Is MBAM Infected?--ZeroAccess


  • This topic is locked
34 replies to this topic

#1 Tony Pal

Tony Pal

  • Members
  • 19 posts

Posted 14 August 2012 - 07:35 AM

First, the virus blocked MBAM. I've gotten MBAM working and it has found the following viruses that keep returning:

C:\Documents and Settings\Tony\Local Settings\temp\0.04204812566829097 (Trojan.Happili)
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess)
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess)

HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\n.) Good: (wbemess.dll) -> Quarantined and repaired successfully.
C:\Documents and Settings\All Users\Application Data\6F638BEC0009CBFA049C2EA7E56C3425\6F638BEC0009CBFA049C2EA7E56C3425.exe (Trojan.LameShield)
C:\Documents and Settings\Tony\Application Data\nprad.dll (Trojan.Agent)
C:\RECYCLER\S-1-5-21-1078081533-1677128483-1343024091-1003\Dc62.tmp (Trojan.Agent.BRVGen)
C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\n (Trojan.Agent.BVXGen)
C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\U\00000004.@ (Rootkit.Zaccess)
C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\U\000000cb.@ (Rootkit.0Access)
C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\U\80000032.@ (Rootkit.0Access)

I have run the DDS but cannot get GMER to run properly. With all applications closed and internet disconnected, GMER produces a very short incomplete scan (two entries) and some entries flicker across the screen before I can start the scan.

-----------------------------------------------------------
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_31
Run by Tony at 21:53:34 on 2012-08-13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.353 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WTouch\WTouchService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0:80
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup
mRun: [TpShocks] TpShocks.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [DeviceDiscovery] c:\program files\hp\digital imaging\bin\hpotdd01.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
dRun: [Apple Computer] rundll32.exe "c:\documents and settings\tony\local settings\application data\downloaded installations\apple computer\iqimp.dll",CreateInstance
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\ibm\bluetooth software\BTTray.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\ibm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\ibm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{529C4521-DDA5-4743-A937-E09C322636BD} : DhcpNameServer = 192.168.1.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll
Notify: QConGina - QConGina.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\tony\application data\mozilla\firefox\profiles\90u6qsu6.default\
FF - prefs.js: browser.startup.homepage - hxxp://duckduckgo.com/
FF - component: c:\documents and settings\tony\application data\mozilla\firefox\profiles\90u6qsu6.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\tony\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\tony\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\tony\application data\Move Networks
FF - Ext: Mozilla Safe Browsing: {3D60E777-D00C-11E1-8270-B8AC6F996F26} - c:\documents and settings\tony\local settings\application data\{3D60E777-D00C-11E1-8270-B8AC6F996F26}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
.
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-12 13480]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-12-25 4408616]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2009-12-25 112936]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2009-10-28 12288]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-12-25 15656]
.
=============== File Associations ===============
.
JSEFile=c:\windows\system32\rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.
=============== Created Last 30 ================
.
2012-08-13 18:04:22 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-08-13 18:04:21 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-13 18:04:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-13 13:30:34 -------- d-----w- c:\documents and settings\tony\application data\Malwarebytes
2012-07-30 21:21:23 -------- d-----w- c:\program files\TunnelBear
2012-07-17 13:30:58 -------- d-----w- c:\windows\system32\DBBK
2012-07-17 12:38:09 -------- d-----w- c:\documents and settings\all users\application data\6F638BEC0009CBFA049C2EA7E56C3425
2012-07-17 12:38:03 -------- d-----w- c:\documents and settings\tony\local settings\application data\{3D60E777-D00C-11E1-8270-B8AC6F996F26}
2012-07-17 12:38:00 392192 ----a-w- c:\documents and settings\tony\application data\arcsn.dll
.
==================== Find3M ====================
.
.
============= FINISH: 21:54:13.66 ===============

Edited by Tony Pal, 14 August 2012 - 10:18 AM.
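The MBAM list in the post above shows the artefact set a responder correlates for a ZeroAccess case: a CLSID whose InprocServer32 value was redirected from the real DLL (wbemess.dll) to a `\\.\globalroot\...\Installer\{GUID}\n` path, plus `.@` payload files under the same `Installer\{GUID}\U\` folder. The script below is an added example, not code from the thread or from Malwarebytes. It parses the detection lines exactly as posted (used here as constructed sample input) and checks whether the GUID named in the registry hijack is the same one the file drops live under. The tag names, regexes and function names are this example's own assumptions.

```python
"""Triage MBAM-style detection lines for the ZeroAccess pattern seen in the post.

Added example (not from the thread or from Malwarebytes). The rules, tag names
and function names are this example's own assumptions about what to flag.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the detection lines copied from the opening post (constructed
# test data for this example; trailing '|' and mixed case kept as posted).
SAMPLE_LINES = [
    r"C:\Documents and Settings\Tony\Local Settings\temp\0.04204812566829097 (Trojan.Happili)",
    r"HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess)",
    r"HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess)",
    r"HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\n.) Good: (wbemess.dll) -> Quarantined and repaired successfully.",
    r"C:\Documents and Settings\All Users\Application Data\6F638BEC0009CBFA049C2EA7E56C3425\6F638BEC0009CBFA049C2EA7E56C3425.exe (Trojan.LameShield)",
    r"C:\Documents and Settings\Tony\Application Data\nprad.dll (Trojan.Agent)",
    r"C:\RECYCLER\S-1-5-21-1078081533-1677128483-1343024091-1003\Dc62.tmp (Trojan.Agent.BRVGen)",
    r"C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\n (Trojan.Agent.BVXGen)",
    r"C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\U\00000004.@ (Rootkit.Zaccess)",
    r"C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\U\000000cb.@ (Rootkit.0Access)",
    r"C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\U\80000032.@ (Rootkit.0Access)",
]

# "<object>[|] (<Family>)[ -> Bad: (<old value>) Good: (<restored value>) ...]"
LINE_RE = re.compile(r"^(?P<obj>.+?)\|?\s+\((?P<family>[A-Za-z0-9.]+)\)(?P<tail>.*)$")
BAD_GOOD_RE = re.compile(r"Bad:\s*\((?P<bad>.*?)\)\s*Good:\s*\((?P<good>.*?)\)")
GUID = r"\{([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}"
CLSID_RE = re.compile(r"clsid\\" + GUID, re.I)
INSTALLER_GUID_RE = re.compile(r"installer\\" + GUID, re.I)
U_PAYLOAD_RE = re.compile(r"\\installer\\\{[0-9a-f-]{36}\}\\u\\[0-9a-f]{8}\.@$")
N_LOADER_RE = re.compile(r"\\installer\\\{[0-9a-f-]{36}\}\\n$")


@dataclass
class Detection:
    obj: str                      # file path or registry key as reported
    family: str                   # vendor detection name, e.g. Rootkit.Zaccess
    bad: Optional[str] = None     # hijacked registry value, when reported
    good: Optional[str] = None    # value MBAM restored
    tags: List[str] = field(default_factory=list)


def classify(det: Detection) -> List[str]:
    """Heuristic tags (this example's own) for the artefacts listed in the post."""
    obj = det.obj.lower()
    tags = []
    # COM hijack: a CLSID's InprocServer32 value redirected away from the real DLL.
    if obj.startswith(("hkcu", "hkcr", "hklm")) and "\\clsid\\{" in obj and obj.endswith("inprocserver32"):
        tags.append("com-inprocserver32-hijack")
    # The bad value hides behind a \\.\globalroot device path rather than a plain C:\ path.
    if det.bad and det.bad.lower().startswith("\\\\.\\globalroot\\"):
        tags.append("globalroot-device-path")
    if U_PAYLOAD_RE.search(obj):
        tags.append("installer-u-folder-payload")   # %WINDIR%\Installer\{GUID}\U\*.@
    if N_LOADER_RE.search(obj):
        tags.append("installer-n-loader")           # the 'n' file the hijack points at
    if obj.startswith("c:\\recycler\\s-1-5-"):
        tags.append("recycler-drop")
    if "zaccess" in det.family.lower() or "0access" in det.family.lower():
        tags.append("vendor-named-zeroaccess")
    return tags


def parse_detection(line: str) -> Optional[Detection]:
    """Parse one MBAM-style line; returns None for lines that are not detections."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    det = Detection(obj=m.group("obj"), family=m.group("family"))
    bg = BAD_GOOD_RE.search(m.group("tail"))
    if bg:
        det.bad, det.good = bg.group("bad"), bg.group("good")
    det.tags = classify(det)
    return det


def analyze(lines) -> dict:
    """Parse all lines and correlate the registry hijack with the file drops."""
    dets = [d for d in map(parse_detection, lines) if d is not None]
    hijack_targets = {m.group(1).lower() for d in dets if d.bad
                      for m in INSTALLER_GUID_RE.finditer(d.bad)}
    drop_guids = {m.group(1).lower() for d in dets for m in INSTALLER_GUID_RE.finditer(d.obj)}
    return {
        "detections": dets,
        "families": Counter(d.family for d in dets),
        "hijacked_clsids": sorted({m.group(1).lower() for d in dets for m in CLSID_RE.finditer(d.obj)}),
        "installer_guids": sorted(hijack_targets | drop_guids),
        # GUIDs that appear both as a hijack target and as an on-disk drop folder:
        # evidence that the registry and file artefacts belong to one infection.
        "linked_guids": sorted(hijack_targets & drop_guids),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LINES)
    for d in report["detections"]:
        print(f"{d.family:22} {', '.join(d.tags) or '-':45} {d.obj}")
    print("hijacked CLSIDs :", report["hijacked_clsids"])
    print("installer GUIDs :", report["installer_guids"])
    print("linked GUIDs    :", report["linked_guids"])
```

Run as-is, it reports one Installer GUID that is both the target of the HKCR CLSID hijack and the parent of the three `.@` files, which is the link that explains why the entries "keep returning": while the COM hijack survives, the loader in that folder is reinstated on every boot, so both the registry value and the folder need to be cleaned together.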



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 August 2012 - 11:47 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Tony Pal

Tony Pal
  • Topic Starter

  • Members
  • 19 posts

Posted 19 August 2012 - 07:58 PM

Gringo, thank you very much for your help. I ran the two programs Security Check and ComboFix without a problem.

I haven't run this PC much since my first post. The Google redirects are occurring once more. Here is one site that the browser was sent to:

bts.scour.com/index.html?3

One thing, I cannot run the MBAM Protection module because it says the trial has ended. Since my problems started when the virus prevented MBAM from running, is it OK now to get the full version?


Here are the logs:

Results of screen317's Security Check version 0.99.46
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 6 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
WinPatrol
Windows Defender
ZBot Trojan Remover v1.5
Malwarebytes Anti-Malware version 1.62.0.1300
Java™ 6 Update 31
Java version out of Date!
Adobe Flash Player 11.0.1.152
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (3.6.18) Firefox out of Date!
Mozilla Thunderbird (2.0.0 Thunderbird out of Date!
````````Process Check: objlist.exe by Laurent````````
WinPatrol winpatrol.exe is disabled!
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 7%
````````````````````End of Log``````````````````````


ComboFix 12-08-18.03 - Tony 08/19/2012 20:31:18.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.523 [GMT -4:00]
Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\382186v8a170s663a634o4eia3a3
c:\documents and settings\Tony\Application Data\arcsn.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-07-20 to 2012-08-20 )))))))))))))))))))))))))))))))
.
.
2012-08-13 21:18 . 2012-08-13 21:18 -------- d-----w- c:\documents and settings\Troubleshooting\Application Data\Malwarebytes
2012-08-13 18:04 . 2012-08-13 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-08-13 18:04 . 2012-08-13 18:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-13 18:04 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-13 15:52 . 2012-08-13 15:53 -------- d-----w- c:\documents and settings\Administrator
2012-08-13 13:30 . 2012-08-13 13:30 -------- d-----w- c:\documents and settings\Tony\Application Data\Malwarebytes
2012-07-30 21:21 . 2012-08-10 18:14 -------- d-----w- c:\program files\TunnelBear
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-20_19.38.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-06 11:20 . 2007-02-17 14:21 63488 c:\windows\xcacls.exe
+ 2012-08-14 11:55 . 2012-08-14 11:55 16384 c:\windows\Temp\Perflib_Perfdata_7d4.dat
+ 2010-02-04 13:59 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
- 2010-02-04 13:59 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2009-10-28 11:15 . 2007-07-28 03:11 26488 c:\windows\system32\spupdsvc.exe
- 2009-10-28 11:15 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
+ 2006-02-28 12:00 . 2010-04-16 15:36 39424 c:\windows\system32\pngfilt.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 39424 c:\windows\system32\pngfilt.dll
+ 2006-02-28 12:00 . 2012-08-13 20:31 60778 c:\windows\system32\perfc009.dat
- 2006-02-28 12:00 . 2012-03-20 14:15 60778 c:\windows\system32\perfc009.dat
+ 2009-11-07 05:07 . 2009-11-07 05:07 49488 c:\windows\system32\netfxperf.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 11600 c:\windows\system32\mui\0409\mscorees.dll
+ 2010-05-21 09:45 . 2012-05-27 21:04 75472 c:\windows\system32\mlfcache.dat
+ 2006-02-28 12:00 . 2010-04-16 15:36 16384 c:\windows\system32\jsproxy.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 16384 c:\windows\system32\jsproxy.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 96256 c:\windows\system32\inseng.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 96256 c:\windows\system32\inseng.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 81920 c:\windows\system32\ieencode.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 81920 c:\windows\system32\ieencode.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 55808 c:\windows\system32\extmgr.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 55808 c:\windows\system32\extmgr.dll
+ 2011-07-01 09:46 . 2011-07-01 09:46 26624 c:\windows\system32\drivers\tap0901.sys
- 2006-02-28 12:00 . 2009-12-22 05:42 39424 c:\windows\system32\dllcache\pngfilt.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 39424 c:\windows\system32\dllcache\pngfilt.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 16384 c:\windows\system32\dllcache\jsproxy.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 16384 c:\windows\system32\dllcache\jsproxy.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 96256 c:\windows\system32\dllcache\inseng.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 96256 c:\windows\system32\dllcache\inseng.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 81920 c:\windows\system32\dllcache\ieencode.dll
- 2009-10-27 21:46 . 2009-12-16 12:57 18432 c:\windows\system32\dllcache\iedw.exe
+ 2009-10-27 21:46 . 2010-04-16 13:36 18432 c:\windows\system32\dllcache\iedw.exe
- 2006-02-28 12:00 . 2009-12-22 05:42 55808 c:\windows\system32\dllcache\extmgr.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 55808 c:\windows\system32\dllcache\extmgr.dll
+ 2006-02-28 12:00 . 2010-01-13 14:10 85504 c:\windows\system32\dllcache\cabview.dll
+ 2006-02-28 12:00 . 2010-03-05 14:57 65536 c:\windows\system32\dllcache\asycfilt.dll
+ 2006-02-28 12:00 . 2010-01-13 14:10 85504 c:\windows\system32\cabview.dll
+ 2006-02-28 12:00 . 2010-03-05 14:57 65536 c:\windows\system32\asycfilt.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13648 c:\windows\Microsoft.NET\Framework\v2.0.50727\sbscmp20_mscorlib.dll
+ 2010-03-23 09:31 . 2010-03-23 09:31 30544 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2009-11-07 05:07 . 2009-11-07 05:07 13648 c:\windows\Microsoft.NET\Framework\SharedReg12.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp10.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13664 c:\windows\Microsoft.NET\Framework\sbs_wminet_utils.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13688 c:\windows\Microsoft.NET\Framework\sbs_system.enterpriseservices.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13664 c:\windows\Microsoft.NET\Framework\sbs_system.data.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13696 c:\windows\Microsoft.NET\Framework\sbs_system.configuration.install.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorsec.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorrc.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscordbi.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13672 c:\windows\Microsoft.NET\Framework\sbs_microsoft.jscript.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13664 c:\windows\Microsoft.NET\Framework\sbs_diasymreader.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 86864 c:\windows\Microsoft.NET\Framework\NETFXSBS10.exe
- 2009-10-28 13:03 . 2009-10-28 13:03 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2009-10-28 13:03 . 2012-03-27 03:41 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2009-10-28 13:03 . 2012-03-27 03:41 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2009-10-28 13:03 . 2009-10-28 13:03 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2009-10-28 13:03 . 2012-03-27 03:41 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2009-10-28 13:03 . 2009-10-28 13:03 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2009-10-28 13:03 . 2009-10-28 13:03 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-10-28 13:03 . 2012-03-27 03:41 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-10-28 13:03 . 2012-03-27 03:41 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2009-10-28 13:03 . 2009-10-28 13:03 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2009-10-28 13:03 . 2012-03-27 03:41 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2009-10-28 13:03 . 2009-10-28 13:03 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2012-08-13 20:53 . 2012-08-13 20:53 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\946c582dd68fd3bd12479841e90391d4\Microsoft.Build.Framework.ni.dll
+ 2012-08-13 20:53 . 2012-08-13 20:53 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\e3adb754fc181d07ba9798064436efab\dfsvc.ni.exe
+ 2012-08-13 20:53 . 2012-08-13 20:53 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\4fa74462ee1789cab005c46417ab29d4\Accessibility.ni.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2012-08-13 20:31 . 2012-08-13 20:31 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2012-08-13 20:31 . 2012-08-13 20:31 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2009-10-28 13:03 . 2012-03-27 03:41 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2009-10-28 13:03 . 2009-10-28 13:03 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2010-10-12 00:26 . 2010-10-12 00:26 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2012-08-13 20:31 . 2012-08-13 20:31 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2010-10-12 00:26 . 2010-10-12 00:26 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2009-10-27 21:49 . 2010-04-16 13:21 352768 c:\windows\system32\xpsp3res.dll
- 2009-10-27 21:49 . 2009-12-16 13:33 352768 c:\windows\system32\xpsp3res.dll
+ 2012-03-20 02:11 . 2006-02-28 12:00 221184 c:\windows\system32\wmpns.dll
+ 2006-02-28 12:00 . 2009-12-24 07:05 177664 c:\windows\system32\wintrust.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 662016 c:\windows\system32\wininet.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 662016 c:\windows\system32\wininet.dll
- 2006-02-28 12:00 . 2007-12-18 14:40 417792 c:\windows\system32\vbscript.dll
+ 2006-02-28 12:00 . 2010-03-10 08:02 417792 c:\windows\system32\vbscript.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 624640 c:\windows\system32\urlmon.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 624640 c:\windows\system32\urlmon.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 474112 c:\windows\system32\shlwapi.dll
- 2006-02-28 12:00 . 2009-12-08 09:13 474112 c:\windows\system32\shlwapi.dll
+ 2006-02-28 12:00 . 2012-08-13 20:31 400532 c:\windows\system32\perfh009.dat
- 2006-02-28 12:00 . 2012-03-20 14:15 400532 c:\windows\system32\perfh009.dat
+ 2006-02-28 12:00 . 2010-04-16 15:36 532480 c:\windows\system32\mstime.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 532480 c:\windows\system32\mstime.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 146432 c:\windows\system32\msrating.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 146432 c:\windows\system32\msrating.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 449024 c:\windows\system32\mshtmled.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 449024 c:\windows\system32\mshtmled.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 297808 c:\windows\system32\mscoree.dll
+ 2012-04-04 12:38 . 2012-04-04 12:38 157472 c:\windows\system32\javaws.exe
- 2011-07-15 22:43 . 2011-07-15 22:43 157472 c:\windows\system32\javaws.exe
+ 2012-04-04 12:38 . 2012-04-04 12:38 149280 c:\windows\system32\javaw.exe
+ 2012-04-04 12:38 . 2012-04-04 12:38 149280 c:\windows\system32\java.exe
- 2009-10-27 21:46 . 2008-04-11 18:50 683520 c:\windows\system32\inetcomm.dll
+ 2009-10-27 21:46 . 2010-01-29 15:08 683520 c:\windows\system32\inetcomm.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 251392 c:\windows\system32\iepeers.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 251392 c:\windows\system32\iepeers.dll
+ 2009-10-27 13:35 . 2012-08-13 20:33 368896 c:\windows\system32\FNTCACHE.DAT
- 2009-10-27 13:35 . 2011-07-17 18:46 368896 c:\windows\system32\FNTCACHE.DAT
- 2006-02-28 12:00 . 2009-12-22 05:42 205312 c:\windows\system32\dxtrans.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 205312 c:\windows\system32\dxtrans.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 357888 c:\windows\system32\dxtmsft.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 357888 c:\windows\system32\dxtmsft.dll
+ 2006-02-28 12:00 . 2010-02-11 12:01 226880 c:\windows\system32\drivers\tcpip6.sys
+ 2006-02-28 12:00 . 2010-02-24 12:31 454016 c:\windows\system32\drivers\mrxsmb.sys
+ 2006-02-28 12:00 . 2009-12-24 07:05 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 662016 c:\windows\system32\dllcache\wininet.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 662016 c:\windows\system32\dllcache\wininet.dll
- 2006-02-28 12:00 . 2007-12-18 14:40 417792 c:\windows\system32\dllcache\vbscript.dll
+ 2006-02-28 12:00 . 2010-03-10 08:02 417792 c:\windows\system32\dllcache\vbscript.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 624640 c:\windows\system32\dllcache\urlmon.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 624640 c:\windows\system32\dllcache\urlmon.dll
+ 2006-02-28 12:00 . 2010-02-11 12:01 226880 c:\windows\system32\dllcache\tcpip6.sys
+ 2006-02-28 12:00 . 2010-04-16 15:36 474112 c:\windows\system32\dllcache\shlwapi.dll
- 2006-02-28 12:00 . 2009-12-08 09:13 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 532480 c:\windows\system32\dllcache\mstime.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 532480 c:\windows\system32\dllcache\mstime.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 146432 c:\windows\system32\dllcache\msrating.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 146432 c:\windows\system32\dllcache\msrating.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 449024 c:\windows\system32\dllcache\mshtmled.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 449024 c:\windows\system32\dllcache\mshtmled.dll
+ 2010-02-04 13:57 . 2010-02-24 12:31 454016 c:\windows\system32\dllcache\mrxsmb.sys
+ 2009-10-27 21:46 . 2010-01-29 15:08 683520 c:\windows\system32\dllcache\inetcomm.dll
- 2009-10-27 21:46 . 2008-04-11 18:50 683520 c:\windows\system32\dllcache\inetcomm.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 251392 c:\windows\system32\dllcache\iepeers.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 251392 c:\windows\system32\dllcache\iepeers.dll
+ 2009-10-27 21:46 . 2010-06-14 14:30 743936 c:\windows\system32\dllcache\helpsvc.exe
- 2009-10-27 21:46 . 2006-02-28 12:00 743936 c:\windows\system32\dllcache\helpsvc.exe
+ 2006-02-28 12:00 . 2010-04-16 15:36 205312 c:\windows\system32\dllcache\dxtrans.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 205312 c:\windows\system32\dllcache\dxtrans.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 357888 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 357888 c:\windows\system32\dllcache\dxtmsft.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 151040 c:\windows\system32\dllcache\cdfview.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 151040 c:\windows\system32\dllcache\cdfview.dll
- 2006-02-28 12:00 . 2006-02-28 12:00 285696 c:\windows\system32\dllcache\atmfd.dll
+ 2006-02-28 12:00 . 2010-04-20 05:51 285696 c:\windows\system32\dllcache\atmfd.dll
+ 2006-02-28 12:00 . 2010-02-12 04:47 100864 c:\windows\system32\dllcache\6to4svc.dll
+ 2011-07-15 22:43 . 2012-04-04 12:38 472808 c:\windows\system32\deployJava1.dll
- 2011-07-15 22:43 . 2011-07-15 22:43 472808 c:\windows\system32\deployJava1.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 151040 c:\windows\system32\cdfview.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 151040 c:\windows\system32\cdfview.dll
- 2006-02-28 12:00 . 2006-02-28 12:00 285696 c:\windows\system32\atmfd.dll
+ 2006-02-28 12:00 . 2010-04-20 05:51 285696 c:\windows\system32\atmfd.dll
+ 2006-02-28 12:00 . 2010-02-12 04:47 100864 c:\windows\system32\6to4svc.dll
- 2009-10-27 21:46 . 2006-02-28 12:00 743936 c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
+ 2009-10-27 21:46 . 2010-06-14 14:30 743936 c:\windows\pchealth\helpctr\binaries\helpsvc.exe
+ 2010-03-23 09:31 . 2010-03-23 09:31 435024 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Security.dll
+ 2010-02-09 16:22 . 2010-02-09 16:22 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Security.dll
+ 2009-08-08 03:51 . 2009-08-08 03:51 989016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2012-04-04 12:45 . 2012-04-04 12:45 203776 c:\windows\Installer\2b8429cf.msi
+ 2012-04-04 12:38 . 2012-04-04 12:38 901120 c:\windows\Installer\2b8429c1.msi
+ 2010-02-25 04:14 . 2010-02-25 04:14 543232 c:\windows\Installer\1c6466.msp
+ 2009-10-28 13:03 . 2012-03-27 03:41 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2009-10-28 13:03 . 2009-10-28 13:03 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2009-10-28 13:03 . 2009-10-28 13:03 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-10-28 13:03 . 2012-03-27 03:41 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-10-28 13:03 . 2012-03-27 03:41 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2009-10-28 13:03 . 2009-10-28 13:03 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-10-28 13:03 . 2012-03-27 03:41 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-10-28 13:03 . 2009-10-28 13:03 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2009-10-28 13:03 . 2012-03-27 03:41 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2009-10-28 13:03 . 2009-10-28 13:03 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2009-10-28 13:03 . 2009-10-28 13:03 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-10-28 13:03 . 2012-03-27 03:41 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2010-02-04 13:57 . 2010-02-24 12:31 454016 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2012-08-13 23:56 . 2012-08-13 23:56 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\e6f14704fd855bf159ac6f64927f990f\System.Web.RegularExpressions.ni.dll
+ 2012-08-13 20:54 . 2012-08-13 20:54 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\52afb37d620f83b71a527ad8218c4f49\System.Transactions.ni.dll
+ 2012-08-13 20:54 . 2012-08-13 20:54 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\d7df79a3ca436590c00c9668876d603b\System.ServiceProcess.ni.dll
+ 2012-08-13 20:54 . 2012-08-13 20:54 679936 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\535e922720fe15fedc82677517d519bd\System.Security.ni.dll
+ 2012-08-13 20:54 . 2012-08-13 20:54 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\1ebc26a635aaf5fc5a7abe54101c5ab7\System.EnterpriseServices.Wrapper.dll
+ 2012-08-13 20:54 . 2012-08-13 20:54 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\1ebc26a635aaf5fc5a7abe54101c5ab7\System.EnterpriseServices.ni.dll
+ 2012-08-13 20:32 . 2012-08-13 20:32 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\bfc8d1f183985b4fc6d7263b760a55fa\System.Drawing.Design.ni.dll
+ 2012-08-13 20:54 . 2012-08-13 20:54 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\35b648d515138fcf0bc48a2a5bb9918e\System.DirectoryServices.Protocols.ni.dll
+ 2012-08-13 20:54 . 2012-08-13 20:54 970752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\2fb45bb85014fd6e20222f95d9ada241\System.Configuration.ni.dll
+ 2012-08-13 20:54 . 2012-08-13 20:54 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\31ac48eaf98b9855df063ce65fb9a877\Microsoft.Build.Utilities.ni.dll
+ 2012-08-13 20:53 . 2012-08-13 20:53 838656 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\f0ed931b22eb66126d11011759233629\Microsoft.Build.Engine.ni.dll
+ 2012-08-13 20:53 . 2012-08-13 20:53 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\ed7165f230179ddb231ebfc2a6177bc8\CustomMarshalers.ni.dll
+ 2012-08-13 20:53 . 2012-08-13 20:53 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\68fba626a973b2747fd459f3a1f179da\AspNetMMCExt.ni.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2012-08-13 20:31 . 2012-08-13 20:31 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2012-08-13 20:31 . 2012-08-13 20:31 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2012-08-13 20:31 . 2012-08-13 20:31 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2012-08-13 20:31 . 2012-08-13 20:31 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2012-08-13 20:31 . 2012-08-13 20:31 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2012-08-13 20:31 . 2012-08-13 20:31 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2006-02-28 12:00 . 2010-04-08 17:53 2113536 c:\windows\system32\WMVCore.dll
+ 2006-02-28 12:00 . 2010-02-16 11:27 4734976 c:\windows\system32\wmp.dll
+ 2006-02-28 12:00 . 2010-05-02 05:56 1850880 c:\windows\system32\win32k.sys
+ 2006-02-28 12:00 . 2010-04-16 15:36 1506304 c:\windows\system32\shdocvw.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 1506304 c:\windows\system32\shdocvw.dll
+ 2006-02-28 12:00 . 2010-02-05 18:40 1291264 c:\windows\system32\quartz.dll
- 2006-02-28 12:00 . 2009-11-27 17:33 1291264 c:\windows\system32\quartz.dll
+ 2006-02-28 12:00 . 2010-02-16 13:19 2181376 c:\windows\system32\ntoskrnl.exe
+ 2004-08-03 22:59 . 2010-02-16 12:39 2058368 c:\windows\system32\ntkrnlpa.exe
+ 2006-02-28 12:00 . 2010-04-16 15:36 3065344 c:\windows\system32\mshtml.dll
+ 2006-02-28 12:00 . 2010-04-08 17:53 2113536 c:\windows\system32\dllcache\WMVCore.dll
+ 2006-02-28 12:00 . 2010-02-16 11:27 4734976 c:\windows\system32\dllcache\wmp.dll
+ 2006-02-28 12:00 . 2010-05-02 05:56 1850880 c:\windows\system32\dllcache\win32k.sys
+ 2006-02-28 12:00 . 2010-04-16 15:36 1506304 c:\windows\system32\dllcache\shdocvw.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 1506304 c:\windows\system32\dllcache\shdocvw.dll
+ 2006-02-28 12:00 . 2010-02-05 18:40 1291264 c:\windows\system32\dllcache\quartz.dll
- 2006-02-28 12:00 . 2009-11-27 17:33 1291264 c:\windows\system32\dllcache\quartz.dll
+ 2010-02-04 13:57 . 2010-02-16 13:19 2181376 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2010-02-04 13:57 . 2010-02-16 12:39 2016768 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2010-02-04 13:57 . 2010-02-16 12:39 2058368 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2010-02-04 13:57 . 2010-02-16 13:17 2137088 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2009-10-27 21:46 . 2010-01-29 15:08 1315840 c:\windows\system32\dllcache\msoe.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 3065344 c:\windows\system32\dllcache\mshtml.dll
+ 2009-10-27 21:46 . 2009-10-23 14:27 3555328 c:\windows\system32\dllcache\moviemk.exe
- 2009-10-27 21:46 . 2006-02-28 12:00 3555328 c:\windows\system32\dllcache\moviemk.exe
- 2006-02-28 12:00 . 2009-12-22 05:42 1054208 c:\windows\system32\dllcache\danim.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 1054208 c:\windows\system32\dllcache\danim.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 1023488 c:\windows\system32\dllcache\browseui.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 1023488 c:\windows\system32\dllcache\browseui.dll
+ 2009-11-07 05:06 . 2009-11-07 05:06 1130824 c:\windows\system32\dfshim.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 1054208 c:\windows\system32\danim.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 1054208 c:\windows\system32\danim.dll
+ 2006-02-28 12:00 . 2010-04-16 15:36 1023488 c:\windows\system32\browseui.dll
- 2006-02-28 12:00 . 2009-12-22 05:42 1023488 c:\windows\system32\browseui.dll
+ 2010-03-23 09:32 . 2010-03-23 09:32 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2010-03-23 09:32 . 2010-03-23 09:32 3182592 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.dll
+ 2009-08-08 03:51 . 2009-08-08 03:51 5812560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2009-08-08 03:51 . 2009-08-08 03:51 4546560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 4546560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2009-11-09 04:25 . 2009-11-09 04:25 1935360 c:\windows\Installer\1c648c.msp
+ 2010-04-09 01:38 . 2010-04-09 01:38 2607104 c:\windows\Installer\1c6472.msp
+ 2010-04-09 01:38 . 2010-04-09 01:38 4210688 c:\windows\Installer\1c6471.msp
+ 2010-02-04 13:57 . 2010-02-16 13:19 2181376 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2010-02-04 13:57 . 2010-02-16 12:39 2016768 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2010-02-04 13:57 . 2010-02-16 12:39 2058368 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2010-02-04 13:57 . 2010-02-16 13:17 2137088 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2012-08-13 20:32 . 2012-08-13 20:32 7949824 c:\windows\assembly\NativeImages_v2.0.50727_32\System\bbdeb12988e827a4e9fa200ad16f4520\System.ni.dll
+ 2012-08-13 20:35 . 2012-08-13 20:35 5450240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\93eb6a059bbc17168d0002d35736cad4\System.Xml.ni.dll
+ 2012-08-13 23:56 . 2012-08-13 23:56 1840128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\20958d5478d5266bb154ba6e9a1cd290\System.Web.Services.ni.dll
+ 2012-08-13 23:56 . 2012-08-13 23:56 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\e1385ec049eb3ec7bbde4a0742a310db\System.Web.Mobile.ni.dll
+ 2012-08-13 20:32 . 2012-08-13 20:32 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\cfea0d1795b97fa4c067e202c768ad6c\System.Drawing.ni.dll
+ 2012-08-13 20:54 . 2012-08-13 20:54 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\7fd502b9cc125fb6ef025cd192a30d6c\System.DirectoryServices.ni.dll
+ 2012-08-13 20:54 . 2012-08-13 20:54 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\c034791ede77a566a015684d2f5f26d5\System.Deployment.ni.dll
+ 2012-08-13 20:32 . 2012-08-13 20:32 6615040 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\70cbbab9c6f208ff56856a5f97a6e331\System.Data.ni.dll
+ 2012-08-13 20:54 . 2012-08-13 20:54 1711616 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\9f1873e790b879c0ad6052e145bc6407\Microsoft.VisualBasic.ni.dll
+ 2012-08-13 20:54 . 2012-08-13 20:54 1620480 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\8c8cc9a7b874aa919a83a9d52a523f8e\Microsoft.Build.Tasks.ni.dll
+ 2012-08-13 20:31 . 2012-08-13 20:31 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2012-08-13 20:31 . 2012-08-13 20:31 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2012-08-13 20:30 . 2012-08-13 20:30 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2012-08-13 20:31 . 2012-08-13 20:31 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2010-10-12 00:26 . 2010-10-12 00:26 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2012-08-13 20:31 . 2012-08-13 20:31 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2012-08-13 20:23 . 2012-07-03 07:13 57442464 c:\windows\system32\MRT.exe
+ 2009-08-15 00:32 . 2009-08-15 00:32 11110912 c:\windows\Installer\1c6495.msp
+ 2012-08-13 20:35 . 2012-08-13 20:35 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\4a0512746f9f85805276d3fc20edab54\System.Windows.Forms.ni.dll
+ 2012-08-13 23:56 . 2012-08-13 23:56 11796992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\858ac7e88be379e730e638f615cb06b7\System.Web.ni.dll
+ 2012-08-13 20:32 . 2012-08-13 20:32 10682368 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\acd811957058108e632b385969f08acc\System.Design.ni.dll
+ 2012-08-13 20:31 . 2012-08-13 20:31 11485184 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\4b10d8196bb368996ec5d24fca777456\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-10-06 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 1323008]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-07 344064]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"ControlCenter"="c:\program files\IBM fingerprint software\ctlcntr.exe" [2004-09-25 284254]
"TpShocks"="TpShocks.exe" [2004-03-27 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2006-04-12 569344]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"DeviceDiscovery"="c:\program files\HP\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-03-25 329312]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-12-3 25214]
BTTray.lnk - c:\program files\IBM\Bluetooth Software\BTTray.exe [2004-1-20 507965]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-09-25 00:15 108636 ----a-w- c:\program files\IBM fingerprint software\psfus.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 11:07 262144 ----a-w- c:\windows\system32\QConGina.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 18:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [5/12/2008 10:04 PM 13480]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [12/25/2009 10:38 AM 4408616]
R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [12/25/2009 10:39 AM 112936]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [10/28/2009 8:20 AM 12288]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [12/25/2009 10:38 AM 15656]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - kfacypoc
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
2012-08-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-02-05 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0:80
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Tony\Application Data\Mozilla\Firefox\Profiles\90u6qsu6.default\
FF - prefs.js: browser.startup.homepage - hxxp://duckduckgo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Tony\Application Data\Move Networks
FF - Ext: Mozilla Safe Browsing: {3D60E777-D00C-11E1-8270-B8AC6F996F26} - c:\documents and settings\Tony\Local Settings\Application Data\{3D60E777-D00C-11E1-8270-B8AC6F996F26}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
------- File Associations -------
.
JSEFile=c:\windows\system32\rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-Apple Computer - c:\documents and settings\Tony\Local Settings\Application Data\Downloaded Installations\Apple Computer\iqimp.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-19 20:37
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
c:\program files\IBM fingerprint software\psfus.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\windows\system32\ACTIVEDS.dll
.
Completion time: 2012-08-19 20:39:01
ComboFix-quarantined-files.txt 2012-08-20 00:38
ComboFix2.txt 2012-03-20 19:42
.
Pre-Run: 107,789,688,832 bytes free
Post-Run: 107,914,219,520 bytes free
.
- - End Of File - - 394A5517260C5CCE9CC402069AF24E71

Edited by Tony Pal, 19 August 2012 - 08:33 PM.
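Besides the detections, the ComboFix log above records several settings that change the machine's security posture and are worth verifying by hand whatever MBAM reports: the Security Center antivirus alert overridden, the Windows Firewall off for the standard profile, a deregistered driver with a random-looking name still in memory, a user-scope IE proxy pointing at 0.0.0:80, a Firefox extension registered from a GUID folder under Local Settings rather than from the profile, user.js entries that silence Firefox's mixed-content and insecure-submit warnings, and a .jse file association that no longer runs WScript.exe. The Python script below is an added example, not part of this thread and not ComboFix's own logic: it re-reads lines copied from that log and flags each of those items. The rule names, the `triage()` function and the decision that each item deserves a flag are this example's own assumptions; a flag means "confirm this was intended", not "this is malware".

```python
"""Triage a ComboFix log excerpt for host-hardening changes a responder
should verify by hand.  Added example for this thread; the rule names,
triage() and the indicator interpretations are this example's own
assumptions, not ComboFix's logic."""
import ipaddress
import re

# Constructed sample input: lines copied from the ComboFix log posted above,
# trimmed to the sections the rules below look at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
*Deregistered* - kfacypoc
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0:80
FF - Ext: Mozilla Safe Browsing: {3D60E777-D00C-11E1-8270-B8AC6F996F26} - c:\documents and settings\Tony\Local Settings\Application Data\{3D60E777-D00C-11E1-8270-B8AC6F996F26}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
JSEFile=c:\windows\system32\rundll32.exe shell32.dll,Control_RunDLL "%1",%*
"""

DEREG = re.compile(r"^\*Deregistered\*\s+-\s+(?P<name>\S+)$")
PROXY = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>\S+)$")
FF_EXT = re.compile(r"^FF - Ext: (?P<name>.+?): (?P<id>\S+) - (?P<path>.+)$")
FF_PREF = re.compile(r"^FF - user\.js: (?P<pref>\S+) - (?P<value>\S+)$")
ASSOC = re.compile(r"^(?P<ftype>(?:JS|JSE|VBS|VBE|WSF|WSH)File)=(?P<handler>.+)$")


def proxy_host_ok(value):
    """True if the proxy host is a hostname or a well-formed IPv4 address."""
    host = value.rsplit(":", 1)[0]
    if re.fullmatch(r"[0-9.]+", host):
        try:
            ipaddress.IPv4Address(host)
        except ValueError:  # e.g. "0.0.0" has only three octets
            return False
    return True


def triage(log_text):
    """Return a list of {'id', 'line', 'note'} findings for one log excerpt."""
    findings = []
    key = ""  # registry key that the following value lines belong to

    def flag(fid, line, note):
        findings.append({"id": fid, "line": line, "note": note})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        if key.endswith("security center") and re.fullmatch(r'"AntiVirusOverride"=dword:0*1', line):
            flag("av-override", line, "Security Center alert for missing/disabled antivirus is suppressed")
            continue
        if "firewallpolicy" in key and re.match(r'"EnableFirewall"=\s*0\b', line):
            flag("fw-disabled", line, "Windows Firewall is off for this profile")
            continue
        m = DEREG.match(line)
        if m:
            flag("deregistered-driver", line, "loaded driver/service with no registration: %s" % m.group("name"))
            continue
        m = PROXY.match(line)
        if m:
            value = m.group("value")
            fid = "user-proxy" if proxy_host_ok(value) else "user-proxy-invalid"
            flag(fid, line, "user-scope IE proxy %s; confirm the user set it" % value)
            continue
        m = FF_EXT.match(line)
        if m:
            path = m.group("path").lower()
            if not (path.startswith("%profile%") or "\\mozilla firefox\\extensions\\" in path):
                flag("ff-ext-outside-profile", line, "extension %r registered from outside the profile or Firefox directory" % m.group("name"))
            continue
        m = FF_PREF.match(line)
        if m and m.group("pref").startswith("security.warn_") and m.group("value") == "false":
            flag("ff-security-warn-off", line, "Firefox security warning %s disabled" % m.group("pref"))
            continue
        m = ASSOC.match(line)
        if m and not re.search(r"\\[wc]script\.exe", m.group("handler"), re.IGNORECASE):
            flag("script-assoc-nondefault", line, "%s handler is not WScript/CScript; verify it is intended" % m.group("ftype"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-24s %s" % (f["id"], f["note"]))
```

Run as a script it prints one line per finding for the embedded excerpt; to use it on a full log, pass the whole ComboFix output to `triage()`. The extension rule flags by install path only, so legitimate third-party extensions that register from their own program directory will also show up and need a glance.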


#4 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 19 August 2012 - 09:04 PM

Greetings

Let's wait on MBAM until we are sure the virus is gone.

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save Log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 Tony Pal (Topic Starter, Members, 19 posts)

Posted 19 August 2012 - 09:58 PM

Gringo, thanks for your quick response! The two programs ran without a problem. I can't tell whether the PC is running better. TDSSKiller did not find anything. When aswMBR produced the log file, another file called MBR.dat also appeared on the desktop.

22:11:59.0212 2052 TDSS rootkit removing tool 2.8.6.0 Aug 13 2012 17:24:05
22:11:59.0472 2052 ============================================================
22:11:59.0472 2052 Current date / time: 2012/08/19 22:11:59.0472
22:11:59.0472 2052 SystemInfo:
22:11:59.0472 2052
22:11:59.0472 2052 OS Version: 5.1.2600 ServicePack: 2.0
22:11:59.0472 2052 Product type: Workstation
22:11:59.0472 2052 ComputerName: TONY-E2EEB9EDC8
22:11:59.0472 2052 UserName: Tony
22:11:59.0472 2052 Windows directory: C:\WINDOWS
22:11:59.0472 2052 System windows directory: C:\WINDOWS
22:11:59.0472 2052 Processor architecture: Intel x86
22:11:59.0472 2052 Number of processors: 1
22:11:59.0472 2052 Page size: 0x1000
22:11:59.0472 2052 Boot type: Normal boot
22:11:59.0472 2052 ============================================================
22:12:00.0974 2052 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x50C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
22:12:00.0974 2052 ============================================================
22:12:00.0974 2052 \Device\Harddisk0\DR0:
22:12:00.0974 2052 MBR partitions:
22:12:00.0974 2052 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A186D1
22:12:00.0974 2052 ============================================================
22:12:01.0014 2052 C: <-> \Device\Harddisk0\DR0\Partition1
22:12:01.0014 2052 ============================================================
22:12:01.0014 2052 Initialize success
22:12:01.0014 2052 ============================================================
22:12:22.0115 2952 ============================================================
22:12:22.0115 2952 Scan started
22:12:22.0115 2952 Mode: Manual;
22:12:22.0115 2952 ============================================================
22:12:22.0395 2952 ================ Scan services =============================
22:12:22.0535 2952 Abiosdsk - ok
22:12:22.0545 2952 abp480n5 - ok
22:12:22.0605 2952 [ a10c7534f7223f4a73a948967d00e69b ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:12:22.0615 2952 ACPI - ok
22:12:22.0655 2952 [ 9859c0f6936e723e4892d7141b1327d5 ] ACPIEC C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
22:12:22.0665 2952 ACPIEC - ok
22:12:22.0705 2952 [ 37b124ba35bf2330e73daf9b2fdda269 ] ACS C:\WINDOWS\system32\acs.exe
22:12:22.0716 2952 ACS - ok
22:12:22.0836 2952 [ 6d182c31acf16213407f2768f1107fe3 ] Adobe LM Service C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
22:12:22.0836 2952 Adobe LM Service - ok
22:12:22.0846 2952 adpu160m - ok
22:12:22.0916 2952 [ 9f59ae2de835641fbb0c6afd80d8fa9b ] aeaudio C:\WINDOWS\system32\drivers\aeaudio.sys
22:12:22.0916 2952 aeaudio - ok
22:12:22.0946 2952 [ 841f385c6cfaf66b58fbd898722bb4f0 ] aec C:\WINDOWS\system32\drivers\aec.sys
22:12:22.0946 2952 aec - ok
22:12:23.0016 2952 [ 2c5c22990156a1063e19ad162191dc1d ] AegisP C:\WINDOWS\system32\DRIVERS\AegisP.sys
22:12:23.0016 2952 AegisP - ok
22:12:23.0076 2952 [ 55e6e1c51b6d30e54335750955453702 ] AFD C:\WINDOWS\System32\drivers\afd.sys
22:12:23.0086 2952 AFD - ok
22:12:23.0146 2952 [ 0ebb674888cbdefd5773341c16dd6a07 ] AFS2K C:\WINDOWS\system32\drivers\AFS2K.sys
22:12:23.0146 2952 AFS2K - ok
22:12:23.0186 2952 [ 2c428fa0c3e3a01ed93c9b2a27d8d4bb ] agp440 C:\WINDOWS\system32\DRIVERS\agp440.sys
22:12:23.0186 2952 agp440 - ok
22:12:23.0196 2952 Aha154x - ok
22:12:23.0216 2952 aic78u2 - ok
22:12:23.0226 2952 aic78xx - ok
22:12:23.0266 2952 [ c7ae0fd3867db0d42b03b73c18f3d671 ] Alerter C:\WINDOWS\system32\alrsvc.dll
22:12:23.0266 2952 Alerter - ok
22:12:23.0296 2952 [ f1958fbf86d5c004cf19a5951a9514b7 ] ALG C:\WINDOWS\System32\alg.exe
22:12:23.0296 2952 ALG - ok
22:12:23.0316 2952 AliIde - ok
22:12:23.0326 2952 amsint - ok
22:12:23.0366 2952 [ 11ab185a7af224800bbfb5b836974a17 ] ANC C:\WINDOWS\system32\drivers\ANC.SYS
22:12:23.0366 2952 ANC - ok
22:12:23.0427 2952 [ 4b5ae15e5c73eb4dc8dbec2788230d41 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
22:12:23.0437 2952 Apple Mobile Device - ok
22:12:23.0477 2952 [ 9c3c12975c97119412802b181fbeeffe ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
22:12:23.0477 2952 AppMgmt - ok
22:12:23.0497 2952 asc - ok
22:12:23.0507 2952 asc3350p - ok
22:12:23.0527 2952 asc3550 - ok
22:12:23.0687 2952 [ 0e5e4957549056e2bf2c49f4f6b601ad ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
22:12:23.0687 2952 aspnet_state - ok
22:12:23.0717 2952 [ 02000abf34af4c218c35d257024807d6 ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:12:23.0717 2952 AsyncMac - ok
22:12:23.0757 2952 [ cdfe4411a69c224bd1d11b2da92dac51 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
22:12:23.0757 2952 atapi - ok
22:12:23.0767 2952 Atdisk - ok
22:12:23.0857 2952 [ bf997dfd2969902d9f7b983c1ba95811 ] Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe
22:12:23.0877 2952 Ati HotKey Poller - ok
22:12:23.0947 2952 [ 5719f857136ee618f6ec7a5ccd9fb7ab ] ati2mtag C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
22:12:24.0017 2952 ati2mtag - ok
22:12:24.0057 2952 [ ec88da854ab7d7752ec8be11a741bb7f ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:12:24.0057 2952 Atmarpc - ok
22:12:24.0087 2952 [ 00b76a23c05166810092f680e1994bff ] AtmelTpm C:\WINDOWS\system32\DRIVERS\AtmelTpm.sys
22:12:24.0097 2952 AtmelTpm - ok
22:12:24.0138 2952 [ db66db626e4882ebef55f136f12c1829 ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
22:12:24.0138 2952 AudioSrv - ok
22:12:24.0188 2952 [ d9f724aa26c010a217c97606b160ed68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
22:12:24.0188 2952 audstub - ok
22:12:24.0258 2952 [ da1f27d85e0d1525f6621372e7b685e9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
22:12:24.0258 2952 Beep - ok
22:12:24.0328 2952 [ 2c69ec7e5a311334d10dd95f338fccea ] BITS C:\WINDOWS\system32\qmgr.dll
22:12:24.0348 2952 BITS - ok
22:12:24.0428 2952 [ 3f56903e124e820aeece6d471583c6c1 ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
22:12:24.0438 2952 Bonjour Service - ok
22:12:24.0468 2952 [ e3cfccdda4edd1d0dc9168b2e18f27b8 ] Browser C:\WINDOWS\System32\browser.dll
22:12:24.0468 2952 Browser - ok
22:12:24.0608 2952 [ 63cad765a65d573f0c86964634c9b55e ] BTKRNL C:\WINDOWS\system32\drivers\btkrnl.sys
22:12:24.0678 2952 BTKRNL - ok
22:12:24.0748 2952 [ e80feaea3f3e75b166ece8e47cf0a7e9 ] btwdins C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
22:12:24.0758 2952 btwdins - ok
22:12:24.0819 2952 [ 248dfa5762dde38dfddbbd44149e9d7a ] BVRPMPR5 C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
22:12:24.0819 2952 BVRPMPR5 - ok
22:12:24.0979 2952 catchme - ok
22:12:25.0019 2952 [ 90a673fc8e12a79afbed2576f6a7aaf9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
22:12:25.0019 2952 cbidf2k - ok
22:12:25.0039 2952 cd20xrnt - ok
22:12:25.0079 2952 [ c1b486a7658353d33a10cc15211a873b ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
22:12:25.0079 2952 Cdaudio - ok
22:12:25.0099 2952 [ cd7d5152df32b47f4e36f710b35aae02 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
22:12:25.0099 2952 Cdfs - ok
22:12:25.0129 2952 [ af9c19b3100fe010496b1a27181fbf72 ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:12:25.0129 2952 Cdrom - ok
22:12:25.0139 2952 Changer - ok
22:12:25.0169 2952 [ 3192bd04d032a9c4a85a3278c268a13a ] CiSvc C:\WINDOWS\system32\cisvc.exe
22:12:25.0169 2952 CiSvc - ok
22:12:25.0199 2952 [ c8dec22c4137d7a90f8bdf41ca4b82ae ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
22:12:25.0199 2952 ClipSrv - ok
22:12:25.0239 2952 [ d87acaed61e417bba546ced5e7e36d9c ] clr_optimization_v2.0.50727_32 c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
22:12:25.0249 2952 clr_optimization_v2.0.50727_32 - ok
22:12:25.0299 2952 [ 4266be808f85826aedf3c64c1e240203 ] CmBatt C:\WINDOWS\system32\DRIVERS\CmBatt.sys
22:12:25.0299 2952 CmBatt - ok
22:12:25.0309 2952 CmdIde - ok
22:12:25.0329 2952 [ df1b1a24bf52d0ebc01ed4ece8979f50 ] Compbatt C:\WINDOWS\system32\DRIVERS\compbatt.sys
22:12:25.0329 2952 Compbatt - ok
22:12:25.0339 2952 COMSysApp - ok
22:12:25.0369 2952 Cpqarray - ok
22:12:25.0399 2952 [ 10654f9ddcea9c46cfb77554231be73b ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
22:12:25.0399 2952 CryptSvc - ok
22:12:25.0409 2952 dac2w2k - ok
22:12:25.0419 2952 dac960nt - ok
22:12:25.0510 2952 [ 01095febf33beea00c2a0730b9b3ec28 ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
22:12:25.0520 2952 DcomLaunch - ok
22:12:25.0550 2952 [ cb6ca3e5261d65f6f809eed23bf167aa ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
22:12:25.0550 2952 Dhcp - ok
22:12:25.0570 2952 [ 00ca44e4534865f8a3b64f7c0984bff0 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
22:12:25.0570 2952 Disk - ok
22:12:25.0590 2952 dmadmin - ok
22:12:25.0670 2952 [ c0fbb516e06e243f0cf31f597e7ebf7d ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
22:12:25.0710 2952 dmboot - ok
22:12:25.0750 2952 [ f5e7b358a732d09f4bcf2824b88b9e28 ] dmio C:\WINDOWS\system32\drivers\dmio.sys
22:12:25.0750 2952 dmio - ok
22:12:25.0800 2952 [ e9317282a63ca4d188c0df5e09c6ac5f ] dmload C:\WINDOWS\system32\drivers\dmload.sys
22:12:25.0800 2952 dmload - ok
22:12:25.0830 2952 [ 1639d9964c9e1b2ecca95c8217d3e70d ] dmserver C:\WINDOWS\System32\dmserver.dll
22:12:25.0830 2952 dmserver - ok
22:12:25.0900 2952 [ a6f881284ac1150e37d9ae47ff601267 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
22:12:25.0900 2952 DMusic - ok
22:12:25.0930 2952 [ 7379de06fd196e396a00aa97b990c00d ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
22:12:25.0930 2952 Dnscache - ok
22:12:25.0950 2952 dpti2o - ok
22:12:26.0010 2952 [ 1ed4dbbae9f5d558dbba4cc450e3eb2e ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
22:12:26.0010 2952 drmkaud - ok
22:12:26.0080 2952 [ 8179a01475f75417011e27e322c7e0e3 ] E1000 C:\WINDOWS\system32\DRIVERS\e1000325.sys
22:12:26.0080 2952 E1000 - ok
22:12:26.0100 2952 [ 67dff7bbbd0e80aab7b3cf061448db8a ] ERSvc C:\WINDOWS\System32\ersvc.dll
22:12:26.0100 2952 ERSvc - ok
22:12:26.0170 2952 [ 37561f8d4160d62da86d24ae41fae8de ] Eventlog C:\WINDOWS\system32\services.exe
22:12:26.0170 2952 Eventlog - ok
22:12:26.0241 2952 [ 60d1a6342238378bfb7545c81ee3606c ] EventSystem C:\WINDOWS\system32\es.dll
22:12:26.0251 2952 EventSystem - ok
22:12:26.0331 2952 [ 80aaa1c7520c86ca0641c69851e124af ] EvtEng C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
22:12:26.0341 2952 EvtEng - ok
22:12:26.0361 2952 [ 3117f595e9615e04f05a54fc15a03b20 ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
22:12:26.0371 2952 Fastfat - ok
22:12:26.0391 2952 [ e7518dc542d3ebdcb80edd98462c7821 ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
22:12:26.0401 2952 FastUserSwitchingCompatibility - ok
22:12:26.0411 2952 [ ced2e8396a8838e59d8fd529c680e02c ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
22:12:26.0421 2952 Fdc - ok
22:12:26.0481 2952 [ e153ab8a11de5452bcf5ac7652dbf3ed ] Fips C:\WINDOWS\system32\drivers\Fips.sys
22:12:26.0481 2952 Fips - ok
22:12:26.0501 2952 [ 0dd1de43115b93f4d85e889d7a86f548 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
22:12:26.0511 2952 Flpydisk - ok
22:12:26.0581 2952 [ 157754f0df355a9e0a6f54721914f9c6 ] FltMgr C:\WINDOWS\system32\DRIVERS\fltMgr.sys
22:12:26.0581 2952 FltMgr - ok
22:12:26.0751 2952 [ 9513b437b7adb1e6065b7f0d83d11ecf ] FreeAgentGoNext Service C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
22:12:26.0751 2952 FreeAgentGoNext Service - ok
22:12:26.0811 2952 [ 3e1e2bd4f39b0e2b7dc4f4d2bcc2779a ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:12:26.0811 2952 Fs_Rec - ok
22:12:26.0831 2952 [ 6ac26732762483366c3969c9e4d2259d ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:12:26.0831 2952 Ftdisk - ok
22:12:26.0892 2952 [ 8182ff89c65e4d38b2de4bb0fb18564e ] GEARAspiWDM C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
22:12:26.0892 2952 GEARAspiWDM - ok
22:12:26.0912 2952 [ c0f1d4a21de5a415df8170616703debf ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:12:26.0922 2952 Gpc - ok
22:12:26.0982 2952 [ 8827911a8c37e40c027cbfc88e69d967 ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
22:12:26.0992 2952 helpsvc - ok
22:12:27.0052 2952 [ 9376e6893e52b368abc6255bf54f0b28 ] HidServ C:\WINDOWS\System32\hidserv.dll
22:12:27.0052 2952 HidServ - ok
22:12:27.0122 2952 [ 1de6783b918f540149aa69943bdfeba8 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:12:27.0122 2952 HidUsb - ok
22:12:27.0172 2952 [ e4e0b356a8756066cf89080d9da69f22 ] HPFXBULK C:\WINDOWS\system32\drivers\hpfxbulk.sys
22:12:27.0172 2952 HPFXBULK - ok
22:12:27.0182 2952 hpn - ok
22:12:27.0212 2952 [ d03d10f7ded688fecf50f8fbf1ea9b8a ] HPZid412 C:\WINDOWS\system32\DRIVERS\HPZid412.sys
22:12:27.0212 2952 HPZid412 - ok
22:12:27.0242 2952 [ 89f41658929393487b6b7d13c8528ce3 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
22:12:27.0252 2952 HPZipr12 - ok
22:12:27.0292 2952 [ abcb05ccdbf03000354b9553820e39f8 ] HPZius12 C:\WINDOWS\system32\DRIVERS\HPZius12.sys
22:12:27.0292 2952 HPZius12 - ok
22:12:27.0342 2952 [ 62003dbef083dc07e5399f44fb4e22bc ] HSFHWICH C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
22:12:27.0352 2952 HSFHWICH - ok
22:12:27.0422 2952 [ f41cd40b94d91edf9443a527053ec549 ] HSF_DP C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
22:12:27.0482 2952 HSF_DP - ok
22:12:27.0552 2952 [ 9f8b0f4276f618964fd118be4289b7cd ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
22:12:27.0562 2952 HTTP - ok
22:12:27.0633 2952 [ 064d8581adf77c25133e7d751d917d83 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
22:12:27.0643 2952 HTTPFilter - ok
22:12:27.0653 2952 i2omgmt - ok
22:12:27.0663 2952 i2omp - ok
22:12:27.0723 2952 [ 5502b58eef7486ee6f93f3f164dcb808 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:12:27.0723 2952 i8042prt - ok
22:12:27.0783 2952 [ b9ad9ebe354af205277fdbfce5c5daec ] IBMPMDRV C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
22:12:27.0783 2952 IBMPMDRV - ok
22:12:27.0843 2952 [ 2df0dc8f474a63d4eb628cb3adeb2db5 ] IBMPMSVC C:\WINDOWS\system32\ibmpmsvc.exe
22:12:27.0853 2952 IBMPMSVC - ok
22:12:27.0873 2952 [ 73893e9a62d869a0409df9c12a0ebefe ] IBMTPCHK C:\WINDOWS\system32\drivers\IBMBLDID.SYS
22:12:27.0873 2952 IBMTPCHK - ok
22:12:27.0923 2952 [ f8aa320c6a0409c0380e5d8a99d76ec6 ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
22:12:27.0923 2952 Imapi - ok
22:12:27.0963 2952 [ fa788520bcac0f5d9d5cde5615c0d931 ] ImapiService C:\WINDOWS\system32\imapi.exe
22:12:27.0973 2952 ImapiService - ok
22:12:27.0993 2952 ini910u - ok
22:12:28.0033 2952 [ 2d722b2b54ab55b2fa475eb58d7b2aad ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
22:12:28.0033 2952 IntelIde - ok
22:12:28.0053 2952 [ 279fb78702454dff2bb445f238c048d2 ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:12:28.0063 2952 intelppm - ok
22:12:28.0083 2952 [ 4448006b6bc60e6c027932cfc38d6855 ] Ip6Fw C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
22:12:28.0093 2952 Ip6Fw - ok
22:12:28.0153 2952 [ 731f22ba402ee4b62748adaf6363c182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:12:28.0153 2952 IpFilterDriver - ok
22:12:28.0183 2952 [ e1ec7f5da720b640cd8fb8424f1b14bb ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:12:28.0183 2952 IpInIp - ok
22:12:28.0213 2952 [ b5a8e215ac29d24d60b4d1250ef05ace ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:12:28.0223 2952 IpNat - ok
22:12:28.0314 2952 [ 7a3611564fce7c8be50b03f58cb3eb7d ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
22:12:28.0344 2952 iPod Service - ok
22:12:28.0414 2952 [ 64537aa5c003a6afeee1df819062d0d1 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:12:28.0414 2952 IPSec - ok
22:12:28.0474 2952 [ 86c204836feec22510d434982d4221b8 ] irda C:\WINDOWS\system32\DRIVERS\irda.sys
22:12:28.0474 2952 irda - ok
22:12:28.0534 2952 [ 50708daa1b1cbb7d6ac1cf8f56a24410 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
22:12:28.0534 2952 IRENUM - ok
22:12:28.0604 2952 [ a02512c315c84f475bd89f847048b27b ] Irmon C:\WINDOWS\System32\irmon.dll
22:12:28.0604 2952 Irmon - ok
22:12:28.0624 2952 [ e504f706ccb699c2596e9a3da1596e87 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:12:28.0624 2952 isapnp - ok
22:12:28.0734 2952 [ 0a5709543986843d37a92290b7838340 ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
22:12:28.0744 2952 JavaQuickStarterService - ok
22:12:28.0774 2952 [ ebdee8a2ee5393890a1acee971c4c246 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:12:28.0774 2952 Kbdclass - ok
22:12:28.0824 2952 [ e182fa8e49e8ee41b4adc53093f3c7e6 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
22:12:28.0834 2952 kbdhid - ok
22:12:28.0864 2952 [ d93cad07c5683db066b0b2d2d3790ead ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
22:12:28.0864 2952 kmixer - ok
22:12:28.0914 2952 [ 674d3e5a593475915dc6643317192403 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
22:12:28.0914 2952 KSecDD - ok
22:12:28.0964 2952 [ 93d32468d34e000cb3407947d1d6e22a ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
22:12:28.0975 2952 lanmanserver - ok
22:12:29.0035 2952 [ e1f27cfcd114ec9f1e1f44674b2ff9f0 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
22:12:29.0045 2952 lanmanworkstation - ok
22:12:29.0065 2952 lbrtfdc - ok
22:12:29.0125 2952 [ 3c3f7f424e324c6971632c5de5ff458f ] lenovo.smi C:\WINDOWS\system32\DRIVERS\smiif32.sys
22:12:29.0125 2952 lenovo.smi - ok
22:12:29.0155 2952 [ b3eff6d938c572e90a07b3d87a3c7657 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
22:12:29.0155 2952 LmHosts - ok
22:12:29.0175 2952 [ eeaea6514ba7c9d273b5e87c4e1aab30 ] mdmxsdk C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
22:12:29.0175 2952 mdmxsdk - ok
22:12:29.0205 2952 [ 95fd808e4ac22aba025a7b3eac0375d2 ] Messenger C:\WINDOWS\System32\msgsvc.dll
22:12:29.0205 2952 Messenger - ok
22:12:29.0265 2952 [ 4ae068242760a1fb6e1a44bf4e16afa6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
22:12:29.0265 2952 mnmdd - ok
22:12:29.0335 2952 [ f6415361201915b9fe3896b0e4e724ff ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
22:12:29.0335 2952 mnmsrvc - ok
22:12:29.0365 2952 [ 6fc6f9d7acc36dca9b914565a3aeda05 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
22:12:29.0375 2952 Modem - ok
22:12:29.0405 2952 [ 34e1f0031153e491910e12551400192c ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:12:29.0405 2952 Mouclass - ok
22:12:29.0445 2952 [ b1c303e17fb9d46e87a98e4ba6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:12:29.0445 2952 mouhid - ok
22:12:29.0515 2952 [ 65653f3b4477f3c63e68a9659f85ee2e ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
22:12:29.0525 2952 MountMgr - ok
22:12:29.0535 2952 mraid35x - ok
22:12:29.0555 2952 [ 46edcc8f2db2f322c24f48785cb46366 ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:12:29.0565 2952 MRxDAV - ok
22:12:29.0625 2952 [ fb6c89bb3ce282b08bdb1e3c179e1c39 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:12:29.0645 2952 MRxSmb - ok
22:12:29.0696 2952 [ c7c3d89eb0a6f3dba622ea737fa335b1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
22:12:29.0696 2952 MSDTC - ok
22:12:29.0726 2952 [ 561b3a4333ca2dbdba28b5b956822519 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
22:12:29.0726 2952 Msfs - ok
22:12:29.0736 2952 MSIServer - ok
22:12:29.0796 2952 [ ae431a8dd3c1d0d0610cdbac16057ad0 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:12:29.0796 2952 MSKSSRV - ok
22:12:29.0856 2952 [ 13e75fef9dfeb08eeded9d0246e1f448 ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:12:29.0856 2952 MSPCLOCK - ok
22:12:29.0886 2952 [ 1988a33ff19242576c3d0ef9ce785da7 ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
22:12:29.0886 2952 MSPQM - ok
22:12:29.0916 2952 [ 469541f8bfd2b32659d5d463a6714bce ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:12:29.0916 2952 mssmbios - ok
22:12:29.0936 2952 [ 82035e0f41c2dd05ae41d27fe6cf7de1 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
22:12:29.0946 2952 Mup - ok
22:12:29.0986 2952 [ 558635d3af1c7546d26067d5d9b6959e ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
22:12:29.0996 2952 NDIS - ok
22:12:30.0056 2952 [ 08d43bbdacdf23f34d79e44ed35c1b4c ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:12:30.0056 2952 NdisTapi - ok
22:12:30.0116 2952 [ 34d6cd56409da9a7ed573e1c90a308bf ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:12:30.0126 2952 Ndisuio - ok
22:12:30.0146 2952 [ 0b90e255a9490166ab368cd55a529893 ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:12:30.0146 2952 NdisWan - ok
22:12:30.0156 2952 [ 59fc3fb44d2669bc144fd87826bb571f ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
22:12:30.0166 2952 NDProxy - ok
22:12:30.0176 2952 [ 3a2aca8fc1d7786902ca434998d7ceb4 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
22:12:30.0176 2952 NetBIOS - ok
22:12:30.0206 2952 [ 0c80e410cd2f47134407ee7dd19cc86b ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
22:12:30.0216 2952 NetBT - ok
22:12:30.0246 2952 [ 05afb5ad06462257bea7495283c86d50 ] NetDDE C:\WINDOWS\system32\netdde.exe
22:12:30.0256 2952 NetDDE - ok
22:12:30.0266 2952 [ 05afb5ad06462257bea7495283c86d50 ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
22:12:30.0276 2952 NetDDEdsdm - ok
22:12:30.0316 2952 [ 84885f9b82f4d55c6146ebf6065d75d2 ] Netlogon C:\WINDOWS\system32\lsass.exe
22:12:30.0316 2952 Netlogon - ok
22:12:30.0367 2952 [ dab9e6c7105d2ef49876fe92c524f565 ] Netman C:\WINDOWS\System32\netman.dll
22:12:30.0377 2952 Netman - ok
22:12:30.0447 2952 [ 097722f235a1fb698bf9234e01b52637 ] Nla C:\WINDOWS\System32\mswsock.dll
22:12:30.0457 2952 Nla - ok
22:12:30.0467 2952 [ 4f601bcb8f64ea3ac0994f98fed03f8e ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
22:12:30.0477 2952 Npfs - ok
22:12:30.0497 2952 [ 6216798d29c3ba9d0d6f40bbbab694a5 ] NSCIRDA C:\WINDOWS\system32\DRIVERS\nscirda.sys
22:12:30.0497 2952 NSCIRDA - ok
22:12:30.0547 2952 [ b78be402c3f63dd55521f73876951cdd ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
22:12:30.0557 2952 Ntfs - ok
22:12:30.0577 2952 [ 84885f9b82f4d55c6146ebf6065d75d2 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
22:12:30.0577 2952 NtLmSsp - ok
22:12:30.0597 2952 [ b62f29c00ac55a761b2e45877d85ea0f ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
22:12:30.0607 2952 NtmsSvc - ok
22:12:30.0657 2952 [ 73c1e1f395918bc2c6dd67af7591a3ad ] Null C:\WINDOWS\system32\drivers\Null.sys
22:12:30.0657 2952 Null - ok
22:12:30.0707 2952 [ b305f3fad35083837ef46a0bbce2fc57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:12:30.0707 2952 NwlnkFlt - ok
22:12:30.0737 2952 [ c99b3415198d1aab7227f2c88fd664b9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:12:30.0737 2952 NwlnkFwd - ok
22:12:30.0827 2952 [ 7a56cf3e3f12e8af599963b16f50fb6a ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
22:12:30.0827 2952 ose - ok
22:12:30.0907 2952 [ 29744eb4ce659dfe3b4122deb45bc478 ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
22:12:30.0917 2952 Parport - ok
22:12:30.0937 2952 [ 3334430c29dc338092f79c38ef7b4cd0 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
22:12:30.0937 2952 PartMgr - ok
22:12:30.0997 2952 [ 70e98b3fd8e963a6a46a2e6247e0bea1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
22:12:30.0997 2952 ParVdm - ok
22:12:31.0017 2952 [ 8086d9979234b603ad5bc2f5d890b234 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
22:12:31.0017 2952 PCI - ok
22:12:31.0037 2952 PCIDump - ok
22:12:31.0047 2952 [ ccf5f451bb1a5a2a522a76e670000ff0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
22:12:31.0047 2952 PCIIde - ok
22:12:31.0068 2952 [ 82a087207decec8456fbe8537947d579 ] Pcmcia C:\WINDOWS\system32\DRIVERS\pcmcia.sys
22:12:31.0078 2952 Pcmcia - ok
22:12:31.0088 2952 PDCOMP - ok
22:12:31.0098 2952 PDFRAME - ok
22:12:37.0917 2952 ================ Scan global ===============================
22:12:37.0967 2952 (00ef9c3af83edbaf18ca7a2837750117) C:\WINDOWS\system32\basesrv.dll
22:12:38.0007 2952 (442d0ead5534e4adcf6d4469043c82c0) C:\WINDOWS\system32\winsrv.dll
22:12:38.0048 2952 (442d0ead5534e4adcf6d4469043c82c0) C:\WINDOWS\system32\winsrv.dll
22:12:38.0078 2952 (37561f8d4160d62da86d24ae41fae8de) C:\WINDOWS\system32\services.exe
22:12:38.0078 2952 [Global] - ok
22:12:38.0088 2952 ================ Scan MBR ==================================
22:12:38.0118 2952 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
22:12:38.0388 2952 \Device\Harddisk0\DR0 - ok
22:12:38.0388 2952 ================ Scan VBR ==================================
22:12:38.0398 2952 Boot (0x1200) (a979b47a798a1109696587fb4f44a1f1) \Device\Harddisk0\DR0\Partition1
22:12:38.0398 2952 \Device\Harddisk0\DR0\Partition1 - ok
22:12:38.0398 2952 ============================================================
22:12:38.0398 2952 Scan finished
22:12:38.0398 2952 ============================================================
22:12:38.0428 0616 Detected object count: 0
22:12:38.0428 0616 Actual detected object count: 0


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-19 22:16:05
-----------------------------
22:16:05.746 OS Version: Windows 5.1.2600 Service Pack 2
22:16:05.746 Number of processors: 1 586 0xD06
22:16:05.746 ComputerName: TONY-E2EEB9EDC8 UserName: Tony
22:16:06.417 Initialize success
22:18:19.619 AVAST engine defs: 12081900
22:18:51.785 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:18:51.785 Disk 0 Vendor: WDC_WD1600BEVE-00UYT0 01.04A01 Size: 152627MB BusType: 3
22:18:51.815 Disk 0 MBR read successfully
22:18:51.815 Disk 0 MBR scan
22:18:51.895 Disk 0 Windows XP default MBR code
22:18:51.895 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152624 MB offset 63
22:18:51.895 Disk 0 scanning sectors +312575760
22:18:51.995 Disk 0 scanning C:\WINDOWS\system32\drivers
22:19:04.323 Service scanning
22:19:24.542 Modules scanning
22:19:32.123 Disk 0 trace - called modules:
22:19:32.133 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
22:19:32.133 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8376eab8]
22:19:32.463 3 CLASSPNP.SYS[f788105b] -> nt!IofCallDriver -> \Device\00000081[0x8370d1b8]
22:19:32.463 5 ACPI.sys[f77e7620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8374b940]
22:19:32.974 AVAST engine scan C:\WINDOWS
22:19:42.618 AVAST engine scan C:\WINDOWS\system32
22:21:49.751 AVAST engine scan C:\WINDOWS\system32\drivers
22:22:06.315 AVAST engine scan C:\Documents and Settings\Tony
22:34:42.592 AVAST engine scan C:\Documents and Settings\All Users
22:35:07.588 Scan finished successfully
22:38:44.350 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Tony\Desktop\MBR.dat"
22:38:44.350 The log file has been saved successfully to "C:\Documents and Settings\Tony\Desktop\aswMBR.txt"


Best,

Tony

#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 August 2012 - 10:11 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[image: dragging CFScript.txt onto ComboFix.exe]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
    • report from ComboFix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 Tony Pal (Topic Starter)

  • Members
  • 19 posts

Posted 19 August 2012 - 10:48 PM

Gringo, I ran the CFScript as directed without any problems. Nevertheless, the Google redirect is still occurring.


ComboFix 12-08-18.03 - Tony 08/19/2012 23:28:50.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.400 [GMT -4:00]
Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tony\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-07-20 to 2012-08-20 )))))))))))))))))))))))))))))))
.
.
2012-08-13 21:18 . 2012-08-13 21:18 -------- d-----w- c:\documents and settings\Troubleshooting\Application Data\Malwarebytes
2012-08-13 18:04 . 2012-08-13 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-08-13 18:04 . 2012-08-13 18:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-13 18:04 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-13 15:52 . 2012-08-13 15:53 -------- d-----w- c:\documents and settings\Administrator
2012-08-13 13:30 . 2012-08-13 13:30 -------- d-----w- c:\documents and settings\Tony\Application Data\Malwarebytes
2012-07-30 21:21 . 2012-08-10 18:14 -------- d-----w- c:\program files\TunnelBear
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-10-06 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 1323008]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-07 344064]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"ControlCenter"="c:\program files\IBM fingerprint software\ctlcntr.exe" [2004-09-25 284254]
"TpShocks"="TpShocks.exe" [2004-03-27 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2006-04-12 569344]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"DeviceDiscovery"="c:\program files\HP\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-03-25 329312]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-12-3 25214]
BTTray.lnk - c:\program files\IBM\Bluetooth Software\BTTray.exe [2004-1-20 507965]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-09-25 00:15 108636 ----a-w- c:\program files\IBM fingerprint software\psfus.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 11:07 262144 ----a-w- c:\windows\system32\QConGina.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 18:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [5/12/2008 10:04 PM 13480]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [12/25/2009 10:38 AM 4408616]
R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [12/25/2009 10:39 AM 112936]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [10/28/2009 8:20 AM 12288]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [12/25/2009 10:38 AM 15656]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 42233445
*NewlyCreated* - ASWMBR
*Deregistered* - 42233445
*Deregistered* - aswMBR
*Deregistered* - kfacypoc
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
2012-08-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-02-05 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0:80
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Tony\Application Data\Mozilla\Firefox\Profiles\90u6qsu6.default\
FF - prefs.js: browser.startup.homepage - hxxp://duckduckgo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Tony\Application Data\Move Networks
FF - Ext: Mozilla Safe Browsing: {3D60E777-D00C-11E1-8270-B8AC6F996F26} - c:\documents and settings\Tony\Local Settings\Application Data\{3D60E777-D00C-11E1-8270-B8AC6F996F26}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-19 23:34
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
c:\program files\IBM fingerprint software\psfus.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\windows\system32\ACTIVEDS.dll
.
Completion time: 2012-08-19 23:35:45
ComboFix-quarantined-files.txt 2012-08-20 03:35
ComboFix2.txt 2012-03-20 19:42
.
Pre-Run: 107,781,844,992 bytes free
Post-Run: 107,896,901,632 bytes free
.
- - End Of File - - 47A0AEC597D03A154F009267C6F99CAA

Tony
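
A triage pass over the kind of entries in the ComboFix report above, as an added example that is not part of this thread or of ComboFix itself: the sample lines are copied from the posted report, and the checks (Security Center AntiVirusOverride, a firewall profile with EnableFirewall=0, a configured IE ProxyServer, Firefox security.warn_* preferences forced off in user.js, and transient drivers that do not belong to the scanners run here) are a reviewer's rules of thumb, so the KNOWN_SCANNER_DRIVERS allowlist is an assumption to adjust per case.

```python
"""Triage ComboFix report lines for settings that weaken a host's defences.
Added example for this thread, not ComboFix's own logic: the sample lines are
copied from the report posted above; the checks are a reviewer's rules of thumb.
"""
import re
from dataclasses import dataclass

# Drivers the scanners used in this thread create and remove while running
# (ComboFix's catchme.sys and mbr.sys, Avast's aswMBR.sys). Assumed allowlist.
KNOWN_SCANNER_DRIVERS = {"catchme", "aswmbr", "mbr"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    source: str    # the log line that produced the finding
    detail: str


def _reg_value(text: str) -> int:
    """Parse both value styles ComboFix prints: 'dword:00000001' and '0 (0x0)'."""
    text = text.strip()
    if text.lower().startswith("dword:"):
        return int(text[len("dword:"):], 16)
    return int(text.split()[0], 0)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per weakened-security indicator found in log_text."""
    findings: list[Finding] = []
    section = ""  # most recent [registry key] header, lower-cased
    seen: set[str] = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # context for the quoted values below it
            continue
        m = re.match(r'"AntiVirusOverride"\s*=\s*(\S+)$', line)
        if m and section.endswith("security center") and _reg_value(m.group(1)) == 1:
            findings.append(Finding("high", line,
                "Security Center no longer reports AV state; hides a disabled AV"))
            continue
        m = re.match(r'"EnableFirewall"\s*=\s*(.+)$', line)
        if m and _reg_value(m.group(1)) == 0:
            profile = section.rsplit("\\", 1)[-1]
            findings.append(Finding("high", line,
                f"Windows Firewall disabled in profile '{profile}'"))
            continue
        m = re.match(r"[um]Internet Settings,ProxyServer\s*=\s*(\S+)", line)
        if m:
            findings.append(Finding("medium", line,
                f"IE proxy set to {m.group(1)}; confirm the user configured it"))
            continue
        m = re.match(r"FF - user\.js: (security\.warn_\S+) - false", line)
        if m:
            findings.append(Finding("medium", line,
                f"Firefox {m.group(1)} forced off via user.js (rarely user-made)"))
            continue
        # Kernel drivers ComboFix saw appear or vanish during its run.
        m = re.match(r"\*(?:NewlyCreated|Deregistered)\* - (\S+)", line)
        if m and m.group(1).lower() not in (KNOWN_SCANNER_DRIVERS | seen):
            seen.add(m.group(1).lower())
            findings.append(Finding("medium", line,
                f"transient driver '{m.group(1)}' is not a known scanner driver"))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed input: lines copied verbatim from the ComboFix report above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
*NewlyCreated* - 42233445
*NewlyCreated* - ASWMBR
*Deregistered* - 42233445
*Deregistered* - aswMBR
*Deregistered* - kfacypoc
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0:80
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
"""
```

Run `triage(SAMPLE_LOG)` to see the nine findings the sample produces; the ProxyOverride and privacy.clearOnShutdown lines are included as negative controls that should not fire.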

#8 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 August 2012 - 11:07 PM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened; this is the one I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo

#9 Tony Pal (Topic Starter)

  • Members
  • 19 posts

Posted 19 August 2012 - 11:31 PM

OK, Gringo, I ran the OTL successfully. Two things I should mention: (1) At no time has any of these programs you have had me run asked to restart the computer. Is that OK? (2) I haven't shut down and restarted this PC for a few days.

OTL logfile created on: 8/20/2012 12:18:35 AM - Run 1
OTL by OldTimer - Version 3.2.58.1 Folder = C:\Documents and Settings\Tony\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

766.92 Mb Total Physical Memory | 428.50 Mb Available Physical Memory | 55.87% Memory free
1.83 Gb Paging File | 1.57 Gb Available in Paging File | 86.05% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 100.51 Gb Free Space | 67.44% Space Free | Partition Type: NTFS

Computer Name: TONY-E2EEB9EDC8 | User Name: Tony | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Tony\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe (Seagate Technology LLC)
PRC - C:\Program Files\WTouch\WTouchUser.exe (Wacom Technology, Corp.)
PRC - C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe (Wacom Technology, Corp.)
PRC - C:\Program Files\WTouch\WTouchService.exe (Wacom Technology, Corp.)
PRC - C:\WINDOWS\system32\Pen_Tablet.exe (Wacom Technology, Corp.)
PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)
PRC - C:\WINDOWS\system32\QCONSVC.EXE (IBM Corp.)
PRC - C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe (Adobe Systems Inc.)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
PRC - C:\Program Files\Common Files\Virtual Token\vtserver.exe (UPEK Inc.)
PRC - C:\Program Files\IBM\Bluetooth Software\BTTray.exe (WIDCOMM, Inc.)
PRC - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe (WIDCOMM, Inc.)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
PRC - C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe (Hewlett-Packard)
PRC - C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\ASL.dll ()
MOD - C:\Program Files\ThinkPad\ConnectUtilities\Res\US\IconRes.dll ()
MOD - C:\Program Files\IBM\Bluetooth Software\BTKeyInd.dll ()


========== Win32 Services (SafeList) ==========

SRV - (FreeAgentGoNext Service) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe (Seagate Technology LLC)
SRV - (WTouchService) -- C:\Program Files\WTouch\WTouchService.exe (Wacom Technology, Corp.)
SRV - (TabletServicePen) -- C:\WINDOWS\system32\Pen_Tablet.exe (Wacom Technology, Corp.)
SRV - (QCONSVC) -- C:\WINDOWS\system32\QCONSVC.EXE (IBM Corp.)
SRV - (ACS) -- C:\WINDOWS\system32\acs.exe ()
SRV - (vtserver) -- C:\Program Files\Common Files\Virtual Token\vtserver.exe (UPEK Inc.)
SRV - (btwdins) -- C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe (WIDCOMM, Inc.)
SRV - (TpKmpSVC) -- C:\WINDOWS\system32\TpKmpSvc.exe ()
SRV - (SoundMAX Agent Service (default) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (mbr) -- C:\ComboFix\mbr.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (kfacypoc) -- C:\DOCUME~1\Tony\LOCALS~1\Temp\kfacypoc.sys File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\Tony\LOCALS~1\Temp\catchme.sys File not found
DRV - (aswMBR) -- C:\DOCUME~1\Tony\LOCALS~1\Temp\aswMBR.sys File not found
DRV - (tap0901) -- C:\WINDOWS\system32\drivers\tap0901.sys (The OpenVPN Project)
DRV - (BVRPMPR5) -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS (Avanquest Software)
DRV - (wacomvhid) -- C:\WINDOWS\system32\drivers\wacomvhid.sys (Wacom Technology)
DRV - (wacmoumonitor) -- C:\WINDOWS\system32\drivers\wacmoumonitor.sys (Wacom Technology)
DRV - (lenovo.smi) -- C:\WINDOWS\system32\drivers\smiif32.sys (Lenovo Group Limited)
DRV - (wacommousefilter) -- C:\WINDOWS\system32\drivers\wacommousefilter.sys (Wacom Technology)
DRV - (WacomVKHid) -- C:\WINDOWS\system32\drivers\WacomVKHid.sys (Wacom Technology)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (HPFXBULK) -- C:\WINDOWS\system32\drivers\hpfxbulk.sys (Hewlett Packard)
DRV - (QCNDISIF) -- C:\WINDOWS\system32\drivers\qcndisif.sys (IBM Corporation.)
DRV - (ANC) -- C:\WINDOWS\system32\drivers\ANC.sys (IBM Corp.)
DRV - (IBMTPCHK) -- C:\WINDOWS\system32\drivers\IBMBLDID.SYS ()
DRV - (w29n51) -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel® Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (AFS2K) -- C:\WINDOWS\System32\drivers\AFS2K.SYS (Oak Technology Inc.)
DRV - (HSFHWICH) -- C:\WINDOWS\system32\drivers\HSFHWICH.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (BTKRNL) -- C:\WINDOWS\system32\drivers\btkrnl.sys (WIDCOMM, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1078081533-1677128483-1343024091-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1078081533-1677128483-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1078081533-1677128483-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-1078081533-1677128483-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 0.0.0:80

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://duckduckgo.com/"
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}:6.0.31
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {3D60E777-D00C-11E1-8270-B8AC6F996F26}:2.0.14


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Tony\Application Data\Move Networks\plugins\npqmp071705000014.dll (Move Networks)
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Tony\Application Data\Move Networks\plugins\npqmp071705000014.dll (Move Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/25 10:59:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/08/09 18:27:59 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.22\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/12/26 22:36:59 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.22\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Documents and Settings\Tony\Application Data\Move Networks [2010/01/19 15:48:15 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{3D60E777-D00C-11E1-8270-B8AC6F996F26}: C:\Documents and Settings\Tony\Local Settings\Application Data\{3D60E777-D00C-11E1-8270-B8AC6F996F26}\ [2012/07/17 08:38:03 | 000,000,000 | ---D | M]

[2009/10/27 18:57:25 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Tony\Application Data\Mozilla\Extensions
[2012/08/14 18:38:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Tony\Application Data\Mozilla\Firefox\Profiles\90u6qsu6.default\extensions
[2010/01/26 11:54:26 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\Tony\Application Data\Mozilla\Firefox\Profiles\90u6qsu6.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2012/08/14 18:38:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/04/04 08:38:47 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
[2010/01/19 15:48:15 | 000,000,000 | ---D | M] (Move Media Player) -- C:\DOCUMENTS AND SETTINGS\TONY\APPLICATION DATA\MOVE NETWORKS
[2012/07/17 08:38:03 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\DOCUMENTS AND SETTINGS\TONY\LOCAL SETTINGS\APPLICATION DATA\{3D60E777-D00C-11E1-8270-B8AC6F996F26}
[2012/04/04 08:38:32 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2012/04/04 08:38:32 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2012/08/19 20:36:55 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1078081533-1677128483-1343024091-1003\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1078081533-1677128483-1343024091-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [ControlCenter] C:\Program Files\IBM fingerprint software\ctlcntr.exe (UPEK Inc.)
O4 - HKLM..\Run: [DeviceDiscovery] C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe ()
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
O4 - HKLM..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (IBM Corp.)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk = C:\Program Files\IBM\Bluetooth Software\BTTray.exe (WIDCOMM, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1078081533-1677128483-1343024091-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1078081533-1677128483-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1078081533-1677128483-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1078081533-1677128483-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{529C4521-DDA5-4743-A937-E09C322636BD}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\psfus: DllName - (C:\Program Files\IBM fingerprint software\psfus.dll) - C:\Program Files\IBM fingerprint software\psfus.dll (UPEK Inc.)
O20 - Winlogon\Notify\QConGina: DllName - (QConGina.dll) - C:\WINDOWS\System32\QConGina.dll (IBM Corp.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/27 17:48:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/08/20 00:16:13 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tony\Desktop\OTL.exe
[2012/08/19 22:10:42 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Tony\Desktop\aswMBR.exe
[2012/08/19 22:10:20 | 002,208,856 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Tony\Desktop\tdsskiller.exe
[2012/08/19 21:00:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tony\Desktop\BleepingComputer--Gringo
[2012/08/19 20:26:25 | 004,735,580 | R--- | C] (Swearware) -- C:\Documents and Settings\Tony\Desktop\ComboFix.exe
[2012/08/13 22:04:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tony\Desktop\gmer
[2012/08/13 21:50:50 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Tony\Desktop\dds.com
[2012/08/13 17:54:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tony\My Documents\Utilities
[2012/08/13 14:04:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/08/13 14:04:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/08/13 14:04:21 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/08/13 14:04:21 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/08/13 14:02:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tony\Desktop\mbam-chameleon
[2012/08/13 09:30:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tony\Application Data\Malwarebytes
[2012/08/11 20:40:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tony\My Documents\Malware Logs
[2012/08/09 16:48:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2012/08/09 15:53:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/07/30 17:21:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tony\Start Menu\Programs\TunnelBear
[2012/07/30 17:21:23 | 000,000,000 | ---D | C] -- C:\Program Files\TunnelBear
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/08/20 00:16:14 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tony\Desktop\OTL.exe
[2012/08/19 22:38:44 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Tony\Desktop\MBR.dat
[2012/08/19 22:11:11 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Tony\Desktop\aswMBR.exe
[2012/08/19 22:10:22 | 002,208,856 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Tony\Desktop\tdsskiller.exe
[2012/08/19 20:36:55 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/08/19 20:26:26 | 004,735,580 | R--- | M] (Swearware) -- C:\Documents and Settings\Tony\Desktop\ComboFix.exe
[2012/08/14 14:43:35 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/08/14 07:56:02 | 000,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2012/08/14 07:55:56 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2012/08/14 07:55:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/08/13 22:03:40 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Tony\Desktop\gmer.zip
[2012/08/13 21:50:50 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Tony\Desktop\dds.com
[2012/08/13 17:56:52 | 000,000,065 | ---- | M] () -- C:\Documents and Settings\Tony\Application Data\mbam.context.scan
[2012/08/13 16:33:27 | 000,368,896 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/08/13 16:31:45 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/08/13 16:31:17 | 000,400,532 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/08/13 16:31:17 | 000,060,778 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/08/13 14:04:23 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/08/09 22:19:30 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/08/09 15:53:33 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/08/08 17:28:20 | 000,566,185 | ---- | M] () -- C:\Documents and Settings\Tony\My Documents\PageRank Algorithm - The Mathematics of Google Search.pdf
[2012/07/30 17:21:24 | 000,000,503 | ---- | M] () -- C:\Documents and Settings\Tony\Desktop\TunnelBear.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\hatekeri
[2012/08/19 22:38:44 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Tony\Desktop\MBR.dat
[2012/08/13 22:03:39 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Tony\Desktop\gmer.zip
[2012/08/13 17:56:52 | 000,000,065 | ---- | C] () -- C:\Documents and Settings\Tony\Application Data\mbam.context.scan
[2012/08/13 14:04:23 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/08/08 17:26:56 | 000,566,185 | ---- | C] () -- C:\Documents and Settings\Tony\My Documents\PageRank Algorithm - The Mathematics of Google Search.pdf
[2012/07/30 17:21:24 | 000,000,503 | ---- | C] () -- C:\Documents and Settings\Tony\Desktop\TunnelBear.lnk
[2012/07/17 08:37:34 | 000,000,804 | ---- | C] () -- C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\L\00000004.@
[2012/04/12 11:39:37 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/03/26 23:56:20 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/26 23:56:20 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/26 23:56:20 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/26 23:56:20 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/26 23:56:20 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/12/22 19:17:28 | 000,023,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/12/22 10:13:15 | 000,014,612 | -HS- | C] () -- C:\Documents and Settings\Tony\Local Settings\Application Data\382186v8a170s663a634o4eia3a3
[2010/02/02 21:39:16 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Tony\Local Settings\Application Data\housecall.guid.cache
[2010/01/31 19:45:30 | 000,004,895 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\odmmsmge.nhd
[2006/02/28 08:00:00 | 000,002,048 | -HS- | C] () -- C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\@

< End of report >

Thank you!

Tony

#10 gringo_pr

gringo_pr (Bleepin Gringo) - Malware Response Team - 136,772 posts - Puerto Rico

Posted 20 August 2012 - 12:20 AM

I will not be able to analyze that report until the morning, so go ahead and restart the computer, check things out, and report how things are.



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 gringo_pr

gringo_pr (Bleepin Gringo) - Malware Response Team - 136,772 posts - Puerto Rico

Posted 20 August 2012 - 07:26 AM

Hello

Run this custom script and when it is complete I need to know how the computer is doing

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and paste the following code into the textbox. Do not include the word Code.
    :OTL
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    [2012/07/17 08:37:34 | 000,000,804 | ---- | C] () -- C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\L\00000004.@
    [2011/12/22 10:13:15 | 000,014,612 | -HS- | C] () -- C:\Documents and Settings\Tony\Local Settings\Application Data\382186v8a170s663a634o4eia3a3
    :Files
    C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    
  • Then click the Run Fix button at the top.
  • Click [image].
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Let me know how things are doing.

Gringo

#12 Tony Pal

Tony Pal - Topic Starter - Members - 19 posts

Posted 20 August 2012 - 09:06 AM

Good morning, Gringo, I ran the script successfully. No reboot required. So far there are no redirects. And I don't see anything unusual in the Windows/Installer folder.

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\L\00000004.@ moved successfully.
C:\Documents and Settings\Tony\Local Settings\Application Data\382186v8a170s663a634o4eia3a3 moved successfully.
========== FILES ==========
C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\U folder moved successfully.
C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\L folder moved successfully.
C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5} folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Tony\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tony\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService
->Java cache emptied: 0 bytes

User: Tony
->Java cache emptied: 0 bytes

User: Troubleshooting
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService
->Flash cache emptied: 405 bytes

User: NetworkService
->Flash cache emptied: 3734 bytes

User: Tony
->Flash cache emptied: 286303 bytes

User: Troubleshooting
->Flash cache emptied: 456 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.58.1 log created on 08202012_092313

Best,

Tony
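The script in post #11 singles out the fake \Installer\{GUID}\ folder, the "@" files and the hidden, publisher-less files from the OTL log, and the log in this post confirms they were moved. As an added example that is not from the thread, from OTL or from the helper, here is a small Python pass that picks those same kinds of entries out of OTL file lines automatically: it parses the "[date | size | attrs | C/M] (publisher) -- path" format and flags the ZeroAccess U\ / L\ / "@" layout, forged future timestamps (the 2099 entry), and hidden or system files with no publisher under a user profile or System32. The rule names, the 2012/08/20 report date and the sample lines (copied from the log earlier in the thread) are my choices; a flag marks an entry for review, not a verdict.

```python
import re
from datetime import datetime

# OTL file/folder entry, e.g.
# [2012/07/17 08:37:34 | 000,000,804 | ---- | C] () -- C:\WINDOWS\Installer\{...}\L\00000004.@
# attrs positions are R(ead-only) H(idden) S(ystem) D(irectory); kind is C(reated) or M(odified)
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<publisher>[^)]*)\) -- (?P<path>.+)$"
)

# ZeroAccess (Trojan.Zaccess) on-disk layout seen in this thread: a fake MSI
# package folder \Installer\{GUID}\ holding U\ and L\ subfolders and files
# named "@" or "<digits>.@".
ZA_LAYOUT = re.compile(
    r"\\installer\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\(?:[ul]\\|@$)"
    r"|\.@$",
    re.IGNORECASE,
)

# Locations where a hidden/system file with no publisher deserves a look.
PROFILE_OR_SYSTEM32 = re.compile(r"\\documents and settings\\|\\system32\\", re.IGNORECASE)


def parse_entry(line):
    """Return a dict for an OTL file entry, or None for any other log line."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    publisher = d["publisher"].strip()
    if publisher == "No name found":  # OTL's wording for a directory without a name
        publisher = ""
    return {
        "timestamp": datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(d["size"].replace(",", "")),
        "attrs": d["attrs"],
        "kind": d["kind"],
        "publisher": publisher,
        "path": d["path"].strip(),
    }


def triage_entry(entry, report_date):
    """Return the list of triage rules (my own names) that an entry trips."""
    reasons = []
    attrs = entry["attrs"]
    hidden_or_system = "H" in attrs or "S" in attrs
    is_dir = attrs.endswith("D")
    if ZA_LAYOUT.search(entry["path"]):
        reasons.append("zeroaccess_installer_layout")
    if entry["timestamp"].date() > report_date.date():
        # e.g. a 2099 creation time: the timestamp was forged
        reasons.append("future_timestamp")
    if (hidden_or_system and not is_dir and not entry["publisher"]
            and PROFILE_OR_SYSTEM32.search(entry["path"])):
        reasons.append("hidden_unsigned_in_profile_or_system32")
    return reasons


def triage_log(lines, report_date):
    """Map each flagged path to its reasons; lines that are not file entries are skipped."""
    findings = {}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = triage_entry(entry, report_date)
        if reasons:
            findings[entry["path"]] = reasons
    return findings


# Sample lines copied from the OTL log posted in this thread, plus one
# non-entry line to show that it is ignored.
SAMPLE_LINES = [
    r"[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\hatekeri",
    r"[2012/07/17 08:37:34 | 000,000,804 | ---- | C] () -- C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\L\00000004.@",
    r"[2011/12/22 10:13:15 | 000,014,612 | -HS- | C] () -- C:\Documents and Settings\Tony\Local Settings\Application Data\382186v8a170s663a634o4eia3a3",
    r"[2006/02/28 08:00:00 | 000,002,048 | -HS- | C] () -- C:\WINDOWS\Installer\{0c904c13-2c91-5ff6-2d9b-7aa317c684e5}\@",
    r"[2012/08/09 22:19:30 | 000,000,327 | RHS- | M] () -- C:\boot.ini",
    r"[2012/08/14 07:55:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat",
    r"[2012/08/13 14:04:21 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys",
    r"[2012/08/14 18:38:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions",
    "O1 - Hosts: 127.0.0.1 localhost",
]

# The log in this thread was produced on 2012/08/20 (the OTL.exe creation date in it).
REPORT_DATE = datetime(2012, 8, 20)

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LINES, REPORT_DATE).items():
        print(f"{', '.join(reasons):55s} {path}")
```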

#13 gringo_pr

gringo_pr (Bleepin Gringo) - Malware Response Team - 136,772 posts - Puerto Rico

Posted 20 August 2012 - 11:27 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[image]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#14 Tony Pal

Tony Pal - Topic Starter - Members - 19 posts

Posted 20 August 2012 - 07:58 PM

Gringo, when I ran the CFScript, first a message appeared asking if I wanted to update ComboFix to the newest version. I selected yes. Apparently an entirely new scan was produced. Here is the log. By the way there have been no redirects today.

ComboFix 12-08-20.02 - Tony 08/20/2012 20:42:12.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.457 [GMT -4:00]
Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tony\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-07-21 to 2012-08-21 )))))))))))))))))))))))))))))))
.
.
2012-08-20 13:23 . 2012-08-20 13:23 -------- d-----w- C:\_OTL
2012-08-13 21:18 . 2012-08-13 21:18 -------- d-----w- c:\documents and settings\Troubleshooting\Application Data\Malwarebytes
2012-08-13 18:04 . 2012-08-13 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-08-13 18:04 . 2012-08-13 18:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-13 18:04 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-13 15:52 . 2012-08-13 15:53 -------- d-----w- c:\documents and settings\Administrator
2012-08-13 13:30 . 2012-08-13 13:30 -------- d-----w- c:\documents and settings\Tony\Application Data\Malwarebytes
2012-07-30 21:21 . 2012-08-10 18:14 -------- d-----w- c:\program files\TunnelBear
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot_2012-08-20_00.37.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-20 14:55 . 2012-08-20 14:55 16384 c:\windows\Temp\Perflib_Perfdata_534.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-10-06 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 1323008]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-07 344064]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"ControlCenter"="c:\program files\IBM fingerprint software\ctlcntr.exe" [2004-09-25 284254]
"TpShocks"="TpShocks.exe" [2004-03-27 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2006-04-12 569344]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"DeviceDiscovery"="c:\program files\HP\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-03-25 329312]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-12-3 25214]
BTTray.lnk - c:\program files\IBM\Bluetooth Software\BTTray.exe [2004-1-20 507965]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-09-25 00:15 108636 ----a-w- c:\program files\IBM fingerprint software\psfus.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 11:07 262144 ----a-w- c:\windows\system32\QConGina.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 18:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [5/12/2008 10:04 PM 13480]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [12/25/2009 10:38 AM 4408616]
R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [12/25/2009 10:39 AM 112936]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [10/28/2009 8:20 AM 12288]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [12/25/2009 10:38 AM 15656]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
2012-08-20 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-02-05 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0:80
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Tony\Application Data\Mozilla\Firefox\Profiles\90u6qsu6.default\
FF - prefs.js: browser.startup.homepage - hxxp://duckduckgo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Tony\Application Data\Move Networks
FF - Ext: Mozilla Safe Browsing: {3D60E777-D00C-11E1-8270-B8AC6F996F26} - c:\documents and settings\Tony\Local Settings\Application Data\{3D60E777-D00C-11E1-8270-B8AC6F996F26}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-20 20:48
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll
c:\program files\IBM fingerprint software\psfus.dll
c:\program files\Common Files\Virtual Token\psutil.dll
.
- - - - - - - > 'explorer.exe'(2248)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
.
Completion time: 2012-08-20 20:49:59
ComboFix-quarantined-files.txt 2012-08-21 00:49
ComboFix2.txt 2012-08-20 03:35
ComboFix3.txt 2012-03-20 19:42
.
Pre-Run: 108,042,153,984 bytes free
Post-Run: 108,029,423,616 bytes free
.
- - End Of File - - 11EEB6121A096A2AF7C0E320192EE557

Thanks,

Tony

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:08 AM

Posted 21 August 2012 - 05:35 PM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

Adobe Reader 9.2
Java™ 6 Update 31


  • Please download and install Revo Uninstaller Free.
  • Double-click Revo Uninstaller to run it.
  • From the list of programs, double-click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done, click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot fewer resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • Click on the Free Java Download button.
  • Click on Agree and Start Free Download.
  • Click on Run.
  • Click on Run again.
  • Click on Install.
  • When the install is complete, click on Close.

Clean Out Temp Files

  • You may want to keep this small application and use it once a week to keep the computer clean.

    Download CCleaner from here: http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install the Yahoo toolbar, uncheck the box next to it.
  • Run CCleaner. (Make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Applications tab, all the boxes should be checked.)
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked (ticked) except items in the C:\System Volume Information folder, and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad, ...).

  • Go here to download the HijackThis installer.
  • Save the HijackThis installer to your desktop.
  • Double-click on the HijackThis installer icon on your desktop. (Vista and Win 7: right-click and Run as administrator.)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a log file button. It will scan, and the log should open in Notepad.
  • Click on Edit > Select All, then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University



