Sirefef found by Windows Defender


32 replies to this topic

#1 lwells

Posted 12 August 2012 - 03:53 PM

Sirefef trojan found and cleaned by Windows Defender. It comes back after reboot, I get popups "Windows Firewall has blocked..."
Can you help me remove it?
Thanks,
LWells

DDS Log:
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421
Run by Tomco_HP at 14:26:14 on 2012-08-12
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1782.964 [GMT -5:00]
.
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Defender\MSASCui.exe
C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe
C:\windows\system32\notepad.exe
C:\windows\system32\notepad.exe
C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe
\\.\globalroot\??\C:\Users\Tomco_HP\AppData\Local\{82cf78cd-3273-5450-7215-1006348b8d21}\U
C:\windows\system32\DllHost.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\hewlett-packard\hp protecttools security manager\bin\DPAgent.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: File Sanitizer for HP ProtectTools: {3134413b-49b4-425c-98a5-893c1f195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll
BHO: HP ProtectTools Security Manager Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\hewlett-packard\hp protecttools security manager\bin\DpOtsPluginIe8.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.7.2.3\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.7.2.3\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.7.2.3\coIEPlg.dll
uRun: [Google Update] "c:\users\tomco_hp\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [kxypev] rundll32.exe "c:\users\tomco_hp\appdata\roaming\kxypev.dll",PSTCreateTypeSubType_NoUI
uRun: [wmslap] "c:\windows\system32\rundll32.exe" "c:\users\tomco_hp\appdata\roaming\wmslap.dll",_Contains
mRun: [HPPowerAssistant] c:\program files\hewlett-packard\hp power assistant\HPPA_Main.exe /hidden
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
TCP: Interfaces\{47A0F2B8-99DA-4150-AE82-1B0200DDCA65} : DhcpNameServer = 68.94.156.1 68.94.157.1
TCP: Interfaces\{47A0F2B8-99DA-4150-AE82-1B0200DDCA65}\057424740303331323 : DhcpNameServer = 172.17.17.17 172.28.28.28 172.17.19.19
TCP: Interfaces\{47A0F2B8-99DA-4150-AE82-1B0200DDCA65}\276636C61333E647C6162626 : DhcpNameServer = 172.17.17.17 172.28.28.28 172.17.19.19
TCP: Interfaces\{47A0F2B8-99DA-4150-AE82-1B0200DDCA65}\8454247457563747 : DhcpNameServer = 173.226.143.254 24.153.242.254
TCP: Interfaces\{E6539FB4-D61B-454D-A837-D1A55197DEEA} : DhcpNameServer = 67.214.64.174 68.65.153.114
TCP: Interfaces\{E6539FB4-D61B-454D-A837-D1A55197DEEA}\276636C61333E647 : DhcpNameServer = 67.214.64.174 68.65.153.114
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: DeviceNP - DeviceNP.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
LSA: Notification Packages = DPPassFilter scecli
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2010-1-26 110520]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2010-1-26 51800]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2010-1-26 13256]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1207020.003\symds.sys [2012-6-13 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1207020.003\symefa.sys [2012-6-13 744568]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20100810.004\BHDrvx86.sys [2011-5-29 692272]
S1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20100706.002\IDSVix86.sys [2011-5-29 344112]
S1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2010-1-26 40088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1207020.003\ironx86.sys [2012-6-13 136312]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\nis\1207020.003\symnets.sys [2012-6-13 299640]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_9b219d80a8843bf8\AEstSrv.exe [2011-5-29 81920]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-8-4 176128]
S2 BFLS_Server_Service;BFLS_Server_Service;c:\program files\bizerba\bfls\BFLS_Server_Service.exe [2012-4-19 1269760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\hewlett-packard\hp power assistant\HPPA_Service.exe [2010-8-23 103992]
S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\2009 password filter for hp protecttools\PTChangeFilterService.exe [2010-1-12 36864]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2010-1-27 102968]
S2 HPDayStarterService;HP DayStarter Service;c:\program files\hewlett-packard\hp quicklook\HPDayStarterService.exe [2010-5-10 90112]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2010-6-15 92216]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2010-1-26 281192]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\hewlett-packard\file sanitizer\HPFSService.exe [2010-1-19 297984]
S2 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\hewlett-packard\hp hotkey support\hpHotkeyMonitor.exe [2010-3-1 264248]
S2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2011-5-13 26168]
S2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.7.2.3\ccsvchst.exe [2012-6-13 130008]
S2 Pervasive.SQL (relational);Pervasive.SQL (relational);c:\pvsw\bin\w3sqlmgr.exe [2006-5-18 28724]
S2 Pervasive.SQL (transactional);Pervasive.SQL (transactional);c:\pvsw\bin\ntbtrv.exe [2006-5-18 69680]
S2 uArcCapture;ArcCapture;c:\windows\system32\uArcCapture.exe [2011-5-29 506472]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-2-18 1664304]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-15 250056]
S3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-8-4 5587456]
S3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-8-4 210432]
S3 ARCVCAM;ARCVCAM, ArcSoft Webcam Sharing Manager Driver;c:\windows\system32\drivers\ArcSoftVCapture.sys [2011-5-29 29824]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BFLS_System_Service;BFLS_System_Service;c:\program files\bizerba\bfls\BFLS_System_Service.exe [2012-4-19 131072]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2011-5-29 294952]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-5-29 33320]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2009-10-21 32312]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-29 102448]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2009-12-7 362040]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr28.sys [2009-6-10 530944]
S3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\netr28u.sys [2009-5-25 734208]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-12-8 186912]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-12-8 257568]
S3 rtsuvc;HP Webcam [2 MP Fixed];c:\windows\system32\drivers\rtsuvc.sys [2011-5-29 78848]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-2-17 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-2-18 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2012-08-12 18:28:10 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{1c46ca28-e6ed-4816-8ee8-c8c5de9932e3}\offreg.dll
2012-08-12 16:59:17 -------- d-----w- c:\program files\Advanced IP Scanner
2012-08-12 15:19:16 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{1c46ca28-e6ed-4816-8ee8-c8c5de9932e3}\mpengine.dll
2012-08-12 14:50:17 -------- d-----w- c:\programdata\036E1BAFFB0508B1000964D2F875EF7E
2012-08-12 14:50:02 -------- d-----w- c:\users\tomco_hp\appdata\local\{FB06B986-E48C-11E1-8270-B8AC6F996F26}
2012-08-12 14:49:58 452096 ----a-w- c:\users\tomco_hp\appdata\roaming\wmslap.dll
2012-08-12 14:49:07 174080 --sha-w- c:\users\tomco_hp\appdata\roaming\kxypev.dll
2012-07-25 22:44:20 -------- d-----w- C:\PFiles
2012-07-24 23:09:38 -------- d-----w- c:\users\tomco_hp\appdata\local\Google
2012-07-23 14:41:50 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-19 15:48:48 -------- d-----w- c:\program files\Winwaed Software Technology LLC
.
==================== Find3M ====================
.
2012-08-02 23:41:50 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-02 23:41:50 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45:03 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-05-31 17:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 14:27:09.61 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-12 15:38:03
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK3261GSYN rev.MH000C
Running: gmer.exe; Driver: C:\Users\Tomco_HP\AppData\Local\Temp\uxldipog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 822933C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 822CCD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? C:\Users\Tomco_HP\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/13/2012 1:07:49 PM
System Uptime: 8/12/2012 1:25:06 PM (1 hours ago)
.
Motherboard: Hewlett-Packard | | 142C
Processor: AMD Athlon™ II P340 Dual-Core Processor | Unknown | 2194/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 281 GiB total, 187.363 GiB free.
F: is FIXED (FAT32) - 2 GiB total, 1.49 GiB free.
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Security Processor Loader Driver
Device ID: ROOT\LEGACY_SPLDR\0000
Manufacturer:
Name: Security Processor Loader Driver
PNP Device ID: ROOT\LEGACY_SPLDR\0000
Service: spldr
.
==== System Restore Points ===================
.
RP42: 5/19/2012 8:41:17 AM - Windows Update
RP43: 5/28/2012 7:23:53 AM - Scheduled Checkpoint
RP44: 5/28/2012 7:52:32 AM - Windows Update
RP45: 6/14/2012 9:35:27 PM - Windows Update
RP46: 6/22/2012 7:45:42 PM - Windows Update
RP47: 7/5/2012 6:24:45 AM - Removed Java™ 6 Update 31
RP48: 7/18/2012 12:44:20 PM - Scheduled Checkpoint
RP49: 7/19/2012 10:48:20 AM - Installed MPMileage
RP50: 7/23/2012 9:40:51 AM - Windows Update
RP51: 7/25/2012 5:43:46 PM - Installed Windows Media Player Firefox Plugin
RP52: 7/27/2012 7:03:34 PM - Windows Update
RP53: 8/2/2012 6:51:58 PM - Windows Update
RP54: 8/8/2012 6:31:46 PM - Windows Update
RP55: 8/12/2012 10:18:51 AM - Windows Update
.
==== Installed Programs ======================
.
7-Zip 9.20
ActiveCheck component for HP Active Support Library
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.2)
Advanced IP Scanner v1.5
ArcSoft TotalMedia
ArcSoft Webcam Sharing Manager
ATI Catalyst Install Manager
BIZERBA .RetailVision
Bizerba _bld.BRAIN 7.10
Bizerba Floating License Server (BFLS)
Bizerba LwDasi
Bizerba Screen Designer
Bizerba SXCom BLD
Broadcom 2070 Bluetooth 3.0
Broadcom 802.11 Wireless LAN Adapter
Catalyst Control Center - Branding
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Corel Home Office
Corel Home Office - CS Templates
Corel Home Office - CT Templates
Corel Home Office - IPM
Corel Home Office - JP Templates
Corel Home Office - KR Templates
Corel Home Office - Launcher
Corel Home Office - Templates RU
Corel Home Office - Templates1
Device Access Manager for HP ProtectTools
DocReader
Drive Encryption for HP ProtectTools
Energy Star Digital Logo
Face Recognition for HP ProtectTools
File Sanitizer For HP ProtectTools
FileZilla Client 3.5.3
FLV Player
Google Chrome
HP 3D DriveGuard
HP Customer Experience Enhancements
HP Documentation
HP ESU for Microsoft Windows 7
HP HotKey Support
HP Power Assistant
HP Power Data
HP ProtectTools Security Manager
HP QuickLook
HP QuickWeb
HP Setup
HP SoftPaq Download Manager
HP Software Framework
HP Software Setup
HP Support Assistant
HP Webcam Driver
HP Wireless Assistant
HPAsset component for HP Active Support Library
IDT Audio
Java™ 6 Update 31
Light Image Resizer 4.1.1.5
LightScribe System Software
LinuxLive USB Creator
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Access database engine 2010 (English)
Microsoft MapPoint North America 2011
Microsoft Office 2010
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
MPMileage
Norton Internet Security
Norton Online Backup
Pegasus Mail
Pegasus Mail HTML Renderer 2.4.7.2
Pervasive System Analyzer
Pervasive.SQL 9 SP2 Server for Windows (9.5)
Pre-Boot Security for HP ProtectTools
Privacy Manager for HP ProtectTools
Realtek Ethernet Controller All-In-One Windows Driver
Realtek USB 2.0 Card Reader
S2000Win
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Skype™ 4.1
Synaptics Pointing Device Driver
Theft Recovery
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Validity Fingerprint Driver
Windows 7 Default Setting
Windows Live ID Sign-in Assistant
Windows Media Player Firefox Plugin
.
==== Event Viewer Messages From Past Week ========
.
8/12/2012 2:22:31 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
8/12/2012 12:14:02 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
8/12/2012 10:42:47 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
8/12/2012 10:42:47 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
8/12/2012 10:27:32 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 CSC DfsC discache eeCtrl IDSVix86 NetBIOS NetBT nsiproxy Psched rdbss RsvLock spldr SRTSPX SymIRON SymNetS tdx vpcnfltr vpcvmm vwififlt Wanarpv6 WfpLwf
8/12/2012 10:27:32 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
8/12/2012 10:27:32 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
8/12/2012 10:27:32 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
8/12/2012 10:27:32 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
8/12/2012 10:27:32 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
8/12/2012 10:27:32 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
8/12/2012 10:27:32 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
8/12/2012 10:27:32 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
8/12/2012 10:27:32 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/12/2012 10:27:32 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
8/12/2012 1:59:34 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service defragsvc with arguments "" in order to run the server: {D20A3293-3341-4AE8-9AAF-8E397CB63C34}
8/12/2012 1:27:27 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
8/12/2012 1:25:45 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\windows\System32\bcmihvsrv.dll Error Code: 21
8/12/2012 1:25:41 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
8/12/2012 1:25:41 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
8/12/2012 1:25:40 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/12/2012 1:25:32 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
8/12/2012 1:25:27 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 discache eeCtrl IDSVix86 RsvLock spldr SRTSPX SymIRON SymNetS vpcvmm Wanarpv6
.
==== End Of File ===========================

---- User code sections - GMER 1.0.15 ----

? C:\windows\system32\svchost.exe[1900] C:\windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dllunknown module: urlmon.dllunknown module: VERSION.dll
.text C:\windows\system32\svchost.exe[1900] USER32.dll!DialogBoxIndirectParamAorW 76663B40 5 Bytes [33, C0, C2, 18, 00] {XOR EAX, EAX; RET 0x18}
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtCreateFile + 6 778155CE 4 Bytes [28, 00, 11, 00] {SUB [EAX], AL; ADC [EAX], EAX}
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtCreateFile + B 778155D3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtMapViewOfSection + 6 77815C2E 1 Byte [28]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtMapViewOfSection + 6 77815C2E 4 Bytes [28, 03, 11, 00] {SUB [EBX], AL; ADC [EAX], EAX}
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtMapViewOfSection + B 77815C33 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtOpenFile + 6 77815CDE 4 Bytes [68, 00, 11, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtOpenFile + B 77815CE3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtOpenProcess + 6 77815D8E 4 Bytes [A8, 01, 11, 00] {TEST AL, 0x1; ADC [EAX], EAX}
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtOpenProcess + B 77815D93 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtOpenProcessToken + 6 77815D9E 4 Bytes CALL 76816EA4 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtOpenProcessToken + B 77815DA3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtOpenProcessTokenEx + 6 77815DAE 4 Bytes [A8, 02, 11, 00] {TEST AL, 0x2; ADC [EAX], EAX}
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtOpenProcessTokenEx + B 77815DB3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtOpenThread + 6 77815E0E 4 Bytes [68, 01, 11, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtOpenThread + B 77815E13 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtOpenThreadToken + 6 77815E1E 4 Bytes [68, 02, 11, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtOpenThreadToken + B 77815E23 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtOpenThreadTokenEx + 6 77815E2E 4 Bytes CALL 76816F35 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtOpenThreadTokenEx + B 77815E33 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtQueryAttributesFile + 6 77815F3E 4 Bytes [A8, 00, 11, 00] {TEST AL, 0x0; ADC [EAX], EAX}
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtQueryAttributesFile + B 77815F43 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtQueryFullAttributesFile + 6 77815FEE 4 Bytes CALL 768170F3 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtQueryFullAttributesFile + B 77815FF3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtSetInformationFile + 6 7781663E 4 Bytes [28, 01, 11, 00] {SUB [ECX], AL; ADC [EAX], EAX}
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtSetInformationFile + B 77816643 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtSetInformationThread + 6 7781669E 4 Bytes [28, 02, 11, 00] {SUB [EDX], AL; ADC [EAX], EAX}
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtSetInformationThread + B 778166A3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtUnmapViewOfSection + 6 778169BE 1 Byte [68]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtUnmapViewOfSection + 6 778169BE 4 Bytes [68, 03, 11, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2768] ntdll.dll!NtUnmapViewOfSection + B 778169C3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtCreateFile + 6 778155CE 4 Bytes [28, 00, 44, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtCreateFile + B 778155D3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtMapViewOfSection + 6 77815C2E 1 Byte [28]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtMapViewOfSection + 6 77815C2E 4 Bytes [28, 03, 44, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtMapViewOfSection + B 77815C33 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtOpenFile + 6 77815CDE 4 Bytes [68, 00, 44, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtOpenFile + B 77815CE3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtOpenProcess + 6 77815D8E 4 Bytes [A8, 01, 44, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtOpenProcess + B 77815D93 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtOpenProcessToken + 6 77815D9E 4 Bytes CALL 7681A1A4 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtOpenProcessToken + B 77815DA3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtOpenProcessTokenEx + 6 77815DAE 4 Bytes [A8, 02, 44, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtOpenProcessTokenEx + B 77815DB3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtOpenThread + 6 77815E0E 4 Bytes [68, 01, 44, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtOpenThread + B 77815E13 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtOpenThreadToken + 6 77815E1E 4 Bytes [68, 02, 44, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtOpenThreadToken + B 77815E23 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtOpenThreadTokenEx + 6 77815E2E 4 Bytes CALL 7681A235 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtOpenThreadTokenEx + B 77815E33 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtQueryAttributesFile + 6 77815F3E 4 Bytes [A8, 00, 44, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtQueryAttributesFile + B 77815F43 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtQueryFullAttributesFile + 6 77815FEE 4 Bytes CALL 7681A3F3 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtQueryFullAttributesFile + B 77815FF3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtSetInformationFile + 6 7781663E 4 Bytes [28, 01, 44, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtSetInformationFile + B 77816643 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtSetInformationThread + 6 7781669E 4 Bytes [28, 02, 44, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtSetInformationThread + B 778166A3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtUnmapViewOfSection + 6 778169BE 1 Byte [68]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtUnmapViewOfSection + 6 778169BE 4 Bytes [68, 03, 44, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[2848] ntdll.dll!NtUnmapViewOfSection + B 778169C3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtCreateFile + 6 778155CE 4 Bytes [28, 00, 1C, 00] {SUB [EAX], AL; SBB AL, 0x0}
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtCreateFile + B 778155D3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtMapViewOfSection + 6 77815C2E 1 Byte [28]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtMapViewOfSection + 6 77815C2E 4 Bytes [28, 03, 1C, 00] {SUB [EBX], AL; SBB AL, 0x0}
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtMapViewOfSection + B 77815C33 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtOpenFile + 6 77815CDE 4 Bytes [68, 00, 1C, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtOpenFile + B 77815CE3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtOpenProcess + 6 77815D8E 4 Bytes [A8, 01, 1C, 00] {TEST AL, 0x1; SBB AL, 0x0}
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtOpenProcess + B 77815D93 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtOpenProcessToken + 6 77815D9E 4 Bytes CALL 768179A4 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtOpenProcessToken + B 77815DA3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtOpenProcessTokenEx + 6 77815DAE 4 Bytes [A8, 02, 1C, 00] {TEST AL, 0x2; SBB AL, 0x0}
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtOpenProcessTokenEx + B 77815DB3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtOpenThread + 6 77815E0E 4 Bytes [68, 01, 1C, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtOpenThread + B 77815E13 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtOpenThreadToken + 6 77815E1E 4 Bytes [68, 02, 1C, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtOpenThreadToken + B 77815E23 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtOpenThreadTokenEx + 6 77815E2E 4 Bytes CALL 76817A35 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtOpenThreadTokenEx + B 77815E33 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtQueryAttributesFile + 6 77815F3E 4 Bytes [A8, 00, 1C, 00] {TEST AL, 0x0; SBB AL, 0x0}
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtQueryAttributesFile + B 77815F43 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtQueryFullAttributesFile + 6 77815FEE 4 Bytes CALL 76817BF3 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtQueryFullAttributesFile + B 77815FF3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtSetInformationFile + 6 7781663E 4 Bytes [28, 01, 1C, 00] {SUB [ECX], AL; SBB AL, 0x0}
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtSetInformationFile + B 77816643 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtSetInformationThread + 6 7781669E 4 Bytes [28, 02, 1C, 00] {SUB [EDX], AL; SBB AL, 0x0}
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtSetInformationThread + B 778166A3 1 Byte [E2]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtUnmapViewOfSection + 6 778169BE 1 Byte [68]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtUnmapViewOfSection + 6 778169BE 4 Bytes [68, 03, 1C, 00]
.text C:\Users\Tomco_HP\AppData\Local\Google\Chrome\Application\chrome.exe[3052] ntdll.dll!NtUnmapViewOfSection + B 778169C3 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000005f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library c:\windows\system32\n (*** hidden *** ) @ C:\windows\Explorer.EXE [1352] 0x45670000
Library c:\windows\system32\n (*** hidden *** ) @ C:\windows\system32\NOTEPAD.EXE [1640] 0x45670000
Library c:\windows\system32\n (*** hidden *** ) @ C:\windows\system32\NOTEPAD.EXE [3696] 0x45670000
Library c:\windows\system32\n (*** hidden *** ) @ C:\windows\system32\notepad.exe [3864] 0x45670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f395f6a1ff
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52af6cc4dc
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52af6cc4dc@0018913e6c32 0x7E 0xC8 0x40 0xD2 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f395f6a1ff (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52af6cc4dc (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52af6cc4dc@0018913e6c32 0x7E 0xC8 0x40 0xD2 ...

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  Ark.txt   20.33KB   2 downloads
  • Attached File  DDS.txt   15.32KB   0 downloads

Edited by lwells, 12 August 2012 - 05:36 PM.
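As an added example, not part of the thread and not a GMER or FRST feature: a small Python triage script that reads the two log formats posted here and flags the indicators a responder would pull out of them, namely the hidden `c:\windows\system32\n` module GMER reports inside Explorer and Notepad, the rundll32 Run entries that load DLLs from AppData\Roaming, the `__ASH` (hidden + system) attributes on one of those DLLs, and the 32-hex-character folder under All Users that appear in the FRST log lwells posts later in the thread. The rule names and heuristics are my assumptions; the sample lines are copied from the logs in this thread, and the per-process chrome.exe ntdll hook lines are deliberately not treated as indicators.

```python
"""Triage helper for the GMER and FRST log lines seen in this thread.

Heuristics (assumed, not GMER/FRST rules):
  * GMER 'Library ... (*** hidden *** )' entries: a module mapped into a
    process but hidden from normal enumeration.
  * FRST Run entries that launch a DLL through rundll32 from a
    user-writable path (AppData, All Users, ProgramData).
  * FRST file entries with Hidden and System attributes under such a path.
  * FRST directory entries whose name is exactly 32 hex characters.
"""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (rule name, detail)

# Constructed sample: lines copied from the GMER and FRST logs in this thread.
SAMPLE_LOG = r"""
Library c:\windows\system32\n (*** hidden *** ) @ C:\windows\Explorer.EXE [1352] 0x45670000
Library c:\windows\system32\n (*** hidden *** ) @ C:\windows\system32\NOTEPAD.EXE [1640] 0x45670000
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1791272 2010-06-04] (Synaptics Incorporated)
HKU\Tomco_HP\...\Run: [Google Update] "C:\Users\Tomco_HP\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-07-24] (Google Inc.)
HKU\Tomco_HP\...\Run: [kxypev] rundll32.exe "C:\Users\Tomco_HP\AppData\Roaming\kxypev.dll",PSTCreateTypeSubType_NoUI [174080 2012-08-12] (Crytek)
HKU\Tomco_HP\...\Run: [wmslap] "C:\Windows\System32\rundll32.exe" "C:\Users\Tomco_HP\AppData\Roaming\wmslap.dll",_Contains [452096 2012-08-12] (C-Media Electronics Inc.)
2012-08-13 14:14 - 2012-08-13 14:14 - 00000000 ____D C:\FRST
2012-08-12 06:50 - 2012-08-12 06:50 - 00000000 ____D C:\Users\All Users\036E1BAFFB0508B1000964D2F875EF7E
2012-08-12 06:49 - 2012-08-12 06:50 - 00452096 ____A (C-Media Electronics Inc.) C:\Users\Tomco_HP\AppData\Roaming\wmslap.dll
2012-08-12 06:49 - 2012-08-12 06:48 - 00174080 __ASH (Crytek) C:\Users\Tomco_HP\AppData\Roaming\kxypev.dll
"""

# GMER process section: "Library <path> (*** hidden *** ) @ <host> [<pid>] <base>"
HIDDEN_LIB_RE = re.compile(
    r"^Library (?P<path>.+?) \(\*\*\* hidden \*\*\* \) @ (?P<host>.+?) \[(?P<pid>\d+)\] (?P<base>0x[0-9A-Fa-f]+)$")
# FRST registry section: "<hive>\...\Run: [<name>] <command> [<size> <date>] (<vendor>)"
RUN_RE = re.compile(
    r"^(?P<hive>HK[^\[]*?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]")
# FRST file section: "<created> - <modified> - <size> <attrs> [(<vendor>)] <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) (?:\((?P<vendor>[^)]*)\) )?(?P<path>.+)$")
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|All Users|ProgramData)\\", re.IGNORECASE)
HEX_DIR_RE = re.compile(r"\\[0-9A-Fa-f]{32}$")


def check_gmer_hidden_module(line: str) -> Optional[Finding]:
    """A module GMER could see mapped in a process but not in its module list."""
    m = HIDDEN_LIB_RE.match(line)
    if not m:
        return None
    return ("hidden-module", f"{m['path']} hidden in {m['host']} (pid {m['pid']})")


def check_run_entry(line: str) -> Optional[Finding]:
    """Autorun that hands a DLL in a user-writable folder to rundll32."""
    m = RUN_RE.match(line)
    if not m:
        return None
    cmd = m["cmd"]
    if "rundll32" in cmd.lower() and USER_WRITABLE_RE.search(cmd):
        return ("rundll32-autorun-user-path", f"{m['hive']} Run [{m['name']}]: {cmd}")
    return None


def check_file_entry(line: str) -> Optional[Finding]:
    """Hidden+System files in user-writable paths, and 32-hex-char directories."""
    m = FILE_RE.match(line)
    if not m:
        return None
    attrs, path = m["attrs"], m["path"]
    if "S" in attrs and "H" in attrs and USER_WRITABLE_RE.search(path):
        return ("hidden-system-file-user-path", f"{path} (attrs {attrs})")
    if attrs.endswith("D") and HEX_DIR_RE.search(path):
        return ("hex-named-dir", path)
    return None


CHECKS = (check_gmer_hidden_module, check_run_entry, check_file_entry)


def triage(log_text: str) -> List[Finding]:
    """Run every check over every non-empty line; first matching check wins."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            hit = check(line)
            if hit:
                findings.append(hit)
                break
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```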




#2 CatByte

  • Malware Response Team


Posted 13 August 2012 - 10:49 AM

please run the following:

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Then:
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • now press the search button
  • when the search is complete, search.txt will also be written to your USB
  • type exit and reboot the computer normally
  • please copy and paste both logs in your reply (FRST.txt and Search.txt)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 lwells

  • Topic Starter


Posted 13 August 2012 - 02:09 PM

Hello Bleepin' Curls,
I am responding from a clean PC.
The infected laptop boots ok,
I have the ethernet turned off. If I turn it on the Trojan starts its funny business.
I have Windows Defender off.

Is it ok that the frst.exe was in a subdir of the USB(H:\"Virus Tool")?
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 10-08-2012
Ran by SYSTEM at 13-08-2012 13:55:49
Running from H:\Virus Repair
(X86) OS Language: English(US)
Attention: Could not load system hive.Attention: System hive is missing.

========================== Registry (Whitelisted) =============

Attention: Software hive is missing.

HKLM\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell] [x ] ()

================================ Services (Whitelisted) ==================


========================== Drivers (Whitelisted) =============


========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============


============ 3 Months Modified Files ========================


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 1782.43 MB
Available physical RAM: 1463.82 MB
Total Pagefile: 1782.43 MB
Available Pagefile: 1462.71 MB
Total Virtual: 2047.88 MB
Available Virtual: 1962.62 MB

======================= Partitions =========================

1 Drive d: () (Fixed) (Total:280.8 GB) (Free:188.19 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (HP_RECOVERY) (Fixed) (Total:15 GB) (Free:4.23 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:1.99 GB) (Free:1.49 GB) FAT32
5 Drive h: () (Removable) (Total:3.81 GB) (Free:1.75 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.29 GB) (Free:0.25 GB) NTFS ==>[System with boot components (obtained from reading drive)]

======================= End Of Log ==========================

Farbar Recovery Scan Tool Version: 10-08-2012
Ran by SYSTEM at 2012-08-13 13:56:39
Running from H:\Virus Repair

================== Search: "services.exe" ===================

=== End Of Search ===
Thanks,
LWells

#4 lwells

  • Topic Starter


Posted 13 August 2012 - 02:18 PM

Sorry,
I answered my own question. Ignore logs in previous reply.
New Logs shortly

#5 lwells

  • Topic Starter


Posted 13 August 2012 - 02:21 PM

Correct Logs>
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 10-08-2012
Ran by SYSTEM at 13-08-2012 14:14:13
Running from H:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [HPPowerAssistant] C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe /hidden [1691192 2010-08-23] (Hewlett-Packard Company)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1791272 2010-06-04] (Synaptics Incorporated)
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-08-05] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [495708 2010-01-28] (IDT, Inc.)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKU\Tomco_HP\...\Run: [Google Update] "C:\Users\Tomco_HP\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-07-24] (Google Inc.)
HKU\Tomco_HP\...\Run: [kxypev] rundll32.exe "C:\Users\Tomco_HP\AppData\Roaming\kxypev.dll",PSTCreateTypeSubType_NoUI [174080 2012-08-12] (Crytek)
HKU\Tomco_HP\...\Run: [wmslap] "C:\Windows\System32\rundll32.exe" "C:\Users\Tomco_HP\AppData\Roaming\wmslap.dll",_Contains [452096 2012-08-12] (C-Media Electronics Inc.)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe, [x]
Winlogon\Notify\DeviceNP: DeviceNP.dll (Hewlett-Packard Limited)
Lsa: [Notification Packages] DPPassFilter
scecli

================================ Services (Whitelisted) ==================

3 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
2 AESTFilters; C:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9b219d80a8843bf8\aestsrv.exe [81920 2009-03-03] (Andrea Electronics Corporation)
2 BFLS_Server_Service; C:\Program Files\Bizerba\BFLS\bfls_server_service.exe [1269760 2008-01-22] (Bizerba)
3 BFLS_System_Service; C:\Program Files\Bizerba\BFLS\bfls_system_service.exe [131072 2007-07-05] ()
2 btwdins; C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe [656672 2010-06-08] (Broadcom Corporation.)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 HP Health Check Service; "C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [121344 2010-06-30] (Hewlett-Packard Company)
2 HP Power Assistant Service; "C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe" [103992 2010-08-23] (Hewlett-Packard Company)
2 HP Wireless Assistant Service; "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe" [102968 2010-01-27] (Hewlett-Packard)
2 HPFSService; C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe [297984 2010-01-19] (Hewlett-Packard)
2 hpHotkeyMonitor; "C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe" [264248 2010-03-01] (Hewlett-Packard Company)
2 NIS; "C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe" /s "NIS" /m "C:\Program Files\Norton Internet Security\Engine\18.7.2.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)
2 Pervasive.SQL (relational); C:\PVSW\bin\w3sqlmgr.exe [28724 2006-05-18] (Pervasive Software Inc.)
2 Pervasive.SQL (transactional); C:\PVSW\bin\ntbtrv.exe [69680 2006-05-18] ()
2 STacSV; C:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9b219d80a8843bf8\STacSV.exe [229458 2010-01-28] (IDT, Inc.)
2 uArcCapture; C:\windows\system32\uArcCapture.exe [506472 2009-12-04] (ArcSoft, Inc.)
2 vcsFPService; C:\windows\system32\vcsFPService.exe [1664304 2010-02-18] (Validity Sensors, Inc.)
2 DpHost; c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe [x]
3 FLCDLOCK; c:\Windows\system32\flcdlock.exe [x]
2 HP ProtectTools Service; "c:\Program Files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe" [x]
2 HPDayStarterService; "c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe" [x]
2 HpFkCryptService; "c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe" [x]
2 PSI_SVC_2; "c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [x]

========================== Drivers (Whitelisted) =============

3 Afc; C:\Windows\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.)
3 akshasp; C:\Windows\System32\DRIVERS\akshasp.sys [238208 2011-02-09] (Aladdin Knowledge Systems Ltd.)
3 aksusb; C:\Windows\System32\DRIVERS\aksusb.sys [16512 2011-08-09] (SafeNet Inc.)
3 ARCVCAM; C:\Windows\System32\DRIVERS\ArcSoftVCapture.sys [29824 2009-12-04] (ArcSoft, Inc.)
1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20100810.004\BHDrvx86.sys [692272 2010-08-08] (Symantec Corporation)
3 btwampfl; C:\Windows\System32\drivers\btwampfl.sys [294952 2010-06-09] (Broadcom Corporation.)
3 DAMDrv; C:\Windows\System32\DRIVERS\DAMDrv.sys [32312 2009-10-21] (Hewlett-Packard Development Company L.P.)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [371248 2010-08-13] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [102448 2010-08-13] (Symantec Corporation)
2 hardlock; \??\C:\windows\system32\drivers\hardlock.sys [596424 2011-09-08] (SafeNet Inc.)
2 Haspnt; \??\C:\windows\system32\drivers\Haspnt.sys [47616 2012-04-19] (Aladdin Knowledge Systems)
1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20100706.002\IDSVix86.sys [344112 2010-06-26] (Symantec Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20100813.009\NAVENG.SYS [85424 2010-08-13] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20100813.009\NAVEX15.SYS [1362608 2010-08-13] (Symantec Corporation)
3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [734208 2009-05-25] (Ralink Technology Corp.)
1 RsvLock; C:\Windows\System32\Drivers\RsvLock.sys [40088 2010-01-26] (McAfee, Inc.)
3 rtsuvc; C:\Windows\System32\DRIVERS\rtsuvc.sys [78848 2010-05-20] (Realtek Semiconductor Corp.)
0 SafeBoot; C:\Windows\System32\Drivers\SafeBoot.sys [110520 2010-01-26] (McAfee, Inc.)
0 SbAlg; C:\Windows\System32\Drivers\SbAlg.sys [51800 2010-01-26] (McAfee, Inc.)
0 SbFsLock; C:\Windows\System32\Drivers\SbFsLock.sys [13256 2010-01-26] (McAfee, Inc.)
3 SRTSP; C:\Windows\System32\Drivers\NIS\1207020.003\SRTSP.SYS [516216 2011-03-30] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NIS\1207020.003\SRTSPX.SYS [50168 2011-03-30] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NIS\1207020.003\SYMDS.SYS [340088 2011-01-26] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NIS\1207020.003\SYMEFA.SYS [744568 2011-03-14] (Symantec Corporation)
3 SymEvent; \??\C:\windows\system32\Drivers\SYMEVENT.SYS [126584 2012-02-13] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NIS\1207020.003\Ironx86.SYS [136312 2011-01-26] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\NIS\1207020.003\SYMNETS.SYS [299640 2011-04-20] (Symantec Corporation)
3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [172416 2010-11-20] (Microsoft Corporation)
1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [48128 2010-11-20] (Microsoft Corporation)
3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2010-11-20] (Microsoft Corporation)
1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [296064 2010-11-20] (Microsoft Corporation)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-13 14:14 - 2012-08-13 14:14 - 00000000 ____D C:\FRST
2012-08-12 18:32 - 2012-08-12 18:34 - 00000000 ____D C:\Users\Tomco_HP\Desktop\VirusTools
2012-08-12 18:28 - 2012-08-12 18:35 - 00000000 ____D C:\Users\Tomco_HP\Desktop\TCPIPview
2012-08-12 18:04 - 2012-08-12 18:04 - 00291606 ____A C:\Users\Tomco_HP\Downloads\TCPView.zip
2012-08-12 10:58 - 2012-08-12 10:58 - 00881494 ____A C:\Users\Tomco_HP\Downloads\SecurityCheck.exe
2012-08-12 10:48 - 2012-08-12 10:48 - 00000478 ____A C:\Users\Tomco_HP\Downloads\defogger_disable.log
2012-08-12 10:48 - 2012-08-12 10:48 - 00000000 ____A C:\Users\Tomco_HP\defogger_reenable
2012-08-12 10:47 - 2012-08-12 10:47 - 00050477 ____A C:\Users\Tomco_HP\Downloads\Defogger.exe
2012-08-12 08:59 - 2012-08-12 08:59 - 00000000 ____D C:\Program Files\Advanced IP Scanner
2012-08-12 06:50 - 2012-08-12 06:50 - 00000000 ____D C:\Users\Tomco_HP\AppData\Local\{FB06B986-E48C-11E1-8270-B8AC6F996F26}
2012-08-12 06:50 - 2012-08-12 06:50 - 00000000 ____D C:\Users\All Users\036E1BAFFB0508B1000964D2F875EF7E
2012-08-12 06:49 - 2012-08-12 06:50 - 00452096 ____A (C-Media Electronics Inc.) C:\Users\Tomco_HP\AppData\Roaming\wmslap.dll
2012-08-12 06:49 - 2012-08-12 06:48 - 00174080 __ASH (Crytek) C:\Users\Tomco_HP\AppData\Roaming\kxypev.dll
2012-07-29 18:35 - 2012-07-29 18:39 - 00000000 ____D C:\Users\Tomco_HP\Desktop\Restoring Love
2012-07-26 12:05 - 2012-07-26 12:06 - 08683262 ____A C:\Users\Tomco_HP\Downloads\1AD1Z7H732_61068117171 (2).zip
2012-07-26 12:00 - 2012-07-26 12:02 - 08683262 ____A C:\Users\Tomco_HP\Downloads\1AD1Z7H732_61068117171 (1).zip
2012-07-25 15:51 - 2012-07-25 15:51 - 00318904 ____A (Microsoft Corporation) C:\Users\Tomco_HP\Downloads\wmpfirefoxplugin (2).exe
2012-07-25 15:36 - 2012-07-25 15:36 - 00318904 ____A (Microsoft Corporation) C:\Users\Tomco_HP\Downloads\wmpfirefoxplugin (1).exe
2012-07-25 14:44 - 2012-07-25 14:44 - 00000000 ____D C:\PFiles
2012-07-25 14:43 - 2012-07-25 14:43 - 00318904 ____A (Microsoft Corporation) C:\Users\Tomco_HP\Downloads\wmpfirefoxplugin.exe
2012-07-24 15:09 - 2012-08-13 10:19 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1533287311-4156738050-4180187752-1001UA.job
2012-07-24 15:09 - 2012-08-11 15:28 - 00000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1533287311-4156738050-4180187752-1001Core.job
2012-07-24 15:09 - 2012-07-24 15:12 - 00000000 ____D C:\Users\Tomco_HP\AppData\Local\Google
2012-07-23 06:44 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-23 06:44 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-23 06:44 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-23 06:44 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-23 06:44 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-23 06:44 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-23 06:44 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-23 06:44 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-23 06:44 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-23 06:44 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-23 06:44 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-23 06:44 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-23 06:44 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-23 06:44 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-23 06:41 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-23 06:40 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-23 06:40 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-23 06:40 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-23 06:40 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-23 06:40 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-23 06:40 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-23 06:40 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-23 06:40 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-23 06:40 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-23 06:40 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-07-23 06:40 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-07-23 06:40 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-07-23 06:40 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-19 09:38 - 2012-07-19 08:58 - 00380928 ____A C:\Users\Tomco_HP\Desktop\WalMartStores 2012.ptm
2012-07-19 07:48 - 2012-07-19 07:48 - 00000000 ____D C:\Program Files\Winwaed Software Technology LLC
2012-07-19 07:48 - 2012-07-19 07:31 - 00102550 ____A C:\Users\Tomco_HP\Desktop\examples.zip
2012-07-19 07:48 - 2012-07-19 07:28 - 03250176 ____A C:\Users\Tomco_HP\Desktop\MPMileageSetup.msi
2012-07-15 11:42 - 2012-07-15 11:42 - 00018101 ____A C:\Users\Tomco_HP\Desktop\Copy of Edit of SunflowerStoreSystemsConversion_BizerbaServiceSchedule_dis copy.xlsx
2012-07-15 07:55 - 2012-07-15 07:55 - 00000000 ____D C:\Users\Tomco_HP\Desktop\image

============ 3 Months Modified Files ========================

2012-08-13 11:10 - 2009-07-13 20:34 - 00020944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-13 11:10 - 2009-07-13 20:34 - 00020944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-13 11:07 - 2010-12-08 06:54 - 00778556 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-13 11:02 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-13 11:02 - 2009-07-13 20:39 - 00077108 ____A C:\Windows\setupact.log
2012-08-13 10:37 - 2012-05-15 16:57 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-13 10:19 - 2012-07-24 15:09 - 00000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1533287311-4156738050-4180187752-1001UA.job
2012-08-13 07:39 - 2011-05-29 02:06 - 01204576 ____A C:\Windows\WindowsUpdate.log
2012-08-12 18:04 - 2012-08-12 18:04 - 00291606 ____A C:\Users\Tomco_HP\Downloads\TCPView.zip
2012-08-12 10:58 - 2012-08-12 10:58 - 00881494 ____A C:\Users\Tomco_HP\Downloads\SecurityCheck.exe
2012-08-12 10:48 - 2012-08-12 10:48 - 00000478 ____A C:\Users\Tomco_HP\Downloads\defogger_disable.log
2012-08-12 10:48 - 2012-08-12 10:48 - 00000000 ____A C:\Users\Tomco_HP\defogger_reenable
2012-08-12 10:47 - 2012-08-12 10:47 - 00050477 ____A C:\Users\Tomco_HP\Downloads\Defogger.exe
2012-08-12 06:50 - 2012-08-12 06:49 - 00452096 ____A (C-Media Electronics Inc.) C:\Users\Tomco_HP\AppData\Roaming\wmslap.dll
2012-08-12 06:48 - 2012-08-12 06:49 - 00174080 __ASH (Crytek) C:\Users\Tomco_HP\AppData\Roaming\kxypev.dll
2012-08-11 15:28 - 2012-07-24 15:09 - 00000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1533287311-4156738050-4180187752-1001Core.job
2012-08-02 15:41 - 2012-05-15 16:57 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-02 15:41 - 2012-02-18 19:04 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-30 15:51 - 2012-02-20 12:31 - 00009738 ____A C:\Windows\pvsw.log
2012-07-26 12:06 - 2012-07-26 12:05 - 08683262 ____A C:\Users\Tomco_HP\Downloads\1AD1Z7H732_61068117171 (2).zip
2012-07-26 12:02 - 2012-07-26 12:00 - 08683262 ____A C:\Users\Tomco_HP\Downloads\1AD1Z7H732_61068117171 (1).zip
2012-07-25 15:51 - 2012-07-25 15:51 - 00318904 ____A (Microsoft Corporation) C:\Users\Tomco_HP\Downloads\wmpfirefoxplugin (2).exe
2012-07-25 15:36 - 2012-07-25 15:36 - 00318904 ____A (Microsoft Corporation) C:\Users\Tomco_HP\Downloads\wmpfirefoxplugin (1).exe
2012-07-25 14:43 - 2012-07-25 14:43 - 00318904 ____A (Microsoft Corporation) C:\Users\Tomco_HP\Downloads\wmpfirefoxplugin.exe
2012-07-23 06:50 - 2009-07-13 20:33 - 00413280 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-23 06:42 - 2012-02-17 18:13 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-19 08:58 - 2012-07-19 09:38 - 00380928 ____A C:\Users\Tomco_HP\Desktop\WalMartStores 2012.ptm
2012-07-19 07:31 - 2012-07-19 07:48 - 00102550 ____A C:\Users\Tomco_HP\Desktop\examples.zip
2012-07-19 07:28 - 2012-07-19 07:48 - 03250176 ____A C:\Users\Tomco_HP\Desktop\MPMileageSetup.msi
2012-07-18 06:26 - 2012-07-07 09:50 - 00015452 ____A C:\Users\Tomco_HP\Documents\Plating Guide.xlsx
2012-07-15 11:42 - 2012-07-15 11:42 - 00018101 ____A C:\Users\Tomco_HP\Desktop\Copy of Edit of SunflowerStoreSystemsConversion_BizerbaServiceSchedule_dis copy.xlsx
2012-07-10 14:43 - 2012-02-13 18:05 - 00011228 ____A C:\Windows\PFRO.log
2012-07-01 03:31 - 2012-01-23 05:45 - 00824320 ____A C:\Users\Tomco_HP\Desktop\HEB.BIZERBA.INVENTORY 5-15-12.xls
2012-07-01 03:17 - 2012-06-26 17:33 - 00038400 ____A C:\Users\Tomco_HP\Desktop\SunflowerStoreSystemsConversion_BizerbaServiceSchedule_dis copy.xls
2012-06-29 15:41 - 2012-06-29 15:00 - 00070313 ____A C:\Users\Tomco_HP\Documents\PTC_Offers_6-29-2012 zip 75165.xlsx
2012-06-29 15:38 - 2012-06-29 15:38 - 00102182 ____A C:\Users\Tomco_HP\Documents\PTC_Offers_6-29-2012 zip Code 76104.csv
2012-06-29 15:38 - 2012-06-29 15:38 - 00052731 ____A C:\Users\Tomco_HP\Documents\PTC_Offers_6-29-2012 Zip Code 76104.xlsx
2012-06-29 15:36 - 2012-06-29 15:33 - 00225307 ____A C:\Users\Tomco_HP\Documents\PTC_AllOffers_6-29-2012 All Zip Codes.xlsx
2012-06-29 15:32 - 2012-06-29 15:32 - 00625521 ____A C:\Users\Tomco_HP\Documents\PTC_AllOffers_6-29-2012 all zip codes.csv
2012-06-28 18:34 - 2012-06-28 18:34 - 00002328 ____A C:\Users\Tomco_HP\Documents\dnsbenchmark.ini
2012-06-28 18:32 - 2012-06-28 18:32 - 00002316 ____A C:\Users\Tomco_HP\Downloads\DNSBench.ini
2012-06-12 03:21 - 2012-07-10 08:42 - 00292793 ____A C:\Users\Tomco_HP\Desktop\WlanUsbRt3572LinuxDriver_V1.03_B020_61066611103.zip
2012-06-12 03:21 - 2012-07-10 08:41 - 00802754 ____A C:\Users\Tomco_HP\Desktop\drivers_v332_b0072_lin_61997850332.zip
2012-06-11 18:40 - 2012-07-23 06:41 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 20:41 - 2012-07-23 06:40 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 18:51 - 2012-06-08 18:51 - 00660240 ____A C:\Users\Tomco_HP\Downloads\FLVPlayerSetup.exe
2012-06-05 21:05 - 2012-07-23 06:40 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-23 06:40 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-23 06:40 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 16:09 - 2012-06-05 16:09 - 01103656 ____A C:\Users\Tomco_HP\Desktop\Odessa Errors.xlsx
2012-06-05 15:27 - 2012-06-05 15:27 - 01110476 ____A C:\Users\Tomco_HP\Downloads\7z920.exe
2012-06-02 14:47 - 2012-06-02 14:26 - 00000003 ____A C:\Users\Tomco_HP\AppData\Roaming\userdict-csj
2012-06-02 14:19 - 2012-06-22 16:46 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-22 16:46 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-22 16:46 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-22 16:46 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-22 16:46 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-22 16:46 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-22 16:46 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-22 16:46 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:12 - 2012-06-22 16:46 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-23 06:44 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-23 06:44 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-23 06:44 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-23 06:44 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-23 06:44 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-23 06:44 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-23 06:44 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-23 06:44 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-23 06:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-23 06:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-23 06:44 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-23 06:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-23 06:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-23 06:44 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:45 - 2012-07-23 06:40 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-23 06:40 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-23 06:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-23 06:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-23 06:40 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-31 09:25 - 2012-02-13 11:22 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-05-16 18:02 - 2012-05-16 17:55 - 98977792 ____A C:\Users\Tomco_HP\Downloads\FreeNAS-8.0.4-RELEASE-p2-x86.iso


ZeroAccess:
C:\Users\Tomco_HP\AppData\Local\{82cf78cd-3273-5450-7215-1006348b8d21}
C:\Users\Tomco_HP\AppData\Local\{82cf78cd-3273-5450-7215-1006348b8d21}\@
C:\Users\Tomco_HP\AppData\Local\{82cf78cd-3273-5450-7215-1006348b8d21}\L
C:\Users\Tomco_HP\AppData\Local\{82cf78cd-3273-5450-7215-1006348b8d21}\n
C:\Users\Tomco_HP\AppData\Local\{82cf78cd-3273-5450-7215-1006348b8d21}\U
C:\Users\Tomco_HP\AppData\Local\{82cf78cd-3273-5450-7215-1006348b8d21}\U\80000000.@
C:\Users\Tomco_HP\AppData\Local\{82cf78cd-3273-5450-7215-1006348b8d21}\U\800000cb.@

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 23%
Total physical RAM: 1782.43 MB
Available physical RAM: 1365.85 MB
Total Pagefile: 1782.43 MB
Available Pagefile: 1367.45 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.3 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:280.8 GB) (Free:188.13 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (HP_RECOVERY) (Fixed) (Total:15 GB) (Free:4.23 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:1.99 GB) (Free:1.49 GB) FAT32
5 Drive h: () (Removable) (Total:3.81 GB) (Free:1.75 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.29 GB) (Free:0.25 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 3912 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 300 MB 1024 KB
Partition 2 Primary 280 GB 301 MB
Partition 3 Primary 15 GB 281 GB
Partition 4 Primary 2043 MB 296 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 300 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 280 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E HP_RECOVERY NTFS Partition 15 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F HP_TOOLS FAT32 Partition 2043 MB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 3912 MB 0 B

==================================================================================

Disk: 1
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

==================================================================================

Last Boot: 2012-08-10 04:03

======================= End Of Log ==========================

Farbar Recovery Scan Tool Version: 10-08-2012
Ran by SYSTEM at 2012-08-13 14:16:30
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===
LWells

#6 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 13 August 2012 - 02:39 PM

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

start
HKU\Tomco_HP\...\Run: [kxypev] rundll32.exe "C:\Users\Tomco_HP\AppData\Roaming\kxypev.dll",PSTCreateTypeSubType_NoUI [174080 2012-08-12] (Crytek)
HKU\Tomco_HP\...\Run: [wmslap] "C:\Windows\System32\rundll32.exe" "C:\Users\Tomco_HP\AppData\Roaming\wmslap.dll",_Contains [452096 2012-08-12] (C-Media Electronics Inc.)
2012-08-12 06:50 - 2012-08-12 06:50 - 00000000 ____D C:\Users\Tomco_HP\AppData\Local\{FB06B986-E48C-11E1-8270-B8AC6F996F26}
2012-08-12 06:50 - 2012-08-12 06:50 - 00000000 ____D C:\Users\All Users\036E1BAFFB0508B1000964D2F875EF7E
2012-08-12 06:49 - 2012-08-12 06:50 - 00452096 ____A (C-Media Electronics Inc.) C:\Users\Tomco_HP\AppData\Roaming\wmslap.dll
2012-08-12 06:49 - 2012-08-12 06:48 - 00174080 __ASH (Crytek) C:\Users\Tomco_HP\AppData\Roaming\kxypev.dll
C:\Users\Tomco_HP\AppData\Local\{82cf78cd-3273-5450-7215-1006348b8d21}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 lwells

lwells
  • Topic Starter

  • Members
  • 21 posts

Posted 13 August 2012 - 02:58 PM

Here ya go>
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 10-08-2012
Ran by SYSTEM at 2012-08-13 14:56:41 Run:1
Running from H:\

==============================================

HKEY_USERS\Tomco_HP\Software\Microsoft\Windows\CurrentVersion\Run\\kxypev Value deleted successfully.
HKEY_USERS\Tomco_HP\Software\Microsoft\Windows\CurrentVersion\Run\\wmslap Value deleted successfully.
C:\Users\Tomco_HP\AppData\Local\{FB06B986-E48C-11E1-8270-B8AC6F996F26} moved successfully.
C:\Users\All Users\036E1BAFFB0508B1000964D2F875EF7E moved successfully.
C:\Users\Tomco_HP\AppData\Roaming\wmslap.dll moved successfully.
C:\Users\Tomco_HP\AppData\Roaming\kxypev.dll moved successfully.
C:\Users\Tomco_HP\AppData\Local\{82cf78cd-3273-5450-7215-1006348b8d21} moved successfully.

==== End of Fixlog ====
LWells

#8 lwells

lwells
  • Topic Starter

  • Members
  • 21 posts

Posted 13 August 2012 - 03:32 PM

Here it is. So far so good...

ComboFix 12-08-10.02 - Tomco_HP 08/13/2012 15:04:46.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1782.906 [GMT -5:00]
Running from: c:\users\Tomco_HP\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\pt
c:\windows\system32\pt\DPCont32.dll.mui
.
.
((((((((((((((((((((((((( Files Created from 2012-07-13 to 2012-08-13 )))))))))))))))))))))))))))))))
.
.
2012-08-13 22:14 . 2012-08-13 22:14 -------- d-----w- C:\FRST
2012-08-13 20:12 . 2012-08-13 20:16 -------- d-----w- c:\users\Tomco_HP\AppData\Local\temp
2012-08-13 20:12 . 2012-08-13 20:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-13 20:12 . 2012-08-13 20:12 -------- d-----w- c:\users\BFLS\AppData\Local\temp
2012-08-13 20:00 . 2012-08-13 20:00 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2012-08-13 20:00 . 2012-08-13 20:00 8646 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2012-08-13 20:00 . 2012-08-13 20:00 8613 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2012-08-13 20:00 . 2012-08-13 20:00 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2012-08-13 20:00 . 2012-08-13 20:00 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-08-13 20:00 . 2012-08-13 20:00 5927 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2012-08-13 20:00 . 2012-08-13 20:00 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2012-08-13 19:59 . 2012-08-13 19:59 8288 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2012-08-13 19:59 . 2012-08-13 19:59 6910 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2012-08-13 19:59 . 2012-08-13 19:59 6208 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2012-08-13 19:59 . 2012-08-13 19:59 18541 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2012-08-13 19:59 . 2012-08-13 19:59 1651 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2012-08-13 19:59 . 2012-08-13 19:59 51852 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2012-08-13 19:59 . 2012-08-13 19:59 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2012-08-13 19:59 . 2012-08-13 19:59 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-08-13 19:59 . 2012-08-13 19:59 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-08-13 19:59 . 2012-08-13 19:59 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2012-08-12 16:59 . 2012-08-12 16:59 -------- d-----w- c:\program files\Advanced IP Scanner
2012-08-12 15:19 . 2012-07-16 07:41 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1C46CA28-E6ED-4816-8EE8-C8C5DE9932E3}\mpengine.dll
2012-07-25 22:44 . 2012-07-25 22:44 -------- d-----w- C:\PFiles
2012-07-24 23:09 . 2012-07-24 23:12 -------- d-----w- c:\users\Tomco_HP\AppData\Local\Google
2012-07-23 14:41 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-19 15:48 . 2012-07-19 15:48 -------- d-----w- c:\program files\Winwaed Software Technology LLC
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-02 23:41 . 2012-05-16 00:57 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-02 23:41 . 2012-02-19 03:04 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-23 00:46 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 00:46 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 00:46 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 00:46 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-23 00:46 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-23 00:46 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-23 00:46 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-23 00:46 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:12 . 2012-06-23 00:46 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 17:25 . 2012-02-13 19:22 237072 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe" [2010-08-23 1691192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-04 1791272]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-05 98304]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-01-29 495708]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2009-12-07 19:36 75320 ----a-w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DTRun]
2009-11-19 02:06 518656 ----a-w- c:\program files\Arcsoft\TotalMedia Suite\TotalMedia Theatre 3\uDTRun.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\File Sanitizer]
2010-01-19 19:17 11266048 ----a-w- c:\program files\Hewlett-Packard\File Sanitizer\coreshredder.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWirelessAssistant]
2010-01-27 22:00 8192 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NortonOnlineBackupReminder]
2009-12-03 22:49 3331944 ----a-w- c:\program files\Symantec\Norton Online Backup\Activation\NobuActivation.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QLBController]
2010-03-01 18:26 256056 ----a-w- c:\program files\Hewlett-Packard\HP HotKey Support\QLBController.exe
.
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 BFLS_System_Service;BFLS_System_Service;c:\program files\Bizerba\BFLS\bfls_system_service.exe [x]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys [x]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]
R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [x]
R3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28u.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207020.003\SYMDS.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207020.003\SYMEFA.SYS [x]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20100810.004\BHDrvx86.sys [x]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20100706.002\IDSVix86.sys [x]
S1 RsvLock;RsvLock; [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207020.003\Ironx86.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NIS\1207020.003\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9b219d80a8843bf8\aestsrv.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 BFLS_Server_Service;BFLS_Server_Service;c:\program files\Bizerba\BFLS\bfls_server_service.exe [x]
S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [x]
S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [x]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]
S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe [x]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [x]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [x]
S2 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [x]
S2 Pervasive.SQL (relational);Pervasive.SQL (relational);c:\pvsw\bin\w3sqlmgr.exe [x]
S2 Pervasive.SQL (transactional);Pervasive.SQL (transactional);c:\pvsw\bin\ntbtrv.exe [x]
S2 uArcCapture;ArcCapture;c:\windows\system32\uArcCapture.exe [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 ARCVCAM;ARCVCAM, ArcSoft Webcam Sharing Manager Driver;c:\windows\system32\DRIVERS\ArcSoftVCapture.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 rtsuvc;HP Webcam [2 MP Fixed];c:\windows\system32\DRIVERS\rtsuvc.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-01-22 19:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-16 23:42]
.
2012-08-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1533287311-4156738050-4180187752-1001Core.job
- c:\users\Tomco_HP\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-24 23:09]
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1533287311-4156738050-4180187752-1001UA.job
- c:\users\Tomco_HP\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-24 23:09]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-helpinit - c:\users\Tomco_HP\AppData\Local\Temp\appiator.dll
MSConfigStartUp-PDF Complete - c:\program files\PDF Complete\pdfsty.exe
AddRemove-{FC17E0A7-EAA9-4902-92F8-C83B9FD02246} - c:\program files\InstallShield Installation Information\{FC17E0A7-EAA9-4902-92F8-C83B9FD02246}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(544)
c:\windows\system32\DPFPApi.DLL
.
Completion time: 2012-08-13 15:18:47
ComboFix-quarantined-files.txt 2012-08-13 20:18
.
Pre-Run: 201,874,358,272 bytes free
Post-Run: 201,848,586,240 bytes free
.
- - End Of File - - 1C6FDEE93485E83D96FE71E4CC6E751D
LWells

#9 CatByte (Malware Response Team, 14,664 posts, Canada)

Posted 13 August 2012 - 03:52 PM

Looks better. Just a couple more scans to do to make sure there are no leftovers; please run the following:


Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


NEXT


Please download Farbar Service Scanner and run it
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 lwells (Topic Starter, Members, 21 posts)

Posted 13 August 2012 - 04:20 PM

Mbam Log>
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.13.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Tomco_HP :: TOMCO [administrator]

Protection: Enabled

8/13/2012 4:03:11 PM
mbam-log-2012-08-13 (16-03-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 218600
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Running ESET with options above now.

LWells

#11 lwells (Topic Starter, Members, 21 posts)

Posted 13 August 2012 - 07:12 PM

ESET finished>
C:\FRST\Quarantine\kxypev.dll a variant of Win32/Medfos.CH trojan
C:\FRST\Quarantine\036E1BAFFB0508B1000964D2F875EF7E\036E1BAFFB0508B1000964D2F875EF7E.exe a variant of Win32/Kryptik.AKCX trojan
C:\FRST\Quarantine\{82cf78cd-3273-5450-7215-1006348b8d21}\n Win32/Sirefef.EV trojan
C:\FRST\Quarantine\{82cf78cd-3273-5450-7215-1006348b8d21}\U\80000000.@ a variant of Win32/Sirefef.FA trojan
C:\FRST\Quarantine\{82cf78cd-3273-5450-7215-1006348b8d21}\U\800000cb.@ probably a variant of Win32/Agent.TEO trojan
C:\Program Files\FLVPlayer\FLVPlayer.exe a variant of Win32/InstallCore.A application
C:\Program Files\FLVPlayer\Uninstall\Uninstall.exe a variant of Win32/InstallCore.X application
C:\Users\Tomco_HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000180 HTML/ScrInject.B.Gen virus
C:\Users\Tomco_HP\Documents\Downloads\Downloads\USB_MultiBoot_10\USB_MultiBoot_10\MULTI_CONTENT\wintools\othertools\ProduKey.exe Win32/PSWTool.ProductKey.126 application
C:\Users\Tomco_HP\Documents\Ishida\Symbol AP\tftpd32[1].284.zip a variant of Win32/TFTPD32.B application
C:\Users\Tomco_HP\Documents\Ishida\Symbol AP\Symbol CB 3000 Client Bridge\Symbol AP-5131 Access Point\tftpd32[1].284.zip a variant of Win32/TFTPD32.B application
C:\Users\Tomco_HP\Downloads\FLVPlayerSetup.exe a variant of Win32/InstallCore.X application
C:\Users\Tomco_HP\Downloads\light_image_resizer4_setup_4.1.1.5_linkular.exe Win32/Adware.Linkular.AB application

Running Farbar Service

THANKS!
LWells

#12 lwells (Topic Starter, Members, 21 posts)

Posted 13 August 2012 - 07:19 PM

CatByte,
Here is FSS.txt>
Farbar Service Scanner Version: 06-08-2012
Ran by Tomco_HP (administrator) on 13-08-2012 at 19:15:08
Running from "C:\Users\Tomco_HP\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\windows\system32\nsisvc.dll => MD5 is legit
C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\windows\system32\dhcpcore.dll => MD5 is legit
C:\windows\system32\Drivers\afd.sys => MD5 is legit
C:\windows\system32\Drivers\tdx.sys => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\windows\system32\dnsrslvr.dll => MD5 is legit
C:\windows\system32\mpssvc.dll => MD5 is legit
C:\windows\system32\bfe.dll => MD5 is legit
C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\windows\system32\SDRSVC.dll => MD5 is legit
C:\windows\system32\vssvc.exe => MD5 is legit
C:\windows\system32\wscsvc.dll => MD5 is legit
C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\windows\system32\wuaueng.dll => MD5 is legit
C:\windows\system32\qmgr.dll => MD5 is legit
C:\windows\system32\es.dll => MD5 is legit
C:\windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

How are we doing?
LWells

#13 CatByte (Malware Response Team, 14,664 posts, Canada)

Posted 13 August 2012 - 07:20 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Program Files\FLVPlayer\FLVPlayer.exe 
C:\Program Files\FLVPlayer\Uninstall\Uninstall.exe 
C:\Users\Tomco_HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000180 
C:\Users\Tomco_HP\Documents\Ishida\Symbol AP\tftpd32[1].284.zip 
C:\Users\Tomco_HP\Documents\Ishida\Symbol AP\Symbol CB 3000 Client Bridge\Symbol AP-5131 Access Point\tftpd32[1].284.zip 
C:\Users\Tomco_HP\Downloads\FLVPlayerSetup.exe 
C:\Users\Tomco_HP\Downloads\light_image_resizer4_setup_4.1.1.5_linkular.exe 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot not reproduced]
  • Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT



Please advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
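The ESET export in #11 and the File:: list CatByte built from it in #13 are a manual triage: hits under C:\FRST\Quarantine are files an earlier tool already contained, hits ESET labels "application" are potentially unwanted or dual-use tools (ProduKey, tftpd32) that need a human decision, and the rest are live files to remove. The script below is an added example, not part of the thread and not ESET's or ComboFix's own code: it parses export lines in the shape shown above, applies that triage, and prints the File:: section of a CFScript for the live items only. The input lines are constructed from the paths in #11; the quarantine-root list and the category words in the regex are assumptions (extend both for other tools and other ESET labels).

```powershell
# Added example (not from the thread): triage an ESET Online Scanner text export
# and emit the File:: section of a ComboFix CFScript for the live, non-quarantined hits.
# Constructed input: lines copied in the shape of the export posted in #11.
$esetLines = @(
    'C:\FRST\Quarantine\kxypev.dll a variant of Win32/Medfos.CH trojan',
    'C:\FRST\Quarantine\{82cf78cd-3273-5450-7215-1006348b8d21}\U\80000000.@ a variant of Win32/Sirefef.FA trojan',
    'C:\FRST\Quarantine\{82cf78cd-3273-5450-7215-1006348b8d21}\U\800000cb.@ probably a variant of Win32/Agent.TEO trojan',
    'C:\Program Files\FLVPlayer\FLVPlayer.exe a variant of Win32/InstallCore.A application',
    'C:\Users\Tomco_HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000180 HTML/ScrInject.B.Gen virus',
    'C:\Users\Tomco_HP\Documents\Ishida\Symbol AP\tftpd32[1].284.zip a variant of Win32/TFTPD32.B application'
)

# Folders that already hold contained files. C:\FRST\Quarantine appears in the log;
# assumption: add the quarantine folders of any other tool you have run.
$quarantineRoots = @('C:\FRST\Quarantine')

# <path> [probably ][a variant of ]<Platform>/<Family> <category>
# Assumption: the category words ESET uses in this kind of export.
$pattern = '^(?<path>.+?)\s+(?<threat>(?:probably a variant of |a variant of )?[A-Za-z0-9]+/\S+)\s+(?<category>trojan|virus|worm|application)$'

function Get-EsetTriage {
    param([string[]]$Lines, [string[]]$QuarantineRoots)
    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) {
            # keep unparsed lines visible rather than silently dropping them
            New-Object PSObject -Property @{ Path = $line; Threat = ''; Category = ''; Disposition = 'unparsed' }
            continue
        }
        $path = $Matches['path']; $threat = $Matches['threat']; $category = $Matches['category']
        $inQuarantine = $false
        foreach ($root in $QuarantineRoots) {
            if ($path.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) { $inQuarantine = $true }
        }
        if ($inQuarantine)                   { $disposition = 'already quarantined' }
        elseif ($category -eq 'application') { $disposition = 'PUA or admin tool: decide by hand' }
        else                                 { $disposition = 'live: remove' }
        New-Object PSObject -Property @{ Path = $path; Threat = $threat; Category = $category; Disposition = $disposition }
    }
}

$triage = Get-EsetTriage -Lines $esetLines -QuarantineRoots $quarantineRoots
$triage | Format-Table Disposition, Category, Threat, Path -AutoSize

# CFScript fragment for the live hits only. Whether PUA hits also go in (as some did in #13)
# is a judgement call, so they are deliberately left out here.
$live = $triage | Where-Object { $_.Disposition -eq 'live: remove' } | ForEach-Object { $_.Path }
$cfscript = @('File::') + $live
$cfscript -join "`r`n"
```

With the constructed input this prints three "already quarantined" rows, two "PUA or admin tool" rows and a File:: block containing only the Chrome cache file. Quarantined detections are not a sign the machine is still infected; they are the previous tool's leftovers and should be cleared with that tool's own uninstall or cleanup step rather than listed again for removal.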


#14 lwells (Topic Starter, Members, 21 posts)

Posted 13 August 2012 - 07:48 PM

The infected laptop seems OK. I have not used it to download anything, as I have been using a workstation to download/upload files. The laptop has not been rebooted nor asked to be rebooted since we started. Is there anything I should test?

ComboFix 12-08-13.01 - Tomco_HP 08/13/2012 19:34:41.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1782.883 [GMT -5:00]
Running from: c:\users\Tomco_HP\Desktop\ComboFix.exe
Command switches used :: c:\users\Tomco_HP\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files\FLVPlayer\FLVPlayer.exe"
"c:\program files\FLVPlayer\Uninstall\Uninstall.exe"
"c:\users\Tomco_HP\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000180"
"c:\users\Tomco_HP\Documents\Ishida\Symbol AP\Symbol CB 3000 Client Bridge\Symbol AP-5131 Access Point\tftpd32[1].284.zip"
"c:\users\Tomco_HP\Documents\Ishida\Symbol AP\tftpd32[1].284.zip"
"c:\users\Tomco_HP\Downloads\FLVPlayerSetup.exe"
"c:\users\Tomco_HP\Downloads\light_image_resizer4_setup_4.1.1.5_linkular.exe"
.
.
((((((((((((((((((((((((( Files Created from 2012-07-14 to 2012-08-14 )))))))))))))))))))))))))))))))
.
.
2012-08-14 00:41 . 2012-08-14 00:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-14 00:41 . 2012-08-14 00:41 -------- d-----w- c:\users\BFLS\AppData\Local\temp
2012-08-14 00:41 . 2012-08-14 00:41 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-08-13 22:14 . 2012-08-13 22:14 -------- d-----w- C:\FRST
2012-08-13 21:16 . 2012-08-13 21:16 -------- d-----w- c:\program files\ESET
2012-08-13 21:01 . 2012-08-13 21:01 -------- d-----w- c:\users\Tomco_HP\AppData\Roaming\Malwarebytes
2012-08-13 21:01 . 2012-08-13 21:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-13 21:01 . 2012-08-13 21:01 -------- d-----w- c:\programdata\Malwarebytes
2012-08-13 21:01 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-13 20:18 . 2012-08-14 00:41 -------- d-----w- c:\users\Tomco_HP\AppData\Local\temp
2012-08-13 20:00 . 2012-08-13 20:00 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2012-08-13 20:00 . 2012-08-13 20:00 8646 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2012-08-13 20:00 . 2012-08-13 20:00 8613 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2012-08-13 20:00 . 2012-08-13 20:00 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2012-08-13 20:00 . 2012-08-13 20:00 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-08-13 20:00 . 2012-08-13 20:00 5927 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2012-08-13 20:00 . 2012-08-13 20:00 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2012-08-13 19:59 . 2012-08-13 19:59 8288 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2012-08-13 19:59 . 2012-08-13 19:59 6910 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2012-08-13 19:59 . 2012-08-13 19:59 6208 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2012-08-13 19:59 . 2012-08-13 19:59 18541 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2012-08-13 19:59 . 2012-08-13 19:59 1651 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2012-08-13 19:59 . 2012-08-13 19:59 51852 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2012-08-13 19:59 . 2012-08-13 19:59 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2012-08-13 19:59 . 2012-08-13 19:59 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-08-13 19:59 . 2012-08-13 19:59 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-08-13 19:59 . 2012-08-13 19:59 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2012-08-12 16:59 . 2012-08-12 16:59 -------- d-----w- c:\program files\Advanced IP Scanner
2012-08-12 15:19 . 2012-07-16 07:41 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1C46CA28-E6ED-4816-8EE8-C8C5DE9932E3}\mpengine.dll
2012-07-25 22:44 . 2012-07-25 22:44 -------- d-----w- C:\PFiles
2012-07-24 23:09 . 2012-07-24 23:12 -------- d-----w- c:\users\Tomco_HP\AppData\Local\Google
2012-07-23 14:41 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-19 15:48 . 2012-07-19 15:48 -------- d-----w- c:\program files\Winwaed Software Technology LLC
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-02 23:41 . 2012-05-16 00:57 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-02 23:41 . 2012-02-19 03:04 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-23 00:46 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 00:46 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 00:46 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 00:46 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-23 00:46 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-23 00:46 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-23 00:46 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-23 00:46 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:12 . 2012-06-23 00:46 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 17:25 . 2012-02-13 19:22 237072 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe" [2010-08-23 1691192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-04 1791272]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-05 98304]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-01-29 495708]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2009-12-07 19:36 75320 ----a-w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DTRun]
2009-11-19 02:06 518656 ----a-w- c:\program files\Arcsoft\TotalMedia Suite\TotalMedia Theatre 3\uDTRun.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\File Sanitizer]
2010-01-19 19:17 11266048 ----a-w- c:\program files\Hewlett-Packard\File Sanitizer\coreshredder.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWirelessAssistant]
2010-01-27 22:00 8192 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NortonOnlineBackupReminder]
2009-12-03 22:49 3331944 ----a-w- c:\program files\Symantec\Norton Online Backup\Activation\NobuActivation.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QLBController]
2010-03-01 18:26 256056 ----a-w- c:\program files\Hewlett-Packard\HP HotKey Support\QLBController.exe
.
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 BFLS_System_Service;BFLS_System_Service;c:\program files\Bizerba\BFLS\bfls_system_service.exe [x]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys [x]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]
R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [x]
R3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28u.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207020.003\SYMDS.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207020.003\SYMEFA.SYS [x]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20100810.004\BHDrvx86.sys [x]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20100706.002\IDSVix86.sys [x]
S1 RsvLock;RsvLock; [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207020.003\Ironx86.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NIS\1207020.003\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9b219d80a8843bf8\aestsrv.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 BFLS_Server_Service;BFLS_Server_Service;c:\program files\Bizerba\BFLS\bfls_server_service.exe [x]
S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [x]
S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [x]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]
S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe [x]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [x]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [x]
S2 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [x]
S2 Pervasive.SQL (relational);Pervasive.SQL (relational);c:\pvsw\bin\w3sqlmgr.exe [x]
S2 Pervasive.SQL (transactional);Pervasive.SQL (transactional);c:\pvsw\bin\ntbtrv.exe [x]
S2 uArcCapture;ArcCapture;c:\windows\system32\uArcCapture.exe [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 ARCVCAM;ARCVCAM, ArcSoft Webcam Sharing Manager Driver;c:\windows\system32\DRIVERS\ArcSoftVCapture.sys [x]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 rtsuvc;HP Webcam [2 MP Fixed];c:\windows\system32\DRIVERS\rtsuvc.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMPROTECTOR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-01-22 19:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-16 23:42]
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1533287311-4156738050-4180187752-1001Core.job
- c:\users\Tomco_HP\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-24 23:09]
.
2012-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1533287311-4156738050-4180187752-1001UA.job
- c:\users\Tomco_HP\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-24 23:09]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 67.214.64.174 68.65.153.114
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(544)
c:\windows\system32\DPFPApi.DLL
.
- - - - - - - > 'Explorer.exe'(1348)
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpoFeedb.dll
.
Completion time: 2012-08-13 19:44:59
ComboFix-quarantined-files.txt 2012-08-14 00:44
ComboFix2.txt 2012-08-13 20:18
.
Pre-Run: 201,254,354,944 bytes free
Post-Run: 201,221,066,752 bytes free
.
- - End Of File - - 049BC7D77004B2F66B2DCB16039AA1DA

Running FSS.exe again

LWells

#15 lwells (Topic Starter, Members, 21 posts)

Posted 13 August 2012 - 07:52 PM

2nd FSS Log>
Farbar Service Scanner Version: 06-08-2012
Ran by Tomco_HP (administrator) on 13-08-2012 at 19:49:20
Running from "C:\Users\Tomco_HP\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\windows\system32\nsisvc.dll => MD5 is legit
C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\windows\system32\dhcpcore.dll => MD5 is legit
C:\windows\system32\Drivers\afd.sys => MD5 is legit
C:\windows\system32\Drivers\tdx.sys => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\windows\system32\dnsrslvr.dll => MD5 is legit
C:\windows\system32\mpssvc.dll => MD5 is legit
C:\windows\system32\bfe.dll => MD5 is legit
C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\windows\system32\SDRSVC.dll => MD5 is legit
C:\windows\system32\vssvc.exe => MD5 is legit
C:\windows\system32\wscsvc.dll => MD5 is legit
C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\windows\system32\wuaueng.dll => MD5 is legit
C:\windows\system32\qmgr.dll => MD5 is legit
C:\windows\system32\es.dll => MD5 is legit
C:\windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
LWells
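Both FSS logs above (#12 and #15) report the same thing: wuauserv and BITS are not running, and the Start value of the BITS service key does not exist, while the ImagePath, ServiceDll and the MD5 of the service binaries are intact. Sirefef is known for tampering with exactly these services and the firewall, so a practitioner wants to repeat that check independently of the tool and before and after any repair. The script below is an added example, not part of the thread and not Farbar's code: it reads the Start, ImagePath and Parameters\ServiceDll values for the services FSS covers, hashes the ServiceDll and asks Windows whether it is signed. It assumes an elevated PowerShell prompt on the Windows 7 machine under repair; the service list and the expected DLL names are taken from the FSS file-check section.

```powershell
# Added example (not from the thread): redo the service-configuration checks that
# Farbar Service Scanner summarises as "start type / ImagePath / ServiceDll is OK".
# Assumption: elevated PowerShell on Windows 7 (on Windows 8 and later WinDefend runs
# as MsMpEng.exe instead of inside svchost, so that row would be flagged there).
$checks = @(
    @{ Name = 'wuauserv';  Dll = 'wuaueng.dll' },
    @{ Name = 'BITS';      Dll = 'qmgr.dll' },
    @{ Name = 'MpsSvc';    Dll = 'mpssvc.dll' },
    @{ Name = 'BFE';       Dll = 'bfe.dll' },
    @{ Name = 'wscsvc';    Dll = 'wscsvc.dll' },
    @{ Name = 'WinDefend'; Dll = 'MpSvc.dll' }
)

function Get-FileMd5 {
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($md5.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Test-ServiceConfig {
    param([string]$Name, [string]$Dll)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $problems = @()
    $start = $null; $image = $null; $dllPath = $null; $md5 = $null; $sig = $null

    if (-not (Test-Path $key)) {
        $problems += 'service key missing'
    } else {
        $svc = Get-ItemProperty -Path $key
        $start = $svc.Start
        if ($start -eq $null)  { $problems += 'Start value missing' }        # the BITS finding in the FSS logs
        elseif ($start -eq 4)  { $problems += 'service disabled (Start=4)' }

        # all six services are svchost-hosted on Windows 7; anything else is suspect
        $image = [Environment]::ExpandEnvironmentVariables([string]$svc.ImagePath)
        if ($image -notmatch '\\svchost\.exe') { $problems += "unexpected ImagePath: $image" }

        $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
        if ($params -eq $null -or $params.ServiceDll -eq $null) {
            $problems += 'ServiceDll value missing'
        } else {
            $dllPath = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
            if ((Split-Path $dllPath -Leaf) -ne $Dll) { $problems += "ServiceDll points elsewhere: $dllPath" }
            elseif (-not (Test-Path $dllPath))        { $problems += "ServiceDll file missing: $dllPath" }
            else {
                $md5 = Get-FileMd5 $dllPath
                # Catalog-signed OS files show NotSigned on PowerShell 2.0 (Windows 7);
                # there, compare the MD5 with the same file from a known-clean install.
                $sig = (Get-AuthenticodeSignature -FilePath $dllPath).Status
            }
        }
    }
    New-Object PSObject -Property @{
        Service = $Name; Start = $start; ImagePath = $image; ServiceDll = $dllPath
        MD5 = $md5; Signature = $sig
        Running = ((Get-Service -Name $Name -ErrorAction SilentlyContinue).Status)
        Problems = ($problems -join '; ')
    }
}

$checks | ForEach-Object { Test-ServiceConfig -Name $_.Name -Dll $_.Dll } |
    Format-Table Service, Running, Start, Signature, MD5, Problems -AutoSize
```

Run it once before the fix and once after; on this machine the BITS row should show "Start value missing" the first time. A missing Start value, like any other damaged service value, should be restored from the same key on a known-clean Windows 7 system rather than guessed, and the script does not write anything to the registry for that reason.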



