BSODs, Weird Files only listed in GMER, Am I infected?


This topic is locked
49 replies to this topic

#1 infinitevs

  • Members
  • 25 posts

Posted 03 July 2012 - 12:53 AM

Hi All,

I'm trying to figure out if I'm infected. I installed an app the other day and saw a weird firewall request for an install.exe file, executing out of a random directory, to connect to the internet. I blocked it and went to check the file, but it wasn't there any longer, which I thought strange. I have been receiving random BSODs over the last month, as well as excessive hard disk access.

I am running Windows 7 x64 with Symantec Endpoint Security as my firewall and virus scanner, and have done many full scans with that, but they found nothing except for cookies.

I have also done some scans with Sophos Anti-Rootkit, Malwarebytes, OTL, ComboFix and MBR, in addition to the required GMER and DDS ones. ComboFix seemed to find a couple of things and deleted them. Sophos also found a couple of entries; I have log files if you need them.

What I'm especially worried about is that in GMER's Files tab I can see 2 weird files that start with ":", which cannot be removed. When I check other systems with the same setup, these files don't exist; additionally, I can't get any other programs/utilities to display these files on this system other than GMER. I have included a screenshot :(



Additionally, catchme.exe won't even run and gives an error, and mbr indicates a similar error and doesn't seem to run. I've included their logs below as they are short:

mbr.exe:
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 

device: opened successfully
user: error reading MBR 
error: Read  The handle is invalid.
kernel: error reading MBR

catchme.exe:
detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error
 
dds.scr:


DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by infinitevs at 14:56:33 on 2012-07-03
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.61.1033.18.8191.5280 [GMT 10:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\Smc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Browny02\BrYNSvc.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Rootkit\sargui.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe
C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS6\dreamweaver.exe
C:\Program Files (x86)\Opera\opera.exe
C:\Program Files (x86)\Opera\pluginwrapper\opera_plugin_wrapper.exe
C:\Program Files\CCleaner\CCleaner64.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Users\infinitevs\AppData\Local\Temp\qnwmbq.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\bin\IPS\IPSBHO.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Zend Studio: {95188727-288f-4581-a48d-eab3bd027314} - C:\PROGRA~2\Zend\ZENDST~1.3\toolbars\ZENDIE~1.DLL
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [ControlCenter4] C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe /autorun
mRun: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\EVENTP~1.LNK - C:\Program Files (x86)\Creative Home\Hallmark Card Studio 2012 Deluxe\Planner\PLNRnote.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~2\Zend\ZENDST~1.3\toolbars\ZENDIE~1.DLL
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {CAA6C3B6-662B-4D14-BB64-EADB88213BFE} - hxxp://threestorms.dyndns.org/IPCamPluginTM.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab
TCP: Interfaces\{368CB9D1-250A-43D7-95E6-3B16B12CAC13} : NameServer = 192.168.0.7,192.168.0.42
TCP: Interfaces\{A817ABC0-B61B-464C-BD10-E4CA441FBD3A} : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Notify: SEP - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\WinLogoutNotifier.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\bin\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB-X64: Zend Studio: {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~2\Zend\ZENDST~1.3\toolbars\ZENDIE~1.DLL
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [ControlCenter4] C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe /autorun
mRun-x64: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
mRun-x64: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun-x64: [CTxfiHlp] CTXFIHLP.EXE
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
============= SERVICES / DRIVERS ===============
.
R0 asahci64;asahci64;C:\Windows\system32\DRIVERS\asahci64.sys --> C:\Windows\system32\DRIVERS\asahci64.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R0 SymDS;Symantec Data Store;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMDS64.SYS --> C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMEFA64.SYS --> C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\BASHDefs\20120620.012\BHDrvx64.sys [2012-6-26 1161376]
R1 IDSVia64;IDSVia64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\IPSDefs\20120702.002\IDSviA64.sys [2012-7-3 509088]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\Ironx64.SYS --> C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\Ironx64.SYS [?]
R1 SYMNETS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMNETS.SYS --> C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-5-22 361984]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R2 SepMasterService;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe [2012-6-26 137208]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 AVerAF15;AVerMedia A815;C:\Windows\system32\Drivers\AVerAF15.sys --> C:\Windows\system32\Drivers\AVerAF15.sys [?]
R3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2012-6-4 245760]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-6-28 138912]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-7-1 257224]
S3 atillk64;atillk64;C:\Program Files (x86)\GIGABYTE\atBIOS\ATITool\atillk64.sys [2006-7-19 14608]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2012-6-12 79360]
S3 CT20XUT;CT20XUT;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTHWIUT;CTHWIUT;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]
S3 DCamUSBET;ET USB 2760 Camera;C:\Windows\system32\DRIVERS\etDevice64.sys --> C:\Windows\system32\DRIVERS\etDevice64.sys [?]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 FiltUSBET;ET USB Device Lower Filter;C:\Windows\system32\DRIVERS\etFilter64.sys --> C:\Windows\system32\DRIVERS\etFilter64.sys [?]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2012-3-30 135584]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\Windows\system32\55F.tmp --> C:\Windows\system32\55F.tmp [?]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 ScanUSBET;ET USB Still Image Capture Device;C:\Windows\system32\DRIVERS\etScan64.sys --> C:\Windows\system32\DRIVERS\etScan64.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 SyDvCtrl;SyDvCtrl;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\SyDvCtrl64.sys [2012-6-26 29664]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\system32\drivers\synth3dvsc.sys --> C:\Windows\system32\drivers\synth3dvsc.sys [?]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\system32\drivers\terminpt.sys --> C:\Windows\system32\drivers\terminpt.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 tsusbhub;tsusbhub;C:\Windows\system32\drivers\tsusbhub.sys --> C:\Windows\system32\drivers\tsusbhub.sys [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
S3 WSDScan;WSD Scan Support via UMB;C:\Windows\system32\DRIVERS\WSDScan.sys --> C:\Windows\system32\DRIVERS\WSDScan.sys [?]
.
=============== Created Last 30 ================
.
2012-07-03 04:07:16 -------- d-sh--w- C:\$RECYCLE.BIN
2012-07-03 04:02:59 6144 ------w- C:\Windows\System32\55F.tmp
2012-07-03 04:02:24 6144 ------w- C:\Windows\System32\7FCB.tmp
2012-07-03 03:25:02 98816 ----a-w- C:\Windows\sed.exe
2012-07-03 03:25:02 518144 ----a-w- C:\Windows\SWREG.exe
2012-07-03 03:25:02 256000 ----a-w- C:\Windows\PEV.exe
2012-07-03 03:25:02 208896 ----a-w- C:\Windows\MBR.exe
2012-07-03 02:12:42 -------- d-----w- C:\Users\infinitevs\AppData\Roaming\Malwarebytes
2012-07-03 02:12:36 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-07-03 02:12:36 -------- d-----w- C:\ProgramData\Malwarebytes
2012-07-03 02:12:36 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-02 23:29:56 -------- d-----w- C:\ProgramData\Sophos
2012-07-02 23:29:50 73728 ----a-r- C:\Users\infinitevs\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-07-02 23:29:50 73728 ----a-r- C:\Users\infinitevs\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-07-02 23:29:50 73728 ----a-r- C:\Users\infinitevs\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2012-07-02 23:29:48 -------- d-----w- C:\Program Files (x86)\Sophos
2012-07-01 21:59:00 -------- d-----w- C:\Users\infinitevs\.zend
2012-07-01 21:46:59 -------- d-----w- C:\Program Files (x86)\Zend
2012-07-01 12:35:02 -------- d-----w- C:\Users\infinitevs\.ZendStudio
2012-07-01 07:44:39 -------- d-----w- C:\Users\infinitevs\AppData\Local\Macromedia
2012-07-01 07:44:28 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-01 07:44:28 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-01 07:25:52 -------- d-----w- C:\Users\infinitevs\AppData\Local\Flash Builder
2012-07-01 06:07:04 -------- d-----w- C:\Users\infinitevs\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2012-07-01 05:55:14 -------- d-----w- C:\ProgramData\ALM
2012-07-01 05:52:45 -------- d-----w- C:\Users\infinitevs\Adobe Flash Builder 4.6
2012-07-01 05:30:15 -------- d-----w- C:\Users\infinitevs\AppData\Local\Adobe
2012-07-01 05:10:29 -------- d-----w- C:\Program Files (x86)\My Company Name
2012-06-30 17:43:06 -------- d-----w- C:\Users\infinitevs\Zend
2012-06-28 03:05:06 -------- d-----w- C:\Users\infinitevs\AppData\Roaming\Carambis
2012-06-27 00:02:11 -------- d-----w- C:\Program Files\ATI Technologies
2012-06-26 21:32:21 -------- d-----w- C:\Program Files (x86)\Microsoft CAPICOM 2.1.0.2
2012-06-26 07:31:06 -------- d-----w- C:\ProgramData\Symantec Shared
2012-06-26 04:03:58 206336 ----a-w- C:\Windows\System32\unrar.dll
2012-06-26 04:03:57 92160 ----a-w- C:\Windows\System32\ff_vfw.dll
2012-06-26 04:03:56 -------- d-----w- C:\Program Files\K-Lite Codec Pack x64
2012-06-26 04:03:27 -------- d-----w- C:\Program Files (x86)\K-Lite Codec Pack
2012-06-26 00:48:54 -------- d-----w- C:\Windows\System32\drivers\SEP\0C01044D\0191.105\x64
2012-06-26 00:48:54 -------- d-----w- C:\Windows\System32\drivers\SEP\0C01044D\0191.105
2012-06-26 00:48:54 -------- d-----w- C:\Windows\System32\drivers\SEP\0C01044D
2012-06-26 00:48:35 932472 ----a-w- C:\Windows\System32\drivers\SEP\0C01044D\0191.105\x64\SymEFA64.sys
2012-06-26 00:48:35 678008 ----a-w- C:\Windows\System32\drivers\SEP\0C01044D\0191.105\x64\srtsp64.sys
2012-06-26 00:48:35 39032 ----a-w- C:\Windows\System32\drivers\SEP\0C01044D\0191.105\x64\srtspx64.sys
2012-06-26 00:48:35 386168 ----a-w- C:\Windows\System32\drivers\SEP\0C01044D\0191.105\x64\symnets.sys
2012-06-26 00:42:53 81840 ----a-w- C:\Windows\System32\FwsVpn.dll
2012-06-26 00:35:01 -------- d-----w- C:\ProgramData\regid.1992_12.com.symantec
2012-06-26 00:34:58 -------- d-----w- C:\Windows\System32\drivers\SEP\0C0103E8\009D.105\x64
2012-06-26 00:34:58 -------- d-----w- C:\Windows\System32\drivers\SEP\0C0103E8\009D.105
2012-06-26 00:34:58 -------- d-----w- C:\Windows\System32\drivers\SEP\0C0103E8
2012-06-26 00:34:39 386168 ----a-w- C:\Windows\System32\drivers\SEP\0C0103E8\009D.105\x64\symnets.sys
2012-06-26 00:34:38 931448 ----a-w- C:\Windows\System32\drivers\SEP\0C0103E8\009D.105\x64\SymEFA64.sys
2012-06-26 00:34:38 678008 ----a-w- C:\Windows\System32\drivers\SEP\0C0103E8\009D.105\x64\srtsp64.sys
2012-06-26 00:34:38 39032 ----a-w- C:\Windows\System32\drivers\SEP\0C0103E8\009D.105\x64\srtspx64.sys
2012-06-26 00:34:37 171128 ----a-w- C:\Windows\System32\drivers\SEP\0C01044D\0191.105\x64\Ironx64.sys
2012-06-26 00:34:37 171128 ----a-w- C:\Windows\System32\drivers\SEP\0C0103E8\009D.105\x64\Ironx64.sys
2012-06-24 02:02:19 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
2012-06-24 02:02:19 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-06-24 01:56:46 -------- d-----w- C:\Program Files (x86)\Creative Home
2012-06-22 06:15:44 -------- d-----w- C:\Program Files (x86)\SlySoft
2012-06-22 03:13:03 -------- d-----w- C:\Users\infinitevs\AppData\Roaming\AUSkey
2012-06-22 03:13:02 -------- d-----w- C:\Program Files (x86)\ABR
2012-06-22 01:56:26 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-22 01:56:15 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-22 01:56:06 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-22 01:56:06 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-21 13:48:46 1 ----a-w- C:\Windows\SysWow64\uuddc32.dll
2012-06-21 13:48:45 -------- d-----w- C:\Program Files (x86)\BayGenie
2012-06-13 06:13:13 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-06-13 06:13:13 1462272 ----a-w- C:\Windows\System32\crypt32.dll
2012-06-13 06:13:13 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-06-13 06:13:13 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-06-13 06:13:13 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-06-13 06:13:13 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-06-13 02:48:50 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-06-13 02:48:50 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll
2012-06-13 02:48:47 3146752 ----a-w- C:\Windows\System32\win32k.sys
2012-06-13 02:48:46 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-06-13 02:48:45 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-06-13 02:48:45 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-06-13 02:48:44 209920 ----a-w- C:\Windows\System32\profsvc.dll
2012-06-13 02:48:34 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2012-06-13 02:48:34 366592 ----a-w- C:\Windows\System32\qdvd.dll
2012-06-13 02:48:34 3216384 ----a-w- C:\Windows\System32\msi.dll
2012-06-13 02:48:34 2342400 ----a-w- C:\Windows\SysWow64\msi.dll
2012-06-12 06:39:09 -------- d-----w- C:\Program Files (x86)\Common Files\Creative
2012-06-12 06:39:00 -------- d-----w- C:\Program Files (x86)\Common Files\Creative Labs Shared
2012-06-12 06:38:49 -------- d-----w- C:\Program Files\Creative
2012-06-12 06:37:14 69715 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
2012-06-12 06:37:14 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
2012-06-12 06:37:14 266240 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
2012-06-12 06:37:14 192512 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
2012-06-12 06:37:13 729088 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
2012-06-12 06:37:13 188548 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
2012-06-12 06:37:10 311428 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2012-06-12 03:07:44 -------- d-----w- C:\Program Files (x86)\Common Files\Sonic Shared
2012-06-12 03:07:44 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine
2012-06-12 02:18:24 -------- d-----w- C:\Program Files (x86)\Elaborate Bytes
2012-06-12 00:20:30 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-12 00:20:30 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-04 13:25:11 -------- d-----w- C:\Users\infinitevs\AppData\Roaming\ControlCenter4
2012-06-04 13:15:42 -------- d-----w- C:\Brother
2012-06-04 13:15:36 -------- d-----w- C:\ProgramData\ControlCenter4
2012-06-04 13:15:36 -------- d-----w- C:\Program Files (x86)\Browny02
2012-06-04 13:15:25 180224 ----a-w- C:\Windows\SysWow64\BROSNMP.DLL
2012-06-04 13:15:21 5120 ------w- C:\Windows\SysWow64\BrDctF2L.dll
2012-06-04 13:15:19 73728 ------w- C:\Windows\SysWow64\BrDctF2.dll
2012-06-04 13:15:19 3072 ------w- C:\Windows\SysWow64\BrDctF2S.dll
2012-06-04 12:46:49 -------- d-----w- C:\Program Files (x86)\ControlCenter4
2012-06-04 12:46:32 -------- d-----w- C:\Program Files (x86)\Brother
2012-06-04 12:44:03 -------- d-----w- C:\ProgramData\Brother
2012-06-04 04:41:48 312064 ----a-w- C:\Windows\System32\drivers\AVerAF15.sys
2012-06-04 03:22:38 -------- d-----w- C:\Program Files (x86)\NirSoft
2012-06-03 07:02:37 -------- d-----w- C:\Users\infinitevs\AppData\Local\CrashDumps
.
==================== Find3M ====================
.
2012-06-26 02:35:44 58288 ----a-w- C:\Windows\SysWow64\snacnp.dll
2012-06-26 02:35:44 58288 ----a-w- C:\Windows\System32\snacnp.dll
2012-06-26 02:35:44 42632 ----a-w- C:\Windows\System32\drivers\WGX64.SYS
2012-06-26 02:35:44 288176 ----a-w- C:\Windows\System32\SymVPN.dll
2012-06-26 02:35:43 380848 ----a-w- C:\Windows\SysWow64\sysfer.dll
2012-06-26 02:35:43 119816 ----a-w- C:\Windows\System32\drivers\SysPlant.sys
2012-06-26 02:35:43 10672 ----a-w- C:\Windows\SysWow64\sysferThunk.dll
2012-06-26 02:35:42 519600 ----a-w- C:\Windows\System32\sysfer.dll
2012-06-26 02:35:42 11184 ----a-w- C:\Windows\System32\sysferThunk.dll
2012-06-26 00:49:39 175736 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2012-06-26 00:34:32 62672 ----a-w- C:\Windows\System32\drivers\Teefer.sys
2012-06-12 06:38:01 466520 ----a-w- C:\Windows\System32\wrap_oal.dll
2012-06-12 06:38:01 445016 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2012-06-12 06:38:01 123480 ----a-w- C:\Windows\System32\OpenAL32.dll
2012-06-12 06:38:01 109144 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2012-06-12 05:33:20 1668 ----a-w- C:\Windows\System32\ASOROSet.bin
2012-06-09 17:21:56 178688 ----a-w- C:\Windows\SysWow64\unrar.dll
2012-06-04 02:40:57 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2012-05-23 03:15:36 10248704 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2012-05-23 03:11:56 24826368 ----a-w- C:\Windows\System32\atio6axx.dll
2012-05-23 02:43:24 20467200 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2012-05-23 02:08:42 163840 ----a-w- C:\Windows\System32\atiapfxx.exe
2012-05-23 02:08:34 924160 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2012-05-23 02:06:46 1090560 ----a-w- C:\Windows\System32\aticfx64.dll
2012-05-23 02:03:26 442368 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2012-05-23 02:03:22 532992 ----a-w- C:\Windows\System32\atieclxx.exe
2012-05-23 02:02:36 239616 ----a-w- C:\Windows\System32\atiesrxx.exe
2012-05-23 02:01:18 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2012-05-23 02:01:04 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2012-05-23 02:00:58 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2012-05-23 02:00:54 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2012-05-23 02:00:12 6301184 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2012-05-23 01:56:24 70144 ----a-w- C:\Windows\System32\coinst_8.98.dll
2012-05-23 01:44:48 6914560 ----a-w- C:\Windows\System32\atidxx64.dll
2012-05-23 01:31:04 4246528 ----a-w- C:\Windows\System32\atiumd6a.dll
2012-05-23 01:28:20 5480448 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2012-05-23 01:26:44 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2012-05-23 01:26:42 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2012-05-23 01:26:38 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2012-05-23 01:26:36 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2012-05-23 01:26:24 15703040 ----a-w- C:\Windows\System32\aticaldd64.dll
2012-05-23 01:23:34 4729344 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2012-05-23 01:22:10 13277696 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2012-05-23 01:19:28 6605312 ----a-w- C:\Windows\System32\atiumd64.dll
2012-05-23 01:09:24 539136 ----a-w- C:\Windows\System32\atiadlxx.dll
2012-05-23 01:09:14 368640 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2012-05-23 01:09:02 17920 ----a-w- C:\Windows\System32\atig6pxx.dll
2012-05-23 01:08:58 14848 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2012-05-23 01:08:58 14848 ----a-w- C:\Windows\System32\atiglpxx.dll
2012-05-23 01:08:54 41984 ----a-w- C:\Windows\System32\atig6txx.dll
2012-05-23 01:08:48 33280 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2012-05-23 01:08:40 367616 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2012-05-23 01:07:48 54784 ----a-w- C:\Windows\System32\atiuxp64.dll
2012-05-23 01:07:42 42496 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2012-05-23 01:07:36 45056 ----a-w- C:\Windows\System32\atiu9p64.dll
2012-05-23 01:07:28 32768 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2012-05-23 01:06:54 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2012-05-23 01:05:22 56320 ----a-w- C:\Windows\System32\atimpc64.dll
2012-05-23 01:05:22 56320 ----a-w- C:\Windows\System32\amdpcom64.dll
2012-05-23 01:05:18 56832 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2012-05-23 01:05:18 56832 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2012-05-22 12:28:36 187392 ----a-w- C:\Windows\System32\clinfo.exe
2012-05-22 12:28:20 75264 ----a-w- C:\Windows\System32\OpenVideo64.dll
2012-05-22 12:28:14 65024 ----a-w- C:\Windows\SysWow64\OpenVideo.dll
2012-05-22 12:28:08 63488 ----a-w- C:\Windows\System32\OVDecode64.dll
2012-05-22 12:28:04 56320 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2012-05-22 12:27:56 16457728 ----a-w- C:\Windows\System32\amdocl64.dll
2012-05-22 12:27:10 13008896 ----a-w- C:\Windows\SysWow64\amdocl.dll
2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-05-15 07:44:19 0 ----a-w- C:\Windows\ativpsrm.bin
2012-05-10 06:35:16 43520 ----a-w- C:\Windows\System32\kdbsdk64.dll
2012-05-10 06:35:16 29184 ----a-w- C:\Windows\SysWow64\kdbsdk32.dll
2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-04-22 03:51:38 25600 ----a-w- C:\Windows\System32\drivers\pccsmcfdx64.sys
2012-04-18 10:56:30 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2012-04-18 10:56:30 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2012-04-06 01:35:24 1120768 ----a-w- C:\Windows\System32\atiumd6v.dll
2012-04-06 01:34:50 1831424 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2012-04-04 08:33:18 955800 ----a-w- C:\Windows\System32\npdeployJava1.dll
.
============= FINISH: 14:56:54.96 ===============
 
Any help would be greatly appreciated, I can't afford to lose data on this computer.

Regards :)

Infin.



Edited by nasdaq, 04 July 2012 - 10:33 AM.
Code box removed around the DDS log



 


#2 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 07 July 2012 - 09:44 AM

Hi infinitevs,

:welcome: to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button, select Immediate Notification and click Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 

Please do the following. You will need a USB drive with no less than 64 MB of space.

  • Insert your USB drive.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format (Note that this will erase any files you have on your flashdrive. Please move any files you want to keep to your computer before completing this step.)
  • Download xPUD 0.9.2 iso, saving the file to your Desktop.
  • Download UNetbootin and save it to your Desktop as well.
  • Double click the unetbootin-windows-latest.exe that you just downloaded.
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will write files to your USB device and make it bootable
  • Once the files have been written to the device you will be prompted to reboot ~ do NOT reboot and instead just Exit the UNetbootin interface
  • Next, download dumpit and save it to the same flash drive where you installed xPUD.
  • Remove the USB and insert it in the ailing computer
  • Power on the computer and press F12 then choose to boot from the USB
  • After selecting a language and readying the system, a Welcome to xPUD screen will appear
  • Click the File tab
  • Expand mnt by clicking the plus sign to its left
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Double click dumpit.
  • It will create some MBR copies on the USB drive.
  • When it completes press Enter to exit the Terminal window.
  • Remove the USB drive, then locate on it an mbr.zip file, and upload that here as an attachment please.
mbr.zip should be created on your flash drive, please attach it to your next reply.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#3 infinitevs

  • Topic Starter
  • Members
  • 25 posts

Posted 07 July 2012 - 10:00 PM

Hi Jason,

I appreciate you taking the time to help me :) I have attempted the directions you posted but xPUD would not boot for me, see below:

Fatal Server Error:
no screens found.

ddxSigGiveUp: Closing log.
giving up.

xinit: No such file or directory (errno 2) unable to connect to X Server.
xinit: no such process (errno 3): Server not found.
xauth: (argv):1: bad display name "(none):0" in "remove" command.

Note: I also tried manually mounting the usb and running the dumpit application but it wouldn't run and complained of requiring a GUI.

I am running a Radeon 6850 which seems to be incompatible with xPUD.

Please let me know what to do next.


kindest regards,

infin.

#4 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 08 July 2012 - 01:42 PM

infinitevs,

Please try this instead...

If you don't understand a step, or have any questions, please ask before continuing with any future steps!

Please create this bootable CD.

You will need a CD and a USB drive.


  • Save these files to your Desktop
  • Open BurnCDCC and Extract All files to its own folder
  • Double Click BurnCDCC
  • Click Browse and navigate to the Puppy Linux ISO file you just downloaded
  • click on it and click Open
  • IMPORTANT: Adjust the speed bar to CD: 4x DVD: 1x
  • Click Start
  • Your CD Burner Tray will open automatically
  • Insert a blank CD and close the tray
  • Click OK
The CD should eject when finished.

Download and save pldumpit.exe to your USB device. To do this, right click on the link, and click on Save File As..., and save it without a file extension (change the Save as type to All Files, and delete the .exe)


To use the CD

  • Insert the CD and restart the computer
  • When the computer first starts please press the key indicated on the screen to enter the bios or setup.
  • Make the necessary changes to make the CD first in the boot order
  • Save the changes and exit the bios/setup
  • Your computer will restart and boot from the Puppy Linux Live CD
You can save these instructions to a notepad on your USB device. Once you have mounted the drives you should be able to view them by clicking on them.

  • Set your language, time, etc. preferences and continue
  • Click the Mount Icon located at the top left of your desktop (should be 3rd from the left top row)
  • A Window will open, click mount for each drive listed
  • If you have a USB flash drive connected it is usually automatically mounted upon boot, but click the "usbdrv" tab and make sure it is mounted.

In the lower left you will see some icons with a green light on them. Click on the one that represents your USB device. Usually sdb1.
  • locate and click on pldumpit
  • a window will open; please hit Enter when told to, to close the window
  • there should now be a file named mbr.zip in the list of files
  • close all windows
  • click menu
  • highlight shutdown
  • click reboot
  • use the arrow key to select Do not save
  • hit enter
  • remove the CD before the computer restarts and allow the computer to boot

Please attach MBR.zip that it created on your USB drive in your next reply.
Regards,
Jason

 

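Posts #2 and #4 above describe the same task done by hand: boot a Linux live system and run dumpit to copy the MBR into an mbr.zip that the helper can inspect for bootkit changes. The script below is an added example written for this thread, not dumpit or any tool the helper links to: it reads the first sector of a disk (the default device path /dev/sda and the output directory are assumptions), checks the 0x55AA boot signature, decodes the primary partition entries, hashes the boot code so it can be compared with the same disk model on a known-clean machine, and zips the raw sector for attachment. It is meant to be run as root from a Linux live environment; the built-in sample MBR is constructed, not taken from a real disk.

```python
"""Capture a disk's first sector (the MBR) for offline rootkit triage.

Added example for this thread, not the dumpit tool the helper links to.
Assumed usage from a Linux live environment, as root:
    python3 mbr_capture.py /dev/sda /media/usb
"""
import hashlib
import struct
import sys
import zipfile
from pathlib import Path

SECTOR = 512              # an MBR is exactly one 512-byte sector
BOOT_SIG = b"\x55\xaa"    # boot signature stored at offset 510
PT_OFFSET = 446           # four 16-byte partition entries start here
ENTRY_FMT = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sector count


def read_mbr(path):
    """Return the first 512 bytes of a block device or raw disk image."""
    with open(path, "rb") as fh:
        data = fh.read(SECTOR)
    if len(data) != SECTOR:
        raise ValueError(f"{path}: short read, got {len(data)} bytes")
    return data


def parse_mbr(mbr):
    """Check the boot signature, hash the boot code and decode the partition table."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        if ptype == 0:
            continue  # empty slot
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {
        "signature_ok": mbr[510:512] == BOOT_SIG,
        # Boot-code hash: compare it with a known-clean machine that has the
        # same disk layout; a bootkit that patches the loader changes this value.
        "bootcode_sha256": hashlib.sha256(mbr[:PT_OFFSET]).hexdigest(),
        "partitions": entries,
    }


def save_mbr_zip(mbr, out_dir):
    """Write mbr.bin into out_dir and wrap it in mbr.zip; return the zip path."""
    out_dir = Path(out_dir)
    raw = out_dir / "mbr.bin"
    raw.write_bytes(mbr)
    zpath = out_dir / "mbr.zip"
    with zipfile.ZipFile(zpath, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(raw, arcname="mbr.bin")
    return zpath


def build_sample_mbr():
    """Constructed sample (not from a real disk): a Windows 7 style layout with a
    bootable 100 MB system partition at LBA 2048 and a second NTFS partition."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\x33\xc0\x8e"  # placeholder bytes standing in for boot code
    struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET, 0x80, 0x07, 2048, 204800)
    struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + 16, 0x00, 0x07, 206848, 41738240)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def main(argv):
    device = argv[1] if len(argv) > 1 else "/dev/sda"   # assumed default device
    out_dir = argv[2] if len(argv) > 2 else "."          # assumed default output dir
    mbr = read_mbr(device)
    info = parse_mbr(mbr)
    print(f"boot signature: {'ok' if info['signature_ok'] else 'MISSING'}")
    print(f"boot code sha256: {info['bootcode_sha256']}")
    for p in info["partitions"]:
        flag = "*" if p["bootable"] else " "
        print(f"{flag} #{p['index']} type=0x{p['type']:02x} "
              f"start={p['lba_start']} sectors={p['sectors']}")
    print(f"wrote {save_mbr_zip(mbr, out_dir)}")


if __name__ == "__main__":
    main(sys.argv)
```

An unexpected extra partition entry, a missing signature, or a boot-code hash that differs from a clean machine with the same layout is what to look at first when reviewing the capture.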


#5 infinitevs

  • Topic Starter
  • Members
  • 25 posts

Posted 08 July 2012 - 05:26 PM

Hi Jason,

Sorry, I posted last night but it doesn't seem to have registered. I got dumpit to work via Debian before you replied; here is the required MBR.zip. Did you still need me to use the above method?

Cheers,

infin.

Attached Files

  • Attached File  mbr.zip   4.52KB   2 downloads


#6 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 08 July 2012 - 05:47 PM

Awesome job! :thumbup2:

No, I do not need you to follow my other instructions.

I'll post again shortly with further instructions.
Regards,
Jason

 



#7 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 08 July 2012 - 06:06 PM

infinitevs,

Please download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out >here< or >here<
3. Double click on combofix.exe & follow the prompts.

Important:
  • Do not mouseclick combofix's window while it's running. That may cause it to stall.
  • If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

In your next reply, please include:
  • Combofix log
  • How is your computer running now? Please be as descriptive as possible. Include any word-for-word error messages that you may have, and/or screenshots of strange behavior.

Regards,
Jason

 



#8 infinitevs

  • Topic Starter
  • Members
  • 25 posts

Posted 08 July 2012 - 08:52 PM

Hi Jason,

Thanks, okay, I have done that; included is the combofix.txt file you requested.

My computer seems to be running slightly better, although I have checked with GMER and those files I mentioned are still there!

I still can't see them in Windows or Linux, only in GMER. Additionally, as mentioned previously, using GMER I am not able to delete the files as it gives me an access violation, but I am able to output the files' contents, so I have attached them; hopefully you can shed some light on what they are for me!!



Thanks in advance,

infin.

 


ComboFix 12-07-08.01 - infinitevs 09/07/2012 10:21:46.3.2 - x64
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.61.1033.18.8191.6185 [GMT 10:00]
Running from: C:\Users\infinitevs\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Symantec Endpoint Protection *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2012-06-09 to 2012-07-09 )))))))))))))))))))))))))))))))


2012-07-09 00:31:59 . 2012-07-09 00:31:59 -------- d-----w- C:\Users\Default\AppData\Local\temp
2012-07-09 00:31:59 . 2012-07-09 00:31:59 -------- d-----w- C:\Users\Administrator\AppData\Local\temp
2012-07-04 23:15:39 . 2012-07-08 02:12:38 -------- d-----w- C:\ProgramData\RegRun
2012-07-04 23:15:35 . 2012-07-04 23:15:35 2 --shatr- C:\Windows\winstart.bat
2012-07-04 23:15:27 . 2012-07-08 02:12:38 -------- d-----w- C:\Program Files (x86)\UnHackMe
2012-07-03 05:40:58 . 2011-05-12 04:05:32 18816 ------w- C:\Windows\SysWow64\SAVRKBootTasks.sys
2012-07-03 04:02:59 . 2011-05-12 04:03:12 6144 ------w- C:\Windows\system32\55F.tmp
2012-07-03 04:02:24 . 2011-05-12 04:03:12 6144 ------w- C:\Windows\system32\7FCB.tmp
2012-07-03 02:12:42 . 2012-07-03 02:12:42 -------- d-----w- C:\Users\infinitevs\AppData\Roaming\Malwarebytes
2012-07-03 02:12:36 . 2012-07-03 02:12:38 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-03 02:12:36 . 2012-07-03 02:12:36 -------- d-----w- C:\ProgramData\Malwarebytes
2012-07-03 02:12:36 . 2012-04-04 05:56:40 24904 ----a-w- C:\Windows\system32\drivers\mbam.sys
2012-07-02 23:29:56 . 2012-07-02 23:29:56 -------- d-----w- C:\ProgramData\Sophos
2012-07-02 23:29:50 . 2012-07-02 23:29:50 73728 ----a-r- C:\Users\infinitevs\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-07-02 23:29:50 . 2012-07-02 23:29:50 73728 ----a-r- C:\Users\infinitevs\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-07-02 23:29:50 . 2012-07-02 23:29:50 73728 ----a-r- C:\Users\infinitevs\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2012-07-02 23:29:48 . 2012-07-03 04:02:17 -------- d-----w- C:\Program Files (x86)\Sophos
2012-07-01 21:59:00 . 2012-07-01 21:59:00 -------- d-----w- C:\Users\infinitevs\.zend
2012-07-01 21:46:59 . 2012-07-01 21:46:59 -------- d-----w- C:\Program Files (x86)\Zend
2012-07-01 12:35:02 . 2012-07-01 12:35:02 -------- d-----w- C:\Users\infinitevs\.ZendStudio
2012-07-01 07:44:39 . 2012-07-01 07:44:39 -------- d-----w- C:\Users\infinitevs\AppData\Local\Macromedia
2012-07-01 07:44:28 . 2012-07-01 07:45:36 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-01 07:44:28 . 2012-07-01 07:45:36 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-01 07:25:52 . 2012-07-01 09:22:05 -------- d-----w- C:\Users\infinitevs\AppData\Local\Flash Builder
2012-07-01 06:07:04 . 2012-07-01 06:07:04 -------- d-----w- C:\Users\infinitevs\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2012-07-01 05:55:14 . 2012-07-01 05:55:14 -------- d-----w- C:\ProgramData\ALM
2012-07-01 05:52:45 . 2012-07-01 09:06:18 -------- d-----w- C:\Users\infinitevs\Adobe Flash Builder 4.6
2012-07-01 05:42:17 . 2012-07-01 05:42:17 -------- d-----w- C:\Program Files (x86)\Common Files\Adobe AIR
2012-07-01 05:38:09 . 2012-07-01 09:06:49 -------- d-----w- C:\Program Files\Common Files\Adobe
2012-07-01 05:31:33 . 2012-07-01 09:00:26 -------- d-----w- C:\Program Files (x86)\Common Files\Adobe
2012-07-01 05:30:15 . 2012-07-08 16:50:28 -------- d-----w- C:\Users\infinitevs\AppData\Local\Adobe
2012-07-01 05:10:29 . 2012-07-01 05:10:29 -------- d-----w- C:\Program Files (x86)\My Company Name
2012-06-30 17:43:06 . 2012-06-30 17:43:06 -------- d-----w- C:\Users\infinitevs\Zend
2012-06-29 15:53:38 . 2012-07-02 23:33:34 -------- d-----w- C:\Users\infinitevs\AppData\Roaming\Media Player Classic
2012-06-28 03:05:06 . 2012-06-28 03:05:06 -------- d-----w- C:\Users\infinitevs\AppData\Roaming\Carambis
2012-06-28 02:54:58 . 2012-06-28 02:54:58 -------- d-----w- C:\ProgramData\PC Suite
2012-06-27 00:12:14 . 2012-06-27 00:12:14 -------- d-----w- C:\ProgramData\ATI
2012-06-27 00:02:11 . 2012-06-27 00:05:22 -------- d-----w- C:\Program Files\ATI Technologies
2012-06-26 21:32:21 . 2012-06-26 21:32:21 -------- d-----w- C:\Program Files (x86)\Microsoft CAPICOM 2.1.0.2
2012-06-26 07:31:06 . 2012-06-26 07:31:06 -------- d-----w- C:\ProgramData\Symantec Shared
2012-06-26 04:03:58 . 2012-06-09 17:21:50 206336 ----a-w- C:\Windows\system32\unrar.dll
2012-06-26 04:03:57 . 2012-06-18 18:00:00 92160 ----a-w- C:\Windows\system32\ff_vfw.dll
2012-06-26 04:03:56 . 2012-06-26 04:03:59 -------- d-----w- C:\Program Files\K-Lite Codec Pack x64
2012-06-26 04:03:27 . 2012-06-26 04:03:42 -------- d-----w- C:\Program Files (x86)\K-Lite Codec Pack
2012-06-26 00:48:54 . 2012-06-26 00:48:54 -------- d-----w- C:\Windows\system32\drivers\SEP\0C01044D
2012-06-26 00:42:53 . 2012-06-26 02:35:44 81840 ----a-w- C:\Windows\system32\FwsVpn.dll
2012-06-26 00:35:01 . 2012-06-26 00:48:58 -------- d-----w- C:\ProgramData\regid.1992_12.com.symantec
2012-06-26 00:34:58 . 2012-06-26 00:34:58 -------- d-----w- C:\Windows\system32\drivers\SEP\0C0103E8
2012-06-24 02:02:19 . 2012-06-24 02:02:19 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
2012-06-24 02:02:19 . 2012-06-24 02:02:19 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-06-24 01:56:46 . 2012-06-24 01:56:46 -------- d-----w- C:\Program Files (x86)\Creative Home
2012-06-22 06:15:44 . 2012-06-22 06:15:44 -------- d-----w- C:\Program Files (x86)\SlySoft
2012-06-22 03:13:03 . 2012-07-08 22:42:22 -------- d-----w- C:\Users\infinitevs\AppData\Roaming\AUSkey
2012-06-22 03:13:02 . 2012-06-22 03:13:02 -------- d-----w- C:\Program Files (x86)\ABR
2012-06-22 01:56:26 . 2012-06-02 22:19:43 2428952 ----a-w- C:\Windows\system32\wuaueng.dll
2012-06-22 01:56:26 . 2012-06-02 22:19:42 57880 ----a-w- C:\Windows\system32\wuauclt.exe
2012-06-22 01:56:26 . 2012-06-02 22:19:42 44056 ----a-w- C:\Windows\system32\wups2.dll
2012-06-22 01:56:26 . 2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\system32\wucltux.dll
2012-06-22 01:56:15 . 2012-06-02 22:19:46 38424 ----a-w- C:\Windows\system32\wups.dll
2012-06-22 01:56:15 . 2012-06-02 22:19:23 701976 ----a-w- C:\Windows\system32\wuapi.dll
2012-06-22 01:56:15 . 2012-06-02 22:15:08 99840 ----a-w- C:\Windows\system32\wudriver.dll
2012-06-22 01:56:06 . 2012-06-02 05:19:42 186752 ----a-w- C:\Windows\system32\wuwebv.dll
2012-06-22 01:56:06 . 2012-06-02 05:15:12 36864 ----a-w- C:\Windows\system32\wuapp.exe
2012-06-21 13:48:46 . 2000-07-28 07:15:00 1 ----a-w- C:\Windows\SysWow64\uuddc32.dll
2012-06-21 13:48:45 . 2012-06-21 13:48:45 -------- d-----w- C:\Program Files (x86)\BayGenie
2012-06-13 06:13:13 . 2012-04-24 05:37:37 184320 ----a-w- C:\Windows\system32\cryptsvc.dll
2012-06-13 06:13:13 . 2012-04-24 05:37:37 140288 ----a-w- C:\Windows\system32\cryptnet.dll
2012-06-13 06:13:13 . 2012-04-24 05:37:36 1462272 ----a-w- C:\Windows\system32\crypt32.dll
2012-06-13 06:13:13 . 2012-04-24 04:36:42 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-06-13 06:13:13 . 2012-04-24 04:36:42 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-06-13 06:13:13 . 2012-04-24 04:36:42 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-06-13 02:48:50 . 2012-04-28 05:32:05 1112064 ----a-w- C:\Windows\system32\rdpcorets.dll
2012-06-13 02:48:50 . 2012-04-28 03:55:21 210944 ----a-w- C:\Windows\system32\drivers\rdpwd.sys
2012-06-13 02:48:47 . 2012-05-15 01:32:33 3146752 ----a-w- C:\Windows\system32\win32k.sys
2012-06-13 02:48:46 . 2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\system32\ntoskrnl.exe
2012-06-13 02:48:45 . 2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-06-13 02:48:45 . 2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-06-13 02:48:44 . 2012-05-01 05:40:20 209920 ----a-w- C:\Windows\system32\profsvc.dll
2012-06-13 02:48:34 . 2012-05-04 11:00:43 366592 ----a-w- C:\Windows\system32\qdvd.dll
2012-06-13 02:48:34 . 2012-05-04 09:59:54 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2012-06-13 02:48:34 . 2012-04-07 12:31:40 3216384 ----a-w- C:\Windows\system32\msi.dll
2012-06-13 02:48:34 . 2012-04-07 11:26:29 2342400 ----a-w- C:\Windows\SysWow64\msi.dll
2012-06-12 08:45:19 . 2012-06-12 08:45:19 -------- d-----w- C:\Users\Public\Roaming
2012-06-12 06:39:09 . 2012-06-12 06:39:09 -------- d-----w- C:\Program Files (x86)\Common Files\Creative
2012-06-12 06:39:00 . 2012-06-12 06:39:00 -------- d-----w- C:\Program Files (x86)\Common Files\Creative Labs Shared
2012-06-12 06:38:49 . 2012-06-12 06:39:19 -------- d-----w- C:\Program Files\Creative
2012-06-12 06:37:14 . 2003-11-10 08:13:28 69715 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
2012-06-12 06:37:14 . 2003-11-10 08:12:42 266240 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
2012-06-12 06:37:14 . 2003-11-10 08:12:12 192512 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
2012-06-12 06:37:14 . 2003-11-10 08:11:58 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
2012-06-12 06:37:13 . 2012-06-12 06:37:13 188548 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
2012-06-12 06:37:13 . 2003-11-10 08:14:46 729088 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
2012-06-12 06:37:10 . 2012-06-12 06:37:10 311428 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2012-06-12 04:56:42 . 2012-06-12 04:56:42 -------- d-----w- C:\ProgramData\WinZip
2012-06-12 03:07:44 . 2012-07-01 05:45:24 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine
2012-06-12 03:07:44 . 2012-06-12 03:07:44 -------- d-----w- C:\Program Files (x86)\Common Files\Sonic Shared
2012-06-12 02:18:24 . 2012-06-12 02:18:24 -------- d-----w- C:\Program Files (x86)\Elaborate Bytes
2012-06-12 00:20:30 . 2012-06-12 00:20:30 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-12 00:20:30 . 2012-06-12 00:20:30 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2012-07-05 09:13:25 . 2012-05-14 08:16:51 48648 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2012-06-26 02:35:44 . 2012-02-09 06:37:15 58288 ----a-w- C:\Windows\SysWow64\snacnp.dll
2012-06-26 02:35:44 . 2012-02-09 06:37:15 42632 ----a-w- C:\Windows\system32\drivers\WGX64.SYS
2012-06-26 02:35:44 . 2011-06-16 08:29:48 58288 ----a-w- C:\Windows\system32\snacnp.dll
2012-06-26 02:35:44 . 2011-06-16 08:29:48 288176 ----a-w- C:\Windows\system32\SymVPN.dll
2012-06-26 02:35:43 . 2012-02-09 06:37:14 380848 ----a-w- C:\Windows\SysWow64\sysfer.dll
2012-06-26 02:35:43 . 2012-02-09 06:37:14 10672 ----a-w- C:\Windows\SysWow64\sysferThunk.dll
2012-06-26 02:35:43 . 2012-02-09 06:37:13 119816 ----a-w- C:\Windows\system32\drivers\SysPlant.sys
2012-06-26 02:35:42 . 2012-02-09 06:37:13 519600 ----a-w- C:\Windows\system32\sysfer.dll
2012-06-26 02:35:42 . 2012-02-09 06:37:13 11184 ----a-w- C:\Windows\system32\sysferThunk.dll
2012-06-26 00:49:39 . 2012-02-09 06:38:11 175736 ----a-w- C:\Windows\system32\drivers\SYMEVENT64x86.SYS
2012-06-26 00:34:32 . 2011-05-21 00:50:02 62672 ----a-w- C:\Windows\system32\drivers\Teefer.sys
2012-06-12 06:38:01 . 2011-06-16 16:34:01 466520 ----a-w- C:\Windows\system32\wrap_oal.dll
2012-06-12 06:38:01 . 2011-06-16 16:34:01 445016 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2012-06-12 06:38:01 . 2011-06-16 16:34:01 123480 ----a-w- C:\Windows\system32\OpenAL32.dll
2012-06-12 06:38:01 . 2011-06-16 16:34:01 109144 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2012-06-12 05:33:20 . 2012-05-15 04:36:56 1668 ----a-w- C:\Windows\system32\ASOROSet.bin
2012-06-09 17:21:56 . 2011-06-16 15:58:54 178688 ----a-w- C:\Windows\SysWow64\unrar.dll
2012-06-04 02:40:57 . 2011-06-16 16:29:29 525544 ----a-w- C:\Windows\system32\deployJava1.dll
2012-05-23 03:15:36 . 2012-05-23 03:15:36 10248704 ----a-w- C:\Windows\system32\drivers\atikmdag.sys
2012-05-23 03:11:56 . 2012-05-23 03:11:56 24826368 ----a-w- C:\Windows\system32\atio6axx.dll
2012-05-23 02:43:24 . 2012-05-23 02:43:24 20467200 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2012-05-23 02:08:42 . 2012-05-23 02:08:42 163840 ----a-w- C:\Windows\system32\atiapfxx.exe
2012-05-23 02:08:34 . 2012-04-06 02:21:52 924160 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2012-05-23 02:06:46 . 2012-04-06 02:20:04 1090560 ----a-w- C:\Windows\system32\aticfx64.dll
2012-05-23 02:03:26 . 2012-05-23 02:03:26 442368 ----a-w- C:\Windows\system32\ATIDEMGX.dll
2012-05-23 02:03:22 . 2012-05-23 02:03:22 532992 ----a-w- C:\Windows\system32\atieclxx.exe
2012-05-23 02:02:36 . 2012-05-23 02:02:36 239616 ----a-w- C:\Windows\system32\atiesrxx.exe
2012-05-23 02:01:18 . 2012-05-23 02:01:18 120320 ----a-w- C:\Windows\system32\atitmm64.dll
2012-05-23 02:01:04 . 2012-05-23 02:01:04 21504 ----a-w- C:\Windows\system32\atimuixx.dll
2012-05-23 02:00:58 . 2012-05-23 02:00:58 59392 ----a-w- C:\Windows\system32\atiedu64.dll
2012-05-23 02:00:54 . 2012-05-23 02:00:54 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2012-05-23 02:00:12 . 2012-05-23 02:00:12 6301184 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2012-05-23 01:56:24 . 2012-05-23 01:56:24 70144 ----a-w- C:\Windows\system32\coinst_8.98.dll
2012-05-23 01:44:48 . 2012-04-06 01:54:46 6914560 ----a-w- C:\Windows\system32\atidxx64.dll
2012-05-23 01:31:04 . 2012-05-23 01:31:04 4246528 ----a-w- C:\Windows\system32\atiumd6a.dll
2012-05-23 01:28:20 . 2012-04-06 01:34:04 5480448 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2012-05-23 01:26:44 . 2012-05-23 01:26:44 51200 ----a-w- C:\Windows\system32\aticalrt64.dll
2012-05-23 01:26:42 . 2012-05-23 01:26:42 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2012-05-23 01:26:38 . 2012-05-23 01:26:38 44544 ----a-w- C:\Windows\system32\aticalcl64.dll
2012-05-23 01:26:36 . 2012-05-23 01:26:36 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2012-05-23 01:26:24 . 2012-05-23 01:26:24 15703040 ----a-w- C:\Windows\system32\aticaldd64.dll
2012-05-23 01:23:34 . 2012-04-06 01:22:54 4729344 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2012-05-23 01:22:10 . 2012-05-23 01:22:10 13277696 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2012-05-23 01:19:28 . 2012-05-23 01:19:28 6605312 ----a-w- C:\Windows\system32\atiumd64.dll
2012-05-23 01:09:24 . 2012-05-23 01:09:24 539136 ----a-w- C:\Windows\system32\atiadlxx.dll
2012-05-23 01:09:14 . 2012-05-23 01:09:14 368640 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2012-05-23 01:09:02 . 2012-05-23 01:09:02 17920 ----a-w- C:\Windows\system32\atig6pxx.dll
2012-05-23 01:08:58 . 2012-05-23 01:08:58 14848 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2012-05-23 01:08:58 . 2012-05-23 01:08:58 14848 ----a-w- C:\Windows\system32\atiglpxx.dll
2012-05-23 01:08:54 . 2012-05-23 01:08:54 41984 ----a-w- C:\Windows\system32\atig6txx.dll
2012-05-23 01:08:48 . 2012-05-23 01:08:48 33280 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2012-05-23 01:08:40 . 2012-05-23 01:08:40 367616 ----a-w- C:\Windows\system32\drivers\atikmpag.sys
2012-05-23 01:07:48 . 2012-04-06 01:09:56 54784 ----a-w- C:\Windows\system32\atiuxp64.dll
2012-05-23 01:07:42 . 2012-05-23 01:07:42 42496 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2012-05-23 01:07:36 . 2012-05-23 01:07:36 45056 ----a-w- C:\Windows\system32\atiu9p64.dll
2012-05-23 01:07:28 . 2012-04-06 01:09:34 32768 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2012-05-23 01:06:54 . 2012-05-23 01:06:54 53248 ----a-w- C:\Windows\system32\drivers\ati2erec.dll
2012-05-23 01:05:22 . 2012-05-23 01:05:22 56320 ----a-w- C:\Windows\system32\atimpc64.dll
2012-05-23 01:05:22 . 2012-05-23 01:05:22 56320 ----a-w- C:\Windows\system32\amdpcom64.dll
2012-05-23 01:05:18 . 2012-05-23 01:05:18 56832 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2012-05-23 01:05:18 . 2012-05-23 01:05:18 56832 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2012-05-22 12:28:36 . 2012-05-22 12:28:36 187392 ----a-w- C:\Windows\system32\clinfo.exe
2012-05-22 12:28:20 . 2012-05-22 12:28:20 75264 ----a-w- C:\Windows\system32\OpenVideo64.dll
2012-05-22 12:28:14 . 2012-05-22 12:28:14 65024 ----a-w- C:\Windows\SysWow64\OpenVideo.dll
2012-05-22 12:28:08 . 2012-05-22 12:28:08 63488 ----a-w- C:\Windows\system32\OVDecode64.dll
2012-05-22 12:28:04 . 2012-05-22 12:28:04 56320 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2012-05-22 12:27:56 . 2012-05-22 12:27:56 16457728 ----a-w- C:\Windows\system32\amdocl64.dll
2012-05-22 12:27:10 . 2012-05-22 12:27:10 13008896 ----a-w- C:\Windows\SysWow64\amdocl.dll
2012-05-15 10:09:06 . 2012-05-15 10:09:06 48648 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2012-05-10 06:35:16 . 2012-05-10 06:35:16 43520 ----a-w- C:\Windows\system32\kdbsdk64.dll
2012-05-10 06:35:16 . 2012-05-10 06:35:16 29184 ----a-w- C:\Windows\SysWow64\kdbsdk32.dll
2012-04-22 03:51:38 . 2011-10-24 05:17:08 25600 ----a-w- C:\Windows\system32\drivers\pccsmcfdx64.sys
2012-04-18 10:56:30 . 2012-04-18 10:56:30 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2012-04-18 10:56:30 . 2012-04-18 10:56:30 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files (x86)\Skype\Phone\Skype.exe" [2012-06-14 00:46:36 17424048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 11:28:32 59240]
"ControlCenter4"="C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe" [2012-03-01 04:58:58 143360]
"BrStsMon00"="C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe" [2011-05-18 23:51:52 2629632]
"VirtualCloneDrive"="C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 13:33:08 89456]
"CTxfiHlp"="CTXFIHLP.EXE" [2011-08-22 01:57:30 25600]
"StartCCC"="C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-05-22 13:16:20 641704]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
Event Planner Reminder.lnk - C:\Program Files (x86)\Creative Home\Hallmark Card Studio 2012 Deluxe\Planner\PLNRnote.exe [2011-7-28 365984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 04:27:14 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-01 07:45:36 257224]
R3 ALSysIO;ALSysIO;C:\Users\INFINI~1\AppData\Local\Temp\ALSysIO64.sys [x]
R3 atillk64;atillk64;C:\Program Files (x86)\GIGABYTE\atBIOS\ATITool\atillk64.sys [2006-07-19 01:04:00 14608]
R3 AVerAF15;AVerMedia A815;C:\Windows\system32\Drivers\AVerAF15.sys [2009-12-04 05:54:12 312064]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2012-06-12 06:39:00 79360]
R3 CT20XUT;CT20XUT;C:\Windows\system32\drivers\CT20XUT.SYS [2011-08-22 03:25:06 202840]
R3 CTEXFIFX;CTEXFIFX;C:\Windows\system32\drivers\CTEXFIFX.SYS [2011-08-22 03:25:30 1417304]
R3 CTHWIUT;CTHWIUT;C:\Windows\system32\drivers\CTHWIUT.SYS [2011-08-22 03:25:16 94808]
R3 DCamUSBET;ET USB 2760 Camera;C:\Windows\system32\DRIVERS\etDevice64.sys [2007-07-23 10:59:12 527744]
R3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys [2010-11-21 03:23:48 71168]
R3 FiltUSBET;ET USB Device Lower Filter;C:\Windows\system32\DRIVERS\etFilter64.sys [2007-06-14 06:11:12 281088]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2011-12-09 03:39:52 135584]
R3 MEMSWEEP2;MEMSWEEP2;C:\Windows\system32\55F.tmp [2011-05-12 04:03:12 6144]
R3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 11:20:56 174440]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 11:34:24 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys [2010-11-21 03:24:43 20992]
R3 ScanUSBET;ET USB Still Image Capture Device;C:\Windows\system32\DRIVERS\etScan64.sys [2007-07-23 11:00:18 9216]
R3 SyDvCtrl;SyDvCtrl;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\SyDvCtrl64.sys [2012-06-26 00:48:27 29664]
R3 Synth3dVsc;Synth3dVsc;C:\Windows\system32\drivers\synth3dvsc.sys [2010-11-21 03:23:48 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\system32\drivers\terminpt.sys [2010-11-21 03:23:48 34816]
R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys [2010-11-21 03:24:33 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys [2010-11-21 03:23:47 31232]
R3 tsusbhub;tsusbhub;C:\Windows\system32\drivers\tsusbhub.sys [2010-11-21 03:23:48 117248]
R3 VGPU;VGPU;C:\Windows\system32\drivers\rdvgkmd.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys [2009-07-14 00:07:28 17920]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 00:39:20 23040]
R3 WSDScan;WSD Scan Support via UMB;C:\Windows\system32\DRIVERS\WSDScan.sys [2009-07-14 00:35:37 25088]
R4 SAVRKBootTasks;Boot Tasks Driver;C:\Windows\system32\SAVRKBootTasks.sys [x]
R4 sptd;sptd;C:\Windows\System32\Drivers\sptd.sys [x]
R4 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 03:37:14 517096]
S0 asahci64;asahci64;C:\Windows\system32\DRIVERS\asahci64.sys [2011-09-21 07:56:24 49760]
S0 PxHlpa64;PxHlpa64;C:\Windows\System32\Drivers\PxHlpa64.sys [2011-11-02 17:01:00 56208]
S0 SymDS;Symantec Data Store;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMDS64.SYS [2011-05-03 01:18:59 451192]
S0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMEFA64.SYS [2012-06-26 00:48:35 932472]
S1 BHDrvx64;BHDrvx64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\BASHDefs\20120620.012\BHDrvx64.sys [2012-06-20 00:09:46 1161376]
S1 IDSVia64;IDSVia64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\IPSDefs\20120705.002\IDSvia64.sys [2012-06-26 05:35:48 509088]
S1 SymIRON;Symantec Iron Driver;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\Ironx64.SYS [2012-06-26 00:34:37 171128]
S1 SYMNETS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMNETS.SYS [2012-06-26 00:48:35 386168]
S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys [2009-07-14 00:07:22 59904]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe [2012-05-23 02:02:36 239616]
S2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-05-22 11:52:22 361984]
S2 cpuz135;cpuz135;C:\Windows\system32\drivers\cpuz135_x64.sys [2012-03-09 00:57:36 23816]
S2 SepMasterService;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe [2012-06-26 00:48:23 137208]
S3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys [2010-02-17 22:18:24 46136]
S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2012-05-23 03:15:36 10248704]
S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys [2012-05-23 01:08:40 367616]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys [2012-02-23 12:32:04 95760]
S3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2010-01-24 22:22:56 245760]
S3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\System32\drivers\CT20XUT.SYS [2011-08-22 03:25:06 202840]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\System32\drivers\CTEXFIFX.SYS [2011-08-22 03:25:30 1417304]
S3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\System32\drivers\CTHWIUT.SYS [2011-08-22 03:25:16 94808]
S3 dc3d;MS Hardware Device Detection Driver (USB);C:\Windows\system32\DRIVERS\dc3d.sys [2011-05-17 21:08:32 47616]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-06-26 08:02:50 138912]
S3 Point64;Microsoft IntelliPoint Filter Driver;C:\Windows\system32\DRIVERS\point64.sys [2011-08-01 04:59:06 45416]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys [2011-08-22 19:57:24 565352]


Contents of the 'Scheduled Tasks' folder

2012-07-09 C:\Windows\Tasks\Adobe Flash Player Updater.job
- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-01 07:44:28 . 2012-07-01 07:45:36]

2012-07-02 C:\Windows\Tasks\Defraggler Volume C Task.job
- C:\Program Files\Defraggler\df64.exe [2012-06-06 13:14:08 . 2012-06-06 13:14:08]


--------- X64 Entries -----------


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55:16 99080 ----a-w- C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55:16 99080 ----a-w- C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55:16 99080 ----a-w- C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55:16 99080 ----a-w- C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55:16 99080 ----a-w- C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55:16 99080 ----a-w- C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55:16 99080 ----a-w- C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55:16 99080 ----a-w- C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55:16 99080 ----a-w- C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 05:40:58 1873256]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 04:59:06 2417032]
"AdobeAAMUpdater-1.0"="C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-03 20:09:46 446392]

------- Supplementary Scan -------

uLocal Page = C:\Windows\system32\blank.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote
TCP: Interfaces\{368CB9D1-250A-43D7-95E6-3B16B12CAC13}: NameServer = 192.168.0.7,192.168.0.42
DPF: {CAA6C3B6-662B-4D14-BB64-EADB88213BFE} - hxxp://threestorms.dyndns.org/IPCamPluginTM.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab

- - - - ORPHANS REMOVED - - - -

Notify-SEP - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\WinLogoutNotifier.dll



Edited by jntkwx, 08 July 2012 - 08:56 PM.
Including logs in post (easier to read)


#9 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:08 PM

Posted 08 July 2012 - 09:17 PM

infin.,

In the future, please just copy and paste any logs asked for directly into your reply, they're easier for me to read that way.


Do you recognize this file?
C:\Windows\winstart.bat

I haven't forgotten about those two odd files. They do look suspicious. I think you got the error with GMER because they're locked, so GMER can't remove them. We'll take care of them soon.

:step1: Rerun Combofix
Please open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic459153.html

Suspect::[139]
C:\Users\INFINI~1\AppData\Local\Temp\ALSysIO64.sys
C:\Windows\winstart.bat

Save this as CFScript.txt

Posted Image


Referring to the picture above, drag CFScript.txt into ComboFix.exe

If asked to update Combofix, please allow it to update.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.

:step2: aswMBR
Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

In your next reply, please include:
  • Combofix log
  • aswMBR log

Regards,
Jason



#10 infinitevs

  • Topic Starter
  • Members
  • 25 posts
  • Local time:04:08 AM

Posted 09 July 2012 - 05:03 AM

Hi Jason,

No worries, pasting it is :)

I've completed the steps you directed. ComboFix ran fine and produced the log as expected. aswMBR.exe scanned for about 40 minutes, then the whole computer crashed, saying something about a kernel modification being detected. Here's the exact blue screen info -->
==================================================
Dump File : 070912-34257-01.dmp
Crash Time : 9/07/2012 2:48:35 PM
Bug Check String :
Bug Check Code : 0x00000109
Parameter 1 : a3a039d8`a99df7d1
Parameter 2 : b3b7465e`fc1c330f
Parameter 3 : fffff800`00b95080
Parameter 4 : 00000000`00000002
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7f1c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17835 (win7sp1_gdr.120503-2030)
Processor : x64
Crash Address : ntoskrnl.exe+7f1c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\070912-34257-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 7601
Dump File Size : 287,701
==================================================

I rebooted and ran aswMBR, and this time it scanned right through :)

Here are the logs -->

combofix --->

ComboFix 12-07-08.01 - infinitevs 09/07/2012 13:15:25.4.2 - x64
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.61.1033.18.8191.5904 [GMT 10:00]
Running from: c:\users\infinitevs\Desktop\ComboFix.exe
Command switches used :: c:\users\infinitevs\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Symantec Endpoint Protection *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\infinitevs\AppData\Roaming\mIRC\logs\status.log
.
.
((((((((((((((((((((((((( Files Created from 2012-06-09 to 2012-07-09 )))))))))))))))))))))))))))))))
.
.
2012-07-09 03:27 . 2012-07-09 03:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-09 03:27 . 2012-07-09 03:27 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-07-04 23:15 . 2012-07-08 02:12 -------- d-----w- c:\programdata\RegRun
2012-07-04 23:15 . 2012-07-04 23:15 2 -----tw- c:\windows\winstart.bat
2012-07-04 23:15 . 2012-07-08 02:12 -------- d-----w- c:\program files (x86)\UnHackMe
2012-07-03 05:40 . 2011-05-12 04:05 18816 ------w- c:\windows\SysWow64\SAVRKBootTasks.sys
2012-07-03 04:02 . 2011-05-12 04:03 6144 ------w- c:\windows\system32\55F.tmp
2012-07-03 04:02 . 2011-05-12 04:03 6144 ------w- c:\windows\system32\7FCB.tmp
2012-07-03 02:12 . 2012-07-03 02:12 -------- d-----w- c:\users\infinitevs\AppData\Roaming\Malwarebytes
2012-07-03 02:12 . 2012-07-03 02:12 -------- d-----w- c:\programdata\Malwarebytes
2012-07-02 23:29 . 2012-07-02 23:29 -------- d-----w- c:\programdata\Sophos
2012-07-02 23:29 . 2012-07-02 23:29 73728 ----a-r- c:\users\infinitevs\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-07-02 23:29 . 2012-07-02 23:29 73728 ----a-r- c:\users\infinitevs\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-07-02 23:29 . 2012-07-02 23:29 73728 ----a-r- c:\users\infinitevs\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2012-07-02 23:29 . 2012-07-03 04:02 -------- d-----w- c:\program files (x86)\Sophos
2012-07-01 21:59 . 2012-07-01 21:59 -------- d-----w- c:\users\infinitevs\.zend
2012-07-01 21:46 . 2012-07-01 21:46 -------- d-----w- c:\program files (x86)\Zend
2012-07-01 12:35 . 2012-07-01 12:35 -------- d-----w- c:\users\infinitevs\.ZendStudio
2012-07-01 07:44 . 2012-07-01 07:44 -------- d-----w- c:\users\infinitevs\AppData\Local\Macromedia
2012-07-01 07:44 . 2012-07-01 07:45 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-01 07:44 . 2012-07-01 07:45 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-01 07:25 . 2012-07-01 09:22 -------- d-----w- c:\users\infinitevs\AppData\Local\Flash Builder
2012-07-01 06:07 . 2012-07-01 06:07 -------- d-----w- c:\users\infinitevs\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2012-07-01 05:55 . 2012-07-01 05:55 -------- d-----w- c:\programdata\ALM
2012-07-01 05:52 . 2012-07-01 09:06 -------- d-----w- c:\users\infinitevs\Adobe Flash Builder 4.6
2012-07-01 05:42 . 2012-07-01 05:42 -------- d-----w- c:\program files (x86)\Common Files\Adobe AIR
2012-07-01 05:38 . 2012-07-01 09:06 -------- d-----w- c:\program files\Common Files\Adobe
2012-07-01 05:31 . 2012-07-01 09:00 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-07-01 05:30 . 2012-07-08 16:50 -------- d-----w- c:\users\infinitevs\AppData\Local\Adobe
2012-07-01 05:10 . 2012-07-01 05:10 -------- d-----w- c:\program files (x86)\My Company Name
2012-06-30 17:43 . 2012-06-30 17:43 -------- d-----w- c:\users\infinitevs\Zend
2012-06-29 15:53 . 2012-07-02 23:33 -------- d-----w- c:\users\infinitevs\AppData\Roaming\Media Player Classic
2012-06-28 03:05 . 2012-06-28 03:05 -------- d-----w- c:\users\infinitevs\AppData\Roaming\Carambis
2012-06-28 02:54 . 2012-06-28 02:54 -------- d-----w- c:\programdata\PC Suite
2012-06-27 00:12 . 2012-06-27 00:12 -------- d-----w- c:\programdata\ATI
2012-06-27 00:02 . 2012-06-27 00:05 -------- d-----w- c:\program files\ATI Technologies
2012-06-26 21:32 . 2012-06-26 21:32 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2
2012-06-26 07:31 . 2012-06-26 07:31 -------- d-----w- c:\programdata\Symantec Shared
2012-06-26 04:03 . 2012-06-09 17:21 206336 ----a-w- c:\windows\system32\unrar.dll
2012-06-26 04:03 . 2012-06-18 18:00 92160 ----a-w- c:\windows\system32\ff_vfw.dll
2012-06-26 04:03 . 2012-06-26 04:03 -------- d-----w- c:\program files\K-Lite Codec Pack x64
2012-06-26 04:03 . 2012-06-26 04:03 -------- d-----w- c:\program files (x86)\K-Lite Codec Pack
2012-06-26 00:48 . 2012-06-26 00:48 -------- d-----w- c:\windows\system32\drivers\SEP\0C01044D
2012-06-26 00:42 . 2012-06-26 02:35 81840 ----a-w- c:\windows\system32\FwsVpn.dll
2012-06-26 00:35 . 2012-06-26 00:48 -------- d-----w- c:\programdata\regid.1992_12.com.symantec
2012-06-26 00:34 . 2012-06-26 00:34 -------- d-----w- c:\windows\system32\drivers\SEP\0C0103E8
2012-06-24 02:02 . 2012-06-24 02:02 -------- d-----w- c:\program files (x86)\Microsoft Synchronization Services
2012-06-24 02:02 . 2012-06-24 02:02 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2012-06-24 01:56 . 2012-06-24 01:56 -------- d-----w- c:\program files (x86)\Creative Home
2012-06-22 06:15 . 2012-06-22 06:15 -------- d-----w- c:\program files (x86)\SlySoft
2012-06-22 03:13 . 2012-07-08 22:42 -------- d-----w- c:\users\infinitevs\AppData\Roaming\AUSkey
2012-06-22 03:13 . 2012-06-22 03:13 -------- d-----w- c:\program files (x86)\ABR
2012-06-22 01:56 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-22 01:56 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-22 01:56 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-22 01:56 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 01:56 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-22 01:56 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-22 01:56 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 01:56 . 2012-06-02 05:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-22 01:56 . 2012-06-02 05:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-21 13:48 . 2000-07-28 07:15 1 ----a-w- c:\windows\SysWow64\uuddc32.dll
2012-06-21 13:48 . 2012-06-21 13:48 -------- d-----w- c:\program files (x86)\BayGenie
2012-06-13 06:13 . 2012-04-24 05:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 06:13 . 2012-04-24 05:37 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 06:13 . 2012-04-24 05:37 1462272 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 06:13 . 2012-04-24 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-06-13 06:13 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-06-13 06:13 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-06-13 02:48 . 2012-04-28 05:32 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2012-06-13 02:48 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 02:48 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 02:48 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-13 02:48 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-06-13 02:48 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-06-13 02:48 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-06-13 02:48 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-06-13 02:48 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-06-13 02:48 . 2012-04-07 12:31 3216384 ----a-w- c:\windows\system32\msi.dll
2012-06-13 02:48 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\SysWow64\msi.dll
2012-06-12 08:45 . 2012-06-12 08:45 -------- d-----w- c:\users\Public\Roaming
2012-06-12 06:39 . 2012-06-12 06:39 -------- d-----w- c:\program files (x86)\Common Files\Creative
2012-06-12 06:39 . 2012-06-12 06:39 -------- d-----w- c:\program files (x86)\Common Files\Creative Labs Shared
2012-06-12 06:38 . 2012-06-12 06:39 -------- d-----w- c:\program files\Creative
2012-06-12 06:37 . 2003-11-10 08:13 69715 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
2012-06-12 06:37 . 2003-11-10 08:12 266240 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
2012-06-12 06:37 . 2003-11-10 08:12 192512 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
2012-06-12 06:37 . 2003-11-10 08:11 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
2012-06-12 06:37 . 2012-06-12 06:37 188548 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
2012-06-12 06:37 . 2003-11-10 08:14 729088 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
2012-06-12 06:37 . 2012-06-12 06:37 311428 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2012-06-12 04:56 . 2012-06-12 04:56 -------- d-----w- c:\programdata\WinZip
2012-06-12 03:07 . 2012-07-01 05:45 -------- d-----w- c:\program files (x86)\Common Files\PX Storage Engine
2012-06-12 03:07 . 2012-06-12 03:07 -------- d-----w- c:\program files (x86)\Common Files\Sonic Shared
2012-06-12 02:18 . 2012-06-12 02:18 -------- d-----w- c:\program files (x86)\Elaborate Bytes
2012-06-12 00:20 . 2012-06-12 00:20 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-12 00:20 . 2012-06-12 00:20 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-05 09:13 . 2012-05-14 08:16 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2012-06-26 02:35 . 2012-02-09 06:37 58288 ----a-w- c:\windows\SysWow64\snacnp.dll
2012-06-26 02:35 . 2012-02-09 06:37 42632 ----a-w- c:\windows\system32\drivers\WGX64.SYS
2012-06-26 02:35 . 2011-06-16 08:29 58288 ----a-w- c:\windows\system32\snacnp.dll
2012-06-26 02:35 . 2011-06-16 08:29 288176 ----a-w- c:\windows\system32\SymVPN.dll
2012-06-26 02:35 . 2012-02-09 06:37 380848 ----a-w- c:\windows\SysWow64\sysfer.dll
2012-06-26 02:35 . 2012-02-09 06:37 10672 ----a-w- c:\windows\SysWow64\sysferThunk.dll
2012-06-26 02:35 . 2012-02-09 06:37 119816 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2012-06-26 02:35 . 2012-02-09 06:37 519600 ----a-w- c:\windows\system32\sysfer.dll
2012-06-26 02:35 . 2012-02-09 06:37 11184 ----a-w- c:\windows\system32\sysferThunk.dll
2012-06-26 00:49 . 2012-02-09 06:38 175736 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-06-26 00:34 . 2011-05-21 00:50 62672 ----a-w- c:\windows\system32\drivers\Teefer.sys
2012-06-12 06:38 . 2011-06-16 16:34 466520 ----a-w- c:\windows\system32\wrap_oal.dll
2012-06-12 06:38 . 2011-06-16 16:34 445016 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-06-12 06:38 . 2011-06-16 16:34 123480 ----a-w- c:\windows\system32\OpenAL32.dll
2012-06-12 06:38 . 2011-06-16 16:34 109144 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2012-06-12 05:33 . 2012-05-15 04:36 1668 ----a-w- c:\windows\system32\ASOROSet.bin
2012-06-09 17:21 . 2011-06-16 15:58 178688 ----a-w- c:\windows\SysWow64\unrar.dll
2012-06-04 02:40 . 2011-06-16 16:29 525544 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-23 03:15 . 2012-05-23 03:15 10248704 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-05-23 03:11 . 2012-05-23 03:11 24826368 ----a-w- c:\windows\system32\atio6axx.dll
2012-05-23 02:43 . 2012-05-23 02:43 20467200 ----a-w- c:\windows\SysWow64\atioglxx.dll
2012-05-23 02:08 . 2012-05-23 02:08 163840 ----a-w- c:\windows\system32\atiapfxx.exe
2012-05-23 02:08 . 2012-04-06 02:21 924160 ----a-w- c:\windows\SysWow64\aticfx32.dll
2012-05-23 02:06 . 2012-04-06 02:20 1090560 ----a-w- c:\windows\system32\aticfx64.dll
2012-05-23 02:03 . 2012-05-23 02:03 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-05-23 02:03 . 2012-05-23 02:03 532992 ----a-w- c:\windows\system32\atieclxx.exe
2012-05-23 02:02 . 2012-05-23 02:02 239616 ----a-w- c:\windows\system32\atiesrxx.exe
2012-05-23 02:01 . 2012-05-23 02:01 120320 ----a-w- c:\windows\system32\atitmm64.dll
2012-05-23 02:01 . 2012-05-23 02:01 21504 ----a-w- c:\windows\system32\atimuixx.dll
2012-05-23 02:00 . 2012-05-23 02:00 59392 ----a-w- c:\windows\system32\atiedu64.dll
2012-05-23 02:00 . 2012-05-23 02:00 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2012-05-23 02:00 . 2012-05-23 02:00 6301184 ----a-w- c:\windows\SysWow64\atidxx32.dll
2012-05-23 01:56 . 2012-05-23 01:56 70144 ----a-w- c:\windows\system32\coinst_8.98.dll
2012-05-23 01:44 . 2012-04-06 01:54 6914560 ----a-w- c:\windows\system32\atidxx64.dll
2012-05-23 01:31 . 2012-05-23 01:31 4246528 ----a-w- c:\windows\system32\atiumd6a.dll
2012-05-23 01:28 . 2012-04-06 01:34 5480448 ----a-w- c:\windows\SysWow64\atiumdag.dll
2012-05-23 01:26 . 2012-05-23 01:26 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2012-05-23 01:26 . 2012-05-23 01:26 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2012-05-23 01:26 . 2012-05-23 01:26 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2012-05-23 01:26 . 2012-05-23 01:26 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2012-05-23 01:26 . 2012-05-23 01:26 15703040 ----a-w- c:\windows\system32\aticaldd64.dll
2012-05-23 01:23 . 2012-04-06 01:22 4729344 ----a-w- c:\windows\SysWow64\atiumdva.dll
2012-05-23 01:22 . 2012-05-23 01:22 13277696 ----a-w- c:\windows\SysWow64\aticaldd.dll
2012-05-23 01:19 . 2012-05-23 01:19 6605312 ----a-w- c:\windows\system32\atiumd64.dll
2012-05-23 01:09 . 2012-05-23 01:09 539136 ----a-w- c:\windows\system32\atiadlxx.dll
2012-05-23 01:09 . 2012-05-23 01:09 368640 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2012-05-23 01:09 . 2012-05-23 01:09 17920 ----a-w- c:\windows\system32\atig6pxx.dll
2012-05-23 01:08 . 2012-05-23 01:08 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2012-05-23 01:08 . 2012-05-23 01:08 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2012-05-23 01:08 . 2012-05-23 01:08 41984 ----a-w- c:\windows\system32\atig6txx.dll
2012-05-23 01:08 . 2012-05-23 01:08 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll
2012-05-23 01:08 . 2012-05-23 01:08 367616 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-05-23 01:07 . 2012-04-06 01:09 54784 ----a-w- c:\windows\system32\atiuxp64.dll
2012-05-23 01:07 . 2012-05-23 01:07 42496 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2012-05-23 01:07 . 2012-05-23 01:07 45056 ----a-w- c:\windows\system32\atiu9p64.dll
2012-05-23 01:07 . 2012-04-06 01:09 32768 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2012-05-23 01:06 . 2012-05-23 01:06 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-05-23 01:05 . 2012-05-23 01:05 56320 ----a-w- c:\windows\system32\atimpc64.dll
2012-05-23 01:05 . 2012-05-23 01:05 56320 ----a-w- c:\windows\system32\amdpcom64.dll
2012-05-23 01:05 . 2012-05-23 01:05 56832 ----a-w- c:\windows\SysWow64\atimpc32.dll
2012-05-23 01:05 . 2012-05-23 01:05 56832 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2012-05-22 12:28 . 2012-05-22 12:28 187392 ----a-w- c:\windows\system32\clinfo.exe
2012-05-22 12:28 . 2012-05-22 12:28 75264 ----a-w- c:\windows\system32\OpenVideo64.dll
2012-05-22 12:28 . 2012-05-22 12:28 65024 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2012-05-22 12:28 . 2012-05-22 12:28 63488 ----a-w- c:\windows\system32\OVDecode64.dll
2012-05-22 12:28 . 2012-05-22 12:28 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll
2012-05-22 12:27 . 2012-05-22 12:27 16457728 ----a-w- c:\windows\system32\amdocl64.dll
2012-05-22 12:27 . 2012-05-22 12:27 13008896 ----a-w- c:\windows\SysWow64\amdocl.dll
2012-05-15 10:09 . 2012-05-15 10:09 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2012-05-10 06:35 . 2012-05-10 06:35 43520 ----a-w- c:\windows\system32\kdbsdk64.dll
2012-05-10 06:35 . 2012-05-10 06:35 29184 ----a-w- c:\windows\SysWow64\kdbsdk32.dll
2012-04-22 03:51 . 2011-10-24 05:17 25600 ----a-w- c:\windows\system32\drivers\pccsmcfdx64.sys
2012-04-18 10:56 . 2012-04-18 10:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-18 10:56 . 2012-04-18 10:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-06-14 17424048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"ControlCenter4"="c:\program files (x86)\ControlCenter4\BrCcBoot.exe" [2012-03-01 143360]
"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2011-05-18 2629632]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"CTxfiHlp"="CTXFIHLP.EXE" [2011-08-22 25600]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-05-22 641704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
Event Planner Reminder.lnk - c:\program files (x86)\Creative Home\Hallmark Card Studio 2012 Deluxe\Planner\PLNRnote.exe [2011-7-28 365984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SEP]
c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\WinLogoutNotifier.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-01 257224]
R3 ALSysIO;ALSysIO;c:\users\INFINI~1\AppData\Local\Temp\ALSysIO64.sys [x]
R3 atillk64;atillk64;c:\program files (x86)\GIGABYTE\atBIOS\ATITool\atillk64.sys [2006-07-19 14608]
R3 AVerAF15;AVerMedia A815;c:\windows\system32\Drivers\AVerAF15.sys [2009-12-04 312064]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2012-06-12 79360]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2011-08-22 202840]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2011-08-22 1417304]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2011-08-22 94808]
R3 DCamUSBET;ET USB 2760 Camera;c:\windows\system32\DRIVERS\etDevice64.sys [2007-07-23 527744]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\DRIVERS\etFilter64.sys [2007-06-14 281088]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2011-12-09 135584]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\55F.tmp [2011-05-12 6144]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\DRIVERS\etScan64.sys [2007-07-23 9216]
R3 SyDvCtrl;SyDvCtrl;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\SyDvCtrl64.sys [2012-06-26 29664]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 25088]
R4 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
R4 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S0 asahci64;asahci64;c:\windows\system32\DRIVERS\asahci64.sys [2011-09-21 49760]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-11-02 56208]
S0 SymDS;Symantec Data Store;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMDS64.SYS [2011-05-03 451192]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMEFA64.SYS [2012-06-26 932472]
S1 BHDrvx64;BHDrvx64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\BASHDefs\20120620.012\BHDrvx64.sys [2012-06-20 1161376]
S1 IDSVia64;IDSVia64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\IPSDefs\20120705.002\IDSvia64.sys [2012-06-26 509088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\Ironx64.SYS [2012-06-26 171128]
S1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMNETS.SYS [2012-06-26 386168]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-05-23 239616]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-05-22 361984]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2012-03-09 23816]
S2 SepMasterService;Symantec Endpoint Protection;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe [2012-06-26 137208]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-17 46136]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-05-23 10248704]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-05-23 367616]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
S3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe [2010-01-24 245760]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2011-08-22 202840]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2011-08-22 1417304]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2011-08-22 94808]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-17 47616]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-22 565352]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-01 07:45]
.
2012-07-02 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df64.exe [2012-06-06 13:14]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-03 446392]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote
TCP: Interfaces\{368CB9D1-250A-43D7-95E6-3B16B12CAC13}: NameServer = 192.168.0.7,192.168.0.42
DPF: {CAA6C3B6-662B-4D14-BB64-EADB88213BFE} - hxxp://threestorms.dyndns.org/IPCamPluginTM.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SepMasterService]
"ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SmcService]
"ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\Smc.exe\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\55F.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e2,8e,7b,e3,76,7e,f0,9b,76,4e,f3,29,dd,fb,9a,43,4a,b5,3b,a4,78,
35,42,5a,4d,a5,4e,ef,d5,90,5f,c1,d1,7c,55,8a,f8,42,01,ee,09,15,b6,00,bd,f4,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e2,8e,7b,e3,76,7e,f0,9b,76,4e,f3,29,dd,fb,9a,43,4a,b5,3b,a4,78,
35,42,5a,4d,a5,4e,ef,d5,90,5f,c1,d1,7c,55,8a,f8,42,01,ee,09,15,b6,00,bd,f4,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-09 13:46:07
ComboFix-quarantined-files.txt 2012-07-09 03:46
.
Pre-Run: 101,595,795,456 bytes free
Post-Run: 101,524,115,456 bytes free
.
- - End Of File - - 493450FD470C0DBED82C125BA2A880DD

aswMBR --->

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-09 15:00:47
-----------------------------
15:00:47.551 OS Version: Windows x64 6.1.7601 Service Pack 1
15:00:47.551 Number of processors: 2 586 0x4303
15:00:47.551 ComputerName: STATIC-AA0066FF UserName: infinitevs
15:00:48.156 Initialize success
15:00:53.396 AVAST engine defs: 12070801
15:01:12.712 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-4
15:01:12.712 Disk 0 Vendor: SAMSUNG_HD400LJ ZZ100-15 Size: 381554MB BusType: 3
15:01:12.712 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T1L0-6
15:01:12.712 Disk 1 Vendor: SAMSUNG_HD400LJ ZZ100-15 Size: 381554MB BusType: 3
15:01:12.712 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP2T1L0-5
15:01:12.712 Disk 2 Vendor: SAMSUNG_HD103SI 1AG01118 Size: 953869MB BusType: 3
15:01:12.728 Disk 0 MBR read successfully
15:01:12.728 Disk 0 MBR scan
15:01:12.728 Disk 0 Windows 7 default MBR code
15:01:12.743 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
15:01:12.759 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 381452 MB offset 206848
15:01:12.790 Disk 0 scanning C:\Windows\system32\drivers
15:01:23.239 Service scanning
15:01:44.446 Modules scanning
15:01:44.446 Disk 0 trace - called modules:
15:01:44.462 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
15:01:44.462 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80079de410]
15:01:44.462 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa8007812520]
15:01:44.462 5 ACPI.sys[fffff88000f447a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-4[0xfffffa800780b060]
15:01:45.129 AVAST engine scan C:\Windows
15:01:48.028 AVAST engine scan C:\Windows\system32
15:05:18.145 AVAST engine scan C:\Windows\system32\drivers
15:05:40.418 AVAST engine scan C:\Users\infinitevs
16:53:02.693 AVAST engine scan C:\ProgramData
17:00:20.320 Scan finished successfully
17:05:37.593 Disk 0 MBR has been saved successfully to "C:\Users\infinitevs\Desktop\MBR.dat"
17:05:37.593 The log file has been saved successfully to "C:\Users\infinitevs\Desktop\aswMBR.txt"

#11 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:08 PM

Posted 09 July 2012 - 08:01 AM

infin.,

Do you recognize this file?
C:\Windows\winstart.bat

For some odd reason, the Combofix run didn't do what I expected.

Rerun Combofix
Please open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic459153.html

Suspect::[139]
c:\users\infinitevs\AppData\Local\Temp\ALSysIO64.sys
C:\Windows\winstart.bat

Save this as CFScript.txt

Posted Image


Referring to the picture above, drag CFScript.txt into ComboFix.exe

If asked to update Combofix, please allow it to update.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#12 infinitevs

infinitevs
  • Topic Starter

  • Members
  • 25 posts
  • Local time:04:08 AM

Posted 09 July 2012 - 01:00 PM

Hi Jason,

No, that file isn't familiar to me. I checked it, though, and it doesn't seem to have any contents.

I have re-run ComboFix; this time the file upload worked properly, I think. Here's the log:

ComboFix 12-07-08.02 - infinitevs 10/07/2012 3:29.6.2 - x64
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.61.1033.18.8191.6448 [GMT 10:00]
Running from: c:\users\infinitevs\Desktop\ComboFix.exe
Command switches used :: c:\users\infinitevs\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
.
((((((((((((((((((((((((( Files Created from 2012-06-09 to 2012-07-09 )))))))))))))))))))))))))))))))
.
.
2012-07-09 17:39 . 2012-07-09 17:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-09 17:39 . 2012-07-09 17:39 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-07-04 23:15 . 2012-07-08 02:12 -------- d-----w- c:\programdata\RegRun
2012-07-04 23:15 . 2012-07-04 23:15 2 -----tw- c:\windows\winstart.bat
2012-07-04 23:15 . 2012-07-08 02:12 -------- d-----w- c:\program files (x86)\UnHackMe
2012-07-03 05:40 . 2011-05-12 04:05 18816 ------w- c:\windows\SysWow64\SAVRKBootTasks.sys
2012-07-03 04:02 . 2011-05-12 04:03 6144 ------w- c:\windows\system32\55F.tmp
2012-07-03 04:02 . 2011-05-12 04:03 6144 ------w- c:\windows\system32\7FCB.tmp
2012-07-03 02:12 . 2012-07-03 02:12 -------- d-----w- c:\users\infinitevs\AppData\Roaming\Malwarebytes
2012-07-03 02:12 . 2012-07-03 02:12 -------- d-----w- c:\programdata\Malwarebytes
2012-07-02 23:29 . 2012-07-02 23:29 -------- d-----w- c:\programdata\Sophos
2012-07-02 23:29 . 2012-07-02 23:29 73728 ----a-r- c:\users\infinitevs\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-07-02 23:29 . 2012-07-02 23:29 73728 ----a-r- c:\users\infinitevs\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-07-02 23:29 . 2012-07-02 23:29 73728 ----a-r- c:\users\infinitevs\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2012-07-02 23:29 . 2012-07-03 04:02 -------- d-----w- c:\program files (x86)\Sophos
2012-07-01 21:59 . 2012-07-01 21:59 -------- d-----w- c:\users\infinitevs\.zend
2012-07-01 21:46 . 2012-07-01 21:46 -------- d-----w- c:\program files (x86)\Zend
2012-07-01 12:35 . 2012-07-01 12:35 -------- d-----w- c:\users\infinitevs\.ZendStudio
2012-07-01 07:44 . 2012-07-01 07:44 -------- d-----w- c:\users\infinitevs\AppData\Local\Macromedia
2012-07-01 07:44 . 2012-07-01 07:45 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-01 07:44 . 2012-07-01 07:45 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-01 07:25 . 2012-07-01 09:22 -------- d-----w- c:\users\infinitevs\AppData\Local\Flash Builder
2012-07-01 06:07 . 2012-07-01 06:07 -------- d-----w- c:\users\infinitevs\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2012-07-01 05:55 . 2012-07-01 05:55 -------- d-----w- c:\programdata\ALM
2012-07-01 05:52 . 2012-07-01 09:06 -------- d-----w- c:\users\infinitevs\Adobe Flash Builder 4.6
2012-07-01 05:42 . 2012-07-01 05:42 -------- d-----w- c:\program files (x86)\Common Files\Adobe AIR
2012-07-01 05:38 . 2012-07-01 09:06 -------- d-----w- c:\program files\Common Files\Adobe
2012-07-01 05:31 . 2012-07-01 09:00 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-07-01 05:30 . 2012-07-09 16:00 -------- d-----w- c:\users\infinitevs\AppData\Local\Adobe
2012-07-01 05:10 . 2012-07-01 05:10 -------- d-----w- c:\program files (x86)\My Company Name
2012-06-30 17:43 . 2012-06-30 17:43 -------- d-----w- c:\users\infinitevs\Zend
2012-06-29 15:53 . 2012-07-02 23:33 -------- d-----w- c:\users\infinitevs\AppData\Roaming\Media Player Classic
2012-06-28 03:05 . 2012-06-28 03:05 -------- d-----w- c:\users\infinitevs\AppData\Roaming\Carambis
2012-06-28 02:54 . 2012-06-28 02:54 -------- d-----w- c:\programdata\PC Suite
2012-06-27 00:12 . 2012-06-27 00:12 -------- d-----w- c:\programdata\ATI
2012-06-27 00:02 . 2012-06-27 00:05 -------- d-----w- c:\program files\ATI Technologies
2012-06-26 21:32 . 2012-06-26 21:32 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2
2012-06-26 07:31 . 2012-06-26 07:31 -------- d-----w- c:\programdata\Symantec Shared
2012-06-26 04:03 . 2012-06-09 17:21 206336 ----a-w- c:\windows\system32\unrar.dll
2012-06-26 04:03 . 2012-06-18 18:00 92160 ----a-w- c:\windows\system32\ff_vfw.dll
2012-06-26 04:03 . 2012-06-26 04:03 -------- d-----w- c:\program files\K-Lite Codec Pack x64
2012-06-26 04:03 . 2012-06-26 04:03 -------- d-----w- c:\program files (x86)\K-Lite Codec Pack
2012-06-26 00:48 . 2012-06-26 00:48 -------- d-----w- c:\windows\system32\drivers\SEP\0C01044D
2012-06-26 00:42 . 2012-06-26 02:35 81840 ----a-w- c:\windows\system32\FwsVpn.dll
2012-06-26 00:35 . 2012-06-26 00:48 -------- d-----w- c:\programdata\regid.1992_12.com.symantec
2012-06-26 00:34 . 2012-06-26 00:34 -------- d-----w- c:\windows\system32\drivers\SEP\0C0103E8
2012-06-24 02:02 . 2012-06-24 02:02 -------- d-----w- c:\program files (x86)\Microsoft Synchronization Services
2012-06-24 02:02 . 2012-06-24 02:02 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2012-06-24 01:56 . 2012-06-24 01:56 -------- d-----w- c:\program files (x86)\Creative Home
2012-06-22 06:15 . 2012-06-22 06:15 -------- d-----w- c:\program files (x86)\SlySoft
2012-06-22 03:13 . 2012-07-08 22:42 -------- d-----w- c:\users\infinitevs\AppData\Roaming\AUSkey
2012-06-22 03:13 . 2012-06-22 03:13 -------- d-----w- c:\program files (x86)\ABR
2012-06-22 01:56 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-22 01:56 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-22 01:56 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-22 01:56 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-22 01:56 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-22 01:56 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-22 01:56 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-22 01:56 . 2012-06-02 05:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-22 01:56 . 2012-06-02 05:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-21 13:48 . 2000-07-28 07:15 1 ----a-w- c:\windows\SysWow64\uuddc32.dll
2012-06-21 13:48 . 2012-06-21 13:48 -------- d-----w- c:\program files (x86)\BayGenie
2012-06-13 06:13 . 2012-04-24 05:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 06:13 . 2012-04-24 05:37 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 06:13 . 2012-04-24 05:37 1462272 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 06:13 . 2012-04-24 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-06-13 06:13 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-06-13 06:13 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-06-13 02:48 . 2012-04-28 05:32 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2012-06-13 02:48 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 02:48 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 02:48 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-13 02:48 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-06-13 02:48 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-06-13 02:48 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-06-13 02:48 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-06-13 02:48 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-06-13 02:48 . 2012-04-07 12:31 3216384 ----a-w- c:\windows\system32\msi.dll
2012-06-13 02:48 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\SysWow64\msi.dll
2012-06-12 08:45 . 2012-06-12 08:45 -------- d-----w- c:\users\Public\Roaming
2012-06-12 06:39 . 2012-06-12 06:39 -------- d-----w- c:\program files (x86)\Common Files\Creative
2012-06-12 06:39 . 2012-06-12 06:39 -------- d-----w- c:\program files (x86)\Common Files\Creative Labs Shared
2012-06-12 06:38 . 2012-06-12 06:39 -------- d-----w- c:\program files\Creative
2012-06-12 06:37 . 2003-11-10 08:13 69715 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
2012-06-12 06:37 . 2003-11-10 08:12 266240 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
2012-06-12 06:37 . 2003-11-10 08:12 192512 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
2012-06-12 06:37 . 2003-11-10 08:11 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
2012-06-12 06:37 . 2012-06-12 06:37 188548 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
2012-06-12 06:37 . 2003-11-10 08:14 729088 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
2012-06-12 06:37 . 2012-06-12 06:37 311428 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2012-06-12 04:56 . 2012-06-12 04:56 -------- d-----w- c:\programdata\WinZip
2012-06-12 03:07 . 2012-07-01 05:45 -------- d-----w- c:\program files (x86)\Common Files\PX Storage Engine
2012-06-12 03:07 . 2012-06-12 03:07 -------- d-----w- c:\program files (x86)\Common Files\Sonic Shared
2012-06-12 02:18 . 2012-06-12 02:18 -------- d-----w- c:\program files (x86)\Elaborate Bytes
2012-06-12 00:20 . 2012-06-12 00:20 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-12 00:20 . 2012-06-12 00:20 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-05 09:13 . 2012-05-14 08:16 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2012-06-26 02:35 . 2012-02-09 06:37 58288 ----a-w- c:\windows\SysWow64\snacnp.dll
2012-06-26 02:35 . 2012-02-09 06:37 42632 ----a-w- c:\windows\system32\drivers\WGX64.SYS
2012-06-26 02:35 . 2011-06-16 08:29 58288 ----a-w- c:\windows\system32\snacnp.dll
2012-06-26 02:35 . 2011-06-16 08:29 288176 ----a-w- c:\windows\system32\SymVPN.dll
2012-06-26 02:35 . 2012-02-09 06:37 380848 ----a-w- c:\windows\SysWow64\sysfer.dll
2012-06-26 02:35 . 2012-02-09 06:37 10672 ----a-w- c:\windows\SysWow64\sysferThunk.dll
2012-06-26 02:35 . 2012-02-09 06:37 119816 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2012-06-26 02:35 . 2012-02-09 06:37 519600 ----a-w- c:\windows\system32\sysfer.dll
2012-06-26 02:35 . 2012-02-09 06:37 11184 ----a-w- c:\windows\system32\sysferThunk.dll
2012-06-26 00:49 . 2012-02-09 06:38 175736 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-06-26 00:34 . 2011-05-21 00:50 62672 ----a-w- c:\windows\system32\drivers\Teefer.sys
2012-06-12 06:38 . 2011-06-16 16:34 466520 ----a-w- c:\windows\system32\wrap_oal.dll
2012-06-12 06:38 . 2011-06-16 16:34 445016 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-06-12 06:38 . 2011-06-16 16:34 123480 ----a-w- c:\windows\system32\OpenAL32.dll
2012-06-12 06:38 . 2011-06-16 16:34 109144 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2012-06-12 05:33 . 2012-05-15 04:36 1668 ----a-w- c:\windows\system32\ASOROSet.bin
2012-06-09 17:21 . 2011-06-16 15:58 178688 ----a-w- c:\windows\SysWow64\unrar.dll
2012-06-04 02:40 . 2011-06-16 16:29 525544 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-23 03:15 . 2012-05-23 03:15 10248704 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-05-23 03:11 . 2012-05-23 03:11 24826368 ----a-w- c:\windows\system32\atio6axx.dll
2012-05-23 02:43 . 2012-05-23 02:43 20467200 ----a-w- c:\windows\SysWow64\atioglxx.dll
2012-05-23 02:08 . 2012-05-23 02:08 163840 ----a-w- c:\windows\system32\atiapfxx.exe
2012-05-23 02:08 . 2012-04-06 02:21 924160 ----a-w- c:\windows\SysWow64\aticfx32.dll
2012-05-23 02:06 . 2012-04-06 02:20 1090560 ----a-w- c:\windows\system32\aticfx64.dll
2012-05-23 02:03 . 2012-05-23 02:03 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-05-23 02:03 . 2012-05-23 02:03 532992 ----a-w- c:\windows\system32\atieclxx.exe
2012-05-23 02:02 . 2012-05-23 02:02 239616 ----a-w- c:\windows\system32\atiesrxx.exe
2012-05-23 02:01 . 2012-05-23 02:01 120320 ----a-w- c:\windows\system32\atitmm64.dll
2012-05-23 02:01 . 2012-05-23 02:01 21504 ----a-w- c:\windows\system32\atimuixx.dll
2012-05-23 02:00 . 2012-05-23 02:00 59392 ----a-w- c:\windows\system32\atiedu64.dll
2012-05-23 02:00 . 2012-05-23 02:00 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2012-05-23 02:00 . 2012-05-23 02:00 6301184 ----a-w- c:\windows\SysWow64\atidxx32.dll
2012-05-23 01:56 . 2012-05-23 01:56 70144 ----a-w- c:\windows\system32\coinst_8.98.dll
2012-05-23 01:44 . 2012-04-06 01:54 6914560 ----a-w- c:\windows\system32\atidxx64.dll
2012-05-23 01:31 . 2012-05-23 01:31 4246528 ----a-w- c:\windows\system32\atiumd6a.dll
2012-05-23 01:28 . 2012-04-06 01:34 5480448 ----a-w- c:\windows\SysWow64\atiumdag.dll
2012-05-23 01:26 . 2012-05-23 01:26 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2012-05-23 01:26 . 2012-05-23 01:26 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2012-05-23 01:26 . 2012-05-23 01:26 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2012-05-23 01:26 . 2012-05-23 01:26 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2012-05-23 01:26 . 2012-05-23 01:26 15703040 ----a-w- c:\windows\system32\aticaldd64.dll
2012-05-23 01:23 . 2012-04-06 01:22 4729344 ----a-w- c:\windows\SysWow64\atiumdva.dll
2012-05-23 01:22 . 2012-05-23 01:22 13277696 ----a-w- c:\windows\SysWow64\aticaldd.dll
2012-05-23 01:19 . 2012-05-23 01:19 6605312 ----a-w- c:\windows\system32\atiumd64.dll
2012-05-23 01:09 . 2012-05-23 01:09 539136 ----a-w- c:\windows\system32\atiadlxx.dll
2012-05-23 01:09 . 2012-05-23 01:09 368640 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2012-05-23 01:09 . 2012-05-23 01:09 17920 ----a-w- c:\windows\system32\atig6pxx.dll
2012-05-23 01:08 . 2012-05-23 01:08 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2012-05-23 01:08 . 2012-05-23 01:08 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2012-05-23 01:08 . 2012-05-23 01:08 41984 ----a-w- c:\windows\system32\atig6txx.dll
2012-05-23 01:08 . 2012-05-23 01:08 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll
2012-05-23 01:08 . 2012-05-23 01:08 367616 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-05-23 01:07 . 2012-04-06 01:09 54784 ----a-w- c:\windows\system32\atiuxp64.dll
2012-05-23 01:07 . 2012-05-23 01:07 42496 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2012-05-23 01:07 . 2012-05-23 01:07 45056 ----a-w- c:\windows\system32\atiu9p64.dll
2012-05-23 01:07 . 2012-04-06 01:09 32768 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2012-05-23 01:06 . 2012-05-23 01:06 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-05-23 01:05 . 2012-05-23 01:05 56320 ----a-w- c:\windows\system32\atimpc64.dll
2012-05-23 01:05 . 2012-05-23 01:05 56320 ----a-w- c:\windows\system32\amdpcom64.dll
2012-05-23 01:05 . 2012-05-23 01:05 56832 ----a-w- c:\windows\SysWow64\atimpc32.dll
2012-05-23 01:05 . 2012-05-23 01:05 56832 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2012-05-22 12:28 . 2012-05-22 12:28 187392 ----a-w- c:\windows\system32\clinfo.exe
2012-05-22 12:28 . 2012-05-22 12:28 75264 ----a-w- c:\windows\system32\OpenVideo64.dll
2012-05-22 12:28 . 2012-05-22 12:28 65024 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2012-05-22 12:28 . 2012-05-22 12:28 63488 ----a-w- c:\windows\system32\OVDecode64.dll
2012-05-22 12:28 . 2012-05-22 12:28 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll
2012-05-22 12:27 . 2012-05-22 12:27 16457728 ----a-w- c:\windows\system32\amdocl64.dll
2012-05-22 12:27 . 2012-05-22 12:27 13008896 ----a-w- c:\windows\SysWow64\amdocl.dll
2012-05-15 10:09 . 2012-05-15 10:09 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2012-05-10 06:35 . 2012-05-10 06:35 43520 ----a-w- c:\windows\system32\kdbsdk64.dll
2012-05-10 06:35 . 2012-05-10 06:35 29184 ----a-w- c:\windows\SysWow64\kdbsdk32.dll
2012-04-22 03:51 . 2011-10-24 05:17 25600 ----a-w- c:\windows\system32\drivers\pccsmcfdx64.sys
2012-04-18 10:56 . 2012-04-18 10:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-18 10:56 . 2012-04-18 10:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-09_03.28.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 03:09 . 2012-07-09 17:20 64656 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-07-09 01:41 56470 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-07-09 17:20 56470 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-06-16 04:34 . 2012-07-09 17:20 22412 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2906397762-4872399-3345623861-1000_UserData.bin
- 2012-07-09 01:40 . 2012-07-09 01:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-09 17:18 . 2012-07-09 17:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-09 01:40 . 2012-07-09 01:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-07-09 17:18 . 2012-07-09 17:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:46 . 2012-07-09 04:55 114360 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2009-07-14 05:01 . 2012-07-09 01:38 563124 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-07-09 17:16 563124 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-03-27 05:07 . 2012-07-09 17:16 5500720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2012-03-27 05:07 . 2012-07-09 01:38 5500720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-06-16 08:36 . 2012-07-09 17:16 22219016 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2906397762-4872399-3345623861-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-06-14 17424048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"ControlCenter4"="c:\program files (x86)\ControlCenter4\BrCcBoot.exe" [2012-03-01 143360]
"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2011-05-18 2629632]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"CTxfiHlp"="CTXFIHLP.EXE" [2011-08-22 25600]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-05-22 641704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
Event Planner Reminder.lnk - c:\program files (x86)\Creative Home\Hallmark Card Studio 2012 Deluxe\Planner\PLNRnote.exe [2011-7-28 365984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SEP]
c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\WinLogoutNotifier.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-01 257224]
R3 ALSysIO;ALSysIO;c:\users\INFINI~1\AppData\Local\Temp\ALSysIO64.sys [x]
R3 atillk64;atillk64;c:\program files (x86)\GIGABYTE\atBIOS\ATITool\atillk64.sys [2006-07-19 14608]
R3 AVerAF15;AVerMedia A815;c:\windows\system32\Drivers\AVerAF15.sys [2009-12-04 312064]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2012-06-12 79360]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2011-08-22 202840]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2011-08-22 1417304]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2011-08-22 94808]
R3 DCamUSBET;ET USB 2760 Camera;c:\windows\system32\DRIVERS\etDevice64.sys [2007-07-23 527744]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\DRIVERS\etFilter64.sys [2007-06-14 281088]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2011-12-09 135584]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\55F.tmp [2011-05-12 6144]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\DRIVERS\etScan64.sys [2007-07-23 9216]
R3 SyDvCtrl;SyDvCtrl;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\SyDvCtrl64.sys [2012-06-26 29664]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 25088]
R4 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
R4 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S0 asahci64;asahci64;c:\windows\system32\DRIVERS\asahci64.sys [2011-09-21 49760]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-11-02 56208]
S0 SymDS;Symantec Data Store;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMDS64.SYS [2011-05-03 451192]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMEFA64.SYS [2012-06-26 932472]
S1 BHDrvx64;BHDrvx64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\BASHDefs\20120620.012\BHDrvx64.sys [2012-06-20 1161376]
S1 IDSVia64;IDSVia64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\IPSDefs\20120705.002\IDSvia64.sys [2012-06-26 509088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\Ironx64.SYS [2012-06-26 171128]
S1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMNETS.SYS [2012-06-26 386168]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-05-23 239616]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-05-22 361984]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2012-03-09 23816]
S2 SepMasterService;Symantec Endpoint Protection;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe [2012-06-26 137208]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-17 46136]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-05-23 10248704]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-05-23 367616]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
S3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe [2010-01-24 245760]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2011-08-22 202840]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2011-08-22 1417304]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2011-08-22 94808]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-17 47616]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-22 565352]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-01 07:45]
.
2012-07-02 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df64.exe [2012-06-06 13:14]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-20 22:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-03 446392]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote
TCP: Interfaces\{368CB9D1-250A-43D7-95E6-3B16B12CAC13}: NameServer = 192.168.0.7,192.168.0.42
DPF: {CAA6C3B6-662B-4D14-BB64-EADB88213BFE} - hxxp://threestorms.dyndns.org/IPCamPluginTM.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SepMasterService]
"ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SmcService]
"ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\Smc.exe\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\55F.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e2,8e,7b,e3,76,7e,f0,9b,76,4e,f3,29,dd,fb,9a,43,4a,b5,3b,a4,78,
35,42,5a,4d,a5,4e,ef,d5,90,5f,c1,d1,7c,55,8a,f8,42,01,ee,09,15,b6,00,bd,f4,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e2,8e,7b,e3,76,7e,f0,9b,76,4e,f3,29,dd,fb,9a,43,4a,b5,3b,a4,78,
35,42,5a,4d,a5,4e,ef,d5,90,5f,c1,d1,7c,55,8a,f8,42,01,ee,09,15,b6,00,bd,f4,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-10 03:54:46
ComboFix-quarantined-files.txt 2012-07-09 17:54
.
Pre-Run: 104,399,323,136 bytes free
Post-Run: 104,096,890,880 bytes free
.
- - End Of File - - 531774853644FA3E45A60F0C8B024A6C
Upload was successful

#13 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender: Male
  • Location: New England, U.S.A.

Posted 09 July 2012 - 02:15 PM

infin.,

Yes, the upload was successful, but I still don't see the file I'm looking for. Let's upload it for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Virustotal: http://www.virustotal.com/

When the Virustotal page has finished loading, click the Choose File button and navigate to the following file and click Send File.

c:\users\infinitevs\AppData\Local\Temp\ALSysIO64.sys

If prompted to reanalyze a file, please do so.

Please post back the website addresses (URLs) of the Virustotal result in your next post.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#14 infinitevs

  • Topic Starter
  • Members
  • 25 posts

Posted 09 July 2012 - 06:14 PM

Hi Jason.

I was able to see the winstart.bat file as I mentioned earlier, renamed it and moved it to quarantine just to be sure.

But the ALSysIO64.sys file doesn't seem to exist in that location as far as I can tell. I can't see it there, and it's not a hidden or system file, as I am showing both of those in folder options. Additionally, I cannot see the file in GMER, but I can see another file, "kwlyrfob.sys"! This file also doesn't appear in the normal Windows file system, although I haven't checked in Linux. I have outputted that file and attached it to the next post. I have also uploaded THAT file to the website for checking.

https://www.virustotal.com/file/49c9df7fb2200e3e20aedb8f8a69aa28bf858adfbc3ae286957d2479832abb8b/analysis/1341876495/

It looks like GMER creates that file, phew...

But where is the other file referenced? Could it be that aswMBR removed that file when it crashed that time? In the last ComboFix log there is a [x] next to the entry for that file.


Example: R3 ALSysIO;ALSysIO;C:\Users\INFINI~1\AppData\Local\Temp\ALSysIO64.sys [x]

Is that a registry key or an autorun entry? If so, I can remove it with Autoruns manually.


I failed to mention this before, but it's worth noting that as a side result of ComboFix (or the processes related to it) the default gateway of 192.168.0.1 keeps getting removed from the IPv4 settings, and internet access can only be restored by re-adding the entry manually. Also, the hosts file (in which I have manual entries, as I am a web developer) keeps getting reset. Is this normal behaviour, or could this indicate a deeper infection?


cheers,

Sean.

Edited by infinitevs, 09 July 2012 - 06:41 PM.


#15 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender: Male
  • Location: New England, U.S.A.

Posted 09 July 2012 - 06:31 PM

infin.,

You're partially correct. If you can't find the file, then it doesn't exist. aswMBR didn't remove the file; that program is more of a diagnostic tool. This is actually called an orphan registry entry (since the file it points to no longer exists). ComboFix can actually take care of it with the following instructions:



1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
ALSysIO

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If asked to update Combofix, please allow it to update.

When finished, it shall produce a log for you at C:\ComboFix.txt.


In your next reply, please include:
  • Combofix log
  • Copy and paste the contents of C:\Qoobox\Add-Remove Programs.txt
  • How's your computer running now? Please be as descriptive as possible.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif
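For readers working through a log like the one above, here is a small triage parser for the ComboFix service lines (the "R3 name;display;path [x]" format). It is an added example for this thread, not ComboFix's or the forum's own code; the orphan rule follows Jason's explanation of the [x] marker, while the temp-directory and .tmp checks are assumed review heuristics and the sample lines are a constructed excerpt in the log's format.

```python
"""Triage the service/driver lines of a ComboFix log.

Added example for this thread; it is not ComboFix's or the forum's code.
Each service line in the log has the shape shown above:
    <R|S><start> <name>;<display name>;<image path> [<yyyy-mm-dd> <size>]
and ComboFix prints "[x]" instead of the date/size when the image file
is not on disk, which is the orphan registry entry Jason describes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# R = running, S = stopped; the digit is the SERVICE_*_START value.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) "
    r"\[(?P<meta>x|\d{4}-\d{2}-\d{2} \d+)\]$"
)

# Assumed review heuristics (not from the thread): a driver or service whose
# image sits in a temp directory or carries a .tmp extension deserves a look.
# A hit means "inspect this entry", not "this is malware".
TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass
class ServiceEntry:
    state: str               # "R" running or "S" stopped
    start_type: str          # boot / system / auto / demand / disabled
    name: str
    display: str
    path: str
    orphan: bool             # True when ComboFix printed [x]
    file_date: Optional[str]
    file_size: Optional[int]

    def review_reasons(self) -> List[str]:
        """Return the triage findings for this entry (empty list = nothing notable)."""
        reasons: List[str] = []
        low = self.path.lower()
        if self.orphan:
            reasons.append("orphan entry: registry points to a file that is not on disk")
        if any(marker in low for marker in TEMP_DIR_MARKERS):
            reasons.append("image loads from a temp directory")
        if low.endswith(".tmp"):
            reasons.append("image has a .tmp extension")
        return reasons


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one log line; return None for lines that are not service entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta")
    orphan = meta == "x"
    date, size = (None, None) if orphan else meta.split(" ")
    return ServiceEntry(
        state=m.group("state"),
        start_type=START_TYPES[m.group("start")],
        name=m.group("name"),
        display=m.group("display"),
        path=m.group("path"),
        orphan=orphan,
        file_date=date,
        file_size=None if size is None else int(size),
    )


def parse_log(text: str) -> List[ServiceEntry]:
    """Collect every service entry in a ComboFix log, ignoring all other lines."""
    entries = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def entries_for_review(text: str) -> Dict[str, List[str]]:
    """Map service name -> findings, for entries that have at least one finding."""
    return {e.name: e.review_reasons() for e in parse_log(text) if e.review_reasons()}


# Constructed excerpt in the format of the log above, plus one non-service line.
SAMPLE_LOG = r"""
.
R3 ALSysIO;ALSysIO;c:\users\INFINI~1\AppData\Local\Temp\ALSysIO64.sys [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\55F.tmp [2011-05-12 6144]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMDS64.SYS [2011-05-03 451192]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-22 565352]
"""

if __name__ == "__main__":
    for name, reasons in entries_for_review(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against a full ComboFix.txt, it lists only the entries worth a second look, which is a quicker starting point than reading the whole "R"/"S" block by eye.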




