
Microsoft Security Essentials keeps finding Trojan:Win64/Sirefef.W


This topic is locked
16 replies to this topic

#1 Jon Carroll


  • Members
  • 9 posts

Posted 05 June 2012 - 11:13 AM

Hi,

Here are the attached logs. I have run GMER but it only lets me select Services, Registry and Files - all the options above it are greyed out.

Thanks in advance for your help,

Jon

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1
Run by JC at 16:31:37 on 2012-06-05
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.4094.1511 [GMT 1:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Google\Update\1.3.21.111\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.21.111\GoogleCrashHandler64.exe
C:\Users\JC\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Users\JC\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe
C:\Users\JC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\JC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\JC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\JC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\JC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\JC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\JC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\JC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\JC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\JC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\JC\AppData\Local\Google\Chrome\Application\chrome.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\JC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\JC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\JC\AppData\Local\Google\Chrome\Application\chrome.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
\\.\globalroot\systemroot\Installer\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}\U
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
TB: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Spotify Web Helper] "C:\Users\JC\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
StartupFolder: C:\Users\JC\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\JC\AppData\Roaming\Dropbox\bin\Dropbox.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab
TCP: Interfaces\{26474C16-5F3C-401B-8937-95A2BDEBB771} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{27477E1D-B13A-4EDC-9E65-1C964BBD90B5} : DhcpNameServer = 149.254.230.7 149.254.199.126
TCP: Interfaces\{CAA18457-992A-45BE-866C-0B5AEC0D3BAB} : NameServer = 10.1.32.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Foxit PDF Creator Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
BHO-X64: Hotspot Shield Class: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
TB-X64: Foxit PDF Creator Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\JC\AppData\Roaming\Mozilla\Firefox\Profiles\vlay7flu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.93\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\JC\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Users\JC\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\JC\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 hshld;Hotspot Shield Service;C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe [2012-4-11 542552]
R2 HssWd;Hotspot Shield Monitoring Service;C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS --> C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2011-10-14 994360]
R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2011-10-14 399416]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
R3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-4-17 136176]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-7-22 1153368]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-29 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-7 257696]
S3 BrlAPI;BrlAPI;C:\cygwin\bin\cygrunsrv.exe [2011-9-13 68096]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2012-1-6 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-4-17 79360]
S3 CT20XUT;CT20XUT;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTHWIUT;CTHWIUT;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
S3 ggflt;SEMC USB Flash Driver Filter;C:\Windows\system32\DRIVERS\ggflt.sys --> C:\Windows\system32\DRIVERS\ggflt.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-4-17 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-3 129976]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\system32\DRIVERS\netaapl64.sys --> C:\Windows\system32\DRIVERS\netaapl64.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;C:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [2011-4-17 155344]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-06-05 14:26:49 69000 -c--a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6F4B765B-D518-4317-9E6D-E1E2E7E03178}\offreg.dll
2012-06-05 14:26:23 927800 -c--a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{532F7EF3-9C5B-468C-95BB-709B1971CD53}\gapaengine.dll
2012-06-05 14:25:36 8955792 -c--a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6F4B765B-D518-4317-9E6D-E1E2E7E03178}\mpengine.dll
2012-06-05 14:18:46 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-06-05 14:18:44 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-06-05 14:06:14 -------- d-----w- C:\Users\JC\AppData\Local\{85816241-544F-4E0E-BD61-13C137121388}
2012-06-05 14:06:00 -------- d-----w- C:\Users\JC\AppData\Local\{997614AC-4A9D-4360-8E69-072D2260D093}
2012-06-05 10:03:42 -------- dc----w- C:\ProgramData\hssff
2012-06-04 21:55:12 561992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor12.dll
2012-06-04 21:54:20 -------- dc----w- C:\ProgramData\Hotspot Shield
2012-06-01 18:36:33 -------- d-----w- C:\Users\JC\AppData\Local\{93EADF7E-C194-45ED-97BD-C3712E146C07}
2012-06-01 18:36:22 -------- d-----w- C:\Users\JC\AppData\Local\{38C2D7FC-2C8B-4845-932D-66F37A2446E2}
2012-06-01 06:36:06 -------- d-----w- C:\Users\JC\AppData\Local\{146D6741-3591-4242-8EDD-7860FCA70F39}
2012-06-01 06:35:53 -------- d-----w- C:\Users\JC\AppData\Local\{C9EE0646-1B32-441B-81F6-0CDCD2ADCB93}
2012-05-31 18:21:04 -------- d-----w- C:\Users\JC\AppData\Local\{050FAEDD-0697-4C3E-A49F-E6D3C85D4071}
2012-05-31 18:20:46 -------- d-----w- C:\Users\JC\AppData\Local\{6C0CBEE1-6F24-4453-B208-C9FEF1E7917F}
2012-05-29 05:36:40 67464 ----a-w- C:\Windows\System32\CLEyeDevices.dll
2012-05-28 10:48:54 1809408 ----a-w- C:\Windows\SysWow64\ipnathlp.dll
2012-05-25 11:59:38 -------- d-----w- C:\Users\JC\AppData\Local\{EFC6DB4D-9381-41D9-8781-207F7E04778A}
2012-05-25 11:59:15 -------- d-----w- C:\Users\JC\AppData\Local\{E872DC43-B89D-409D-8BEC-D636E427804A}
2012-05-24 08:56:21 -------- d-----w- C:\Users\JC\AppData\Local\{CCF592B4-03E4-412F-987F-1FC9FFB18AA4}
2012-05-24 08:56:01 -------- d-----w- C:\Users\JC\AppData\Local\{1538E054-D6B7-43F3-B72A-0E60C2850660}
2012-05-23 15:26:24 -------- d-----w- C:\Users\JC\AppData\Local\{B04B6E3D-08F2-4CE7-9DFE-564538CDE8AE}
2012-05-23 15:25:37 -------- d-----w- C:\Users\JC\AppData\Local\{E836D3BA-19E1-4D9A-8794-ED96E769F8D4}
2012-05-23 11:36:25 -------- d-s---w- C:\Users\JC\Google Drive
2012-05-16 10:50:32 -------- d-----w- C:\Users\JC\AppData\Local\{684B1C28-DA77-4AA4-81FF-6876727E344F}
2012-05-16 10:50:19 -------- d-----w- C:\Users\JC\AppData\Local\{C7E8BF0B-EE89-4A08-811F-E11B662657E2}
2012-05-15 22:50:05 -------- d-----w- C:\Users\JC\AppData\Local\{E4F03B17-AEC7-4DDF-8FC5-C22183286001}
2012-05-15 22:49:53 -------- d-----w- C:\Users\JC\AppData\Local\{1134A470-BA61-4422-B8D5-3DAB9AEA7066}
2012-05-15 10:49:25 -------- d-----w- C:\Users\JC\AppData\Local\{0D63E243-D777-4B62-905B-F7F1841A0820}
2012-05-15 10:49:13 -------- d-----w- C:\Users\JC\AppData\Local\{53711105-0438-43A5-80AD-C96342E08B9A}
2012-05-15 10:37:15 -------- d-----w- C:\Program Files (x86)\Oracle
2012-05-13 15:41:24 -------- d-----w- C:\Users\JC\AppData\Local\{0A1FA0FD-2C93-4522-8690-C5BF52F3ED51}
2012-05-12 04:48:33 1544704 ----a-w- C:\Windows\System32\DWrite.dll
2012-05-12 04:48:32 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-05-12 04:48:30 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-12 04:48:30 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-12 04:48:30 3146240 ----a-w- C:\Windows\System32\win32k.sys
2012-05-12 04:48:29 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-05-12 04:48:10 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys
2012-05-12 04:48:00 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-05-12 04:47:59 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2012-05-12 04:47:59 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-12 04:47:58 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-12 04:47:58 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2012-05-12 04:47:58 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2012-05-08 09:30:08 -------- d-----w- C:\Users\JC\AppData\Local\{A0452F75-F717-4608-A2F7-FC4599D4CFDF}
2012-05-08 09:29:49 -------- d-----w- C:\Users\JC\AppData\Local\{FDDF0CC4-DF1D-48BD-8A37-0A0B706BCB69}
.
==================== Find3M ====================
.
2012-05-05 04:19:27 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-05 04:19:27 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-05-05 04:19:08 8744608 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-04-18 19:56:30 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2012-04-18 19:56:30 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2012-04-04 17:47:08 772504 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2012-04-04 17:47:02 687504 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-03-20 19:44:12 98688 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
2012-03-20 19:44:12 203888 ----a-w- C:\Windows\System32\drivers\MpFilter.sys
2012-03-08 17:50:28 49016 ----a-w- C:\Windows\SysWow64\sirenacm.dll
2012-03-08 17:37:20 302448 ----a-w- C:\Windows\WLXPGSS.SCR
.
============= FINISH: 16:32:40.86 ===============
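The `\\.\globalroot\systemroot\Installer\{GUID}\U` entry in the Running Processes list above is a process image reached through the NT device namespace, located in a Windows Installer GUID directory, and carrying no file extension; none of those is normal for legitimate software. The Python below is an added triage example, not part of the original post or of the DDS tool: it parses the Running Processes section of a DDS log and flags entries by those defender heuristics (the sample input is an excerpt copied from the log above, not the full log).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt: a few lines copied from the DDS log in the post above,
# framed by the section headers DDS prints. Not the full log.
DDS_EXCERPT = r"""
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Users\JC\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Users\JC\AppData\Local\Google\Chrome\Application\chrome.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
\\.\globalroot\systemroot\Installer\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}\U
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
"""

SECTION_HEADER = re.compile(r"^=+\s*(.+?)\s*=+$")
# %windir%\Installer\{GUID}\ holds MSI metadata; program images do not belong there.
GUID_DIR = re.compile(r"\\Installer\\\{[0-9a-f-]{36}\}\\", re.IGNORECASE)
# Image path up to the first recognised extension; anything after it is arguments.
IMAGE_EXT = re.compile(r"^(.*?\.(?:exe|com|scr|dll))(?:\s|$)", re.IGNORECASE)


def dds_section(text: str, name: str) -> List[str]:
    """Return the entries of one DDS section, skipping the '.' spacer lines."""
    entries, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_HEADER.match(line)
        if header:
            inside = header.group(1).lower() == name.lower()
            continue
        if inside and line and line != ".":
            entries.append(line)
    return entries


def image_path(entry: str) -> str:
    """Strip command-line arguments ('svchost.exe -k netsvcs') and keep the image path."""
    m = IMAGE_EXT.match(entry)
    return m.group(1) if m else entry


@dataclass
class Finding:
    entry: str
    severity: str                 # "high" or "review"
    reasons: List[str] = field(default_factory=list)


def triage_process(entry: str) -> Optional[Finding]:
    """Apply defender heuristics to one Running Processes entry."""
    path = image_path(entry)
    low = path.lower()
    high, review = [], []

    # Legitimate software is launched via a drive-letter path, not the NT
    # device namespace (\\.\globalroot\... or \\?\...).
    if low.startswith((r"\\.\globalroot", r"\\?")):
        high.append("device-namespace path")
    # The Sirefef/ZeroAccess family is known to stage components under
    # %windir%\Installer\{GUID}\ ; no installer keeps running images there.
    if GUID_DIR.search(path):
        high.append("program image inside an Installer\\{GUID}\\ directory")
    # Every normal entry in this section ends in .exe; a bare name has no extension.
    if not re.search(r"\.[a-z0-9]{1,4}$", low):
        high.append("image has no file extension")
    if "\\temp\\" in low:
        high.append("running from a Temp directory")
    elif "\\appdata\\" in low:
        review.append("running from the user profile (common for updaters and sync clients)")

    if high:
        return Finding(entry, "high", high + review)
    if review:
        return Finding(entry, "review", review)
    return None


def triage_dds(text: str) -> List[Finding]:
    """Run triage_process over every Running Processes entry of a DDS log."""
    results = (triage_process(e) for e in dds_section(text, "Running Processes"))
    return [f for f in results if f is not None]


if __name__ == "__main__":
    for f in triage_dds(DDS_EXCERPT):
        print(f"[{f.severity:6}] {f.entry}")
        for r in f.reasons:
            print(f"          - {r}")
```

Entries marked "review" (Dropbox, Chrome in the excerpt) are ordinary user-profile software and only need a glance; the "high" entry is the one a responder would pull first.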



#2 jntkwx


  • Malware Response Team
  • 4,339 posts

Posted 07 June 2012 - 02:26 PM

Hi Jon,

I will be handling your logs to help you get cleaned up. Please give me some time to look them over and I will get back to you as soon as possible. Thanks in advance for your patience.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#3 jntkwx


  • Malware Response Team
  • 4,339 posts

Posted 08 June 2012 - 07:33 AM

Jon,

Welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

 

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Step 1: Combofix

Please download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out here or here.
3. Double click on combofix.exe & follow the prompts.

Important:
  • Do not mouse-click combofix's window while it's running. That may cause it to stall.
  • If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Step 2: Farbar Service Scanner
Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

In your next reply, please include:
  • Combofix log
  • FSS log
  • How is your computer running now? Please be as descriptive as possible. Include any word-for-word error messages that you may have, and/or screenshots of strange behavior.

Regards,
Jason

 



#4 Jon Carroll

  • Topic Starter

  • Members
  • 9 posts

Posted 08 June 2012 - 03:03 PM

My PC had a lot of hanging until I ran Combo-Fix; that seems to have stopped. Logs are attached.

Thanks for your help, I really appreciate it.


ComboFix 12-06-08.02 - JC 08/06/2012 19:48:56.1.4 - x64
Running from: c:\users\JC\Downloads\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\JC\AppData\Local\Temp\_MEI30402\_cacheinvalidation.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\_ctypes.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\_elementtree.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\_hashlib.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\_socket.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\_ssl.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\pyexpat.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\pysqlite2._sqlite.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\python26.dll
c:\users\JC\AppData\Local\Temp\_MEI30402\pythoncom26.dll
c:\users\JC\AppData\Local\Temp\_MEI30402\PyWinTypes26.dll
c:\users\JC\AppData\Local\Temp\_MEI30402\select.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\win32api.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\win32com.shell.shell.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\win32crypt.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\win32event.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\win32file.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\win32inet.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\win32pdh.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\win32process.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\wx._controls_.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\wx._core_.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\wx._gdi_.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\wx._html2.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\wx._misc_.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\wx._windows_.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\wx._wizard.pyd
c:\users\JC\AppData\Local\Temp\_MEI30402\wxbase293u_net_vc.dll
c:\users\JC\AppData\Local\Temp\_MEI30402\wxbase293u_vc.dll
c:\users\JC\AppData\Local\Temp\_MEI30402\wxmsw293u_adv_vc.dll
c:\users\JC\AppData\Local\Temp\_MEI30402\wxmsw293u_core_vc.dll
c:\users\JC\AppData\Local\Temp\_MEI30402\wxmsw293u_html_vc.dll
c:\users\JC\AppData\Local\Temp\_MEI30402\wxmsw293u_webview_vc.dll
c:\users\JC\AppData\Roaming\JC3SQLite3.dll
c:\users\JC\AppData\Roaming\JClog.dat
c:\users\JC\AppData\Roaming\vso_ts_preview.xml
c:\windows\SysWow64\aaisolv.dll
c:\windows\SysWow64\avisynth.dll
c:\windows\SysWow64\devil.dll
c:\windows\SysWow64\NSREG.DLL
.
.
((((((((((((((((((((((((( Files Created from 2012-05-08 to 2012-06-08 )))))))))))))))))))))))))))))))
.
.
2012-06-08 18:55 . 2012-06-08 18:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-08 06:57 . 2012-05-15 00:41 8955792 -c--a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{849978DF-34EC-4791-8558-EF0B5004C694}\mpengine.dll
2012-06-07 06:58 . 2012-05-15 00:41 8955792 -c--a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-05 21:29 . 2012-06-05 21:29 -------- d-----w- c:\program files (x86)\J River
2012-06-05 21:29 . 2012-05-07 21:45 380544 ------w- c:\windows\SysWow64\MC17.exe
2012-06-05 21:29 . 2012-05-07 21:45 380544 ------w- c:\windows\system32\MC17.exe
2012-06-05 21:29 . 2011-04-15 21:26 585728 ------w- c:\windows\SysWow64\AReadyLB.dll
2012-06-05 21:29 . 2011-04-15 21:26 585728 ------w- c:\windows\system32\AReadyLB.dll
2012-06-05 21:29 . 2011-04-15 21:26 229376 ------w- c:\windows\SysWow64\AudDevicePlugin.dll
2012-06-05 21:29 . 2011-04-15 21:26 229376 ------w- c:\windows\system32\AudDevicePlugin.dll
2012-06-05 21:29 . 2012-06-05 21:29 -------- d-----w- c:\users\JC\AppData\Roaming\J River
2012-06-05 14:26 . 2012-02-09 12:17 927800 -c----w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{532F7EF3-9C5B-468C-95BB-709B1971CD53}\gapaengine.dll
2012-06-05 14:18 . 2012-06-05 14:18 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-06-05 14:18 . 2012-06-05 14:18 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-05 10:03 . 2012-06-05 10:03 -------- dc----w- c:\programdata\hssff
2012-06-04 21:55 . 2012-06-04 21:55 561992 ----a-w- c:\program files (x86)\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor12.dll
2012-06-04 21:54 . 2012-06-04 21:54 -------- dc----w- c:\programdata\Hotspot Shield
2012-06-02 02:44 . 2012-06-02 02:44 -------- d-----w- c:\users\Default\AppData\Local\Google
2012-05-29 05:36 . 2012-05-29 05:36 67464 ----a-w- c:\windows\system32\CLEyeDevices.dll
2012-05-28 10:48 . 2012-05-28 10:48 1809408 ----a-w- c:\windows\SysWow64\ipnathlp.dll
2012-05-23 11:36 . 2012-06-07 06:48 -------- d-s---w- c:\users\JC\Google Drive
2012-05-16 13:30 . 2012-05-16 13:30 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-05-15 10:37 . 2012-05-15 10:37 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-05-15 10:37 . 2012-05-15 10:37 -------- d-----w- c:\program files (x86)\Oracle
2012-05-12 04:48 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-12 04:48 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-12 04:48 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-12 04:48 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-12 04:48 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-12 04:48 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-12 04:48 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-12 04:48 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-12 04:47 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-12 04:47 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-12 04:47 . 2012-03-31 05:40 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-12 04:47 . 2012-03-31 05:40 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-12 04:47 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 21:07 . 2012-05-31 21:06 78907120 ----a-w- C:\stereogum-monthly-mix-may2012.zip
2012-05-05 04:19 . 2012-04-07 17:28 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-05 04:19 . 2011-05-17 06:57 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-05 04:19 . 2012-04-07 18:19 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-18 19:56 . 2012-04-18 19:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-18 19:56 . 2012-04-18 19:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-04-04 17:47 . 2012-01-05 14:40 772504 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-04-04 17:47 . 2011-04-17 11:16 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-20 19:44 . 2012-03-20 19:44 98688 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-20 19:44 . 2012-03-20 19:44 203888 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-01-20 10:34 1197448 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2010-01-20 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\JC\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\JC\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\JC\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-10-14 2646128]
"Spotify Web Helper"="c:\users\JC\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-02 932528]
"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2012-05-16 11921064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-18 421888]
.
c:\users\JC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\JC\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 hodiriqp;hodiriqp;c:\windows\system32\drivers\hodiriqp.sys [x]
R1 slkvxjwd;slkvxjwd;c:\windows\system32\drivers\slkvxjwd.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-17 136176]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
R3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe [2008-03-18 68096]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2012-01-06 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-04-17 79360]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [x]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [x]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [x]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-17 136176]
R3 Media Center 17 Service;Media Center 17 Service;c:\program files (x86)\J River\Media Center 17\JRService.exe [2012-05-07 392320]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-03 129976]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [2011-06-29 155344]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 hshld;Hotspot Shield Service;c:\program files (x86)\Hotspot Shield\bin\openvpnas.exe [2012-04-10 542552]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files (x86)\Hotspot Shield\bin\hsswd.exe [2012-04-02 329544]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2011-10-14 994360]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe [2011-10-14 399416]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [x]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [x]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [x]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IPNAT
*NewlyCreated* - WS2IFSL
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Mcx2Svc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 04:19]
.
2012-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-17 07:07]
.
2012-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-17 07:07]
.
2012-06-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1156457478-1984462383-541727582-1000Core.job
- c:\users\JC\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-04 19:55]
.
2012-06-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1156457478-1984462383-541727582-1000UA.job
- c:\users\JC\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-04 19:55]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2012-04-02 18:47 287048 ----a-w- c:\program files (x86)\Hotspot Shield\HssIE\HssIE_64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\JC\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\JC\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\JC\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\JC\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-05-16 16:53 754712 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-05-16 16:53 754712 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-05-16 16:53 754712 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-05-16 16:53 754712 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: Interfaces\{26474C16-5F3C-401B-8937-95A2BDEBB771}: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{CAA18457-992A-45BE-866C-0B5AEC0D3BAB}: NameServer = 10.1.32.1
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
FF - ProfilePath - c:\users\JC\AppData\Roaming\Mozilla\Firefox\Profiles\vlay7flu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-AsioReg - CTASIO.DLL
AddRemove-1181304593.go.sky.com - c:\program files (x86)\Microsoft Silverlight\4.0.60531.0\Silverlight.Configuration.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=hex:51,66,7a,6c,4c,1d,38,12,11,7f,11,
d0,78,5b,08,05,de,bb,01,03,dd,4c,30,54
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,
aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}"=hex:51,66,7a,6c,4c,1d,38,12,3a,a3,f7,
fd,83,a7,ad,0e,fc,b5,35,e1,ab,2d,25,64
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:1e,ea,3b,0c,05,41,cd,01
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.download\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariDownload"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-1156457478-1984462383-541727582-1000)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-1156457478-1984462383-541727582-1000)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.safariextz\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariExtension"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-1156457478-1984462383-541727582-1000)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.webarchive\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-1156457478-1984462383-541727582-1000)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-1156457478-1984462383-541727582-1000)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Google\Update\1.3.21.111\GoogleCrashHandler.exe
c:\program files (x86)\Hotspot Shield\bin\openvpntray.exe
.
**************************************************************************
.
Completion time: 2012-06-08 20:06:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-08 19:06
.
Pre-Run: 203,918,450,688 bytes free
Post-Run: 204,213,149,696 bytes free
.
- - End Of File - - D95147D8CD673FC6E9C86EB4ED8C2145



Farbar Service Scanner Version: 05-06-2012
Ran by JC (administrator) on 08-06-2012 at 20:58:29
Running from "C:\Users\JC\Downloads"
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****


Edited by jntkwx, 08 June 2012 - 03:21 PM.
Including logs in post


#5 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:05:38 AM

Posted 08 June 2012 - 03:33 PM

Jon,

Looking good! :thumbup2:

Combofix took care of several things, but there's still some work to do. Also, please just copy/paste any logs asked for into your replies (unless specifically asked to otherwise); they're easier to read that way. :)

Please download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

-OR-

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
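The ComboFix and FRST logs in this thread mark a service or driver entry with [x] when the file its ImagePath points at is not on disk; the start-type 1 entries hodiriqp and slkvxjwd in the FRST log below are of that shape. The PowerShell below is an added example, not code from the thread or from Farbar's tools, that lists the same condition straight from HKLM\SYSTEM\CurrentControlSet\Services on a live system. The function names Resolve-ImagePath and Get-OrphanedServiceEntry are my own, and the script assumes it is run from an elevated 64-bit PowerShell on the machine being inspected; it does not load an offline hive, so it is a way to read the log, not a replacement for the Recovery Environment scan the post asks for.

```powershell
# Added example for this thread (not code from the page, FRST or ComboFix).
# Lists entries under HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath
# points at a file that does not exist, the condition the logs print as "[x]".
# Assumes an elevated 64-bit PowerShell on the live system.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Start values as FRST prints them: 0 Boot, 1 System, 2 Auto, 3 Manual, 4 Disabled
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

function Resolve-ImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim()
    # Strip the NT object-manager prefix that FRST shows as \??\
    $p = $p -replace '^\\\?\?\\', ''
    # Keep only the executable: the quoted part, or the text before the first space
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {
        $p = ($p -split '\s+')[0]
    }
    # %SystemRoot%\system32\svchost.exe style entries, then \SystemRoot\ style ones
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    # Drivers are usually registered relative to the Windows directory,
    # e.g. system32\drivers\hodiriqp.sys
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-OrphanedServiceEntry {
    Get-ChildItem $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        $path  = Resolve-ImagePath $props.ImagePath
        if ($null -eq $path) { return }            # no ImagePath: nothing to check
        if (Test-Path -LiteralPath $path) { return } # file present: not an [x] entry
        [pscustomobject]@{
            Service   = $_.PSChildName
            Start     = if ($null -ne $props.Start) { $startNames[[int]$props.Start] } else { '?' }
            # Type 1/2 = kernel or file-system driver, 16/32 = Win32 service
            Type      = $props.Type
            ImagePath = $path
        }
    }
}

# Boot- and System-start drivers with no file on disk are the rows worth a second look
Get-OrphanedServiceEntry | Sort-Object Start, Service | Format-Table -AutoSize
```

A missing file is not proof of anything by itself: the same FRST log shows Synth3dVsc, tsusbhub and VGPU with [x], and entries like those are usually Windows components whose files are simply absent on a given build. Compare the output against a known-clean machine of the same Windows build, and leave the decision about what to remove to the person handling the cleanup rather than to a script.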


#6 Jon Carroll

Jon Carroll
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:38 AM

Posted 09 June 2012 - 01:34 AM

Scan result of Farbar Recovery Scan Tool Version: 09-06-2012
Ran by SYSTEM at 09-06-2012 07:24:37
Running from E:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [AsioReg] REGSVR32 /S CTASIO.DLL [x]
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKU\JC\...\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe [2646128 2010-10-14] (PeerBlock, LLC)
HKU\JC\...\Run: [Spotify Web Helper] "C:\Users\JC\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [932528 2012-05-02] ()
HKU\JC\...\Run: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart [11921064 2012-05-16] (Google)
Tcpip\..\Interfaces\{26474C16-5F3C-401B-8937-95A2BDEBB771}: [NameServer]208.67.222.222,208.67.220.220
Tcpip\..\Interfaces\{CAA18457-992A-45BE-866C-0B5AEC0D3BAB}: [NameServer]10.1.32.1
Startup: C:\Users\JC\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ======

3 BrlAPI; C:\cygwin\bin\cygrunsrv.exe [68096 2008-03-18] ()
2 hshld; C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe [542552 2012-04-10] ()
2 HssSrv; C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe [363336 2011-11-15] (AnchorFree Inc.)
3 HssTrayService; C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE [77520 2012-04-10] ()
2 HssWd; C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS [329544 2012-04-02] ()
3 Media Center 17 Service; C:\Program Files (x86)\J River\Media Center 17\JRService.exe [392320 2012-05-07] (JRiver, Inc.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 Secunia PSI Agent; "C:\Program Files (x86)\Secunia\PSI\PSIA.exe" --start-service [994360 2011-10-13] (Secunia)
2 Secunia Update Agent; "C:\Program Files (x86)\Secunia\PSI\sua.exe" --start-service [399416 2011-10-13] (Secunia)
2 SharedAccess; C:\Windows\SysWow64\ipnathlp.dll [1809408 2012-05-28] ()
3 Sony Ericsson PCCompanion; "C:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe" [155344 2011-06-29] (Avanquest Software)
4 Mcx2Svc; C:\Windows\SysWOW64\Mcx2Svc.dll [x]

========================== Drivers (Whitelisted) =============

3 ggflt; C:\Windows\System32\Drivers\ggflt.sys [13352 2011-05-26] (Sony Ericsson Mobile Communications)
3 ggsemc; C:\Windows\System32\Drivers\ggsemc.sys [27176 2011-05-26] (Sony Ericsson Mobile Communications)
3 HssDrv; C:\Windows\System32\Drivers\HssDrv.sys [56832 2011-05-24] (AnchorFree Inc.)
3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [17976 2010-09-01] (Secunia)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
1 hodiriqp; \??\C:\Windows\system32\drivers\hodiriqp.sys [x]
1 slkvxjwd; \??\C:\Windows\system32\drivers\slkvxjwd.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========

NETSVCx32: Mcx2Svc -> C:\Windows\SysWOW64\Mcx2Svc.dll ==> No File.

============ One Month Created Files and Folders ==============

2012-06-08 22:19 - 2012-06-08 22:19 - 01397353 ____A C:\Users\JC\Downloads\FRST64.exe
2012-06-08 12:01 - 2012-06-08 12:01 - 00001960 ____A C:\Users\JC\Desktop\FSS.txt
2012-06-08 11:58 - 2012-06-08 11:58 - 00338059 ____A C:\Users\JC\Downloads\FSS.exe
2012-06-08 11:58 - 2012-06-08 11:58 - 00001960 ____A C:\Users\JC\Downloads\FSS.txt
2012-06-08 11:36 - 2012-06-08 11:36 - 00028239 ____A C:\Users\JC\Desktop\combo log.txt
2012-06-08 11:06 - 2012-06-08 11:06 - 00028239 ____A C:\ComboFix.txt
2012-06-08 10:56 - 2012-06-08 10:56 - 00000546 ____A C:\Windows\PFRO.log
2012-06-08 10:46 - 2012-06-08 11:06 - 00000000 ____D C:\Qoobox
2012-06-08 10:46 - 2012-06-08 11:04 - 00000000 ____D C:\Windows\ERDNT
2012-06-08 10:46 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-06-08 10:46 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-06-08 10:46 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-06-08 10:46 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-06-08 10:46 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-06-08 10:46 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-06-08 10:46 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-06-08 10:46 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-06-08 10:44 - 2012-06-08 10:44 - 04538510 ____R (Swearware) C:\Users\JC\Downloads\ComboFix.exe
2012-06-06 22:48 - 2012-06-06 22:48 - 00000000 ____D C:\Users\JC\AppData\Local\{8B418487-F1BE-4172-8494-DADE191D9BCE}
2012-06-06 22:48 - 2012-06-06 22:48 - 00000000 ____D C:\Users\JC\AppData\Local\{1045DBF7-5F7B-4779-9A71-3DB6BCE181F1}
2012-06-05 13:46 - 2012-06-05 13:46 - 00000000 ____D C:\Users\JC\Documents\JRiver
2012-06-05 13:29 - 2012-06-05 13:29 - 00002069 ____A C:\Users\Public\Desktop\Media Center 17.lnk
2012-06-05 13:29 - 2012-06-05 13:29 - 00000000 ____D C:\Users\JC\AppData\Roaming\J River
2012-06-05 13:29 - 2012-06-05 13:29 - 00000000 ____D C:\Program Files (x86)\J River
2012-06-05 13:29 - 2012-05-07 13:45 - 00380544 ____N (JRiver, Inc.) C:\Windows\SysWOW64\MC17.exe
2012-06-05 13:29 - 2012-05-07 13:45 - 00380544 ____N (JRiver, Inc.) C:\Windows\System32\MC17.exe
2012-06-05 13:29 - 2011-04-15 13:26 - 00585728 ____N (Audible Inc.) C:\Windows\SysWOW64\AReadyLB.dll
2012-06-05 13:29 - 2011-04-15 13:26 - 00585728 ____N (Audible Inc.) C:\Windows\System32\AReadyLB.dll
2012-06-05 13:29 - 2011-04-15 13:26 - 00229376 ____N (Audible Inc.) C:\Windows\SysWOW64\AudDevicePlugin.dll
2012-06-05 13:29 - 2011-04-15 13:26 - 00229376 ____N (Audible Inc.) C:\Windows\System32\AudDevicePlugin.dll
2012-06-05 13:29 - 2011-04-15 13:26 - 00183129 ____N C:\Windows\SysWOW64\AM Install1.INF
2012-06-05 13:29 - 2011-04-15 13:26 - 00183129 ____N C:\Windows\System32\AM Install1.INF
2012-06-05 13:24 - 2012-06-05 13:27 - 00000000 ____D C:\Users\JC\Downloads\J. River Media Center 17.0.112.Incl-Patch [BssBig]
2012-06-05 08:04 - 2012-06-05 08:04 - 00000000 ____A C:\Users\JC\Desktop\gmer.log
2012-06-05 07:34 - 2012-06-05 07:34 - 00000000 ____D C:\Users\JC\Downloads\gmer
2012-06-05 07:33 - 2012-06-05 07:33 - 00022423 ____A C:\Users\JC\Desktop\DDS.txt
2012-06-05 07:33 - 2012-06-05 07:33 - 00006761 ____A C:\Users\JC\Desktop\Attach.txt
2012-06-05 07:32 - 2012-06-05 07:32 - 00294216 ____A C:\Users\JC\Downloads\gmer.zip
2012-06-05 07:30 - 2012-06-05 07:31 - 00607260 ____R (Swearware) C:\Users\JC\Downloads\dds.scr
2012-06-05 07:30 - 2012-06-05 07:30 - 00000466 ____A C:\Users\JC\Desktop\defogger_disable.log
2012-06-05 07:30 - 2012-06-05 07:30 - 00000000 ____A C:\Users\JC\defogger_reenable
2012-06-05 07:17 - 2012-06-05 07:17 - 00050477 ____A C:\Users\JC\Desktop\Defogger.exe
2012-06-05 06:48 - 2012-06-05 06:48 - 00001246 ____A C:\Users\Public\Desktop\CL-Eye Test.lnk
2012-06-05 06:45 - 2012-06-05 06:46 - 05356584 ____A (Code Laboratories, Inc.) C:\Users\JC\Downloads\CL-Eye-Driver-5.0.1.0528.exe
2012-06-05 06:18 - 2012-06-05 06:18 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-05 06:18 - 2012-06-05 06:18 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-05 06:15 - 2012-06-05 06:18 - 12621696 ____A (Microsoft Corporation) C:\Users\JC\Downloads\mseinstall.exe
2012-06-05 06:06 - 2012-06-05 06:06 - 00000000 ____D C:\Users\JC\AppData\Local\{997614AC-4A9D-4360-8E69-072D2260D093}
2012-06-05 06:06 - 2012-06-05 06:06 - 00000000 ____D C:\Users\JC\AppData\Local\{85816241-544F-4E0E-BD61-13C137121388}
2012-06-05 02:03 - 2012-06-05 02:03 - 00000000 ___DC C:\Users\All Users\hssff
2012-06-05 01:13 - 2012-06-05 01:13 - 132410716 ____A C:\Users\JC\Downloads\Cold Warps - Cold Warps.zip
2012-06-04 13:54 - 2012-06-04 13:54 - 00000000 ___DC C:\Users\All Users\Hotspot Shield
2012-06-01 18:44 - 2012-06-01 18:44 - 00000000 ____D C:\Users\Default\AppData\LocalGoogle
2012-06-01 18:44 - 2012-06-01 18:44 - 00000000 ____D C:\Users\Default\AppData\Local\Google
2012-06-01 18:44 - 2012-06-01 18:44 - 00000000 ____D C:\Users\Default User\AppData\LocalGoogle
2012-06-01 18:44 - 2012-06-01 18:44 - 00000000 ____D C:\Users\Default User\AppData\Local\Google
2012-06-01 10:36 - 2012-06-01 10:36 - 00000000 ____D C:\Users\JC\AppData\Local\{93EADF7E-C194-45ED-97BD-C3712E146C07}
2012-06-01 10:36 - 2012-06-01 10:36 - 00000000 ____D C:\Users\JC\AppData\Local\{38C2D7FC-2C8B-4845-932D-66F37A2446E2}
2012-05-31 22:36 - 2012-05-31 22:36 - 00000000 ____D C:\Users\JC\AppData\Local\{146D6741-3591-4242-8EDD-7860FCA70F39}
2012-05-31 22:35 - 2012-05-31 22:36 - 00000000 ____D C:\Users\JC\AppData\Local\{C9EE0646-1B32-441B-81F6-0CDCD2ADCB93}
2012-05-31 13:06 - 2012-05-31 13:07 - 78907120 ____A C:\stereogum-monthly-mix-may2012.zip
2012-05-31 11:10 - 2012-06-05 13:39 - 00000000 ____D C:\Users\JC\Downloads\The Low End Theory
2012-05-31 10:21 - 2012-05-31 10:21 - 00000000 ____D C:\Users\JC\AppData\Local\{050FAEDD-0697-4C3E-A49F-E6D3C85D4071}
2012-05-31 10:20 - 2012-05-31 10:21 - 00000000 ____D C:\Users\JC\AppData\Local\{6C0CBEE1-6F24-4453-B208-C9FEF1E7917F}
2012-05-28 21:36 - 2012-05-28 21:36 - 00067464 ____A C:\Windows\System32\CLEyeDevices.dll
2012-05-28 02:49 - 2012-05-28 02:49 - 00000446 ____A C:\Windows\SysWOW64\ipnathlp.ocx
2012-05-28 02:48 - 2012-05-28 02:48 - 01809408 ____A C:\Windows\SysWOW64\ipnathlp.dll
2012-05-25 03:59 - 2012-05-25 03:59 - 00000000 ____D C:\Users\JC\AppData\Local\{EFC6DB4D-9381-41D9-8781-207F7E04778A}
2012-05-25 03:59 - 2012-05-25 03:59 - 00000000 ____D C:\Users\JC\AppData\Local\{E872DC43-B89D-409D-8BEC-D636E427804A}
2012-05-24 00:56 - 2012-05-24 00:56 - 00000000 ____D C:\Users\JC\AppData\Local\{CCF592B4-03E4-412F-987F-1FC9FFB18AA4}
2012-05-24 00:56 - 2012-05-24 00:56 - 00000000 ____D C:\Users\JC\AppData\Local\{1538E054-D6B7-43F3-B72A-0E60C2850660}
2012-05-23 07:26 - 2012-05-23 07:26 - 00000000 ____D C:\Users\JC\AppData\Local\{B04B6E3D-08F2-4CE7-9DFE-564538CDE8AE}
2012-05-23 07:25 - 2012-05-23 07:26 - 00000000 ____D C:\Users\JC\AppData\Local\{E836D3BA-19E1-4D9A-8794-ED96E769F8D4}
2012-05-23 03:36 - 2012-06-08 11:56 - 00000000 ___SD C:\Users\JC\Google Drive
2012-05-23 03:36 - 2012-05-23 03:36 - 00001689 ____A C:\Users\JC\Desktop\Google Drive.lnk
2012-05-23 03:32 - 2012-05-23 03:32 - 00000000 ____D C:\Users\JC\AppData\LocalGoogle
2012-05-17 23:01 - 2012-05-17 23:05 - 00000000 ____D C:\Users\JC\Downloads\30 Rock - The Complete Season 6 [HDTV]
2012-05-16 02:50 - 2012-05-16 02:50 - 00000000 ____D C:\Users\JC\AppData\Local\{C7E8BF0B-EE89-4A08-811F-E11B662657E2}
2012-05-16 02:50 - 2012-05-16 02:50 - 00000000 ____D C:\Users\JC\AppData\Local\{684B1C28-DA77-4AA4-81FF-6876727E344F}
2012-05-15 14:50 - 2012-05-15 14:50 - 00000000 ____D C:\Users\JC\AppData\Local\{E4F03B17-AEC7-4DDF-8FC5-C22183286001}
2012-05-15 14:49 - 2012-05-15 14:50 - 00000000 ____D C:\Users\JC\AppData\Local\{1134A470-BA61-4422-B8D5-3DAB9AEA7066}
2012-05-15 02:49 - 2012-05-15 02:49 - 00000000 ____D C:\Users\JC\AppData\Local\{53711105-0438-43A5-80AD-C96342E08B9A}
2012-05-15 02:49 - 2012-05-15 02:49 - 00000000 ____D C:\Users\JC\AppData\Local\{0D63E243-D777-4B62-905B-F7F1841A0820}
2012-05-15 02:37 - 2012-05-15 02:37 - 00000000 ____D C:\Program Files (x86)\Oracle
2012-05-15 02:36 - 2012-04-04 09:47 - 00227720 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-05-13 07:41 - 2012-05-13 07:41 - 00000000 ____D C:\Users\JC\AppData\Local\{0A1FA0FD-2C93-4522-8690-C5BF52F3ED51}
2012-05-11 20:48 - 2012-03-30 22:05 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-11 20:48 - 2012-03-30 20:39 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-11 20:48 - 2012-03-30 20:39 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-11 20:48 - 2012-03-30 19:10 - 03146240 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-11 20:48 - 2012-03-30 03:35 - 01918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-05-11 20:48 - 2012-03-16 23:58 - 00075120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-05-11 20:48 - 2012-03-02 22:35 - 01544704 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-05-11 20:48 - 2012-03-02 21:31 - 01077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll


============ 3 Months Modified Files and Folders =============

2012-06-09 07:24 - 2012-06-09 07:24 - 00000000 ____D C:\FRST
2012-06-08 22:22 - 2011-04-17 02:33 - 00063172 ____A C:\Windows\System32\BMXStateBkp-{00000002-00000000-00000001-00001102-00000005-60071102}.rfx
2012-06-08 22:22 - 2011-04-17 02:33 - 00063172 ____A C:\Windows\System32\BMXState-{00000002-00000000-00000001-00001102-00000005-60071102}.rfx
2012-06-08 22:22 - 2011-04-17 02:33 - 00000788 ____A C:\Windows\System32\DVCState-{00000002-00000000-00000001-00001102-00000005-60071102}.rfx
2012-06-08 22:22 - 2011-04-16 22:16 - 01820339 ____A C:\Windows\WindowsUpdate.log
2012-06-08 22:20 - 2009-07-13 21:13 - 00729944 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-08 22:19 - 2012-06-08 22:19 - 01397353 ____A C:\Users\JC\Downloads\FRST64.exe
2012-06-08 22:19 - 2012-04-07 09:28 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-06-08 21:47 - 2011-07-04 12:05 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1156457478-1984462383-541727582-1000UA.job
2012-06-08 21:44 - 2011-04-16 23:08 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-08 12:01 - 2012-06-08 12:01 - 00001960 ____A C:\Users\JC\Desktop\FSS.txt
2012-06-08 11:58 - 2012-06-08 11:58 - 00338059 ____A C:\Users\JC\Downloads\FSS.exe
2012-06-08 11:58 - 2012-06-08 11:58 - 00001960 ____A C:\Users\JC\Downloads\FSS.txt
2012-06-08 11:56 - 2012-05-23 03:36 - 00000000 ___SD C:\Users\JC\Google Drive
2012-06-08 11:56 - 2012-02-20 23:19 - 00000000 ___RD C:\Users\JC\Dropbox
2012-06-08 11:56 - 2012-02-20 23:17 - 00000000 ____D C:\Users\JC\AppData\Roaming\Dropbox
2012-06-08 11:56 - 2011-04-16 23:07 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-08 11:47 - 2009-07-13 20:45 - 00013760 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-08 11:47 - 2009-07-13 20:45 - 00013760 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-08 11:39 - 2012-05-08 11:33 - 00002558 ____A C:\Windows\setupact.log
2012-06-08 11:39 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-08 11:36 - 2012-06-08 11:36 - 00028239 ____A C:\Users\JC\Desktop\combo log.txt
2012-06-08 11:06 - 2012-06-08 11:06 - 00028239 ____A C:\ComboFix.txt
2012-06-08 11:06 - 2012-06-08 10:46 - 00000000 ____D C:\Qoobox
2012-06-08 11:06 - 2009-07-13 19:20 - 00000000 __RHD C:\users\Default
2012-06-08 11:04 - 2012-06-08 10:46 - 00000000 ____D C:\Windows\ERDNT
2012-06-08 10:59 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-06-08 10:58 - 2009-07-13 18:34 - 00000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-06-08 10:56 - 2012-06-08 10:56 - 00000546 ____A C:\Windows\PFRO.log
2012-06-08 10:44 - 2012-06-08 10:44 - 04538510 ____R (Swearware) C:\Users\JC\Downloads\ComboFix.exe
2012-06-08 10:35 - 2012-02-20 02:25 - 00000000 ____D C:\Users\JC\AppData\Local\Spotify
2012-06-08 10:20 - 2012-02-20 02:25 - 00000000 ____D C:\Users\JC\AppData\Roaming\Spotify
2012-06-08 04:47 - 2011-07-04 12:05 - 00000844 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1156457478-1984462383-541727582-1000Core.job
2012-06-06 22:48 - 2012-06-06 22:48 - 00000000 ____D C:\Users\JC\AppData\Local\{8B418487-F1BE-4172-8494-DADE191D9BCE}
2012-06-06 22:48 - 2012-06-06 22:48 - 00000000 ____D C:\Users\JC\AppData\Local\{1045DBF7-5F7B-4779-9A71-3DB6BCE181F1}
2012-06-06 22:48 - 2011-04-17 01:51 - 00000000 ____D C:\Users\JC\AppData\Local\Windows Live
2012-06-06 22:47 - 2011-04-19 06:56 - 00000000 ____D C:\Users\JC\Tracing
2012-06-05 22:59 - 2011-04-17 03:14 - 00000000 ____D C:\Users\JC\AppData\Roaming\uTorrent
2012-06-05 13:46 - 2012-06-05 13:46 - 00000000 ____D C:\Users\JC\Documents\JRiver
2012-06-05 13:39 - 2012-05-31 11:10 - 00000000 ____D C:\Users\JC\Downloads\The Low End Theory
2012-06-05 13:29 - 2012-06-05 13:29 - 00002069 ____A C:\Users\Public\Desktop\Media Center 17.lnk
2012-06-05 13:29 - 2012-06-05 13:29 - 00000000 ____D C:\Users\JC\AppData\Roaming\J River
2012-06-05 13:29 - 2012-06-05 13:29 - 00000000 ____D C:\Program Files (x86)\J River
2012-06-05 13:27 - 2012-06-05 13:24 - 00000000 ____D C:\Users\JC\Downloads\J. River Media Center 17.0.112.Incl-Patch [BssBig]
2012-06-05 12:35 - 2012-01-12 10:51 - 00000000 __SHD C:\Users\JC\AppData\Local\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}
2012-06-05 08:04 - 2012-06-05 08:04 - 00000000 ____A C:\Users\JC\Desktop\gmer.log
2012-06-05 07:34 - 2012-06-05 07:34 - 00000000 ____D C:\Users\JC\Downloads\gmer
2012-06-05 07:33 - 2012-06-05 07:33 - 00022423 ____A C:\Users\JC\Desktop\DDS.txt
2012-06-05 07:33 - 2012-06-05 07:33 - 00006761 ____A C:\Users\JC\Desktop\Attach.txt
2012-06-05 07:32 - 2012-06-05 07:32 - 00294216 ____A C:\Users\JC\Downloads\gmer.zip
2012-06-05 07:31 - 2012-06-05 07:30 - 00607260 ____R (Swearware) C:\Users\JC\Downloads\dds.scr
2012-06-05 07:30 - 2012-06-05 07:30 - 00000466 ____A C:\Users\JC\Desktop\defogger_disable.log
2012-06-05 07:30 - 2012-06-05 07:30 - 00000000 ____A C:\Users\JC\defogger_reenable
2012-06-05 07:30 - 2011-04-16 23:04 - 00000000 ____D C:\users\JC
2012-06-05 07:17 - 2012-06-05 07:17 - 00050477 ____A C:\Users\JC\Desktop\Defogger.exe
2012-06-05 06:48 - 2012-06-05 06:48 - 00001246 ____A C:\Users\Public\Desktop\CL-Eye Test.lnk
2012-06-05 06:46 - 2012-06-05 06:45 - 05356584 ____A (Code Laboratories, Inc.) C:\Users\JC\Downloads\CL-Eye-Driver-5.0.1.0528.exe
2012-06-05 06:20 - 2011-04-17 00:41 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-05 06:18 - 2012-06-05 06:18 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-05 06:18 - 2012-06-05 06:18 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-05 06:18 - 2012-06-05 06:15 - 12621696 ____A (Microsoft Corporation) C:\Users\JC\Downloads\mseinstall.exe
2012-06-05 06:18 - 2011-04-16 23:26 - 00735282 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-05 06:10 - 2011-04-17 03:16 - 00000000 ____D C:\Users\JC\Downloads\JC
2012-06-05 06:06 - 2012-06-05 06:06 - 00000000 ____D C:\Users\JC\AppData\Local\{997614AC-4A9D-4360-8E69-072D2260D093}
2012-06-05 06:06 - 2012-06-05 06:06 - 00000000 ____D C:\Users\JC\AppData\Local\{85816241-544F-4E0E-BD61-13C137121388}
2012-06-05 02:03 - 2012-06-05 02:03 - 00000000 ___DC C:\Users\All Users\hssff
2012-06-05 02:03 - 2012-04-01 22:41 - 00000000 ____D C:\Users\JC\Downloads\Game of Thrones
2012-06-05 01:46 - 2011-04-17 00:32 - 00000000 ___DC C:\Users\All Users\Soulseek
2012-06-05 01:13 - 2012-06-05 01:13 - 132410716 ____A C:\Users\JC\Downloads\Cold Warps - Cold Warps.zip
2012-06-04 13:54 - 2012-06-04 13:54 - 00000000 ___DC C:\Users\All Users\Hotspot Shield
2012-06-04 13:54 - 2011-09-27 06:22 - 00000000 ____D C:\Program Files (x86)\Hotspot Shield
2012-06-03 04:20 - 2011-04-18 22:34 - 00000000 ____D C:\Users\JC\AppData\Local\Last.fm
2012-06-03 00:34 - 2011-04-19 02:44 - 00000000 ____D C:\Users\JC\AppData\Local\ElevatedDiagnostics
2012-06-03 00:34 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2012-06-01 21:54 - 2011-10-23 04:54 - 00267198 ___AC C:\Users\All Users\ITFW.log
2012-06-01 21:54 - 2011-07-28 00:12 - 00000000 ____D C:\Users\JC\AppData\Local\Apple Computer
2012-06-01 18:44 - 2012-06-01 18:44 - 00000000 ____D C:\Users\Default\AppData\LocalGoogle
2012-06-01 18:44 - 2012-06-01 18:44 - 00000000 ____D C:\Users\Default\AppData\Local\Google
2012-06-01 18:44 - 2012-06-01 18:44 - 00000000 ____D C:\Users\Default User\AppData\LocalGoogle
2012-06-01 18:44 - 2012-06-01 18:44 - 00000000 ____D C:\Users\Default User\AppData\Local\Google
2012-06-01 10:36 - 2012-06-01 10:36 - 00000000 ____D C:\Users\JC\AppData\Local\{93EADF7E-C194-45ED-97BD-C3712E146C07}
2012-06-01 10:36 - 2012-06-01 10:36 - 00000000 ____D C:\Users\JC\AppData\Local\{38C2D7FC-2C8B-4845-932D-66F37A2446E2}
2012-05-31 22:36 - 2012-05-31 22:36 - 00000000 ____D C:\Users\JC\AppData\Local\{146D6741-3591-4242-8EDD-7860FCA70F39}
2012-05-31 22:36 - 2012-05-31 22:35 - 00000000 ____D C:\Users\JC\AppData\Local\{C9EE0646-1B32-441B-81F6-0CDCD2ADCB93}
2012-05-31 13:07 - 2012-05-31 13:06 - 78907120 ____A C:\stereogum-monthly-mix-may2012.zip
2012-05-31 11:48 - 2011-12-03 12:42 - 00000000 ____D C:\Program Files (x86)\Safari
2012-05-31 10:21 - 2012-05-31 10:21 - 00000000 ____D C:\Users\JC\AppData\Local\{050FAEDD-0697-4C3E-A49F-E6D3C85D4071}
2012-05-31 10:21 - 2012-05-31 10:20 - 00000000 ____D C:\Users\JC\AppData\Local\{6C0CBEE1-6F24-4453-B208-C9FEF1E7917F}
2012-05-30 23:36 - 2011-04-18 13:20 - 00001080 ____A C:\Windows\System32\settingsbkup.sfm
2012-05-30 23:36 - 2011-04-18 13:20 - 00001080 ____A C:\Windows\System32\settings.sfm
2012-05-29 00:03 - 2011-04-19 06:48 - 00000000 ____D C:\Users\JC\AppData\Roaming\Skype
2012-05-28 21:36 - 2012-05-28 21:36 - 00067464 ____A C:\Windows\System32\CLEyeDevices.dll
2012-05-28 02:49 - 2012-05-28 02:49 - 00000446 ____A C:\Windows\SysWOW64\ipnathlp.ocx
2012-05-28 02:48 - 2012-05-28 02:48 - 01809408 ____A C:\Windows\SysWOW64\ipnathlp.dll
2012-05-25 04:54 - 2011-04-17 03:03 - 00000000 ___DC C:\Users\All Users\Creative
2012-05-25 03:59 - 2012-05-25 03:59 - 00000000 ____D C:\Users\JC\AppData\Local\{EFC6DB4D-9381-41D9-8781-207F7E04778A}
2012-05-25 03:59 - 2012-05-25 03:59 - 00000000 ____D C:\Users\JC\AppData\Local\{E872DC43-B89D-409D-8BEC-D636E427804A}
2012-05-24 00:56 - 2012-05-24 00:56 - 00000000 ____D C:\Users\JC\AppData\Local\{CCF592B4-03E4-412F-987F-1FC9FFB18AA4}
2012-05-24 00:56 - 2012-05-24 00:56 - 00000000 ____D C:\Users\JC\AppData\Local\{1538E054-D6B7-43F3-B72A-0E60C2850660}
2012-05-23 07:26 - 2012-05-23 07:26 - 00000000 ____D C:\Users\JC\AppData\Local\{B04B6E3D-08F2-4CE7-9DFE-564538CDE8AE}
2012-05-23 07:26 - 2012-05-23 07:25 - 00000000 ____D C:\Users\JC\AppData\Local\{E836D3BA-19E1-4D9A-8794-ED96E769F8D4}
2012-05-23 05:06 - 2011-04-29 09:55 - 00000000 ____D C:\Program Files\PeerBlock
2012-05-23 04:59 - 2011-04-17 03:04 - 00000000 ____D C:\Program Files (x86)\Creative
2012-05-23 04:58 - 2011-04-17 02:13 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-05-23 03:36 - 2012-05-23 03:36 - 00001689 ____A C:\Users\JC\Desktop\Google Drive.lnk
2012-05-23 03:32 - 2012-05-23 03:32 - 00000000 ____D C:\Users\JC\AppData\LocalGoogle
2012-05-23 03:32 - 2011-04-16 23:07 - 00000000 ____D C:\Users\JC\AppData\Local\Google
2012-05-23 03:32 - 2011-04-16 23:07 - 00000000 ____D C:\Program Files (x86)\Google
2012-05-22 06:47 - 2011-04-16 23:19 - 00000000 ____D C:\Users\JC\AppData\Roaming\Mozilla
2012-05-21 05:28 - 2012-04-16 00:41 - 00000000 ____D C:\Users\JC\Desktop\Pics To Keep
2012-05-21 04:50 - 2012-02-08 01:19 - 00315392 __ASH C:\Users\JC\Desktop\Thumbs.db
2012-05-17 23:05 - 2012-05-17 23:01 - 00000000 ____D C:\Users\JC\Downloads\30 Rock - The Complete Season 6 [HDTV]
2012-05-17 20:43 - 2011-09-08 11:58 - 00000000 ____D C:\Program Files (x86)\QuickTime
2012-05-16 05:30 - 2011-04-19 06:47 - 00000000 ___RD C:\Program Files (x86)\Skype
2012-05-16 05:30 - 2011-04-19 06:47 - 00000000 ___DC C:\Users\All Users\Skype
2012-05-16 02:50 - 2012-05-16 02:50 - 00000000 ____D C:\Users\JC\AppData\Local\{C7E8BF0B-EE89-4A08-811F-E11B662657E2}
2012-05-16 02:50 - 2012-05-16 02:50 - 00000000 ____D C:\Users\JC\AppData\Local\{684B1C28-DA77-4AA4-81FF-6876727E344F}
2012-05-15 14:50 - 2012-05-15 14:50 - 00000000 ____D C:\Users\JC\AppData\Local\{E4F03B17-AEC7-4DDF-8FC5-C22183286001}
2012-05-15 14:50 - 2012-05-15 14:49 - 00000000 ____D C:\Users\JC\AppData\Local\{1134A470-BA61-4422-B8D5-3DAB9AEA7066}
2012-05-15 02:49 - 2012-05-15 02:49 - 00000000 ____D C:\Users\JC\AppData\Local\{53711105-0438-43A5-80AD-C96342E08B9A}
2012-05-15 02:49 - 2012-05-15 02:49 - 00000000 ____D C:\Users\JC\AppData\Local\{0D63E243-D777-4B62-905B-F7F1841A0820}
2012-05-15 02:37 - 2012-05-15 02:37 - 00000000 ____D C:\Program Files (x86)\Oracle
2012-05-15 02:36 - 2012-03-22 02:45 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-05-15 02:36 - 2012-03-22 02:45 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-05-15 02:36 - 2011-04-16 23:04 - 00000000 ____D C:\Users\JC\AppData\LocalLow
2012-05-14 01:43 - 2011-04-27 22:31 - 00000000 ____D C:\Users\JC\AppData\Roaming\Media Player Classic
2012-05-13 07:41 - 2012-05-13 07:41 - 00000000 ____D C:\Users\JC\AppData\Local\{0A1FA0FD-2C93-4522-8690-C5BF52F3ED51}
2012-05-12 19:04 - 2009-07-13 20:45 - 04857192 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-12 19:02 - 2011-04-17 01:54 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-05-12 18:42 - 2011-09-07 07:32 - 00000000 ____D C:\Users\JC\AppData\Roaming\Winamp
2012-05-12 18:14 - 2011-04-17 02:22 - 57848688 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-05-12 18:01 - 2009-07-13 23:46 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-10 09:30 - 2012-05-09 23:12 - 00000000 ____D C:\Users\JC\Downloads\Comic Book Men
2012-05-08 11:33 - 2012-05-08 11:33 - 00000000 ____A C:\Windows\setuperr.log
2012-05-08 11:19 - 2011-07-21 19:37 - 00000000 ___DC C:\Users\All Users\Spybot - Search & Destroy
2012-05-08 11:17 - 2011-10-06 11:47 - 00000000 ____D C:\Users\JC\AppData\Roaming\Vso
2012-05-08 11:17 - 2011-04-17 07:13 - 00000000 ____D C:\Windows\Panther
2012-05-08 11:16 - 2011-07-28 09:26 - 00000822 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-05-08 11:16 - 2011-07-28 09:26 - 00000000 ____D C:\Program Files\CCleaner
2012-05-08 01:30 - 2012-05-08 01:30 - 00000000 ____D C:\Users\JC\AppData\Local\{A0452F75-F717-4608-A2F7-FC4599D4CFDF}
2012-05-08 01:30 - 2012-05-08 01:29 - 00000000 ____D C:\Users\JC\AppData\Local\{FDDF0CC4-DF1D-48BD-8A37-0A0B706BCB69}
2012-05-07 13:45 - 2012-06-05 13:29 - 00380544 ____N (JRiver, Inc.) C:\Windows\SysWOW64\MC17.exe
2012-05-07 13:45 - 2012-06-05 13:29 - 00380544 ____N (JRiver, Inc.) C:\Windows\System32\MC17.exe
2012-05-04 22:48 - 2012-05-04 22:48 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_netaapl64_01009.Wdf
2012-05-04 22:07 - 2012-05-04 21:42 - 00000000 ____D C:\Users\JC\Downloads\Beastie Boys - Studio Discography 1986 - 2011 [FLAC] [h33t] - Kitlope
2012-05-04 21:40 - 2012-05-04 21:40 - 00000943 ____A C:\Users\Public\Desktop\µTorrent.lnk
2012-05-04 21:40 - 2011-04-17 03:14 - 00000000 ____D C:\Program Files (x86)\uTorrent
2012-05-04 20:19 - 2012-04-07 10:19 - 08744608 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-05-04 20:19 - 2012-04-07 09:28 - 00419488 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-05-04 20:19 - 2011-05-16 22:57 - 00070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-05-03 23:19 - 2012-05-03 22:55 - 00000000 ____D C:\Users\JC\Downloads\Frank Zappa - One Size Fits All [Au20 Mastering]
2012-05-03 02:37 - 2012-05-03 02:37 - 00000000 ___DC C:\Users\All Users\Mozilla
2012-05-03 02:37 - 2012-05-03 02:37 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-05-03 02:36 - 2011-04-16 23:19 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-05-02 23:34 - 2012-05-02 23:33 - 00000000 ____D C:\Users\JC\AppData\Local\{268837C4-A1B9-4D92-8005-2F1E9C6AA97F}
2012-05-02 23:33 - 2012-05-02 23:33 - 00000000 ____D C:\Users\JC\AppData\Local\{02DFFFC2-2274-463B-9759-990C37462705}
2012-05-02 03:09 - 2012-05-01 22:36 - 00000000 ____D C:\Users\JC\Downloads\Frank Zappa - Hot Rats [200gr - 24bit -96kHz]
2012-04-28 22:55 - 2012-04-28 22:55 - 00000000 ____D C:\Users\JC\AppData\Local\{E8D02374-2DE4-4CD3-AC68-358B496B72D2}
2012-04-28 22:55 - 2012-04-28 22:54 - 00000000 ____D C:\Users\JC\AppData\Local\{9CF25FA5-FC96-410B-9F5F-826548BE5FA4}
2012-04-19 16:57 - 2012-04-19 16:57 - 00000000 ____D C:\Users\JC\AppData\Local\{53FEC825-8D4E-4564-A6D2-C2FBE2B7DF59}
2012-04-19 16:56 - 2012-04-19 16:56 - 00000000 ____D C:\Users\JC\AppData\Local\{C8322704-451B-4025-919C-E26A332B618D}
2012-04-19 04:56 - 2012-04-19 04:56 - 00000000 ____D C:\Users\JC\AppData\Local\{3092A716-4905-4A24-9598-D6DD3513FF35}
2012-04-19 04:56 - 2012-04-19 04:56 - 00000000 ____D C:\Users\JC\AppData\Local\{0F50F470-7177-47D9-8F27-28AA39966B97}
2012-04-18 16:56 - 2012-04-18 16:56 - 00000000 ____D C:\Users\JC\AppData\Local\{F6CAC24A-0AB5-4ECE-B298-3E9AFF9D5D7D}
2012-04-18 16:56 - 2012-04-18 16:55 - 00000000 ____D C:\Users\JC\AppData\Local\{3E17EACC-C7B4-40E1-B876-F9899018150A}
2012-04-18 11:56 - 2012-04-18 11:56 - 00094208 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx
2012-04-18 11:56 - 2012-04-18 11:56 - 00069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts
2012-04-16 12:25 - 2012-04-16 12:25 - 00001172 ____A C:\Users\Public\Desktop\Xilisoft DVD Copy 2.lnk
2012-04-16 12:25 - 2011-04-25 08:40 - 00000000 ____D C:\Users\JC\AppData\Roaming\Xilisoft
2012-04-16 12:25 - 2011-04-25 08:38 - 00000000 ___DC C:\Users\All Users\Xilisoft
2012-04-16 12:24 - 2012-04-16 12:24 - 00001215 ____A C:\Users\Public\Desktop\Xilisoft Audio Converter Pro.lnk
2012-04-16 12:24 - 2012-04-16 12:24 - 00001179 ____A C:\Users\Public\Desktop\Xilisoft DVD Creator.lnk
2012-04-16 12:24 - 2011-04-25 08:38 - 00000000 ____D C:\Program Files (x86)\Xilisoft
2012-04-16 12:23 - 2012-04-16 12:23 - 00001215 ____A C:\Users\Public\Desktop\Xilisoft DVD Ripper Ultimate.lnk
2012-04-16 12:22 - 2012-04-16 12:22 - 00001250 ____A C:\Users\Public\Desktop\Xilisoft Video Converter Ultimate.lnk
2012-04-13 10:40 - 2012-04-13 10:14 - 00000000 ____D C:\Users\JC\Downloads\Giant Collection of UFO eBooks
2012-04-13 03:22 - 2011-04-22 06:17 - 00000000 ____D C:\Windows\pss
2012-04-13 03:18 - 2012-04-13 03:18 - 00000000 ____D C:\Users\JC\AppData\Local\{7CF4A7C0-2D28-47EA-B314-48DA6C09D637}
2012-04-13 03:15 - 2012-04-13 03:15 - 00000000 ____D C:\Windows\en
2012-04-13 03:13 - 2011-04-19 06:52 - 00000000 ____D C:\Program Files (x86)\Windows Live
2012-04-13 03:05 - 2012-04-13 03:05 - 00000000 ____D C:\Users\JC\AppData\Local\{66FE239C-0773-4CB7-B855-66F437016B94}
2012-04-13 03:04 - 2011-10-16 08:35 - 00000000 ____D C:\jexepackres
2012-04-13 03:02 - 2012-04-13 03:02 - 00001793 ____A C:\Users\Public\Desktop\ImgBurn.lnk
2012-04-13 02:48 - 2012-04-13 02:48 - 00000000 ____D C:\Users\JC\AppData\Local\Secunia PSI
2012-04-13 02:47 - 2012-04-13 02:47 - 00000000 ____D C:\Program Files (x86)\Secunia
2012-04-13 02:39 - 2012-03-17 21:32 - 00000000 ____D C:\Windows\Minidump
2012-04-13 02:21 - 2012-04-13 02:21 - 00000000 ____D C:\Users\JC\AppData\Local\{0C16DE57-2600-4301-B471-8A1EB6198B04}
2012-04-11 21:37 - 2012-04-11 21:37 - 00000000 ____D C:\Users\JC\AppData\Local\{E6FE6D31-8575-425A-9361-2669AA3FDE55}
2012-04-09 08:52 - 2011-08-10 12:06 - 00031232 ____A C:\Users\JC\Downloads\Jon Carroll CV Oct11.doc
2012-04-07 09:28 - 2012-04-07 09:27 - 00000000 ____D C:\Users\JC\AppData\Local\{EC4CAA29-0FDC-449A-A0A9-F924E0473A61}
2012-04-04 09:47 - 2012-05-15 02:36 - 00227720 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-04-04 09:47 - 2012-01-05 06:40 - 00772504 ____A (Oracle Corporation) C:\Windows\SysWOW64\npdeployJava1.dll
2012-04-04 09:47 - 2011-04-17 03:16 - 00687504 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-03-30 22:05 - 2012-05-11 20:48 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-30 20:39 - 2012-05-11 20:48 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-30 20:39 - 2012-05-11 20:48 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-30 19:10 - 2012-05-11 20:48 - 03146240 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-30 03:35 - 2012-05-11 20:48 - 01918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-29 22:25 - 2012-03-29 22:23 - 00000000 ____D C:\Program Files\iTunes
2012-03-29 22:25 - 2011-09-08 12:00 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-03-29 22:23 - 2012-03-29 22:23 - 00000000 ____D C:\Program Files\iPod
2012-03-29 06:43 - 2012-03-29 06:43 - 00000000 ____D C:\Users\JC\AppData\Local\{75E348AA-8AB0-4EFA-A7F4-4986D805C4E3}
2012-03-26 23:28 - 2012-03-26 23:28 - 00000000 ____D C:\Users\JC\AppData\Local\{DC8F66EB-7B60-475A-842C-EF34F902DFAA}
2012-03-26 23:28 - 2012-03-26 23:28 - 00000000 ____D C:\Users\JC\AppData\Local\{41A4FAE1-49D3-47FF-8E37-147E46D33647}
2012-03-23 12:23 - 2012-03-23 12:23 - 00000000 ____D C:\Users\JC\AppData\Local\{271843C2-F4A3-47A9-A5C7-FE6A40543A32}
2012-03-23 12:22 - 2012-03-23 12:22 - 00000000 ____D C:\Users\JC\AppData\Local\{10F0CFB8-B8FB-4B8D-A75E-39597F7383A4}
2012-03-23 00:22 - 2012-03-23 00:22 - 00000000 ____D C:\Users\JC\AppData\Local\{728490D7-5308-4E76-A409-A030B4370F1A}
2012-03-23 00:22 - 2012-03-23 00:22 - 00000000 ____D C:\Users\JC\AppData\Local\{5DDF68B0-8047-41F9-B2E2-7482DC016A35}
2012-03-22 12:22 - 2012-03-22 12:21 - 00000000 ____D C:\Users\JC\AppData\Local\{F03CBFD7-C8B1-422B-A69D-5DC84C87E686}
2012-03-22 12:21 - 2012-03-22 12:21 - 00000000 ____D C:\Users\JC\AppData\Local\{14D680B0-79EC-409A-A51C-F1657C675798}
2012-03-22 02:45 - 2011-04-17 03:15 - 00000000 ____D C:\Program Files (x86)\Java
2012-03-22 00:21 - 2012-03-22 00:21 - 00000000 ____D C:\Users\JC\AppData\Local\{F9A42A0A-1A62-4DA9-A8EF-8C6575815D7C}
2012-03-22 00:21 - 2012-03-22 00:21 - 00000000 ____D C:\Users\JC\AppData\Local\{E4EA6101-D48D-40FD-A79A-FF0B21FC946E}
2012-03-20 11:44 - 2012-03-20 11:44 - 00203888 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-03-20 11:44 - 2012-03-20 11:44 - 00098688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2012-03-19 15:15 - 2012-03-19 11:44 - 783650816 ____A C:\Users\JC\Downloads\BBC.Chemistry.A.Volatile.History.2of3.The.Order.of.the.Elements.PDTV.XviD.AC3.MVGroup.org.avi
2012-03-19 14:35 - 2012-03-19 11:45 - 783482880 ____A C:\Users\JC\Downloads\BBC.Chemistry.A.Volatile.History.1of3.Discovering.the.Elements.PDTV.XviD.AC3.MVGroup.org.avi
2012-03-19 12:34 - 2012-03-19 11:44 - 783542272 ____A C:\Users\JC\Downloads\BBC.Chemistry.A.Volatile.History.3of3.The.Power.of.the.Elements.PDTV.XviD.AC3.MVGroup.org.avi
2012-03-17 21:32 - 2012-03-17 21:32 - 00000000 ____A C:\Windows\SysWOW64\cd.dat
2012-03-16 23:58 - 2012-05-11 20:48 - 00075120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-03-14 23:30 - 2012-03-14 23:30 - 00000000 ____D C:\Users\JC\AppData\Local\{0E280AEE-A38B-4C67-B2A3-B55440FE9F7E}
2012-03-13 23:51 - 2012-03-13 23:51 - 00000000 ____D C:\Users\JC\AppData\Local\{E867417A-BAD5-4570-8DA0-422EB3103731}
2012-03-13 23:50 - 2012-03-13 23:50 - 00000000 ____D C:\Users\JC\AppData\Local\{31B35FE9-6AEC-41C2-AB44-5FCC4CA3FAD9}
2012-03-13 23:50 - 2011-07-28 00:12 - 00000000 ____D C:\Users\JC\AppData\Roaming\Apple Computer

ZeroAccess:
C:\Windows\Installer\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}
C:\Windows\Installer\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}\@
C:\Windows\Installer\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}\L
C:\Windows\Installer\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}\U
C:\Windows\Installer\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}\U\00000001.@
C:\Windows\Installer\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}\U\800000cb.@

ZeroAccess:
C:\Users\JC\AppData\Local\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}
C:\Users\JC\AppData\Local\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}\@
C:\Users\JC\AppData\Local\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}\L
C:\Users\JC\AppData\Local\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 4094.18 MB
Available physical RAM: 3512.9 MB
Total Pagefile: 4092.32 MB
Available Pagefile: 3501.5 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:435.36 GB) (Free:189.87 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (KINGSTON) (Removable) (Total:3.73 GB) (Free:3.73 GB) FAT32
8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ###  Status    Size     Free     Dyn  Gpt
--------  --------  -------  -------  ---  ---
Disk 0    Online    465 GB   30 GB    *
Disk 1    Online    3824 MB  0 B
Disk 2    No Media  0 B      0 B
Disk 3    No Media  0 B      0 B
Disk 4    No Media  0 B      0 B
Disk 5    No Media  0 B      0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    OEM               70 MB    31 KB
Partition 2    Dynamic Data      30 GB    70 MB
Partition 3    Dynamic Data      435 GB   30 GB
Partition 4    Dynamic Data      1112 KB  465 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
----------  ---  -----------  -----  ----------  -------  -------  --------
* Volume 7                    FAT    Partition   70 MB    Healthy  Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 42
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 3
Type : 42
Hidden: Yes
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
----------  ---  -----------  -----  ----------  -------  -------  --------
* Volume 0  C                 NTFS   Simple      435 GB   Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 42
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           3823 MB  31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
----------  ---  -----------  -----  ----------  -------  -------  --------
* Volume 2  E    KINGSTON     FAT32  Removable   3823 MB  Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-07 15:35

======================= End Of Log ==========================
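
The two `ZeroAccess:` blocks in the log above show what FRST keys on: a directory named as a braced GUID, once under C:\Windows\Installer and once under the user's AppData\Local, holding entries named `@`, `L` and `U`, with `U` containing files such as `00000001.@` and `800000cb.@`. Braced-GUID directories are normal in both places (the same log lists several under AppData\Local that FRST did not flag), so the name alone proves nothing; it is the `@`/`L`/`U` layout that matters. The scanner below is an added example written for this page, not FRST's code and not part of the thread. It rebuilds that layout in a temporary tree (constructed sample data that reuses the GUID from the log) and walks the two locations looking for it; on a real machine the roots would be C:\Windows\Installer and each C:\Users\<name>\AppData\Local. A GUID directory that refuses to be listed is reported rather than skipped, since that is itself worth a look. Function and variable names are the example's own.

```python
import re
import tempfile
from pathlib import Path

# Directory name pattern from the log: a GUID in braces. FRST printed it in
# lower-case; legitimate cache directories use upper-case, so match both.
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def classify_dir(path: Path):
    """Return 'layout' for the @/L/U pattern, 'unreadable' for a GUID directory
    that cannot be listed, or None for anything else (empty or ordinary dirs)."""
    if not path.is_dir() or not GUID_DIR.match(path.name):
        return None
    try:
        names = {p.name for p in path.iterdir()}
    except PermissionError:
        return "unreadable"
    # Require '@' plus at least one of 'L' / 'U'; an installer cache directory
    # holds .msi/.msp files and never uses these names.
    if "@" in names and names & {"L", "U"}:
        return "layout"
    return None


def scan_roots(roots):
    """Look one level below each root; return one finding per suspicious
    directory, sorted by path, with the contents of its U subdirectory."""
    findings = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for child in root.iterdir():
            reason = classify_dir(child)
            if reason is None:
                continue
            u_dir = child / "U"
            u_files = sorted(p.name for p in u_dir.iterdir()) if u_dir.is_dir() else []
            findings.append({"dir": str(child), "reason": reason, "u_files": u_files})
    return sorted(findings, key=lambda f: f["dir"])


def build_sample_tree(base: Path):
    """Constructed sample data: one harmless GUID directory (a name taken from
    the same log, left empty) plus the two flagged directories. Returns roots."""
    guid = "{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}"
    installer = base / "Windows" / "Installer"
    local = base / "Users" / "JC" / "AppData" / "Local"
    (local / "{10F0CFB8-B8FB-4B8D-A75E-39597F7383A4}").mkdir(parents=True)
    for root, u_files in ((installer, ["00000001.@", "800000cb.@"]), (local, [])):
        bad = root / guid
        (bad / "U").mkdir(parents=True)
        (bad / "L").mkdir()
        (bad / "@").write_bytes(b"\x00" * 16)          # placeholder content
        for name in u_files:
            (bad / "U" / name).write_bytes(b"\x00" * 16)
    return [installer, local]


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_roots(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for hit in demo():
        print(hit["reason"], hit["dir"], hit["u_files"])
```

The script only reads; run it from an administrator account and treat the hit list as input for a removal tool rather than deleting anything by hand. A `layout` hit under AppData\Local with an empty `U`, as in the second block of the log, is still a hit: the per-user copy carried no payload files here but the structure is the same.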

#7 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 09 June 2012 - 08:59 AM

Jon,

Please delete your current version of FRST64, and download a NEW version of Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Open Notepad and copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt.

4 Mcx2Svc; C:\Windows\SysWOW64\Mcx2Svc.dll
NETSVCx32: Mcx2Svc
1 hodiriqp; \??\C:\Windows\system32\drivers\hodiriqp.sys
1 slkvxjwd; \??\C:\Windows\system32\drivers\slkvxjwd.sys
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys
C:\Windows\Installer\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}
C:\Users\JC\AppData\Local\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f}

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Please enter System Recovery Options, as we've done previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Edited by jntkwx, 09 June 2012 - 08:14 PM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#8 Jon Carroll

  • Topic Starter
  • Members
  • 9 posts

Posted 10 June 2012 - 03:12 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-06-2012
Ran by SYSTEM at 2012-06-09 19:09:04 Run:1
Running from E:\

==============================================

Mcx2Svc service deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs NETSVCx32: Mcx2Svc not found.
hodiriqp service deleted successfully.
slkvxjwd service deleted successfully.
Synth3dVsc service deleted successfully.
tsusbhub service deleted successfully.
VGPU service deleted successfully.
C:\Windows\Installer\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f} moved successfully.
C:\Users\JC\AppData\Local\{96c25b8a-4cd5-f194-9d3b-567c8b767c6f} moved successfully.

========= reg delete HKCU\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1} =========

#9 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 10 June 2012 - 01:05 PM

Jon,

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

DirLook::
C:\Users\All Users\hssff
C:\Windows\System32\NDF
C:\jexepackres

NetSvc::
Mcx2Svc

Save this as CFScript.txt, in the same location as ComboFix.exe.

Drag CFScript.txt onto ComboFix.exe.

If asked to update ComboFix, please click Yes to allow it to update.

When finished, it shall produce a log for you at C:\ComboFix.txt.


In your next reply, please include:
  • Combofix log
  • How's your computer running now? Please be as descriptive as possible.

Regards,
Jason

 

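
The `NetSvc::` directive in the CFScript above tells ComboFix to take `Mcx2Svc` out of the `netsvcs` service group, the REG_MULTI_SZ value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost that decides which services a `svchost.exe -k netsvcs` host process will load; the FRST fix earlier in the thread had already deleted the `Mcx2Svc` service entry, whose listed DLL path was under SysWOW64. That group deserves its own audit: a name in it plus a service key whose ServiceDll points wherever the author likes is all it takes to get a DLL loaded into a Microsoft-signed host process. The script below is an added example, not ComboFix's code and not part of the thread. It decodes the `hex(7)` (REG_MULTI_SZ) and `hex(2)` (REG_EXPAND_SZ) forms that `reg export` writes, including the backslash-wrapped continuation lines, then checks every netsvcs member against its service key. The `.reg` text it parses is constructed sample data generated inline in the same format `reg.exe` emits; on a real machine the inputs would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" svchost.reg` and `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`. Apart from `Mcx2Svc` and its SysWOW64 path, the service names and the mismatches planted in the sample are the example's own assumptions.

```python
import re

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SYSTEM32 = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def decode_hex(kind, hexdata):
    """hex(2): NUL-terminated UTF-16LE string; hex(7): NUL-separated UTF-16LE list
    ending in a double NUL; anything else (hex:, hex(b):) comes back as raw bytes."""
    raw = bytes(int(h, 16) for h in hexdata.split(",") if h.strip())
    if kind == "hex(7)":
        return [s for s in raw.decode("utf-16-le").split("\0") if s]
    if kind == "hex(2)":
        return raw.decode("utf-16-le").rstrip("\0")
    return raw


def parse_reg(text):
    """Parse 'reg export' output into {key path: {value name: value}}, handling
    "quoted" REG_SZ, dword:, and hex data wrapped onto ',\\' continuation lines."""
    keys, current, pending = {}, None, None
    for line in (l.rstrip() for l in text.splitlines()):
        if pending:                                  # continuation of wrapped hex data
            name, kind, frags = pending
            frags.append(line.strip().rstrip("\\"))
            if not line.endswith("\\"):
                keys[current][name] = decode_hex(kind, "".join(frags))
                pending = None
        elif not line or line.startswith((";", "Windows Registry Editor")):
            continue
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            name, _, data = line.partition("=")
            name = name if name == "@" else name.strip('"')
            if data.startswith('"'):
                keys[current][name] = data[1:-1].replace('\\\\', '\\')
            elif data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:
                kind, _, hexdata = data.partition(":")
                if hexdata.endswith("\\"):
                    pending = (name, kind, [hexdata.rstrip("\\")])
                else:
                    keys[current][name] = decode_hex(kind, hexdata)
    return keys


def audit_netsvcs(keys):
    """For each netsvcs member: does its service key exist, is it hosted by
    'svchost.exe -k netsvcs', and does its ServiceDll live under System32?"""
    report = {}
    for name in keys.get(SVCHOST_KEY, {}).get("netsvcs", []):
        svc = keys.get(f"{SERVICES_KEY}\\{name}")
        if svc is None:   # common on Windows 7 for optional components; informational
            report[name] = "no service key"
            continue
        problems = []
        image = str(svc.get("ImagePath", "")).lower()
        if "svchost.exe" not in image or "-k netsvcs" not in image:
            problems.append(f"ImagePath is not the netsvcs host: {svc.get('ImagePath')}")
        dll = keys.get(f"{SERVICES_KEY}\\{name}\\Parameters", {}).get("ServiceDll") or svc.get("ServiceDll")
        if not dll:
            problems.append("no ServiceDll")
        elif not str(dll).lower().startswith(SYSTEM32):
            problems.append(f"ServiceDll outside System32: {dll}")
        report[name] = "ok" if not problems else "; ".join(problems)
    return report


def reg_hex(kind, value):
    """Serialise a string (hex(2)) or list (hex(7)) the way reg.exe does, wrapping
    long data onto ',\\' continuation lines indented by two spaces."""
    text = "\0".join(value) + "\0\0" if kind == "hex(7)" else value + "\0"
    parts = [f"{b:02x}" for b in text.encode("utf-16-le")]
    chunks = [",".join(parts[i:i + 20]) for i in range(0, len(parts), 20)]
    return f"{kind}:" + ",\\\n  ".join(chunks)


def build_sample_export():
    """Constructed sample: Mcx2Svc mirrors the thread (ServiceDll under SysWOW64);
    the other two services and the orphan netsvcs name 'ghostsvc' are made up."""
    host = r"%SystemRoot%\system32\svchost.exe -k netsvcs"
    entries = {
        "AeLookupSvc": (host, r"%SystemRoot%\System32\aelupsvc.dll"),
        "Mcx2Svc": (host, r"C:\Windows\SysWOW64\Mcx2Svc.dll"),
        "wuauserv": (r"C:\Windows\Temp\wuauserv.exe", r"%SystemRoot%\System32\wuaueng.dll"),
    }
    lines = ["Windows Registry Editor Version 5.00", "", f"[{SVCHOST_KEY}]",
             '"netsvcs"=' + reg_hex("hex(7)", list(entries) + ["ghostsvc"]), ""]
    for name, (image, dll) in entries.items():
        lines += [f"[{SERVICES_KEY}\\{name}]", '"ImagePath"=' + reg_hex("hex(2)", image),
                  '"Start"=dword:00000002', "", f"[{SERVICES_KEY}\\{name}\\Parameters]",
                  '"ServiceDll"=' + reg_hex("hex(2)", dll), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, verdict in audit_netsvcs(parse_reg(build_sample_export())).items():
        print(f"{name:12} {verdict}")
```

Two caveats on reading the output. A netsvcs name with no service key is routine on a default Windows 7 install, because the list names components that may not be installed, so that line is informational; a ServiceDll outside System32 or an ImagePath that is not the netsvcs svchost is what to follow up. And this check cannot see a legitimate DLL that was overwritten in place under its real name, which needs a hash or Authenticode comparison of the file itself rather than a registry audit.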


#10 Jon Carroll

  • Topic Starter
  • Members
  • 9 posts

Posted 11 June 2012 - 01:25 AM

PC seems to be running a lot smoother. Nothing weird seems to be happening at all. No freezing or lagging. Internet seems to be a lot faster too.

ComboFix 12-06-10.01 - JC 10/06/2012 22:04:12.2.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.4094.2691 [GMT 1:00]
Running from: c:\users\JC\Downloads\ComboFix.exe
Command switches used :: c:\users\JC\Downloads\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\JC\AppData\Local\Temp\_MEI32322\_cacheinvalidation.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\_ctypes.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\_elementtree.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\_hashlib.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\_socket.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\_ssl.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\pyexpat.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\pysqlite2._sqlite.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\python26.dll
c:\users\JC\AppData\Local\Temp\_MEI32322\pythoncom26.dll
c:\users\JC\AppData\Local\Temp\_MEI32322\PyWinTypes26.dll
c:\users\JC\AppData\Local\Temp\_MEI32322\select.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\win32api.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\win32com.shell.shell.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\win32crypt.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\win32event.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\win32file.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\win32inet.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\win32pdh.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\win32process.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\wx._controls_.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\wx._core_.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\wx._gdi_.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\wx._html2.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\wx._misc_.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\wx._windows_.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\wx._wizard.pyd
c:\users\JC\AppData\Local\Temp\_MEI32322\wxbase293u_net_vc.dll
c:\users\JC\AppData\Local\Temp\_MEI32322\wxbase293u_vc.dll
c:\users\JC\AppData\Local\Temp\_MEI32322\wxmsw293u_adv_vc.dll
c:\users\JC\AppData\Local\Temp\_MEI32322\wxmsw293u_core_vc.dll
c:\users\JC\AppData\Local\Temp\_MEI32322\wxmsw293u_html_vc.dll
c:\users\JC\AppData\Local\Temp\_MEI32322\wxmsw293u_webview_vc.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-05-11 to 2012-06-11 )))))))))))))))))))))))))))))))
.
.
2012-06-10 21:10 . 2012-06-10 21:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-10 11:38 . 2012-06-10 11:38 -------- d-----w- c:\users\JC\AppData\Local\Unity
2012-06-09 22:11 . 2012-05-15 00:41 8955792 -c--a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D8553AA1-F12B-4F81-B024-D649057112AE}\mpengine.dll
2012-06-09 15:24 . 2012-06-09 15:25 -------- d-----w- C:\FRST
2012-06-08 20:04 . 2012-05-15 00:41 8955792 -c--a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-05 21:29 . 2012-06-05 21:29 -------- d-----w- c:\program files (x86)\J River
2012-06-05 21:29 . 2012-05-07 21:45 380544 ------w- c:\windows\SysWow64\MC17.exe
2012-06-05 21:29 . 2012-05-07 21:45 380544 ------w- c:\windows\system32\MC17.exe
2012-06-05 21:29 . 2011-04-15 21:26 585728 ------w- c:\windows\SysWow64\AReadyLB.dll
2012-06-05 21:29 . 2011-04-15 21:26 585728 ------w- c:\windows\system32\AReadyLB.dll
2012-06-05 21:29 . 2011-04-15 21:26 229376 ------w- c:\windows\SysWow64\AudDevicePlugin.dll
2012-06-05 21:29 . 2011-04-15 21:26 229376 ------w- c:\windows\system32\AudDevicePlugin.dll
2012-06-05 21:29 . 2012-06-05 21:29 -------- d-----w- c:\users\JC\AppData\Roaming\J River
2012-06-05 14:26 . 2012-02-09 12:17 927800 -c----w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{532F7EF3-9C5B-468C-95BB-709B1971CD53}\gapaengine.dll
2012-06-05 14:18 . 2012-06-05 14:18 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-06-05 14:18 . 2012-06-05 14:18 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-05 10:03 . 2012-06-05 10:03 -------- dc----w- c:\programdata\hssff
2012-06-04 21:55 . 2012-06-04 21:55 561992 ----a-w- c:\program files (x86)\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor12.dll
2012-06-04 21:54 . 2012-06-04 21:54 -------- dc----w- c:\programdata\Hotspot Shield
2012-06-02 02:44 . 2012-06-02 02:44 -------- d-----w- c:\users\Default\AppData\Local\Google
2012-05-29 05:36 . 2012-05-29 05:36 67464 ----a-w- c:\windows\system32\CLEyeDevices.dll
2012-05-28 10:48 . 2012-05-28 10:48 1809408 ----a-w- c:\windows\SysWow64\ipnathlp.dll
2012-05-23 11:36 . 2012-06-10 08:11 -------- d-s---w- c:\users\JC\Google Drive
2012-05-16 13:30 . 2012-05-16 13:30 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-05-15 10:37 . 2012-05-15 10:37 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-05-15 10:37 . 2012-05-15 10:37 -------- d-----w- c:\program files (x86)\Oracle
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 21:07 . 2012-05-31 21:06 78907120 ----a-w- C:\stereogum-monthly-mix-may2012.zip
2012-05-05 04:19 . 2012-04-07 17:28 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-05 04:19 . 2011-05-17 06:57 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-05 04:19 . 2012-04-07 18:19 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-18 19:56 . 2012-04-18 19:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-18 19:56 . 2012-04-18 19:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-04-04 17:47 . 2012-01-05 14:40 772504 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-04-04 17:47 . 2011-04-17 11:16 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-31 06:05 . 2012-05-12 04:48 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-31 04:39 . 2012-05-12 04:48 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-31 04:39 . 2012-05-12 04:48 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-31 03:10 . 2012-05-12 04:48 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-03-30 11:35 . 2012-05-12 04:48 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-20 19:44 . 2012-03-20 19:44 98688 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-20 19:44 . 2012-03-20 19:44 203888 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-17 07:58 . 2012-05-12 04:48 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\jexepackres ----
.
2012-04-13 10:20 . 2012-04-13 10:20 55808 ----a-w- c:\jexepackres\JX157AD50\WinProcess.dll
2012-04-13 10:20 . 2012-04-13 10:20 6656 ----a-w- c:\jexepackres\JX157AD50\winp.dll
2012-04-13 10:20 . 2012-04-13 10:20 77824 ----a-w- c:\jexepackres\JX157AD50\swt-xulrunner-win32-3631.dll
2012-04-13 10:20 . 2012-04-13 10:20 385024 ----a-w- c:\jexepackres\JX157AD50\swt-win32-3631.dll
2012-04-13 10:20 . 2012-04-13 10:20 61440 ----a-w- c:\jexepackres\JX157AD50\swt-wgl-win32-3631.dll
2012-04-13 10:20 . 2012-04-13 10:20 118784 ----a-w- c:\jexepackres\JX157AD50\swt-gdip-win32-3631.dll
2012-04-13 10:20 . 2012-04-13 10:20 53248 ----a-w- c:\jexepackres\JX157AD50\swt-awt-win32-3631.dll
2012-04-13 10:20 . 2012-04-13 10:20 34166 ----a-w- c:\jexepackres\JX157AD50\natpmp.dll
2012-04-13 10:20 . 2012-04-13 10:20 79480 ----a-w- c:\jexepackres\JX157AD50\miniupnpc.dll
2012-04-13 10:20 . 2012-04-13 10:20 347258 ----a-w- c:\jexepackres\JX157AD50\jnidispatch.dll
2012-04-13 10:20 . 2012-04-13 10:20 75040 ----a-w- c:\jexepackres\JX157AD50\jdns_sd.dll
2012-04-13 10:20 . 2012-04-13 10:20 714528 ----a-w- c:\jexepackres\JX157AD50\_installjava_.exe
2012-04-13 10:20 . 2012-04-13 10:20 132529 ----a-w- c:\jexepackres\JX157AD50\jar\servlet-api-2.5-6.1.5.jar
2012-04-13 10:20 . 2012-04-13 10:20 1495625 ----a-w- c:\jexepackres\JX157AD50\jar\swt.jar
2012-04-13 10:20 . 2012-04-13 10:20 137751 ----a-w- c:\jexepackres\JX157AD50\jar\jetty-util-6.1.5.jar
2012-04-13 10:20 . 2012-04-13 10:20 130630 ----a-w- c:\jexepackres\JX157AD50\jar\jna-3.2.2.jar
2012-04-13 10:20 . 2012-04-13 10:20 239025 ----a-w- c:\jexepackres\JX157AD50\jar\jdbm-1.0-SNAPSHOT.jar
2012-04-13 10:20 . 2012-04-13 10:20 485891 ----a-w- c:\jexepackres\JX157AD50\jar\jetty-6.1.5.jar
2012-04-13 10:20 . 2012-04-13 10:20 1083433 ----a-w- c:\jexepackres\JX157AD50\jar\AirVideoServer.jar
2012-04-13 10:20 . 2012-04-13 10:20 17044 ----a-w- c:\jexepackres\JX157AD50\jar\dns_sd.jar
.
---- Directory of c:\users\All Users\hssff ----
.
2012-06-05 10:03 . 2012-06-05 10:03 0 -c--a-w- c:\users\All Users\hssff\lock
.
---- Directory of c:\windows\System32\NDF ----
.
1601-01-01 00:00 . 1601-01-01 00:00 0 ----a-w- c:\windows\System32\NDF\eventlog.etl
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-08_18.59.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-06-08 18:57 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-06-10 21:12 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-06-10 21:12 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-08 18:57 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 05:10 . 2012-06-09 06:32 26862 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-04-19 06:29 . 2012-06-09 06:32 14032 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1156457478-1984462383-541727582-1000_UserData.bin
- 2012-06-08 18:57 . 2012-06-08 18:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-10 21:12 . 2012-06-10 21:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-06-08 18:57 . 2012-06-08 18:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-06-10 21:12 . 2012-06-10 21:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-08-04 21:36 . 2012-06-08 18:57 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-08-04 21:36 . 2012-06-10 21:12 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 04:54 . 2012-06-10 21:12 196608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-08 18:57 196608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 02:36 . 2012-06-09 06:20 630542 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-06-09 06:20 111626 c:\windows\system32\perfc009.dat
+ 2011-04-17 06:37 . 2012-06-10 15:54 573440 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-04-17 06:37 . 2012-06-05 20:23 573440 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 05:01 . 2012-06-08 18:56 361440 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-06-10 21:11 361440 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-04-17 06:37 . 2012-06-05 20:23 5865472 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-04-17 06:37 . 2012-06-10 15:54 5865472 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-06-10 15:54 16187392 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-05 20:23 16187392 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-04-17 08:41 . 2012-06-10 21:11 53144912 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1156457478-1984462383-541727582-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-01-20 10:34 1197448 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2010-01-20 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\JC\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\JC\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\JC\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-10-14 2646128]
"Spotify Web Helper"="c:\users\JC\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-02 932528]
"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2012-05-16 11921064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-18 421888]
.
c:\users\JC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\JC\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-17 136176]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
R3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe [2008-03-18 68096]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2012-01-06 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-04-17 79360]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [x]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [x]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [x]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-17 136176]
R3 Media Center 17 Service;Media Center 17 Service;c:\program files (x86)\J River\Media Center 17\JRService.exe [2012-05-07 392320]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-03 129976]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [2011-06-29 155344]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 hshld;Hotspot Shield Service;c:\program files (x86)\Hotspot Shield\bin\openvpnas.exe [2012-04-10 542552]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files (x86)\Hotspot Shield\bin\hsswd.exe [2012-04-02 329544]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2011-10-14 994360]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe [2011-10-14 399416]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [x]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [x]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 04:19]
.
2012-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-17 07:07]
.
2012-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-17 07:07]
.
2012-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1156457478-1984462383-541727582-1000Core.job
- c:\users\JC\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-04 19:55]
.
2012-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1156457478-1984462383-541727582-1000UA.job
- c:\users\JC\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-04 19:55]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\JC\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\JC\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\JC\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\JC\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-05-16 16:53 754712 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-05-16 16:53 754712 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-05-16 16:53 754712 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-05-16 16:53 754712 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsioReg"="CTASIO.DLL" [BU]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: Interfaces\{26474C16-5F3C-401B-8937-95A2BDEBB771}: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{CAA18457-992A-45BE-866C-0B5AEC0D3BAB}: NameServer = 10.1.32.1
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
FF - ProfilePath - c:\users\JC\AppData\Roaming\Mozilla\Firefox\Profiles\vlay7flu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=hex:51,66,7a,6c,4c,1d,38,12,11,7f,11,
d0,78,5b,08,05,de,bb,01,03,dd,4c,30,54
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,
aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}"=hex:51,66,7a,6c,4c,1d,38,12,3a,a3,f7,
fd,83,a7,ad,0e,fc,b5,35,e1,ab,2d,25,64
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:1e,ea,3b,0c,05,41,cd,01
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.download\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariDownload"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-1156457478-1984462383-541727582-1000)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-1156457478-1984462383-541727582-1000)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.safariextz\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariExtension"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-1156457478-1984462383-541727582-1000)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.webarchive\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-1156457478-1984462383-541727582-1000)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-1156457478-1984462383-541727582-1000)
"Progid"="SafariHTML"
.
[HKEY_USERS\S-1-5-21-1156457478-1984462383-541727582-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="SafariHTML"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Google\Update\1.3.21.111\GoogleCrashHandler.exe
c:\program files (x86)\Hotspot Shield\bin\openvpntray.exe
.
**************************************************************************
.
Completion time: 2012-06-11 06:38:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-11 05:38
ComboFix2.txt 2012-06-08 19:06
.
Pre-Run: 163,717,341,184 bytes free
Post-Run: 163,315,687,424 bytes free
.
- - End Of File - - E9A3A3BBE5216358AAB8302F2C5BE87D

#11 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 11 June 2012 - 09:00 AM

Jon,

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#12 Jon Carroll
  • Topic Starter
  • Members
  • 9 posts

Posted 11 June 2012 - 12:48 PM

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.11.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
JC :: JC-PC [administrator]

Protection: Enabled

11/06/2012 18:43:26
mbam-log-2012-06-11 (18-43-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 210439
Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#13 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 11 June 2012 - 04:40 PM

Jon,

Step 1: I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Step 2: Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
    64-bit OS users should read: Which Java download should I choose for my 64-bit Windows operating system?
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u4-windows-i586.exe (or jre-7u4-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered any unwanted software or toolbars during installation, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

In your next reply, please include:
  • ESET log

Regards,
Jason

 



#14 Jon Carroll
  • Topic Starter
  • Members
  • 9 posts

Posted 12 June 2012 - 02:26 PM

C:\Program Files (x86)\Mozilla Firefox\custom\root\givmeroot.tar Android/Exploit.Lotoor.AK trojan deleted - quarantined

#15 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 13 June 2012 - 08:44 AM

Jon,

Your computer looks clean! How is it running now?

Let's take some preventative steps to ensure you don't get infected again:


Step 1: Uninstall Combofix
Hold down the Windows key and press the R key.
In the Run window, type the following bolded text and click OK:

Combofix.exe /Uninstall

Step 2: Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Step 3: Make Internet Explorer more secure:
Hold down the Windows Key, and press the R key.
In the Run Dialog box, type: inetcpl.cpl and click OK.
Click on the Security tab.
Click Reset all zones to default level.
Next click OK, then the Apply button, and then OK to exit the Internet Properties page.

Step 4: Install the Latest Version of Common Software:
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting http://secunia.com/vulnerability_scanning/online/ and http://www.calendarofupdates.com/updates/calendar.html.

I recommend FileHippo's update checker that scans your computer for programs it recognizes and allows you to easily download new versions of common software: http://filehippo.com/updatechecker/UpdateChecker.exe

Step 5: Finally, read this tutorial and follow each of the steps:
http://www.bleepingcomputer.com/tutorials/tutorial82.html

Please feel free to post any future computer problems in the appropriate forum. Have a great day! :)
Regards,
Jason

 
