
Infected with Trojan.Zeroaccess.B, and Google re-directs


  • This topic is locked
30 replies to this topic

#1 Michaeli

  • Members
  • 23 posts
  • OFFLINE
  • Local time: 04:49 AM

Posted 17 April 2012 - 03:50 PM

Also, when I click on links in Google, they appear to go to random or wrong websites.

The GMER scan returned a message saying "GMER hasn't found any system modifications." The forum would not accept the empty ark.txt file (as there was nothing in it, I suspect). When I tried to attach it, I received a message saying "Error no file was selected for upload".

I am hoping this is not posting twice; it does not appear my first one took. It timed out, and I checked my posts, which showed 0.

Thank you in advance, you guys are fantastic, and I recognize this is done through the goodness of your hearts. Thank you.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Michael at 12:42:36 on 2012-04-17
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8187.4563 [GMT -7:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\crypserv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\XSrvSetup.exe
C:\Program Files (x86)\Livedrive\VSSService.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files (x86)\Realtek\Smart Dual Lan\SDLService.exe
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\Tablet.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Livedrive\Livedrive.exe
C:\Windows\system32\WTablet\TabUserW.exe
C:\Users\Michael\AppData\Local\dplaysvr.exe
C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe
C:\Windows\system32\Tablet.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files (x86)\CyberLink\InstantBurn\Win2K\IBurn.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files (x86)\CyberLink\Shared files\brs.exe
C:\Program Files (x86)\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\notepad.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_233_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.24-7pressrelease.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: SearchHook Class: {bc86e1ab-eda5-4059-938f-ce307b0c6f0a} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
mWinlogon: Userinit=userinit.exe
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - C:\PROGRA~2\FlashFXP\IEFlash.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coIEPlg.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Livedrive] "C:\Program Files (x86)\Livedrive\Livedrive.exe"
uRun: [dplaysvr] C:\Users\Michael\AppData\Local\dplaysvr.exe
mRun: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun: [InstantBurn] C:\PROGRA~2\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
mRun: [MDS_Menu] "C:\Program Files (x86)\CyberLink\MediaShow4\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\MediaShow4" UpdateWithCreateOnce "Software\CyberLink\MediaShow\4.1"
mRun: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdatePDRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\8.0"
mRun: [RemoteControl8] "C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe"
mRun: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun: [UpdatePPShortCut] "C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0"
mRun: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\APCUPS~1.LNK - C:\Program Files (x86)\APC\APC PowerChute Personal Edition\Display.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SCREEN~1.LNK - C:\Program Files (x86)\ChangeRequest.com\ChangeRequest Screenshot Tool\UNWISE.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WDDMST~1.LNK - C:\Program Files (x86)\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://costco.pnimedia.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://photoexpert.lifepics.com/NET/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 64.59.144.92 64.59.144.93 64.59.150.135
TCP: Interfaces\{34A976DF-2448-4823-8395-F157099793D0} : DhcpNameServer = 64.59.144.92 64.59.144.93 64.59.150.135
BHO-X64: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: FlashFXP Helper for Internet Explorer: {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~2\FlashFXP\IEFlash.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coIEPlg.dll
TB-X64: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB-X64: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun-x64: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
mRun-x64: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun-x64: [InstantBurn] C:\PROGRA~2\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
mRun-x64: [MDS_Menu] "C:\Program Files (x86)\CyberLink\MediaShow4\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\MediaShow4" UpdateWithCreateOnce "Software\CyberLink\MediaShow\4.1"
mRun-x64: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"
mRun-x64: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun-x64: [UpdatePDRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\8.0"
mRun-x64: [RemoteControl8] "C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"
mRun-x64: [PDVD8LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe"
mRun-x64: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun-x64: [UpdatePPShortCut] "C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0"
mRun-x64: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun-x64: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\eh1scdqo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.24-7pressrelease.com/
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn_2010_9_0_6\components\coFFPlgn.dll
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Photosynth\npPhotosynthMozilla.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_233.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1109000.00C\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1109000.00C\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1109000.00C\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1109000.00C\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20120402.001\BHDrvx64.sys [2012-4-2 1160824]
R1 CbFs;CbFs;\??\C:\Windows\system32\drivers\cbfs.sys --> C:\Windows\system32\drivers\cbfs.sys [?]
R1 ccHP;Symantec Hash Provider;C:\Windows\system32\drivers\NISx64\1109000.00C\ccHPx64.sys --> C:\Windows\system32\drivers\NISx64\1109000.00C\ccHPx64.sys [?]
R1 CLBStor;InstantBurn Storage Helper Driver;C:\Windows\system32\DRIVERS\CLBStor.sys --> C:\Windows\system32\DRIVERS\CLBStor.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20120416.001\IDSviA64.sys [2012-4-16 488568]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1109000.00C\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1109000.00C\Ironx64.SYS [?]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\Windows\system32\Drivers\NISx64\1109000.00C\SYMTDIV.SYS --> C:\Windows\system32\Drivers\NISx64\1109000.00C\SYMTDIV.SYS [?]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2010/05/04 19:53:12];C:\Program Files (x86)\CyberLink\PowerDVD8\000.fcl [2009-8-28 146928]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 BCUService;Browser Configuration Utility Service;C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2010-5-1 219360]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;C:\Windows\system32\drivers\CLBUDF.sys --> C:\Windows\system32\drivers\CLBUDF.sys [?]
R2 JMB36X;JMB36X;C:\Windows\SysWOW64\XSrvSetup.exe [2010-5-1 65536]
R2 LivedriveVSSService;Livedrive VSS Service;C:\Program Files (x86)\Livedrive\VSSService.exe [2012-2-7 210616]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccsvchst.exe [2011-10-11 126400]
R2 SDLService;SDLService;C:\Program Files (x86)\Realtek\Smart Dual Lan\SDLService.exe [2010-5-1 88064]
R2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-2-10 2886528]
R2 WDDMService;WDDMService;C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-11-8 288256]
R2 WDFME;WD File Management Engine;C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [2010-11-8 1060352]
R2 WDSC;WD File Management Shadow Engine;C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [2010-11-8 485376]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 appliandMP;appliandMP;C:\Windows\system32\DRIVERS\appliand.sys --> C:\Windows\system32\DRIVERS\appliand.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-2-3 138360]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 rtkio;rtkio;C:\Program Files (x86)\Realtek\Smart Dual Lan\rtkio.sys [2010-5-1 17392]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-2 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-16 253088]
S3 appliand;Applian Network Service;C:\Windows\system32\DRIVERS\appliand.sys --> C:\Windows\system32\DRIVERS\appliand.sys [?]
S3 EyeOneDisplay;EyeOneDisplay;C:\Windows\system32\Drivers\i1display_x64.sys --> C:\Windows\system32\Drivers\i1display_x64.sys [?]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-5-5 1038088]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-2 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 RemoteControl-USBLAN;RemoteControl-USBLAN;C:\Windows\system32\DRIVERS\rcblan.sys --> C:\Windows\system32\DRIVERS\rcblan.sys [?]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;C:\Windows\system32\DRIVERS\silabenm.sys --> C:\Windows\system32\DRIVERS\silabenm.sys [?]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;C:\Windows\system32\DRIVERS\silabser.sys --> C:\Windows\system32\DRIVERS\silabser.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
.
=============== Created Last 30 ================
.
2012-04-17 05:24:20 27256 ----a-w- C:\Windows\System32\drivers\FixZeroAccess.sys
2012-04-16 16:52:03 8741536 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-04-16 16:16:40 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-04-16 16:13:38 16896 --sh--w- C:\Users\Michael\AppData\Local\dplayx.dll
2012-04-16 16:13:38 102952 --sh--w- C:\Users\Michael\AppData\Local\dplaysvr.exe
2012-04-12 04:42:57 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-04-12 04:42:56 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-04-12 04:42:56 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-04-12 04:40:55 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-12 04:40:55 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-12 04:40:55 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-12 04:40:54 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-12 04:40:54 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-04-12 04:40:54 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-12 04:40:54 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-02 18:57:48 -------- d-----w- C:\Mike
2012-03-31 00:32:01 -------- d-----w- C:\Users\Michael\AppData\Local\Sonos,_Inc
2012-03-30 22:45:32 -------- d-----w- C:\ProgramData\Sonos,_Inc
2012-03-30 22:44:42 -------- d-----w- C:\Windows\Downloaded Installations
2012-03-23 13:25:05 592824 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-23 13:25:05 44472 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
.
==================== Find3M ====================
.
2012-04-16 16:52:19 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-17 06:38:26 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-02-17 05:34:22 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-02-10 06:36:07 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-10 05:38:43 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-02-08 00:48:58 609464 ----a-w- C:\Windows\System32\LivedriveControlPanel.cpl
2012-02-07 18:02:40 1070352 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2012-02-03 04:34:34 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-01-25 06:38:39 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-01-25 06:38:38 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-01-25 06:33:30 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
.
============= FINISH: 12:43:01.58 ===============


#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender: Male
  • Location: Numpty HQ
  • Local time: 12:49 PM

Posted 17 April 2012 - 04:57 PM

Good evening. :)

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • When prompted "Would you like to download latest Avast! virus definitions?" click Yes - you may need to allow access through your firewall.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully" click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.

#3 Michaeli

  • Topic Starter
  • Members
  • 23 posts
  • OFFLINE
  • Local time: 04:49 AM

Posted 17 April 2012 - 07:13 PM

Wow! That was amazingly quick. Please find attached the file requested.

- Again, a HUGE thank you!

- Ummm... I just tried to attach the MBR.dat file and received a message saying "Error you aren't permitted to upload this kind of file", so I zipped it and added that instead. I hope this is ok.

Michael.

Attached Files

  • Attached File: MBR.zip (590 bytes, 1 download)


#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender: Male
  • Location: Numpty HQ
  • Local time: 12:49 PM

Posted 18 April 2012 - 02:21 PM

Good evening. :)

You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.


I didn't want you to attach a copy of MBR.dat but to post the contents of aswMBR.txt - would you please copy and paste them into your next reply.

So long, and thanks for all the fish.

#5 Michaeli

  • Topic Starter
  • Members
  • 23 posts
  • OFFLINE
  • Local time: 04:49 AM

Posted 18 April 2012 - 02:58 PM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-17 16:19:47
-----------------------------
16:19:47.652 OS Version: Windows x64 6.1.7601 Service Pack 1
16:19:47.652 Number of processors: 8 586 0x1E05
16:19:47.652 ComputerName: MICHAEL-PC UserName: Michael
16:19:49.613 Initialize success
16:21:04.308 AVAST engine defs: 12041701
16:21:14.408 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-6
16:21:14.413 Disk 0 Vendor: WDC_WD1001FALS-00J7B0 05.00K05 Size: 953869MB BusType: 3
16:21:14.418 Disk 1 \Device\Harddisk1\DR1 -> \Device\0000007a
16:21:14.422 Disk 1 Vendor: Adaptec_ V1.0 Size: 7618550MB BusType: 8
16:21:14.436 Disk 0 MBR read successfully
16:21:14.441 Disk 0 MBR scan
16:21:14.447 Disk 0 Windows 7 default MBR code
16:21:14.451 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 220000 MB offset 2048
16:21:14.470 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 733866 MB offset 450562048
16:21:14.513 Disk 0 scanning C:\Windows\system32\drivers
16:21:22.874 Service scanning
16:21:44.666 Modules scanning
16:21:44.684 Disk 0 trace - called modules:
16:21:44.701 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
16:21:44.711 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007788790]
16:21:44.717 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> [0xfffffa8007539670]
16:21:44.724 5 ACPI.sys[fffff88000fa37a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP5T0L0-6[0xfffffa8007577060]
16:21:50.200 AVAST engine scan C:\Windows
16:21:51.955 AVAST engine scan C:\Windows\system32
16:21:54.285 Disk 0 MBR has been saved successfully to "D:\virus\MBR.dat"
16:21:54.290 The log file has been saved successfully to "D:\virus\aswMBR.txt"
16:22:00.188 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
16:24:12.940 AVAST engine scan C:\Windows\system32\drivers
16:24:22.581 AVAST engine scan C:\Users\Michael
16:24:38.738 File: C:\Users\Michael\AppData\Local\dplaysvr.exe **INFECTED** Win32:Kryptik-IKZ [Trj]
16:24:38.793 File: C:\Users\Michael\AppData\Local\dplayx.dll **INFECTED** Win32:Cleaman-D [Trj]
16:27:12.138 File: C:\Users\Michael\AppData\Local\Temp\aeqzoxgyhaabsdjfigkhvdlc.exe **INFECTED** Win32:Malware-gen
16:27:29.690 File: C:\Users\Michael\AppData\Local\Temp\rkkwchyprbxumentkmtfiy.exe **INFECTED** Win32:Sirefef-TS [Trj]
16:27:29.815 File: C:\Users\Michael\AppData\Local\Temp\skxanvcprsrnfskyes.exe **INFECTED** Win32:FakeSysdef-LE [Trj]
16:54:52.102 AVAST engine scan C:\ProgramData
17:08:06.390 Scan finished successfully
17:08:29.207 Disk 0 MBR has been saved successfully to "D:\virus\MBR.dat"
17:08:29.224 The log file has been saved successfully to "D:\virus\aswMBR.txt"
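The aswMBR log above is what the helper actually wanted instead of MBR.dat, because it carries two separate facts: whether the boot sector code is the standard Windows loader, and which files the engine flagged and with what tag (here the MBR is reported as the Windows 7 default code, while consrv.dll in system32 is tagged [Rtk]). The following is an added example, not part of the thread or of aswMBR itself: a small Python parser that pulls those facts out of an aswMBR.txt log so they can be triaged or compared across runs. The line format is inferred from the log quoted above; SAMPLE_LOG is a constructed excerpt in that format, and the regular expressions, the `Finding`/`Report` types and the helper names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the format aswMBR writes to aswMBR.txt. The paths and
# detection names mirror lines quoted in the thread, but this is not the full log.
SAMPLE_LOG = """\
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-17 16:19:47
-----------------------------
16:19:47.652 OS Version: Windows x64 6.1.7601 Service Pack 1
16:21:14.408 Disk 0 (boot) \\Device\\Harddisk0\\DR0 -> \\Device\\Ide\\IdeDeviceP5T0L0-6
16:21:14.436 Disk 0 MBR read successfully
16:21:14.441 Disk 0 MBR scan
16:21:14.447 Disk 0 Windows 7 default MBR code
16:21:14.451 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 220000 MB offset 2048
16:22:00.188 File: C:\\Windows\\system32\\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
16:24:38.738 File: C:\\Users\\Michael\\AppData\\Local\\dplaysvr.exe **INFECTED** Win32:Kryptik-IKZ [Trj]
16:27:12.138 File: C:\\Users\\Michael\\AppData\\Local\\Temp\\aeqzoxgyhaabsdjfigkhvdlc.exe **INFECTED** Win32:Malware-gen
16:27:29.690 File: C:\\Users\\Michael\\AppData\\Local\\Temp\\rkkwchyprbxumentkmtfiy.exe **INFECTED** Win32:Sirefef-TS [Trj]
17:08:06.390 Scan finished successfully
"""

# Every scanner line starts with a HH:MM:SS.mmm timestamp; banner lines do not.
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) (?P<msg>.*)$")
# "File: <path> **INFECTED** <name> [<tag>]" - the path may contain spaces, the tag is optional.
INFECTED_RE = re.compile(
    r"^File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>\S+)(?: \[(?P<cat>[A-Za-z]+)\])?$"
)
# "Disk <n> ... MBR code" is aswMBR's verdict on the boot sector code of that disk.
MBR_CODE_RE = re.compile(r"^Disk (?P<disk>\d+) (?P<desc>.*MBR code)$")


@dataclass
class Finding:
    time: str
    path: str
    name: str       # scanner detection name, e.g. Win32:Sirefef-HO
    category: str   # bracketed tag such as Rtk or Trj; "" when the line has none


@dataclass
class Report:
    findings: list = field(default_factory=list)
    mbr_code: dict = field(default_factory=dict)   # disk number -> MBR code description
    finished: bool = False                         # True only if the scan ran to completion


def parse_aswmbr(text):
    """Extract MBR verdicts, flagged files and completion status from an aswMBR.txt log."""
    report = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # banner, separator and run-date lines carry no timestamp
        ts, msg = m.group("ts"), m.group("msg")
        inf = INFECTED_RE.match(msg)
        if inf:
            report.findings.append(
                Finding(ts, inf.group("path"), inf.group("name"), inf.group("cat") or "")
            )
            continue
        mbr = MBR_CODE_RE.match(msg)
        if mbr:
            report.mbr_code[int(mbr.group("disk"))] = mbr.group("desc")
            continue
        if msg == "Scan finished successfully":
            report.finished = True
    return report


def family(name):
    """'Win32:Sirefef-HO' -> 'Sirefef': drop the platform prefix and the variant suffix."""
    return name.split(":", 1)[-1].split("-", 1)[0]


def family_counts(report):
    """How many hits each malware family produced; useful when one infection drops several files."""
    return Counter(family(f.name) for f in report.findings)


def rootkit_components(report):
    """Findings aswMBR tagged [Rtk]; these are the ones that bear on the rootkit question."""
    return [f for f in report.findings if f.category == "Rtk"]


if __name__ == "__main__":
    rep = parse_aswmbr(SAMPLE_LOG)
    print("scan finished:", rep.finished)
    for disk, desc in rep.mbr_code.items():
        print(f"disk {disk}: {desc}")
    for f in rep.findings:
        print(f"{f.category or '-':>3} {f.name:<24} {f.path}")
    print("by family:", dict(family_counts(rep)))
```

Run it against a saved aswMBR.txt by reading the file and passing its text to `parse_aswmbr`. Keeping the MBR verdict separate from the file findings is the point: a log can show a clean boot sector and still list rootkit-tagged components in system32, which is exactly the situation in this thread.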

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 18 April 2012 - 03:01 PM

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.

* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

#7 Michaeli

Michaeli
  • Topic Starter
  • Members
  • 23 posts

Posted 18 April 2012 - 05:16 PM

Hi,

Here is the log after running ComboFix. Please note that I have had to save this to a USB stick and transfer to another computer, because ANYTHING (including Notepad, file manager, anything) I try to run comes up with a message saying "Illegal operation attempted on a registry key that has been marked for deletion.", then it says "The item you selected is unavailable. It might have been moved, renamed, or removed. Do you want to remove it from the list?"

ComboFix 12-04-18.02 - Michael 04/18/2012 13:56:59.1.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8187.5183 [GMT -7:00]
Running from: d:\virus\CmboFx.exe
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Michael\AppData\Local\assembly\tmp
c:\users\Michael\AppData\Local\dplayx.dll
c:\users\Michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\viewChanges.html
c:\users\Michael\AppData\Local\Temp\{bf5eaec9-e547-40d0-8b19-42b2a40891b9}\Livedrive.Native.dll
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
D:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-18 to 2012-04-18 )))))))))))))))))))))))))))))))
.
.
2012-04-18 21:50 . 2012-04-18 21:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-17 05:24 . 2012-04-17 05:24 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-04-16 16:52 . 2012-04-16 16:52 8741536 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-16 16:16 . 2012-04-16 16:52 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-12 04:42 . 2012-03-06 06:53 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-12 04:42 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-04-12 04:42 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-04-12 04:40 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-12 04:40 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-12 04:40 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-12 04:40 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-12 04:40 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-12 04:40 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-12 04:40 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-02 18:57 . 2012-04-02 18:57 -------- d-----w- C:\Mike
2012-03-31 00:32 . 2012-03-31 00:32 -------- d-----w- c:\users\Michael\AppData\Local\Sonos,_Inc
2012-03-30 22:45 . 2012-04-11 16:27 -------- d-----w- c:\programdata\Sonos,_Inc
2012-03-30 22:44 . 2012-03-30 22:45 -------- d-----w- c:\windows\Downloaded Installations
2012-03-23 13:25 . 2012-03-23 13:25 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-23 13:25 . 2012-03-23 13:25 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-16 16:52 . 2011-08-01 16:22 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-17 06:38 . 2012-03-14 02:42 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 02:42 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 02:42 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 02:42 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-10 06:36 . 2012-03-14 02:43 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 02:43 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-08 00:48 . 2012-02-08 00:48 609464 ----a-w- c:\windows\system32\LivedriveControlPanel.cpl
2012-02-07 18:02 . 2012-02-07 18:02 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-03 04:34 . 2012-03-14 02:43 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-01-25 06:38 . 2012-03-14 02:42 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-01-25 06:38 . 2012-03-14 02:42 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-01-25 06:33 . 2012-03-14 02:42 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-01-23 21:19 . 2012-01-23 21:19 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-01-23 21:19 . 2012-01-23 21:19 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-01-23 21:19 . 2012-01-23 21:19 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-01-23 21:19 . 2012-01-23 21:19 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-01-23 21:19 . 2012-01-23 21:19 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-01-23 21:19 . 2012-01-23 21:19 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-01-23 21:19 . 2012-01-23 21:19 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-01-23 21:19 . 2012-01-23 21:19 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-01-23 21:19 . 2012-01-23 21:19 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-01-23 21:19 . 2012-01-23 21:19 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-01-23 21:19 . 2012-01-23 21:19 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-01-23 21:19 . 2012-01-23 21:19 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-01-23 21:19 . 2012-01-23 21:19 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-01-23 21:19 . 2012-01-23 21:19 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-01-23 21:19 . 2012-01-23 21:19 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-01-23 21:19 . 2012-01-23 21:19 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-01-23 21:19 . 2012-01-23 21:19 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-01-23 21:19 . 2012-01-23 21:19 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-01-23 21:19 . 2012-01-23 21:19 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-01-23 21:19 . 2012-01-23 21:19 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-01-23 21:19 . 2012-01-23 21:19 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-01-23 21:19 . 2012-01-23 21:19 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-01-23 21:19 . 2012-01-23 21:19 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-01-23 21:19 . 2012-01-23 21:19 448512 ----a-w- c:\windows\system32\html.iec
2012-01-23 21:19 . 2012-01-23 21:19 222208 ----a-w- c:\windows\system32\msls31.dll
2012-01-23 21:19 . 2012-01-23 21:19 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-01-23 21:19 . 2012-01-23 21:19 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-01-23 21:19 . 2012-01-23 21:19 12288 ----a-w- c:\windows\system32\mshta.exe
2012-01-23 21:19 . 2012-01-23 21:19 114176 ----a-w- c:\windows\system32\admparse.dll
2012-01-23 21:19 . 2012-01-23 21:19 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-01-23 21:19 . 2012-01-23 21:19 603648 ----a-w- c:\windows\system32\vbscript.dll
2012-01-23 21:19 . 2012-01-23 21:19 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-01-23 21:19 . 2012-01-23 21:19 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-01-23 21:19 . 2012-01-23 21:19 160256 ----a-w- c:\windows\system32\wextract.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-02 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Livedrive"="c:\program files (x86)\Livedrive\Livedrive.exe" [2012-02-08 1817600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-05 346320]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-10-21 106496]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
"InstantBurn"="c:\progra~2\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2009-07-09 681256]
"MDS_Menu"="c:\program files (x86)\CyberLink\MediaShow4\MUITransfer\MUIStartMenu.exe" [2009-02-25 218408]
"CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UpdatePDRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"RemoteControl8"="c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-07-17 91432]
"PDVD8LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2009-08-28 75048]
"UpdatePPShortCut"="c:\program files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe" [2009-09-17 210216]
"AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-05 102400]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"TkBellExe"="c:\program files (x86)\Common Files\Real\Update_OB\realsched.exe" [2010-07-16 202256]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-06 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-10 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files (x86)\APC\APC PowerChute Personal Edition\Display.exe [2010-7-26 267520]
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-10 967960]
Screencapture Tool.lnk - c:\program files (x86)\ChangeRequest.com\ChangeRequest Screenshot Tool\UNWISE.EXE [2010-6-14 164864]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-11-8 4236288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-02 136176]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [x]
R2 SDLService;SDLService;c:\program files (x86)\Realtek\Smart Dual Lan\SDLService.exe [2009-10-23 88064]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 253088]
R3 appliand;Applian Network Service;c:\windows\system32\DRIVERS\appliand.sys [x]
R3 EyeOneDisplay;EyeOneDisplay;c:\windows\system32\Drivers\i1display_x64.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-05-06 1038088]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-02 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\system32\DRIVERS\rcblan.sys [x]
R3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\DRIVERS\silabenm.sys [x]
R3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\DRIVERS\silabser.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1109000.00C\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1109000.00C\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20120402.001\BHDrvx64.sys [2012-04-02 1160824]
S1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [x]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NISx64\1109000.00C\ccHPx64.sys [x]
S1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\DRIVERS\CLBStor.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20120417.001\IDSvia64.sys [2012-03-07 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1109000.00C\Ironx64.SYS [x]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NISx64\1109000.00C\SYMTDIV.SYS [x]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2010/05/04 19:53];c:\program files (x86)\CyberLink\PowerDVD8\000.fcl [2009-08-29 01:36 146928]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 BCUService;Browser Configuration Utility Service;c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-08-05 219360]
S2 CLBUDF;CyberLink InstantBurn UDF Filesystem; [x]
S2 JMB36X;JMB36X;c:\windows\SysWOW64\XSrvSetup.exe [2009-08-06 65536]
S2 LivedriveVSSService;Livedrive VSS Service;c:\program files (x86)\Livedrive\VSSService.exe [2012-02-08 210616]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe [2011-08-04 126400]
S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-02-23 2886528]
S2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-11-08 288256]
S2 WDFME;WD File Management Engine;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [2010-11-08 1060352]
S2 WDSC;WD File Management Shadow Engine;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [2010-11-08 485376]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-04 138360]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 rtkio;rtkio;c:\program files (x86)\Realtek\Smart Dual Lan\rtkio.sys [2009-07-15 17392]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 16:52]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-02 23:36]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-02 23:36]
.
2011-03-30 c:\windows\Tasks\RegInOut Scheduled Scan - Michael.job
- c:\program files (x86)\RegInOut\RegInOut.exe [2011-03-12 19:13]
.
2012-04-18 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~2\SMARTD~1\Messages\SDNotify.exe [2012-03-02 18:22]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupOverlay]
@="{B44A5D93-1351-41A1-BD91-5E92435D8ECD}"
[HKEY_CLASSES_ROOT\CLSID\{B44A5D93-1351-41A1-BD91-5E92435D8ECD}]
2012-02-08 00:48 1245880 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveDownloadOverlay]
@="{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}"
[HKEY_CLASSES_ROOT\CLSID\{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}]
2012-02-08 00:48 1245880 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveSharedOverlay]
@="{84CEF1E4-1356-4063-845F-05047F4DD52C}"
[HKEY_CLASSES_ROOT\CLSID\{84CEF1E4-1356-4063-845F-05047F4DD52C}]
2012-02-08 00:48 1245880 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveSyncedOverlay]
@="{42058329-2FBF-4B33-8E52-3BE5754DE0C1}"
[HKEY_CLASSES_ROOT\CLSID\{42058329-2FBF-4B33-8E52-3BE5754DE0C1}]
2012-02-08 00:48 1245880 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveUploadOverlay]
@="{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}"
[HKEY_CLASSES_ROOT\CLSID\{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}]
2012-02-08 00:48 1245880 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-08 9642528]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-22 2306448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.24-7pressrelease.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.59.144.92 64.59.144.93 64.59.150.135
FF - ProfilePath - c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\eh1scdqo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.24-7pressrelease.com/
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
AddRemove-SIUSBXP&10C4&EA61 - c:\windows\system32\Silabs\DriverUninstaller.exe USBXpress\SIUSBXP&10C4&EA61
AddRemove-SLABCOMM&10C4&EA60 - c:\windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60
AddRemove-ROES.whcc - c:\windows\system32\javaws.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\17.9.0.12\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\crypserv.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
.
**************************************************************************
.
Completion time: 2012-04-18 15:01:36 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-18 22:01
.
Pre-Run: 62,532,022,272 bytes free
Post-Run: 62,952,345,600 bytes free
.
- - End Of File - - F5B11DAF3F7666AB701F68C108FE7E96

#8 Michaeli

Michaeli
  • Topic Starter
  • Members
  • 23 posts

Posted 19 April 2012 - 11:37 AM

Hi,

At the end of ComboFix (log is in previous message), I was unable to run any programs as I was receiving a message "Illegal operation attempted on a registry key that has been marked for deletion.", then it would say "The item you selected is unavailable. It might have been moved, renamed, or removed. Do you want to remove it from the list?". I tried to run NOTEPAD, CALCULATOR and even when I clicked on Windows Explorer the message would come up. This morning I rebooted and was able to run everything "as normal", however I re-ran a full system scan on Norton and the "Trojan.Zeroaccess.B" is still there. Help please... THANK YOU!

Michael.

#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 19 April 2012 - 02:46 PM

Good evening. :)

Can you tell me which file(s) your anti-virus is flagging as infected?

Edited by Noviciate, 19 April 2012 - 02:46 PM.

So long, and thanks for all the fish.

#10 Michaeli

Michaeli
  • Topic Starter
  • Members
  • 23 posts

Posted 19 April 2012 - 06:45 PM

Hi,

The file(s), flagged by Norton would appear to be:

c:\users\michael\appdata\local\temp\av443d.tmp
c:\windows\system32\consrv.dll

Michael

#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 20 April 2012 - 02:22 PM

Good evening. :)

Do you have a flashdrive of at least 128 Mb that you can lay your hands on for a little play?

So long, and thanks for all the fish.

#12 Michaeli

Michaeli
  • Topic Starter
  • Members
  • 23 posts

Posted 20 April 2012 - 11:08 PM

Yes....

#13 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:49 PM

Posted 21 April 2012 - 02:38 PM

Good evening. :)

For 64-bit (x64) systems, download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

So long, and thanks for all the fish.
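Once FRST has written FRST.txt, the helper's next job is reading it, and the Registry, Services, Drivers and file-listing lines it prints are regular enough to parse. The following is an added example of my own, not part of this thread and not code that Farbar's tool ships: a small Python triage script that parses those line formats (the same ones as the log posted in the reply below) and flags the entries a responder would read first: an image file FRST could not find ([x]), an empty company string, an image named without an absolute path so it is resolved via PATH when the service starts, and binaries sitting in temp or profile directories or directly under the Windows root. The sample log is constructed in FRST's format (most lines copied from this thread's log; the `[Updater]` entry is made up to show what a temp-directory autostart looks like), and the heuristics are a prompt for review, not a verdict.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.
Added example, not part of this thread and not code shipped with FRST. It parses the
line formats FRST prints and flags entries a responder would read first (review prompt, not verdict)."""
import re
from dataclasses import dataclass, field

# Autostart entry: HKLM-x32\...\Run: [Name] <command> [size date] (Company)
REG_ENTRY = re.compile(r"^HK\S*?\\\.\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
# Service/driver entry: "<start> <name>; <image> [size date] (Company)" or "... [x]"
SVC_ENTRY = re.compile(r"^\d (?P<name>[^;]+); (?P<rest>.*)$")
# Trailing "[size date] (Company)"; the company string may itself contain parentheses.
TAIL = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\] \((?P<company>.*)\)\s*$")
MISSING = re.compile(r"\[x\]\s*$")  # FRST marks an image it could not find with [x]
# First absolute path with an executable-type extension inside a command line.
IMAGE = re.compile(r"(?:\\\?\?\\)?[A-Za-z]:\\.*?\.(?:exe|dll|sys|cpl|fcl)\b", re.I)
# File listing: "<modified> - [<created>] - <size> <attrs> [(Company)] <path>"
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - (?:\d{4}-\d{2}-\d{2} \d{2}:\d{2} )?- \d+ "
    r"(?P<attrs>\S+) (?:\((?P<company>.*?)\) )?(?P<path>[A-Za-z]:\\.*)$"
)
BINARY_EXT = (".exe", ".dll", ".sys", ".cpl", ".fcl")
REVIEW_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\")

@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)

def _path_reasons(path: str) -> list:
    """Location heuristics shared by autostart entries and file listings."""
    low, reasons = path.lower().replace("\\??\\", ""), []
    if any(d in low for d in REVIEW_DIRS):
        reasons.append("runs from a temp/profile/ProgramData location")
    # A binary directly in C:\Windows rather than a subfolder is unusual.
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", low) and low.endswith(BINARY_EXT):
        reasons.append("binary directly under the Windows root")
    return reasons

def parse_entry(line: str):
    """Parse one Registry/Services/Drivers line; None if the line is not an entry."""
    m = REG_ENTRY.match(line) or SVC_ENTRY.match(line)
    if not m:
        return None
    rest, reasons, company = m.group("rest"), [], None
    if MISSING.search(rest):
        reasons.append("image file missing ([x])")
        cmd = MISSING.sub("", rest)
    else:
        tail = TAIL.search(rest)
        if not tail:
            return None
        company, cmd = tail.group("company"), rest[: tail.start()]
    img = IMAGE.search(cmd)
    path = img.group(0) if img else cmd.strip().strip('"')
    if not img:
        reasons.append("no absolute image path (resolved via PATH at start)")
    if company == "":
        reasons.append("no company/signer string")
    return Finding(m.group("name"), path, reasons + _path_reasons(path))

def parse_file_line(line: str):
    """Parse one created/modified-files line; only binaries can produce reasons."""
    m = FILE_LINE.match(line)
    if not m:
        return None
    path, reasons = m.group("path"), []
    if path.lower().endswith(BINARY_EXT):
        if m.group("company") is None:
            reasons.append("binary with no company/signer string")
        reasons += _path_reasons(path)
    return Finding(path.rsplit("\\", 1)[-1], path, reasons)

def triage(log_text: str) -> list:
    """Parse every line of the log and keep only the entries that earned a reason."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        f = parse_file_line(line) or parse_entry(line)
        if f and f.reasons:
            findings.append(f)
    return findings

# Constructed sample in FRST's format (lines mostly copied from this thread; [Updater] is made up).
SAMPLE_LOG = r"""
========================== Registry (Whitelisted) =============
HKLM-x32\...\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe [36864 2007-03-19] ()
HKU\Michael\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-05-02] (Google Inc.)
HKU\Michael\...\Run: [Updater] C:\Users\Michael\AppData\Local\Temp\upd.exe [20480 2012-04-15] ()
==================== Services (Whitelisted) ======
2 Crypkey License; crypserv.exe [122880 2008-05-07] (CrypKey (Canada) Ltd.)
3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]
========================== Drivers (Whitelisted) =============
3 gdrv; \??\C:\Windows\gdrv.sys [x]
============ One Month Created Files and Folders ==============
2012-04-18 13:56 - - 0000000 __SHD C:\$RECYCLE.BIN
2012-04-18 12:54 - 2009-07-13 23:50 - 0080412 ____A C:\Windows\grep.exe
2012-04-18 12:54 - 2011-01-07 10:18 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name}: {f.path}  <- " + "; ".join(f.reasons))
```

On a real FRST.txt you would call `triage()` on the whole file. Note what the sample shows about the heuristics' limits: grep.exe and NIRCMD.exe under C:\Windows are ComboFix's own helper tools, dropped during the run from a few days earlier, so a hit means "look at this", and the helper still decides from the company string, date and path whether the entry belongs there.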


#14 Michaeli

Michaeli
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:04:49 AM

Posted 21 April 2012 - 03:18 PM

Hi! Thank you. Here it is...

Scan result of Farbar Recovery Scan Tool Version: 19-04-2012
Ran by SYSTEM at 21-04-2012 13:06:50
Running from H:\
Windows 7 Professional (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [9642528 2009-12-08] (Realtek Semiconductor)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM\...\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2306448 2010-07-21] (Microsoft Corporation)
HKLM-x32\...\Run: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [346320 2009-08-04] (DeviceVM, Inc.)
HKLM-x32\...\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe [36864 2007-03-19] ()
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [106496 2009-10-20] (NEC Electronics Corporation)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [402432 2010-07-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [InstantBurn] C:\PROGRA~2\CYBERL~1\INSTAN~1\Win2K\IBurn.exe [681256 2009-07-09] (CyberLink Corporation.)
HKLM-x32\...\Run: [MDS_Menu] "C:\Program Files (x86)\CyberLink\MediaShow4\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\MediaShow4" UpdateWithCreateOnce "Software\CyberLink\MediaShow\4.1" [218408 2009-02-25] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [103720 2009-06-03] (CyberLink)
HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePDRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\8.0" [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [RemoteControl8] "C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [91432 2009-07-16] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD8LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe" [50472 2009-04-15] (CyberLink Corp.)
HKLM-x32\...\Run: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe [75048 2009-08-28] (cyberlink)
HKLM-x32\...\Run: [UpdatePPShortCut] "C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" [210216 2009-09-16] (CyberLink Corp.)
HKLM-x32\...\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin [611712 2008-08-14] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [102400 2010-05-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [311296 2010-03-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot [202256 2010-07-15] (RealNetworks, Inc.)
HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [58656 2011-04-20] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-10-09] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKU\Michael\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-05-02] (Google Inc.)
HKU\Michael\...\Run: [Livedrive] "C:\Program Files (x86)\Livedrive\Livedrive.exe" [1817600 2012-02-07] (Livedrive Internet Ltd)
Tcpip\Parameters: [DhcpNameServer] 64.59.144.92 64.59.144.93 64.59.150.135

==================== Services (Whitelisted) ======

2 AdaptecStorageManagerAgent; "C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe" [119296 2009-06-03] (Adaptec Incorporated)
3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [253088 2012-04-16] (Adobe Systems Incorporated)
2 APC UPS Service; C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe [689408 2007-07-19] (American Power Conversion Corporation)
2 BCUService; C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [219360 2009-08-04] (DeviceVM, Inc.)
2 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [462184 2011-08-30] (Apple Inc.)
2 Crypkey License; crypserv.exe [122880 2008-05-07] (CrypKey (Canada) Ltd.)
3 FLEXnet Licensing Service 64; "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe" [1038088 2010-05-05] (Acresso Software Inc.)
2 JMB36X; C:\Windows\SysWOW64\XSrvSetup.exe [65536 2009-08-05] ()
2 LivedriveVSSService; "C:\Program Files (x86)\Livedrive\VSSService.exe" [210616 2012-02-07] ()
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\diMaster.dll" /prefetch:1 [135032 2010-04-29] (Symantec Corporation)
2 QBCFMonitorService; "C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" [20480 2008-09-10] (Intuit)
3 QBFCService; "C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe" [71184 2006-10-09] (Intuit Inc.)
2 SDLService; "C:\Program Files (x86)\Realtek\Smart Dual Lan\SDLService.exe" [88064 2009-10-22] ()
2 TabletService; C:\Windows\system32\Tablet.exe [1386544 2006-12-05] (Wacom Technology, Corp.)
2 TeamViewer7; C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2886528 2012-02-23] (TeamViewer GmbH)
2 WDFME; "C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe" [1060352 2010-11-08] ()
2 WDSC; "C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe" [485376 2010-11-08] ()
3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]

========================== Drivers (Whitelisted) =============

2 adfs; C:\Windows\System32\Drivers\adfs.sys [88632 2008-06-27] (Adobe Systems, Inc.)
2 adfs; C:\Windows\SysWow64\Drivers\adfs.sys [74720 2008-08-14] (Adobe Systems, Inc.)
3 appliand; C:\Windows\System32\Drivers\appliand.sys [33888 2010-06-24] (Applian Technologies Inc.)
3 appliandMP; C:\Windows\System32\DRIVERS\appliand.sys [33888 2010-06-24] (Applian Technologies Inc.)
1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20120413.001\BHDrvx64.sys [1160824 2012-04-02] (Symantec Corporation)
3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [95232 2009-07-13] (Microsoft Corporation)
1 CbFs; C:\Windows\System32\Drivers\CbFs.sys [191960 2010-02-16] (EldoS Corporation)
1 ccHP; C:\Windows\System32\drivers\NISx64\1109000.00C\ccHPx64.sys [593544 2011-08-03] (Symantec Corporation)
1 CLBStor; C:\Windows\System32\Drivers\CLBStor.sys [24560 2009-07-07] (Cyberlink Co.,Ltd.)
2 CLBUDF; C:\Windows\System32\Drivers\CLBUDF.sys [372720 2009-07-07] (CyberLink Corporation.)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [482936 2012-02-03] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138360 2012-02-03] (Symantec Corporation)
3 EyeOneDisplay; C:\Windows\System32\Drivers\i1display_x64.sys [7808 2005-12-13] (GretagMacbeth LLC)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20120420.001\IDSvia64.sys [488568 2012-03-06] (Symantec Corporation)
0 JRAID; C:\Windows\System32\Drivers\JRAID.sys [115824 2009-10-29] (JMicron Technology Corp.)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20120420.019\ENG64.SYS [117880 2012-03-04] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20120420.019\EX64.SYS [2048632 2012-03-04] (Symantec Corporation)
1 NetworkX; C:\Windows\System32\ckldrv.sys [28664 2008-03-17] ()
3 nusb3hub; C:\Windows\System32\Drivers\nusb3hub.sys [75264 2009-10-26] (NEC Electronics Corporation)
3 nusb3xhc; C:\Windows\System32\Drivers\nusb3xhc.sys [176640 2009-10-26] (NEC Electronics Corporation)
3 RemoteControl-USBLAN; C:\Windows\System32\DRIVERS\rcblan.sys [46616 2007-01-24] (Belcarra Technologies)
3 rtkio; \??\C:\Program Files (x86)\Realtek\Smart Dual Lan\rtkio.sys [17392 2009-07-14] (Windows ® Codename Longhorn DDK provider)
3 silabenm; C:\Windows\System32\Drivers\silabenm.sys [27336 2011-01-27] (Silicon Laboratories)
3 silabser; C:\Windows\System32\Drivers\silabser.sys [69120 2011-01-27] (Silicon Laboratories)
1 SRTSP; C:\Windows\System32\Drivers\NISx64\1109000.00C\SRTSP64.SYS [505392 2010-04-21] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\drivers\NISx64\1109000.00C\SRTSPX64.SYS [32304 2010-04-21] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NISx64\1109000.00C\SYMDS64.SYS [433200 2009-08-29] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NISx64\1109000.00C\SYMEFA64.SYS [221304 2011-08-21] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [173104 2010-05-01] (Symantec Corporation)
1 SymIRON; C:\Windows\System32\drivers\NISx64\1109000.00C\Ironx64.SYS [150064 2010-04-28] (Symantec Corporation)
1 SYMTDIv; C:\Windows\System32\Drivers\NISx64\1109000.00C\SYMTDIV.SYS [451704 2011-08-21] (Symantec Corporation)
0 TPkd; C:\Windows\SysWow64\Drivers\TPkd.sys [72608 2006-10-05] (PACE Anti-Piracy, Inc.)
3 wacommousefilter; C:\Windows\System32\Drivers\wacommousefilter.sys [5632 2006-02-15] (Wacom Technology)
3 wacomvhid; C:\Windows\System32\Drivers\wacomvhid.sys [8064 2006-11-15] (Wacom Technology)
2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}; \??\C:\Program Files (x86)\CyberLink\PowerDVD8\000.fcl [146928 2009-08-28] (CyberLink Corp.)
3 catchme; \??\C:\CmboFx\catchme.sys [x]
3 gdrv; \??\C:\Windows\gdrv.sys [x]
2 PDIHWCTL; \??\C:\Windows\system32\drivers\pdihwctl.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-04-21 13:06 - 2010-06-14 19:49 - 0000000 ____D C:\FRST
2012-04-21 11:52 - 2009-07-13 17:41 - 0000054 ____A C:\Windows\System32\server.log
2012-04-18 14:01 - 2012-02-09 20:02 - 0025911 ____A C:\ComboFix.txt
2012-04-18 13:56 - - 0000000 __SHD C:\$RECYCLE.BIN
2012-04-18 12:54 - 2012-01-23 13:20 - 0208896 ____A C:\Windows\MBR.exe
2012-04-18 12:54 - 2011-01-07 10:18 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-04-18 12:54 - 2009-07-13 23:50 - 0080412 ____A C:\Windows\grep.exe
2012-04-18 12:54 - 2009-07-13 23:46 - 0098816 ____A C:\Windows\sed.exe
2012-04-18 12:54 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\ERDNT
2012-04-18 12:54 - 2009-07-13 21:32 - 0256000 ____A C:\Windows\PEV.exe
2012-04-18 12:54 - 2009-07-13 17:39 - 0068096 ____A C:\Windows\zip.exe
2012-04-18 12:54 - 2009-06-10 12:31 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-04-18 12:54 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-04-18 12:53 - 2012-04-16 21:39 - 0000000 ___AD C:\Qoobox
2012-04-16 21:24 - 2009-07-13 15:25 - 0027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
2012-04-16 08:52 - 2012-04-16 08:52 - 8741536 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-04-16 08:16 - 2009-07-13 17:14 - 0418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-16 08:16 - - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-04-16 08:13 - 2011-10-24 09:35 - 0012686 ____A C:\Users\Michael\Desktop\hs_err_pid6428.log
2012-04-11 20:43 - 2012-02-27 23:34 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-04-11 20:43 - 2012-02-27 22:56 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-04-11 20:43 - 2012-02-27 22:48 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-04-11 20:43 - 2012-02-27 22:45 - 2311168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-04-11 20:43 - 2012-02-27 22:42 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-04-11 20:43 - 2012-02-27 17:52 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-04-11 20:43 - 2012-02-27 17:18 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-04-11 20:43 - 2012-02-27 17:09 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-04-11 20:43 - 2012-02-27 17:06 - 1799168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-04-11 20:43 - 2012-02-27 17:03 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-04-11 20:43 - 2012-01-23 13:19 - 9705984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-04-11 20:43 - 2012-01-23 13:19 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-04-11 20:43 - 2012-01-23 13:19 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-04-11 20:43 - 2012-01-23 13:19 - 17790976 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-04-11 20:43 - 2012-01-23 13:19 - 12281856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-04-11 20:43 - 2012-01-23 13:19 - 10888704 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-04-11 20:43 - 2012-01-23 13:19 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-04-11 20:43 - 2012-01-23 13:19 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-04-11 20:43 - 2011-05-02 21:29 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-04-11 20:43 - 2011-05-02 20:30 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-04-11 20:43 - 2010-11-20 05:27 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-04-11 20:43 - 2010-11-20 04:21 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-04-11 20:43 - 2009-07-13 17:41 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-04-11 20:43 - 2009-07-13 17:38 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-04-11 20:43 - 2009-07-13 17:16 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-04-11 20:43 - 2009-07-13 17:14 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-04-11 20:42 - 2009-07-13 17:41 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-04-11 20:42 - 2009-07-13 17:16 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-04-11 20:42 - 2009-07-13 17:16 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-04-11 20:40 - 2009-07-13 17:47 - 0023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-04-11 20:40 - 2009-07-13 17:38 - 0081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-04-11 20:40 - 2009-07-13 17:33 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-04-11 20:40 - 2009-07-13 17:14 - 0159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2012-04-11 20:40 - 2009-07-13 17:11 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2012-04-11 20:40 - 2006-12-05 12:17 - 0220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-04-11 20:40 - 2006-12-05 12:17 - 0172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-04-09 14:10 - 2012-02-01 08:43 - 0008191 ____A C:\Users\Michael\Downloads\Michael Press Release Notes - Mar 21 2012.txt
2012-04-03 12:20 - 2010-05-01 19:22 - 15418964 ____A C:\Users\Michael\Downloads\Avicii_-_Penguin_(Original_Mix).mp3
2012-04-02 10:57 - 2010-05-02 13:57 - 0000000 ____D C:\Mike
2012-03-30 16:32 - 2010-06-26 12:35 - 0000000 ____D C:\Users\Michael\AppData\Local\Sonos,_Inc
2012-03-30 14:46 - 2012-03-02 11:23 - 0001957 ____A C:\Users\Public\Desktop\Sonos.lnk
2012-03-30 14:45 - 2011-04-03 20:49 - 0000000 ____D C:\Users\All Users\Sonos,_Inc
2012-03-30 14:45 - 2011-04-03 20:49 - 0000000 ____D C:\ProgramData\Sonos,_Inc
2012-03-30 14:44 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\Downloaded Installations
2012-03-23 18:48 - 2010-05-01 18:19 - 0029696 ____A C:\Users\Michael\Downloads\12 02 20 - 258154 - Loren Rutledge.doc

============ 3 Months Modified Files and Folders =============

2012-04-21 13:07 - 2012-04-21 13:06 - 0000000 ____D C:\FRST
2012-04-21 12:01 - 2010-05-01 18:12 - 1564759 ____A C:\Windows\WindowsUpdate.log
2012-04-21 12:01 - 2009-07-13 20:45 - 0015056 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-21 12:01 - 2009-07-13 20:45 - 0015056 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-21 11:59 - 2009-07-13 21:13 - 0744006 ____A C:\Windows\System32\PerfStringBackup.INI
2012-04-21 11:53 - 2012-04-16 08:16 - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-04-21 11:53 - 2011-03-18 20:20 - 0000000 ____D C:\Users\Michael\AppData\Local\Livedrive
2012-04-21 11:53 - 2010-07-09 14:23 - 0000000 ____D C:\Users\Michael\AppData\Roaming\WTablet
2012-04-21 11:52 - 2012-04-21 11:52 - 0000054 ____A C:\Windows\System32\server.log
2012-04-21 11:52 - 2012-03-02 11:23 - 0000476 ____A C:\Windows\Tasks\SDMsgUpdate (TE).job
2012-04-21 11:52 - 2012-02-09 20:01 - 0007440 ____A C:\Windows\error.log
2012-04-21 11:52 - 2010-05-02 15:36 - 0000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-04-21 11:51 - 2012-02-09 20:01 - 0003081 ____A C:\Windows\errord.log
2012-04-21 11:51 - 2010-05-02 09:02 - 2143776768 __ASH C:\hiberfil.sys
2012-04-21 11:51 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-21 11:51 - 2009-07-13 20:51 - 0083625 ____A C:\Windows\setupact.log
2012-04-20 19:33 - 2010-05-02 15:36 - 0000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-04-19 08:53 - 2010-08-07 08:40 - 0000000 ____D C:\Users\Michael\dwhelper
2012-04-19 06:59 - 2010-05-04 10:16 - 0000000 ____D C:\Users\Michael\AppData\Roaming\vlc
2012-04-18 14:01 - 2012-04-18 14:01 - 0025911 ____A C:\ComboFix.txt
2012-04-18 14:01 - 2012-04-18 12:53 - 0000000 ___AD C:\Qoobox
2012-04-18 14:01 - 2009-07-13 19:20 - 0000000 __RHD C:\users\Default
2012-04-18 14:01 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Public
2012-04-18 14:00 - 2012-04-18 12:54 - 0000000 ____D C:\Windows\ERDNT
2012-04-18 13:56 - 2012-04-18 13:56 - 0000000 __SHD C:\$RECYCLE.BIN
2012-04-18 13:56 - 2009-07-13 18:34 - 0000215 ____A C:\Windows\system.ini
2012-04-18 13:56 - 2009-07-13 18:34 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-04-18 13:53 - 2010-05-01 21:16 - 0036256 ____A C:\Windows\PFRO.log
2012-04-17 16:08 - 2010-12-18 11:11 - 0000000 ____D C:\Griffin lesley cam
2012-04-17 11:03 - 2010-07-15 21:38 - 0000000 ____D C:\Users\Michael\AppData\Local\CrashDumps
2012-04-17 08:10 - 2011-03-29 18:47 - 0000000 ____D C:\Users\All Users\Backup
2012-04-17 08:10 - 2011-03-29 18:47 - 0000000 ____D C:\ProgramData\Backup
2012-04-16 21:24 - 2012-04-16 21:24 - 0027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
2012-04-16 08:52 - 2012-04-16 08:52 - 8741536 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-04-16 08:52 - 2012-04-16 08:16 - 0418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-16 08:52 - 2011-08-01 08:22 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-04-16 08:13 - 2012-04-16 08:13 - 0012686 ____A C:\Users\Michael\Desktop\hs_err_pid6428.log
2012-04-11 20:44 - 2010-05-01 19:59 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-04-11 20:44 - 2010-05-01 19:59 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-04-11 20:41 - 2010-06-04 19:24 - 57249312 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-04-11 08:27 - 2012-03-30 14:45 - 0000000 ____D C:\Users\All Users\Sonos,_Inc
2012-04-11 08:27 - 2012-03-30 14:45 - 0000000 ____D C:\ProgramData\Sonos,_Inc
2012-04-09 14:10 - 2012-04-09 14:10 - 0008191 ____A C:\Users\Michael\Downloads\Michael Press Release Notes - Mar 21 2012.txt
2012-04-03 12:20 - 2012-04-03 12:20 - 15418964 ____A C:\Users\Michael\Downloads\Avicii_-_Penguin_(Original_Mix).mp3
2012-04-02 11:42 - 2011-01-07 09:15 - 0000000 ____D C:\Users\Michael\AppData\Local\ApplicationHistory
2012-04-02 10:57 - 2012-04-02 10:57 - 0000000 ____D C:\Mike
2012-03-30 16:32 - 2012-03-30 16:32 - 0000000 ____D C:\Users\Michael\AppData\Local\Sonos,_Inc
2012-03-30 14:46 - 2012-03-30 14:46 - 0001957 ____A C:\Users\Public\Desktop\Sonos.lnk
2012-03-30 14:46 - 2011-01-01 17:26 - 0000000 ____D C:\Program Files (x86)\Sonos
2012-03-30 14:45 - 2012-03-30 14:44 - 0000000 ____D C:\Windows\Downloaded Installations
2012-03-30 14:45 - 2010-06-12 20:54 - 0000000 ____D C:\Users\Michael\AppData\Local\Downloaded Installations
2012-03-27 13:48 - 2010-08-12 16:31 - 0000000 ____D C:\WTablet
2012-03-23 18:48 - 2012-03-23 18:48 - 0029696 ____A C:\Users\Michael\Downloads\12 02 20 - 258154 - Loren Rutledge.doc
2012-03-23 05:25 - 2010-06-04 09:42 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-03-20 02:05 - 2009-07-13 18:34 - 0000478 ____A C:\Windows\win.ini
2012-03-19 12:15 - 2010-05-02 15:36 - 0000000 ____D C:\Users\Michael\AppData\Local\Google
2012-03-17 16:36 - 2012-03-17 16:36 - 0000955 ____A C:\Users\Public\Desktop\Balsamiq Mockups.lnk
2012-03-17 16:36 - 2012-03-17 16:36 - 0000000 ____D C:\Users\Michael\AppData\Roaming\BalsamiqMockupsForDesktop.EDE15CF69E11F7F7D45B5430C7D37CC6C3545E3C.1
2012-03-17 16:36 - 2012-03-17 16:36 - 0000000 ____D C:\Program Files (x86)\Balsamiq Mockups
2012-03-17 16:36 - 2010-05-01 20:09 - 0000000 ____D C:\Program Files (x86)\Adobe
2012-03-17 16:35 - 2010-05-01 20:08 - 0000000 ____D C:\Users\Michael\AppData\Local\Adobe
2012-03-17 15:07 - 2012-03-17 15:07 - 0001795 ____A C:\Users\Michael\Desktop\Photomatix Pro 4.1.4 (64-bit).lnk
2012-03-17 15:07 - 2011-01-14 11:19 - 0000000 ____D C:\Program Files\PhotomatixPro4
2012-03-15 19:33 - 2012-03-15 19:33 - 0000000 ____D C:\Users\Michael\AppData\Roaming\TeamViewer
2012-03-15 19:32 - 2012-02-10 16:24 - 0001170 ____A C:\Users\Public\Desktop\TeamViewer 7.lnk
2012-03-15 19:30 - 2012-03-15 19:30 - 3898304 ____A (TeamViewer GmbH) C:\Users\Michael\Downloads\TeamViewer_Setup_en(1).exe
2012-03-14 06:10 - 2009-07-13 20:45 - 5011544 ____A C:\Windows\System32\FNTCACHE.DAT
2012-03-05 22:53 - 2012-04-11 20:42 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-05 21:59 - 2012-04-11 20:42 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-05 21:59 - 2012-04-11 20:42 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-02 11:40 - 2012-03-02 11:24 - 0000000 ____D C:\Users\Michael\AppData\Roaming\SmartDraw
2012-03-02 11:25 - 2012-03-02 11:25 - 0001016 ____A C:\Users\Michael\Desktop\SmartDraw 2012.lnk
2012-03-02 11:25 - 2012-03-02 11:25 - 0000000 ____D C:\Users\Michael\Documents\SmartDraw
2012-03-02 11:24 - 2012-03-02 11:24 - 0000000 ____D C:\Users\Michael\AppData\System
2012-03-02 11:23 - 2012-03-02 11:23 - 0000986 ____A C:\Users\Public\Desktop\SmartDraw 2012.lnk
2012-03-02 11:23 - 2012-03-02 11:23 - 0000000 ____D C:\Program Files (x86)\SmartDraw 2012
2012-02-29 22:46 - 2012-04-11 20:40 - 0023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-02-29 22:38 - 2012-04-11 20:40 - 0220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-02-29 22:33 - 2012-04-11 20:40 - 0081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-02-29 22:28 - 2012-04-11 20:40 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-02-29 21:37 - 2012-04-11 20:40 - 0172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-02-29 21:33 - 2012-04-11 20:40 - 0159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2012-02-29 21:29 - 2012-04-11 20:40 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2012-02-29 13:43 - 2012-02-29 13:43 - 0000000 ____D C:\Users\Michael\Documents\Add-in Express
2012-02-29 13:43 - 2012-02-29 13:43 - 0000000 ____D C:\Users\Michael\AppData\Local\IsolatedStorage
2012-02-29 13:42 - 2012-02-29 13:42 - 0000000 ____D C:\Users\Michael\AppData\Roaming\BreezeTree
2012-02-27 23:34 - 2012-04-11 20:43 - 17790976 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-27 23:02 - 2012-04-11 20:43 - 10888704 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-27 22:56 - 2012-04-11 20:43 - 2311168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-02-27 22:50 - 2012-04-11 20:43 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-27 22:49 - 2012-04-11 20:43 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-27 22:48 - 2012-04-11 20:43 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-02-27 22:48 - 2012-04-11 20:43 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-27 22:47 - 2012-04-11 20:43 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-27 22:45 - 2012-04-11 20:43 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-02-27 22:43 - 2012-04-11 20:43 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-27 22:43 - 2012-04-11 20:43 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-27 22:42 - 2012-04-11 20:43 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-27 22:39 - 2012-04-11 20:43 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-02-27 17:52 - 2012-04-11 20:43 - 12281856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-02-27 17:27 - 2012-04-11 20:43 - 9705984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-02-27 17:18 - 2012-04-11 20:43 - 1799168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-02-27 17:12 - 2012-04-11 20:43 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-02-27 17:11 - 2012-04-11 20:43 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-02-27 17:11 - 2012-04-11 20:43 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-02-27 17:09 - 2012-04-11 20:43 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-02-27 17:08 - 2012-04-11 20:43 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-02-27 17:06 - 2012-04-11 20:43 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-02-27 17:04 - 2012-04-11 20:43 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-02-27 17:03 - 2012-04-11 20:43 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-02-27 17:03 - 2012-04-11 20:43 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-02-27 16:59 - 2012-04-11 20:43 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-02-22 21:08 - 2012-02-22 21:06 - 0000000 ____D C:\Program Files (x86)\Livedrive
2012-02-22 21:07 - 2012-02-22 21:07 - 0001726 ____A C:\Users\Public\Desktop\Livedrive Control Panel.lnk
2012-02-22 21:05 - 2012-02-22 21:05 - 0000000 ____D C:\Users\Michael\AppData\Roaming\Livedrive Internet Limited
2012-02-20 17:22 - 2010-05-01 18:12 - 0000000 ____D C:\users\Michael
2012-02-20 17:19 - 2011-04-03 20:40 - 0000325 ____A C:\Users\All Users\DEFRAG_HISTORY.xml
2012-02-20 17:19 - 2011-04-03 20:40 - 0000325 ____A C:\ProgramData\DEFRAG_HISTORY.xml
2012-02-20 17:11 - 2010-05-01 18:12 - 0000000 ____D C:\Users\Michael\AppData\LocalLow
2012-02-20 17:10 - 2010-05-16 12:04 - 0000000 ____D C:\Users\Michael\AppData\Roaming\uTorrent
2012-02-20 17:00 - 2011-04-03 15:46 - 0000673 ____A C:\Users\All Users\SYSTEM_CLEANER_HISTORY.xml
2012-02-20 17:00 - 2011-04-03 15:46 - 0000673 ____A C:\ProgramData\SYSTEM_CLEANER_HISTORY.xml
2012-02-16 22:38 - 2012-03-13 18:42 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-02-16 21:34 - 2012-03-13 18:42 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-02-16 20:58 - 2012-03-13 18:42 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-02-16 20:57 - 2012-03-13 18:42 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-02-15 19:24 - 2010-05-01 18:12 - 0000174 ___SH C:\Users\Michael\Start Menu\Programs\Startup\desktop.ini
2012-02-15 19:24 - 2010-05-01 18:12 - 0000174 ___SH C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-02-10 16:48 - 2012-02-10 16:48 - 0002067 ____A C:\Users\Michael\Documents\usprnews.com
2012-02-10 16:48 - 2012-02-10 16:48 - 0002067 ____A C:\Users\Michael\Documents\24-7.key
2012-02-10 16:24 - 2012-02-10 16:24 - 0000000 ____D C:\Program Files (x86)\TeamViewer
2012-02-10 16:23 - 2012-02-10 16:23 - 4015488 ____A (TeamViewer GmbH) C:\Users\Michael\Downloads\TeamViewer_Setup_en.exe
2012-02-10 14:51 - 2010-06-06 12:04 - 0000000 ____D C:\Users\Michael\AppData\Roaming\Apple Computer
2012-02-10 14:51 - 2010-06-06 12:04 - 0000000 ____D C:\Users\Michael\AppData\Local\Apple Computer
2012-02-10 14:50 - 2012-02-10 14:50 - 0000000 ____D C:\Users\Michael\AppData\Roaming\Artisteer
2012-02-10 14:19 - 2012-02-10 14:19 - 0001133 ____A C:\Users\Michael\Desktop\Artisteer 3.lnk
2012-02-10 14:16 - 2012-02-10 14:16 - 0000000 ____D C:\Program Files (x86)\Artisteer 3
2012-02-10 09:39 - 2012-02-10 09:39 - 0000000 ____D C:\Users\Michael\AppData\Roaming\Adobe Mini Bridge CS5
2012-02-09 22:36 - 2012-03-13 18:43 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-02-09 21:51 - 2012-02-09 20:23 - 1588233216 ____A C:\Users\Michael\Outlook.pst
2012-02-09 21:38 - 2012-03-13 18:43 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-02-09 20:22 - 2012-02-09 20:02 - 0000004 ____A C:\Windows\vx86036.dat
2012-02-09 20:22 - 2012-02-09 20:01 - 0001680 ____A C:\Windows\System32\esnecil.ind
2012-02-09 20:22 - 2011-01-07 09:13 - 0757012 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-02-09 20:02 - 2012-02-09 20:02 - 0000131 ____A C:\CKINFO.TXT
2012-02-09 20:01 - 2012-02-09 20:01 - 0001062 ____A C:\Users\Michael\Desktop\Stellar Phoenix Outlook PST Repair.lnk
2012-02-09 20:01 - 2012-02-09 20:01 - 0000074 ____A C:\Windows\Crypkey.ini
2012-02-09 20:01 - 2012-02-09 20:01 - 0000000 ____D C:\Users\All Users\CrypKey
2012-02-09 20:01 - 2012-02-09 20:01 - 0000000 ____D C:\ProgramData\CrypKey
2012-02-09 20:01 - 2012-02-09 20:01 - 0000000 ____D C:\Program Files (x86)\Stellar Phoenix Outlook PST Repair
2012-02-09 16:25 - 2012-02-09 16:25 - 0000162 ____A C:\Users\Michael\Desktop\WPTurbo WordPress Autoblogging Plugin.url
2012-02-09 10:09 - 2012-02-09 10:09 - 0000184 ____A C:\Users\Michael\Desktop\PR Daily News Public Relations news and marketing in the age of social media Main.url
2012-02-07 16:48 - 2012-02-07 16:48 - 0609464 ____A (Livedrive Internet Ltd) C:\Windows\System32\LivedriveControlPanel.cpl
2012-02-07 14:52 - 2010-05-01 18:23 - 0119496 ____A C:\Users\Michael\AppData\Local\GDIPFONTCACHEV1.DAT
2012-02-07 10:02 - 2012-02-07 10:02 - 1070352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
2012-02-06 10:07 - 2010-05-02 20:26 - 0001456 ____A C:\Users\Michael\AppData\Local\Adobe Save for Web 12.0 Prefs
2012-02-02 20:34 - 2012-03-13 18:43 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-02-01 08:45 - 2010-06-04 09:42 - 0001138 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-02-01 08:43 - 2012-02-01 08:42 - 15795464 ____A (Mozilla) C:\Users\Michael\Downloads\Firefox Setup 10.0.exe
2012-01-31 06:25 - 2010-05-01 20:09 - 0000000 ____D C:\Users\All Users\Adobe
2012-01-31 06:25 - 2010-05-01 20:09 - 0000000 ____D C:\ProgramData\Adobe
2012-01-30 21:16 - 2012-01-30 21:16 - 0000132 ____A C:\Users\Michael\AppData\Roaming\Adobe PNG Format CS5 Prefs
2012-01-30 20:31 - 2012-01-30 20:31 - 0000000 ____A C:\Users\Michael\Downloads\Richard Sturdevant Texas School 2012 Program.doc
2012-01-30 19:51 - 2010-05-01 20:09 - 0000000 ____D C:\Users\Michael\AppData\Roaming\Adobe
2012-01-30 14:57 - 2012-01-30 14:57 - 0002023 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2012-01-26 21:16 - 2012-01-26 21:16 - 2615682 ____A C:\Users\Michael\Downloads\dreamstimefree_6849425.jpg
2012-01-24 22:38 - 2012-03-13 18:42 - 0149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-01-24 22:38 - 2012-03-13 18:42 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-01-24 22:33 - 2012-03-13 18:42 - 0009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-01-23 14:46 - 2012-01-23 14:46 - 0000609 ____A C:\Users\Michael\Desktop\IZ - Shortcut.lnk
2012-01-23 14:02 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\rescache
2012-01-23 13:22 - 2011-08-09 18:36 - 0008069 ____A C:\Windows\IE9_main.log
2012-01-23 13:22 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\PolicyDefinitions
2012-01-23 13:19 - 2012-01-23 13:19 - 3695416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dat
2012-01-23 13:19 - 2012-01-23 13:19 - 3695416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2012-01-23 13:19 - 2012-01-23 13:19 - 0697344 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0603648 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0580608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0534528 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0452608 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0448512 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-01-23 13:19 - 2012-01-23 13:19 - 0434176 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0403248 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0367104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2012-01-23 13:19 - 2012-01-23 13:19 - 0353792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0353584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0282112 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0267776 ____A (Microsoft Corporation) C:\Windows\System32\ieaksie.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0249344 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0227840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieaksie.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0223232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0222208 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0203776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0197120 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-01-23 13:19 - 2012-01-23 13:19 - 0165888 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2012-01-23 13:19 - 2012-01-23 13:19 - 0163840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieakui.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0163840 ____A (Microsoft Corporation) C:\Windows\System32\ieakui.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0162304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msls31.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0160256 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2012-01-23 13:19 - 2012-01-23 13:19 - 0160256 ____A (Microsoft Corporation) C:\Windows\System32\ieakeng.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0152064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wextract.exe
2012-01-23 13:19 - 2012-01-23 13:19 - 0150528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iexpress.exe
2012-01-23 13:19 - 2012-01-23 13:19 - 0149504 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0145920 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-01-23 13:19 - 2012-01-23 13:19 - 0135168 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0130560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieakeng.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0123392 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0118784 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0114176 ____A (Microsoft Corporation) C:\Windows\System32\admparse.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0111616 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0110592 ____A (Microsoft Corporation) C:\Windows\SysWOW64\IEAdvpack.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0103936 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0101888 ____A (Microsoft Corporation) C:\Windows\SysWOW64\admparse.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0091648 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2012-01-23 13:19 - 2012-01-23 13:19 - 0089088 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2012-01-23 13:19 - 2012-01-23 13:19 - 0089088 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-01-23 13:19 - 2012-01-23 13:19 - 0086528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0082432 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0078848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0076800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\SetIEInstalledDate.exe
2012-01-23 13:19 - 2012-01-23 13:19 - 0076800 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2012-01-23 13:19 - 2012-01-23 13:19 - 0074752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2012-01-23 13:19 - 2012-01-23 13:19 - 0074752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0074240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ie4uinit.exe
2012-01-23 13:19 - 2012-01-23 13:19 - 0072822 ____A C:\Windows\SysWOW64\ieuinit.inf
2012-01-23 13:19 - 2012-01-23 13:19 - 0072822 ____A C:\Windows\System32\ieuinit.inf
2012-01-23 13:19 - 2012-01-23 13:19 - 0066048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\icardie.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0065024 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0063488 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2012-01-23 13:19 - 2012-01-23 13:19 - 0055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0054272 ____A (Microsoft Corporation) C:\Windows\SysWOW64\pngfilt.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0049664 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0048640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmler.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0035840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imgutil.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0031744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0030720 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0023552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2012-01-23 13:19 - 2012-01-23 13:19 - 0012288 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2012-01-23 13:19 - 2012-01-23 13:19 - 0011776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2012-01-23 13:19 - 2012-01-23 13:19 - 0010752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2012-01-23 13:19 - 2012-01-23 13:19 - 0010752 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 8187.29 MB
Available physical RAM: 7355.2 MB
Total Pagefile: 8185.44 MB
Available Pagefile: 7335.03 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (Boot) (Fixed) (Total:214.84 GB) (Free:58.24 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (Img Data 2) (Fixed) (Total:3533.61 GB) (Free:2925.44 GB) NTFS
3 Drive f: (Data A) (Fixed) (Total:716.67 GB) (Free:633.09 GB) NTFS
5 Drive h: (TRANSCEND) (Removable) (Total:7.46 GB) (Free:3.66 GB) FAT32
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
8 Drive y: (Img Data 1) (Fixed) (Total:3906.25 GB) (Free:2535.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 7439 GB 2048 KB *
Disk 1 Online 931 GB 1024 KB
Disk 2 Online 7660 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Reserved 128 MB 17 KB
Partition 2 Primary 3906 GB 129 MB
Partition 3 Primary 3533 GB 3906 GB

======================================================================================================

Disk: 0
Partition 1
Type : e3c9e316-0b5c-4db8-817d-f92df00215ae
Hidden : Yes
Required: No
Attrib : 0000000000000000

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden : No
Required: No
Attrib : 0000000000000000

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Y Img Data 1 NTFS Partition 3906 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden : No
Required: No
Attrib : 0000000000000000

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D Img Data 2 NTFS Partition 3533 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 214 GB 1024 KB
Partition 2 Primary 716 GB 214 GB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 C Boot NTFS Partition 214 GB Healthy

======================================================================================================

Disk: 1
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 F Data A NTFS Partition 716 GB Healthy

======================================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7656 MB 4096 KB

======================================================================================================

Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 H TRANSCEND FAT32 Removable 7656 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-04-19 12:08

======================= End Of Log ==========================

#15 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:49 PM

Posted 22 April 2012 - 02:53 PM

Good evening. :)

We'll start by looking for a replacement file for one that Symantec is flagging as infected. Boot into the System Recovery Options as before and run frst again, but this time enter the following into the Search box and click Search: consrv.dll

Once complete you should have a text file, Search.txt, on the flash drive - I'd like the contents of that in your next reply, as well as the following:


Download RegQuery from here and save it to your Desktop.
  • Double click the file to run it.
  • Copy the following keyname to your clipboard - either CTRL + C or right click will do.

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems
  • Click Paste from Clipboard and then Query.
  • A Notepad window should open with some text in it - either that or you'll get a pop-up telling you to check the keyname.
  • Let me have the contents of the file in your next reply.

So long, and thanks for all the fish.
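As a defender's counterpart to the RegQuery step above, here is an added PowerShell check (not part of this thread and not the RegQuery tool) that reads the same SubSystems key, lists every ServerDll the Win32 subsystem string tells csrss.exe to load, and reports whether each DLL exists in System32 together with its SHA-256 hash. The set of expected server DLL names is an assumption taken from a default Windows 7 install; a name outside that set, or a missing file, is a prompt to look closer, not a verdict.

```powershell
# Added example: inspect the Win32 subsystem string instead of pasting it into RegQuery.
# Run from an elevated PowerShell prompt on the affected machine (or point $key at an
# offline hive loaded under HKLM). Not part of the thread or of the RegQuery tool.
$key = 'HKLM:\SYSTEM\ControlSet001\Control\Session Manager\SubSystems'

# Server DLL names a default Windows 7 install references (assumption for the check).
$expected = @('basesrv', 'winsrv', 'sxssrv')

function Get-Sha256 {
    param([string]$Path)
    # Uses the .NET hash classes so the script also works on the PowerShell 2.0 that
    # ships with Windows 7 (Get-FileHash only exists in later versions).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

$raw = (Get-ItemProperty -Path $key -Name Windows).Windows
Write-Host "Windows subsystem string:`n$raw`n"

# Entries have the form ServerDll=<name>[:<entrypoint>],<index>; csrss loads <name>.dll
# from System32 at boot, so a renamed or extra entry here changes what runs on startup.
$pattern = 'ServerDll=(?<name>[^:,\s]+)(:(?<entry>[^,\s]+))?,(?<idx>\d+)'
foreach ($m in [regex]::Matches($raw, $pattern)) {
    $name = $m.Groups['name'].Value
    $dll  = Join-Path $env:SystemRoot ("System32\{0}.dll" -f $name)
    $info = New-Object PSObject -Property @{
        ServerDll  = $name
        EntryPoint = $m.Groups['entry'].Value
        Index      = $m.Groups['idx'].Value
        Expected   = ($expected -contains $name.ToLower())
        Exists     = (Test-Path -LiteralPath $dll)
        Sha256     = ''
    }
    if ($info.Exists) { $info.Sha256 = Get-Sha256 -Path $dll }
    $info
    if (-not $info.Expected -or -not $info.Exists) {
        Write-Warning ("Review {0}: unexpected server DLL name or missing file" -f $dll)
    }
}
```

Compare the reported hashes against the same files on a known-clean machine or installation media; most OS binaries are catalog-signed, so a signature check alone would not tell the two apart on this version of Windows.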
