Infected with Security Shield, DDS Log


60 replies to this topic

#1 SourGrapes

Posted 23 July 2012 - 07:49 PM

Referred from here: http://www.bleepingcomputer.com/forums/topic461825.html ~ OB

DDS Log

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Stacie at 19:28:17 on 2012-07-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5943.4578 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Stacie\AppData\Local\Task List Guru\Task List Guru.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\consent.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/?affID=110195&tt=2912_5&babsrc=HP_ss&mntrId=94ce75620000000000008ca9820e48cf
uURLSearchHooks: YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
TB: {37153479-1976-43C3-A1EE-557513977B64} - No File
uRun: [SpeedTestPro] "C:\Program Files\SpeedTestPro\SpeedTestPro.exe"
uRun: [SwiftToDoList] "C:\Users\Stacie\AppData\Local\Task List Guru\Task List Guru.exe" -minimized
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
StartupFolder: C:\Users\Stacie\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{AC9C7903-2036-4436-B092-FC506CB4B9BA} : DhcpNameServer = 66.174.71.33 66.174.95.44
TCP: Interfaces\{C5F32881-8F1D-4853-BABF-0437F73887FC} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{C5F32881-8F1D-4853-BABF-0437F73887FC}\2375942554339343 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{C5F32881-8F1D-4853-BABF-0437F73887FC}\24F6274656270294E6E60213 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{FEC8AF42-D947-447E-A809-5F2FF4C83853} : DhcpNameServer = 75.116.127.154 75.116.63.154
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
TB-X64: {37153479-1976-43C3-A1EE-557513977B64} - No File
mRun-x64: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Stacie\AppData\Roaming\Mozilla\Firefox\Profiles\uamvunm2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110195&tt=2912_5&babsrc=KW_ss&mntrId=94ce75620000000000008ca9820e48cf&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extensions.BabylonToolbar_i.babTrack, affID=110195&tt=2912_5
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 94ce75620000000000008ca9820e48cf
FF - user.js: extensions.BabylonToolbar_i.hardId - 94ce75620000000000008ca9820e48cf
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15543
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1714:21:18
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-12-12 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-7 250056]
S3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 CASprint;Sprint Con App Svc;"C:\Program Files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe" /n "CASprint" --> C:\Program Files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe [?]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2012-3-27 14216]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2012-3-27 8456]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-12-12 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-6 113120]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-3-5 340240]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2012-4-10 25072]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TurboBoost;TurboBoost;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2009-11-2 126352]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-07-22 19:22:14 -------- d-----w- C:\Program Files (x86)\hpmonitor
2012-07-22 19:21:10 -------- d-----w- C:\Users\Stacie\AppData\Roaming\Babylon
2012-07-22 19:21:10 -------- d-----w- C:\ProgramData\Babylon
2012-07-22 18:29:31 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2012-07-22 02:35:10 626688 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
2012-07-22 02:35:10 548864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
2012-07-22 02:35:10 479232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
2012-07-22 02:35:10 43992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
2012-07-22 00:02:53 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{695DDB3E-2369-4381-9382-AA27CE777620}\mpengine.dll
2012-07-21 23:51:00 9013136 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-13 09:01:30 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-12 22:46:01 1499136 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2012-07-12 22:46:01 1019904 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2012-07-12 22:46:00 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-07-12 22:46:00 61440 ----a-w- C:\Program Files\Common Files\System\ado\msador15.dll
2012-07-12 22:46:00 57344 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msador15.dll
2012-07-12 22:46:00 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
2012-07-12 22:46:00 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
2012-07-12 22:46:00 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
2012-07-12 22:46:00 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
2012-07-12 22:44:02 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-07-12 22:44:01 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-07-12 22:44:01 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-07-12 22:44:00 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-07-12 22:43:59 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
2012-07-12 22:43:59 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2012-07-04 07:16:47 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{791B6396-5900-4798-9955-DDC525A690A1}\gapaengine.dll
2012-06-25 21:10:04 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-25 21:09:53 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-25 21:09:31 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-25 21:09:31 186752 ----a-w- C:\Windows\System32\wuwebv.dll
.
==================== Find3M ====================
.
2012-07-12 21:22:11 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-12 21:22:10 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-05-01 05:40:20 209920 ----a-w- C:\Windows\System32\profsvc.dll
2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
.
============= FINISH: 19:37:39.18 ===============

Edited by Orange Blossom, 29 July 2012 - 12:35 PM.



#2 HelpBot

Posted 29 July 2012 - 02:00 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/462162 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 bloopie

Malware Response Team

Posted 29 July 2012 - 11:56 AM

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

Some things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • Please tell me if you have your original Windows CD/DVD available.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Be sure to copy and paste all logs here, please do not attach them.
  • If you are unsure about any of the steps, please stop and ask me!
  • And finally, please make no further changes to your machine unless instructed to do so, as this could hamper the cleaning process!!

==========

:step1:
I need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, and attach.txt will be minimized.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

==========

:step2:
64-bit machines may skip this step

I also need a log from the GMER anti-rootkit Scanner, please do the following:

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


==========

What I would like to see in your next reply!

  • The DDS log
  • The minimized attach.txt from the DDS scan
  • The GMER log (32-bit machines only)
bloopie

#4 bloopie

Malware Response Team

Posted 30 July 2012 - 12:24 PM

Hello again,

I see you have CCleaner installed; please refrain from using the registry cleaner portion of that program. The registry is delicate and one mistake there could leave your machine unbootable! Those programs are not perfect, nor are they foolproof!

:step1:
Warning!

One or more of the identified infections, ZeroAccess, is a backdoor trojan!

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still wish to go on with the cleaning process, then continue reading:

==========

:step2:
Run Combofix

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
  • Close any open browsers or any other programs that are open.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you C:\Combofix.txt. Please include that in your next reply.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registery key that has been marked for deletion.", please restart the computer.

==========

Please include the log from Combofix (C:\Combofix.txt) in your next reply.

bloopie

#5 SourGrapes (Topic Starter, Members, 43 posts)

Posted 31 July 2012 - 04:18 PM

Thank you! (I am still infected, or at least I believe I am.) I do have the OS Reinstallation DVD and the other discs that came with the laptop when shipped.

Here is the latest DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Stacie at 16:03:07 on 2012-07-31
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5943.4392 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uURLSearchHooks: YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
TB: {37153479-1976-43C3-A1EE-557513977B64} - No File
uRun: [SpeedTestPro] "C:\Program Files\SpeedTestPro\SpeedTestPro.exe"
uRun: [SwiftToDoList] "C:\Users\Stacie\AppData\Local\Task List Guru\Task List Guru.exe" -minimized
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
StartupFolder: C:\Users\Stacie\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{AC9C7903-2036-4436-B092-FC506CB4B9BA} : DhcpNameServer = 66.174.71.33 66.174.95.44
TCP: Interfaces\{C5F32881-8F1D-4853-BABF-0437F73887FC} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{C5F32881-8F1D-4853-BABF-0437F73887FC}\2375942554339343 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{C5F32881-8F1D-4853-BABF-0437F73887FC}\24F6274656270294E6E60213 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{FEC8AF42-D947-447E-A809-5F2FF4C83853} : DhcpNameServer = 75.116.127.154 75.116.63.154
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
TB-X64: {37153479-1976-43C3-A1EE-557513977B64} - No File
mRun-x64: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Stacie\AppData\Roaming\Mozilla\Firefox\Profiles\uamvunm2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110195&tt=2912_5&babsrc=KW_ss&mntrId=94ce75620000000000008ca9820e48cf&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_268.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extensions.BabylonToolbar_i.babTrack, affID=110195&tt=2912_5
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 94ce75620000000000008ca9820e48cf
FF - user.js: extensions.BabylonToolbar_i.hardId - 94ce75620000000000008ca9820e48cf
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15543
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1714:21:18
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2012-7-25 681056]
R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-12-12 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-7 250056]
S3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 CASprint;Sprint Con App Svc;"C:\Program Files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe" /n "CASprint" --> C:\Program Files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe [?]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2012-3-27 14216]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2012-3-27 8456]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-12-12 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-6 113120]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-3-5 340240]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2012-4-10 25072]
S3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2012-7-25 1326176]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TurboBoost;TurboBoost;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2009-11-2 126352]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-07-27 20:39:16 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2012-07-27 20:39:16 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
2012-07-27 20:12:03 -------- d-----w- C:\Users\Stacie\AppData\Local\Secunia PSI
2012-07-27 20:11:35 -------- d-----w- C:\Program Files (x86)\Secunia
2012-07-27 20:06:02 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6734BF10-4A34-45E5-AF39-1AB37432C6BC}\offreg.dll
2012-07-27 10:35:49 328704 ----a-w- C:\Windows\System32\services.exe.C5BD94CE888A7AD8
2012-07-27 10:32:50 328704 ----a-w- C:\Windows\System32\services.exe.4A64ECBBE70F8C94
2012-07-27 10:29:23 328704 ----a-w- C:\Windows\System32\services.exe.939E51EB11A59637
2012-07-27 10:26:32 328704 ----a-w- C:\Windows\System32\services.exe.F3742CF0AB02C375
2012-07-27 10:23:02 328704 ----a-w- C:\Windows\System32\services.exe.4C710F464EBEA74C
2012-07-27 10:20:33 328704 ----a-w- C:\Windows\System32\services.exe.A6932E5EC48C4A35
2012-07-27 10:18:02 328704 ----a-w- C:\Windows\System32\services.exe.ABCD36C67F038783
2012-07-27 10:04:17 328704 ----a-w- C:\Windows\System32\services.exe.ED7872B1181B2684
2012-07-27 09:43:13 328704 ----a-w- C:\Windows\System32\services.exe.7152222E0FBF7A72
2012-07-27 09:41:43 927800 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{33713BA8-B2C7-4FB5-8C8A-934184A54266}\gapaengine.dll
2012-07-27 09:41:07 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6734BF10-4A34-45E5-AF39-1AB37432C6BC}\mpengine.dll
2012-07-27 09:26:41 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-07-27 09:26:39 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-07-27 09:24:18 -------- d-----w- C:\5635117269da0e89e27b13610c1d8d
2012-07-27 08:19:52 9821896 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-07-27 07:56:27 68576 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
2012-07-27 07:56:27 573920 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2012-07-27 07:56:27 157608 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-07-27 07:56:27 113120 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-07-25 06:30:52 -------- d-----w- C:\Users\Stacie\AppData\Local\{94E29254-2BE0-4AE8-8555-2F9290CA3A07}
2012-07-22 19:22:14 -------- d-----w- C:\Program Files (x86)\hpmonitor
2012-07-22 19:21:10 -------- d-----w- C:\Users\Stacie\AppData\Roaming\Babylon
2012-07-22 19:21:10 -------- d-----w- C:\ProgramData\Babylon
2012-07-22 18:29:31 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2012-07-13 09:01:30 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-12 22:46:01 1499136 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2012-07-12 22:46:01 1019904 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2012-07-12 22:46:00 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-07-12 22:46:00 61440 ----a-w- C:\Program Files\Common Files\System\ado\msador15.dll
2012-07-12 22:46:00 57344 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msador15.dll
2012-07-12 22:46:00 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
2012-07-12 22:46:00 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
2012-07-12 22:46:00 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
2012-07-12 22:46:00 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
2012-07-12 22:44:02 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-07-12 22:44:01 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-07-12 22:44:01 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-07-12 22:44:00 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-07-12 22:43:59 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
2012-07-12 22:43:59 2048 ----a-w- C:\Windows\System32\msxml3r.dll
.
==================== Find3M ====================
.
2012-07-27 10:38:30 328704 ----a-w- C:\Windows\System32\services.exe
2012-07-27 09:22:57 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-27 09:22:57 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 20:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 20:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
.
============= FINISH: 16:12:44.31 ===============

#6 SourGrapes (Topic Starter, Members, 43 posts)

Posted 31 July 2012 - 04:39 PM

Bloopie,

I posted the above DDS log, prior to reading your most recent reply.

About the CCleaner. Should I not use it and simply delete it, or are the benefits of the other cleaning functions worth keeping?

As far as reinstalling versus cleaning the computer, I would like to have a computer that I can trust; therefore, I should probably go the route of reinstalling the OS (I'd need help, as I wouldn't know where to begin with all of the software Dell had preinstalled on my laptop).

One thing: I do have school papers and media (mostly photos) on the hard drive. Is there a way to save all of them without having to worry about those files being infected? If not, then I should probably get busy printing up all my papers and resources, and save the photos to an online photo album. Right? Or is there a simpler way to do all of this?

Can you tell me (about) how long it will take to reformat and reinstall everything? I'm late getting a paper in for class, since this computer issue has me so frustrated; so I'd like to give my professor some sort of time-frame for me to be fully-functional again.

Plus, will I need another computer, or internet access for any of the reformatting? (If so, I'll borrow my husband's.)

I can't tell you how incredibly grateful I am that you are helping me. Even with the bad news, at least I now know. I began to think the virus (or whatever I had caught) was taken care of with my MSE and MBAB, but I was still having occasional weird things happening (audio playing in the background, even though I can't find any open windows with an audio/video feed; Home keeps getting routed to Babylon Search; and a few other random issues). At the moment, it appears all of my Library folders and subfolders are gone (all the 'my videos', 'my photos', etc.). I was able to pull up a couple of things going the WE route, so I don't think the files and contents of the folders are gone. I hope they aren't.

Thank you!

#7 SourGrapes (Topic Starter, Members, 43 posts)

Posted 01 August 2012 - 03:58 AM

All my folders, including photos and various media and documents, are all empty; however, the properties of My Pictures show over 4GB. Is everything really gone? Is there a way to get any of it back? :-(

#8 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, Location: New York)

Posted 01 August 2012 - 11:17 AM

Hello again,

I can't tell you how incredibly grateful I am that you are helping me.

It is my pleasure! :)

As far as reinstalling versus cleaning the computer, I would like to have a computer that I can trust; therefore, I should probably go the route of reinstalling the OS

A wise choice, but if you'd like to back up your files I suggest we continue with the cleaning process to prevent re-infection after the reformat.

Can you tell me (about) how long it will take to reformat and reinstall everything?

This would be hard to tell. It really depends on what you have to reinstall. Normally when choosing the "quick format" option, it should only take a couple of minutes. The "full format" option may take a few hours.

Reinstallation of Windows should take about an hour or two if you're watching the progress. Installing the programs that you would like on the reformatted machine could take a while, depending on how many of them you want and/or need.

I began to think the virus (or whatever I had caught) was taken care of with my MSE and MBAB

No, your rootkit has taken hold of your machine again, judging by your latest DDS log. My suggestion is to go ahead and run Combofix with the instructions in Post #4, step 2.

==========

I can give some good links with reformatting instructions after we clean up. Sound good?

bloopie
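To show which lines of the DDS log posted above support the helper's reading (the repeated services.exe.<hex> copies in System32, the hidden %APPDATA% directory under System32, and the Babylon entries behind the "Home keeps getting routed to Babylon Search" symptom), here is an added Python checker that is not part of DDS, ComboFix, or this thread. Its heuristics are taken only from the log lines in this thread and are not a vendor signature; the sample lines are a constructed subset of that log, assumed to be in the same DDS format.

```python
"""Scan DDS log lines for the entries this thread's helper pointed at.

Added example, not part of DDS, ComboFix, or the thread. The heuristics are
derived only from the log posted in this thread (duplicate services.exe.<hex>
copies, a hidden '%APPDATA%' directory under System32, the Babylon search
hijack in prefs.js/user.js); they are not a vendor signature for ZeroAccess.
"""
import re
from collections import defaultdict

# DDS "Created Last 30" / "Find3M" line: <date> <time> <size|--------> <attrs> <path>
CREATED_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# services.exe followed by a 16-hex-digit suffix, as seen in this thread's log
SERVICES_COPY = re.compile(r"\\services\.exe\.[0-9A-F]{16}$", re.IGNORECASE)

# Constructed subset of the DDS log posted above (same line format assumed).
SAMPLE_LOG = r"""
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110195&q=
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
2012-07-27 10:35:49 328704 ----a-w- C:\Windows\System32\services.exe.C5BD94CE888A7AD8
2012-07-27 10:32:50 328704 ----a-w- C:\Windows\System32\services.exe.4A64ECBBE70F8C94
2012-07-27 09:43:13 328704 ----a-w- C:\Windows\System32\services.exe.7152222E0FBF7A72
2012-07-27 09:26:39 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-07-22 18:29:31 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2012-07-27 10:38:30 328704 ----a-w- C:\Windows\System32\services.exe
"""


def parse_file_entries(lines):
    """Yield the parsed fields of every line in DDS created-file format."""
    for line in lines:
        m = CREATED_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def find_indicators(lines):
    """Return {indicator_name: [matching paths or lines]} for the log lines."""
    hits = defaultdict(list)
    for entry in parse_file_entries(lines):
        path, attrs = entry["path"], entry["attrs"]
        if SERVICES_COPY.search(path):
            hits["services_exe_copy"].append(path)
        # A directory literally named %APPDATA% under System32, carrying the
        # hidden+system attributes (d-sh) that the log shows for it.
        if "\\system32\\%appdata%" in path.lower() and attrs.startswith("d-sh"):
            hits["hidden_appdata_dir"].append(path)
    for line in lines:
        low = line.strip().lower()
        if low.startswith("ff - prefs.js: keyword.url") and "search.babylon.com" in low:
            hits["search_hijack"].append(line.strip())
        if low.startswith("ff - user.js: extensions.babylontoolbar"):
            hits["babylon_userjs"].append(line.strip())
    return dict(hits)


def assess(hits):
    """Turn raw hits into the findings a helper would report back."""
    findings = []
    copies = len(hits.get("services_exe_copy", []))
    if copies >= 2:
        findings.append(
            f"{copies} services.exe.<hex> copies in System32: services.exe was "
            "replaced repeatedly, consistent with the rootkit taking hold again")
    if hits.get("hidden_appdata_dir"):
        findings.append("hidden+system directory named %APPDATA% inside System32")
    if hits.get("search_hijack") or hits.get("babylon_userjs"):
        findings.append("Firefox search/home page redirected to Babylon (browser hijack)")
    return findings


if __name__ == "__main__":
    for finding in assess(find_indicators(SAMPLE_LOG.splitlines())):
        print("-", finding)
```

Running it on the full log from post #5 instead of the sample flags all nine services.exe.<hex> copies from 27 July; the plain C:\Windows\System32\services.exe entry in the Find3M section is deliberately not matched.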

#9 SourGrapes (Topic Starter, Members, 43 posts)

Posted 01 August 2012 - 07:26 PM

12-07-31.03 - Stacie 08/01/2012 18:19:24.4.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5943.4343 [GMT -5:00]
Running from: c:\users\Stacie\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-01 to 2012-08-01 )))))))))))))))))))))))))))))))
.
.
2012-08-01 23:53 . 2012-08-01 23:53 -------- d-----w- c:\users\Mom\AppData\Local\temp
2012-08-01 23:53 . 2012-08-01 23:53 -------- d-----w- c:\users\Family\AppData\Local\temp
2012-08-01 23:53 . 2012-08-01 23:53 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2012-08-01 23:53 . 2012-08-01 23:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-01 23:10 . 2012-08-01 23:10 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AD819871-2929-4B5F-93CA-2A3EE87FE1FF}\offreg.dll
2012-08-01 23:01 . 2012-07-16 07:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AD819871-2929-4B5F-93CA-2A3EE87FE1FF}\mpengine.dll
2012-07-27 20:39 . 2012-07-14 00:16 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-07-27 20:39 . 2012-07-14 00:16 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-07-27 20:12 . 2012-07-27 20:12 -------- d-----w- c:\users\Stacie\AppData\Local\Secunia PSI
2012-07-27 20:11 . 2012-07-27 20:11 -------- d-----w- c:\program files (x86)\Secunia
2012-07-27 10:35 . 2012-07-27 10:35 328704 ----a-w- c:\windows\system32\services.exe.C5BD94CE888A7AD8
2012-07-27 10:32 . 2012-07-27 10:32 328704 ----a-w- c:\windows\system32\services.exe.4A64ECBBE70F8C94
2012-07-27 10:29 . 2012-07-27 10:29 328704 ----a-w- c:\windows\system32\services.exe.939E51EB11A59637
2012-07-27 10:26 . 2012-07-27 10:26 328704 ----a-w- c:\windows\system32\services.exe.F3742CF0AB02C375
2012-07-27 10:23 . 2012-07-27 10:23 328704 ----a-w- c:\windows\system32\services.exe.4C710F464EBEA74C
2012-07-27 10:20 . 2012-07-27 10:20 328704 ----a-w- c:\windows\system32\services.exe.A6932E5EC48C4A35
2012-07-27 10:18 . 2012-07-27 10:18 328704 ----a-w- c:\windows\system32\services.exe.ABCD36C67F038783
2012-07-27 10:04 . 2012-07-27 10:04 328704 ----a-w- c:\windows\system32\services.exe.ED7872B1181B2684
2012-07-27 09:43 . 2012-07-27 09:43 328704 ----a-w- c:\windows\system32\services.exe.7152222E0FBF7A72
2012-07-27 09:41 . 2012-02-09 19:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{33713BA8-B2C7-4FB5-8C8A-934184A54266}\gapaengine.dll
2012-07-27 09:26 . 2012-07-27 09:26 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-07-27 09:26 . 2012-07-27 09:26 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-27 09:24 . 2012-07-27 09:24 -------- d-----w- C:\5635117269da0e89e27b13610c1d8d
2012-07-27 08:19 . 2012-07-27 09:22 9821896 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-07-27 07:56 . 2012-07-14 00:17 68576 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-07-27 07:56 . 2012-07-14 00:17 573920 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-07-27 07:56 . 2012-07-14 00:17 157608 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-07-27 07:56 . 2012-07-14 00:17 113120 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-07-27 06:47 . 2012-07-27 06:47 -------- d-----w- c:\users\Family\AppData\Roaming\Yahoo!
2012-07-22 19:22 . 2012-07-22 19:37 -------- d-----w- c:\program files (x86)\hpmonitor
2012-07-22 19:21 . 2012-07-22 19:21 247 ----a-w- C:\user.js
2012-07-22 19:21 . 2012-07-22 19:21 -------- d-----w- c:\users\Stacie\AppData\Roaming\Babylon
2012-07-22 19:21 . 2012-07-22 19:21 -------- d-----w- c:\programdata\Babylon
2012-07-22 18:29 . 2012-07-22 18:29 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-13 09:01 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-12 22:46 . 2012-06-06 06:05 1499136 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-12 22:46 . 2012-06-06 05:05 1019904 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
2012-07-12 22:46 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-07-12 22:46 . 2012-06-06 06:05 61440 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
2012-07-12 22:46 . 2012-06-06 06:05 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2012-07-12 22:46 . 2012-06-06 06:05 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2012-07-12 22:46 . 2012-06-06 05:05 57344 ----a-w- c:\program files (x86)\Common Files\System\ado\msador15.dll
2012-07-12 22:46 . 2012-06-06 05:05 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
2012-07-12 22:46 . 2012-06-06 05:03 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-07-12 22:44 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-07-12 22:44 . 2012-06-06 06:06 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-07-12 22:44 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-07-12 22:44 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-07-12 22:43 . 2010-06-26 03:55 2048 ----a-w- c:\windows\system32\msxml3r.dll
2012-07-12 22:43 . 2010-06-26 03:24 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2012-07-12 22:43 . 2012-06-09 05:43 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-07-07 05:28 . 2012-07-21 23:50 -------- d-----w- c:\users\DefaultAppPool.IIS APPPOOL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-27 10:38 . 2009-07-13 23:19 328704 ----a-w- c:\windows\system32\services.exe
2012-07-27 09:22 . 2012-04-07 23:28 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-27 09:22 . 2011-06-17 05:12 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-13 08:03 . 2011-07-07 01:16 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-02 22:19 . 2012-06-25 21:09 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-25 21:10 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-25 21:10 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-25 21:10 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-25 21:09 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-25 21:10 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-25 21:09 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-25 21:09 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:15 . 2012-06-25 21:09 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-04 11:06 . 2012-06-13 17:42 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-13 17:42 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-13 17:42 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-01_18.54.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-06-14 17:24 . 2012-08-01 19:16 35046 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-01 23:01 36488 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-06-14 18:43 . 2012-08-01 23:01 11830 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2252547773-1828592009-4238387167-1001_UserData.bin
- 2012-07-27 20:04 . 2012-08-01 18:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-01 21:40 . 2012-08-01 22:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-01 21:40 . 2012-08-01 22:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-27 20:04 . 2012-08-01 18:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-06-14 18:25 . 2012-08-01 21:00 372298 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2012-07-31 22:57 714574 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-01 23:04 714574 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-07-31 22:57 139586 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-08-01 23:04 139586 c:\windows\system32\perfc009.dat
+ 2012-07-25 19:00 . 2012-08-01 21:12 110008 c:\windows\system32\GDIPFONTCACHEV1.DAT
- 2012-07-25 19:00 . 2012-07-31 21:10 110008 c:\windows\system32\GDIPFONTCACHEV1.DAT
- 2009-07-14 05:01 . 2012-07-27 19:08 391500 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-08-01 21:11 391500 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-06-17 08:19 . 2012-08-01 21:11 46158140 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2252547773-1828592009-4238387167-1001-8192.dat
- 2011-06-17 08:19 . 2012-07-27 19:08 46158140 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2252547773-1828592009-4238387167-1001-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll" [2011-10-06 2015544]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTestPro"="c:\program files\SpeedTestPro\SpeedTestPro.exe" [BU]
"SwiftToDoList"="c:\users\Stacie\AppData\Local\Task List Guru\Task List Guru.exe" [2012-05-17 8549352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [BU]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
.
c:\users\Stacie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-12-29 1082656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-13 136176]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-27 250056]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-03-30 53800]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-30 35104]
R3 CASprint;Sprint Con App Svc;c:\program files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe [x]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-07-29 16776]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-07-29 9096]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-13 136176]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-14 113120]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2010-03-05 340240]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2012-04-10 25072]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 17976]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
R3 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2012-07-25 1326176]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-06-17 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe [2012-07-25 681056]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2009-11-02 13784]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-18 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-08-30 289280]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-03-18 7680512]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 09:22]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-13 02:39]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-13 02:39]
.
2012-07-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
2012-08-01 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-03-05 1928976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-11 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-11 392984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-11 417560]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Stacie\AppData\Roaming\Mozilla\Firefox\Profiles\uamvunm2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110195&tt=2912_5&babsrc=KW_ss&mntrId=94ce75620000000000008ca9820e48cf&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extensions.BabylonToolbar_i.babTrack, affID=110195&tt=2912_5
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 94ce75620000000000008ca9820e48cf
FF - user.js: extensions.BabylonToolbar_i.hardId - 94ce75620000000000008ca9820e48cf
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15543
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1714:21
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{37153479-1976-43C3-A1EE-557513977B64} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-01 19:13:49
ComboFix-quarantined-files.txt 2012-08-02 00:13
ComboFix2.txt 2012-08-01 22:53
.
Pre-Run: 550,322,741,248 bytes free
Post-Run: 550,014,423,040 bytes free
.
- - End Of File - - 5C170998C4954E3D1CD0B0C1C6B345D5

#10 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York
  • Local time:12:35 AM

Posted 01 August 2012 - 10:37 PM

Hello again,

There are a few things we need to do:

Step 1:
SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Link 1
Link 2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
filefind:
services.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

==========

Step 2:
Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

==========

Please include the following in your next reply:

The SystemLook report.
The FSS report.

bloopie

Edited by bloopie, 01 August 2012 - 10:52 PM.


#11 SourGrapes

SourGrapes
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Female
  • Local time:11:35 PM

Posted 02 August 2012 - 03:53 AM

This is what I got with the Lookup:

SystemLook 30.07.11 by jpshortstuff
Log created at 03:52 on 02/08/2012 by Stacie
Administrator - Elevation successful

No Context: filefind:

No Context: services.*


Here is the Log for Farbar:

Farbar Service Scanner Version: 26-07-2012
Ran by Stacie (administrator) on 02-08-2012 at 03:55:03
Running from "C:\Users\Stacie\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

Edited by SourGrapes, 02 August 2012 - 03:57 AM.
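
The service-configuration checks that the FSS log above performs (Start type, ImagePath, ServiceDll, and the Windows Defender DisableAntiSpyware policy), re-implemented as an added example; this is not Farbar's code. Only WinDefend's Auto default is stated in the log; the stock Windows 7 values assumed for BITS, SharedAccess and the svchost ImagePaths, and the `read_live_registry` helper, are this example's assumptions.

```python
"""Re-check the service configuration that Farbar Service Scanner reports.

Added example, not FSS itself.  The comparison is pure Python so it runs
anywhere against a constructed snapshot; the registry reader is Windows only.
"""
import sys

START_NAMES = {0: "Boot", 1: "System", 2: "Auto", 3: "Demand", 4: "Disabled"}

# Expected stock Windows 7 configuration.  WinDefend defaulting to Auto is
# what the FSS log states; the other values are this example's assumptions.
EXPECTED = {
    "BITS": {
        "Start": 2,
        "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
        "ServiceDll": r"%SystemRoot%\System32\qmgr.dll",
    },
    "WinDefend": {
        "Start": 2,
        "ImagePath": r"%SystemRoot%\System32\svchost.exe -k secsvcs",
        "ServiceDll": r"%ProgramFiles%\Windows Defender\MpSvc.dll",
    },
    "SharedAccess": {
        "Start": 2,
        "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
        "ServiceDll": r"%SystemRoot%\System32\ipnathlp.dll",
    },
}

# Constructed snapshot reproducing what the FSS log found on this PC: BITS has
# no Start value at all, WinDefend was switched to Demand, SharedAccess is
# untouched.  None stands for "the value does not exist".
SAMPLE = {
    "BITS": dict(EXPECTED["BITS"], Start=None),
    "WinDefend": dict(EXPECTED["WinDefend"], Start=3),
    "SharedAccess": dict(EXPECTED["SharedAccess"]),
}
SAMPLE_DISABLE_ANTISPYWARE = 1  # the policy value FSS printed above


def check_service(name, observed, expected=EXPECTED):
    """Return a list of findings for one service; an empty list means stock."""
    want = expected[name]
    findings = []
    start = observed.get("Start")
    if start is None:
        findings.append(f"{name}: Start value does not exist")
    elif start != want["Start"]:
        findings.append(f"{name}: start type is {START_NAMES.get(start, start)}, "
                        f"default is {START_NAMES[want['Start']]}")
    for value in ("ImagePath", "ServiceDll"):
        data = observed.get(value)
        if data is None:
            findings.append(f"{name}: {value} value does not exist")
        elif data.strip('"').lower() != want[value].lower():
            # A redirected ImagePath/ServiceDll keeps the service name while
            # loading someone else's code, so it is reported as a finding.
            findings.append(f"{name}: {value} is {data!r}, expected {want[value]!r}")
    return findings


def check_defender_policy(disable_antispyware):
    """DisableAntiSpyware=1 under HKLM\\SOFTWARE\\Microsoft\\Windows Defender
    switches Defender off by policy; FSS prints that key when it is set."""
    if disable_antispyware == 1:
        return ["Windows Defender disabled by policy (DisableAntiSpyware=1)"]
    return []


def check_all(snapshot, disable_antispyware):
    """Run every check over a snapshot and return the combined findings."""
    findings = []
    for name in snapshot:
        findings.extend(check_service(name, snapshot[name]))
    findings.extend(check_defender_policy(disable_antispyware))
    return findings


def read_live_registry(names=tuple(EXPECTED)):
    """Windows only (assumed helper): read the same values from the registry."""
    import winreg  # absent on other platforms

    def query(subkey, value):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                return winreg.QueryValueEx(key, value)[0]
        except OSError:
            return None  # key or value does not exist

    snapshot = {}
    for name in names:
        base = "SYSTEM\\CurrentControlSet\\Services\\" + name
        snapshot[name] = {
            "Start": query(base, "Start"),
            "ImagePath": query(base, "ImagePath"),
            "ServiceDll": query(base + "\\Parameters", "ServiceDll"),
        }
    policy = query("SOFTWARE\\Microsoft\\Windows Defender", "DisableAntiSpyware")
    return snapshot, policy


if __name__ == "__main__":
    if sys.platform == "win32":
        snapshot, policy = read_live_registry()
    else:
        snapshot, policy = SAMPLE, SAMPLE_DISABLE_ANTISPYWARE
    for line in check_all(snapshot, policy) or ["All checked services look stock"]:
        print(line)
```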


#12 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York
  • Local time:12:35 AM

Posted 02 August 2012 - 09:48 AM

Hi again,

Okay, I made a syntax mistake in my last SystemLook post, but let's use another technique:

Run FRST by Farbar

You will need the use of a thumb/flashdrive to complete the next steps:

For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your next reply.
bloopie

Edited by bloopie, 02 August 2012 - 07:00 PM.


#13 SourGrapes

SourGrapes
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Female
  • Local time:11:35 PM

Posted 03 August 2012 - 12:44 AM

Copy of FRST log:

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 03-08-2012 00:34:11
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1928976 2010-03-05] (Intel® Corporation)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167704 2012-01-10] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [392984 2012-01-10] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [417560 2012-01-10] (Intel Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [x]
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKU\Family\...\Policies\system: [LogonHoursAction] 2
HKU\Family\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Mom\...\Run: [DW6] "C:\Program Files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe" [x]
HKU\Mom\...\Policies\system: [LogonHoursAction] 2
HKU\Mom\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Stacie\...\Run: [SpeedTestPro] "C:\Program Files\SpeedTestPro\SpeedTestPro.exe" [x]
HKU\Stacie\...\Run: [SwiftToDoList] "C:\Users\Stacie\AppData\Local\Task List Guru\Task List Guru.exe" -minimized [8549352 2012-05-16] (Dextronet)
HKU\Stacie\...\Policies\system: [LogonHoursAction] 2
HKU\Stacie\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\Stacie\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ======

2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()
2 NetPipeActivator; "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" [116560 2009-06-10] (Microsoft Corporation)
2 NetTcpActivator; "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" [116560 2009-06-10] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
3 CASprint; "C:\Program Files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe" /n "CASprint" [x]
3 SprintRcAppSvc; "C:\Program Files (x86)\Sprint\Sprint SmartView\RcAppSvc.exe" /n "SprintRcAppSvc" [x]

========================== Drivers (Whitelisted) =============

3 epmntdrv; \??\C:\Windows\system32\epmntdrv.sys [16776 2011-07-29] ()
3 EuGdiDrv; \??\C:\Windows\system32\EuGdiDrv.sys [9096 2011-07-29] ()
3 swmsflt; C:\Windows\System32\Drivers\swmsflt.sys [28808 2008-10-15] ()
3 swmsflt; C:\Windows\SysWow64\Drivers\swmsflt.sys [28808 2008-10-15] ()
3 SWNC5E00; C:\Windows\System32\Drivers\SWNC5E00.sys [202248 2008-10-15] (Sierra Wireless Inc.)
2 TurboB; C:\Windows\System32\Drivers\TurboB.sys [13784 2009-11-02] ()
3 catchme; \??\C:\Users\Stacie\AppData\Local\Temp\catchme.sys [x]
3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]
3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-02 20:45 - 2012-08-02 20:45 - 01438391 ____A (Farbar) C:\Users\Stacie\Desktop\FRST64.exe
2012-08-01 19:14 - 2012-08-01 19:14 - 00311808 ____A C:\Users\Stacie\AppData\Local\vhefjt.exe
2012-08-01 16:14 - 2012-08-01 16:14 - 00023885 ____A C:\ComboFix.txt
2012-08-01 15:12 - 2012-08-01 16:14 - 00000000 ____D C:\ComboFix
2012-08-01 10:52 - 2012-08-02 20:58 - 00327680 ____A C:\Windows\System32\Ikeext.etl
2012-08-01 08:29 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-01 08:29 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-01 08:29 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-01 08:29 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-01 08:29 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-01 08:29 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-01 08:29 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-01 08:26 - 2012-08-01 16:14 - 00000000 ____D C:\Qoobox
2012-08-01 08:25 - 2012-08-01 14:33 - 00000000 ____D C:\Windows\erdnt
2012-07-27 12:12 - 2012-07-27 12:12 - 00000000 ____D C:\Users\Stacie\AppData\Local\Secunia PSI
2012-07-27 12:11 - 2012-07-27 12:11 - 00000000 ____D C:\Program Files (x86)\Secunia
2012-07-27 12:09 - 2012-07-27 12:10 - 03098616 ____A (Secunia) C:\Users\Stacie\Desktop\PSISetup.exe
2012-07-27 11:16 - 2012-07-27 11:18 - 00000361 ____A C:\rkill.log
2012-07-27 11:14 - 2012-07-27 11:14 - 01012656 ____A C:\Users\Stacie\Desktop\iExplore.exe
2012-07-27 11:13 - 2012-07-27 11:13 - 01012656 ____A C:\Users\Stacie\Desktop\rkill.exe
2012-07-27 02:36 - 2012-07-27 02:22 - 00426163 ____A C:\Users\Stacie\Desktop\Windows6.1-KB976586-x86-1.msu
2012-07-27 02:36 - 2012-07-27 02:21 - 00426163 ____A C:\Users\Stacie\Desktop\Windows6.1-KB976586-x86.msu
2012-07-27 02:35 - 2012-07-27 02:35 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C5BD94CE888A7AD8
2012-07-27 02:32 - 2012-07-27 02:32 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4A64ECBBE70F8C94
2012-07-27 02:29 - 2012-07-27 02:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.939E51EB11A59637
2012-07-27 02:26 - 2012-07-27 02:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F3742CF0AB02C375
2012-07-27 02:23 - 2012-07-27 02:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4C710F464EBEA74C
2012-07-27 02:20 - 2012-07-27 02:20 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A6932E5EC48C4A35
2012-07-27 02:18 - 2012-07-27 02:18 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ABCD36C67F038783
2012-07-27 02:04 - 2012-07-27 02:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ED7872B1181B2684
2012-07-27 01:43 - 2012-07-27 01:43 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7152222E0FBF7A72
2012-07-27 01:26 - 2012-07-27 01:26 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-27 01:26 - 2012-07-27 01:26 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-07-27 01:24 - 2012-07-27 01:24 - 00000000 ____D C:\5635117269da0e89e27b13610c1d8d
2012-07-27 00:19 - 2012-07-27 01:22 - 09821896 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-07-26 22:47 - 2012-07-26 22:47 - 00000000 ____D C:\Users\Family\AppData\Roaming\Yahoo!
2012-07-25 11:00 - 2012-08-02 19:27 - 00110008 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2012-07-24 22:56 - 2012-07-24 22:57 - 12621696 ____A (Microsoft Corporation) C:\Users\Stacie\Desktop\mseinstall.exe
2012-07-24 22:30 - 2012-07-24 22:31 - 00000000 ____D C:\Users\Stacie\AppData\Local\{94E29254-2BE0-4AE8-8555-2F9290CA3A07}
2012-07-24 21:06 - 2012-07-24 21:06 - 04337721 ____A C:\Users\Stacie\Desktop\Bartz Party Supplies.xps
2012-07-23 16:49 - 2012-07-23 16:49 - 00000000 ____A C:\Users\Stacie\defogger_reenable
2012-07-22 13:56 - 2012-07-22 14:12 - 158429236 ____A C:\Users\Stacie\Desktop\audio study tools for cb3.zip
2012-07-22 13:56 - 2012-07-22 13:57 - 00413184 ____A C:\Users\Stacie\Desktop\docs study tools for cb3.zip
2012-07-22 11:22 - 2012-07-22 11:37 - 00000000 ____D C:\Program Files (x86)\hpmonitor
2012-07-22 11:21 - 2012-07-22 11:21 - 00000247 ____A C:\user.js
2012-07-22 11:21 - 2012-07-22 11:21 - 00000000 ____D C:\Users\Stacie\AppData\Roaming\Babylon
2012-07-22 11:21 - 2012-07-22 11:21 - 00000000 ____D C:\Users\All Users\Babylon
2012-07-22 11:19 - 2012-07-22 11:19 - 01759445 ____A C:\Users\Stacie\Desktop\extractor_setup.exe
2012-07-22 10:29 - 2012-07-22 10:29 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-21 21:43 - 2012-07-21 21:48 - 00005926 ____A C:\Users\Stacie\Downloads\rarkey.rar
2012-07-21 21:03 - 2012-07-21 21:03 - 00403395 ____A (Farbar) C:\Users\Stacie\Downloads\MiniToolBox.exe
2012-07-21 19:07 - 2012-07-27 11:07 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-21 18:30 - 2012-07-27 12:39 - 00001136 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-07-21 15:33 - 2012-07-21 15:33 - 00000096 ___AH C:\Users\All Users\-W3lnGFb9QAKW8hr
2012-07-21 15:33 - 2012-07-21 15:33 - 00000096 ___AH C:\Users\All Users\-W3lnGFb9QAKW8h
2012-07-16 19:11 - 2012-07-16 19:11 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\Stacie\Desktop\TDSSKiller.exe
2012-07-13 23:28 - 2012-07-13 23:28 - 01179580 ___AH C:\Users\Stacie\Desktop\Study Audio Files for CB3.zip
2012-07-13 23:28 - 2012-07-13 23:28 - 00413184 ___AH C:\Users\Stacie\Desktop\Study Docs for CB3.zip
2012-07-13 01:01 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-13 00:01 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-13 00:01 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-13 00:01 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-13 00:01 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-13 00:01 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-13 00:01 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-13 00:01 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-13 00:01 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-13 00:01 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-13 00:01 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-13 00:01 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-13 00:01 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-13 00:01 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-13 00:01 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-13 00:01 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-07-13 00:01 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-07-13 00:01 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-07-13 00:01 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-07-13 00:01 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-07-13 00:01 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-07-13 00:01 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-07-13 00:01 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-07-13 00:01 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-07-13 00:01 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-07-13 00:01 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-07-13 00:01 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-07-13 00:01 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-07-13 00:01 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-07-12 14:46 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-07-12 14:45 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-12 14:45 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-12 14:45 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-12 14:45 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-12 14:45 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-12 14:45 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-12 14:45 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-12 14:45 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-12 14:45 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-07-12 14:45 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-07-12 14:44 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-12 14:44 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-12 14:44 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-12 14:44 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-12 14:43 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-12 14:43 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-12 14:43 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-12 14:43 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2012-07-06 21:28 - 2012-07-21 15:50 - 00000000 ____D C:\users\DefaultAppPool.IIS APPPOOL
2012-07-06 21:28 - 2012-07-06 21:28 - 00000020 ___SH C:\Users\DefaultAppPool.IIS APPPOOL\ntuser.ini
2012-07-06 21:28 - 2011-06-19 00:00 - 00000000 ____D C:\Users\DefaultAppPool.IIS APPPOOL\AppData\Local\Microsoft Help


============ 3 Months Modified Files ========================

2012-08-02 20:58 - 2012-08-01 10:52 - 00327680 ____A C:\Windows\System32\Ikeext.etl
2012-08-02 20:58 - 2012-06-01 11:00 - 00004300 ____A C:\Windows\setupact.log
2012-08-02 20:58 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-02 20:57 - 2009-07-13 21:10 - 01751669 ____A C:\Windows\WindowsUpdate.log
2012-08-02 20:57 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-02 20:57 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-02 20:56 - 2009-07-13 21:13 - 00852934 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-02 20:54 - 2012-04-17 12:08 - 00000506 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2012-08-02 20:45 - 2012-08-02 20:45 - 01438391 ____A (Farbar) C:\Users\Stacie\Desktop\FRST64.exe
2012-08-02 20:19 - 2012-04-07 15:28 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-02 20:16 - 2011-12-12 18:39 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-02 19:27 - 2012-07-25 11:00 - 00110008 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2012-08-02 18:39 - 2011-12-12 18:39 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-01 19:14 - 2012-08-01 19:14 - 00311808 ____A C:\Users\Stacie\AppData\Local\vhefjt.exe
2012-08-01 16:15 - 2012-06-03 12:49 - 00007974 ____A C:\Windows\PFRO.log
2012-08-01 16:14 - 2012-08-01 16:14 - 00023885 ____A C:\ComboFix.txt
2012-08-01 15:55 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-07-28 01:19 - 2009-07-13 21:08 - 00032576 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-27 12:39 - 2012-07-21 18:30 - 00001136 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-07-27 12:10 - 2012-07-27 12:09 - 03098616 ____A (Secunia) C:\Users\Stacie\Desktop\PSISetup.exe
2012-07-27 11:18 - 2012-07-27 11:16 - 00000361 ____A C:\rkill.log
2012-07-27 11:14 - 2012-07-27 11:14 - 01012656 ____A C:\Users\Stacie\Desktop\iExplore.exe
2012-07-27 11:13 - 2012-07-27 11:13 - 01012656 ____A C:\Users\Stacie\Desktop\rkill.exe
2012-07-27 11:07 - 2012-07-21 19:07 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-27 02:38 - 2009-07-13 15:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-27 02:35 - 2012-07-27 02:35 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C5BD94CE888A7AD8
2012-07-27 02:32 - 2012-07-27 02:32 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4A64ECBBE70F8C94
2012-07-27 02:29 - 2012-07-27 02:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.939E51EB11A59637
2012-07-27 02:26 - 2012-07-27 02:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F3742CF0AB02C375
2012-07-27 02:23 - 2012-07-27 02:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4C710F464EBEA74C
2012-07-27 02:22 - 2012-07-27 02:36 - 00426163 ____A C:\Users\Stacie\Desktop\Windows6.1-KB976586-x86-1.msu
2012-07-27 02:21 - 2012-07-27 02:36 - 00426163 ____A C:\Users\Stacie\Desktop\Windows6.1-KB976586-x86.msu
2012-07-27 02:20 - 2012-07-27 02:20 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A6932E5EC48C4A35
2012-07-27 02:18 - 2012-07-27 02:18 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ABCD36C67F038783
2012-07-27 02:04 - 2012-07-27 02:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ED7872B1181B2684
2012-07-27 01:43 - 2012-07-27 01:43 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7152222E0FBF7A72
2012-07-27 01:26 - 2011-06-14 10:39 - 00867084 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-07-27 01:22 - 2012-07-27 00:19 - 09821896 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-07-27 01:22 - 2012-04-07 15:28 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-27 01:22 - 2011-06-16 21:12 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-27 01:18 - 2011-06-14 10:39 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-26 22:47 - 2012-07-02 12:44 - 00110008 ____A C:\Users\Family\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-26 13:04 - 2012-06-03 12:50 - 00413400 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-25 13:22 - 2012-03-29 05:35 - 01809920 __ASH C:\Users\Stacie\Desktop\Thumbs.db
2012-07-24 22:57 - 2012-07-24 22:56 - 12621696 ____A (Microsoft Corporation) C:\Users\Stacie\Desktop\mseinstall.exe
2012-07-24 21:06 - 2012-07-24 21:06 - 04337721 ____A C:\Users\Stacie\Desktop\Bartz Party Supplies.xps
2012-07-23 16:49 - 2012-07-23 16:49 - 00000000 ____A C:\Users\Stacie\defogger_reenable
2012-07-22 14:12 - 2012-07-22 13:56 - 158429236 ____A C:\Users\Stacie\Desktop\audio study tools for cb3.zip
2012-07-22 13:57 - 2012-07-22 13:56 - 00413184 ____A C:\Users\Stacie\Desktop\docs study tools for cb3.zip
2012-07-22 11:21 - 2012-07-22 11:21 - 00000247 ____A C:\user.js
2012-07-22 11:19 - 2012-07-22 11:19 - 01759445 ____A C:\Users\Stacie\Desktop\extractor_setup.exe
2012-07-21 21:48 - 2012-07-21 21:43 - 00005926 ____A C:\Users\Stacie\Downloads\rarkey.rar
2012-07-21 21:03 - 2012-07-21 21:03 - 00403395 ____A (Farbar) C:\Users\Stacie\Downloads\MiniToolBox.exe
2012-07-21 16:05 - 2012-04-17 12:08 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2012-07-21 15:33 - 2012-07-21 15:33 - 00000096 ___AH C:\Users\All Users\-W3lnGFb9QAKW8hr
2012-07-21 15:33 - 2012-07-21 15:33 - 00000096 ___AH C:\Users\All Users\-W3lnGFb9QAKW8h
2012-07-16 19:11 - 2012-07-16 19:11 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\Stacie\Desktop\TDSSKiller.exe
2012-07-13 23:28 - 2012-07-13 23:28 - 01179580 ___AH C:\Users\Stacie\Desktop\Study Audio Files for CB3.zip
2012-07-13 23:28 - 2012-07-13 23:28 - 00413184 ___AH C:\Users\Stacie\Desktop\Study Docs for CB3.zip
2012-07-13 01:00 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-07-13 00:03 - 2011-07-06 17:16 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-06 21:28 - 2012-07-06 21:28 - 00000020 ___SH C:\Users\DefaultAppPool.IIS APPPOOL\ntuser.ini
2012-07-02 12:43 - 2012-07-02 12:43 - 00001234 _RASH C:\Users\Family\ntuser.pol
2012-07-02 12:43 - 2012-07-02 12:43 - 00000020 ___SH C:\Users\Family\ntuser.ini
2012-07-02 12:41 - 2012-07-02 12:40 - 00000632 _RASH C:\Users\Stacie\ntuser.pol
2012-07-02 12:41 - 2012-07-02 12:40 - 00000632 _RASH C:\Users\Mom\ntuser.pol
2012-07-02 12:37 - 2011-07-27 10:26 - 00109224 ____A C:\Users\Mom\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-12 17:32 - 2012-06-12 17:32 - 451126067 ____A C:\Windows\MEMORY.DMP
2012-06-12 17:32 - 2012-06-12 17:32 - 00735424 ____A C:\Windows\Minidump\061212-16988-01.dmp
2012-06-11 19:08 - 2012-07-13 01:01 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-09 15:15 - 2012-06-09 15:15 - 00271901 ___AH C:\Users\Stacie\Desktop\Did Clinton Send a Coded Message.xps
2012-06-08 21:43 - 2012-07-12 14:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-12 14:43 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-12 14:44 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-12 14:44 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-12 14:45 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-12 14:44 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-12 14:44 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-12 14:46 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-05 20:04 - 2012-06-05 20:04 - 00900489 ___AH C:\Users\Stacie\Desktop\Index Cards 4.xps
2012-06-05 20:04 - 2012-06-05 20:03 - 00590814 ___AH C:\Users\Stacie\Desktop\Great Colorful Energy Index Cards.xps
2012-06-05 20:02 - 2012-06-05 20:02 - 00367952 ___AH C:\Users\Stacie\Desktop\Index Card 3.xps
2012-06-05 20:02 - 2012-06-05 20:02 - 00281395 ___AH C:\Users\Stacie\Desktop\Energy Index Cards 2.xps
2012-06-05 20:01 - 2012-06-05 20:01 - 00225056 ___AH C:\Users\Stacie\Desktop\Work power and energy.xps
2012-06-05 19:59 - 2012-06-05 19:59 - 00205011 ___AH C:\Users\Stacie\Desktop\Kinetic and potential energy 2.xps
2012-06-05 19:58 - 2012-06-05 19:58 - 00205011 ___AH C:\Users\Stacie\Desktop\Kinetic and potential energy.xps
2012-06-02 14:19 - 2012-06-25 13:10 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-25 13:10 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-25 13:10 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-25 13:09 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-25 13:09 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-25 13:10 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-25 13:09 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-25 13:09 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:15 - 2012-06-25 13:09 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-13 00:01 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-13 00:01 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-13 00:01 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-13 00:01 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-13 00:01 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-13 00:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-13 00:01 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-13 00:01 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-13 00:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-13 00:01 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-13 00:01 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-13 00:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-13 00:01 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-13 00:01 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-13 00:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-13 00:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-13 00:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-13 00:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-13 00:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-13 00:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-13 00:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-13 00:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-13 00:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-13 00:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-13 00:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-13 00:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-13 00:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-13 00:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-12 14:45 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-12 14:45 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-12 14:45 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-12 14:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-12 14:45 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-12 14:45 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-12 14:45 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-12 14:45 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-12 14:45 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-06-01 11:00 - 2012-06-01 11:00 - 00000000 ____A C:\Windows\setuperr.log
2012-06-01 07:31 - 2012-06-01 07:31 - 00109224 ___AH C:\Users\Stacie\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-31 23:45 - 2012-05-31 23:44 - 03862112 ____A (Piriform Ltd) C:\Users\Stacie\Downloads\ccsetup319.exe
2012-05-27 16:26 - 2012-05-27 16:25 - 00463080 ____A (CNET Download.com) C:\Users\Stacie\Downloads\cnet2_touchpad-blocker_exe(1).exe
2012-05-27 16:25 - 2012-05-27 16:24 - 00463080 ____A (CNET Download.com) C:\Users\Stacie\Downloads\cnet2_touchpad-blocker_exe.exe
2012-05-25 18:33 - 2012-05-25 18:31 - 15608160 ____A (Dextronet ) C:\Users\Stacie\Downloads\tasklistguru(2).exe
2012-05-25 18:29 - 2012-05-25 18:29 - 00463080 ____A (CNET Download.com) C:\Users\Stacie\Downloads\cnet2_EfficientCalendarFree-Setup_exe(1).exe
2012-05-25 18:21 - 2012-05-25 18:18 - 31784856 ____A (IObit ) C:\Users\Stacie\Downloads\asc-setup.exe
2012-05-18 12:44 - 2012-05-18 12:40 - 39483256 ____A (Apple Inc.) C:\Users\Stacie\Downloads\QuickTimeInstaller.exe
2012-05-07 12:13 - 2012-05-07 12:08 - 42553504 ____A (Xerox) C:\Users\Stacie\Downloads\OfficeMax-PhotoGifts.exe
2012-05-06 17:52 - 2012-05-06 17:46 - 15458168 ____A (Dextronet ) C:\Users\Stacie\Downloads\tasklistguru(1).exe
2012-05-06 17:48 - 2012-05-06 17:47 - 00463080 ____A (CNET Download.com) C:\Users\Stacie\Downloads\cnet2_w2dsetup_exe.exe
2012-05-06 17:45 - 2012-05-06 17:45 - 00463080 ____A (CNET Download.com) C:\Users\Stacie\Downloads\cnet2_EfficientCalendarFree-Setup_exe.exe
2012-05-06 17:43 - 2012-05-06 17:42 - 04789789 ____A (Splinterware Software Solutions ) C:\Users\Stacie\Downloads\iddfree(1).exe

ZeroAccess:
C:\Windows\Installer\{5a9f9217-cba6-679a-3696-f81deab3792b}
C:\Windows\Installer\{5a9f9217-cba6-679a-3696-f81deab3792b}\L
C:\Windows\Installer\{5a9f9217-cba6-679a-3696-f81deab3792b}\U

ZeroAccess:
C:\Users\Stacie\AppData\Local\{5a9f9217-cba6-679a-3696-f81deab3792b}
C:\Users\Stacie\AppData\Local\{5a9f9217-cba6-679a-3696-f81deab3792b}\@
C:\Users\Stacie\AppData\Local\{5a9f9217-cba6-679a-3696-f81deab3792b}\L
C:\Users\Stacie\AppData\Local\{5a9f9217-cba6-679a-3696-f81deab3792b}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 5942.68 MB
Available physical RAM: 5025.81 MB
Total Pagefile: 5940.83 MB
Available Pagefile: 5008.34 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:585.27 GB) (Free:512.72 GB) NTFS
2 Drive e: (WIN_7_HOMEPREMIUM) (CDROM) (Total:5.75 GB) (Free:0 GB) UDF
3 Drive f: () (Removable) (Total:0.49 GB) (Free:0.48 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (RECOVERY) (Fixed) (Total:10.76 GB) (Free:1.26 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          596 GB      0 B
  Disk 1    Online          505 MB      0 B

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                133 MB    31 KB
  Partition 2    Primary             10 GB   134 MB
  Partition 3    Primary            585 GB    10 GB
  Partition 4    Primary             10 MB   596 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4                      FAT    Partition    133 MB  Healthy    Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1    Y    RECOVERY     NTFS   Partition     10 GB  Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2    C    OS           NTFS   Partition    585 GB  Healthy

==================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            504 MB    16 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3    F                 FAT    Removable    504 MB  Healthy

==================================================================================

==========================================================

Last Boot: 2012-06-03 14:36

======================= End Of Log ==========================

#14 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 03 August 2012 - 06:13 PM

Hi again,

Okay, let's run this FRST script:

Open Notepad. Please copy the contents of the box below. To do this, highlight the contents of the codebox below, right-click on it, and select Copy. Now paste this into the open Notepad window. Then save it on the flashdrive as fixlist.txt.

C:\Windows\Installer\{5a9f9217-cba6-679a-3696-f81deab3792b}
C:\Users\Stacie\AppData\Local\{5a9f9217-cba6-679a-3696-f81deab3792b}
2012-08-01 19:14 - 2012-08-01 19:14 - 00311808 ____A C:\Users\Stacie\AppData\Local\vhefjt.exe
2012-07-27 01:24 - 2012-07-27 01:24 - 00000000 ____D C:\5635117269da0e89e27b13610c1d8d
2012-07-24 22:30 - 2012-07-24 22:31 - 00000000 ____D C:\Users\Stacie\AppData\Local\{94E29254-2BE0-4AE8-8555-2F9290CA3A07}
2012-07-22 11:21 - 2012-07-22 11:21 - 00000000 ____D C:\Users\Stacie\AppData\Roaming\Babylon
2012-07-22 11:21 - 2012-07-22 11:21 - 00000000 ____D C:\Users\All Users\Babylon
2012-07-21 15:33 - 2012-07-21 15:33 - 00000096 ___AH C:\Users\All Users\-W3lnGFb9QAKW8hr
2012-07-21 15:33 - 2012-07-21 15:33 - 00000096 ___AH C:\Users\All Users\-W3lnGFb9QAKW8h
2012-07-22 11:19 - 2012-07-22 11:19 - 01759445 ____A C:\Users\Stacie\Desktop\extractor_setup.exe
Folder: C:\Windows\System32\%APPDATA%

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options as you did before.
Run FRST64 and press the Fix button only once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

==========

Now let's rerun ComboFix:

Double-click on combofix.exe on your desktop and follow the prompts.
When finished, it will produce a report for you at C:\Combofix.txt.

==========

In your next reply, please include both logs from:

  • Fixlog.txt from FRST found on your flashdrive
  • The latest ComboFix log, found at C:\Combofix.txt on your computer.
bloopie

#15 SourGrapes

SourGrapes
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Female
  • Local time:11:35 PM

Posted 04 August 2012 - 04:22 AM

FRST Log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-08-04 03:02:38 Run:2
Running from F:\

==============================================

C:\Windows\Installer\{5a9f9217-cba6-679a-3696-f81deab3792b} not found.
C:\Users\Stacie\AppData\Local\{5a9f9217-cba6-679a-3696-f81deab3792b} not found.
C:\Users\Stacie\AppData\Local\vhefjt.exe not found.
C:\5635117269da0e89e27b13610c1d8d not found.
C:\Users\Stacie\AppData\Local\{94E29254-2BE0-4AE8-8555-2F9290CA3A07} not found.
C:\Users\Stacie\AppData\Roaming\Babylon not found.
C:\Users\All Users\Babylon not found.
C:\Users\All Users\-W3lnGFb9QAKW8hr not found.
C:\Users\All Users\-W3lnGFb9QAKW8h not found.
C:\Users\Stacie\Desktop\extractor_setup.exe not found.

========================= Folder: C:\Windows\System32\%APPDATA% ========================

2012-07-22 10:29 - 2012-07-22 10:29 - 0000000 __SHD () C:\Windows\System32\%APPDATA%\Microsoft
2012-07-22 10:29 - 2012-07-22 10:29 - 0000000 __SHD () C:\Windows\System32\%APPDATA%\Microsoft\Windows
2012-07-22 10:29 - 2012-07-22 10:29 - 0000000 __SHD () C:\Windows\System32\%APPDATA%\Microsoft\Windows\IETldCache
2012-07-22 10:29 - 2012-07-27 01:36 - 0262144 __ASH () C:\Windows\System32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat

====== End of Folder: ======

==== End of Fixlog ====

Combofix Log:

ComboFix 12-08-04.02 - Stacie 08/04/2012 3:18.5.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5943.4437 [GMT -5:00]
Running from: c:\users\Stacie\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-07-04 to 2012-08-04 )))))))))))))))))))))))))))))))
.
.
2012-08-04 08:53 . 2012-08-04 08:53 -------- d-----w- c:\users\Mom\AppData\Local\temp
2012-08-04 08:53 . 2012-08-04 08:53 -------- d-----w- c:\users\Family\AppData\Local\temp
2012-08-04 08:53 . 2012-08-04 08:53 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2012-08-04 08:53 . 2012-08-04 08:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-04 08:04 . 2012-08-04 08:04 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B991F822-4ADF-4DC6-9114-56ECB882AD79}\offreg.dll
2012-08-03 08:34 . 2012-08-03 08:34 -------- d-----w- C:\FRST
2012-08-02 03:24 . 2012-07-16 07:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B991F822-4ADF-4DC6-9114-56ECB882AD79}\mpengine.dll
2012-08-02 03:16 . 2012-07-16 07:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-27 20:39 . 2012-07-14 00:16 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-07-27 20:39 . 2012-07-14 00:16 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-07-27 20:12 . 2012-07-27 20:12 -------- d-----w- c:\users\Stacie\AppData\Local\Secunia PSI
2012-07-27 20:11 . 2012-07-27 20:11 -------- d-----w- c:\program files (x86)\Secunia
2012-07-27 10:35 . 2012-07-27 10:35 328704 ----a-w- c:\windows\system32\services.exe.C5BD94CE888A7AD8
2012-07-27 10:32 . 2012-07-27 10:32 328704 ----a-w- c:\windows\system32\services.exe.4A64ECBBE70F8C94
2012-07-27 10:29 . 2012-07-27 10:29 328704 ----a-w- c:\windows\system32\services.exe.939E51EB11A59637
2012-07-27 10:26 . 2012-07-27 10:26 328704 ----a-w- c:\windows\system32\services.exe.F3742CF0AB02C375
2012-07-27 10:23 . 2012-07-27 10:23 328704 ----a-w- c:\windows\system32\services.exe.4C710F464EBEA74C
2012-07-27 10:20 . 2012-07-27 10:20 328704 ----a-w- c:\windows\system32\services.exe.A6932E5EC48C4A35
2012-07-27 10:18 . 2012-07-27 10:18 328704 ----a-w- c:\windows\system32\services.exe.ABCD36C67F038783
2012-07-27 10:04 . 2012-07-27 10:04 328704 ----a-w- c:\windows\system32\services.exe.ED7872B1181B2684
2012-07-27 09:43 . 2012-07-27 09:43 328704 ----a-w- c:\windows\system32\services.exe.7152222E0FBF7A72
2012-07-27 09:41 . 2012-02-09 19:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{33713BA8-B2C7-4FB5-8C8A-934184A54266}\gapaengine.dll
2012-07-27 09:26 . 2012-07-27 09:26 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-07-27 09:26 . 2012-07-27 09:26 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-27 08:19 . 2012-08-03 14:18 9827016 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-07-27 07:56 . 2012-07-14 00:17 68576 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-07-27 07:56 . 2012-07-14 00:17 573920 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-07-27 07:56 . 2012-07-14 00:17 157608 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-07-27 07:56 . 2012-07-14 00:17 113120 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-07-27 06:47 . 2012-07-27 06:47 -------- d-----w- c:\users\Family\AppData\Roaming\Yahoo!
2012-07-22 19:22 . 2012-07-22 19:37 -------- d-----w- c:\program files (x86)\hpmonitor
2012-07-22 19:21 . 2012-07-22 19:21 247 ----a-w- C:\user.js
2012-07-22 18:29 . 2012-07-22 18:29 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-13 09:01 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-12 22:46 . 2012-06-06 06:05 1499136 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-12 22:46 . 2012-06-06 05:05 1019904 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
2012-07-12 22:46 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-07-12 22:46 . 2012-06-06 06:05 61440 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
2012-07-12 22:46 . 2012-06-06 06:05 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2012-07-12 22:46 . 2012-06-06 06:05 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2012-07-12 22:46 . 2012-06-06 05:05 57344 ----a-w- c:\program files (x86)\Common Files\System\ado\msador15.dll
2012-07-12 22:46 . 2012-06-06 05:05 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
2012-07-12 22:46 . 2012-06-06 05:03 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-07-12 22:44 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-07-12 22:44 . 2012-06-06 06:06 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-07-12 22:44 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-07-12 22:44 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-07-12 22:43 . 2010-06-26 03:55 2048 ----a-w- c:\windows\system32\msxml3r.dll
2012-07-12 22:43 . 2010-06-26 03:24 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2012-07-12 22:43 . 2012-06-09 05:43 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-07-07 05:28 . 2012-07-21 23:50 -------- d-----w- c:\users\DefaultAppPool.IIS APPPOOL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-03 14:19 . 2012-04-07 23:28 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-03 14:19 . 2011-06-17 05:12 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-27 10:38 . 2009-07-13 23:19 328704 ----a-w- c:\windows\system32\services.exe
2012-07-13 08:03 . 2011-07-07 01:16 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-02 22:19 . 2012-06-25 21:09 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-25 21:10 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-25 21:10 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-25 21:10 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-25 21:09 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-25 21:10 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-25 21:09 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-25 21:09 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:15 . 2012-06-25 21:09 36864 ----a-w- c:\windows\system32\wuapp.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-01_18.54.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:54 . 2012-08-03 14:18 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-07-30 02:06 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-07-30 02:06 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-03 14:18 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-07-30 02:06 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-03 14:18 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-06-14 17:24 . 2012-08-04 08:05 35954 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-04 08:05 36608 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-06-14 18:43 . 2012-08-04 08:05 11830 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2252547773-1828592009-4238387167-1001_UserData.bin
+ 2012-08-04 08:03 . 2012-08-04 08:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-27 20:04 . 2012-08-01 18:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-04 08:03 . 2012-08-04 08:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-27 20:04 . 2012-08-01 18:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-03 14:19 . 2012-08-03 14:19 686792 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_270_Plugin.exe
+ 2012-08-03 12:15 . 2012-08-03 12:15 686792 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.exe
+ 2012-08-03 12:15 . 2012-08-03 12:15 466632 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.dll
+ 2011-06-14 18:25 . 2012-08-04 05:27 251964 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2012-07-31 22:57 714574 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-04 08:09 714574 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-04 08:09 139586 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-07-31 22:57 139586 c:\windows\system32\perfc009.dat
+ 2012-08-03 14:18 . 2012-08-03 14:18 417992 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_270_Plugin.exe
+ 2012-08-03 10:15 . 2012-08-03 10:15 417992 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_270_ActiveX.exe
+ 2012-08-03 10:15 . 2012-08-03 10:15 513224 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_270_ActiveX.dll
- 2012-07-25 19:00 . 2012-07-31 21:10 110008 c:\windows\system32\GDIPFONTCACHEV1.DAT
+ 2012-07-25 19:00 . 2012-08-03 19:00 110008 c:\windows\system32\GDIPFONTCACHEV1.DAT
- 2011-06-14 18:01 . 2012-07-27 14:53 409600 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-06-14 18:01 . 2012-08-03 14:18 409600 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-06-25 03:53 . 2012-07-27 19:08 661360 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2012-06-25 03:53 . 2012-08-03 19:03 661360 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-07-14 05:01 . 2012-08-04 07:39 391500 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-07-27 19:08 391500 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-08-03 14:19 . 2012-08-03 14:19 9465032 c:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll
+ 2012-08-03 14:19 . 2012-08-03 14:19 1536712 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe
+ 2011-06-14 18:01 . 2012-08-03 14:18 3751936 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-06-14 18:01 . 2012-07-27 14:53 3751936 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-08-03 14:18 . 2012-08-03 14:18 12315336 c:\windows\system32\Macromed\Flash\NPSWF64_11_3_300_270.dll
+ 2009-07-14 04:54 . 2012-08-03 14:18 16187392 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-07-27 14:53 16187392 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-06-17 08:19 . 2012-08-04 07:39 46412168 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2252547773-1828592009-4238387167-1001-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll" [2011-10-06 2015544]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTestPro"="c:\program files\SpeedTestPro\SpeedTestPro.exe" [BU]
"SwiftToDoList"="c:\users\Stacie\AppData\Local\Task List Guru\Task List Guru.exe" [2012-05-17 8549352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [BU]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
.
c:\users\Stacie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-12-29 1082656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-13 136176]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-27 250056]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-03-30 53800]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-30 35104]
R3 CASprint;Sprint Con App Svc;c:\program files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe [x]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-07-29 16776]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-07-29 9096]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-13 136176]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-14 113120]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2010-03-05 340240]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2012-04-10 25072]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-06-17 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2009-11-02 13784]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-18 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-08-30 289280]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-03-18 7680512]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 09:22]
.
2012-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-13 02:39]
.
2012-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-13 02:39]
.
2012-07-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
2012-08-03 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-03-05 1928976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-11 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-11 392984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-11 417560]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Stacie\AppData\Roaming\Mozilla\Firefox\Profiles\uamvunm2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110195&tt=2912_5&babsrc=KW_ss&mntrId=94ce75620000000000008ca9820e48cf&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extensions.BabylonToolbar_i.babTrack, affID=110195&tt=2912_5
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 94ce75620000000000008ca9820e48cf
FF - user.js: extensions.BabylonToolbar_i.hardId - 94ce75620000000000008ca9820e48cf
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15543
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1714:21
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{37153479-1976-43C3-A1EE-557513977B64} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-04 04:14:05
ComboFix-quarantined-files.txt 2012-08-04 09:13
ComboFix2.txt 2012-08-02 00:14
ComboFix3.txt 2012-08-01 22:53
.
Pre-Run: 550,245,199,872 bytes free
Post-Run: 550,004,420,608 bytes free
.
- - End Of File - - 50DB992C93FE4B8DFBFAE65F3A54BAD9


I hope I did this correctly. ;-)
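The FRST fixlist in post #14 and the FRST Fixlog and ComboFix report in post #15 all list files one per line (two timestamps, a size, an attribute field, a path) in two slightly different layouts. As an added example, not code from this thread or from either tool, here is a small Python triage helper that normalises both layouts into one record type and flags the patterns a responder would pull out of these particular logs: a core system binary sitting next to extra copies of itself with a 16-hex-character suffix, a folder literally named %APPDATA% under System32 (Windows never creates one; that name is only meaningful after environment-variable expansion), hidden+system directories inside the system directory, an executable dropped directly in a user's AppData\Local, and hidden files at the root of ProgramData. The heuristics and their wording are my choices, the regexes are assumptions about the two tools' line formats based only on the lines posted above, and the sample input is copied from those logs (plus the offreg.dll line as a benign control and one fixlist `Folder:` directive to show that non-listing lines are skipped).

```python
"""Triage helper for FRST and ComboFix file-listing lines.

Added example for this thread; not part of FRST, ComboFix or the posts
above. The parser normalises both tools' layouts into one record and the
triage pass flags patterns that stand out in the posted logs. The
heuristics are mine, derived only from what those logs show.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# FRST: 2012-07-22 10:29 - 2012-07-22 10:29 - 0000000 __SHD () C:\...\%APPDATA%\Microsoft
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\([^)]*\) )?(?P<path>.+?)\s*$"
)
# ComboFix: 2012-07-22 18:29 . 2012-07-22 18:29 -------- d-sh--w- c:\windows\system32\%APPDATA%
COMBOFIX_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$"
)

# Path patterns behind the flags (my choices; assumed, not from either tool).
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\", re.I)
CORE_BINARY_COPY = re.compile(
    r"\\(?:services|lsass|winlogon|svchost)\.exe\.[0-9a-f]{16}$", re.I)
LITERAL_ENV_VAR = re.compile(r"\\%[a-z_]+%(?:\\|$)", re.I)
LOCALAPPDATA_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\]+\.exe$", re.I)
PROGRAMDATA_ROOT = re.compile(
    r"^[a-z]:\\(?:programdata|users\\all users)\\[^\\]+$", re.I)


@dataclass(frozen=True)
class Entry:
    source: str      # "frst" or "combofix"
    path: str
    size: int        # 0 where ComboFix prints "--------" for a directory
    is_dir: bool
    hidden: bool
    system: bool


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a listing line from either tool, else None."""
    m = FRST_LINE.match(line)
    if m:
        a = m["attrs"]          # e.g. ____A, ____D, ___AH, __SHD, __ASH
        return Entry("frst", m["path"], int(m["size"]),
                     "D" in a, "H" in a, "S" in a)
    m = COMBOFIX_LINE.match(line)
    if m:
        a = m["attrs"]          # e.g. ----a-w-, d-----w-, d-sh--w-
        size = 0 if m["size"].startswith("-") else int(m["size"])
        return Entry("combofix", m["path"], size,
                     a[0] == "d", "h" in a, "s" in a)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Parse every line that looks like a listing entry and flag oddities."""
    out: List[Finding] = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue            # headers, fixlist directives, snapshot diffs
        p = e.path
        if SYSTEM_DIR.match(p) and CORE_BINARY_COPY.search(p):
            out.append(Finding(p, "extra copy of a core system binary with a hex suffix"))
        if LITERAL_ENV_VAR.search(p):
            out.append(Finding(p, "literal environment-variable name used as a folder"))
        if e.is_dir and e.hidden and e.system and SYSTEM_DIR.match(p):
            out.append(Finding(p, "hidden+system directory inside the Windows system directory"))
        if not e.is_dir and LOCALAPPDATA_EXE.match(p):
            out.append(Finding(p, "executable dropped directly in the user's AppData\\Local"))
        if not e.is_dir and e.hidden and PROGRAMDATA_ROOT.match(p):
            out.append(Finding(p, "hidden file at the root of ProgramData"))
    return out


# Lines copied from the FRST and ComboFix output posted in this thread, plus
# the offreg.dll line as a benign control and one fixlist directive.
SAMPLE_LINES = [
    r"2012-08-01 19:14 - 2012-08-01 19:14 - 00311808 ____A C:\Users\Stacie\AppData\Local\vhefjt.exe",
    r"2012-07-21 15:33 - 2012-07-21 15:33 - 00000096 ___AH C:\Users\All Users\-W3lnGFb9QAKW8hr",
    r"2012-07-22 10:29 - 2012-07-22 10:29 - 0000000 __SHD () C:\Windows\System32\%APPDATA%\Microsoft",
    r"Folder: C:\Windows\System32\%APPDATA%",
    r"2012-07-27 10:35 . 2012-07-27 10:35 328704 ----a-w- c:\windows\system32\services.exe.C5BD94CE888A7AD8",
    r"2012-07-27 10:38 . 2009-07-13 23:19 328704 ----a-w- c:\windows\system32\services.exe",
    r"2012-07-22 18:29 . 2012-07-22 18:29 -------- d-sh--w- c:\windows\system32\%APPDATA%",
    r"2012-08-04 08:04 . 2012-08-04 08:04 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B991F822-4ADF-4DC6-9114-56ECB882AD79}\offreg.dll",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.reason}: {f.path}")
```

Run it as is to see the five flagged paths; to use it on a real report, pass the file's lines (`triage(open("ComboFix.txt", encoding="utf-8", errors="replace"))`) and review the hits by hand, since every rule here is a hint for a human, not a verdict. The `%APPDATA%` directory is reported twice on purpose (literal variable name and hidden+system under System32), which is how a path accumulates weight across independent rules.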



