
Windows 7 infected with consrv.dll


22 replies to this topic

#1 andyat

andyat

  • Members
  • 11 posts

Posted 08 April 2012 - 07:42 AM

Hi,

I am running Windows 7 (64-bit) with AVG and Spybot. I noticed that my AVG wasn't updating, so I downloaded a new version and ran a scan which detected consrv.dll in my System32 folder.

When AVG quarantined this my computer would not restart, and the system repair brought it back without AVG and with consrv.dll back in the system folder.

I tried deleting it manually and the same thing happened. How can I go about getting rid of consrv.dll without crashing my computer?

Here is the log from DDS. Attach file is attached below.

Thanks in advance!
Andy

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_31
Run by Andrew at 8:35:28 on 2012-04-08
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.4044.1495 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\VERIZONDM\bin\sprtcmd.exe
C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\RunDll32.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\calc.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: TrueSuite Website Log On: {8590886e-ec8c-43c1-a32c-e4c2b0b6395b} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [Facebook Update] "C:\Users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [<NO NAME>]
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [VERIZONDM] "C:\Program Files (x86)\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM
mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Andrew\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\FACEBO~1.LNK - C:\Users\Andrew\AppData\Local\Facebook\Messenger\2.0.4478.0\FacebookMessenger.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAPFI~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A248E49D-2F4D-4B18-B8A0-A542FE3E1AEA} : DhcpNameServer = 4.2.2.1
TCP: Interfaces\{CE4CBDB6-1CB8-41B9-AD9A-F752B8FA2B08} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CE4CBDB6-1CB8-41B9-AD9A-F752B8FA2B08}\05471627D6967616E694E6E6 : DhcpNameServer = 216.237.254.4 216.237.254.5
TCP: Interfaces\{CE4CBDB6-1CB8-41B9-AD9A-F752B8FA2B08}\35471627C4F657E67656 : DhcpNameServer = 209.137.136.3 209.137.146.2
TCP: Interfaces\{CE4CBDB6-1CB8-41B9-AD9A-F752B8FA2B08}\37A6E65647 : DhcpNameServer = 192.168.1.254 192.168.0.1
TCP: Interfaces\{CE4CBDB6-1CB8-41B9-AD9A-F752B8FA2B08}\455677B6563726572797 : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{CE4CBDB6-1CB8-41B9-AD9A-F752B8FA2B08}\E65647765616271313 : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: TrueSuite Website Log On: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
BHO-X64: TSBHO Class - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [(Default)]
mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [VERIZONDM] "C:\Program Files (x86)\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM
mRun-x64: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\n8lvxl0a.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Andrew\AppData\Local\Facebook\Messenger\2.0.4478.0\npFbDesktopPlugin.dll
FF - plugin: C:\Users\Andrew\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\Andrew\AppData\Roaming\Mozilla\plugins\npicaN.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_228.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-11-29 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMPPALR3;Intel« Centrino« Wireless Bluetooth« 3.0 + High Speed Service;C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-8-31 1166848]
R2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-6-3 134928]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 FPLService;TrueSuiteService;C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2010-12-7 249672]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-9 86072]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-7-21 103992]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-8-5 291896]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-9-1 227896]
R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-9 26680]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-3-22 13592]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-11-29 2413056]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2011-5-9 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe [2011-5-16 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe [2011-5-16 185640]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-3-22 2656280]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AMPPAL;Intel« Centrino« Wireless Bluetooth« 3.0 + High Speed Virtual Adapter;C:\Windows\system32\DRIVERS\AMPPAL.sys --> C:\Windows\system32\DRIVERS\AMPPAL.sys [?]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 intelkmd;intelkmd;C:\Windows\system32\DRIVERS\igdpmd64.sys --> C:\Windows\system32\DRIVERS\igdpmd64.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys --> C:\Windows\system32\DRIVERS\RtsPStor.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
R3 wdkmd;Intel WiDi KMD;C:\Windows\system32\DRIVERS\WDKMD.sys --> C:\Windows\system32\DRIVERS\WDKMD.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-17 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-6 253600]
S3 AMPPALP;Intel« Centrino« Wireless Bluetooth« 3.0 + High Speed Protocol;C:\Windows\system32\DRIVERS\amppal.sys --> C:\Windows\system32\DRIVERS\amppal.sys [?]
S3 btwampfl;Bluetooth AMP USB Filter;C:\Windows\system32\drivers\btwampfl.sys --> C:\Windows\system32\drivers\btwampfl.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2011-7-27 340240]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-04-08 11:35:39 -------- d-----we C:\Windows\system64
2012-04-08 02:54:08 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
2012-04-08 01:17:31 -------- d-----w- C:\Users\Andrew\AppData\Local\{43C81E79-AA6D-4A4D-BCE3-C6296B0D6F03}
2012-04-08 00:59:45 -------- d-----w- C:\Users\Andrew\AppData\Local\{93217E64-E306-405B-9A20-9DC146C9A608}
2012-04-07 13:43:26 -------- d-----w- C:\Program Files (x86)\AVG
2012-04-07 12:15:22 -------- d-----w- C:\Users\Andrew\AppData\Local\{313A8B0F-6CB8-4C06-B632-2566F4338852}
2012-04-06 23:37:35 -------- d-----w- C:\Users\Andrew\AppData\Local\{5A2065A4-A00D-4DB5-A036-3430FE5EC323}
2012-04-06 15:28:45 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
2012-04-06 15:27:51 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-04-06 11:37:19 -------- d-----w- C:\Users\Andrew\AppData\Local\{7B4B45E3-BDF8-424C-9941-0C99A41224A9}
2012-04-05 15:51:54 -------- d-----w- C:\Users\Andrew\AppData\Local\{4FA547B8-A527-4166-9577-1C62D8889ED1}
2012-04-03 07:09:00 -------- d-----w- C:\Users\Andrew\AppData\Local\{AA754899-D507-4FFD-83FE-D7FCD28EC319}
2012-03-31 15:09:26 -------- d-----w- C:\Users\Andrew\AppData\Local\{73B4B055-E68E-4A40-993F-A22C108B72C3}
2012-03-22 15:03:17 -------- d-----w- C:\Users\Andrew\AppData\Local\CyberLink
2012-03-22 14:39:05 -------- d-----w- C:\Users\Andrew\AppData\Local\{45F7C4B5-C817-4F28-B48E-73EAAD328686}
2012-03-22 14:38:29 -------- d-----w- C:\Users\Andrew\AppData\Local\{4087996F-54A3-4F35-9934-6BE3B7C46F22}
2012-03-22 02:01:02 -------- d-----w- C:\Users\Andrew\AppData\Local\{85468810-D3FD-4E40-95EE-F82875DF76AA}
2012-03-22 02:00:47 -------- d-----w- C:\Users\Andrew\AppData\Local\{20D7B21A-7AF3-4ACA-88F6-8F5E19B84C35}
2012-03-21 14:00:36 -------- d-----w- C:\Users\Andrew\AppData\Local\{EB127CE6-F379-4A8F-9E41-3633D5D1F759}
2012-03-21 00:37:26 -------- d-----w- C:\Users\Andrew\AppData\Local\{8B329B0F-467B-441B-BB53-C7E220917669}
2012-03-20 12:37:05 -------- d-----w- C:\Users\Andrew\AppData\Local\{9305FA85-6B1F-469B-B1AE-7400FAF537F3}
2012-03-19 22:52:27 -------- d-----w- C:\Users\Andrew\AppData\Local\{59047FEC-A62A-41AC-A42F-2CEFDB8E5E81}
2012-03-19 22:52:08 -------- d-----w- C:\Users\Andrew\AppData\Local\{D9D0CBDC-4E63-46DE-803E-29685433F643}
2012-03-19 12:34:40 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-19 12:34:39 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-19 12:34:39 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-18 13:04:12 -------- d-----w- C:\Users\Andrew\AppData\Local\{E5F56977-232A-4841-BA5C-E564BE97DD47}
2012-03-18 13:03:54 -------- d-----w- C:\Users\Andrew\AppData\Local\{542A9853-4B4D-4E36-8526-F30DDC82A872}
2012-03-17 21:41:11 -------- d-----w- C:\Users\Andrew\AppData\Local\{32093011-B7FA-433F-81C0-0F032FCCC6B3}
2012-03-17 21:40:20 -------- d-----w- C:\Users\Andrew\AppData\Local\{F44D89A9-006A-4325-840B-0C1A3CD6D97B}
2012-03-16 11:14:59 -------- d-----w- C:\Users\Andrew\AppData\Local\{FA4B4CF3-96BF-431A-A0BA-85F0707220C0}
2012-03-16 11:14:48 -------- d-----w- C:\Users\Andrew\AppData\Local\{C3FDCAA9-4715-476E-8C7D-E74FABA04214}
2012-03-15 21:59:07 -------- d-----w- C:\Users\Andrew\AppData\Local\{FFC6965E-93CF-46E1-B56E-53C5F4148010}
2012-03-15 21:58:58 -------- d-----w- C:\Users\Andrew\AppData\Local\{F149DC84-E0D1-4518-A097-5C65136F3213}
2012-03-15 02:46:05 -------- d-----w- C:\Users\Andrew\AppData\Local\{0028F642-57CB-4EDD-A522-48E31B3A64D5}
2012-03-15 02:45:55 -------- d-----w- C:\Users\Andrew\AppData\Local\{88AC3B10-D644-428C-9AFA-85FEBA96ACE9}
2012-03-14 21:34:41 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-03-14 21:34:40 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-03-14 21:34:40 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-03-14 12:15:52 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-14 12:15:52 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-14 12:15:52 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-03-14 12:15:52 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-14 12:15:52 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-14 12:15:52 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-03-14 12:15:52 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-03-14 12:04:12 -------- d-----w- C:\Users\Andrew\AppData\Local\{3E1E1696-C4FC-431B-80C9-95413856D155}
2012-03-14 12:03:56 -------- d-----w- C:\Users\Andrew\AppData\Local\{0DCEEE92-E971-46D4-8F11-DB3F6937055B}
2012-03-13 23:26:43 -------- d-----w- C:\Users\Andrew\AppData\Local\{A24A7E3B-025D-42F0-8AFD-C1DAAD177E97}
2012-03-13 23:26:33 -------- d-----w- C:\Users\Andrew\AppData\Local\{0F38C099-79A9-416C-A526-739EEB22ED52}
2012-03-13 11:26:20 -------- d-----w- C:\Users\Andrew\AppData\Local\{C0F284EC-1370-4B5C-8D97-FA51E1A81305}
2012-03-13 11:25:59 -------- d-----w- C:\Users\Andrew\AppData\Local\{847F6E86-04F3-43C4-8941-3B8975CD60FE}
.
==================== Find3M ====================
.
2012-04-07 12:40:19 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-27 22:27:19 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
.
============= FINISH: 8:35:54.67 ===============
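
The line `SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4` in the DDS log above is the one worth reading closely: csrss.exe loads every ServerDll named in that value at boot, and on Windows 7 the console server entry normally points at winsrv, not at a separate consrv module. A module name that is not part of the stock set means a DLL in System32 is being loaded into the session process at every start, and if that file is deleted while the value still references it, the session cannot start, which matches the failure to restart described in the first post. The Python below is an added example, not part of this thread and not code from DDS or FRST: it parses a DDS `SubSystems:` line or the raw registry value and reports any deviation from the Windows 7 default set. The baseline set, the clean sample line and the sample registry value are assumptions modelled on a stock Windows 7 install.

```python
"""Audit the CSRSS ServerDll list against the Windows 7 default.

Added example for this thread (not from the original post, DDS or FRST).
Accepts either the abbreviated DDS form ("SubSystems: Windows = ...") or the
raw "Windows" value under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SubSystems.
"""
import re

# Assumed Windows 7 stock ServerDll entries: (module, entry point, index).
# Note that the console server lives in winsrv, not in a separate module.
WIN7_DEFAULT_SERVER_DLLS = {
    ("basesrv", None, 1),
    ("winsrv", "UserServerDllInitialization", 3),
    ("winsrv", "ConServerDllInitialization", 2),
    ("sxssrv", None, 4),
}

# Raw registry form: only tokens prefixed with ServerDll= are server DLLs.
_REGISTRY_TOKEN = re.compile(r"ServerDll=([A-Za-z0-9_.]+)(?::([A-Za-z0-9_]+))?,(\d+)")
# DDS form: every token after "Windows =" is "module[:entry],index".
_DDS_TOKEN = re.compile(r"\b([A-Za-z0-9_.]+)(?::([A-Za-z0-9_]+))?,(\d+)\b")


def parse_server_dlls(line):
    """Return the (module, entry, index) tuples found in the line."""
    if "ServerDll=" in line:
        pattern = _REGISTRY_TOKEN
    else:
        pattern = _DDS_TOKEN
        if line.lstrip().startswith("SubSystems:"):
            line = line.split("=", 1)[1]
    return [(m.group(1).lower(), m.group(2), int(m.group(3)))
            for m in pattern.finditer(line)]


def _fmt(module, entry, index):
    return f"{module}{':' + entry if entry else ''},{index}"


def audit_subsystems(line):
    """Return findings as strings; an empty list means the line matches the default."""
    found = parse_server_dlls(line)
    findings = []
    # Any module outside the stock set is a DLL csrss.exe will load at boot.
    for module, entry, index in found:
        if (module, entry, index) not in WIN7_DEFAULT_SERVER_DLLS:
            findings.append("unexpected ServerDll " + _fmt(module, entry, index))
    # A displaced default entry usually shows up as "missing" next to the intruder.
    for module, entry, index in sorted(WIN7_DEFAULT_SERVER_DLLS - set(found),
                                       key=lambda t: t[2]):
        findings.append("missing default ServerDll " + _fmt(module, entry, index))
    return findings


# Constructed sample input: the line from the DDS log in this thread, plus a
# clean Windows 7 line in DDS form and the same baseline as a raw registry value.
DDS_LINE_FROM_THREAD = ("SubSystems: Windows = basesrv,1 "
                        "winsrv:UserServerDllInitialization,3 "
                        "consrv:ConServerDllInitialization,2 sxssrv,4")
DDS_LINE_CLEAN = ("SubSystems: Windows = basesrv,1 "
                  "winsrv:UserServerDllInitialization,3 "
                  "winsrv:ConServerDllInitialization,2 sxssrv,4")
REGISTRY_VALUE_CLEAN = (
    "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16")

if __name__ == "__main__":
    for label, line in (("thread", DDS_LINE_FROM_THREAD),
                        ("clean DDS", DDS_LINE_CLEAN),
                        ("clean registry", REGISTRY_VALUE_CLEAN)):
        print(label, "->", audit_subsystems(line) or ["matches Windows 7 default"])
```

The check deliberately reports both the intruding entry and the default entry it displaced, since on the line above the console server index 2 has been moved from winsrv to consrv rather than simply added; a tool that only looked for "extra" entries would still catch it, but the pairing makes the substitution obvious in a log review. The baseline only covers Windows 7; later Windows versions drop the console server entry altogether, so the set would need adjusting before using this against their registry values.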

#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 08 April 2012 - 08:13 AM

Hi

Please run the following:


For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 andyat

andyat
  • Topic Starter

  • Members
  • 11 posts

Posted 10 April 2012 - 06:20 AM

Hi CatByte

Here is the log from FRST

Scan result of Farbar Recovery Scan Tool Version: 15-03-2012
Ran by SYSTEM at 10-04-2012 07:09:30
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2799912 2011-11-29] (Synaptics Incorporated)
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-07-21] (Hewlett-Packard Company)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167960 2011-03-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391704 2011-03-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [418840 2011-03-25] (Intel Corporation)
HKLM\...\Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray [1935120 2011-07-27] (Intel® Corporation)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-11-29] (IDT, Inc.)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-05-20] (Intel Corporation)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2010-12-30] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2011-11-29] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [586296 2010-11-09] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-28] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2011-04-26] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [VERIZONDM] "C:\Program Files (x86)\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM [206120 2011-05-15] (SupportSoft, Inc.)
HKLM-x32\...\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKU\Andrew\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-11-22] (Hewlett-Packard Company)
HKU\Andrew\...\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\Andrew\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1242448 2011-08-12] (Valve Corporation)
HKU\Andrew\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4283256 2011-05-12] (Microsoft Corporation)
HKU\Andrew\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [17351304 2011-10-13] (Skype Technologies S.A.)
HKU\Andrew\...\Run: [Facebook Update] "C:\Users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [137536 2012-04-06] (Facebook Inc.)
HKU\Andrew\...\Run: [Google Update] "C:\Users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-04-09] (Google Inc.)
HKU\Andrew\...\Policies\system: [disableregistrytools] 0
HKU\Marina\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-11-22] (Hewlett-Packard Company)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [253600 2012-04-07] (Adobe Systems Incorporated)
2 AMPPALR3; C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [1166848 2011-08-31] (Intel Corporation)
2 BTHSSecurityMgr; "C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe" [134928 2011-06-03] (Intel® Corporation)
2 FPLService; "C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe" [249672 2010-12-07] (HP)
2 HP Support Assistant Service; "C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe" [86072 2011-09-09] (Hewlett-Packard Company)
2 HP Wireless Assistant Service; "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe" [103992 2010-07-21] (Hewlett-Packard Company)
2 HPClientSvc; "C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe" [291896 2010-08-05] (Hewlett-Packard Company)
2 hpsrv; C:\Windows\System32\Hpservice.exe [30520 2011-05-13] (Hewlett-Packard Company)
2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [26680 2010-11-09] (Hewlett-Packard Development Company, L.P.)
2 IAStorDataMgrSvc; "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe" [13592 2011-05-20] (Intel Corporation)
2 IconMan_R; "C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe" [2413056 2011-11-29] (Realsil Microelectronics Inc.)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-07-27] ()
2 rrspy; C:\Windows\System32\zebrsce.dll [6656 2009-07-13] (Oak Technology Inc.)
2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-25] (Safer Networking Ltd.)
2 sprtsvc_verizondm; C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe /service /p verizondm [206120 2011-05-15] (SupportSoft, Inc.)
2 tgsrvc_verizondm; C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe /p verizondm [185640 2011-05-15] (SupportSoft, Inc.)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2010-11-23] (Intel Corporation)
2 WinDefend; %ProgramFiles(x86)%\Windows Defender\mpsvc.dll [x]

========================== Drivers (Whitelisted) =============

3 Accelerometer; C:\Windows\System32\Drivers\Accelerometer.sys [43320 2011-05-13] (Hewlett-Packard Company)
3 AMPPAL; C:\Windows\System32\Drivers\AMPPAL.sys [299008 2011-08-08] (Windows ® Win 7 DDK provider)
3 AMPPALP; C:\Windows\System32\DRIVERS\amppal.sys [299008 2011-08-08] (Windows ® Win 7 DDK provider)
3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [95232 2009-07-13] (Microsoft Corporation)
3 clwvd; C:\Windows\System32\Drivers\clwvd.sys [31088 2010-12-10] (CyberLink Corporation)
0 hpdskflt; C:\Windows\System32\Drivers\hpdskflt.sys [30008 2011-05-13] (Hewlett-Packard Company)
3 intelkmd; C:\Windows\System32\DRIVERS\igdpmd64.sys [12262336 2011-03-25] (Intel Corporation)
3 NETwNs64; C:\Windows\System32\Drivers\NETwNs64.sys [8604672 2011-08-03] (Intel Corporation)
3 RSPCIESTOR; C:\Windows\System32\DRIVERS\RtsPStor.sys [338536 2011-11-29] (Realtek Semiconductor Corp.)
3 wdkmd; C:\Windows\System32\Drivers\wdkmd.sys [42392 2010-12-01] (Intel Corporation)

========================== NetSvcs (Whitelisted) ===========
NETSVC: framework
NETSVC: rrspy

============ One Month Created Files and Folders ==============

2012-04-09 17:25 - 2012-04-09 17:25 - 0002322 ____A C:\Users\Andrew\Desktop\Google Chrome.lnk
2012-04-09 17:24 - 2012-04-10 02:52 - 0000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001UA.job
2012-04-09 17:24 - 2012-04-09 17:29 - 0000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001Core.job
2012-04-09 17:23 - 2012-04-09 17:23 - 0739824 ____A (Google Inc.) C:\Users\Andrew\Downloads\ChromeSetup(1).exe
2012-04-08 07:48 - 2012-04-08 07:48 - 0000000 ____D C:\Users\Andrew\AppData\Local\{988670CC-B6DE-4118-B949-232D894EEF53}
2012-04-08 04:41 - 2012-04-08 04:41 - 0019912 ____A C:\Users\Andrew\Desktop\Attach.txt
2012-04-08 04:29 - 2012-04-08 04:29 - 0607260 ____R (Swearware) C:\Users\Andrew\Desktop\dds.scr
2012-04-08 03:35 - 2012-04-08 03:35 - 0000000 ____D C:\Windows\system64
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\system.tmp.LOG2
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\system.tmp.LOG1
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\software.tmp.LOG2
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\software.tmp.LOG1
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\security.tmp.LOG2
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\security.tmp.LOG1
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\sam.tmp.LOG2
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\sam.tmp.LOG1
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\default.tmp.LOG2
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\default.tmp.LOG1
2012-04-07 19:01 - 2012-04-08 03:59 - 0000000 ____D C:\Windows\ERDNT
2012-04-07 18:54 - 2012-04-08 07:33 - 0000000 ____D C:\Windows\SysWOW64\Drivers\AVG
2012-04-07 18:47 - 2012-04-07 18:47 - 3869480 ____A (AVG Technologies) C:\Users\Andrew\Downloads\avg_free_stb_all_2012_2125_cnet.exe
2012-04-07 18:44 - 2012-04-08 03:59 - 0000000 ___SD C:\32788R22FWJFW
2012-04-07 17:17 - 2012-04-07 17:17 - 0000000 ____D C:\Users\Andrew\AppData\Local\{43C81E79-AA6D-4A4D-BCE3-C6296B0D6F03}
2012-04-07 16:59 - 2012-04-07 16:59 - 0000000 ____D C:\Users\Andrew\AppData\Local\{93217E64-E306-405B-9A20-9DC146C9A608}
2012-04-07 14:27 - 2012-04-07 14:27 - 0441300 ___RA C:\Windows\System32\Drivers\etc\hosts
2012-04-07 05:43 - 2012-04-07 18:15 - 0000000 ____D C:\Program Files (x86)\AVG
2012-04-07 05:33 - 2012-04-07 05:39 - 0405204 ____A C:\Users\Andrew\Downloads\avgremover.log
2012-04-07 05:33 - 2012-04-07 05:33 - 2899344 ____A (AVG Technologies CZ, s.r.o.) C:\Users\Andrew\Downloads\avg_remover_stf_x64_2012_2125.exe
2012-04-07 05:33 - 2012-04-07 05:33 - 0060373 ____A C:\Users\Andrew\Downloads\avgremover_msilog.txt
2012-04-07 05:28 - 2012-04-07 05:28 - 3867712 ____A (AVG Technologies) C:\Users\Andrew\Downloads\avg_isct_stb_all_2012_2126_free.exe
2012-04-07 04:15 - 2012-04-07 04:15 - 0000000 ____D C:\Users\Andrew\AppData\Local\{313A8B0F-6CB8-4C06-B632-2566F4338852}
2012-04-06 17:59 - 2012-04-06 17:59 - 0493512 ____A (Facebook Inc.) C:\Users\Andrew\Downloads\FacebookMessengerSetup.exe
2012-04-06 17:59 - 2012-04-06 17:59 - 0001338 ____A C:\Users\Andrew\Start Menu\Programs\Startup\Facebook Messenger.lnk
2012-04-06 17:59 - 2012-04-06 17:59 - 0001338 ____A C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Messenger.lnk
2012-04-06 15:37 - 2012-04-06 15:37 - 0000000 ____D C:\Users\Andrew\AppData\Local\{5A2065A4-A00D-4DB5-A036-3430FE5EC323}
2012-04-06 07:28 - 2012-04-08 03:36 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-04-06 07:27 - 2012-04-10 02:52 - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-04-06 07:27 - 2012-04-07 18:43 - 0000000 ____D C:\Users\All Users\Yahoo!
2012-04-06 07:27 - 2012-04-07 18:43 - 0000000 ____D C:\ProgramData\Yahoo!
2012-04-06 07:27 - 2012-04-07 04:40 - 0418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-06 07:25 - 2012-04-06 07:25 - 0424072 ____A (Yahoo! Inc.) C:\Users\Andrew\Downloads\msgr11us(1).exe
2012-04-06 03:37 - 2012-04-06 03:37 - 0000000 ____D C:\Users\Andrew\AppData\Local\{7B4B45E3-BDF8-424C-9941-0C99A41224A9}
2012-04-05 07:51 - 2012-04-05 07:52 - 0000000 ____D C:\Users\Andrew\AppData\Local\{4FA547B8-A527-4166-9577-1C62D8889ED1}
2012-04-02 23:09 - 2012-04-04 13:17 - 0000000 ____D C:\Users\Andrew\AppData\Local\{AA754899-D507-4FFD-83FE-D7FCD28EC319}
2012-03-31 11:19 - 2012-03-31 11:19 - 0013573 ____A C:\Users\Andrew\Downloads\687d4e74.gif
2012-03-31 07:09 - 2012-03-31 07:09 - 0000000 ____D C:\Users\Andrew\AppData\Local\{73B4B055-E68E-4A40-993F-A22C108B72C3}
2012-03-27 14:27 - 2012-03-27 14:27 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-03-27 14:27 - 2012-03-27 14:27 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-03-27 14:27 - 2012-03-27 14:27 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-03-22 07:03 - 2012-04-07 18:15 - 0000000 ____D C:\Users\Andrew\AppData\Local\CyberLink
2012-03-22 07:03 - 2012-03-22 07:03 - 0000000 ____D C:\Users\Andrew\Documents\Youcam
2012-03-22 07:03 - 2012-03-22 07:03 - 0000000 ____D C:\Users\Andrew\AppData\Roaming\CyberLink
2012-03-22 06:39 - 2012-03-22 06:39 - 0000000 ____D C:\Users\Andrew\AppData\Local\{45F7C4B5-C817-4F28-B48E-73EAAD328686}
2012-03-22 06:38 - 2012-03-22 06:39 - 0000000 ____D C:\Users\Andrew\AppData\Local\{4087996F-54A3-4F35-9934-6BE3B7C46F22}
2012-03-21 18:01 - 2012-03-21 18:01 - 0000000 ____D C:\Users\Andrew\AppData\Local\{85468810-D3FD-4E40-95EE-F82875DF76AA}
2012-03-21 18:00 - 2012-03-21 18:01 - 0000000 ____D C:\Users\Andrew\AppData\Local\{20D7B21A-7AF3-4ACA-88F6-8F5E19B84C35}
2012-03-21 06:00 - 2012-03-21 06:00 - 0000000 ____D C:\Users\Andrew\AppData\Local\{EB127CE6-F379-4A8F-9E41-3633D5D1F759}
2012-03-20 16:37 - 2012-03-20 16:37 - 0000000 ____D C:\Users\Andrew\AppData\Local\{8B329B0F-467B-441B-BB53-C7E220917669}
2012-03-20 04:37 - 2012-03-20 04:37 - 0000000 ____D C:\Users\Andrew\AppData\Local\{9305FA85-6B1F-469B-B1AE-7400FAF537F3}
2012-03-19 14:52 - 2012-03-21 06:00 - 0000000 ____D C:\Users\Andrew\AppData\Local\{D9D0CBDC-4E63-46DE-803E-29685433F643}
2012-03-19 14:52 - 2012-03-19 14:52 - 0000000 ____D C:\Users\Andrew\AppData\Local\{59047FEC-A62A-41AC-A42F-2CEFDB8E5E81}
2012-03-19 04:34 - 2011-11-19 07:20 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-19 04:34 - 2011-11-19 06:50 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-19 04:34 - 2011-11-19 06:50 - 3913584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-18 05:04 - 2012-03-18 05:04 - 0000000 ____D C:\Users\Andrew\AppData\Local\{E5F56977-232A-4841-BA5C-E564BE97DD47}
2012-03-18 05:03 - 2012-03-18 05:04 - 0000000 ____D C:\Users\Andrew\AppData\Local\{542A9853-4B4D-4E36-8526-F30DDC82A872}
2012-03-17 13:41 - 2012-03-17 13:41 - 0000000 ____D C:\Users\Andrew\AppData\Local\{32093011-B7FA-433F-81C0-0F032FCCC6B3}
2012-03-17 13:40 - 2012-03-17 13:41 - 0000000 ____D C:\Users\Andrew\AppData\Local\{F44D89A9-006A-4325-840B-0C1A3CD6D97B}
2012-03-16 03:14 - 2012-03-16 03:15 - 0000000 ____D C:\Users\Andrew\AppData\Local\{FA4B4CF3-96BF-431A-A0BA-85F0707220C0}
2012-03-16 03:14 - 2012-03-16 03:14 - 0000000 ____D C:\Users\Andrew\AppData\Local\{C3FDCAA9-4715-476E-8C7D-E74FABA04214}
2012-03-15 13:59 - 2012-03-15 13:59 - 0000000 ____D C:\Users\Andrew\AppData\Local\{FFC6965E-93CF-46E1-B56E-53C5F4148010}
2012-03-15 13:58 - 2012-03-15 13:59 - 0000000 ____D C:\Users\Andrew\AppData\Local\{F149DC84-E0D1-4518-A097-5C65136F3213}
2012-03-14 18:46 - 2012-03-14 18:46 - 0000000 ____D C:\Users\Andrew\AppData\Local\{0028F642-57CB-4EDD-A522-48E31B3A64D5}
2012-03-14 18:45 - 2012-03-14 18:46 - 0000000 ____D C:\Users\Andrew\AppData\Local\{88AC3B10-D644-428C-9AFA-85FEBA96ACE9}
2012-03-14 13:34 - 2012-02-09 22:36 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-03-14 13:34 - 2012-02-09 21:38 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-03-14 13:34 - 2012-02-02 20:34 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-14 04:15 - 2012-02-16 22:38 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-03-14 04:15 - 2012-02-16 21:34 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-03-14 04:15 - 2012-02-16 20:58 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-03-14 04:15 - 2012-02-16 20:57 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-03-14 04:15 - 2012-01-24 22:38 - 0149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-03-14 04:15 - 2012-01-24 22:38 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-03-14 04:15 - 2012-01-24 22:33 - 0009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-03-14 04:04 - 2012-03-14 04:04 - 0000000 ____D C:\Users\Andrew\AppData\Local\{3E1E1696-C4FC-431B-80C9-95413856D155}
2012-03-14 04:03 - 2012-03-14 04:04 - 0000000 ____D C:\Users\Andrew\AppData\Local\{0DCEEE92-E971-46D4-8F11-DB3F6937055B}
2012-03-13 15:26 - 2012-03-13 15:26 - 0000000 ____D C:\Users\Andrew\AppData\Local\{A24A7E3B-025D-42F0-8AFD-C1DAAD177E97}
2012-03-13 15:26 - 2012-03-13 15:26 - 0000000 ____D C:\Users\Andrew\AppData\Local\{0F38C099-79A9-416C-A526-739EEB22ED52}
2012-03-13 03:26 - 2012-03-13 03:26 - 0000000 ____D C:\Users\Andrew\AppData\Local\{C0F284EC-1370-4B5C-8D97-FA51E1A81305}
2012-03-13 03:25 - 2012-03-13 03:26 - 0000000 ____D C:\Users\Andrew\AppData\Local\{847F6E86-04F3-43C4-8941-3B8975CD60FE}


============ 3 Months Modified Files and Folders =============

2012-04-10 07:09 - 2012-04-10 07:09 - 0000000 ____D C:\FRST
2012-04-10 03:05 - 2011-03-21 20:35 - 1923675 ____A C:\Windows\WindowsUpdate.log
2012-04-10 03:04 - 2011-12-12 18:35 - 0000932 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001UA.job
2012-04-10 02:53 - 2011-05-09 23:55 - 0000000 ____D C:\Users\Andrew\AppData\Roaming\Skype
2012-04-10 02:52 - 2012-04-09 17:24 - 0000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001UA.job
2012-04-10 02:52 - 2012-04-06 07:27 - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-04-09 18:04 - 2011-12-12 18:35 - 0000910 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001Core.job
2012-04-09 17:29 - 2012-04-09 17:24 - 0000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001Core.job
2012-04-09 17:25 - 2012-04-09 17:25 - 0002322 ____A C:\Users\Andrew\Desktop\Google Chrome.lnk
2012-04-09 17:24 - 2011-08-08 22:32 - 0000000 ____D C:\Users\Andrew\AppData\Local\Google
2012-04-09 17:23 - 2012-04-09 17:23 - 0739824 ____A (Google Inc.) C:\Users\Andrew\Downloads\ChromeSetup(1).exe
2012-04-08 09:23 - 2011-06-03 21:42 - 0000000 ____D C:\Users\Andrew\AppData\Local\CrashDumps
2012-04-08 07:48 - 2012-04-08 07:48 - 0000000 ____D C:\Users\Andrew\AppData\Local\{988670CC-B6DE-4118-B949-232D894EEF53}
2012-04-08 07:34 - 2012-01-22 15:23 - 0000000 ____D C:\users\Marina
2012-04-08 07:34 - 2011-10-13 04:42 - 0000000 ____D C:\Users\All Users\AVG2012
2012-04-08 07:34 - 2011-10-13 04:42 - 0000000 ____D C:\ProgramData\AVG2012
2012-04-08 07:34 - 2009-07-13 19:18 - 0000000 __SHD C:\$Recycle.Bin
2012-04-08 07:33 - 2012-04-07 18:54 - 0000000 ____D C:\Windows\SysWOW64\Drivers\AVG
2012-04-08 07:33 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2012-04-08 07:32 - 2011-05-09 13:55 - 0000000 ____D C:\Users\All Users\MFAData
2012-04-08 07:32 - 2011-05-09 13:55 - 0000000 ____D C:\ProgramData\MFAData
2012-04-08 07:32 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Public
2012-04-08 05:06 - 2009-07-13 21:13 - 0727334 ____A C:\Windows\System32\PerfStringBackup.INI
2012-04-08 04:41 - 2012-04-08 04:41 - 0019912 ____A C:\Users\Andrew\Desktop\Attach.txt
2012-04-08 04:39 - 2009-07-13 20:45 - 0023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-08 04:39 - 2009-07-13 20:45 - 0023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-08 04:29 - 2012-04-08 04:29 - 0607260 ____R (Swearware) C:\Users\Andrew\Desktop\dds.scr
2012-04-08 03:59 - 2012-04-07 19:01 - 0000000 ____D C:\Windows\ERDNT
2012-04-08 03:59 - 2012-04-07 18:44 - 0000000 ___SD C:\32788R22FWJFW
2012-04-08 03:36 - 2012-04-06 07:28 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-04-08 03:36 - 2011-05-13 17:19 - 0000000 ____D C:\Users\Andrew\Tracing
2012-04-08 03:36 - 2011-05-10 00:58 - 0000000 ____D C:\Program Files (x86)\Steam
2012-04-08 03:36 - 2011-05-08 15:19 - 0000000 ____D C:\users\Andrew
2012-04-08 03:35 - 2012-04-08 03:35 - 0000000 ____D C:\Windows\system64
2012-04-08 03:35 - 2011-03-21 21:06 - 3180220416 __ASH C:\hiberfil.sys
2012-04-08 03:35 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-08 03:35 - 2009-07-13 20:51 - 0064784 ____A C:\Windows\setupact.log
2012-04-08 03:35 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2012-04-07 21:11 - 2011-10-13 04:42 - 0000000 ____D C:\Users\Andrew\AppData\Roaming\AVG2012
2012-04-07 21:11 - 2011-05-09 14:20 - 0000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-04-07 21:11 - 2011-05-09 14:20 - 0000000 ____D C:\ProgramData\Spybot - Search & Destroy
2012-04-07 19:13 - 2009-07-13 18:34 - 67633152 ____A C:\Windows\System32\config\software.bak
2012-04-07 19:13 - 2009-07-13 18:34 - 5505024 ____A C:\Windows\System32\config\default.bak
2012-04-07 19:13 - 2009-07-13 18:34 - 16777216 ____A C:\Windows\System32\config\system.bak
2012-04-07 19:13 - 2009-07-13 18:34 - 0262144 ____A C:\Windows\System32\config\security.bak
2012-04-07 19:13 - 2009-07-13 18:34 - 0262144 ____A C:\Windows\System32\config\sam.bak
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\system.tmp.LOG2
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\system.tmp.LOG1
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\software.tmp.LOG2
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\software.tmp.LOG1
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\security.tmp.LOG2
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\security.tmp.LOG1
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\sam.tmp.LOG2
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\sam.tmp.LOG1
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\default.tmp.LOG2
2012-04-07 19:12 - 2012-04-07 19:12 - 0000000 __ASH C:\Windows\System32\config\default.tmp.LOG1
2012-04-07 18:47 - 2012-04-07 18:47 - 3869480 ____A (AVG Technologies) C:\Users\Andrew\Downloads\avg_free_stb_all_2012_2125_cnet.exe
2012-04-07 18:43 - 2012-04-06 07:27 - 0000000 ____D C:\Users\All Users\Yahoo!
2012-04-07 18:43 - 2012-04-06 07:27 - 0000000 ____D C:\ProgramData\Yahoo!
2012-04-07 18:43 - 2012-02-16 16:24 - 0000000 ____D C:\Program Files (x86)\Yahoo!
2012-04-07 18:43 - 2011-05-08 15:19 - 0000000 ____D C:\Users\Andrew\AppData\LocalLow
2012-04-07 18:19 - 2011-11-15 17:24 - 0000000 ____D C:\Users\All Users\Intel
2012-04-07 18:19 - 2011-11-15 17:24 - 0000000 ____D C:\ProgramData\Intel
2012-04-07 18:19 - 2011-05-28 18:55 - 0000000 ____D C:\Program Files (x86)\iTunes
2012-04-07 18:19 - 2011-05-28 18:53 - 0000000 ____D C:\Program Files (x86)\Bonjour
2012-04-07 18:19 - 2011-05-09 13:53 - 0000000 ____D C:\Program Files\Mozilla Firefox
2012-04-07 18:19 - 2011-01-29 20:04 - 0000000 ____D C:\Program Files (x86)\Hewlett-Packard
2012-04-07 18:15 - 2012-04-07 05:43 - 0000000 ____D C:\Program Files (x86)\AVG
2012-04-07 18:15 - 2012-03-22 07:03 - 0000000 ____D C:\Users\Andrew\AppData\Local\CyberLink
2012-04-07 18:15 - 2012-02-05 08:59 - 0000000 ____D C:\Program Files (x86)\CamStudio 2.6b
2012-04-07 18:15 - 2011-12-28 07:33 - 0000000 ____D C:\Program Files (x86)\Ubisoft
2012-04-07 18:15 - 2011-12-12 18:35 - 0000000 ____D C:\Users\Andrew\AppData\Local\Facebook
2012-04-07 18:15 - 2011-11-29 16:01 - 0000000 ____D C:\Program Files\IDT
2012-04-07 18:15 - 2011-11-21 21:07 - 0000000 ____D C:\Windows\System32\Macromed
2012-04-07 18:15 - 2011-11-15 17:23 - 0000000 ____D C:\Program Files (x86)\Cisco
2012-04-07 18:15 - 2011-10-27 14:47 - 0000000 ____D C:\Users\Andrew\AppData\Local\SupportSoft
2012-04-07 18:15 - 2011-10-27 14:47 - 0000000 ____D C:\Users\All Users\SupportSoft
2012-04-07 18:15 - 2011-10-27 14:47 - 0000000 ____D C:\ProgramData\SupportSoft
2012-04-07 18:15 - 2011-10-27 14:47 - 0000000 ____D C:\Program Files (x86)\VERIZONDM
2012-04-07 18:15 - 2011-10-27 14:42 - 0000000 ____D C:\Users\Andrew\AppData\Roaming\TechWizard
2012-04-07 18:15 - 2011-08-24 16:12 - 0000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2012-04-07 18:15 - 2011-08-24 16:12 - 0000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2012-04-07 18:15 - 2011-06-07 01:28 - 0000000 ____D C:\Windows\System32\SPReview
2012-04-07 18:15 - 2011-06-07 01:28 - 0000000 ____D C:\Windows\System32\EventProviders
2012-04-07 18:15 - 2011-06-05 03:52 - 0000000 ____D C:\Users\Andrew\AppData\Local\Microsoft Games
2012-04-07 18:15 - 2011-05-28 18:55 - 0000000 ____D C:\Program Files\iTunes
2012-04-07 18:15 - 2011-05-28 18:55 - 0000000 ____D C:\Program Files\iPod
2012-04-07 18:15 - 2011-05-28 18:54 - 0000000 ____D C:\Users\All Users\Apple Computer
2012-04-07 18:15 - 2011-05-28 18:54 - 0000000 ____D C:\ProgramData\Apple Computer
2012-04-07 18:15 - 2011-05-28 18:54 - 0000000 ____D C:\Program Files\Common Files\Apple
2012-04-07 18:15 - 2011-05-28 18:54 - 0000000 ____D C:\Program Files (x86)\QuickTime
2012-04-07 18:15 - 2011-05-28 18:54 - 0000000 ____D C:\Program Files (x86)\Apple Software Update
2012-04-07 18:15 - 2011-05-28 18:53 - 0000000 ____D C:\Users\All Users\Apple
2012-04-07 18:15 - 2011-05-28 18:53 - 0000000 ____D C:\ProgramData\Apple
2012-04-07 18:15 - 2011-05-28 17:54 - 0000000 ____D C:\Program Files (x86)\Win7codecs
2012-04-07 18:15 - 2011-05-28 17:53 - 0000000 ____D C:\Users\All Users\Win7codecs
2012-04-07 18:15 - 2011-05-28 17:53 - 0000000 ____D C:\ProgramData\Win7codecs
2012-04-07 18:15 - 2011-05-22 14:52 - 0000000 ____D C:\Users\Andrew\AppData\Local\Citrix
2012-04-07 18:15 - 2011-05-16 03:17 - 0000000 ____D C:\Users\All Users\Synaptics
2012-04-07 18:15 - 2011-05-16 03:17 - 0000000 ____D C:\ProgramData\Synaptics
2012-04-07 18:15 - 2011-05-13 20:03 - 0000000 ____D C:\Users\Andrew\Documents\My Games
2012-04-07 18:15 - 2011-05-13 14:44 - 0000000 ____D C:\Users\Andrew\AppData\Roaming\SoftGrid Client
2012-04-07 18:15 - 2011-05-13 14:43 - 0000000 ____D C:\Program Files\Microsoft Office
2012-04-07 18:15 - 2011-05-13 14:43 - 0000000 ____D C:\Program Files (x86)\Microsoft Application Virtualization Client
2012-04-07 17:37 - 2012-02-04 07:17 - 0366998 ____A C:\Windows\ntbtlog.txt
2012-04-07 17:17 - 2012-04-07 17:17 - 0000000 ____D C:\Users\Andrew\AppData\Local\{43C81E79-AA6D-4A4D-BCE3-C6296B0D6F03}
2012-04-07 16:59 - 2012-04-07 16:59 - 0000000 ____D C:\Users\Andrew\AppData\Local\{93217E64-E306-405B-9A20-9DC146C9A608}
2012-04-07 14:27 - 2012-04-07 14:27 - 0441300 ___RA C:\Windows\System32\Drivers\etc\hosts
2012-04-07 14:25 - 2011-05-09 14:20 - 0000000 ____D C:\Program Files\Spybot - Search & Destroy
2012-04-07 05:43 - 2011-12-09 06:09 - 0000000 ____D C:\$AVG
2012-04-07 05:39 - 2012-04-07 05:33 - 0405204 ____A C:\Users\Andrew\Downloads\avgremover.log
2012-04-07 05:34 - 2011-03-21 20:54 - 0249278 ____A C:\Windows\PFRO.log
2012-04-07 05:33 - 2012-04-07 05:33 - 2899344 ____A (AVG Technologies CZ, s.r.o.) C:\Users\Andrew\Downloads\avg_remover_stf_x64_2012_2125.exe
2012-04-07 05:33 - 2012-04-07 05:33 - 0060373 ____A C:\Users\Andrew\Downloads\avgremover_msilog.txt
2012-04-07 05:28 - 2012-04-07 05:28 - 3867712 ____A (AVG Technologies) C:\Users\Andrew\Downloads\avg_isct_stb_all_2012_2126_free.exe
2012-04-07 04:40 - 2012-04-06 07:27 - 0418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-07 04:40 - 2011-05-13 04:20 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-04-07 04:38 - 2012-03-06 18:43 - 0000336 ____A C:\Windows\Tasks\HPCeeScheduleForAndrew.job
2012-04-07 04:15 - 2012-04-07 04:15 - 0000000 ____D C:\Users\Andrew\AppData\Local\{313A8B0F-6CB8-4C06-B632-2566F4338852}
2012-04-06 17:59 - 2012-04-06 17:59 - 0493512 ____A (Facebook Inc.) C:\Users\Andrew\Downloads\FacebookMessengerSetup.exe
2012-04-06 17:59 - 2012-04-06 17:59 - 0001338 ____A C:\Users\Andrew\Start Menu\Programs\Startup\Facebook Messenger.lnk
2012-04-06 17:59 - 2012-04-06 17:59 - 0001338 ____A C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Messenger.lnk
2012-04-06 15:37 - 2012-04-06 15:37 - 0000000 ____D C:\Users\Andrew\AppData\Local\{5A2065A4-A00D-4DB5-A036-3430FE5EC323}
2012-04-06 07:25 - 2012-04-06 07:25 - 0424072 ____A (Yahoo! Inc.) C:\Users\Andrew\Downloads\msgr11us(1).exe
2012-04-06 03:37 - 2012-04-06 03:37 - 0000000 ____D C:\Users\Andrew\AppData\Local\{7B4B45E3-BDF8-424C-9941-0C99A41224A9}
2012-04-05 07:52 - 2012-04-05 07:51 - 0000000 ____D C:\Users\Andrew\AppData\Local\{4FA547B8-A527-4166-9577-1C62D8889ED1}
2012-04-04 13:17 - 2012-04-02 23:09 - 0000000 ____D C:\Users\Andrew\AppData\Local\{AA754899-D507-4FFD-83FE-D7FCD28EC319}
2012-04-03 22:54 - 2011-11-15 16:48 - 0000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2012-04-03 22:54 - 2011-05-09 14:10 - 0000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-03-31 11:19 - 2012-03-31 11:19 - 0013573 ____A C:\Users\Andrew\Downloads\687d4e74.gif
2012-03-31 07:09 - 2012-03-31 07:09 - 0000000 ____D C:\Users\Andrew\AppData\Local\{73B4B055-E68E-4A40-993F-A22C108B72C3}
2012-03-27 14:27 - 2012-03-27 14:27 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-03-27 14:27 - 2012-03-27 14:27 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-03-27 14:27 - 2012-03-27 14:27 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-03-27 14:27 - 2011-01-29 20:21 - 0472808 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-03-25 06:27 - 2011-12-28 07:38 - 0000000 ____D C:\Users\Andrew\Documents\Settlers7
2012-03-22 07:20 - 2011-06-08 03:07 - 0000000 ____D C:\Users\Andrew\Documents\BSR Videos
2012-03-22 07:03 - 2012-03-22 07:03 - 0000000 ____D C:\Users\Andrew\Documents\Youcam
2012-03-22 07:03 - 2012-03-22 07:03 - 0000000 ____D C:\Users\Andrew\AppData\Roaming\CyberLink
2012-03-22 06:39 - 2012-03-22 06:39 - 0000000 ____D C:\Users\Andrew\AppData\Local\{45F7C4B5-C817-4F28-B48E-73EAAD328686}
2012-03-22 06:39 - 2012-03-22 06:38 - 0000000 ____D C:\Users\Andrew\AppData\Local\{4087996F-54A3-4F35-9934-6BE3B7C46F22}
2012-03-22 06:39 - 2011-08-08 22:28 - 0000000 ____D C:\Users\Andrew\AppData\Local\Windows Live
2012-03-21 18:01 - 2012-03-21 18:01 - 0000000 ____D C:\Users\Andrew\AppData\Local\{85468810-D3FD-4E40-95EE-F82875DF76AA}
2012-03-21 18:01 - 2012-03-21 18:00 - 0000000 ____D C:\Users\Andrew\AppData\Local\{20D7B21A-7AF3-4ACA-88F6-8F5E19B84C35}
2012-03-21 06:00 - 2012-03-21 06:00 - 0000000 ____D C:\Users\Andrew\AppData\Local\{EB127CE6-F379-4A8F-9E41-3633D5D1F759}
2012-03-21 06:00 - 2012-03-19 14:52 - 0000000 ____D C:\Users\Andrew\AppData\Local\{D9D0CBDC-4E63-46DE-803E-29685433F643}
2012-03-20 16:37 - 2012-03-20 16:37 - 0000000 ____D C:\Users\Andrew\AppData\Local\{8B329B0F-467B-441B-BB53-C7E220917669}
2012-03-20 04:37 - 2012-03-20 04:37 - 0000000 ____D C:\Users\Andrew\AppData\Local\{9305FA85-6B1F-469B-B1AE-7400FAF537F3}
2012-03-19 14:52 - 2012-03-19 14:52 - 0000000 ____D C:\Users\Andrew\AppData\Local\{59047FEC-A62A-41AC-A42F-2CEFDB8E5E81}
2012-03-19 14:48 - 2009-07-13 20:45 - 0276072 ____A C:\Windows\System32\FNTCACHE.DAT
2012-03-19 04:32 - 2011-05-15 14:37 - 56297240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-03-18 05:04 - 2012-03-18 05:04 - 0000000 ____D C:\Users\Andrew\AppData\Local\{E5F56977-232A-4841-BA5C-E564BE97DD47}
2012-03-18 05:04 - 2012-03-18 05:03 - 0000000 ____D C:\Users\Andrew\AppData\Local\{542A9853-4B4D-4E36-8526-F30DDC82A872}
2012-03-17 13:41 - 2012-03-17 13:41 - 0000000 ____D C:\Users\Andrew\AppData\Local\{32093011-B7FA-433F-81C0-0F032FCCC6B3}
2012-03-17 13:41 - 2012-03-17 13:40 - 0000000 ____D C:\Users\Andrew\AppData\Local\{F44D89A9-006A-4325-840B-0C1A3CD6D97B}
2012-03-16 03:15 - 2012-03-16 03:14 - 0000000 ____D C:\Users\Andrew\AppData\Local\{FA4B4CF3-96BF-431A-A0BA-85F0707220C0}
2012-03-16 03:14 - 2012-03-16 03:14 - 0000000 ____D C:\Users\Andrew\AppData\Local\{C3FDCAA9-4715-476E-8C7D-E74FABA04214}
2012-03-15 13:59 - 2012-03-15 13:59 - 0000000 ____D C:\Users\Andrew\AppData\Local\{FFC6965E-93CF-46E1-B56E-53C5F4148010}
2012-03-15 13:59 - 2012-03-15 13:58 - 0000000 ____D C:\Users\Andrew\AppData\Local\{F149DC84-E0D1-4518-A097-5C65136F3213}
2012-03-14 18:46 - 2012-03-14 18:46 - 0000000 ____D C:\Users\Andrew\AppData\Local\{0028F642-57CB-4EDD-A522-48E31B3A64D5}
2012-03-14 18:46 - 2012-03-14 18:45 - 0000000 ____D C:\Users\Andrew\AppData\Local\{88AC3B10-D644-428C-9AFA-85FEBA96ACE9}
2012-03-14 04:04 - 2012-03-14 04:04 - 0000000 ____D C:\Users\Andrew\AppData\Local\{3E1E1696-C4FC-431B-80C9-95413856D155}
2012-03-14 04:04 - 2012-03-14 04:03 - 0000000 ____D C:\Users\Andrew\AppData\Local\{0DCEEE92-E971-46D4-8F11-DB3F6937055B}
2012-03-13 15:26 - 2012-03-13 15:26 - 0000000 ____D C:\Users\Andrew\AppData\Local\{A24A7E3B-025D-42F0-8AFD-C1DAAD177E97}
2012-03-13 15:26 - 2012-03-13 15:26 - 0000000 ____D C:\Users\Andrew\AppData\Local\{0F38C099-79A9-416C-A526-739EEB22ED52}
2012-03-13 03:26 - 2012-03-13 03:26 - 0000000 ____D C:\Users\Andrew\AppData\Local\{C0F284EC-1370-4B5C-8D97-FA51E1A81305}
2012-03-13 03:26 - 2012-03-13 03:25 - 0000000 ____D C:\Users\Andrew\AppData\Local\{847F6E86-04F3-43C4-8941-3B8975CD60FE}
2012-03-12 16:41 - 2011-05-09 14:04 - 0000344 ____A C:\Windows\Tasks\HPCeeScheduleForANDREW-HP$.job
2012-02-25 04:29 - 2012-02-25 04:28 - 0000000 ____D C:\Users\Andrew\AppData\Local\{DFD8BDE1-0745-4DAA-B3C6-86177EFCF74F}
2012-02-25 04:28 - 2012-02-25 04:28 - 0000000 ____D C:\Users\Andrew\AppData\Local\{39B0439A-D02E-4155-8245-50CFF7FF1940}
2012-02-24 15:55 - 2012-02-24 15:54 - 0000000 ____D C:\Users\Andrew\AppData\Local\{6096B248-7953-4EC9-A971-F3B8006E1FC2}
2012-02-24 15:54 - 2012-02-24 15:54 - 0000000 ____D C:\Users\Andrew\AppData\Local\{EA631540-888E-40F3-8D9A-1997D5FDAB3A}
2012-02-24 03:54 - 2012-02-24 03:54 - 0000000 ____D C:\Users\Andrew\AppData\Local\{DA6812B5-7876-4984-975C-965C99E58ABC}
2012-02-24 03:54 - 2012-02-24 03:54 - 0000000 ____D C:\Users\Andrew\AppData\Local\{D993CF02-029B-46B7-BFA3-7F47EC9D294A}
2012-02-23 15:53 - 2012-02-23 15:53 - 0000000 ____D C:\Users\Andrew\AppData\Local\{D453F626-F42D-46AC-BD25-F22A520E4FAE}
2012-02-23 15:53 - 2012-02-23 15:53 - 0000000 ____D C:\Users\Andrew\AppData\Local\{34744917-5A2B-49E8-8E0E-85B8844FACA8}
2012-02-21 03:48 - 2012-02-21 03:48 - 0000000 ____D C:\Users\Andrew\AppData\Local\{B8AF7956-D82A-4F74-9A76-ACA1CE3D2767}
2012-02-21 03:48 - 2012-02-21 03:48 - 0000000 ____D C:\Users\Andrew\AppData\Local\{63EEDFA2-5FC1-44B1-9E72-F2767C7CDFF9}
2012-02-20 15:46 - 2012-02-20 15:46 - 0000000 ____D C:\Users\Andrew\AppData\Local\{6C3018C5-6504-4564-B84B-875009A72F30}
2012-02-20 15:46 - 2012-02-20 15:46 - 0000000 ____D C:\Users\Andrew\AppData\Local\{45A57F12-2610-44A8-9218-1EBC07F60689}
2012-02-20 15:45 - 2011-05-09 00:26 - 0000174 ___SH C:\Users\Andrew\Start Menu\Programs\Startup\desktop.ini
2012-02-20 15:45 - 2011-05-09 00:26 - 0000174 ___SH C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-02-17 05:03 - 2011-01-29 20:13 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-02-17 05:01 - 2011-05-28 15:53 - 0000000 ____D C:\Users\Andrew\AppData\Roaming\BitTorrent
2012-02-17 04:13 - 2012-02-17 04:13 - 0000000 ____D C:\Users\Andrew\AppData\Local\{F2718887-F3B2-4167-AE11-67370AB91401}
2012-02-17 04:13 - 2012-02-17 04:13 - 0000000 ____D C:\Users\Andrew\AppData\Local\{2A422649-903B-4E0B-A870-EB595385E28F}
2012-02-17 03:58 - 2011-05-13 14:44 - 0735726 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-02-16 22:38 - 2012-03-14 04:15 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-02-16 21:34 - 2012-03-14 04:15 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-02-16 20:58 - 2012-03-14 04:15 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-02-16 20:57 - 2012-03-14 04:15 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-02-16 16:24 - 2012-02-16 16:24 - 0424072 ____A (Yahoo! Inc.) C:\Users\Andrew\Downloads\msgr11us.exe
2012-02-16 16:13 - 2012-02-16 16:13 - 0000000 ____D C:\Users\Andrew\AppData\Local\{ADC0EA0C-6091-4F61-BEA3-A9721BE683FE}
2012-02-16 16:13 - 2012-02-16 16:12 - 0000000 ____D C:\Users\Andrew\AppData\Local\{6C1623AD-0C69-47BF-94DB-ECCEEA11AF4A}
2012-02-16 04:12 - 2012-02-16 04:12 - 0000000 ____D C:\Users\Andrew\AppData\Local\{FA764091-D79D-48C4-8E89-34C2E0CA83F7}
2012-02-16 04:12 - 2012-02-16 04:12 - 0000000 ____D C:\Users\Andrew\AppData\Local\{169764E8-3981-44B3-814A-DB1A8C0CAD2F}
2012-02-15 15:52 - 2012-02-15 15:52 - 0000000 ____D C:\Users\Andrew\AppData\Local\{D629ECBD-B55C-4255-8C20-D2FE4C189A35}
2012-02-15 15:52 - 2012-02-15 15:52 - 0000000 ____D C:\Users\Andrew\AppData\Local\{1F978129-1848-4857-A8D8-477089425D22}
2012-02-15 03:52 - 2012-02-15 03:52 - 0000000 ____D C:\Users\Andrew\AppData\Local\{7A808D91-5FE9-4A55-8536-2B0408512178}
2012-02-15 03:52 - 2012-02-15 03:51 - 0000000 ____D C:\Users\Andrew\AppData\Local\{CB85364E-77EE-47C7-B8C3-BD0D10812D2C}
2012-02-14 03:47 - 2012-02-14 03:47 - 0000000 ____D C:\Users\Andrew\AppData\Local\{E9462719-EBDE-4F94-B9BB-B59C87FEE918}
2012-02-14 03:47 - 2012-02-12 17:30 - 0000000 ____D C:\Users\Andrew\AppData\Local\{47B37DF7-7C01-4583-9C91-A05787AE564D}
2012-02-13 15:45 - 2012-02-13 15:45 - 0000000 ____D C:\Users\Andrew\AppData\Local\{FDF45C8A-D8DD-4BD5-83E2-422A902747CC}
2012-02-12 17:31 - 2012-02-12 17:31 - 0000000 ____D C:\Users\Andrew\AppData\Local\{C60D6320-C200-4CE1-9F16-AED9FA003617}
2012-02-12 05:30 - 2012-02-12 05:30 - 0000000 ____D C:\Users\Andrew\AppData\Local\{FA45DC03-CBD9-41B5-87D4-A87330AA8218}
2012-02-12 05:30 - 2012-02-12 05:30 - 0000000 ____D C:\Users\Andrew\AppData\Local\{9130B25C-75B5-40A0-BCD6-5036EB3520A1}
2012-02-11 08:17 - 2012-02-11 08:17 - 0000000 ____D C:\Users\Andrew\AppData\Local\{040BEC2D-57E7-4407-A5DD-6911EC90B34E}
2012-02-11 08:17 - 2012-02-11 08:16 - 0000000 ____D C:\Users\Andrew\AppData\Local\{A30FBF89-3EB7-4B57-BC86-C7C8B7B304BE}
2012-02-10 20:16 - 2012-02-10 20:16 - 0000000 ____D C:\Users\Andrew\AppData\Local\{D6B03E20-2BC4-431C-A67E-A0532AC9B520}
2012-02-10 20:16 - 2012-02-10 20:16 - 0000000 ____D C:\Users\Andrew\AppData\Local\{2ABA9033-458D-4483-B5E3-38987D108749}
2012-02-09 22:36 - 2012-03-14 13:34 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-02-09 21:38 - 2012-03-14 13:34 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-02-09 17:44 - 2012-02-09 17:44 - 0000000 ____D C:\Users\Andrew\AppData\Local\{F490698C-9A4B-4226-B1AE-B980D725FB2C}
2012-02-09 17:44 - 2012-02-09 17:44 - 0000000 ____D C:\Users\Andrew\AppData\Local\{C41BABA9-F527-4166-AAF9-4E683F29C449}
2012-02-09 04:45 - 2012-02-09 04:45 - 0000000 ____D C:\Users\Andrew\AppData\Local\{C60842EC-9E60-4B51-A25B-7A48212DAE4B}
2012-02-09 04:45 - 2012-02-09 04:45 - 0000000 ____D C:\Users\Andrew\AppData\Local\{891733EF-444B-47EC-9764-7A853E47BA00}
2012-02-08 16:06 - 2011-01-29 20:18 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-02-08 16:06 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Help
2012-02-08 16:03 - 2012-02-08 16:03 - 0002179 ____A C:\Users\Public\Desktop\HP Support Assistant.lnk
2012-02-08 16:02 - 2012-02-08 16:02 - 0000000 ____D C:\Users\All Users\{A8DA1505-E615-42BB-BB77-74D5CC91FE7E}
2012-02-08 16:02 - 2012-02-08 16:02 - 0000000 ____D C:\ProgramData\{A8DA1505-E615-42BB-BB77-74D5CC91FE7E}
2012-02-08 16:00 - 2009-09-06 16:40 - 0000000 ____D C:\SwSetup
2012-02-08 15:32 - 2012-02-08 15:32 - 0000000 ____D C:\Users\Andrew\AppData\Local\{1D1655E4-31C3-4ABB-91E0-26143CEEBE96}
2012-02-08 15:32 - 2012-02-08 15:31 - 0000000 ____D C:\Users\Andrew\AppData\Local\{CD38CCB6-059F-403F-8A54-0A2CC8EC1A4C}
2012-02-08 03:31 - 2012-02-08 03:31 - 0000000 ____D C:\Users\Andrew\AppData\Local\{B55E0F4C-373E-432A-9FDD-AD32CEA63E07}
2012-02-08 03:31 - 2012-02-08 03:31 - 0000000 ____D C:\Users\Andrew\AppData\Local\{4D370CC6-A81D-41DA-A3FF-6BA417713429}
2012-02-07 15:30 - 2012-02-07 15:30 - 0000000 ____D C:\Users\Andrew\AppData\Local\{AE0BC0CF-D773-4B18-9101-B47820ADB67A}
2012-02-07 15:30 - 2012-02-07 15:30 - 0000000 ____D C:\Users\Andrew\AppData\Local\{94F4832A-90F4-4516-B330-822CD820ABDA}
2012-02-06 18:49 - 2012-02-06 18:49 - 0000000 ____D C:\Users\Andrew\AppData\Local\{977EFA06-6C5B-40D5-8271-7B5CB1CDB54D}
2012-02-06 18:49 - 2012-02-06 18:49 - 0000000 ____D C:\Users\Andrew\AppData\Local\{26878916-1FFD-459B-BD08-15A28AB095AA}
2012-02-06 03:46 - 2012-02-06 03:46 - 0000000 ____D C:\Users\Andrew\AppData\Local\{A272E9E8-E808-4367-9A05-421956C25DDB}
2012-02-06 03:46 - 2012-02-06 03:46 - 0000000 ____D C:\Users\Andrew\AppData\Local\{3760D106-29BD-410E-96F0-805AC8A03AEF}
2012-02-05 08:58 - 2012-02-05 08:58 - 4472121 ____A (CamStudio Open Source Dev Team ) C:\Users\Andrew\Downloads\CamStudio_Setup_v2.6b_r294_(build_24Oct2010).exe
2012-02-05 08:56 - 2011-06-08 03:07 - 0000000 ____D C:\Users\Andrew\Documents\BSR Photos
2012-02-05 07:59 - 2012-02-05 07:59 - 0000000 ____D C:\Users\Andrew\AppData\Local\{D9817D73-7A09-4FE4-9AC9-293E7540BCCF}
2012-02-05 07:59 - 2012-02-04 07:19 - 0000000 ____D C:\Users\Andrew\AppData\Local\{C856427E-2866-4C9A-8361-D13067AE25F9}
2012-02-04 20:38 - 2012-02-04 20:38 - 3114332 ____A C:\Users\Andrew\Downloads\the-shining_o_GIFSoup.com.gif
2012-02-04 19:20 - 2012-02-04 19:19 - 0000000 ____D C:\Users\Andrew\AppData\Local\{921597CB-E46B-43ED-8D81-E1095876B881}
2012-02-04 07:19 - 2012-02-04 07:19 - 0000000 ____D C:\Users\Andrew\AppData\Local\{6DDAACA3-8783-42CD-B1F2-2062E3F0DBC4}
2012-02-02 20:34 - 2012-03-14 13:34 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-02-02 15:44 - 2012-02-02 15:44 - 0000000 ____D C:\Users\Andrew\AppData\Local\{3A9B51C0-25A3-48B6-800A-D5FA9A7CC52C}
2012-02-02 15:44 - 2012-02-02 15:43 - 0000000 ____D C:\Users\Andrew\AppData\Local\{BB6F84AD-3FDE-4534-8B56-E600F0DB4FC2}
2012-02-02 03:43 - 2012-02-02 03:43 - 0000000 ____D C:\Users\Andrew\AppData\Local\{A7D632CF-13B8-4A48-B798-70B07E5551E4}
2012-02-02 03:43 - 2012-02-02 03:43 - 0000000 ____D C:\Users\Andrew\AppData\Local\{115B98B6-482A-4C29-9083-EAA1533E0333}
2012-02-01 15:10 - 2012-02-01 15:09 - 0000000 ____D C:\Users\Andrew\AppData\Local\{D577D61C-76F6-42E2-80D5-74012B3D8960}
2012-02-01 15:09 - 2012-02-01 15:09 - 0000000 ____D C:\Users\Andrew\AppData\Local\{465BD365-9123-4E2A-9DDB-D0617DB4629C}
2012-01-31 17:01 - 2012-01-31 17:01 - 0006360 ____A C:\Users\Andrew\Desktop\drivingrecordAA.pdf
2012-01-31 16:55 - 2012-01-31 16:55 - 0000000 ____D C:\Users\Andrew\AppData\Local\{796A2EC1-52CF-4334-B28F-85AF012B8295}
2012-01-31 16:55 - 2012-01-31 16:54 - 0000000 ____D C:\Users\Andrew\AppData\Local\{DC1EECAE-2F48-472C-80E1-5B0474B5D978}
2012-01-28 06:30 - 2012-01-28 06:30 - 0000000 ____D C:\Users\Andrew\AppData\Local\{2B5B3DFC-59C9-4256-A95A-C3C966D8649C}
2012-01-28 06:30 - 2012-01-23 03:46 - 0000000 ____D C:\Users\Andrew\AppData\Local\{BD07273D-FFEE-4F4A-9658-DAC7DEC37E0B}
2012-01-27 05:03 - 2012-01-27 05:03 - 0000000 ____D C:\Users\Andrew\AppData\Local\{7CF21852-7015-4F16-BBCF-53B5F98733FD}
2012-01-26 16:38 - 2012-01-26 16:38 - 0000000 ____D C:\Users\Andrew\AppData\Local\{DEA77487-1825-49C6-B3F1-9C45E53942EE}
2012-01-25 18:32 - 2012-01-25 18:32 - 0000000 ____D C:\Users\Andrew\AppData\Local\{0DB7AED8-8273-420B-B7A2-4CC6644F8C93}
2012-01-24 22:38 - 2012-03-14 04:15 - 0149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-01-24 22:38 - 2012-03-14 04:15 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-01-24 22:33 - 2012-03-14 04:15 - 0009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-01-24 04:18 - 2012-01-24 04:18 - 0000000 ____D C:\Users\Andrew\AppData\Local\{7E8C7050-E357-4BA9-8035-3D855A7071B1}
2012-01-23 16:17 - 2012-01-23 16:17 - 0000000 ____D C:\Users\Andrew\AppData\Local\{4A20730D-EB32-45FC-B64E-8E96F3EBC1F3}
2012-01-23 03:46 - 2012-01-23 03:46 - 0000000 ____D C:\Users\Andrew\AppData\Local\{D59F47A6-5179-486F-987E-DBDD5C59EE73}
2012-01-22 15:37 - 2012-01-22 15:23 - 0000000 ____D C:\Users\Marina\AppData\LocalLow
2012-01-22 15:29 - 2012-01-22 15:29 - 0000000 ____D C:\Users\Marina\AppData\Roaming\AVG2012
2012-01-22 15:29 - 2011-05-09 13:53 - 0000915 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-01-22 15:27 - 2012-01-22 15:27 - 15113064 ____A (Mozilla) C:\Users\Marina\Downloads\Firefox Setup 9.0.1.exe
2012-01-22 15:26 - 2012-01-22 15:26 - 0000000 ____D C:\Users\Marina\AppData\Roaming\Mozilla
2012-01-22 15:26 - 2012-01-22 15:26 - 0000000 ____D C:\Users\Marina\AppData\Local\Mozilla
2012-01-22 15:25 - 2012-01-22 15:25 - 0000000 ____D C:\Users\Marina\AppData\Roaming\PictureMover
2012-01-22 15:25 - 2012-01-22 15:25 - 0000000 ____D C:\Users\Marina\AppData\Roaming\ATI
2012-01-22 15:25 - 2012-01-22 15:25 - 0000000 ____D C:\Users\Marina\AppData\Roaming\Adobe
2012-01-22 15:25 - 2012-01-22 15:25 - 0000000 ____D C:\Users\Marina\AppData\Local\ATI
2012-01-22 15:24 - 2012-01-22 15:24 - 0057560 ____A C:\Users\Marina\AppData\Local\GDIPFONTCACHEV1.DAT
2012-01-22 15:24 - 2012-01-22 15:24 - 0000174 ___SH C:\Users\Marina\Start Menu\Programs\Startup\desktop.ini
2012-01-22 15:24 - 2012-01-22 15:24 - 0000174 ___SH C:\Users\Marina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-01-22 15:24 - 2012-01-22 15:24 - 0000000 ____D C:\Users\Marina\AppData\Roaming\Synaptics
2012-01-22 15:24 - 2012-01-22 15:24 - 0000000 ____D C:\Users\Marina\AppData\Roaming\Intel Corporation
2012-01-22 15:24 - 2012-01-22 15:24 - 0000000 ____D C:\Users\Marina\AppData\Roaming\hpqLog
2012-01-22 15:24 - 2012-01-22 15:24 - 0000000 ____D C:\Users\Marina\AppData\Roaming\Apple Computer
2012-01-22 15:24 - 2012-01-22 15:24 - 0000000 ____D C:\Users\Marina\AppData\Local\SupportSoft
2012-01-22 15:23 - 2012-01-22 15:23 - 0000020 ___SH C:\Users\Marina\ntuser.ini
2012-01-22 15:23 - 2012-01-22 15:23 - 0000000 __SHD C:\Users\Marina\Templates
2012-01-22 15:23 - 2012-01-22 15:23 - 0000000 __SHD C:\Users\Marina\Start Menu
2012-01-22 15:23 - 2012-01-22 15:23 - 0000000 __SHD C:\Users\Marina\PrintHood
2012-01-22 15:23 - 2012-01-22 15:23 - 0000000 __SHD C:\Users\Marina\NetHood
2012-01-22 15:23 - 2012-01-22 15:23 - 0000000 __SHD C:\Users\Marina\My Documents
2012-01-22 15:23 - 2012-01-22 15:23 - 0000000 __SHD C:\Users\Marina\Documents\My Videos
2012-01-22 15:23 - 2012-01-22 15:23 - 0000000 __SHD C:\Users\Marina\Documents\My Pictures
2012-01-22 15:23 - 2012-01-22 15:23 - 0000000 __SHD C:\Users\Marina\Documents\My Music
2012-01-22 15:23 - 2012-01-22 15:23 - 0000000 __SHD C:\Users\Marina\AppData\Local\Temporary Internet Files
2012-01-22 15:23 - 2012-01-22 15:23 - 0000000 __SHD C:\Users\Marina\AppData\Local\History
2012-01-22 15:23 - 2012-01-22 15:23 - 0000000 ____D C:\Users\Marina\AppData\Roaming\Intel
2012-01-22 15:23 - 2012-01-22 15:23 - 0000000 ____D C:\Users\Marina\AppData\Local\VirtualStore
2012-01-22 13:38 - 2012-01-22 13:38 - 0000000 ____D C:\Users\Andrew\AppData\Local\{E006170F-D11C-4F05-A704-48E2F7C7FAB5}
2012-01-22 13:38 - 2012-01-22 13:38 - 0000000 ____D C:\Users\Andrew\AppData\Local\{AF4F67AB-CC9F-4BCE-88BD-1EB060FF77CA}
2012-01-12 19:05 - 2012-01-12 19:04 - 0000000 ____D C:\Users\Andrew\AppData\Local\{31D16738-2E57-40C3-AB99-CC0E506A79D9}
2012-01-12 19:04 - 2012-01-12 19:04 - 0000000 ____D C:\Users\Andrew\AppData\Local\{DD149337-DBFB-4BA2-B933-C244DFAFC138}

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 4043.86 MB
Available physical RAM: 3347.68 MB
Total Pagefile: 4042.01 MB
Available Pagefile: 3332.06 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:581.34 GB) (Free:417.19 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:14.54 GB) (Free:1.82 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.08 GB) FAT32
5 Drive h: () (Removable) (Total:1.96 GB) (Free:1.96 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 2011 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 581 GB 200 MB
Partition 3 Primary 14 GB 581 GB
Partition 4 Primary 103 MB 596 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 581 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RECOVERY NTFS Partition 14 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F HP_TOOLS FAT32 Partition 103 MB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 2011 MB 0 B

======================================================================================================

Disk: 1
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

======================================================================================================

==========================================================

Last Boot: 2012-04-02 09:37

======================= End Of Log ==========================

#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 10 April 2012 - 06:33 PM

Hi

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
script removed

end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Edited by CatByte, 03 July 2012 - 09:32 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 andyat

  • Topic Starter
  • Members
  • 11 posts

Posted 11 April 2012 - 05:28 AM

Right, here is the FRST log

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 15-03-2012
Ran by SYSTEM at 2012-04-10 20:49:22 R:1
Running from H:\

==============================================

HKLM-x32\\\.\.\.\\Run\\HKLM-x32\...\Run: [] [x] Value not found.
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
rrspy service deleted successfully.
C:\Windows\System32\zebrsce.dll moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs rrspy Deleted successfully.

========= bootrec /FixMbr =========

The operation completed successfully.

========= End of CMD: =========


========= bootrec /fixboot =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog ====

and Combofix

ComboFix 12-04-10.02 - Andrew 10/04/2012 21:20:36.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.4044.2284 [GMT -4:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\svcs.exe
c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NetworkLog
.
.
((((((((((((((((((((((((( Files Created from 2012-03-11 to 2012-04-11 )))))))))))))))))))))))))))))))
.
.
2012-04-11 01:30 . 2012-04-11 01:30 -------- d-----w- c:\users\Marina\AppData\Local\temp
2012-04-11 01:30 . 2012-04-11 01:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-11 01:30 . 2012-04-11 01:30 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-04-10 15:09 . 2012-04-10 15:10 -------- d-----w- C:\FRST
2012-04-08 11:35 . 2012-04-08 11:35 -------- d-----we c:\windows\system64
2012-04-08 02:54 . 2012-04-08 15:33 -------- d-----w- c:\windows\SysWow64\drivers\AVG
2012-04-07 13:43 . 2012-04-08 02:15 -------- d-----w- c:\program files (x86)\AVG
2012-04-06 15:27 . 2012-04-07 12:40 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-06 15:27 . 2012-04-08 02:43 -------- d-----w- c:\programdata\Yahoo!
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
2012-03-29 02:10 . 2012-04-08 02:15 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-03-22 15:03 . 2012-03-22 15:03 -------- d-----w- c:\users\Andrew\AppData\Roaming\CyberLink
2012-03-22 15:03 . 2012-04-08 02:15 -------- d-----w- c:\users\Andrew\AppData\Local\CyberLink
2012-03-19 12:34 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-19 12:34 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-19 12:34 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-14 21:34 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 21:34 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 21:34 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-14 12:15 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-14 12:15 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-14 12:15 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 12:15 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-14 12:15 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-14 12:15 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-14 12:15 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-07 12:40 . 2011-05-13 12:20 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-27 22:27 . 2011-01-30 04:21 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-12-21 07:42 . 2011-05-09 21:53 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-11-22 2736128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-08-12 1242448]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"Facebook Update"="c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-04-07 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-12-31 336384]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-11-29 113288]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-26 421160]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"VERIZONDM"="c:\program files (x86)\VERIZONDM\bin\sprtcmd.exe" [2011-05-16 206120]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Facebook Messenger.lnk - c:\users\Andrew\AppData\Local\Facebook\Messenger\2.0.4478.0\FacebookMessenger.exe [2012-4-5 204288]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-29 1132320]
Snapfish PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2010-11-18 1040952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-07-21 103992]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 253600]
R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [x]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-07-28 340240]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-11-30 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-08-31 1166848]
S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-06-03 134928]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2010-12-07 249672]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-08-06 291896]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-09-01 227896]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-11-29 2413056]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [2011-05-16 206120]
S2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [2011-05-16 185640]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-11-23 2656280]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd64.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
S3 wdkmd;Intel WiDi KMD;c:\windows\system32\DRIVERS\WDKMD.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-11-22 21:18 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 12:40]
.
2012-04-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001Core.job
- c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-12-13 01:59]
.
2012-04-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001UA.job
- c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-12-13 01:59]
.
2012-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001Core.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-10 01:24]
.
2012-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001UA.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-10 01:24]
.
2012-03-13 c:\windows\Tasks\HPCeeScheduleForANDREW-HP$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15]
.
2012-04-11 c:\windows\Tasks\HPCeeScheduleForAndrew.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-25 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-25 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-25 418840]
"IntelPAN"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-07-28 1935120]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-11-30 1128448]
"combofix"="c:\combofix\CF28846.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
framework
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\n8lvxl0a.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-04-10 21:45:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-11 01:45
.
Pre-Run: 447,921,946,624 bytes free
Post-Run: 448,230,248,448 bytes free
.
- - End Of File - - 2056A9A4CE038368E31D4C06F52BF301

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:25 AM

Posted 11 April 2012 - 06:07 PM

Hi,

That's looking better.

Please run the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


NEXT

Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 andyat

andyat
  • Topic Starter

  • Members
  • 11 posts
  • Local time:09:25 AM

Posted 12 April 2012 - 06:51 AM

Right, got an all-clear from Malwarebytes.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.12.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Andrew :: ANDREW-HP [administrator]

Protection: Enabled

11/04/2012 9:49:23 PM
mbam-log-2012-04-11 (21-49-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231793
Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESET found 5 threats:

C:\Users\Andrew\AppData\Local\Mozilla\Firefox\Profiles\n8lvxl0a.default\Cache\8\4B\34F92d01 JS/Kryptik.MD trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\611d35ea-59aedb24 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\5d2a616d-11204a22 Java/Exploit.CVE-2011-3544.AV trojan
C:\Windows\assembly\temp\U\80000032.@ a variant of Win32/Sirefef.EU trojan
C:\Windows\system64\consrv.dll Win64/Sirefef.E trojan

Computer seems to be running normally again; it got pretty slow when I tried to clear consrv.dll the first time, and would redirect Google searches, which also seems to have stopped now.

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:25 AM

Posted 12 April 2012 - 04:12 PM

Hi, please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the code box below into Notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty Notepad file:

Copy all the text inside of the code box - press Ctrl+C (or right-click on the highlighted section and choose 'copy')

File::
C:\Users\Andrew\AppData\Local\Mozilla\Firefox\Profiles\n8lvxl0a.default\Cache\8\4B\34F92d01 
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\611d35ea-59aedb24 
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\5d2a616d-11204a22 
C:\Windows\assembly\temp\U\80000032.@
C:\Windows\system64\consrv.dll 

ClearJavaCache::

Now paste the copied text into the open Notepad window - press Ctrl+V (or right-click and choose 'paste').

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the "Save as type" to "All Files";
4. Type in the file name: CFScript
5. Click Save.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
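
As an added example (not code from this thread, from ESET or from ComboFix), the Python script below does by hand what the reply above asks the poster to do: it parses an ESET scan export like the one in reply #7, notes where each detection sits, and writes out the File:: / ClearJavaCache:: directives for CFScript.txt. The triage is worth having because of where consrv.dll was found: a stock 64-bit Windows 7 install has System32 and SysWOW64 but no C:\Windows\system64, so a file reported there deserves a second look before anything else. The five detection lines are constructed to mirror the thread's findings; the directory heuristics and function names are this example's own assumptions, not ESET's or ComboFix's logic.

```python
"""Triage an ESET online-scanner export and build a ComboFix CFScript.

Added example for this thread, not code from BleepingComputer, ESET or
ComboFix. The detection lines below are constructed to mirror the five
findings posted above; the directory heuristics are this example's own
assumptions about a stock Windows 7 layout.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List

# Constructed sample of an ESETSCAN.txt export: one "<path> <threat>" per line.
SAMPLE_ESET_EXPORT = r"""
C:\Users\Andrew\AppData\Local\Mozilla\Firefox\Profiles\n8lvxl0a.default\Cache\8\4B\34F92d01 JS/Kryptik.MD trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\611d35ea-59aedb24 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\5d2a616d-11204a22 Java/Exploit.CVE-2011-3544.AV trojan
C:\Windows\assembly\temp\U\80000032.@ a variant of Win32/Sirefef.EU trojan
C:\Windows\system64\consrv.dll Win64/Sirefef.E trojan
"""

# A Windows path (drive letter, backslashes, may contain spaces) followed by an
# ESET threat label: "multiple threats" or a "<family>/<name>" token with an
# optional "a variant of" prefix and a trailing type such as "trojan".
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<threat>(?:(?:probably )?a variant of )?(?:multiple threats|\S+/\S+.*))$"
)


@dataclass
class Finding:
    path: str
    threat: str
    category: str


def classify_path(path: str) -> str:
    """Heuristic triage of where a detection sits (assumptions, not ESET's logic)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if len(parts) > 2 and parts[1] == "windows":
        sub = parts[2]
        # Stock Windows has system32 and SysWOW64; "system64" is a lookalike name.
        if re.fullmatch(r"sys(?:tem)?\d+", sub) and sub != "system32":
            return "lookalike system directory"
        if sub == "assembly" and len(parts) > 3 and parts[3] == "temp":
            return "unexpected location under Windows\\assembly"
        return "windows directory"
    if "cache" in parts:
        return "browser or Java cache (drive-by artifact)"
    return "other"


def parse_eset_export(text: str) -> List[Finding]:
    """Turn the exported text into Finding records; reject lines it cannot read."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        path, threat = m.group("path"), m.group("threat").strip()
        findings.append(Finding(path, threat, classify_path(path)))
    return findings


def build_cfscript(findings: List[Finding], clear_java_cache: bool = True) -> str:
    """Emit the File:: and ClearJavaCache:: directives ComboFix reads from CFScript.txt."""
    lines = ["File::", *[f.path for f in findings], ""]
    if clear_java_cache:
        lines.append("ClearJavaCache::")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_eset_export(SAMPLE_ESET_EXPORT)
    for f in found:
        print(f"{f.category:45} {f.threat:40} {f.path}")
    print(build_cfscript(found))
```

Run it and the consrv.dll line is reported as sitting in a lookalike system directory, the assembly\temp\U entry as an unexpected location under Windows, and the three cache entries as drive-by artifacts that ClearJavaCache:: and a Firefox cache purge take care of; the printed CFScript matches the one CatByte posted.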


#9 andyat

andyat
  • Topic Starter

  • Members
  • 11 posts
  • Local time:09:25 AM

Posted 12 April 2012 - 08:49 PM

Right, here's the log from ComboFix:

ComboFix 12-04-10.02 - Andrew 12/04/2012 21:36:24.3.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.4044.1411 [GMT -4:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\users\Andrew\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Andrew\AppData\Local\Mozilla\Firefox\Profiles\n8lvxl0a.default\Cache\8\4B\34F92d01"
"c:\users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\611d35ea-59aedb24"
"c:\users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\5d2a616d-11204a22"
"c:\windows\assembly\temp\U\80000032.@"
"c:\windows\system64\consrv.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Andrew\AppData\Local\Mozilla\Firefox\Profiles\n8lvxl0a.default\Cache\8\4B\34F92d01
c:\users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\611d35ea-59aedb24
c:\users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\5d2a616d-11204a22
c:\windows\assembly\temp\U\80000032.@
.
.
((((((((((((((((((((((((( Files Created from 2012-03-13 to 2012-04-13 )))))))))))))))))))))))))))))))
.
.
2012-04-13 01:41 . 2012-04-13 01:41 -------- d-----w- c:\users\Marina\AppData\Local\temp
2012-04-13 01:41 . 2012-04-13 01:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-13 01:41 . 2012-04-13 01:41 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-04-12 01:57 . 2012-04-12 01:57 -------- d-----w- c:\program files (x86)\ESET
2012-04-12 01:47 . 2012-04-12 01:47 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes
2012-04-12 01:47 . 2012-04-12 01:47 -------- d-----w- c:\programdata\Malwarebytes
2012-04-12 01:47 . 2012-04-12 01:47 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-12 01:47 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-10 15:09 . 2012-04-10 15:10 -------- d-----w- C:\FRST
2012-04-08 11:35 . 2012-04-08 11:35 -------- d-----we c:\windows\system64
2012-04-08 02:54 . 2012-04-08 15:33 -------- d-----w- c:\windows\SysWow64\drivers\AVG
2012-04-07 13:43 . 2012-04-08 02:15 -------- d-----w- c:\program files (x86)\AVG
2012-04-06 15:27 . 2012-04-07 12:40 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-06 15:27 . 2012-04-08 02:43 -------- d-----w- c:\programdata\Yahoo!
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
2012-03-29 02:10 . 2012-04-08 02:15 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-03-22 15:03 . 2012-03-22 15:03 -------- d-----w- c:\users\Andrew\AppData\Roaming\CyberLink
2012-03-22 15:03 . 2012-04-08 02:15 -------- d-----w- c:\users\Andrew\AppData\Local\CyberLink
2012-03-19 12:34 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-19 12:34 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-19 12:34 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-14 21:34 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 21:34 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 21:34 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-14 12:15 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-14 12:15 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-14 12:15 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 12:15 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-14 12:15 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-14 12:15 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-14 12:15 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-07 12:40 . 2011-05-13 12:20 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-27 22:27 . 2011-01-30 04:21 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-12-21 07:42 . 2011-05-09 21:53 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-11_01.33.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-11 01:55 . 2012-04-11 01:55 13330 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-04-11 01:31 . 2012-04-11 01:31 13330 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2011-01-30 04:07 . 2012-04-11 10:25 45876 c:\windows\system64\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-04-11 10:25 33908 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-05-09 08:22 . 2012-04-11 10:25 10938 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3743259936-2353452010-2355427409-1001_UserData.bin
+ 2012-04-12 01:47 . 2012-04-04 19:56 24904 c:\windows\system64\drivers\mbam.sys
+ 2011-05-09 16:15 . 2012-04-12 01:56 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-09 16:15 . 2012-04-11 00:23 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-09 16:15 . 2012-04-11 00:23 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-09 16:15 . 2012-04-12 01:56 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-12 01:56 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-11 00:23 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-30 04:07 . 2012-04-11 10:25 45876 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-04-11 10:25 33908 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-05-09 08:22 . 2012-04-11 10:25 10938 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3743259936-2353452010-2355427409-1001_UserData.bin
- 2011-05-09 16:15 . 2012-04-11 00:23 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-09 16:15 . 2012-04-12 01:56 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-09 16:15 . 2012-04-11 00:23 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-09 16:15 . 2012-04-12 01:56 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-11 00:23 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-12 01:56 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-09 10:12 . 2012-04-11 00:51 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-09 10:12 . 2012-04-11 01:58 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-09 10:12 . 2012-04-11 01:58 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-05-09 10:12 . 2012-04-11 00:51 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-09 10:12 . 2012-04-11 01:58 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-09 10:12 . 2012-04-11 00:51 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-08 23:20 . 2012-04-13 01:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-08 23:20 . 2012-04-11 01:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-08 23:20 . 2012-04-13 01:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-08 23:20 . 2012-04-11 01:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-10 09:07 . 2012-04-11 01:55 5186 c:\windows\system64\wdi\ERCQueuedResolutions.dat
+ 2011-05-10 09:07 . 2012-04-11 01:55 5186 c:\windows\system32\wdi\ERCQueuedResolutions.dat
- 2012-04-11 01:32 . 2012-04-11 01:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-11 01:56 . 2012-04-11 01:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-11 01:56 . 2012-04-11 01:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-04-11 01:32 . 2012-04-11 01:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-05-23 22:27 . 2012-04-11 01:32 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-05-23 22:27 . 2012-04-11 01:56 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 04:54 . 2012-04-11 01:56 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-04-11 01:32 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-09 10:12 . 2012-04-12 21:58 306556 c:\windows\system64\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2012-04-11 10:27 629326 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2012-04-11 00:58 629326 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2012-04-11 00:58 111220 c:\windows\system64\perfc009.dat
+ 2009-07-14 02:36 . 2012-04-11 10:27 111220 c:\windows\system64\perfc009.dat
- 2009-07-14 05:12 . 2012-04-11 00:23 262144 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:12 . 2012-04-12 01:56 262144 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-05-09 10:12 . 2012-04-12 21:58 306556 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2012-04-11 10:27 629326 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-04-11 00:58 629326 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-11 10:27 111220 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-04-11 00:58 111220 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:12 . 2012-04-12 01:56 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 05:12 . 2012-04-11 00:23 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:01 . 2012-04-11 01:55 229568 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-04-11 01:31 229568 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:54 . 2012-04-11 01:56 3555328 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-11 01:32 3555328 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-11 01:32 2605056 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-11 01:56 2605056 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-11-22 2736128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-08-12 1242448]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"Facebook Update"="c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-04-07 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-12-31 336384]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-11-29 113288]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-26 421160]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"VERIZONDM"="c:\program files (x86)\VERIZONDM\bin\sprtcmd.exe" [2011-05-16 206120]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Facebook Messenger.lnk - c:\users\Andrew\AppData\Local\Facebook\Messenger\2.0.4478.0\FacebookMessenger.exe [2012-4-5 204288]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-29 1132320]
Snapfish PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2010-11-18 1040952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 253600]
R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [x]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-07-28 340240]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-11-30 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-08-31 1166848]
S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-06-03 134928]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2010-12-07 249672]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-07-21 103992]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-08-06 291896]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-09-01 227896]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-11-29 2413056]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [2011-05-16 206120]
S2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [2011-05-16 185640]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-11-23 2656280]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
S3 wdkmd;Intel WiDi KMD;c:\windows\system32\DRIVERS\WDKMD.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMPROTECTOR
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-11-22 21:18 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 12:40]
.
2012-04-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001Core.job
- c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-12-13 01:59]
.
2012-04-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001UA.job
- c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-12-13 01:59]
.
2012-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001Core.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-10 01:24]
.
2012-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001UA.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-10 01:24]
.
2012-04-12 c:\windows\Tasks\HPCeeScheduleForANDREW-HP$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15]
.
2012-04-11 c:\windows\Tasks\HPCeeScheduleForAndrew.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-25 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-25 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-25 418840]
"IntelPAN"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-07-28 1935120]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-11-30 1128448]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
framework
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\n8lvxl0a.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-04-12 21:43:27
ComboFix-quarantined-files.txt 2012-04-13 01:43
ComboFix2.txt 2012-04-11 01:45
.
Pre-Run: 446,961,577,984 bytes free
Post-Run: 446,899,396,608 bytes free
.
- - End Of File - - 5F72549F741336427AE6838A3432871F

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 12 April 2012 - 09:00 PM

How is the computer running now?

Are there any outstanding issues?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 andyat

andyat
  • Topic Starter

  • Members
  • 11 posts

Posted 13 April 2012 - 07:55 PM

Seems to be running fine, but I still have consrv.dll in my System32 folder; should that be gone?

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 13 April 2012 - 08:02 PM

OK, odd that it didn't show in the latest logs.

Please download a fresh copy of ComboFix from the link below (delete the copy you have from your desktop).

Now run it and post the fresh log.

(Please disable your security programs before running it.)

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 andyat

andyat
  • Topic Starter

  • Members
  • 11 posts

Posted 13 April 2012 - 09:02 PM

Here is the latest log from ComboFix.

ComboFix 12-04-13.01 - Andrew 13/04/2012 21:48:10.4.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.4044.1533 [GMT -4:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))
.
.
2012-04-14 01:54 . 2012-04-14 01:54 -------- d-----w- c:\users\Marina\AppData\Local\temp
2012-04-14 01:54 . 2012-04-14 01:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-14 01:54 . 2012-04-14 01:54 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-04-14 01:06 . 2012-04-14 01:06 54272 ----a-w- c:\windows\SysWow64\consrv.dll
2012-04-14 00:23 . 2012-04-14 00:23 -------- d-----w- c:\users\Andrew\AppData\Roaming\AVG
2012-04-13 23:40 . 2012-04-14 00:18 -------- d-----w- c:\windows\system32\drivers\AVG
2012-04-13 23:40 . 2012-04-13 23:40 -------- d-----w- C:\$AVG
2012-04-12 01:57 . 2012-04-12 01:57 -------- d-----w- c:\program files (x86)\ESET
2012-04-12 01:47 . 2012-04-12 01:47 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes
2012-04-12 01:47 . 2012-04-12 01:47 -------- d-----w- c:\programdata\Malwarebytes
2012-04-12 01:47 . 2012-04-12 01:47 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-12 01:47 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-10 15:09 . 2012-04-10 15:10 -------- d-----w- C:\FRST
2012-04-08 11:35 . 2012-04-08 11:35 -------- d-----we c:\windows\system64
2012-04-08 02:54 . 2012-04-13 23:41 -------- d-----w- c:\windows\SysWow64\drivers\AVG
2012-04-07 13:43 . 2012-04-14 00:22 -------- d-----w- c:\program files (x86)\AVG
2012-04-06 15:27 . 2012-04-07 12:40 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-06 15:27 . 2012-04-08 02:43 -------- d-----w- c:\programdata\Yahoo!
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
2012-03-29 02:10 . 2012-04-08 02:15 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-03-22 15:03 . 2012-03-22 15:03 -------- d-----w- c:\users\Andrew\AppData\Roaming\CyberLink
2012-03-22 15:03 . 2012-04-08 02:15 -------- d-----w- c:\users\Andrew\AppData\Local\CyberLink
2012-03-19 12:34 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-19 12:34 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-19 12:34 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-07 12:40 . 2011-05-13 12:20 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-27 22:27 . 2011-01-30 04:21 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-22 09:25 . 2012-02-22 09:25 382032 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2012-02-22 09:25 . 2012-02-22 09:25 289872 ----a-w- c:\windows\system32\drivers\avgldx64.sys
2012-02-17 06:38 . 2012-03-14 12:15 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 12:15 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 12:15 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 12:15 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-10 06:36 . 2012-03-14 21:34 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 21:34 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-03 04:34 . 2012-03-14 21:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 08:46 . 2012-01-31 08:46 36944 ----a-w- c:\windows\system32\drivers\avgrkx64.sys
2012-01-25 06:38 . 2012-03-14 12:15 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-01-25 06:38 . 2012-03-14 12:15 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-01-25 06:33 . 2012-03-14 12:15 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2011-12-21 07:42 . 2011-05-09 21:53 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-04-13_01.41.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-13 11:05 . 2012-04-13 11:05 13330 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-04-11 01:55 . 2012-04-11 01:55 13330 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2009-07-14 05:10 . 2012-04-13 11:07 33932 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-05-09 08:22 . 2012-04-13 11:07 11148 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3743259936-2353452010-2355427409-1001_UserData.bin
+ 2012-01-31 08:46 . 2012-01-31 08:46 36944 c:\windows\system64\drivers\avgrkx64.sys
+ 2011-12-23 17:32 . 2011-12-23 17:32 47696 c:\windows\system64\drivers\avgmfx64.sys
+ 2011-12-23 17:32 . 2011-12-23 17:32 29776 c:\windows\system64\drivers\avgidsfiltera.sys
+ 2011-12-23 17:32 . 2011-12-23 17:32 26704 c:\windows\system64\drivers\avgidseha.sys
- 2011-05-09 16:15 . 2012-04-12 01:56 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-09 16:15 . 2012-04-13 23:41 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-09 16:15 . 2012-04-13 23:41 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-05-09 16:15 . 2012-04-12 01:56 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-13 23:41 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-12 01:56 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 05:10 . 2012-04-13 11:07 33932 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-05-09 08:22 . 2012-04-13 11:07 11148 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3743259936-2353452010-2355427409-1001_UserData.bin
+ 2011-12-23 17:32 . 2011-12-23 17:32 47696 c:\windows\system32\drivers\avgmfx64.sys
+ 2011-12-23 17:32 . 2011-12-23 17:32 29776 c:\windows\system32\drivers\avgidsfiltera.sys
+ 2011-12-23 17:32 . 2011-12-23 17:32 26704 c:\windows\system32\drivers\avgidseha.sys
+ 2011-05-09 16:15 . 2012-04-13 23:41 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-09 16:15 . 2012-04-12 01:56 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-09 16:15 . 2012-04-12 01:56 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-09 16:15 . 2012-04-13 23:41 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-12 01:56 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-13 23:41 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-09 10:12 . 2012-04-13 11:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-09 10:12 . 2012-04-11 01:58 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-09 10:12 . 2012-04-11 01:58 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-09 10:12 . 2012-04-13 11:06 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-09 10:12 . 2012-04-13 11:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-09 10:12 . 2012-04-11 01:58 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-08 23:20 . 2012-04-14 01:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-08 23:20 . 2012-04-13 01:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-08 23:20 . 2012-04-13 01:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-08 23:20 . 2012-04-14 01:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-10 09:07 . 2012-04-13 11:05 5186 c:\windows\system64\wdi\ERCQueuedResolutions.dat
- 2011-05-10 09:07 . 2012-04-11 01:55 5186 c:\windows\system64\wdi\ERCQueuedResolutions.dat
+ 2011-05-10 09:07 . 2012-04-13 11:05 5186 c:\windows\system32\wdi\ERCQueuedResolutions.dat
- 2011-05-10 09:07 . 2012-04-11 01:55 5186 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2012-04-13 11:05 . 2012-04-13 11:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-11 01:56 . 2012-04-11 01:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-11 01:56 . 2012-04-11 01:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-04-13 11:05 . 2012-04-13 11:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-05-23 22:27 . 2012-04-11 01:56 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-05-23 22:27 . 2012-04-13 11:05 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 04:54 . 2012-04-11 01:56 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-04-14 00:17 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-09 10:12 . 2012-04-13 23:31 306612 c:\windows\system64\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2012-04-11 10:27 629326 c:\windows\system64\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-13 11:13 629326 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2012-04-11 10:27 111220 c:\windows\system64\perfc009.dat
+ 2009-07-14 02:36 . 2012-04-13 11:13 111220 c:\windows\system64\perfc009.dat
+ 2012-02-22 09:25 . 2012-02-22 09:25 382032 c:\windows\system64\drivers\avgtdia.sys
+ 2012-02-22 09:25 . 2012-02-22 09:25 289872 c:\windows\system64\drivers\avgldx64.sys
+ 2011-12-23 17:31 . 2011-12-23 17:31 124496 c:\windows\system64\drivers\avgidsdrivera.sys
+ 2011-05-09 10:12 . 2012-04-13 23:31 306612 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2012-04-11 10:27 629326 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-13 11:13 629326 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-13 11:13 111220 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-04-11 10:27 111220 c:\windows\system32\perfc009.dat
+ 2011-12-23 17:31 . 2011-12-23 17:31 124496 c:\windows\system32\drivers\avgidsdrivera.sys
+ 2009-07-14 05:01 . 2012-04-13 11:05 229568 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-04-11 01:55 229568 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:54 . 2012-04-11 01:56 3555328 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-14 00:17 3555328 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-14 00:17 2605056 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-11 01:56 2605056 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-03-22 05:08 . 2012-04-11 01:31 1544984 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-03-22 05:08 . 2012-04-13 11:05 1544984 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2012-04-13 23:32 . 2012-04-13 23:32 8399360 c:\windows\Installer\2b270d5.msi
+ 2011-05-10 09:07 . 2012-04-13 11:05 42416308 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3743259936-2353452010-2355427409-1001-8192.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-11-22 2736128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-08-12 1242448]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"Facebook Update"="c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-04-07 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-12-31 336384]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-11-29 113288]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-26 421160]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"VERIZONDM"="c:\program files (x86)\VERIZONDM\bin\sprtcmd.exe" [2011-05-16 206120]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-02-16 2575712]
.
c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Facebook Messenger.lnk - c:\users\Andrew\AppData\Local\Facebook\Messenger\2.0.4478.0\FacebookMessenger.exe [2012-4-5 204288]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-29 1132320]
Snapfish PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2010-11-18 1040952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\avgidseha.sys [x]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-02-14 5104992]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 253600]
R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [x]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-07-28 340240]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-11-30 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-08-31 1166848]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-06-03 134928]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2010-12-07 249672]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-07-21 103992]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-08-06 291896]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-09-01 227896]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-11-29 2413056]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [2011-05-16 206120]
S2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [2011-05-16 185640]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-11-23 2656280]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
S3 wdkmd;Intel WiDi KMD;c:\windows\system32\DRIVERS\WDKMD.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGLDX64
*NewlyCreated* - AVGMFX64
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-11-22 21:18 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 12:40]
.
2012-04-13 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001Core.job
- c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-12-13 01:59]
.
2012-04-13 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001UA.job
- c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-12-13 01:59]
.
2012-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001Core.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-10 01:24]
.
2012-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3743259936-2353452010-2355427409-1001UA.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-10 01:24]
.
2012-04-12 c:\windows\Tasks\HPCeeScheduleForANDREW-HP$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15]
.
2012-04-11 c:\windows\Tasks\HPCeeScheduleForAndrew.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 06:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-25 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-25 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-25 418840]
"IntelPAN"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-07-28 1935120]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-11-30 1128448]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
framework
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\n8lvxl0a.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-04-13 21:55:59
ComboFix-quarantined-files.txt 2012-04-14 01:55
ComboFix2.txt 2012-04-13 01:43
ComboFix3.txt 2012-04-11 01:45
.
Pre-Run: 446,305,423,360 bytes free
Post-Run: 446,239,121,408 bytes free
.
- - End Of File - - E5E95327B650404E5FD20D5F884814D2

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:25 AM

Posted 13 April 2012 - 09:12 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic449350.html/page__pid__2664323#entry2664323

Collect::
c:\windows\SysWow64\consrv.dll
c:\windows\System32\consrv.dll

DirLook::
c:\windows\system64

NetSvc::
framework

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
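The CFScript above tells ComboFix to collect the two consrv.dll copies, list c:\windows\system64 and drop the "framework" entry from the netsvcs group. The script below is an added example, not part of this thread and not CatByte's procedure or ComboFix's own code: a read-only PowerShell triage that checks the same indicators on the affected machine without changing anything, so you can see what you are dealing with before a removal tool touches it. It assumes an elevated PowerShell 2.0 or later prompt (the stock version on Windows 7). The csrss ServerDll check is an assumption on my part about how a rogue console DLL is normally wired in; the log above does not show that registry value.

```powershell
# Added example, not from the thread: read-only triage of the indicators the
# CFScript targets (consrv.dll in System32/SysWOW64, c:\windows\system64, and
# the "framework" entry in the netsvcs group). Nothing is modified.
# Assumes an elevated PowerShell 2.0+ prompt on the affected Windows 7 machine.

function Get-Sha256Hex([string]$Path) {
    # Hash through .NET so this also runs on Windows 7's stock PowerShell 2.0,
    # which has no Get-FileHash cmdlet.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Close() }
}

function Get-FileSummary([string]$Path) {
    # Size, timestamp, Authenticode status and SHA-256: enough to submit the
    # sample or compare it against a known-clean copy.
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path : not present" }
    $item = Get-Item -LiteralPath $Path -Force
    $sig  = (Get-AuthenticodeSignature -FilePath $Path).Status
    "{0}`n  size={1} mtime={2:u} signature={3}`n  sha256={4}" -f $Path, $item.Length, $item.LastWriteTimeUtc, $sig, (Get-Sha256Hex $Path)
}

"== consrv.dll (Windows 7 ships no file by this name) =="
Get-FileSummary "$env:SystemRoot\System32\consrv.dll"
Get-FileSummary "$env:SystemRoot\SysWOW64\consrv.dll"

"`n== csrss ServerDll list (Session Manager\SubSystems\Windows) =="
# Assumption, not shown in the log: a bogus console server is normally loaded
# by naming it here. A clean Windows 7 lists only basesrv and winsrv. If
# consrv appears, deleting the DLL before this value is repaired leaves csrss
# unable to start, which matches the failed restart in the first post.
$subsys = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$serverDlls = [regex]::Matches($subsys.Windows, 'ServerDll=([^,\s]+)') |
    ForEach-Object { $_.Groups[1].Value }
$serverDlls
if ($serverDlls -match '^consrv') {
    Write-Warning 'csrss references consrv; repair this value before removing the file.'
}

"`n== $env:SystemRoot\system64 (does not exist on a clean system) =="
if (Test-Path -LiteralPath "$env:SystemRoot\system64") {
    Get-ChildItem -LiteralPath "$env:SystemRoot\system64" -Force -Recurse |
        ForEach-Object { Get-FileSummary $_.FullName }
} else { "not present" }

"`n== netsvcs group entries and the DLL each one loads =="
# ComboFix printed "framework" because it is not a default member of the
# group. Listing every member's ServiceDll and signature makes the odd one
# stand out: a missing Services key, an unsigned DLL, or one outside System32.
$svchost = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
foreach ($name in $svchost.netsvcs) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) { "$name : no Services key"; continue }
    $dll = (Get-ItemProperty "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { $dll = (Get-ItemProperty $key -ErrorAction SilentlyContinue).ServiceDll }
    if (-not $dll) { "$name : no ServiceDll"; continue }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    "$name -> $dll"
    if (Test-Path -LiteralPath $dll) {
        "  signature=" + (Get-AuthenticodeSignature -FilePath $dll).Status
    } else { "  (file missing)" }
}
```

Run it before and after the CFScript pass: the first run records hashes of the samples ComboFix is about to collect, and the second should show both consrv.dll paths absent, no system64 directory, "framework" gone from netsvcs and only basesrv and winsrv in the csrss ServerDll list. If consrv is still named in that list after a cleanup, do not delete the file by hand; that is the combination that produced the unbootable system in the first post.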


#15 andyat

andyat
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:25 AM

Posted 13 April 2012 - 09:47 PM

Right, that seems to have got it at last! The latest log from ComboFix is too large to paste or attach (it's a little over 2 MB). Should I try to compress it, or cut it up to post it?

I had to reboot to get Firefox working, and everything seems to be back to normal.



