[2011/12/17 19:22:33 | 001,400,320 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\DxpTaskSync.dll
[2011/12/17 19:22:33 | 000,098,816 | ---- | C] (Microsoft) -- E:\Windows\System32\Robocopy.exe
[2011/12/17 19:22:32 | 001,040,384 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\Display.dll
[2011/12/17 19:22:32 | 000,417,792 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msdri.dll
[2011/12/17 19:22:32 | 000,324,608 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\puiobj.dll
[2011/12/17 19:22:32 | 000,316,416 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sharemediacpl.dll
[2011/12/17 19:22:32 | 000,135,168 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\XpsRasterService.dll
[2011/12/17 19:22:32 | 000,026,624 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\userinit.exe
[2011/12/17 19:22:31 | 001,188,864 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\DiagCpl.dll
[2011/12/17 19:22:31 | 000,352,768 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\termmgr.dll
[2011/12/17 19:22:31 | 000,288,256 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\eudcedit.exe
[2011/12/17 19:22:31 | 000,140,160 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\scsiport.sys
[2011/12/17 19:22:31 | 000,043,392 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\winhv.sys
[2011/12/17 19:22:30 | 001,066,496 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msdtctm.dll
[2011/12/17 19:22:30 | 000,856,576 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\FirewallControlPanel.dll
[2011/12/17 19:22:30 | 000,428,032 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\biocpl.dll
[2011/12/17 19:22:30 | 000,416,768 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wiadefui.dll
[2011/12/17 19:22:30 | 000,233,984 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msconfig.exe
[2011/12/17 19:22:30 | 000,193,536 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sppcomapi.dll
[2011/12/17 19:22:30 | 000,127,488 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\logoncli.dll
[2011/12/17 19:22:30 | 000,111,104 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\shsetup.dll
[2011/12/17 19:22:30 | 000,040,704 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\vmstorfl.sys
[2011/12/17 19:22:29 | 002,202,624 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\SensorsCpl.dll
[2011/12/17 19:22:29 | 002,157,568 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\themecpl.dll
[2011/12/17 19:22:29 | 000,766,464 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wpccpl.dll
[2011/12/17 19:22:29 | 000,216,576 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\FWPUCLNT.DLL
[2011/12/17 19:22:29 | 000,109,056 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\dnscmmc.dll
[2011/12/17 19:22:29 | 000,028,032 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\storvsc.sys
[2011/12/17 19:22:28 | 000,413,696 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\PhotoScreensaver.scr
[2011/12/17 19:22:28 | 000,312,832 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\hgcpl.dll
[2011/12/17 19:22:27 | 000,481,792 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mscms.dll
[2011/12/17 19:22:27 | 000,429,056 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\localsec.dll
[2011/12/17 19:22:27 | 000,268,800 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mprddm.dll
[2011/12/17 19:22:27 | 000,080,720 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mscories.dll
[2011/12/17 19:22:26 | 000,638,976 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\VAN.dll
[2011/12/17 19:22:26 | 000,600,576 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\PerfCenterCPL.dll
[2011/12/17 19:22:26 | 000,600,064 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\usercpl.dll
[2011/12/17 19:22:26 | 000,509,440 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\qedit.dll
[2011/12/17 19:22:26 | 000,410,112 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wlanui.dll
[2011/12/17 19:22:26 | 000,400,896 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\srcore.dll
[2011/12/17 19:22:26 | 000,220,160 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\SndVolSSO.dll
[2011/12/17 19:22:26 | 000,133,632 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\bcdsrv.dll
[2011/12/17 19:22:26 | 000,078,848 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\iasacct.dll
[2011/12/17 19:22:25 | 003,727,872 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\accessibilitycpl.dll
[2011/12/17 19:22:25 | 001,644,032 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\netcenter.dll
[2011/12/17 19:22:25 | 000,941,568 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mblctr.exe
[2011/12/17 19:22:25 | 000,352,768 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\spwizeng.dll
[2011/12/17 19:22:25 | 000,314,368 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\SndVol.exe
[2011/12/17 19:22:25 | 000,314,368 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\azroleui.dll
[2011/12/17 19:22:25 | 000,223,232 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wksprt.exe
[2011/12/17 19:22:25 | 000,120,320 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\prntvpt.dll
[2011/12/17 19:22:25 | 000,066,048 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\w32tm.exe
[2011/12/17 19:22:24 | 000,190,976 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\ks.sys
[2011/12/17 19:22:24 | 000,059,904 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\fdeploy.dll
[2011/12/17 19:22:23 | 002,130,944 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\networkmap.dll
[2011/12/17 19:22:23 | 000,516,096 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\main.cpl
[2011/12/17 19:22:23 | 000,414,208 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mspbda.dll
[2011/12/17 19:22:23 | 000,320,512 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\Faultrep.dll
[2011/12/17 19:22:23 | 000,314,880 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wusa.exe
[2011/12/17 19:22:23 | 000,312,168 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\MCEWMDRMNDBootstrap.dll
[2011/12/17 19:22:23 | 000,226,304 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\MSAC3ENC.DLL
[2011/12/17 19:22:23 | 000,186,880 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\adsldp.dll
[2011/12/17 19:22:23 | 000,161,792 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\netjoin.dll
[2011/12/17 19:22:22 | 000,755,200 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sud.dll
[2011/12/17 19:22:22 | 000,744,448 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ActionCenter.dll
[2011/12/17 19:22:22 | 000,395,264 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\prnfldr.dll
[2011/12/17 19:22:22 | 000,218,112 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\OnLineIDCpl.dll
[2011/12/17 19:22:21 | 000,389,632 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sysmon.ocx
[2011/12/17 19:22:21 | 000,325,632 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\slui.exe
[2011/12/17 19:22:21 | 000,271,360 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\iprtrmgr.dll
[2011/12/17 19:22:21 | 000,266,752 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\MediaMetadataHandler.dll
[2011/12/17 19:22:21 | 000,233,472 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\taskbarcpl.dll
[2011/12/17 19:22:21 | 000,220,672 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\defaultlocationcpl.dll
[2011/12/17 19:22:21 | 000,172,032 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\iasrad.dll
[2011/12/17 19:22:21 | 000,137,088 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\halacpi.dll
[2011/12/17 19:22:21 | 000,129,536 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\rdpcorekmts.dll
[2011/12/17 19:22:21 | 000,082,432 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\dot3cfg.dll
[2011/12/17 19:22:21 | 000,055,808 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\hidclass.sys
[2011/12/17 19:22:21 | 000,049,152 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\taskhost.exe
[2011/12/17 19:22:21 | 000,042,496 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ftp.exe
[2011/12/17 19:22:20 | 000,692,736 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\bthprops.cpl
[2011/12/17 19:22:20 | 000,577,024 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wpd_ci.dll
[2011/12/17 19:22:20 | 000,428,544 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\shwebsvc.dll
[2011/12/17 19:22:20 | 000,345,088 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\intl.cpl
[2011/12/17 19:22:20 | 000,205,312 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\efscore.dll
[2011/12/17 19:22:20 | 000,148,992 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ifsutil.dll
[2011/12/17 19:22:20 | 000,019,456 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sisbkup.dll
[2011/12/17 19:22:19 | 000,750,080 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sdcpl.dll
[2011/12/17 19:22:19 | 000,738,816 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wmpmde.dll
[2011/12/17 19:22:19 | 000,600,576 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\TabletPC.cpl
[2011/12/17 19:22:19 | 000,537,600 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ActionCenterCPL.dll
[2011/12/17 19:22:19 | 000,484,864 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\DeviceCenter.dll
[2011/12/17 19:22:19 | 000,295,424 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\bcdedit.exe
[2011/12/17 19:22:19 | 000,146,944 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\autoplay.dll
[2011/12/17 19:22:19 | 000,135,680 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\recovery.dll
[2011/12/17 19:22:19 | 000,115,712 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sppnp.dll
[2011/12/17 19:22:19 | 000,058,880 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\rdpwsx.dll
[2011/12/17 19:22:18 | 000,859,648 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\OobeFldr.dll
[2011/12/17 19:22:18 | 000,410,624 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\systemcpl.dll
[2011/12/17 19:22:18 | 000,297,472 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ntprint.dll
[2011/12/17 19:22:18 | 000,210,432 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\recdisc.exe
[2011/12/17 19:22:18 | 000,152,064 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\SmartcardCredentialProvider.dll
[2011/12/17 19:22:18 | 000,151,040 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\vdsutil.dll
[2011/12/17 19:22:18 | 000,068,608 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WSTPager.ax
[2011/12/17 19:22:17 | 000,743,424 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\blackbox.dll
[2011/12/17 19:22:17 | 000,656,384 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\nshwfp.dll
[2011/12/17 19:22:17 | 000,270,336 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sethc.exe
[2011/12/17 19:22:17 | 000,262,656 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\rstrui.exe
[2011/12/17 19:22:17 | 000,193,536 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ksproxy.ax
[2011/12/17 19:22:17 | 000,146,944 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\bcdboot.exe
[2011/12/17 19:22:17 | 000,107,008 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\NAPHLPR.DLL
[2011/12/17 19:22:17 | 000,093,696 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- E:\Windows\System32\fms.dll
[2011/12/17 19:22:16 | 000,805,376 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\cdosys.dll
[2011/12/17 19:22:16 | 000,257,024 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\dpx.dll
[2011/12/17 19:22:16 | 000,182,272 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wmpsrcwp.dll
[2011/12/17 19:22:16 | 000,112,128 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\AuxiliaryDisplayServices.dll
[2011/12/17 19:22:16 | 000,101,888 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\migisol.dll
[2011/12/17 19:22:15 | 000,592,384 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msftedit.dll
[2011/12/17 19:22:15 | 000,586,752 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\dfrgui.exe
[2011/12/17 19:22:15 | 000,428,032 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wlanmsm.dll
[2011/12/17 19:22:15 | 000,346,112 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\nshipsec.dll
[2011/12/17 19:22:15 | 000,333,824 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\dot3ui.dll
[2011/12/17 19:22:15 | 000,254,976 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wsqmcons.exe
[2011/12/17 19:22:15 | 000,247,808 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ReAgent.dll
[2011/12/17 19:22:15 | 000,222,208 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wavemsp.dll
[2011/12/17 19:22:15 | 000,164,352 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wuwebv.dll
[2011/12/17 19:22:15 | 000,086,528 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\isoburn.exe
[2011/12/17 19:22:15 | 000,067,584 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\asycfilt.dll
[2011/12/17 19:22:14 | 000,444,928 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wvc.dll
[2011/12/17 19:22:14 | 000,438,272 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\AdmTmpl.dll
[2011/12/17 19:22:14 | 000,406,528 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wimgapi.dll
[2011/12/17 19:22:14 | 000,198,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sysclass.dll
[2011/12/17 19:22:14 | 000,197,632 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ocsetup.exe
[2011/12/17 19:22:14 | 000,047,616 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\tzutil.exe
[2011/12/17 19:22:13 | 000,697,344 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\SmiEngine.dll
[2011/12/17 19:22:13 | 000,209,920 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\PkgMgr.exe
[2011/12/17 19:22:13 | 000,206,848 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\qasf.dll
[2011/12/17 19:22:13 | 000,190,976 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\qcap.dll
[2011/12/17 19:22:13 | 000,113,152 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\setupugc.exe
[2011/12/17 19:22:13 | 000,051,200 | ---- | C] (Twain Working Group) -- E:\Windows\twain_32.dll
[2011/12/17 19:22:12 | 000,293,888 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ssText3d.scr
[2011/12/17 19:22:12 | 000,257,024 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\srrstr.dll
[2011/12/17 19:22:12 | 000,196,608 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wwanconn.dll
[2011/12/17 19:22:12 | 000,170,496 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\PresentationSettings.exe
[2011/12/17 19:22:12 | 000,118,784 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\uxlib.dll
[2011/12/17 19:22:12 | 000,014,336 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\slwga.dll
[2011/12/17 19:22:11 | 000,616,960 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wmdrmsdk.dll
[2011/12/17 19:22:11 | 000,504,320 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msscp.dll
[2011/12/17 19:22:11 | 000,211,456 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\DevicePairingFolder.dll
[2011/12/17 19:22:11 | 000,098,304 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\nslookup.exe
[2011/12/17 19:22:11 | 000,084,480 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mciavi32.dll
[2011/12/17 19:22:10 | 000,402,944 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drmmgrtn.dll
[2011/12/17 19:22:10 | 000,327,680 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wimserv.exe
[2011/12/17 19:22:10 | 000,276,480 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\diskraid.exe
[2011/12/17 19:22:10 | 000,202,240 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\input.dll
[2011/12/17 19:22:10 | 000,186,368 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\rdpencom.dll
[2011/12/17 19:22:10 | 000,157,184 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\perfmon.exe
[2011/12/17 19:22:10 | 000,045,568 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\acppage.dll
[2011/12/17 19:22:09 | 001,111,552 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\onexui.dll
[2011/12/17 19:22:09 | 000,327,168 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\nltest.exe
[2011/12/17 19:22:09 | 000,292,864 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WindowsAnytimeUpgradeResults.exe
[2011/12/17 19:22:09 | 000,174,592 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ocsetapi.dll
[2011/12/17 19:22:09 | 000,078,848 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\UserAccountControlSettings.dll
[2011/12/17 19:22:09 | 000,046,080 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\NAPCRYPT.DLL
[2011/12/17 19:22:09 | 000,025,600 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\vpnikeapi.dll
[2011/12/17 19:22:08 | 000,219,648 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\iTVData.dll
[2011/12/17 19:22:08 | 000,210,432 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\dxdiagn.dll
[2011/12/17 19:22:08 | 000,198,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wpdwcn.dll
[2011/12/17 19:22:08 | 000,160,256 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\vdsbas.dll
[2011/12/17 19:22:08 | 000,095,232 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\logagent.exe
[2011/12/17 19:22:08 | 000,065,024 | ---- | C] (Microsoft Corporation) -- E:\Windows\bfsvc.exe
[2011/12/17 19:22:08 | 000,050,688 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\runonce.exe
[2011/12/17 19:22:07 | 000,489,984 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\d3d10level9.dll
[2011/12/17 19:22:07 | 000,242,176 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\eapp3hst.dll
[2011/12/17 19:22:07 | 000,176,128 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\MFPlay.dll
[2011/12/17 19:22:07 | 000,117,760 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\rmcast.sys
[2011/12/17 19:22:07 | 000,015,872 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sspisrv.dll
[2011/12/17 19:22:06 | 000,507,392 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wmdrmdev.dll
[2011/12/17 19:22:06 | 000,186,368 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\bitsadmin.exe
[2011/12/17 19:22:06 | 000,108,032 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\shacct.dll
[2011/12/17 19:22:06 | 000,087,552 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wudriver.dll
[2011/12/17 19:22:06 | 000,061,440 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\PnPUnattend.exe
[2011/12/17 19:22:06 | 000,059,392 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\unimdmat.dll
[2011/12/17 19:22:06 | 000,028,672 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\iscsium.dll
[2011/12/17 19:22:06 | 000,021,504 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\lsmproxy.dll
[2011/12/17 19:22:05 | 001,160,192 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\OpcServices.dll
[2011/12/17 19:22:05 | 000,878,592 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\Bubbles.scr
[2011/12/17 19:22:05 | 000,350,720 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WPDSp.dll
[2011/12/17 19:22:05 | 000,309,760 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sqlcese30.dll
[2011/12/17 19:22:05 | 000,183,296 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\PortableDeviceSyncProvider.dll
[2011/12/17 19:22:05 | 000,084,480 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\kstvtune.ax
[2011/12/17 19:22:05 | 000,082,944 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\logman.exe
[2011/12/17 19:22:05 | 000,074,240 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\tabcal.exe
[2011/12/17 19:22:05 | 000,060,928 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ncryptui.dll
[2011/12/17 19:22:05 | 000,059,904 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\djoin.exe
[2011/12/17 19:22:05 | 000,052,224 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\rdpd3d.dll
[2011/12/17 19:22:04 | 000,427,520 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\PortableDeviceStatus.dll
[2011/12/17 19:22:04 | 000,220,672 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\Ribbons.scr
[2011/12/17 19:22:04 | 000,162,304 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WUDFPlatform.dll
[2011/12/17 19:22:04 | 000,132,608 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\MdSched.exe
[2011/12/17 19:22:04 | 000,099,328 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\QSVRMGMT.DLL
[2011/12/17 19:22:04 | 000,077,824 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\olethk32.dll
[2011/12/17 19:22:04 | 000,061,952 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\lpremove.exe
[2011/12/17 19:22:04 | 000,040,960 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wwanprotdim.dll
[2011/12/17 19:22:04 | 000,036,864 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\tsgqec.dll
[2011/12/17 19:22:03 | 000,902,656 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WMADMOD.DLL
[2011/12/17 19:22:03 | 000,318,464 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WMPhoto.dll
[2011/12/17 19:22:03 | 000,257,536 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WindowsAnytimeUpgrade.exe
[2011/12/17 19:22:03 | 000,221,184 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\Mystify.scr
[2011/12/17 19:22:03 | 000,179,200 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ActionQueue.dll
[2011/12/17 19:22:03 | 000,153,600 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\VBICodec.ax
[2011/12/17 19:22:03 | 000,142,336 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\powercfg.cpl
[2011/12/17 19:22:03 | 000,115,200 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\dot3msm.dll
[2011/12/17 19:22:03 | 000,109,568 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wiavideo.dll
[2011/12/17 19:22:03 | 000,109,568 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\CscMig.dll
[2011/12/17 19:22:03 | 000,107,008 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\Kswdmcap.ax
[2011/12/17 19:22:03 | 000,098,304 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\fphc.dll
[2011/12/17 19:22:03 | 000,076,800 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mapistub.dll
[2011/12/17 19:22:03 | 000,076,800 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mapi32.dll
[2011/12/17 19:22:03 | 000,051,200 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\takeown.exe
[2011/12/17 19:22:03 | 000,031,744 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\utildll.dll
[2011/12/17 19:22:03 | 000,007,680 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\TsUsbRedirectionGroupPolicyControl.exe
[2011/12/17 19:22:02 | 000,541,184 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WMVSDECD.DLL
[2011/12/17 19:22:02 | 000,436,736 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wmdrmnet.dll
[2011/12/17 19:22:02 | 000,283,136 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\qdv.dll
[2011/12/17 19:22:02 | 000,265,216 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msnetobj.dll
[2011/12/17 19:22:02 | 000,189,952 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sqmapi.dll
[2011/12/17 19:22:02 | 000,128,512 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\EhStorAPI.dll
[2011/12/17 19:22:02 | 000,100,864 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sppinst.dll
[2011/12/17 19:22:01 | 000,739,328 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WMSPDMOD.DLL
[2011/12/17 19:22:01 | 000,567,808 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WUDFx.dll
[2011/12/17 19:22:01 | 000,202,240 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\unattend.dll
[2011/12/17 19:22:01 | 000,182,784 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\RelPost.exe
[2011/12/17 19:22:01 | 000,084,992 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\cmstp.exe
[2011/12/17 19:22:01 | 000,071,680 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\QCLIPROV.DLL
[2011/12/17 19:22:01 | 000,070,656 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\MuiUnattend.exe
[2011/12/17 19:22:01 | 000,066,560 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\cca.dll
[2011/12/17 19:22:01 | 000,056,832 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\vfwwdm32.dll
[2011/12/17 19:22:01 | 000,051,712 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wsnmp32.dll
[2011/12/17 19:22:01 | 000,046,592 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\pdhui.dll
[2011/12/17 19:22:01 | 000,025,088 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\qprocess.exe
[2011/12/17 19:22:00 | 000,176,128 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msorcl32.dll
[2011/12/17 19:22:00 | 000,122,880 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\iasrecst.dll
[2011/12/17 19:22:00 | 000,115,712 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\setupcln.dll
[2011/12/17 19:22:00 | 000,050,688 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\umb.dll
[2011/12/17 19:22:00 | 000,044,032 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\basesrv.dll
[2011/12/17 19:22:00 | 000,028,160 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\AzSqlExt.dll
[2011/12/17 19:22:00 | 000,024,576 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msg.exe
[2011/12/17 19:22:00 | 000,022,016 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\chglogon.exe
[2011/12/17 19:21:59 | 000,144,896 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\iscsicli.exe
[2011/12/17 19:21:59 | 000,133,632 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\diskpart.exe
[2011/12/17 19:21:59 | 000,128,000 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\desk.cpl
[2011/12/17 19:21:59 | 000,070,656 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\amstream.dll
[2011/12/17 19:21:59 | 000,061,952 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\spbcd.dll
[2011/12/17 19:21:59 | 000,047,104 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wkscli.dll
[2011/12/17 19:21:59 | 000,046,592 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WavDest.dll
[2011/12/17 19:21:59 | 000,037,888 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\relog.exe
[2011/12/17 19:21:59 | 000,032,768 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\PrintIsolationProxy.dll
[2011/12/17 19:21:59 | 000,026,624 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\qwinsta.exe
[2011/12/17 19:21:59 | 000,025,600 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\netiougc.exe
[2011/12/17 19:21:59 | 000,023,040 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\quser.exe
[2011/12/17 19:21:58 | 001,027,584 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\IMJP10.IME
[2011/12/17 19:21:58 | 000,158,720 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\itircl.dll
[2011/12/17 19:21:58 | 000,144,384 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wmpps.dll
[2011/12/17 19:21:58 | 000,085,504 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\secproc_ssp_isv.dll
[2011/12/17 19:21:58 | 000,085,504 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\secproc_ssp.dll
[2011/12/17 19:21:58 | 000,065,024 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\CertPolEng.dll
[2011/12/17 19:21:58 | 000,053,248 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\MultiDigiMon.exe
[2011/12/17 19:21:58 | 000,050,176 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\setbcdlocale.dll
[2011/12/17 19:21:58 | 000,048,640 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ksxbar.ax
[2011/12/17 19:21:58 | 000,024,064 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\netbtugc.exe
[2011/12/17 19:21:58 | 000,014,848 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\syssetup.dll
[2011/12/17 19:21:58 | 000,011,776 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\nrpsrv.dll
[2011/12/17 19:21:57 | 000,430,080 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\FXSTIFF.dll
[2011/12/17 19:21:57 | 000,280,064 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\RMActivate_ssp.exe
[2011/12/17 19:21:57 | 000,278,016 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\RMActivate_ssp_isv.exe
[2011/12/17 19:21:57 | 000,094,208 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\eappgnui.dll
[2011/12/17 19:21:57 | 000,069,632 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\tlscsp.dll
[2011/12/17 19:21:57 | 000,062,976 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\findstr.exe
[2011/12/17 19:21:57 | 000,036,352 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\mciqtz32.dll
[2011/12/17 19:21:57 | 000,033,792 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wuapp.exe
[2011/12/17 19:21:57 | 000,033,280 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wiarpc.dll
[2011/12/17 19:21:57 | 000,028,672 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WerFaultSecure.exe
[2011/12/17 19:21:57 | 000,022,528 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\tskill.exe
[2011/12/17 19:21:57 | 000,022,528 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\chgport.exe
[2011/12/17 19:21:57 | 000,022,016 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\tsdiscon.exe
[2011/12/17 19:21:57 | 000,022,016 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ReAgentc.exe
[2011/12/17 19:21:57 | 000,021,504 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\tscon.exe
[2011/12/17 19:21:57 | 000,021,504 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\qappsrv.exe
[2011/12/17 19:21:57 | 000,021,504 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\logoff.exe
[2011/12/17 19:21:57 | 000,020,992 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\rwinsta.exe
[2011/12/17 19:21:57 | 000,020,992 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\chgusr.exe
[2011/12/17 19:21:56 | 000,121,344 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sppc.dll
[2011/12/17 19:21:56 | 000,082,944 | ---- | C] (Radius Inc.) -- E:\Windows\System32\iccvid.dll
[2011/12/17 19:21:56 | 000,021,504 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\tdi.sys
[2011/12/17 19:21:56 | 000,020,992 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\shadow.exe
[2011/12/17 19:21:56 | 000,019,968 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\spopk.dll
[2011/12/17 19:21:56 | 000,013,312 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\muifontsetup.dll
[2011/12/17 19:21:55 | 000,061,952 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\manage-bde.exe
[2011/12/17 19:21:55 | 000,057,344 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\repair-bde.exe
[2011/12/17 19:21:55 | 000,053,760 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\vmicres.dll
[2011/12/17 19:21:55 | 000,052,736 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\inetmib1.dll
[2011/12/17 19:21:55 | 000,045,568 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\g711codc.ax
[2011/12/17 19:21:55 | 000,041,984 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\luainstall.dll
[2011/12/17 19:21:55 | 000,038,400 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\vmstorfltres.dll
[2011/12/17 19:21:55 | 000,034,304 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\unlodctr.exe
[2011/12/17 19:21:55 | 000,033,792 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\vbisurf.ax
[2011/12/17 19:21:55 | 000,031,744 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wdiasqmmodule.dll
[2011/12/17 19:21:55 | 000,030,720 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msdmo.dll
[2011/12/17 19:21:55 | 000,026,112 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\usbrpm.sys
[2011/12/17 19:21:55 | 000,025,600 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\netcfg.exe
[2011/12/17 19:21:55 | 000,022,528 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\HotStartUserAgent.dll
[2011/12/17 19:21:55 | 000,021,504 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\rdprefdrvapi.dll
[2011/12/17 19:21:55 | 000,015,360 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\reset.exe
[2011/12/17 19:21:55 | 000,014,848 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\query.exe
[2011/12/17 19:21:54 | 001,164,800 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\UIRibbonRes.dll
[2011/12/17 19:21:54 | 000,044,544 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\vmbusres.dll
[2011/12/17 19:21:54 | 000,041,984 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\browcli.dll
[2011/12/17 19:21:54 | 000,040,960 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\odbcconf.dll
[2011/12/17 19:21:54 | 000,039,936 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\WUDFCoinstaller.dll
[2011/12/17 19:21:54 | 000,028,672 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\profprov.dll
[2011/12/17 19:21:54 | 000,015,360 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\change.exe
[2011/12/17 19:21:53 | 000,039,424 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\FXSMON.dll
[2011/12/17 19:21:53 | 000,027,648 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wups.dll
[2011/12/17 19:21:53 | 000,017,408 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\perfts.dll
[2011/12/17 19:21:52 | 000,121,856 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\RDPENCDD.dll
[2011/12/17 19:21:52 | 000,022,528 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\elsTrans.dll
[2011/12/17 19:21:52 | 000,021,504 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\TRAPI.dll
[2011/12/17 19:21:51 | 000,068,096 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\napdsnap.dll
[2011/12/17 19:21:51 | 000,030,208 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\dsauth.dll
[2011/12/17 19:21:51 | 000,019,456 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\bitsperf.dll
[2011/12/17 19:21:51 | 000,017,408 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\schedcli.dll
[2011/12/17 19:21:50 | 000,430,080 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\imkr80.ime
[2011/12/17 19:21:50 | 000,036,352 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wups2.dll
[2011/12/17 19:21:50 | 000,021,504 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wsdchngr.dll
[2011/12/17 19:21:50 | 000,009,728 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\sscore.dll
[2011/12/17 19:21:50 | 000,008,704 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\riched32.dll
[2011/12/17 19:21:49 | 000,017,920 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\VMBusHID.sys
[2011/12/17 19:21:49 | 000,008,704 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\rdpcfgex.dll
[2011/12/17 19:21:48 | 000,011,264 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wshirda.dll
[2011/12/17 19:21:47 | 000,116,224 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\VmbusCoinstaller.dll
[2011/12/17 19:21:47 | 000,113,664 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\VmdCoinstall.dll
[2011/12/17 19:21:47 | 000,113,664 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\IcCoinstall.dll
[2011/12/17 19:21:47 | 000,047,616 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\vmictimeprovider.dll
[2011/12/17 19:21:47 | 000,025,856 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\USBCAMD2.sys
[2011/12/17 19:21:47 | 000,025,856 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\USBCAMD.sys
[2011/12/17 19:21:47 | 000,014,336 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\vmbuspipe.dll
[2011/12/17 19:21:47 | 000,011,264 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\C_ISCII.DLL
[2011/12/17 19:21:47 | 000,008,192 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\spwmp.dll
[2011/12/17 19:21:46 | 000,026,624 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\RDPREFDD.dll
[2011/12/17 19:21:46 | 000,010,752 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\shunimpl.dll
[2011/12/17 19:21:46 | 000,004,096 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msdxm.ocx
[2011/12/17 19:21:46 | 000,004,096 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\dxmasf.dll
[2011/12/17 19:21:45 | 012,625,408 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wmploc.DLL
[2011/12/17 19:21:45 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDUS.DLL
[2011/12/17 19:21:45 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDUGHR1.DLL
[2011/12/17 19:21:45 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDTURME.DLL
[2011/12/17 19:21:45 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDTAJIK.DLL
[2011/12/17 19:21:45 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDMON.DLL
[2011/12/17 19:21:45 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDMAORI.DLL
[2011/12/17 19:21:45 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDLT1.DLL
[2011/12/17 19:21:45 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDINTEL.DLL
[2011/12/17 19:21:45 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDINORI.DLL
[2011/12/17 19:21:45 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDINKAN.DLL
[2011/12/17 19:21:44 | 000,007,168 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDSG.DLL
[2011/12/17 19:21:44 | 000,007,168 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\kbdlk41a.dll
[2011/12/17 19:21:44 | 000,006,656 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDTUQ.DLL
[2011/12/17 19:21:44 | 000,006,656 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDTUF.DLL
[2011/12/17 19:21:44 | 000,006,656 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDSF.DLL
[2011/12/17 19:21:44 | 000,006,656 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDPO.DLL
[2011/12/17 19:21:44 | 000,006,656 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDNEPR.DLL
[2011/12/17 19:21:44 | 000,006,656 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDINBEN.DLL
[2011/12/17 19:21:44 | 000,006,656 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDGR1.DLL
[2011/12/17 19:21:44 | 000,006,656 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDGKL.DLL
[2011/12/17 19:21:44 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDINTAM.DLL
[2011/12/17 19:21:44 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDINMAR.DLL
[2011/12/17 19:21:44 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDINHIN.DLL
[2011/12/17 19:21:44 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDBULG.DLL
[2011/12/17 19:21:44 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDBLR.DLL
[2011/12/17 19:21:44 | 000,006,144 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDBASH.DLL
[2011/12/17 19:21:44 | 000,005,632 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDGEO.DLL
[2011/12/17 19:21:43 | 000,069,120 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\nlsbres.dll
[2011/12/17 19:21:43 | 000,052,736 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\BlbEvents.dll
[2011/12/17 19:21:43 | 000,035,328 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\pifmgr.dll
[2011/12/17 19:21:43 | 000,007,680 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\spwizres.dll
[2011/12/17 19:21:43 | 000,007,168 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\KBDCZ1.DLL
[2011/12/17 19:21:43 | 000,005,632 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\drivers\vms3cap.sys
[2011/12/17 19:21:43 | 000,002,560 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\dpnaddr.dll
[2011/12/17 19:21:30 | 000,189,952 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wdscore.dll
[2011/12/17 19:21:10 | 000,363,008 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\wbemcomn.dll
[2011/12/15 16:53:06 | 000,000,000 | ---D | C] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2011/12/15 16:52:44 | 000,000,000 | ---D | C] -- E:\Program Files\QuickTime
[2011/12/14 22:17:34 | 000,000,000 | ---D | C] -- E:\ProgramData\Sun
[2011/12/14 22:17:32 | 000,000,000 | ---D | C] -- E:\Program Files\Common Files\Java
[2011/12/14 22:17:24 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- E:\Windows\System32\deployJava1.dll
[2011/12/14 22:17:24 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- E:\Windows\System32\javaws.exe
[2011/12/14 22:17:24 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- E:\Windows\System32\javaw.exe
[2011/12/14 22:17:24 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- E:\Windows\System32\java.exe
[2011/12/14 22:16:54 | 000,000,000 | ---D | C] -- E:\Program Files\Java
[2011/12/14 21:00:42 | 000,000,000 | ---D | C] -- E:\Users\Randy Moon\AppData\Local\WinZip Courier
[1 E:\Windows\*.tmp files -> E:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/13 18:04:12 | 000,014,976 | -H-- | M] () -- E:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/13 18:04:12 | 000,014,976 | -H-- | M] () -- E:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/13 17:56:49 | 000,067,584 | --S- | M] () -- E:\Windows\bootstat.dat
[2012/01/13 17:56:35 | 2810,683,392 | -HS- | M] () -- E:\hiberfil.sys
[2012/01/11 22:19:48 | 000,004,269 | ---- | M] () -- E:\Users\Randy Moon\Desktop\Former student sues school district.htm
[2012/01/11 22:19:20 | 000,005,568 | ---- | M] () -- E:\Users\Randy Moon\Desktop\Kingman teacher previously accused of sex with student.htm
[2012/01/11 22:12:36 | 000,006,969 | ---- | M] () -- E:\Users\Randy Moon\Desktop\Kingman-Norwich school district rejects claims of sexual harassment.htm
[2012/01/09 16:43:17 | 000,624,178 | ---- | M] () -- E:\Windows\System32\perfh009.dat
[2012/01/09 16:43:17 | 000,106,522 | ---- | M] () -- E:\Windows\System32\perfc009.dat
[2012/01/08 23:11:15 | 000,000,027 | ---- | M] () -- E:\Windows\System32\drivers\etc\hosts
[2012/01/08 21:49:11 | 000,038,423 | ---- | M] () -- E:\Users\Randy Moon\AppData\Roaming\Comma Separated Values (Windows).ADR
[2012/01/05 21:41:16 | 000,000,000 | ---- | M] () -- E:\Users\Randy Moon\defogger_reenable
[2011/12/28 08:25:20 | 000,001,081 | ---- | M] () -- E:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/26 22:27:26 | 000,002,503 | ---- | M] () -- E:\Users\Public\Desktop\Skype.lnk
[2011/12/26 11:25:16 | 000,000,000 | -H-- | M] () -- E:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2011/12/24 00:15:58 | 000,001,908 | ---- | M] () -- E:\Windows\diagwrn.xml
[2011/12/24 00:15:58 | 000,001,908 | ---- | M] () -- E:\Windows\diagerr.xml
[2011/12/22 19:39:49 | 000,418,616 | ---- | M] () -- E:\Windows\System32\FNTCACHE.DAT
[2011/12/21 19:30:47 | 000,152,576 | ---- | M] (Microsoft Corporation) -- E:\Windows\System32\msclmd.dll
[2011/12/19 20:23:14 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- E:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/12/18 16:09:42 | 000,000,288 | ---- | M] () -- E:\Users\Randy Moon\AppData\Roaming\.backup.dm
[2011/12/15 16:53:06 | 000,001,825 | ---- | M] () -- E:\Users\Public\Desktop\QuickTime Player.lnk
[2011/12/14 22:16:55 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- E:\Windows\System32\deployJava1.dll
[2011/12/14 22:16:55 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- E:\Windows\System32\javaws.exe
[2011/12/14 22:16:55 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- E:\Windows\System32\javaw.exe
[2011/12/14 22:16:55 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- E:\Windows\System32\java.exe
[1 E:\Windows\*.tmp files -> E:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/11 22:19:47 | 000,004,269 | ---- | C] () -- E:\Users\Randy Moon\Desktop\Former student sues school district.htm
[2012/01/11 22:19:19 | 000,005,568 | ---- | C] () -- E:\Users\Randy Moon\Desktop\Kingman teacher previously accused of sex with student.htm
[2012/01/11 22:12:35 | 000,006,969 | ---- | C] () -- E:\Users\Randy Moon\Desktop\Kingman-Norwich school district rejects claims of sexual harassment.htm
[2012/01/08 23:00:26 | 000,256,000 | ---- | C] () -- E:\Windows\PEV.exe
[2012/01/08 23:00:26 | 000,208,896 | ---- | C] () -- E:\Windows\MBR.exe
[2012/01/08 23:00:26 | 000,098,816 | ---- | C] () -- E:\Windows\sed.exe
[2012/01/08 23:00:26 | 000,080,412 | ---- | C] () -- E:\Windows\grep.exe
[2012/01/08 23:00:26 | 000,068,096 | ---- | C] () -- E:\Windows\zip.exe
[2012/01/08 21:49:11 | 000,038,423 | ---- | C] () -- E:\Users\Randy Moon\AppData\Roaming\Comma Separated Values (Windows).ADR
[2012/01/05 21:41:16 | 000,000,000 | ---- | C] () -- E:\Users\Randy Moon\defogger_reenable
[2011/12/28 08:25:20 | 000,001,081 | ---- | C] () -- E:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/26 11:25:16 | 000,000,000 | -H-- | C] () -- E:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2011/12/23 23:44:22 | 000,001,908 | ---- | C] () -- E:\Windows\diagwrn.xml
[2011/12/23 23:44:22 | 000,001,908 | ---- | C] () -- E:\Windows\diagerr.xml
[2011/12/18 15:59:15 | 000,000,288 | ---- | C] () -- E:\Users\Randy Moon\AppData\Roaming\.backup.dm
[2011/12/17 19:23:15 | 000,146,852 | ---- | C] () -- E:\Windows\System32\systemsf.ebd
[2011/12/17 19:21:57 | 000,066,048 | ---- | C] () -- E:\Windows\System32\PrintBrmUi.exe
[2011/12/17 19:21:53 | 000,010,429 | ---- | C] () -- E:\Windows\System32\ScavengeSpace.xml
[2011/12/17 19:21:41 | 000,105,559 | ---- | C] () -- E:\Windows\System32\RacRules.xml
[2011/12/15 16:53:06 | 000,001,825 | ---- | C] () -- E:\Users\Public\Desktop\QuickTime Player.lnk
[2011/12/13 18:15:02 | 000,000,165 | ---- | C] () -- E:\Windows\QUICKEN.INI
[2011/12/12 20:20:29 | 000,140,288 | ---- | C] () -- E:\Windows\System32\igfxtvcx.dll
[2009/09/23 19:16:08 | 002,050,952 | ---- | C] () -- E:\Windows\System32\igkrng400.bin
[2009/07/13 22:57:37 | 000,067,584 | --S- | C] () -- E:\Windows\bootstat.dat
[2009/07/13 22:33:53 | 000,418,616 | ---- | C] () -- E:\Windows\System32\FNTCACHE.DAT
[2009/07/13 20:05:48 | 000,624,178 | ---- | C] () -- E:\Windows\System32\perfh009.dat
[2009/07/13 20:05:48 | 000,291,294 | ---- | C] () -- E:\Windows\System32\perfi009.dat
[2009/07/13 20:05:48 | 000,106,522 | ---- | C] () -- E:\Windows\System32\perfc009.dat
[2009/07/13 20:05:48 | 000,031,548 | ---- | C] () -- E:\Windows\System32\perfd009.dat
[2009/07/13 20:05:05 | 000,000,741 | ---- | C] () -- E:\Windows\System32\NOISE.DAT
[2009/07/13 20:04:11 | 000,215,943 | ---- | C] () -- E:\Windows\System32\dssec.dat
[2009/07/13 17:55:01 | 000,043,131 | ---- | C] () -- E:\Windows\mib.bin
[2009/07/13 17:51:43 | 000,073,728 | ---- | C] () -- E:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 17:42:10 | 000,064,000 | ---- | C] () -- E:\Windows\System32\BWContextHandler.dll
[2009/06/10 15:26:10 | 000,673,088 | ---- | C] () -- E:\Windows\System32\mlang.dat

========== LOP Check ==========

[2011/12/20 13:15:16 | 000,000,000 | ---D | M] -- E:\Users\Randy Moon\AppData\Roaming\SanDisk
[2009/07/13 22:53:46 | 000,022,512 | ---- | M] () -- E:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >
OTL Extras logfile created on: 1/13/2012 8:46:31 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = H:\Downloaded Software\Malware Rootkit Folder
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.49 Gb Total Physical Memory | 1.89 Gb Available Physical Memory | 54.03% Memory free
6.98 Gb Paging File | 5.32 Gb Available in Paging File | 76.17% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\Windows | %ProgramFiles% = E:\Program Files
Drive C: | 37.22 Gb Total Space | 14.43 Gb Free Space | 38.76% Space Free | Partition Type: NTFS
Drive E: | 111.83 Gb Total Space | 83.90 Gb Free Space | 75.03% Space Free | Partition Type: NTFS
Drive F: | 7.44 Gb Total Space | 7.38 Gb Free Space | 99.22% Space Free | Partition Type: FAT32
Drive H: | 232.88 Gb Total Space | 124.63 Gb Free Space | 53.52% Space Free | Partition Type: NTFS
Drive I: | 232.88 Gb Total Space | 185.48 Gb Free Space | 79.65% Space Free | Partition Type: NTFS

Computer Name: RANDYMOON-PC | User Name: Randy Moon | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- E:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- E:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UpdatesDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 3.4
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java™ 6 Update 24
"{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}" = CyberLink WaveEditor
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AAE221D5-C3DD-4FE2-A063-C1368FE730A5}" = Symantec Endpoint Protection
"{AC76BA86-1033-0000-BA7E-000000000004}" = Adobe Acrobat 9 Standard
"{AC76BA86-1033-0000-BA7E-000000000004}{AC76BA86-1033-0000-BA7E-000000000004}" = Adobe Acrobat 9 Standard
"{B7DBF6E8-0D17-4BE4-853B-ACD6EFBD4A1F}" = iTunes
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240C8}" = WinZip 16.0
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}" = Quicken 2009
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ESET Online Scanner" = ESET Online Scanner v3
"HDMI" = Intel® Graphics Media Accelerator Driver
"InstallShield_{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}" = CyberLink WaveEditor
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"TVWiz" = Intel® TV Wizard

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"@@__UNKNOWN__@@SanDiskSecureAccess_Manager.exe" = SanDiskSecureAccess_Manager.exe

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/8/2012 5:00:17 PM | Computer Name = RandyMoon-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 9.0.8112.16421,
time stamp: 0x4d76255d Faulting module name: ole32.dll, version: 6.1.7601.17514,
time stamp: 0x4ce7b96f Exception code: 0xc0000005 Fault offset: 0x0001e642 Faulting
process id: 0x1084 Faulting application start time: 0x01ccce3b9e0d7c0e Faulting application
path: E:\Program Files\Internet Explorer\iexplore.exe Faulting module path: E:\Windows\system32\ole32.dll
Report
Id: c4555e6c-3a3b-11e1-bafa-00218641c997

Error - 1/8/2012 5:29:38 PM | Computer Name = RandyMoon-PC | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Maljava in File: c:\WINDOWS\Temp\jar_cache3683986048553263798.tmp
by: Scheduled scan. Action: Delete succeeded. Action Description: The file was
deleted successfully.

Error - 1/8/2012 5:30:25 PM | Computer Name = RandyMoon-PC | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Maljava in File: c:\WINDOWS\Temp\jar_cache5351450336807162750.tmp
by: Scheduled scan. Action: Delete succeeded. Action Description: The file was
deleted successfully.

Error - 1/8/2012 5:31:12 PM | Computer Name = RandyMoon-PC | Source = Application Error | ID = 1000
Description = Faulting application name: SavUI.exe, version: 11.0.6300.541, time
stamp: 0x4d791283 Faulting module name: ole32.dll, version: 6.1.7601.17514, time
stamp: 0x4ce7b96f Exception code: 0xc0000005 Fault offset: 0x0001e642 Faulting process
id: 0x644 Faulting application start time: 0x01cccdb7e794582e Faulting application
path: E:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe Faulting
module path: E:\Windows\system32\ole32.dll Report Id: 15f11164-3a40-11e1-bafa-00218641c997

Error - 1/8/2012 5:41:58 PM | Computer Name = RandyMoon-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 9.0.8112.16421,
time stamp: 0x4d76255d Faulting module name: unknown, version: 0.0.0.0, time stamp:
0x00000000 Exception code: 0xc0000005 Fault offset: 0x65007400 Faulting process id:
0xde4 Faulting application start time: 0x01ccce38e9de12f0 Faulting application path:
E:\Program Files\Internet Explorer\iexplore.exe Faulting module path: unknown Report
Id: 96f5efec-3a41-11e1-bafa-00218641c997

Error - 1/9/2012 1:05:17 AM | Computer Name = RandyMoon-PC | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 1/10/2012 2:24:40 PM | Computer Name = RandyMoon-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "e:\program files\cyberlink\powerdirector\muitransfer\MUIStartMenuX64.exe".
Dependent
Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 1/11/2012 7:30:18 PM | Computer Name = RandyMoon-PC | Source = Application Error | ID = 1000
Description = Faulting application name: plugin-container.exe, version: 8.0.1.4341,
time stamp: 0x4ec9a0a8 Faulting module name: ole32.dll, version: 6.1.7601.17514,
time stamp: 0x4ce7b96f Exception code: 0xc0000005 Fault offset: 0x0001e642 Faulting
process id: 0x488 Faulting application start time: 0x01ccd0b76bd669d6 Faulting application
path: E:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path:
E:\Windows\system32\ole32.dll Report Id: 38534f8d-3cac-11e1-9f20-00218641c997

Error - 1/11/2012 8:04:16 PM | Computer Name = RandyMoon-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "e:\program files\cyberlink\powerdirector\muitransfer\MUIStartMenuX64.exe".
Dependent
Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 1/12/2012 7:43:25 PM | Computer Name = RandyMoon-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "e:\program files\cyberlink\powerdirector\muitransfer\MUIStartMenuX64.exe".
Dependent
Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

[ System Events ]
Error - 1/10/2012 10:43:21 AM | Computer Name = RandyMoon-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 1/10/2012 10:43:21 AM | Computer Name = RandyMoon-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 1/10/2012 10:43:21 AM | Computer Name = RandyMoon-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 1/10/2012 10:48:09 AM | Computer Name = RandyMoon-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 1/10/2012 10:48:09 AM | Computer Name = RandyMoon-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 1/10/2012 10:48:09 AM | Computer Name = RandyMoon-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 1/12/2012 12:31:14 AM | Computer Name = RandyMoon-PC | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.

Error - 1/12/2012 12:34:33 AM | Computer Name = RandyMoon-PC | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.

Error - 1/12/2012 12:37:32 AM | Computer Name = RandyMoon-PC | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.

Error - 1/13/2012 7:56:03 PM | Computer Name = RandyMoon-PC | Source = volsnap | ID = 393245
Description = The shadow copies of volume E: were aborted during detection.


< End of report >

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:15 PM

Posted 14 January 2012 - 05:33 PM

Please post an MBAM log which shows the two files.
m0le is a proud member of UNITE

#6 rmoonks

rmoonks
  • Topic Starter

  • Members
  • 35 posts
  • Local time:06:15 AM

Posted 14 January 2012 - 07:17 PM

The Malwarebytes log is attached. You will see the 2 files in the registry values detected. I am also attaching a screenshot (.jpeg) file. It shows a screenshot of the Malwarebytes Quarantine Log so that you can see how often (every couple of days) that Malwarebytes detects these registry values and then quarantines or deletes them. Of course they come back in a day or so. I will also send you another screenshot in my next post right after this one of the 2 error messages that I get at startup concerning these 2 files. I can't send both screenshots in this posting as they are too big based on the size restrictions per posting. Also, I tried running GMER to post a log for you, but it ran for 24 hours straight and was still running at the time of this posting. I finally had to stop it as it slows my computer down greatly. Is it normal for GMER to run for that long? Do you still need a GMER Log?





Malwarebytes Anti-Malware (PRO) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.13.02

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Randy Moon :: RANDYMOON-PC [administrator]

Protection: Enabled

1/13/2012 7:00:03 PM
mbam-log-2012-01-13 (19-00-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 204331
Time elapsed: 11 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Trolltech Update (Trojan.SHarpro.PGen) -> Data: rundll32 "E:\Users\Randy Moon\AppData\Local\VirtualStore\VirtualStoreUpdate\VirtualStoreupdt32.DLL",DllRegisterServer -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|DirectxTrayBackup (Trojan.SHarpro.PGen) -> Data: rundll32.exe "E:\ProgramData\DirectxTrayBackup.dll",DllRegisterServer -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Attached Files



#7 rmoonks

rmoonks
  • Topic Starter

  • Members
  • 35 posts
  • Local time:06:15 AM

Posted 14 January 2012 - 07:41 PM

Attached is the second screenshot I referred to in my last post. This shows the 2 error messages that I get upon startup every couple of days. This is always after Malwarebytes has previously quarantined or deleted these files. As I said earlier, I get this message at startup and both of these files show up again in my registry. Once Malwarebytes starts up, it detects them, quarantines or deletes them and all is good for a day or two and then they come back and I get the error messages all over again.

Attached Files



#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:15 PM

Posted 14 January 2012 - 08:41 PM

The second screenshot is evidence that the missing files are attempting to be run by the troublesome registry entries from the MBAM log.

Gmer takes no more than 20 minutes, a bit longer depending on the machine. Never 24 hours. Please don't run any tools without my recommendation.

It seems that the registry entries are being added back in by something, so we are going to run a malware removal tool called Combofix.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#9 rmoonks

rmoonks
  • Topic Starter

  • Members
  • 35 posts
  • Local time:06:15 AM

Posted 14 January 2012 - 08:57 PM

Ok, I will download and run ComboFix shortly. Here is the Malwarebytes Log that just ran a few minutes ago. As you can see it detected and quarantined the 2 registry entries again. Will send the ComboFix log shortly.



Malwarebytes Anti-Malware (PRO) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.14.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Randy Moon :: RANDYMOON-PC [administrator]

Protection: Enabled

1/14/2012 7:00:02 PM
mbam-log-2012-01-14 (19-00-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 199969
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Trolltech Update (Trojan.SHarpro.PGen) -> Data: rundll32 "E:\Users\Randy Moon\AppData\Local\VirtualStore\VirtualStoreUpdate\VirtualStoreupdt32.DLL",DllRegisterServer -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|DirectxTrayBackup (Trojan.SHarpro.PGen) -> Data: rundll32.exe "E:\ProgramData\DirectxTrayBackup.dll",DllRegisterServer -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#10 rmoonks

rmoonks
  • Topic Starter

  • Members
  • 35 posts
  • Local time:06:15 AM

Posted 14 January 2012 - 09:12 PM

Here is the ComboFix Log as you requested.


ComboFix 12-01-13.05 - Randy Moon 01/14/2012 20:00:42.3.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3574.2260 [GMT -6:00]
Running from: e:\users\Randy Moon\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Symantec Endpoint Protection *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-15 to 2012-01-15 )))))))))))))))))))))))))))))))
.
.
2012-01-15 02:05 . 2012-01-15 02:05 -------- d-----w- e:\users\Default\AppData\Local\temp
2012-01-15 02:05 . 2012-01-15 02:05 -------- d-----w- e:\users\Administrator\AppData\Local\temp
2012-01-11 22:43 . 2011-11-17 05:38 1288472 ----a-w- e:\windows\system32\ntdll.dll
2012-01-11 22:43 . 2011-11-19 14:01 67072 ----a-w- e:\windows\system32\packager.dll
2012-01-11 22:43 . 2011-10-26 04:32 514560 ----a-w- e:\windows\system32\qdvd.dll
2012-01-11 22:43 . 2011-10-26 04:32 1328128 ----a-w- e:\windows\system32\quartz.dll
2012-01-10 04:30 . 2012-01-10 04:30 -------- d-----w- e:\program files\ESET
2012-01-09 05:12 . 2012-01-15 02:05 -------- d-----w- e:\users\Randy Moon\AppData\Local\temp
2011-12-26 17:18 . 2011-12-26 17:18 -------- d-----w- e:\users\Lauren
2011-12-21 22:59 . 2011-12-21 22:59 -------- d-----w- e:\windows\system32\SPReview
2011-12-21 22:59 . 2011-12-21 22:59 -------- d-----w- e:\windows\system32\EventProviders
2011-12-21 22:58 . 2011-02-19 06:30 805376 ----a-w- e:\windows\system32\FntCache.dll
2011-12-21 22:58 . 2011-02-19 06:30 1076736 ----a-w- e:\windows\system32\DWrite.dll
2011-12-21 22:58 . 2011-02-19 06:30 739840 ----a-w- e:\windows\system32\d2d1.dll
2011-12-20 02:26 . 2011-12-20 02:26 -------- d-----w- e:\programdata\YouTube Downloader
2011-12-20 02:23 . 2011-12-20 02:23 -------- d-----w- e:\users\Randy Moon\dwhelper
2011-12-18 22:03 . 2011-12-18 22:03 -------- d-----w- e:\programdata\ClubSanDisk
2011-12-18 22:00 . 2011-12-20 19:15 -------- d-----w- e:\users\Randy Moon\AppData\Roaming\SanDisk
2011-12-18 01:22 . 2010-11-20 12:21 204800 ----a-w- e:\windows\system32\WebClnt.dll
2011-12-18 01:21 . 2010-11-20 12:21 96768 ----a-w- e:\windows\system32\drivers\UMDF\WUDFUsbccidDriver.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-22 01:30 . 2009-07-14 02:05 152576 ----a-w- e:\windows\system32\msclmd.dll
2011-12-20 02:23 . 2011-12-13 23:26 414368 ----a-w- e:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-15 04:16 . 2011-12-15 04:17 472808 ----a-w- e:\windows\system32\deployJava1.dll
2011-12-14 04:07 . 2011-12-14 04:07 737072 ----a-w- e:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-12-14 04:07 . 2011-12-14 04:07 4283672 ----a-w- e:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-12-14 04:06 . 2011-12-14 04:06 42776 ----a-w- e:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-12-14 04:06 . 2011-12-14 04:06 539984 ----a-w- e:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-12-13 05:29 . 2011-12-13 05:29 125488 ----a-w- e:\windows\system32\drivers\SYMEVENT.SYS
2011-12-13 02:24 . 2011-12-13 02:24 86528 ----a-w- e:\windows\system32\iesysprep.dll
2011-12-13 02:24 . 2011-12-13 02:24 76800 ----a-w- e:\windows\system32\SetIEInstalledDate.exe
2011-12-13 02:24 . 2011-12-13 02:24 74752 ----a-w- e:\windows\system32\RegisterIEPKEYs.exe
2011-12-13 02:24 . 2011-12-13 02:24 74752 ----a-w- e:\windows\system32\iesetup.dll
2011-12-13 02:24 . 2011-12-13 02:24 63488 ----a-w- e:\windows\system32\tdc.ocx
2011-12-13 02:24 . 2011-12-13 02:24 48640 ----a-w- e:\windows\system32\mshtmler.dll
2011-12-13 02:24 . 2011-12-13 02:24 420864 ----a-w- e:\windows\system32\vbscript.dll
2011-12-13 02:24 . 2011-12-13 02:24 367104 ----a-w- e:\windows\system32\html.iec
2011-12-13 02:24 . 2011-12-13 02:24 35840 ----a-w- e:\windows\system32\imgutil.dll
2011-12-13 02:24 . 2011-12-13 02:24 23552 ----a-w- e:\windows\system32\licmgr10.dll
2011-12-13 02:24 . 2011-12-13 02:24 161792 ----a-w- e:\windows\system32\msls31.dll
2011-12-13 02:24 . 2011-12-13 02:24 152064 ----a-w- e:\windows\system32\wextract.exe
2011-12-13 02:24 . 2011-12-13 02:24 150528 ----a-w- e:\windows\system32\iexpress.exe
2011-12-13 02:24 . 2011-12-13 02:24 142848 ----a-w- e:\windows\system32\ieUnatt.exe
2011-12-13 02:24 . 2011-12-13 02:24 11776 ----a-w- e:\windows\system32\mshta.exe
2011-12-13 02:24 . 2011-12-13 02:24 110592 ----a-w- e:\windows\system32\IEAdvpack.dll
2011-12-13 02:24 . 2011-12-13 02:24 101888 ----a-w- e:\windows\system32\admparse.dll
2011-12-10 21:24 . 2011-12-15 01:55 20464 ----a-w- e:\windows\system32\drivers\mbam.sys
2011-11-24 04:25 . 2011-12-14 01:30 2342912 ----a-w- e:\windows\system32\win32k.sys
2011-11-05 04:26 . 2011-12-14 01:30 2048 ----a-w- e:\windows\system32\tzres.dll
2011-11-03 22:47 . 2011-12-14 05:16 1798144 ----a-w- e:\windows\system32\jscript9.dll
2011-11-03 22:40 . 2011-12-14 05:16 1427456 ----a-w- e:\windows\system32\inetcpl.cpl
2011-11-03 22:39 . 2011-12-14 05:16 1127424 ----a-w- e:\windows\system32\wininet.dll
2011-11-03 22:31 . 2011-12-14 05:16 2382848 ----a-w- e:\windows\system32\mshtml.tlb
2011-10-26 04:47 . 2011-12-14 01:29 3912560 ----a-w- e:\windows\system32\ntoskrnl.exe
2011-10-26 04:47 . 2011-12-14 01:29 3967856 ----a-w- e:\windows\system32\ntkrnlpa.exe
2011-10-26 04:28 . 2011-12-14 01:29 38912 ----a-w- e:\windows\system32\csrsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trolltech Update"="e:\users\Randy Moon\AppData\Local\VirtualStore\VirtualStoreUpdate\VirtualStoreupdt32.DLL" [BU]
"DirectxTrayBackup"="e:\programdata\DirectxTrayBackup.dll" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="e:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="e:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="e:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"ccApp"="e:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-02-04 115624]
"Malwarebytes' Anti-Malware (reboot)"="e:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-24 981680]
"Malwarebytes' Anti-Malware"="e:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-12 04:43 640376 ----a-w- e:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 08:25 37232 ----a-w- e:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-02 05:25 59240 ----a-w- e:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 07:36 421736 ----a-w- e:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-12-24 23:50 460872 ----a-w- e:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 23:18 413696 ----a-w- e:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SanDiskSecureAccess_Manager.exe]
2011-06-29 16:56 27311232 ----a-w- e:\users\Randy Moon\AppData\Roaming\SanDisk\SanDiskSecureAccess_Manager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 20:49 249064 ----a-w- e:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;e:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 TsUsbFlt;TsUsbFlt;e:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;e:\windows\system32\Wat\WatAdminSvc.exe [2011-12-13 1343400]
S2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;e:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-15 106104]
S3 MBAMProtector;MBAMProtector;e:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;e:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 SrvHsfHDA;SrvHsfHDA;e:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;e:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;e:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - MBAMSwissArmy
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-14 20:06:58
ComboFix-quarantined-files.txt 2012-01-15 02:06
ComboFix2.txt 2012-01-12 04:38
ComboFix3.txt 2012-01-09 05:12
.
Pre-Run: 89,658,658,816 bytes free
Post-Run: 89,487,126,528 bytes free
.
- - End Of File - - E4E0E4F0BA541EA2FC941DDA75E2E319

#11 rmoonks

rmoonks
  • Topic Starter

  • Members
  • 35 posts
  • Local time:06:15 AM

Posted 14 January 2012 - 09:14 PM

The first ComboFix Log was for my "E" drive which is the one with Windows 7 and the one I'm having this issue on. I will send the ComboFix Log for the "C" drive in my next post shortly.

#12 rmoonks

rmoonks
  • Topic Starter

  • Members
  • 35 posts
  • Local time:06:15 AM

Posted 14 January 2012 - 09:50 PM

I attempted to run ComboFix on my "C" drive. It gave me the message, "You are infected with Rootkit.Zero Access! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection." It then said it needed to restart the computer. After restarting it did not finish scanning nor did it run through all the stages. I looked and could not find a ComboFix Log anywhere. I attempted to rerun ComboFix and it did the same thing. It detected the RootKit.Zero Access and then restarted the computer before running or completing all the stages of the scan. Once it restarted the computer again it did not finish the scan and did not provide a Log. So, it seems I have a problem on the "C" drive as well as the "E" drive. What's next?

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:15 PM

Posted 15 January 2012 - 06:09 AM

The E drive issue pales into insignificance now. We'll clear it up later.

The ZeroAccess problem needs addressing now with something quieter than Combofix so please first run the following tools on your C drive.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Then


Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#14 rmoonks

rmoonks
  • Topic Starter

  • Members
  • 35 posts
  • Local time:06:15 AM

Posted 15 January 2012 - 01:41 PM

Attached are the logs from aswMBR and MBRCheck as requested. FYI, as the aswMBR was running, my Symantec Anti-virus (I thought I had it disabled) detected the Trojan.Gen.2 in a file named unp192373006.tmp. It quarantined the file. It said the original location was C:\documents and settings\rmoon\local settings\temp_avast4_\ I tried to copy the Symantec log into this post, but it gets all jumbled up because their log is in a spreadsheet format. I can't seem to attach the Symantec Log either because it saves it as a .csv file and this site won't let me attach that type of file. These Rootkit.ZeroAccess and Trojan.Gen.2 viruses are quite difficult to get rid of. I thought I had them gone once before. I really appreciate your assistance.


aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-15 11:50:45
-----------------------------
11:50:45.343 OS Version: Windows 5.1.2600 Service Pack 3
11:50:45.343 Number of processors: 2 586 0x1706
11:50:45.343 ComputerName: CJIS-34505 UserName: RMoon
11:50:45.578 Initialize success
11:53:01.765 AVAST engine defs: 12011501
11:53:26.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
11:53:26.500 Disk 0 Vendor: FUJITSU_MHW2160BJ_FFS_G2 0085001C Size: 152627MB BusType: 3
11:53:26.500 Disk 0 MBR read successfully
11:53:26.500 Disk 0 MBR scan
11:53:26.546 Disk 0 Windows 7 default MBR code
11:53:26.546 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38115 MB offset 63
11:53:26.562 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 114510 MB offset 78059835
11:53:26.562 Disk 0 scanning sectors +312576705
11:53:26.625 Disk 0 scanning C:\WINDOWS\system32\drivers
11:53:39.031 Service scanning
11:53:39.515 Service SysPlant C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys **LOCKED** 32
11:53:39.515 Service Teefer2 C:\WINDOWS\system32\DRIVERS\teefer2.sys **LOCKED** 32
11:53:39.531 Service WPS C:\WINDOWS\system32\drivers\wpsdrvnt.sys **LOCKED** 32
11:53:39.546 Service WpsHelper C:\WINDOWS\system32\drivers\WpsHelper.sys **LOCKED** 32
11:53:40.046 Modules scanning
11:53:44.890 Disk 0 trace - called modules:
11:53:44.906 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
11:53:44.906 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b29eab8]
11:53:44.906 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x8b2feb00]
11:53:45.250 AVAST engine scan C:\WINDOWS
11:53:49.453 AVAST engine scan C:\WINDOWS\system32
11:55:35.343 AVAST engine scan C:\WINDOWS\system32\drivers
11:55:46.312 AVAST engine scan C:\Documents and Settings\rmoon
11:56:33.000 AVAST engine scan C:\Documents and Settings\All Users
11:57:09.343 Scan finished successfully
12:00:57.187 Disk 0 MBR has been saved successfully to "G:\MBR.dat"
12:00:57.203 The log file has been saved successfully to "G:\aswMBR Log C Drive 1-15-12.txt"


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000005c

Kernel Drivers (total 171):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB9F4A000 pcmcia.sys
0xBA0B8000 MountMgr.sys
0xB9F2B000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F05000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9EED000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9ECD000 fltmgr.sys
0xB9EBB000 sr.sys
0xB9EA4000 KSecDD.sys
0xB9E17000 Ntfs.sys
0xB9DEA000 NDIS.sys
0xBA0F8000 ohci1394.sys
0xBA108000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB9DD0000 Mup.sys
0xBA268000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA288000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9723000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB970F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA410000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB96EB000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA418000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB96C3000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB9698000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xBA298000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB966C000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB95F1000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xBA420000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA428000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA578000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB95DD000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB95BA000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA580000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xBA584000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBA2F8000 \SystemRoot\System32\Drivers\tosrfcom.sys
0xBA684000 \SystemRoot\system32\DRIVERS\DAmirr.sys
0xBA685000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA308000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA588000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB95A3000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA318000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA128000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA430000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9592000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA138000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA438000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA440000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB94C2000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA148000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB949F000 \SystemRoot\system32\DRIVERS\teefer2.sys
0xBA5BA000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9441000 \SystemRoot\system32\DRIVERS\update.sys
0xB9DAC000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA168000 \SystemRoot\system32\DRIVERS\tosporte.sys
0xBA178000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA1B8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5BE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA91AC000 \SystemRoot\system32\drivers\sthda.sys
0xA9188000 \SystemRoot\system32\drivers\portcls.sys
0xBA1E8000 \SystemRoot\system32\drivers\drmk.sys
0xA9154000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xA9062000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xA8FAF000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xBA448000 \SystemRoot\System32\Drivers\Modem.SYS
0xA8E75000 \SystemRoot\System32\Drivers\SRTSP.SYS
0xBA278000 \SystemRoot\system32\DRIVERS\tosrfusb.sys
0xBA54C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB9532000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA480000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xA8CF5000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120112.034\NAVEX15.SYS
0xBA488000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xA8CD0000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xA8CBC000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120112.034\NAVENG.SYS
0xA8CA0000 \SystemRoot\system32\DRIVERS\tosrfbd.sys
0xBA560000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA8F8F000 \SystemRoot\System32\Drivers\oz776.sys
0xBA56C000 \SystemRoot\System32\Drivers\SMCLIB.SYS
0xBA4B0000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xBA340000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xA8C16000 \SystemRoot\system32\DRIVERS\Tosrfhid.sys
0xA8F6F000 \SystemRoot\System32\Drivers\tosrfbnp.sys
0xA8F4F000 \SystemRoot\System32\Drivers\SRTSPX.SYS
0xBA3B8000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xBA238000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xBA248000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
0xBA3D0000 \SystemRoot\system32\DRIVERS\tosrfnds.sys
0xBA3D8000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
0xBA1C8000 \SystemRoot\system32\drivers\usbaudio.sys
0xA8BF9000 \SystemRoot\System32\Drivers\pwd_2k.SYS
0xBA664000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6B1000 \SystemRoot\System32\Drivers\Null.SYS
0xBA666000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA3E0000 \SystemRoot\System32\drivers\vga.sys
0xA8C28000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0xBA668000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xA8C9C000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA66A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA6F8000 \SystemRoot\system32\drivers\Toshidpt.sys
0xA8B6A000 \SystemRoot\System32\Drivers\cdudf_xp.SYS
0xA8B35000 \SystemRoot\System32\Drivers\DVDVRRdr_xp.SYS
0xBA3E8000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA3F0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA8C68000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA8AE8000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA8A8F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB9502000 \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
0xA8A69000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB94F2000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA8A14000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0xA8F9F000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA89EC000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA8C48000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xA89CA000 \SystemRoot\System32\drivers\afd.sys
0xA8F3F000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA8960000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
0xA8895000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA8825000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA8F1F000 \SystemRoot\System32\Drivers\Fips.SYS
0xA87C7000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA87A9000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA8785000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA876D000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5BC000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA8BB1000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA470000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6D0000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xBA568000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xA8619000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xBA5DC000 \??\C:\Program Files\DesktopAuthority\DAInfo.sys
0xBA5DE000 \??\C:\Program Files\DesktopAuthority\DAtf.sys
0xA8074000 \SystemRoot\System32\Drivers\HTTP.sys
0xA7FCD000 \SystemRoot\system32\DRIVERS\srv.sys
0xA8048000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA7E78000 \SystemRoot\system32\drivers\wdmaud.sys
0xA7F5D000 \SystemRoot\system32\drivers\sysaudio.sys
0xBA5EC000 \??\C:\WINDOWS\system32\DRIVERS\WNTHW.SYS
0xBA4A8000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xA7BD7000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xA7A7F000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA390000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0xA72B7000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xA7F0D000 \??\C:\DOCUME~1\rmoon\LOCALS~1\Temp\aswMBR.sys
0xA6F74000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 58):
0 System Idle Process
4 System
952 C:\WINDOWS\system32\smss.exe
1012 csrss.exe
1040 C:\WINDOWS\system32\winlogon.exe
1084 C:\WINDOWS\system32\services.exe
1096 C:\WINDOWS\system32\lsass.exe
1260 C:\WINDOWS\system32\ati2evxx.exe
1280 C:\WINDOWS\system32\svchost.exe
1344 svchost.exe
1488 C:\WINDOWS\system32\svchost.exe
1564 C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
1672 svchost.exe
1788 svchost.exe
1912 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
740 C:\WINDOWS\system32\spoolsv.exe
820 scardsvr.exe
1472 C:\Program Files\Intel\AMT\atchksrv.exe
1576 C:\Program Files\DesktopAuthority\DAMaint.exe
1588 C:\Program Files\DesktopAuthority\DesktopAuthority.exe
1852 C:\WINDOWS\system32\svchost.exe
1712 C:\Program Files\Intel\AMT\LMS.exe
216 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
660 C:\WINDOWS\system32\ati2evxx.exe
932 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
1020 C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
1300 locator.exe
2080 C:\WINDOWS\system32\stacsv.exe
2164 C:\WINDOWS\system32\svchost.exe
2176 C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
2216 C:\Program Files\Intel\AMT\UNS.exe
2348 C:\WINDOWS\system32\searchindexer.exe
2476 C:\WINDOWS\novell\zenworks\bin\ZENPreAgent.exe
2808 C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.08004.63486\CBM\ScriptLogic.CBM.Agent.exe
3036 C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.08004.63486\SLClient.exe
3232 wmpnetwk.exe
3648 alg.exe
908 C:\WINDOWS\explorer.exe
2232 C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
2708 C:\WINDOWS\system32\hkcmd.exe
2936 C:\WINDOWS\system32\igfxpers.exe
2948 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
2788 C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.08004.63486\CBM\ScriptLogic.CBM.UserExperience.exe
3064 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
3172 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2980 C:\WINDOWS\system32\ctfmon.exe
3356 C:\WINDOWS\system32\igfxsrvc.exe
3256 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
1272 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
4052 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
1948 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
1420 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
4060 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
704 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
3132 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
2580 C:\WINDOWS\system32\msiexec.exe
3120 C:\WINDOWS\system32\wuauclt.exe
2620 C:\Documents and Settings\rmoon\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000009`4e327600 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHW2160BJFFSG2, Rev: 0085001C

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!
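As an added example (not code from the thread, from aswMBR or from MBRCheck), here is a Python parser for the 512-byte sector that aswMBR saved as MBR.dat in the log above. It verifies the 0x55AA boot signature, hashes the 440-byte boot-code area (the part a bootkit overwrites) separately from the whole sector, decodes the partition table into the same "flag type size offset" summary aswMBR prints, and reports whether the boot code differs between two saved copies. The sample sector in build_sample_mbr() is constructed: its two partition entries use the start sectors and sizes shown in the aswMBR log above, but the boot code bytes are a placeholder, not Windows 7 MBR code, so its hash will not match the SHA1 that MBRCheck printed.

```python
"""Parse a saved MBR sector (aswMBR's MBR.dat) and summarise what a responder compares.

Added example: not code from the BleepingComputer thread, from aswMBR or from MBRCheck.
The sample sector is constructed; only its partition layout is taken from the posted log.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: the boot loader a bootkit would replace
DISK_SIG_OFF = 440         # 4-byte NT disk signature follows the boot code
PART_TABLE_OFF = 446       # four 16-byte partition slots
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_partition_entry(raw):
    """Decode one 16-byte slot: boot flag, type id, LBA start, sector count (CHS fields skipped)."""
    boot_flag, type_id, start_lba, count = struct.unpack("<B3xB3xII", raw)
    if type_id == 0 and count == 0:
        return None                      # unused slot
    return {
        "bootable": boot_flag == 0x80,
        "type": type_id,                 # 0x07 = NTFS/HPFS
        "start_lba": start_lba,
        "sectors": count,
        "size_mb": count * SECTOR_SIZE // (1024 * 1024),   # same rounding aswMBR shows
    }


def parse_mbr(sector):
    """Return the fields worth comparing between two scans; raise on a non-MBR buffer."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        entry = parse_partition_entry(sector[off:off + PART_ENTRY_LEN])
        if entry:
            entry["index"] = i + 1
            parts.append(entry)
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest(),
        "sector_sha1": hashlib.sha1(sector).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": parts,
    }


def mbr_changed(before, after):
    """True when the boot-code area differs between two saved MBR.dat copies."""
    return parse_mbr(before)["boot_code_sha1"] != parse_mbr(after)["boot_code_sha1"]


def build_sample_mbr():
    """Constructed sector: layout from the posted aswMBR log, boot code is a placeholder."""
    boot_code = b"\xeb\xfe" + b"\x90" * (BOOT_CODE_LEN - 2)   # jmp $ + NOPs, NOT real MBR code
    disk_sig = b"\x12\x34\x56\x78"                             # arbitrary NT disk signature
    table = b"".join([
        struct.pack("<B3xB3xII", 0x80, 0x07, 63, 78059772),          # Partition 1: active NTFS, 38115 MB
        struct.pack("<B3xB3xII", 0x00, 0x07, 78059835, 234516870),   # Partition 2: NTFS, 114510 MB
        bytes(PART_ENTRY_LEN),
        bytes(PART_ENTRY_LEN),
    ])
    sector = boot_code + disk_sig + b"\x00\x00" + table + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print("boot code SHA1:", info["boot_code_sha1"], " whole sector SHA1:", info["sector_sha1"])
    for p in info["partitions"]:
        flag = "80 (A)" if p["bootable"] else "00"
        print(f"Partition {p['index']} {flag} {p['type']:02x} {p['size_mb']} MB offset {p['start_lba']}")
```

Run it as `python mbrparse.py G:\MBR.dat` to print the partition summary from the saved sector; saving MBR.dat before and after cleanup and feeding both copies to mbr_changed() tells you whether the boot code was touched. A clean MBR hash does not clear this machine on its own: the aswMBR log above reports locked driver services rather than modified MBR code, and a rootkit that hooks the disk stack can hand a scanner running on the infected OS a clean copy of the sector, which is why a read from an offline boot is the one to trust.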

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:15 PM

Posted 15 January 2012 - 06:42 PM

Locked drivers are suspicious so let's see if we can replace these with other copies on the machine.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    SysPlant.sys 
    teefer2.sys 
    wpsdrvnt.sys
    WpsHelper.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
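As an added example, not code from the thread or from SystemLook, the Python below does by hand what the :filefind request above asks for and then adds the comparison this step is leading to: it walks a tree for every copy of the four driver names (matching case-insensitively, as NTFS does), hashes each copy, and reports whether the file in system32\drivers matches the spare copies found elsewhere on the disk. The tree in build_sample_tree() is constructed for the demo with placeholder bytes, not real driver images, and the directory names such as Vendor/Driver Package are assumptions.

```python
"""Find every copy of the flagged driver names under a tree and compare their hashes.

Added example: not code from the thread, from SystemLook or from any vendor.
Directory names and file contents in build_sample_tree() are constructed
placeholders for the demo, not real driver images.
"""
import hashlib
import os
import sys
import tempfile

DRIVER_NAMES = ["SysPlant.sys", "teefer2.sys", "wpsdrvnt.sys", "WpsHelper.sys"]
LIVE_DIR = os.path.join("system32", "drivers")   # where the kernel loads drivers from


def sha256_file(path, chunk=1 << 20):
    """Hash a file; return None if it cannot be read (a locked driver is itself a finding)."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
        return h.hexdigest()
    except OSError:
        return None


def find_copies(root, names):
    """Walk the tree; match file names case-insensitively, as NTFS does."""
    wanted = {n.lower(): n for n in names}
    hits = {n: [] for n in names}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            canon = wanted.get(fn.lower())
            if canon is None:
                continue
            full = os.path.join(dirpath, fn)
            hits[canon].append({
                "path": full,
                "size": os.path.getsize(full),
                "sha256": sha256_file(full),
                "live": LIVE_DIR.lower() in dirpath.lower(),
            })
    return hits


def assess(hits):
    """One verdict per driver name, from the live copy and the spare copies."""
    verdicts = {}
    for name, copies in hits.items():
        live = [c for c in copies if c["live"]]
        spare = [c for c in copies if not c["live"]]
        if not copies:
            verdicts[name] = "not found"
        elif not live:
            verdicts[name] = "spare copies only; nothing loaded from system32\\drivers"
        elif live[0]["sha256"] is None:
            verdicts[name] = "live copy unreadable (locked?); hash it from an offline boot"
        elif not spare:
            verdicts[name] = "no spare copy to compare against"
        elif all(s["sha256"] == live[0]["sha256"] for s in spare):
            verdicts[name] = "consistent: live copy matches %d spare(s)" % len(spare)
        else:
            verdicts[name] = "DIVERGENT: live copy differs from a spare copy"
    return verdicts


def build_sample_tree(root):
    """Constructed fixture: one consistent pair, one divergent pair, one lone file, one absent."""
    files = {
        os.path.join("WINDOWS", "system32", "drivers", "teefer2.sys"): b"TEEFER2 v1",
        os.path.join("Vendor", "Driver Package", "teefer2.sys"): b"TEEFER2 v1",
        os.path.join("WINDOWS", "system32", "drivers", "SysPlant.sys"): b"SYSPLANT modified",
        os.path.join("Vendor", "Driver Package", "sysplant.sys"): b"SYSPLANT v1",
        os.path.join("WINDOWS", "system32", "drivers", "wpsdrvnt.sys"): b"WPS v1",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)


def run_demo():
    """Build the fixture in a temp dir, scan it, return (hits, verdicts)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = find_copies(root, DRIVER_NAMES)
        return hits, assess(hits)


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. python findcopies.py C:\
        hits = find_copies(sys.argv[1], DRIVER_NAMES)
        verdicts = assess(hits)
    else:
        hits, verdicts = run_demo()
    for name in DRIVER_NAMES:
        print(f"{name}: {verdicts[name]}")
        for c in hits[name]:
            print(f"    {'LIVE ' if c['live'] else 'spare'} {c['size']:>8} {c['sha256']} {c['path']}")
```

A divergent hash is a lead, not a verdict: a vendor update can legitimately leave a newer file in system32\drivers than in its install package, so check the version resource and Authenticode signature of both copies before swapping one in. A live copy that cannot be read at all from the running system matches the **LOCKED** entries in the aswMBR log above and should be hashed from an offline boot rather than trusted or replaced blind.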
