
TROJAN.GEN.2 is kicking me hard


  • This topic is locked
18 replies to this topic

#1 Coldham


Posted 21 August 2012 - 11:10 AM

Sent here from this post: http://www.bleepingcomputer.com/forums/topic465879.html/page__gopid__2813472#entry2813472

Windows 7 64bit.

Thanks much!


GMER produced a blank log

Here is DDS
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by BRUCE at 9:52:41 on 2012-08-21
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3958.1791 [GMT -5:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\SPBA\upeksvr.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe
D:\Program Files (x86)\Dell\Reader 2.1\DVMExportService.exe
C:\Program Files (x86)\Remote Backup\ExchangeBackupService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
C:\Program Files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE
C:\Program Files (x86)\Remote Backup\rbschedule.exe
C:\Program Files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSvcm.exe
C:\Program Files (x86)\SonicWALL\SSL-VPN\NetExtender\NEService64.exe
C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\Program Files\Dell\Dell System Manager\DCPSysMgrSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell\Dell System Manager\DCPSysMgr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Windows\system32\igfxext.exe
D:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\Symantec AntiVirus\VPTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k wcssvc
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://centralserviceassociatmicrosoftonlinecom-9.sharepoint.microsoftonline.com/default.aspx
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Lync Browser Helper: {31d09ba0-12f5-4cce-be8a-2923e76605da} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~4\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7725.1624\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
uRun: [Adobe Acrobat Synchronizer] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe"
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [DellBtrEvent] D:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe
mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [HPHUPD05] C:\Program Files (x86)\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
mRun: [HP Component Manager] "C:\Program Files (x86)\HP\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "C:\Program Files (x86)\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
mRun: [HPHmon05] C:\Windows\SysWOW64\hphmon05.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [vptray] C:\PROGRA~2\SYMANT~1\VPTray.exe
mRun: [<NO NAME>]
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\Users\BRUCE~1.CSA\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\BRUCE~1.CSA\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\REMOTE~1.LNK - C:\Program Files (x86)\Remote Backup\rbackup.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLSY~1.LNK - C:\Program Files (x86)\Dell\Dell System Manager\DCPSysMgr.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~4\Office14\ONBttnIE.dll/105
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://68.16.18.5/NELX.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.1.150.221 10.1.150.202
TCP: Interfaces\{68DFACDA-1BDC-4E77-A628-95AFFEA0E80E} : DhcpNameServer = 10.1.150.221 10.1.150.202
TCP: Interfaces\{68DFACDA-1BDC-4E77-A628-95AFFEA0E80E}\363716D347563686 : DhcpNameServer = 10.1.150.221 10.1.150.202
TCP: Interfaces\{68DFACDA-1BDC-4E77-A628-95AFFEA0E80E}\7554354513632303 : DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{FD272C42-31A1-401E-BFCB-6BA6108D3127} : DhcpNameServer = 10.1.150.221 10.1.150.202
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~4\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
BHO-X64: Lync add-on BHO - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~4\Office14\GROOVEEX.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7725.1624\swg.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [DellBtrEvent] D:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe
mRun-x64: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun-x64: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun-x64: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [HPHUPD05] C:\Program Files (x86)\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
mRun-x64: [HP Component Manager] "C:\Program Files (x86)\HP\hpcoretech\hpcmpmgr.exe"
mRun-x64: [HP Software Update] "C:\Program Files (x86)\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
mRun-x64: [HPHmon05] C:\Windows\SysWOW64\hphmon05.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun-x64: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey
mRun-x64: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun-x64: [vptray] C:\PROGRA~2\SYMANT~1\VPTray.exe
mRun-x64: [(Default)]
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~4\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R0 stdflt;Disk Filter Driver for Accelerometer;C:\Windows\system32\DRIVERS\stdfltn.sys --> C:\Windows\system32\DRIVERS\stdfltn.sys [?]
R1 DVMIO;DVMIO;D:\Program Files (x86)\Dell\Reader 2.1\dvmio_x64.sys [2010-5-4 20624]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-3-26 89600]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2010-10-28 1035680]
R2 Credential Vault Host Storage;Credential Vault Host Storage;C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2010-10-28 36768]
R2 dcpsysmgrsvc;Dell System Manager Service;C:\Program Files\Dell\Dell System Manager\DCPSysMgrSvc.exe [2010-8-24 517488]
R2 DvmMDES;DeviceVM Meta Data Export Service;D:\Program Files (x86)\Dell\Reader 2.1\DVMExportService.exe [2010-5-4 327680]
R2 Exchange Backup Agent;Exchange Backup Agent;C:\Program Files (x86)\Remote Backup\ExchangeBackupService.exe [2011-5-3 30096]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-3-26 13336]
R2 InstallFilterService;FF Install Filter Service;C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [2011-3-26 60928]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-8-20 655944]
R2 msoidsvc;Microsoft Online Services Sign-in Assistant;C:\Program Files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE [2011-9-28 2078112]
R2 rbScheduler;Remote Backup Scheduler;C:\Program Files (x86)\Remote Backup\rbSchedule.exe [2011-5-3 157072]
R2 risdpcie;risdpcie;C:\Windows\system32\DRIVERS\risdpe64.sys --> C:\Windows\system32\DRIVERS\risdpe64.sys [?]
R2 Symantec AntiVirus;Symantec AntiVirus;C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe [2006-12-13 1962136]
R2 uvnc_service;uvnc_service;C:\Program Files\UltraVNC\winvnc.exe [2011-4-28 1793976]
R3 Acceler;Accelerometer Service;C:\Windows\system32\DRIVERS\Accelern.sys --> C:\Windows\system32\DRIVERS\Accelern.sys [?]
R3 cvusbdrv;Dell ControlVault;C:\Windows\system32\Drivers\cvusbdrv.sys --> C:\Windows\system32\Drivers\cvusbdrv.sys [?]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-15 138912]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 NxDrv;SonicWALL NetExtender Adapter;C:\Windows\system32\DRIVERS\NxDrv.sys --> C:\Windows\system32\DRIVERS\NxDrv.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-4-19 136176]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-12 250056]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-4-19 136176]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
S3 nosGetPlusHelper;getPlus® Helper 3004;C:\Windows\System32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 rimspci;rimspci;C:\Windows\system32\DRIVERS\rimspe64.sys --> C:\Windows\system32\DRIVERS\rimspe64.sys [?]
S3 rixdpcie;rixdpcie;C:\Windows\system32\DRIVERS\rixdpe64.sys --> C:\Windows\system32\DRIVERS\rixdpe64.sys [?]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWow64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-08-20 16:38:39 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-08-20 16:38:39 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-17 21:50:43 -------- d-----w- C:\FRST
2012-08-13 14:21:17 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\{AEA303CF-445D-47C0-B41B-503148B287E3}
2012-08-13 14:21:03 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\{C879E55C-52EF-4310-8BC8-03BF333F1475}
2012-08-08 14:03:12 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Roaming\Malwarebytes
2012-08-07 20:58:56 -------- d-----w- C:\Windows\en
2012-08-07 20:56:53 19720 ----a-w- C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-08-07 20:54:00 89944 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\c5217c151cd74de01\DSETUP.dll
2012-08-07 20:54:00 537432 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\c5217c151cd74de01\DXSETUP.exe
2012-08-07 20:54:00 1801048 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\c5217c151cd74de01\dsetup32.dll
2012-08-07 20:54:00 15712 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\c578ed221cd74de02\MeshBetaRemover.exe
2012-08-07 20:53:47 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\{89BFDD1F-BF1C-4D2D-8875-AAD0A73260F2}
2012-08-07 20:53:38 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\{DD56FC76-E935-48DD-BD23-76DA79B53ED0}
2012-08-07 20:53:29 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\{0823F2F8-E4CD-4F94-9F2A-14AA3D9534E4}
2012-08-07 20:53:19 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\{E053A83C-647C-4D2A-ABA3-52558F2591B8}
2012-08-07 20:53:10 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\{C56FF3D6-A25B-43EF-A1E8-61A58C621881}
2012-08-07 20:53:01 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\{B6EC43AA-01F0-4E42-90C7-69D069A4F244}
2012-08-07 20:52:51 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\{164B40AF-1ED2-4185-8305-57BC921B2D19}
2012-08-07 20:52:41 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\{6B44C363-48B1-4F7E-A818-336742BED3AB}
2012-08-07 20:52:32 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\{6075B58F-04FA-468B-81B4-3E03EFB30CB3}
2012-08-07 20:52:22 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\{1B97E232-30EA-44FC-B703-0EF28FBFDE8B}
2012-08-07 20:52:12 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\{8EEDF356-6ABC-44BB-BE01-FF489D06649D}
2012-08-06 20:33:10 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\{88D31A23-6D7A-4A6F-B053-9F2C7D6271F0}
2012-08-06 20:30:38 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\{8EF97472-8C50-43F5-8573-FCB6A2B041AF}
2012-08-06 14:56:22 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-02 16:04:40 156008 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2012-08-02 16:04:40 -------- d-----w- C:\Program Files\Symantec
2012-08-02 16:04:35 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2012-08-02 16:04:30 -------- d-----w- C:\Program Files (x86)\Symantec AntiVirus
2012-07-30 16:16:03 -------- d-----w- C:\Program Files (x86)\ESET
2012-07-30 15:33:05 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\temp
2012-07-30 13:42:44 98816 ----a-w- C:\Windows\sed.exe
2012-07-30 13:42:44 518144 ----a-w- C:\Windows\SWREG.exe
2012-07-30 13:42:44 256000 ----a-w- C:\Windows\PEV.exe
2012-07-30 13:42:44 208896 ----a-w- C:\Windows\MBR.exe
2012-07-29 19:07:39 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\CrashDumps
2012-07-27 14:13:34 -------- d-----w- C:\ProgramData\Malwarebytes
2012-07-27 13:36:29 -------- d-----w- C:\Users\bruce.CSASTAFF1\AppData\Local\NPE
2012-07-27 13:36:29 -------- d-----w- C:\ProgramData\Norton
.
==================== Find3M ====================
.
2012-08-15 13:14:10 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-15 13:14:10 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-04 22:13:27 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-07-04 22:13:27 136704 ----a-w- C:\Windows\System32\browser.dll
2012-07-04 21:14:34 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-06-27 07:06:53 1188864 ----a-w- C:\Windows\System32\wininet.dll
2012-06-27 05:53:07 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-27 04:53:10 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-27 04:10:55 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-16 05:16:04 609792 ----a-w- C:\Windows\System32\vbscript.dll
2012-06-16 04:26:57 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-06-06 13:49:52 1070152 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 20:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 20:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
.
============= FINISH: 9:52:57.99 ===============
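As an added example (not from the poster, the helper, or the DDS tool itself), a small Python parser for the shape of the "Pseudo HJT Report" section in the log above, with the first-pass checks a log reviewer makes by hand: autorun entries with no command, DPF (ActiveX download) entries whose host is a bare IP, and components registered with no file on disk. The sample lines are constructed from the log above and abbreviated; the regexes and flag labels are my assumptions about the format, not DDS's documented grammar.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in the shape of the DDS "Pseudo HJT Report" section above:
# a few representative lines taken from that log, not the whole section.
SAMPLE_REPORT = r"""
uStart Page = https://centralserviceassociatmicrosoftonlinecom-9.sharepoint.microsoftonline.com/default.aspx
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [<NO NAME>]
mRun-x64: [(Default)]
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://68.16.18.5/NELX.cab
BHO-X64: AcroIEHelperStub - No File
"""

@dataclass
class Entry:
    kind: str                                   # "BHO", "mRun", "DPF", ...
    name: str                                   # display name, Run value name or CLSID
    target: str                                 # file path, command line, URL or "No File"
    flags: list = field(default_factory=list)   # triage notes for a human reviewer

# Line shapes assumed from the log above (an assumption, not DDS's documented grammar).
RUN_RE = re.compile(r'^(?P<kind>[um]Run(?:-x64)?): \[(?P<name>[^\]]*)\](?: (?P<target>.*))?$')
COM_RE = re.compile(r'^(?P<kind>(?:BHO|TB|SEH)(?:-X64)?): (?P<name>.+?): \{[0-9A-Fa-f-]+\} - (?P<target>.+)$')
NOFILE_RE = re.compile(r'^(?P<kind>[A-Za-z0-9-]+): (?P<name>.+?) - No File$')
DPF_RE = re.compile(r'^DPF: \{(?P<name>[0-9A-Fa-f-]+)\} - (?P<target>\S+)$')
RUN_KINDS = ('uRun', 'mRun', 'uRun-x64', 'mRun-x64')

def refang(url: str) -> str:
    """DDS writes URLs defanged as hxxp:// or hxxps://; restore the scheme so
    urlparse can extract the host. The URL is only parsed here, never fetched."""
    return re.sub(r'^hxxp(s?)://', r'http\1://', url, flags=re.IGNORECASE)

def is_bare_ip(host: str) -> bool:
    """True when the host part is a literal IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def parse_line(line: str):
    """Turn one report line into an Entry, or None for line types not modelled here."""
    m = RUN_RE.match(line)
    if m:
        return Entry(m['kind'], m['name'], (m['target'] or '').strip())
    m = COM_RE.match(line)
    if m:
        return Entry(m['kind'], m['name'], m['target'].strip())
    m = NOFILE_RE.match(line)
    if m:
        return Entry(m['kind'], m['name'], 'No File')
    m = DPF_RE.match(line)
    if m:
        return Entry('DPF', m['name'], m['target'])
    return None

def triage(entry: Entry) -> Entry:
    """Attach the first-pass observations a reviewer would otherwise make by hand."""
    if entry.kind in RUN_KINDS and not entry.target:
        entry.flags.append('autorun entry with no command')
    if entry.kind == 'DPF':
        host = urlparse(refang(entry.target)).hostname or ''
        if is_bare_ip(host):
            entry.flags.append('ActiveX (DPF) download from a bare IP address')
    if entry.target == 'No File':
        entry.flags.append('component registered but its file is missing')
    return entry

def parse_report(text: str) -> list:
    """Parse every modelled line of a Pseudo HJT Report section and triage it."""
    entries = []
    for raw in text.splitlines():
        entry = parse_line(raw.strip())
        if entry is not None:
            entries.append(triage(entry))
    return entries

def flagged(text: str) -> dict:
    """Map entry name -> flags, for entries that earned at least one flag."""
    return {e.name: e.flags for e in parse_report(text) if e.flags}

if __name__ == '__main__':
    for name, notes in flagged(SAMPLE_REPORT).items():
        print(f'{name}: {"; ".join(notes)}')
```

The flags are prompts for a closer look, not verdicts: an empty Run value or an orphaned BHO is often just leftover from an uninstall, which is exactly why a reviewer reads the whole log rather than acting on one line.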


#2 gringo_pr

  • Malware Response Team

Posted 22 August 2012 - 10:36 PM

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash-drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First, press the Scan button.
  • It will make a log (FRST.txt).
  • Second, type the following in the edit box after "Search:": services.exe
  • Click the Search button.
  • It will make a log (Search.txt).
I want you to post both the FRST.txt report and the Search.txt into your reply to me.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
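The FRST.txt report requested above lists each autostart entry on one line: registry hive and key (or service start type), value name, command, file size and date, and publisher, or "[x]" when the file is missing. As an added example, not part of this thread or of FRST itself, here is a small Python triage parser for those lines; the sample log lines are constructed in FRST's format, and the "user.EXAMPLE" profile and "updater" entry are hypothetical.

```python
"""Triage parser for the autostart sections of a Farbar Recovery Scan Tool
(FRST) log: the "Registry (Whitelisted)" Run/RunOnce lines and the
"Services"/"Drivers" lines.  Added example; not FRST's own code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# HKLM\...\Run: [Name] <command> [size date] (Company)    or    ... [x]
RUN_RE = re.compile(
    r"^(?P<hive>HKLM(?:-x32)?|HKU\\[^\\]+)\\\.\.\.\\(?P<key>RunOnce|Run): "
    r"\[(?P<name>[^\]]*)\] (?P<rest>.*)$"
)
# <start type> <service or driver name>; <command> [size date] (Company) or ... [x]
SVC_RE = re.compile(r"^(?P<start>[0-4]) (?P<name>[^;]+); (?P<rest>.*)$")
# trailing "[size date] (Company)" block; FRST prints "()" when there is no publisher
TAIL_RE = re.compile(
    r"^(?P<cmd>.*?)\s*\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] "
    r"\((?P<company>[^)]*)\)$"
)
MISSING_RE = re.compile(r"^(?P<cmd>.*?)\s*\[x\]$")   # file not found on disk


@dataclass
class Entry:
    kind: str                 # "run" or "service"
    location: str             # hive\key, or service start type
    name: str
    command: str
    size: Optional[int]       # None when FRST reported [x]
    date: Optional[str]
    company: Optional[str]    # "" when FRST printed an empty "()"
    flags: List[str] = field(default_factory=list)


def _split_tail(rest: str):
    """Return (command, size, date, company) from the part after the name."""
    m = TAIL_RE.match(rest)
    if m:
        return m["cmd"], int(m["size"]), m["date"], m["company"]
    m = MISSING_RE.match(rest)
    if m:
        return m["cmd"], None, None, None
    raise ValueError(f"unrecognised FRST entry tail: {rest!r}")


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one Run/RunOnce or service line; return None for any other line."""
    m = RUN_RE.match(line)
    if m:
        cmd, size, date, company = _split_tail(m["rest"])
        return Entry("run", f"{m['hive']}\\{m['key']}", m["name"], cmd, size, date, company)
    m = SVC_RE.match(line)
    if m:
        cmd, size, date, company = _split_tail(m["rest"])
        return Entry("service", f"start={m['start']}", m["name"], cmd, size, date, company)
    return None


def triage(entry: Entry) -> Entry:
    """Attach the flags a helper looks at first; they are prompts to inspect
    an entry more closely, not verdicts."""
    if entry.size is None:
        entry.flags.append("file-missing")          # FRST printed [x]
    if entry.kind == "run" and not entry.name:
        entry.flags.append("empty-value-name")      # e.g. "Run: [] [x]"
    if entry.company == "":
        entry.flags.append("no-publisher")
    if re.search(r"\\AppData\\|\\Temp\\", entry.command, re.IGNORECASE):
        entry.flags.append("user-writable-path")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse every recognised autostart line and return the flagged ones."""
    flagged = []
    for line in text.splitlines():
        e = parse_entry(line.strip())
        if e is not None and triage(e).flags:
            flagged.append(e)
    return flagged


# Constructed sample in FRST's line format (the HKU profile and "updater" are hypothetical).
SAMPLE_LOG = r"""
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [391024 2010-05-12] (Alps Electric Co., Ltd.)
HKLM-x32\...\Run: [DellBtrEvent] D:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe [x]
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM-x32\...\Run: [] [x]
HKU\user.EXAMPLE\...\RunOnce: [updater] "C:\Users\user\AppData\Local\Temp\upd.exe" -quiet [39408 2012-04-19] ()
2 uvnc_service; "C:\Program Files\UltraVNC\WinVNC.exe" -service [1793976 2009-12-06] (UltraVNC)
2 DvmMDES; "C:\Program Files (x86)\Dell\Reader 2.1\DVMExportService.exe" [x]
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.kind:7} {e.name or '<no name>':18} {', '.join(e.flags):35} {e.command}")
```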

#3 Coldham (Topic Starter, Members, 14 posts)

Posted 23 August 2012 - 10:43 AM

Scan result of Farbar Recovery Scan Tool Version: 22-08-2012 02
Ran by SYSTEM at 23-08-2012 10:33:50
Running from G:\
Windows 7 Ultimate Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [391024 2010-05-12] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-05-26] (IDT, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5712896 2010-02-02] (Dell Inc.)
HKLM\...\Run: [SonicWALLNetExtender] C:\Program Files (x86)\SonicWALL\SSL-VPN\NetExtender\NEGui.exe -hideGUI -clearReboot [1103744 2010-04-01] (SonicWALL Inc.)
HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1680976 2010-10-28] (Logitech, Inc.)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [DellBtrEvent] D:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe [x]
HKLM-x32\...\Run: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [87336 2009-07-06] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [50472 2010-04-29] (CyberLink Corp.)
HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [HPHUPD05] C:\Program Files (x86)\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe [49152 2005-07-07] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Component Manager] "C:\Program Files (x86)\HP\hpcoretech\hpcmpmgr.exe" [241664 2003-12-22] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HP Software Update] "C:\Program Files (x86)\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [49152 2003-12-05] (Hewlett-Packard)
HKLM-x32\...\Run: [HPHmon05] C:\Windows\SysWOW64\hphmon05.exe [491520 2005-07-07] (Hewlett-Packard)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36800 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [823224 2012-07-27] (Adobe Systems Inc.)
HKLM-x32\...\Run: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey [12099672 2012-06-11] (Microsoft Corporation)
HKLM-x32\...\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe" [107112 2006-12-07] (Symantec Corporation)
HKLM-x32\...\Run: [vptray] C:\PROGRA~2\SYMANT~1\VPTray.exe [134808 2006-12-13] (Symantec Corporation)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKU\admin\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\admin.clarkb\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-04-19] (Google Inc.)
HKU\bruce.CSASTAFF1\...\Run: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [719672 2012-01-20] (Microsoft Corporation)
HKU\bruce.CSASTAFF1\...\Run: [Adobe Acrobat Synchronizer] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [1261512 2012-07-27] (Adobe Systems Incorporated)
HKU\bruce.CSASTAFF1\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-04-19] (Google Inc.)
HKU\bruce.CSASTAFF1\...\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe -update activex [39408 2012-04-19] (Google Inc.)
HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.1.150.221 10.1.150.202
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Dell System Manager.lnk
ShortcutTarget: Dell System Manager.lnk -> C:\Program Files\Dell\Dell System Manager\DCPSysMgr.exe (Dell Inc.)
Startup: C:\Users\bruce.CSASTAFF1\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\bruce.CSASTAFF1\Start Menu\Programs\Startup\Remote Backup.lnk
ShortcutTarget: Remote Backup.lnk -> C:\Program Files (x86)\Remote Backup\rbackup.exe (Remote Backup Systems)

==================== Services (Whitelisted) ======

2 ccEvtMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [107624 2006-12-07] (Symantec Corporation)
2 ccSetMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [107624 2006-12-07] (Symantec Corporation)
2 DefWatch; "C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe" [30872 2006-12-13] (Symantec Corporation)
2 Exchange Backup Agent; C:\Program Files (x86)\Remote Backup\ExchangeBackupService.exe [30096 2010-07-08] (Remote Backup Systems)
2 InstallFilterService; C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [60928 2010-01-10] ()
3 LiveUpdate; "C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE" [2541248 2006-10-31] (Symantec Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 msoidsvc; "C:\Program Files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE" [2078112 2011-09-28] (Microsoft Corp.)
3 nosGetPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll [53248 2011-03-29] (NOS Microsystems Ltd.)
2 rbScheduler; C:\Program Files (x86)\Remote Backup\rbschedule.exe [157072 2010-07-08] (Remote Backup Systems, Inc)
2 SONICWALL_NetExtender; C:\Program Files (x86)\SonicWALL\SSL-VPN\NetExtender\NEService64.exe [498560 2010-04-01] (SonicWALL Inc.)
3 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74392 2010-11-08] (MicroVision Development, Inc.)
2 Symantec AntiVirus; "C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe" [1962136 2006-12-13] (Symantec Corporation)
2 tcsd_win32.exe; "C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe" [1629696 2010-07-13] ()
2 uvnc_service; "C:\Program Files\UltraVNC\WinVNC.exe" -service [1793976 2009-12-06] (UltraVNC)
2 DvmMDES; "C:\Program Files (x86)\Dell\Reader 2.1\DVMExportService.exe" [x]

========================== Drivers (Whitelisted) =============

3 e1kexpress; C:\Windows\System32\DRIVERS\e1k62x64.sys [301232 2010-04-06] (Intel Corporation)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-07-31] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-07-31] (Symantec Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
3 NAVENG; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20120822.002\ENG64.SYS [125600 2012-08-07] (Symantec Corporation)
3 NAVEX15; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20120822.002\EX64.SYS [2084000 2012-08-07] (Symantec Corporation)
3 NxDrv; C:\Windows\System32\Drivers\NxDrv.sys [24264 2009-10-21] (SonicWALL Inc.)
1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [394600 2006-11-22] (Symantec Corporation)
3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [426392 2006-11-22] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [30104 2006-11-22] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [156008 2012-08-02] (Symantec Corporation)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
1 DVMIO; \??\D:\Program Files (x86)\Dell\Reader 2.1\dvmio_x64.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-21 07:48 - 2012-08-21 07:48 - 00020480 ____A C:\Users\bruce.CSASTAFF1\Documents\Dwane's phone number report.xls
2012-08-21 06:50 - 2012-08-21 06:50 - 00011185 ____A C:\Users\bruce.CSASTAFF1\Desktop\Book1.xlsx
2012-08-20 11:06 - 2012-08-20 11:06 - 00002458 ____A C:\Users\bruce.CSASTAFF1\Desktop\Rkill.txt
2012-08-20 11:00 - 2012-08-20 11:01 - 00000751 ____A C:\AdwCleaner[S1].txt
2012-08-20 08:38 - 2012-08-20 08:38 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-20 08:38 - 2012-08-20 08:38 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-20 08:38 - 2012-07-03 10:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-17 13:50 - 2012-08-17 13:50 - 00000000 ____D C:\FRST
2012-08-15 01:25 - 2012-07-18 10:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-15 01:25 - 2012-07-04 14:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-15 01:25 - 2012-07-04 14:13 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-15 01:25 - 2012-07-04 14:13 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-15 01:25 - 2012-07-04 13:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-08-15 01:25 - 2012-07-04 13:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-08-15 01:25 - 2012-06-26 23:06 - 01494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-15 01:25 - 2012-06-26 23:06 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-15 01:25 - 2012-06-26 23:06 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-15 01:25 - 2012-06-26 23:03 - 09059840 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-15 01:25 - 2012-06-26 23:03 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-15 01:25 - 2012-06-26 23:03 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-15 01:25 - 2012-06-26 23:02 - 12297216 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-15 01:25 - 2012-06-26 23:02 - 02453504 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-15 01:25 - 2012-06-26 23:02 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-15 01:25 - 2012-06-26 23:02 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-15 01:25 - 2012-06-26 21:53 - 01231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-15 01:25 - 2012-06-26 21:53 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-15 01:25 - 2012-06-26 21:53 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-15 01:25 - 2012-06-26 21:51 - 06027776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-15 01:25 - 2012-06-26 21:51 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-15 01:25 - 2012-06-26 21:51 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-15 01:25 - 2012-06-26 21:50 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-15 01:25 - 2012-06-26 21:50 - 02073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-15 01:25 - 2012-06-26 21:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-15 01:25 - 2012-06-26 21:50 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-15 01:25 - 2012-06-26 20:53 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-15 01:25 - 2012-06-26 20:10 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-15 01:25 - 2012-06-15 21:16 - 00609792 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-15 01:25 - 2012-06-15 21:15 - 00911360 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-15 01:25 - 2012-06-15 20:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-15 01:25 - 2012-06-15 20:26 - 00428032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-15 01:25 - 2012-05-13 21:26 - 00956928 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-15 01:25 - 2012-05-05 00:36 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2012-08-15 01:25 - 2012-05-04 23:46 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2012-08-15 01:25 - 2012-02-10 22:43 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2012-08-15 01:25 - 2012-02-10 22:36 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2012-08-15 01:25 - 2012-02-10 22:36 - 00067072 ____A (Microsoft Corporation) C:\Windows\splwow64.exe
2012-08-15 01:25 - 2012-02-10 21:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2012-08-13 06:21 - 2012-08-13 06:21 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\{C879E55C-52EF-4310-8BC8-03BF333F1475}
2012-08-13 06:21 - 2012-08-13 06:21 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\{AEA303CF-445D-47C0-B41B-503148B287E3}
2012-08-08 06:03 - 2012-08-08 06:03 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Roaming\Malwarebytes
2012-08-08 06:02 - 2012-08-08 06:02 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\bruce.CSASTAFF1\Desktop\mbam-setup-1.62.0.1300.exe
2012-08-08 05:24 - 2012-08-08 05:24 - 00880649 ____A C:\Users\bruce.CSASTAFF1\AppData\Local\census.cache
2012-08-08 05:22 - 2012-08-08 05:22 - 00138848 ____A C:\Users\bruce.CSASTAFF1\AppData\Local\ars.cache
2012-08-08 05:11 - 2012-08-08 05:11 - 00000036 ____A C:\Users\bruce.CSASTAFF1\AppData\Local\housecall.guid.cache
2012-08-07 12:58 - 2012-08-07 12:58 - 00000000 ____D C:\Windows\en
2012-08-07 12:53 - 2012-08-07 12:53 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\{E053A83C-647C-4D2A-ABA3-52558F2591B8}
2012-08-07 12:53 - 2012-08-07 12:53 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\{DD56FC76-E935-48DD-BD23-76DA79B53ED0}
2012-08-07 12:53 - 2012-08-07 12:53 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\{C56FF3D6-A25B-43EF-A1E8-61A58C621881}
2012-08-07 12:53 - 2012-08-07 12:53 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\{B6EC43AA-01F0-4E42-90C7-69D069A4F244}
2012-08-07 12:53 - 2012-08-07 12:53 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\{89BFDD1F-BF1C-4D2D-8875-AAD0A73260F2}
2012-08-07 12:53 - 2012-08-07 12:53 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\{0823F2F8-E4CD-4F94-9F2A-14AA3D9534E4}
2012-08-07 12:52 - 2012-08-07 12:53 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\{164B40AF-1ED2-4185-8305-57BC921B2D19}
2012-08-07 12:52 - 2012-08-07 12:52 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\{8EEDF356-6ABC-44BB-BE01-FF489D06649D}
2012-08-07 12:52 - 2012-08-07 12:52 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\{6B44C363-48B1-4F7E-A818-336742BED3AB}
2012-08-07 12:52 - 2012-08-07 12:52 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\{6075B58F-04FA-468B-81B4-3E03EFB30CB3}
2012-08-07 12:52 - 2012-08-07 12:52 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\{1B97E232-30EA-44FC-B703-0EF28FBFDE8B}
2012-08-06 12:33 - 2012-08-06 12:33 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\{88D31A23-6D7A-4A6F-B053-9F2C7D6271F0}
2012-08-06 12:30 - 2012-08-06 12:30 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\{8EF97472-8C50-43F5-8573-FCB6A2B041AF}
2012-08-02 08:04 - 2012-08-02 08:05 - 00000000 ____D C:\Program Files\Symantec
2012-08-02 08:04 - 2012-08-02 08:04 - 00156008 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2012-08-02 08:04 - 2012-08-02 08:04 - 00008034 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2012-08-02 08:04 - 2012-08-02 08:04 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2012-08-02 08:04 - 2012-08-02 08:04 - 00000000 ____D C:\Program Files (x86)\Symantec AntiVirus
2012-07-30 10:52 - 2012-07-30 10:52 - 00000000 ___SD C:\Users\admin.clarkb\Documents\My Charts
2012-07-30 10:52 - 2012-07-30 10:52 - 00000000 ____D C:\Users\admin.clarkb\AppData\Roaming\OrgPlus6
2012-07-30 08:16 - 2012-07-30 08:16 - 00000000 ____D C:\Program Files (x86)\ESET
2012-07-30 05:42 - 2012-08-06 07:00 - 00000000 ____D C:\Qoobox
2012-07-30 05:42 - 2012-07-30 07:31 - 00000000 ____D C:\Windows\erdnt
2012-07-30 05:42 - 2012-07-30 05:42 - 00000000 ____D C:\Users\admin.clarkb\AppData\Local\CrashDumps
2012-07-30 05:42 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-07-30 05:42 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-07-30 05:42 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-07-30 05:42 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-07-30 05:42 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-07-30 05:42 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-07-30 05:42 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-07-30 05:42 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-07-30 05:41 - 2012-07-30 05:35 - 00000037 ____A C:\Users\admin.clarkb\Desktop\eset.txt
2012-07-29 11:07 - 2012-08-23 05:00 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\CrashDumps
2012-07-27 07:24 - 2012-07-27 07:37 - 00000000 ____D C:\Users\admin.clarkb\AppData\Local\NPE
2012-07-27 07:24 - 2012-07-26 05:13 - 02841104 ____A (Symantec Corporation) C:\Users\admin.clarkb\Desktop\NPE.exe
2012-07-27 06:14 - 2012-07-30 06:14 - 00000000 ____D C:\Users\admin.clarkb\AppData\Local\Google
2012-07-27 06:14 - 2012-07-27 06:14 - 00000000 ____D C:\Users\admin.clarkb\AppData\Roaming\Google
2012-07-27 06:13 - 2012-07-27 06:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-07-27 06:13 - 2012-07-27 06:13 - 00000000 ____D C:\Users\admin.clarkb\AppData\Roaming\Malwarebytes
2012-07-27 06:12 - 2012-07-30 08:14 - 00000000 ____D C:\Users\admin.clarkb\Tracing
2012-07-27 06:12 - 2012-07-27 06:12 - 00000000 ____D C:\Users\admin.clarkb\AppData\Local\Adobe
2012-07-27 06:11 - 2012-07-27 06:11 - 00000000 ____D C:\Users\admin.clarkb\AppData\Roaming\Logitech
2012-07-27 05:36 - 2012-07-27 07:24 - 00000000 ____D C:\Users\bruce.CSASTAFF1\AppData\Local\NPE
2012-07-27 05:36 - 2012-07-27 05:36 - 00000000 ____D C:\Users\All Users\Norton


============ 3 Months Modified Files ========================

2012-08-23 07:22 - 2011-04-27 13:55 - 00004174 _RASH C:\Users\All Users\ntuser.pol
2012-08-23 07:22 - 2011-04-27 07:56 - 00001408 ____A C:\Windows\System32\config\netlogon.ftl
2012-08-23 07:22 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-23 07:21 - 2009-07-13 20:51 - 00041240 ____A C:\Windows\setupact.log
2012-08-23 07:13 - 2009-07-13 21:10 - 02059500 ____A C:\Windows\WindowsUpdate.log
2012-08-23 06:44 - 2012-04-19 08:29 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-23 06:14 - 2012-04-12 05:03 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-23 05:44 - 2012-04-19 08:29 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-21 13:57 - 2009-07-13 20:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-21 13:57 - 2009-07-13 20:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-21 07:48 - 2012-08-21 07:48 - 00020480 ____A C:\Users\bruce.CSASTAFF1\Documents\Dwane's phone number report.xls
2012-08-21 06:50 - 2012-08-21 06:50 - 00011185 ____A C:\Users\bruce.CSASTAFF1\Desktop\Book1.xlsx
2012-08-20 11:06 - 2012-08-20 11:06 - 00002458 ____A C:\Users\bruce.CSASTAFF1\Desktop\Rkill.txt
2012-08-20 11:01 - 2012-08-20 11:00 - 00000751 ____A C:\AdwCleaner[S1].txt
2012-08-20 08:38 - 2012-08-20 08:38 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-20 06:32 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-17 10:07 - 2012-01-06 14:43 - 00002028 ____A C:\Users\Public\Desktop\Adobe Acrobat X Pro.lnk
2012-08-16 04:57 - 2009-07-13 20:45 - 00473832 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-16 04:55 - 2011-03-26 16:29 - 00101516 ____A C:\Windows\PFRO.log
2012-08-16 02:06 - 2012-03-13 05:55 - 00000039 ____A C:\Windows\vbaddin.ini
2012-08-16 02:00 - 2011-04-26 14:06 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-15 05:14 - 2012-04-12 05:02 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-15 05:14 - 2011-06-16 05:05 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-08 06:02 - 2012-08-08 06:02 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\bruce.CSASTAFF1\Desktop\mbam-setup-1.62.0.1300.exe
2012-08-08 05:24 - 2012-08-08 05:24 - 00880649 ____A C:\Users\bruce.CSASTAFF1\AppData\Local\census.cache
2012-08-08 05:22 - 2012-08-08 05:22 - 00138848 ____A C:\Users\bruce.CSASTAFF1\AppData\Local\ars.cache
2012-08-08 05:11 - 2012-08-08 05:11 - 00000036 ____A C:\Users\bruce.CSASTAFF1\AppData\Local\housecall.guid.cache
2012-08-07 12:55 - 2011-03-26 14:56 - 00199505 ____A C:\Windows\DirectX.log
2012-08-06 06:56 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-08-02 10:39 - 2011-05-03 05:40 - 00002000 ___AH C:\Users\bruce.CSASTAFF1\Documents\Default.rdp
2012-08-02 08:04 - 2012-08-02 08:04 - 00156008 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2012-08-02 08:04 - 2012-08-02 08:04 - 00008034 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2012-07-30 06:55 - 2009-07-13 18:34 - 83099648 ____A C:\Windows\System32\config\SOFTWARE.bak
2012-07-30 06:55 - 2009-07-13 18:34 - 16252928 ____A C:\Windows\System32\config\SYSTEM.bak
2012-07-30 06:55 - 2009-07-13 18:34 - 00524288 ____A C:\Windows\System32\config\DEFAULT.bak
2012-07-30 06:55 - 2009-07-13 18:34 - 00262144 ____A C:\Windows\System32\config\SECURITY.bak
2012-07-30 06:55 - 2009-07-13 18:34 - 00262144 ____A C:\Windows\System32\config\SAM.bak
2012-07-30 05:35 - 2012-07-30 05:41 - 00000037 ____A C:\Users\admin.clarkb\Desktop\eset.txt
2012-07-27 07:29 - 2009-07-13 21:08 - 00032634 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-27 06:12 - 2011-04-29 08:11 - 00126504 ____A C:\Users\admin.clarkb\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-26 05:13 - 2012-07-27 07:24 - 02841104 ____A (Symantec Corporation) C:\Users\admin.clarkb\Desktop\NPE.exe
2012-07-18 10:15 - 2012-08-15 01:25 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-10 07:20 - 2011-09-20 05:50 - 00014505 ____A C:\Users\bruce.CSASTAFF1\Desktop\Disk Profile Keys.xlsx
2012-07-04 14:16 - 2012-08-15 01:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 14:13 - 2012-08-15 01:25 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 14:13 - 2012-08-15 01:25 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 13:16 - 2012-08-15 01:25 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 13:14 - 2012-08-15 01:25 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-07-03 10:46 - 2012-08-20 08:38 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-26 23:06 - 2012-08-15 01:25 - 01494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-26 23:06 - 2012-08-15 01:25 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-26 23:06 - 2012-08-15 01:25 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-26 23:03 - 2012-08-15 01:25 - 09059840 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-26 23:03 - 2012-08-15 01:25 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-06-26 23:03 - 2012-08-15 01:25 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-26 23:02 - 2012-08-15 01:25 - 12297216 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-26 23:02 - 2012-08-15 01:25 - 02453504 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-26 23:02 - 2012-08-15 01:25 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-26 23:02 - 2012-08-15 01:25 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-26 21:53 - 2012-08-15 01:25 - 01231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-26 21:53 - 2012-08-15 01:25 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-26 21:53 - 2012-08-15 01:25 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-26 21:51 - 2012-08-15 01:25 - 06027776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-26 21:51 - 2012-08-15 01:25 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-06-26 21:51 - 2012-08-15 01:25 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-26 21:50 - 2012-08-15 01:25 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-26 21:50 - 2012-08-15 01:25 - 02073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-26 21:50 - 2012-08-15 01:25 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-26 21:50 - 2012-08-15 01:25 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-26 20:53 - 2012-08-15 01:25 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-26 20:10 - 2012-08-15 01:25 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-25 06:10 - 2011-04-27 13:17 - 00126504 ____A C:\Users\bruce.CSASTAFF1\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-15 21:16 - 2012-08-15 01:25 - 00609792 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-06-15 21:15 - 2012-08-15 01:25 - 00911360 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-15 20:26 - 2012-08-15 01:25 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-15 20:26 - 2012-08-15 01:25 - 00428032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-06-13 11:08 - 2011-11-29 09:06 - 00001011 ____A C:\Users\bruce.CSASTAFF1\Desktop\Dropbox.lnk
2012-06-12 11:45 - 2012-06-12 11:45 - 00000755 ____A C:\Users\bruce.CSASTAFF1\Desktop\HAR000-PPS-ENG-0001.pps - Shortcut.lnk
2012-06-08 21:43 - 2012-07-10 20:58 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-10 20:57 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-06 05:49 - 2012-06-06 05:49 - 01070152 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
2012-06-05 22:06 - 2012-07-10 20:58 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-10 20:58 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-10 20:57 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-10 20:58 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-10 20:58 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-10 20:57 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-18 17:42 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-18 17:42 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-18 17:42 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-18 17:42 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-18 17:42 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-18 17:42 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-18 17:42 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-18 17:42 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:15 - 2012-06-18 17:42 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 21:50 - 2012-07-10 20:57 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-10 20:57 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-10 20:57 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-10 20:57 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-10 20:57 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-10 20:57 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-10 20:57 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-10 20:57 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-10 20:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 3957.83 MB
Available physical RAM: 3280.05 MB
Total Pagefile: 3956.03 MB
Available Pagefile: 3285.37 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:230.11 GB) (Free:157.84 GB) NTFS
2 Drive d: (READER) (Fixed) (Total:2 GB) (Free:1.55 GB) NTFS
3 Drive f: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.17 GB) (Free:0 GB) UDF
4 Drive g: (SILVER) (Removable) (Total:3.72 GB) (Free:3.72 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (RECOVERY) (Fixed) (Total:0.74 GB) (Free:0.51 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 1024 KB
Disk 1 Online 3819 MB 0 B
Disk 2 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 753 MB 40 MB
Partition 3 Primary 230 GB 793 MB
Partition 0 Extended 2050 MB 230 GB
Partition 4 Logical 2049 MB 230 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 FAT Partition 39 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 753 MB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 230 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D READER NTFS Partition 2049 MB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3818 MB 64 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G SILVER FAT32 Removable 3818 MB Healthy

==================================================================================

Last Boot: 2012-08-16 21:37

======================= End Of Log ==========================


Farbar Recovery Scan Tool Version: 22-08-2012 02
Ran by SYSTEM at 2012-08-23 10:35:14
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\erdnt\cache64\services.exe
[2012-07-30 07:31] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

#4 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 August 2012 - 11:11 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 Coldham

  • Topic Starter

  • Members
  • 14 posts

Posted 23 August 2012 - 02:43 PM

What is the computer doing now?

Here is a slice of SAV detections activity today.

Risk Filename Risk Type Original Location Date
Trojan.Gen.2 DWHA564.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:06
Trojan.Gen.2 DWHEB39.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:09
Trojan.Gen.2 DWH3582.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:09
Trojan.Gen.2 DWH7FDA.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:09
Trojan.Gen.2 DWHCE28.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:10
Trojan.Gen.2 DWH1871.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:10
Trojan.Gen.2 DWH62B9.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:10
Trojan.Gen.2 DWHB107.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:11
Trojan.Gen.2 DWHFB50.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:11
Trojan.Gen.2 DWH4D65.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:11
Trojan.Gen.2 DWH9BA4.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:12
Trojan.Gen.2 DWHE9E2.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:12
Trojan.Gen.2 DWH342B.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:12
Trojan.Gen.2 DWH7E83.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:13
Trojan.Gen.2 DWHC8DB.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:13
Trojan.Gen.2 DWH170A.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:13
Trojan.Gen.2 DWH6152.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:14
Trojan.Gen.2 DWHAF91.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:14
Trojan.Gen.2 DWHF9DA.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:14
Trojan.Gen.2 DWH4432.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:15
Trojan.Gen.2 DWH9261.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:15
Trojan.Gen.2 DWHF42F.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:15
Trojan.Gen.2 DWH3E77.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:16
Trojan.Gen.2 DWH8CB6.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:16
Trojan.Gen.2 DWHDAE5.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:16
Trojan.Gen.2 DWH253D.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:17
Trojan.Gen.2 DWH6F85.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:17
Trojan.Gen.2 DWHB9CE.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:17
Trojan.Gen.2 DWH80C.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:18
Trojan.Gen.2 DWH563B.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:18
Trojan.Gen.2 DWHA084.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:18
Trojan.Gen.2 DWHEACC.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:19
Trojan.Gen.2 DWH3544.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:19
Trojan.Gen.2 DWH8373.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:19
Trojan.Gen.2 DWHC9D5.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:20
Trojan.Gen.2 DWH142D.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:20
Trojan.Gen.2 DWH625C.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:20
Trojan.Gen.2 DWHACA4.tmp File C:\Users\bruce.CSASTAFF1\AppData\Local\temp\ 8/23/2012 7:21

I have deleted the contents of the TEMP folder in an attempt to remove this virus, but it keeps coming back, like something else outside of TEMP is pulling the file down from somewhere else to the TEMP folder.



ComboFix 12-08-22.03 - BRUCE 08/23/2012 14:09:26.4.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3958.2073 [GMT -5:00]
Running from: G:\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-23 to 2012-08-23 )))))))))))))))))))))))))))))))
.
.
2012-08-23 19:14 . 2012-08-23 19:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-23 19:14 . 2012-08-23 19:14 -------- d-----w- c:\users\csaback\AppData\Local\temp
2012-08-23 19:14 . 2012-08-23 19:14 -------- d-----w- c:\users\csaadmin\AppData\Local\temp
2012-08-23 19:14 . 2012-08-23 19:14 -------- d-----w- c:\users\BRUCE~1~CSA\AppData\Local\temp
2012-08-23 19:14 . 2012-08-23 19:14 -------- d-----w- c:\users\bruce\AppData\Local\temp
2012-08-23 19:14 . 2012-08-23 19:14 -------- d-----w- c:\users\bruce.clarkb\AppData\Local\temp
2012-08-23 19:14 . 2012-08-23 19:14 -------- d-----w- c:\users\administrator\AppData\Local\temp
2012-08-23 19:14 . 2012-08-23 19:14 -------- d-----w- c:\users\admin\AppData\Local\temp
2012-08-23 19:14 . 2012-08-23 19:14 -------- d-----w- c:\users\admin.CSASTAFF1\AppData\Local\temp
2012-08-23 19:14 . 2012-08-23 19:14 -------- d-----w- c:\users\admin.clarkb\AppData\Local\temp
2012-08-17 21:50 . 2012-08-17 21:50 -------- d-----w- C:\FRST
2012-08-08 14:03 . 2012-08-08 14:03 -------- d-----w- c:\users\bruce.CSASTAFF1\AppData\Roaming\Malwarebytes
2012-08-07 20:58 . 2012-08-07 20:58 -------- d-----w- c:\windows\en
2012-08-07 20:56 . 2012-08-07 20:56 19720 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-08-07 20:54 . 2012-08-07 20:54 89944 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\c5217c151cd74de01\DSETUP.dll
2012-08-07 20:54 . 2012-08-07 20:54 537432 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\c5217c151cd74de01\DXSETUP.exe
2012-08-07 20:54 . 2012-08-07 20:54 1801048 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\c5217c151cd74de01\dsetup32.dll
2012-08-07 20:54 . 2012-08-07 20:54 15712 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\c578ed221cd74de02\MeshBetaRemover.exe
2012-08-02 16:04 . 2012-08-02 16:05 -------- d-----w- c:\program files\Symantec
2012-08-02 16:04 . 2012-08-02 16:04 156008 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-08-02 16:04 . 2012-08-02 16:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-08-02 16:04 . 2012-08-02 16:04 -------- d-----w- c:\program files (x86)\Symantec AntiVirus
2012-07-30 18:52 . 2012-07-30 18:52 -------- d-----w- c:\users\admin.clarkb\AppData\Roaming\OrgPlus6
2012-07-30 16:16 . 2012-07-30 16:16 -------- d-----w- c:\program files (x86)\ESET
2012-07-30 15:33 . 2012-08-23 19:19 -------- d-----w- c:\users\bruce.CSASTAFF1\AppData\Local\temp
2012-07-30 13:42 . 2012-07-30 13:42 -------- d-----w- c:\users\admin.clarkb\AppData\Local\CrashDumps
2012-07-29 19:07 . 2012-08-23 13:00 -------- d-----w- c:\users\bruce.CSASTAFF1\AppData\Local\CrashDumps
2012-07-27 15:24 . 2012-07-27 15:37 -------- d-----w- c:\users\admin.clarkb\AppData\Local\NPE
2012-07-27 14:14 . 2012-07-30 14:14 -------- d-----w- c:\users\admin.clarkb\AppData\Local\Google
2012-07-27 14:13 . 2012-07-27 14:13 -------- d-----w- c:\users\admin.clarkb\AppData\Roaming\Malwarebytes
2012-07-27 14:13 . 2012-07-27 14:13 -------- d-----w- c:\programdata\Malwarebytes
2012-07-27 14:12 . 2012-07-30 16:14 -------- d-----w- c:\users\admin.clarkb\Tracing
2012-07-27 14:12 . 2012-07-27 14:12 -------- d-----w- c:\users\admin.clarkb\AppData\Local\Adobe
2012-07-27 14:11 . 2012-07-27 14:11 -------- d-----w- c:\users\admin.clarkb\AppData\Roaming\Logitech
2012-07-27 13:36 . 2012-07-27 15:24 -------- d-----w- c:\users\bruce.CSASTAFF1\AppData\Local\NPE
2012-07-27 13:36 . 2012-07-27 13:36 -------- d-----w- c:\programdata\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-16 10:00 . 2011-04-26 22:06 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-08-15 13:14 . 2012-04-12 13:02 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-15 13:14 . 2011-06-16 13:05 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-09 05:43 . 2012-07-11 04:58 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 13:49 . 2012-06-06 13:49 1070152 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-06-06 06:06 . 2012-07-11 04:58 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-11 04:58 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-11 04:57 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-11 04:58 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-11 04:58 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-11 04:57 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-06-02 22:19 . 2012-06-19 01:42 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-19 01:42 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-19 01:42 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-19 01:42 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 01:42 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-19 01:42 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-19 01:42 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-19 01:42 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:15 . 2012-06-19 01:42 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 05:50 . 2012-07-11 04:57 458704 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 05:48 . 2012-07-11 04:57 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:48 . 2012-07-11 04:57 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:45 . 2012-07-11 04:57 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:44 . 2012-07-11 04:57 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 04:40 . 2012-07-11 04:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:40 . 2012-07-11 04:57 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:39 . 2012-07-11 04:57 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:34 . 2012-07-11 04:57 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-30_15.30.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-15 09:25 . 2012-05-05 07:46 43008 c:\windows\SysWOW64\srclient.dll
- 2009-07-13 23:23 . 2009-07-14 01:16 43008 c:\windows\SysWOW64\srclient.dll
+ 2012-03-08 23:50 . 2012-03-08 23:50 49016 c:\windows\SysWOW64\sirenacm.dll
- 2010-11-10 07:54 . 2010-11-10 07:54 49016 c:\windows\SysWOW64\sirenacm.dll
+ 2012-08-15 09:25 . 2012-07-04 21:16 57344 c:\windows\SysWOW64\netapi32.dll
- 2012-06-13 08:24 . 2012-04-20 04:57 67584 c:\windows\SysWOW64\mshtmled.dll
+ 2012-08-15 09:25 . 2012-06-27 05:51 67584 c:\windows\SysWOW64\mshtmled.dll
- 2012-06-13 08:24 . 2012-05-15 03:03 68608 c:\windows\SysWOW64\migration\WininetPlugin.dll
+ 2012-08-15 09:25 . 2012-06-27 05:53 68608 c:\windows\SysWOW64\migration\WininetPlugin.dll
- 2012-06-13 08:24 . 2012-05-15 03:00 48128 c:\windows\SysWOW64\jsproxy.dll
+ 2012-08-15 09:25 . 2012-06-27 05:50 48128 c:\windows\SysWOW64\jsproxy.dll
+ 2006-11-22 21:17 . 2006-11-22 21:17 30104 c:\windows\SysWOW64\drivers\srtspx64.sys
- 2009-07-14 04:54 . 2012-07-30 12:01 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-08-23 12:03 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-08-23 12:03 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-07-30 12:01 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-23 12:03 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-07-30 12:01 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-04-29 15:58 . 2010-11-20 12:18 41984 c:\windows\SysWOW64\browcli.dll
+ 2012-08-15 09:25 . 2012-07-04 21:14 41984 c:\windows\SysWOW64\browcli.dll
+ 2011-03-26 22:41 . 2012-08-23 19:06 45784 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-23 19:06 34708 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-04-27 15:59 . 2012-08-23 19:06 11830 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1063663236-1276589662-1683584401-1015_UserData.bin
+ 2012-08-15 09:25 . 2012-07-04 22:16 73216 c:\windows\system32\netapi32.dll
- 2012-06-13 08:24 . 2012-04-20 05:42 97792 c:\windows\system32\mshtmled.dll
+ 2012-08-15 09:25 . 2012-06-27 07:03 97792 c:\windows\system32\mshtmled.dll
- 2012-06-13 08:24 . 2012-05-15 04:01 95232 c:\windows\system32\migration\WininetPlugin.dll
+ 2012-08-15 09:25 . 2012-06-27 07:06 95232 c:\windows\system32\migration\WininetPlugin.dll
+ 2012-08-15 09:25 . 2012-06-27 07:02 64512 c:\windows\system32\jsproxy.dll
- 2012-06-13 08:24 . 2012-05-15 03:59 64512 c:\windows\system32\jsproxy.dll
- 2009-07-14 05:30 . 2012-02-20 21:19 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2009-07-14 05:30 . 2012-08-16 10:22 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2011-07-13 15:15 . 2011-04-28 03:54 80384 c:\windows\system32\DriverStore\FileRepository\bth.inf_amd64_neutral_de0494b6391d872c\BTHUSB.SYS
+ 2009-07-14 00:06 . 2009-07-14 00:06 41984 c:\windows\system32\DriverStore\FileRepository\bth.inf_amd64_neutral_de0494b6391d872c\bthenum.sys
+ 2006-11-22 21:17 . 2006-11-22 21:17 30104 c:\windows\system32\drivers\srtspx64.sys
- 2011-04-26 20:40 . 2012-07-30 11:51 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-04-26 20:40 . 2012-08-23 10:25 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-04-26 20:40 . 2012-07-30 11:51 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-04-26 20:40 . 2012-08-23 10:25 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-07-30 11:51 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-23 10:25 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-08-15 09:25 . 2012-07-04 22:13 59392 c:\windows\system32\browcli.dll
- 2011-04-29 15:59 . 2010-11-20 13:25 67072 c:\windows\splwow64.exe
+ 2012-08-15 09:25 . 2012-02-11 06:36 67072 c:\windows\splwow64.exe
- 2009-07-14 04:46 . 2012-07-30 11:52 84704 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 04:46 . 2012-08-21 21:52 84704 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2011-04-26 22:09 . 2012-07-30 15:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-04-26 22:09 . 2012-08-23 19:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-04-26 22:09 . 2012-07-30 15:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-04-26 22:09 . 2012-08-23 19:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-08-07 20:54 . 2012-08-07 20:54 24576 c:\windows\Installer\657c4dd.msp
+ 2011-03-26 23:01 . 2011-03-26 23:01 56832 c:\windows\Installer\657c4d6.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 30720 c:\windows\Installer\657c4d1.msp
+ 2011-03-26 23:01 . 2011-03-26 23:01 74240 c:\windows\Installer\657c4cc.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 23552 c:\windows\Installer\657c4c7.msp
+ 2011-03-26 23:01 . 2011-03-26 23:01 29696 c:\windows\Installer\657c4c2.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 60416 c:\windows\Installer\657c4bc.msp
+ 2012-08-07 20:54 . 2012-08-07 20:54 29184 c:\windows\Installer\657c44e.msp
+ 2011-03-26 23:01 . 2011-03-26 23:01 67072 c:\windows\Installer\657c448.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 39936 c:\windows\Installer\657c285.msp
+ 2011-03-26 23:00 . 2011-03-26 23:00 74240 c:\windows\Installer\657c280.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 26112 c:\windows\Installer\657c277.msi
+ 2012-08-07 20:57 . 2012-08-07 20:57 80395 c:\windows\Installer\{E5B21F11-6933-4E0B-A25C-7963E3C07D11}\MsblIco.Exe
+ 2012-08-02 16:04 . 2012-08-02 16:04 25214 c:\windows\Installer\{A8D232A5-667B-44C5-AF79-BDFADBFD013B}\ARPPRODUCTICON.exe
- 2011-04-28 21:30 . 2011-04-28 21:30 25214 c:\windows\Installer\{A8D232A5-667B-44C5-AF79-BDFADBFD013B}\ARPPRODUCTICON.exe
+ 2012-03-13 13:55 . 2012-08-16 10:06 34144 c:\windows\Installer\{90140000-0057-0000-0000-0000000FF1CE}\oisicon.exe
- 2012-03-13 13:55 . 2012-07-12 10:05 34144 c:\windows\Installer\{90140000-0057-0000-0000-0000000FF1CE}\oisicon.exe
+ 2012-03-13 13:55 . 2012-08-16 10:06 43608 c:\windows\Installer\{90140000-0057-0000-0000-0000000FF1CE}\msouc.exe
+ 2012-03-07 17:12 . 2012-08-16 10:06 19296 c:\windows\Installer\{90140000-0057-0000-0000-0000000FF1CE}\cagicon.exe
- 2012-03-07 17:12 . 2012-07-12 10:05 19296 c:\windows\Installer\{90140000-0057-0000-0000-0000000FF1CE}\cagicon.exe
- 2011-05-03 20:56 . 2012-07-12 10:05 34144 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2011-05-03 20:56 . 2012-08-16 10:05 34144 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2011-05-03 20:56 . 2012-08-16 10:05 43608 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe
- 2011-05-03 20:56 . 2012-07-12 10:05 19296 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2011-05-03 20:56 . 2012-08-16 10:05 19296 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2012-08-07 21:23 . 2012-08-07 21:23 61440 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveWriter\6f2890f46db84bc57f09b9e898dcc0e2\WindowsLiveWriter.ni.exe
+ 2012-08-07 21:23 . 2012-08-07 21:23 80896 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\b139a1cda26d066860aaa83ff1f0ff91\WindowsLive.Writer.Passport.ni.dll
- 2011-05-06 21:46 . 2012-07-26 14:47 3130 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2011-05-06 21:46 . 2012-08-21 16:10 3130 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2012-07-27 14:12 . 2012-07-30 15:31 2782 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3582915596-4283593236-287707610-1003_UserData.bin
- 2012-07-30 15:03 . 2012-07-30 15:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-23 19:18 . 2012-08-23 19:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-30 15:03 . 2012-07-30 15:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-23 19:18 . 2012-08-23 19:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-08 23:37 . 2012-03-08 23:37 302448 c:\windows\WLXPGSS.SCR
- 2012-06-13 08:24 . 2012-05-15 03:03 981504 c:\windows\SysWOW64\wininet.dll
+ 2012-08-15 09:25 . 2012-06-27 05:53 981504 c:\windows\SysWOW64\wininet.dll
+ 2012-08-15 09:25 . 2012-02-11 05:43 492032 c:\windows\SysWOW64\win32spl.dll
- 2011-04-29 15:59 . 2010-11-20 12:21 492032 c:\windows\SysWOW64\win32spl.dll
- 2011-04-26 22:04 . 2011-02-18 05:43 428032 c:\windows\SysWOW64\vbscript.dll
+ 2012-08-15 09:25 . 2012-06-16 04:26 428032 c:\windows\SysWOW64\vbscript.dll
+ 2012-08-15 09:25 . 2012-06-27 05:53 132096 c:\windows\SysWOW64\url.dll
- 2012-06-13 08:24 . 2012-04-20 05:00 132096 c:\windows\SysWOW64\url.dll
- 2012-06-13 08:24 . 2012-04-20 04:57 627712 c:\windows\SysWOW64\msfeeds.dll
+ 2012-08-15 09:25 . 2012-06-27 05:51 627712 c:\windows\SysWOW64\msfeeds.dll
+ 2012-08-15 13:14 . 2012-08-15 13:14 686792 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe
+ 2012-08-15 13:14 . 2012-08-15 13:14 466632 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.dll
+ 2012-04-12 13:02 . 2012-08-15 13:14 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
- 2012-04-12 13:02 . 2012-07-27 18:14 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2011-03-29 01:31 . 2011-03-29 01:31 209280 c:\windows\SysWOW64\LIVESSP.DLL
+ 2012-08-15 09:25 . 2012-06-16 04:26 717824 c:\windows\SysWOW64\jscript.dll
- 2012-06-13 08:24 . 2012-04-20 04:56 176640 c:\windows\SysWOW64\ieui.dll
+ 2012-08-15 09:25 . 2012-06-27 05:50 176640 c:\windows\SysWOW64\ieui.dll
+ 2006-11-22 21:17 . 2006-11-22 21:17 426392 c:\windows\SysWOW64\drivers\srtspl64.sys
+ 2006-11-22 21:17 . 2006-11-22 21:17 394600 c:\windows\SysWOW64\drivers\srtsp64.sys
- 2011-04-29 15:59 . 2010-11-20 13:27 751104 c:\windows\system32\win32spl.dll
+ 2012-08-15 09:25 . 2012-02-11 06:43 751104 c:\windows\system32\win32spl.dll
+ 2011-04-26 21:58 . 2012-08-14 20:41 241424 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2012-08-15 09:25 . 2012-06-16 05:16 609792 c:\windows\system32\vbscript.dll
+ 2012-08-15 09:25 . 2012-06-27 07:06 134144 c:\windows\system32\url.dll
- 2012-06-13 08:24 . 2012-04-20 05:42 134144 c:\windows\system32\url.dll
+ 2012-08-15 09:25 . 2012-05-05 08:36 503808 c:\windows\system32\srcore.dll
+ 2012-08-15 09:25 . 2012-02-11 06:36 559104 c:\windows\system32\spoolsv.exe
- 2011-04-29 15:59 . 2010-11-20 13:25 559104 c:\windows\system32\spoolsv.exe
+ 2009-07-14 02:36 . 2012-08-20 14:32 626024 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-07-27 14:13 626024 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-20 14:32 107358 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-07-27 14:13 107358 c:\windows\system32\perfc009.dat
- 2012-06-13 08:24 . 2012-04-20 05:42 735744 c:\windows\system32\msfeeds.dll
+ 2012-08-15 09:25 . 2012-06-27 07:03 735744 c:\windows\system32\msfeeds.dll
+ 2012-08-15 13:14 . 2012-08-15 13:14 417992 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_271_ActiveX.exe
+ 2012-08-15 13:14 . 2012-08-15 13:14 513224 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_271_ActiveX.dll
+ 2012-08-15 09:25 . 2012-05-14 05:26 956928 c:\windows\system32\localspl.dll
+ 2011-03-29 02:11 . 2011-03-29 02:11 252800 c:\windows\system32\LIVESSP.DLL
- 2010-09-21 19:49 . 2010-09-21 19:49 252800 c:\windows\system32\LIVESSP.DLL
+ 2012-08-15 09:25 . 2012-06-16 05:15 911360 c:\windows\system32\jscript.dll
+ 2012-08-15 09:25 . 2012-06-27 07:02 247808 c:\windows\system32\ieui.dll
- 2012-06-13 08:24 . 2012-04-20 05:42 247808 c:\windows\system32\ieui.dll
- 2009-07-14 04:45 . 2012-07-12 12:58 473832 c:\windows\system32\FNTCACHE.DAT
+ 2009-07-14 04:45 . 2012-08-16 12:57 473832 c:\windows\system32\FNTCACHE.DAT
- 2009-07-14 05:30 . 2012-02-20 21:19 143360 c:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 05:30 . 2012-08-16 10:22 143360 c:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 05:30 . 2012-08-16 10:22 143360 c:\windows\system32\DriverStore\infstor.dat
- 2009-07-14 05:30 . 2012-02-20 21:19 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2011-04-29 15:58 . 2010-11-20 13:24 229376 c:\windows\system32\DriverStore\FileRepository\bth.inf_amd64_neutral_de0494b6391d872c\fsquirt.exe
+ 2012-08-16 10:06 . 2012-07-06 20:07 552960 c:\windows\system32\DriverStore\FileRepository\bth.inf_amd64_neutral_de0494b6391d872c\bthport.sys
+ 2009-07-14 05:31 . 2012-08-16 10:22 399360 c:\windows\system32\DriverStore\drvindex.dat
- 2009-07-14 05:31 . 2011-08-24 13:15 399360 c:\windows\system32\DriverStore\drvindex.dat
+ 2006-11-22 21:17 . 2006-11-22 21:17 426392 c:\windows\system32\drivers\srtspl64.sys
+ 2006-11-22 21:17 . 2006-11-22 21:17 394600 c:\windows\system32\drivers\srtsp64.sys
+ 2012-08-15 09:25 . 2012-07-04 22:13 136704 c:\windows\system32\browser.dll
+ 2009-07-14 05:01 . 2012-08-23 19:15 429828 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-03-26 23:01 . 2011-03-26 23:01 153600 c:\windows\Installer\657c4b7.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 509952 c:\windows\Installer\657c4a0.msp
+ 2012-08-07 20:54 . 2012-08-07 20:54 635904 c:\windows\Installer\657c496.msp
+ 2012-08-07 20:54 . 2012-08-07 20:54 468480 c:\windows\Installer\657c46b.msp
+ 2012-08-07 20:54 . 2012-08-07 20:54 625664 c:\windows\Installer\657c45c.msp
+ 2012-08-07 20:54 . 2012-08-07 20:54 276480 c:\windows\Installer\657c421.msp
+ 2012-08-07 20:54 . 2012-08-07 20:54 205824 c:\windows\Installer\657c3cc.msp
+ 2011-03-26 23:01 . 2011-03-26 23:01 775168 c:\windows\Installer\657c3c3.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 715264 c:\windows\Installer\657c2da.msp
+ 2012-08-07 20:54 . 2012-08-07 20:54 136704 c:\windows\Installer\657c2bc.msp
+ 2011-03-26 23:01 . 2011-03-26 23:01 429056 c:\windows\Installer\657c2b7.msi
+ 2012-07-04 12:59 . 2012-07-04 12:59 261120 c:\windows\Installer\325b246f.msp
+ 2012-01-06 22:43 . 2012-08-17 18:07 335872 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000005}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
- 2012-01-06 22:43 . 2012-04-13 12:57 335872 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000005}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
- 2012-03-13 13:55 . 2012-07-12 10:05 571232 c:\windows\Installer\{90140000-0057-0000-0000-0000000FF1CE}\misc.exe
+ 2012-03-13 13:55 . 2012-08-16 10:06 571232 c:\windows\Installer\{90140000-0057-0000-0000-0000000FF1CE}\misc.exe
- 2011-05-03 20:56 . 2012-07-12 10:05 415584 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe
+ 2011-05-03 20:56 . 2012-08-16 10:05 415584 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2011-05-03 20:56 . 2012-07-12 10:05 303456 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2011-05-03 20:56 . 2012-08-16 10:05 303456 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2011-05-03 20:56 . 2012-08-16 10:05 571232 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2011-05-03 20:56 . 2012-07-12 10:05 571232 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2011-05-03 20:56 . 2012-07-12 10:05 326496 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe
+ 2011-05-03 20:56 . 2012-08-16 10:05 326496 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe
+ 2011-05-03 20:56 . 2012-08-16 10:05 470616 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe
- 2011-05-03 20:56 . 2012-07-12 10:05 470616 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe
- 2011-05-03 20:56 . 2012-07-12 10:05 178528 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe
+ 2011-05-03 20:56 . 2012-08-16 10:05 178528 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 686464 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JP2KLib.dll
+ 2012-01-03 07:37 . 2012-01-03 07:37 320456 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\adobearmhelper.exe
+ 2012-01-03 11:10 . 2012-01-03 11:10 942464 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\jp2klib.dll
+ 2010-10-25 21:13 . 2010-10-25 21:13 595344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AXSLE.dll
+ 2012-01-03 07:37 . 2012-01-03 07:37 320456 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\adobearmhelper.exe
+ 2011-01-07 15:38 . 2011-01-07 15:38 121208 c:\windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.6029\MSCONV97.DLL
+ 2012-08-07 21:23 . 2012-08-07 21:23 634368 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveLocal.Wr#\bdd46a26ce7bdf525935a8f749582f27\WindowsLiveLocal.WriterPlugin.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 891392 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\fde371df4eed408b0611b5746655803e\WindowsLive.Writer.HtmlEditor.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 780800 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\ebe797d14df7e907371da3a1662dab6f\WindowsLive.Writer.Controls.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 122368 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\e27dd50210bed6d2b453e9477146e1c9\WindowsLive.Writer.Extensibility.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 174080 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\d52eba13edf8fcdfeec4764164319c2c\WindowsLive.Writer.BrowserControl.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 665600 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\cb1ae89f088d0e74bd461cf5d3a32cf1\WindowsLive.Writer.Interop.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 871424 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\caeb427eec30805ba61d4d6a575a8a3a\WindowsLive.Writer.BlogClient.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 146432 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\7868ce7aef400105ccd415151a24053e\WindowsLive.Writer.Instrumentation.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 328192 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\76d1ee2da5d966f20e3ffa55b89c96f2\WindowsLive.Writer.Mshtml.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 156672 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\68e3097a2465cdbc3d61b919c309ce0a\WindowsLive.Writer.HtmlParser.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 326144 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\5b335503bc9b547e960407aee5c86cb3\WindowsLive.Writer.SpellChecker.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 119296 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\5a361ed04d214905d7213dd3a8d8e48e\WindowsLive.Writer.FileDestinations.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 101376 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\44b1907dd0854a35bde93fb53d1db776\WindowsLive.Writer.Api.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 374272 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\315bb426fe9c648562b1ead5e3cd989d\WindowsLive.Writer.Interop.Mshtml.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Client\3212bd156ec4eee886a0b48ec506e835\WindowsLive.Client.ni.dll
- 2012-06-13 08:24 . 2012-04-20 05:00 1231360 c:\windows\SysWOW64\urlmon.dll
+ 2012-08-15 09:25 . 2012-06-27 05:53 1231360 c:\windows\SysWOW64\urlmon.dll
+ 2012-08-15 09:25 . 2012-06-27 05:51 6027776 c:\windows\SysWOW64\mshtml.dll
- 2012-06-13 08:24 . 2012-04-20 04:57 6027776 c:\windows\SysWOW64\mshtml.dll
+ 2012-08-15 09:25 . 2012-06-27 05:50 2073600 c:\windows\SysWOW64\iertutil.dll
- 2012-06-13 08:24 . 2012-04-20 04:56 2073600 c:\windows\SysWOW64\iertutil.dll
+ 2012-08-15 09:25 . 2012-06-27 07:06 1188864 c:\windows\system32\wininet.dll
- 2012-06-13 08:24 . 2012-05-15 04:01 1188864 c:\windows\system32\wininet.dll
- 2012-07-12 10:06 . 2012-06-12 03:08 3148800 c:\windows\system32\win32k.sys
+ 2012-08-15 09:25 . 2012-07-18 18:15 3148800 c:\windows\system32\win32k.sys
- 2012-06-13 08:24 . 2012-04-20 05:42 1494016 c:\windows\system32\urlmon.dll
+ 2012-08-15 09:25 . 2012-06-27 07:06 1494016 c:\windows\system32\urlmon.dll
- 2012-06-13 08:24 . 2012-04-20 05:42 9059840 c:\windows\system32\mshtml.dll
+ 2012-08-15 09:25 . 2012-06-27 07:03 9059840 c:\windows\system32\mshtml.dll
+ 2012-08-15 09:25 . 2012-06-27 07:02 2453504 c:\windows\system32\iertutil.dll
+ 2009-07-14 04:45 . 2012-08-16 13:01 5838573 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2012-07-12 13:03 5838573 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2011-08-11 10:25 . 2012-08-23 19:02 3169268 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1063663236-1276589662-1683584401-1015-8192.dat
+ 2006-12-13 23:12 . 2006-12-13 23:12 6144000 c:\windows\Installer\9861f5.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 2146304 c:\windows\Installer\657c4b1.msp
+ 2011-03-26 23:01 . 2011-03-26 23:01 4250112 c:\windows\Installer\657c4a6.msi
+ 2011-03-26 23:01 . 2011-03-26 23:01 4175360 c:\windows\Installer\657c49b.msi
+ 2011-03-26 23:01 . 2011-03-26 23:01 3410944 c:\windows\Installer\657c490.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 5124096 c:\windows\Installer\657c48a.msp
+ 2012-08-07 20:54 . 2012-08-07 20:54 6661632 c:\windows\Installer\657c480.msi
+ 2011-03-26 23:01 . 2011-03-26 23:01 1070592 c:\windows\Installer\657c461.msi
+ 2011-03-26 23:01 . 2011-03-26 23:01 1492992 c:\windows\Installer\657c453.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 1829376 c:\windows\Installer\657c443.msp
+ 2011-03-26 23:01 . 2011-03-26 23:01 3454976 c:\windows\Installer\657c43a.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 3105792 c:\windows\Installer\657c434.msp
+ 2011-03-26 23:01 . 2011-03-26 23:01 6195200 c:\windows\Installer\657c429.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 6363136 c:\windows\Installer\657c3e4.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 3734016 c:\windows\Installer\657c3ba.msp
+ 2012-08-07 20:54 . 2012-08-07 20:54 2957312 c:\windows\Installer\657c372.msp
+ 2011-03-26 23:01 . 2011-03-26 23:01 8313856 c:\windows\Installer\657c358.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 5868544 c:\windows\Installer\657c353.msp
+ 2012-08-07 20:54 . 2012-08-07 20:54 5535744 c:\windows\Installer\657c335.msp
+ 2012-08-07 20:54 . 2012-08-07 20:54 3312128 c:\windows\Installer\657c2fe.msp
+ 2011-03-26 23:01 . 2011-03-26 23:01 8332288 c:\windows\Installer\657c2e2.msi
+ 2011-03-26 23:01 . 2011-03-26 23:01 2310656 c:\windows\Installer\657c2d2.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 1139712 c:\windows\Installer\657c2cd.msp
+ 2011-03-26 23:01 . 2011-03-26 23:01 4004864 c:\windows\Installer\657c2c1.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 2932224 c:\windows\Installer\657c2b2.msp
+ 2011-03-26 23:01 . 2011-03-26 23:01 7710720 c:\windows\Installer\657c29e.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 4426240 c:\windows\Installer\657c299.msp
+ 2011-03-26 23:00 . 2011-03-26 23:00 9433088 c:\windows\Installer\657c28a.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 8822784 c:\windows\Installer\657c273.msi
+ 2012-07-19 07:45 . 2012-07-19 07:45 3464704 c:\windows\Installer\325b2526.msp
+ 2012-07-04 13:04 . 2012-07-04 13:04 1292288 c:\windows\Installer\325b250f.msp
+ 2012-07-04 13:12 . 2012-07-04 13:12 4772352 c:\windows\Installer\325b2505.msp
+ 2012-07-04 13:09 . 2012-07-04 13:09 1284096 c:\windows\Installer\325b24e1.msp
+ 2012-07-04 13:01 . 2012-07-04 13:01 9082368 c:\windows\Installer\325b24be.msp
+ 2012-07-04 12:58 . 2012-07-04 12:58 6163456 c:\windows\Installer\325b2493.msp
+ 2012-03-13 13:55 . 2012-08-16 10:06 1162592 c:\windows\Installer\{90140000-0057-0000-0000-0000000FF1CE}\visicon.exe
- 2012-03-13 13:55 . 2012-07-12 10:05 1162592 c:\windows\Installer\{90140000-0057-0000-0000-0000000FF1CE}\visicon.exe
+ 2011-05-03 20:56 . 2012-08-16 10:05 1479520 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe
- 2011-05-03 20:56 . 2012-07-12 10:05 1479520 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe
+ 2011-05-03 20:56 . 2012-08-16 10:05 1858400 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2011-05-03 20:56 . 2012-07-12 10:05 1858400 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2011-05-03 20:56 . 2012-07-12 10:05 3792736 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe
+ 2011-05-03 20:56 . 2012-08-16 10:05 3792736 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe
+ 2011-05-03 20:56 . 2012-08-16 10:05 1449312 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe
- 2011-05-03 20:56 . 2012-07-12 10:05 1449312 c:\windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 5509512 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AGM.dll
+ 2011-06-06 18:55 . 2011-06-06 18:55 8293256 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\agm.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 7025152 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\f6cac6d0e82d3714667b5fe78442bb26\WindowsLive.Writer.PostEditor.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 2193408 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\adb0e58139fd3acff774fafea2b34d5f\WindowsLive.Writer.CoreServices.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 1346560 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\a77dc72d1b8dab87fdbf73252925c3de\WindowsLive.Writer.Localization.ni.dll
+ 2012-08-07 21:23 . 2012-08-07 21:23 1285632 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\2a7f76b6857454c1216089b694d7d72a\WindowsLive.Writer.ApplicationFramework.ni.dll
+ 2012-08-15 09:25 . 2012-06-27 05:50 11020800 c:\windows\SysWOW64\ieframe.dll
- 2012-06-13 08:24 . 2012-04-20 04:56 11020800 c:\windows\SysWOW64\ieframe.dll
+ 2009-07-14 02:34 . 2012-08-16 10:22 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
- 2009-07-14 02:34 . 2012-07-12 10:22 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2012-08-15 09:25 . 2012-06-27 07:02 12297216 c:\windows\system32\ieframe.dll
- 2012-06-13 08:24 . 2012-04-20 05:42 12297216 c:\windows\system32\ieframe.dll
+ 2011-03-26 23:01 . 2011-03-26 23:01 11846656 c:\windows\Installer\657c3b1.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 14624256 c:\windows\Installer\657c3a9.msp
+ 2011-03-26 23:01 . 2011-03-26 23:01 34193408 c:\windows\Installer\657c37d.msi
+ 2011-03-26 23:01 . 2011-03-26 23:01 13850624 c:\windows\Installer\657c33c.msi
+ 2012-08-07 20:54 . 2012-08-07 20:54 22647296 c:\windows\Installer\657c311.msi
+ 2012-07-04 13:15 . 2012-07-04 13:15 13106176 c:\windows\Installer\325b2545.msp
+ 2012-07-28 01:47 . 2012-07-28 01:47 13123584 c:\windows\Installer\2ed99.msp
+ 2012-07-28 01:47 . 2012-07-28 01:47 13123584 c:\windows\Installer\1a7b5.msp
+ 2012-07-28 01:22 . 2012-07-28 01:22 105082880 c:\windows\Installer\64171ce.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2012-01-21 719672]
"Adobe Acrobat Synchronizer"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2012-07-27 1261512]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-04-19 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"DellBtrEvent"="d:\program files (x86)\Dell\Reader 2.1\DellBtrEvent.exe" [2010-05-04 147456]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"HPHUPD05"="c:\program files (x86)\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HP Component Manager"="c:\program files (x86)\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files (x86)\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HPHmon05"="c:\windows\SysWOW64\hphmon05.exe" [2005-07-08 491520]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-07-27 36800]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-07-27 823224]
"Communicator"="c:\program files (x86)\Microsoft Lync\communicator.exe" [2012-06-12 12099672]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2006-12-07 107112]
"vptray"="c:\progra~2\SYMANT~1\VPTray.exe" [2006-12-13 134808]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
c:\users\bruce.CSASTAFF1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
Remote Backup.lnk - c:\program files (x86)\Remote Backup\rbackup.exe [2011-5-3 647168]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell System Manager.lnk - c:\program files\Dell\Dell System Manager\DCPSysMgr.exe [2010-8-24 1549680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u msoidssp livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1063663236-1276589662-1683584401-1015\Scripts\Logon\0\0]
"Script"=remove_bpos.cmd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-19 136176]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 250056]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-19 136176]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2012-01-18 351136]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [2010-03-21 61952]
R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [2010-03-21 55808]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-29 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [2010-01-18 21040]
S1 DVMIO;DVMIO;d:\program files (x86)\Dell\Reader 2.1\dvmio_x64.sys [2010-05-04 20624]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2010-05-26 89600]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2010-10-28 1035680]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2010-10-28 36768]
S2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe [2010-08-24 517488]
S2 DvmMDES;DeviceVM Meta Data Export Service;d:\program files (x86)\Dell\Reader 2.1\DVMExportService.exe [2010-05-04 327680]
S2 Exchange Backup Agent;Exchange Backup Agent;c:\program files (x86)\Remote Backup\ExchangeBackupService.exe [2010-07-08 30096]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 InstallFilterService;FF Install Filter Service;c:\program files (x86)\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [2010-01-10 60928]
S2 msoidsvc;Microsoft Online Services Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE [2011-09-28 2078112]
S2 rbScheduler;Remote Backup Scheduler;c:\program files (x86)\Remote Backup\rbschedule.exe [2010-07-08 157072]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [2010-03-21 81920]
S2 uvnc_service;uvnc_service;c:\program files\UltraVNC\WinVNC.exe [2009-12-07 1793976]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-01-18 26160]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2010-08-20 38440]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2010-04-06 301232]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-01 138912]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-06-21 287232]
S3 NxDrv;SonicWALL NetExtender Adapter;c:\windows\system32\DRIVERS\NxDrv.sys [2009-10-21 24264]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 13:14]
.
2012-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-19 16:29]
.
2012-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-19 16:29]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-10-16 21:17 138608 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-10-16 21:17 138608 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-05-13 391024]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-05-26 487424]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-28 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-28 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-28 415256]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2010-02-02 5712896]
"SonicWALLNetExtender"="c:\program files (x86)\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2010-04-02 1103744]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1680976]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://centralserviceassociatmicrosoftonlinecom-9.sharepoint.microsoftonline.com/default.aspx
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 10.1.150.221 10.1.150.202
.
.
------- File Associations -------
.
JSEFile=c:\windows\SysWow64\WScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files (x86)\Symantec AntiVirus\DefWatch.exe
c:\program files (x86)\Symantec AntiVirus\Rtvscan.exe
.
**************************************************************************
.
Completion time: 2012-08-23 14:23:08 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-23 19:23
ComboFix2.txt 2012-07-30 15:33
.
Pre-Run: 172,286,529,536 bytes free
Post-Run: 172,010,827,776 bytes free
.
- - End Of File - - C6523C7B65D87F27E89CCCC9011FFC00

#6 Coldham
  • Topic Starter
  • Members
  • 14 posts

Posted 23 August 2012 - 04:50 PM

Just wanted to let you know I will not be able to respond to this thread again until 8/27

Thanks,
CH

#7 gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 August 2012 - 08:29 PM

Greetings


have a read here for the DWHA*.tmp Files http://www.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder


Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 26 August 2012 - 01:36 AM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools




Gringo

#9 Coldham
  • Topic Starter
  • Members
  • 14 posts

Posted 27 August 2012 - 08:40 AM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-27 08:31:29
-----------------------------
08:31:29.352 OS Version: Windows x64 6.1.7601 Service Pack 1
08:31:29.353 Number of processors: 4 586 0x2505
08:31:29.354 ComputerName: CLARK-B UserName: BRUCE
08:31:31.855 Initialize success
08:31:52.645 AVAST engine defs: 12082700
08:32:03.665 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
08:32:03.667 Disk 0 Vendor: TOSHIBA_ MC00 Size: 238475MB BusType: 8
08:32:03.686 Disk 0 MBR read successfully
08:32:03.688 Disk 0 MBR scan
08:32:03.693 Disk 0 Windows VISTA default MBR code
08:32:03.696 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
08:32:03.710 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 753 MB offset 81920
08:32:03.721 Disk 0 Partition 3 00 07 HPFS/NTFS 235632 MB offset 1624064
08:32:03.727 Disk 0 Partition - 00 0F Extended LBA 2050 MB offset 484198400
08:32:03.756 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 2049 MB offset 484200448
08:32:03.790 Disk 0 scanning C:\Windows\system32\drivers
08:32:03.794 Service scanning
08:32:37.838 Modules scanning
08:32:37.848 Disk 0 trace - called modules:
08:32:37.881 ntoskrnl.exe CLASSPNP.SYS disk.sys stdfltn.sys ACPI.sys iaStor.sys hal.dll
08:32:37.887 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006472060]
08:32:37.892 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa8006315ad0]
08:32:37.896 5 stdfltn.sys[fffff88001af4af2] -> nt!IofCallDriver -> [0xfffffa800363f210]
08:32:37.900 7 ACPI.sys[fffff88000fa57a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004407050]
08:32:39.642 AVAST engine scan C:\Windows
08:32:39.656 AVAST engine scan C:\Windows\system32
08:32:39.665 AVAST engine scan C:\Windows\system32\drivers
08:32:39.672 AVAST engine scan C:\Users\bruce.CSASTAFF1
08:32:39.679 AVAST engine scan C:\ProgramData
08:32:39.683 Scan finished successfully
08:33:01.573 Disk 0 MBR has been saved successfully to "G:\MBR.dat"
08:33:01.591 The log file has been saved successfully to "G:\aswMBR.txt"


08:29:35.0892 1540 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
08:29:36.0417 1540 ============================================================
08:29:36.0417 1540 Current date / time: 2012/08/27 08:29:36.0417
08:29:36.0417 1540 SystemInfo:
08:29:36.0417 1540
08:29:36.0417 1540 OS Version: 6.1.7601 ServicePack: 1.0
08:29:36.0417 1540 Product type: Workstation
08:29:36.0417 1540 ComputerName: CLARK-B
08:29:36.0417 1540 UserName: BRUCE
08:29:36.0417 1540 Windows directory: C:\Windows
08:29:36.0417 1540 System windows directory: C:\Windows
08:29:36.0417 1540 Running under WOW64
08:29:36.0417 1540 Processor architecture: Intel x64
08:29:36.0417 1540 Number of processors: 4
08:29:36.0417 1540 Page size: 0x1000
08:29:36.0417 1540 Boot type: Normal boot
08:29:36.0417 1540 ============================================================
08:29:37.0001 1540 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
08:29:37.0094 1540 Drive \Device\Harddisk2\DR3 - Size: 0xEEB00000 (3.73 Gb), SectorSize: 0x200, Cylinders: 0x1E6, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
08:29:37.0098 1540 ============================================================
08:29:37.0098 1540 \Device\Harddisk0\DR0:
08:29:37.0098 1540 MBR partitions:
08:29:37.0098 1540 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x178800
08:29:37.0098 1540 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x18C800, BlocksNum 0x1CC38000
08:29:37.0124 1540 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x1CDC5000, BlocksNum 0x400800
08:29:37.0124 1540 \Device\Harddisk2\DR3:
08:29:37.0125 1540 MBR partitions:
08:29:37.0125 1540 \Device\Harddisk2\DR3\Partition1: MBR, Type 0xB, StartLBA 0x80, BlocksNum 0x775780
08:29:37.0125 1540 ============================================================
08:29:37.0150 1540 C: <-> \Device\Harddisk0\DR0\Partition2
08:29:37.0194 1540 D: <-> \Device\Harddisk0\DR0\Partition3
08:29:37.0194 1540 ============================================================
08:29:37.0194 1540 Initialize success
08:29:37.0194 1540 ============================================================
08:29:55.0459 3724 ============================================================
08:29:55.0459 3724 Scan started
08:29:55.0459 3724 Mode: Manual;
08:29:55.0459 3724 ============================================================
08:29:56.0685 3724 ================ Scan system memory ========================
08:29:56.0685 3724 System memory - ok
08:29:56.0685 3724 ================ Scan services =============================
08:29:59.0588 3724 ================ Scan global ===============================
08:29:59.0590 3724 [Global] - ok
08:29:59.0592 3724 ================ Scan MBR ==================================
08:29:59.0602 3724 [ 5C616939100B85E558DA92B899A0FC36 ] \Device\Harddisk0\DR0
08:29:59.0948 3724 \Device\Harddisk0\DR0 - ok
08:29:59.0953 3724 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk2\DR3
08:30:06.0475 3724 \Device\Harddisk2\DR3 - ok
08:30:06.0475 3724 ================ Scan VBR ==================================
08:30:06.0507 3724 [ A955343372021254E6A3812574F330F3 ] \Device\Harddisk0\DR0\Partition1
08:30:06.0509 3724 \Device\Harddisk0\DR0\Partition1 - ok
08:30:06.0518 3724 [ BA62D8FC1CDA4334A841473421931005 ] \Device\Harddisk0\DR0\Partition2
08:30:06.0519 3724 \Device\Harddisk0\DR0\Partition2 - ok
08:30:06.0545 3724 [ F1167C4E8D022AE26BA930C74EC49967 ] \Device\Harddisk0\DR0\Partition3
08:30:06.0547 3724 \Device\Harddisk0\DR0\Partition3 - ok
08:30:06.0550 3724 [ 779B7E104E8AB0EE420A8F45D18FE907 ] \Device\Harddisk2\DR3\Partition1
08:30:06.0552 3724 \Device\Harddisk2\DR3\Partition1 - ok
08:30:06.0552 3724 ============================================================
08:30:06.0552 3724 Scan finished
08:30:06.0552 3724 ============================================================
08:30:06.0561 6204 Detected object count: 0
08:30:06.0561 6204 Actual detected object count: 0

#10 gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 August 2012 - 01:18 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

#11 Coldham
  • Topic Starter
  • Members
  • 14 posts

Posted 27 August 2012 - 03:07 PM

Things seem to be ok except for the weird TROJAN.GEN.2 stuff showing up.

I read the forum post from symantec you linked. Could that be the problem?

ComboFix 12-08-25.04 - BRUCE 08/27/2012 14:07:15.5.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3958.2086 [GMT -5:00]
Running from: G:\ComboFix.exe
Command switches used :: G:\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-27 to 2012-08-27 )))))))))))))))))))))))))))))))
.
.
2012-08-27 19:13 . 2012-08-27 19:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-27 19:13 . 2012-08-27 19:13 -------- d-----w- c:\users\csaback\AppData\Local\temp
2012-08-27 19:13 . 2012-08-27 19:13 -------- d-----w- c:\users\csaadmin\AppData\Local\temp
2012-08-27 19:13 . 2012-08-27 19:13 -------- d-----w- c:\users\BRUCE~1~CSA\AppData\Local\temp
2012-08-27 19:13 . 2012-08-27 19:13 -------- d-----w- c:\users\bruce\AppData\Local\temp
2012-08-27 19:13 . 2012-08-27 19:13 -------- d-----w- c:\users\bruce.clarkb\AppData\Local\temp
2012-08-27 19:13 . 2012-08-27 19:13 -------- d-----w- c:\users\administrator\AppData\Local\temp
2012-08-27 19:13 . 2012-08-27 19:13 -------- d-----w- c:\users\admin\AppData\Local\temp
2012-08-27 19:13 . 2012-08-27 19:13 -------- d-----w- c:\users\admin.CSASTAFF1\AppData\Local\temp
2012-08-27 19:13 . 2012-08-27 19:13 -------- d-----w- c:\users\admin.clarkb\AppData\Local\temp
2012-08-17 21:50 . 2012-08-17 21:50 -------- d-----w- C:\FRST
2012-08-08 14:03 . 2012-08-08 14:03 -------- d-----w- c:\users\bruce.CSASTAFF1\AppData\Roaming\Malwarebytes
2012-08-07 20:58 . 2012-08-07 20:58 -------- d-----w- c:\windows\en
2012-08-07 20:56 . 2012-08-07 20:56 19720 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-08-07 20:54 . 2012-08-07 20:54 89944 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\c5217c151cd74de01\DSETUP.dll
2012-08-07 20:54 . 2012-08-07 20:54 537432 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\c5217c151cd74de01\DXSETUP.exe
2012-08-07 20:54 . 2012-08-07 20:54 1801048 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\c5217c151cd74de01\dsetup32.dll
2012-08-07 20:54 . 2012-08-07 20:54 15712 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\c578ed221cd74de02\MeshBetaRemover.exe
2012-08-02 16:04 . 2012-08-02 16:05 -------- d-----w- c:\program files\Symantec
2012-08-02 16:04 . 2012-08-02 16:04 156008 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-08-02 16:04 . 2012-08-02 16:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-08-02 16:04 . 2012-08-02 16:04 -------- d-----w- c:\program files (x86)\Symantec AntiVirus
2012-07-30 18:52 . 2012-07-30 18:52 -------- d-----w- c:\users\admin.clarkb\AppData\Roaming\OrgPlus6
2012-07-30 16:16 . 2012-07-30 16:16 -------- d-----w- c:\program files (x86)\ESET
2012-07-30 15:33 . 2012-08-27 19:20 -------- d-----w- c:\users\bruce.CSASTAFF1\AppData\Local\temp
2012-07-30 13:42 . 2012-07-30 13:42 -------- d-----w- c:\users\admin.clarkb\AppData\Local\CrashDumps
2012-07-29 19:07 . 2012-08-23 13:00 -------- d-----w- c:\users\bruce.CSASTAFF1\AppData\Local\CrashDumps
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-16 10:00 . 2011-04-26 22:06 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-08-15 13:14 . 2012-04-12 13:02 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-15 13:14 . 2011-06-16 13:05 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-09 05:43 . 2012-07-11 04:58 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 13:49 . 2012-06-06 13:49 1070152 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-06-06 06:06 . 2012-07-11 04:58 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-11 04:58 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-11 04:57 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-11 04:58 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-11 04:58 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-11 04:57 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-06-02 22:19 . 2012-06-19 01:42 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-19 01:42 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-19 01:42 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-19 01:42 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 01:42 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-19 01:42 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-19 01:42 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-19 01:42 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:15 . 2012-06-19 01:42 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 05:50 . 2012-07-11 04:57 458704 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 05:48 . 2012-07-11 04:57 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:48 . 2012-07-11 04:57 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:45 . 2012-07-11 04:57 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:44 . 2012-07-11 04:57 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 04:40 . 2012-07-11 04:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:40 . 2012-07-11 04:57 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:39 . 2012-07-11 04:57 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:34 . 2012-07-11 04:57 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-08-23_19.19.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-08-23 12:03 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-08-27 12:03 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-08-27 12:03 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-23 12:03 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-23 12:03 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-27 12:03 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-03-26 22:41 . 2012-08-23 19:30 46050 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-23 19:30 34708 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-08-23 19:06 34708 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-04-27 15:59 . 2012-08-23 19:30 11854 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1063663236-1276589662-1683584401-1015_UserData.bin
- 2011-04-26 20:40 . 2012-08-23 10:25 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-04-26 20:40 . 2012-08-27 16:00 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-04-26 20:40 . 2012-08-23 10:25 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-04-26 20:40 . 2012-08-27 16:00 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-27 16:00 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-23 10:25 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-04-26 22:09 . 2012-08-23 19:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-04-26 22:09 . 2012-08-27 19:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-04-26 22:09 . 2012-08-23 19:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-04-26 22:09 . 2012-08-27 19:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-06 21:46 . 2012-08-21 16:10 3130 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2011-05-06 21:46 . 2012-08-27 19:14 3130 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2012-08-27 19:18 . 2012-08-27 19:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-23 19:18 . 2012-08-23 19:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-23 19:18 . 2012-08-23 19:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-27 19:18 . 2012-08-27 19:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 05:01 . 2012-08-27 19:14 429828 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-08-23 19:15 429828 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2012-01-21 719672]
"Adobe Acrobat Synchronizer"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2012-07-27 1261512]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-04-19 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"DellBtrEvent"="d:\program files (x86)\Dell\Reader 2.1\DellBtrEvent.exe" [2010-05-04 147456]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"HPHUPD05"="c:\program files (x86)\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HP Component Manager"="c:\program files (x86)\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files (x86)\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HPHmon05"="c:\windows\SysWOW64\hphmon05.exe" [2005-07-08 491520]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-07-27 36800]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-07-27 823224]
"Communicator"="c:\program files (x86)\Microsoft Lync\communicator.exe" [2012-06-12 12099672]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2006-12-07 107112]
"vptray"="c:\progra~2\SYMANT~1\VPTray.exe" [2006-12-13 134808]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
c:\users\bruce.CSASTAFF1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
Remote Backup.lnk - c:\program files (x86)\Remote Backup\rbackup.exe [2011-5-3 647168]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell System Manager.lnk - c:\program files\Dell\Dell System Manager\DCPSysMgr.exe [2010-8-24 1549680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u msoidssp livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1063663236-1276589662-1683584401-1015\Scripts\Logon\0\0]
"Script"=remove_bpos.cmd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-19 136176]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 250056]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-19 136176]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2012-01-18 351136]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [2010-03-21 61952]
R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [2010-03-21 55808]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-29 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [2010-01-18 21040]
S1 DVMIO;DVMIO;d:\program files (x86)\Dell\Reader 2.1\dvmio_x64.sys [2010-05-04 20624]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2010-05-26 89600]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2010-10-28 1035680]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2010-10-28 36768]
S2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe [2010-08-24 517488]
S2 DvmMDES;DeviceVM Meta Data Export Service;d:\program files (x86)\Dell\Reader 2.1\DVMExportService.exe [2010-05-04 327680]
S2 Exchange Backup Agent;Exchange Backup Agent;c:\program files (x86)\Remote Backup\ExchangeBackupService.exe [2010-07-08 30096]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 InstallFilterService;FF Install Filter Service;c:\program files (x86)\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [2010-01-10 60928]
S2 msoidsvc;Microsoft Online Services Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE [2011-09-28 2078112]
S2 rbScheduler;Remote Backup Scheduler;c:\program files (x86)\Remote Backup\rbschedule.exe [2010-07-08 157072]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [2010-03-21 81920]
S2 uvnc_service;uvnc_service;c:\program files\UltraVNC\WinVNC.exe [2009-12-07 1793976]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-01-18 26160]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2010-08-20 38440]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2010-04-06 301232]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-01 138912]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-06-21 287232]
S3 NxDrv;SonicWALL NetExtender Adapter;c:\windows\system32\DRIVERS\NxDrv.sys [2009-10-21 24264]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 13:14]
.
2012-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-19 16:29]
.
2012-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-19 16:29]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 97792 ----a-w- c:\users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-10-16 21:17 138608 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-10-16 21:17 138608 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-05-13 391024]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-05-26 487424]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-28 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-28 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-28 415256]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2010-02-02 5712896]
"SonicWALLNetExtender"="c:\program files (x86)\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2010-04-02 1103744]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1680976]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://centralserviceassociatmicrosoftonlinecom-9.sharepoint.microsoftonline.com/default.aspx
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 10.1.150.221 10.1.150.202
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files (x86)\Symantec AntiVirus\DefWatch.exe
c:\program files (x86)\Symantec AntiVirus\Rtvscan.exe
.
**************************************************************************
.
Completion time: 2012-08-27 14:24:07 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-27 19:24
ComboFix2.txt 2012-07-30 15:33
.
Pre-Run: 171,363,405,824 bytes free
Post-Run: 171,115,409,408 bytes free
.
- - End Of File - - BA2B56B551F282BB06D5B8932DE704FA
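As an added example for working through the kind of ComboFix output pasted above (example code written for this thread, not ComboFix's own or any tool used here), the script below parses the autostart line shapes from the "Reg Loading Points" section and attaches review flags. The sample lines are copied from the log above; the flag heuristics are assumptions of this example, meant to order an analyst's review rather than to decide what is malicious.

```python
"""Triage the autostart entries in a ComboFix "Reg Loading Points" section.

Example code written for this thread (not ComboFix's own, nor any tool used in
the thread).  It recognises three line shapes that appear in the log above:
Run-key values, Startup-folder .lnk entries and R#/S# service or driver lines.
The review flags are heuristics chosen for this example: they tell an analyst
what to look up first, they do not decide whether an entry is malicious.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Run-key value:        "name"="c:\path\file.exe" [YYYY-MM-DD size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\S+)\s+(?P<size>\d+)\]$')
# Startup shortcut:     Name.lnk - c:\path\file.exe [YYYY-M-D size]
LNK_RE = re.compile(r'^(?P<name>.+?\.lnk) - (?P<path>.+?) \[(?P<date>\S+) (?P<size>\d+)\]$')
# Service or driver:    R3 name;display name;c:\path\file.sys [YYYY-MM-DD size]   or   [x]
SVC_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<meta>[^\]]*)\]$')

# Sample input: lines copied from the ComboFix log posted above, in their original layout.
SAMPLE_LOG = "\n".join([
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]",
    r'"vptray"="c:\progra~2\SYMANT~1\VPTray.exe" [2006-12-13 134808]',
    r'"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-04-19 39408]',
    ".",
    "c:\\users\\bruce.CSASTAFF1\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    r"Dropbox.lnk - c:\users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]",
    ".",
    r"R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]",
    r"S2 uvnc_service;uvnc_service;c:\program files\UltraVNC\WinVNC.exe [2009-12-07 1793976]",
])


@dataclass
class Entry:
    kind: str                 # "run", "startup" or "service"
    name: str
    path: str
    date: str = ""            # file timestamp as ComboFix printed it; empty when the file is missing
    size: int = 0
    missing: bool = False     # ComboFix prints "[x]" when the registered file is not on disk
    flags: List[str] = field(default_factory=list)


def parse_loading_points(text: str) -> List[Entry]:
    """Turn the autostart lines of a ComboFix log into Entry records; other lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry("run", m["name"], m["path"], m["date"], int(m["size"])))
            continue
        m = LNK_RE.match(line)
        if m:
            entries.append(Entry("startup", m["name"], m["path"], m["date"], int(m["size"])))
            continue
        m = SVC_RE.match(line)
        if m:
            meta = m["meta"].split()
            if meta == ["x"]:
                entries.append(Entry("service", m["name"], m["path"], missing=True))
            else:
                entries.append(Entry("service", m["name"], m["path"], meta[0], int(meta[1])))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags (heuristics chosen for this example) and return the same list."""
    for e in entries:
        low = e.path.lower()
        if e.missing:
            e.flags.append("missing-file")        # registered, but nothing on disk to run
        if "\\users\\" in low or "\\appdata\\" in low:
            e.flags.append("user-profile-path")   # autostart from a user-writable location
        if re.search(r"~\d", low):
            e.flags.append("short-name")          # 8.3 name: resolve it before judging the path
    return entries


def report(entries: List[Entry]) -> List[str]:
    """One line per entry, flagged entries first, for pasting into a reply."""
    ordered = sorted(entries, key=lambda e: (not e.flags, e.kind, e.name))
    return [f"{e.kind:8} {e.name:14} {', '.join(e.flags) or 'no flags':20} {e.path}" for e in ordered]


if __name__ == "__main__":
    for line in report(triage(parse_loading_points(SAMPLE_LOG))):
        print(line)
```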

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:07 PM

Posted 27 August 2012 - 03:41 PM

Greetings

Things seem to be ok except for the weird TROJAN.GEN.2 stuff showing up.

I read the forum post from symantec you linked. Could that be the problem?


With Norton, yes.




Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

Java™ 6 Update 26


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes, then Next.
  • Once done click Finish.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Host file not read, blank Notepad ...).

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 Coldham

Coldham
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 27 August 2012 - 05:03 PM

Computer seems to be ok at this time. I will check it again first thing in the morning.

THANKS SO MUCH!!!!!


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.27.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
BRUCE :: CLARK-B [administrator]

08/27/2012 4:50:43 PM
mbam-log-2012-08-27 (16-50-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 377917
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:58:36 PM, on 08/27/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\SonicWALL\SSL-VPN\NetExtender\NEGui.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
D:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Windows\SysWOW64\hphmon05.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Microsoft Lync\communicator.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\Symantec AntiVirus\VPTray.exe
C:\Program Files (x86)\Microsoft Lync\UcMapi.exe
C:\Users\bruce.CSASTAFF1\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://centralserviceassociatmicrosoftonlinecom-9.sharepoint.microsoftonline.com/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Lync add-on BHO - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~4\Office14\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7725.1624\swg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [DellBtrEvent] D:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe
O4 - HKLM\..\Run: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files (x86)\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files (x86)\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files (x86)\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\Windows\SysWOW64\hphmon05.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~2\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
O4 - HKCU\..\Run: [Adobe Acrobat Synchronizer] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: Dropbox.lnk = C:\Users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: Remote Backup.lnk = C:\Program Files (x86)\Remote Backup\rbackup.exe
O4 - Global Startup: Dell System Manager.lnk = C:\Program Files\Dell\Dell System Manager\DCPSysMgr.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~4\Office14\ONBttnIE.dll/105
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
O9 - Extra 'Tools' menuitem: Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://68.16.18.5/NELX.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csa1.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csa1.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = csa1.com
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Program Files\IDT\WDM\AESTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Credential Vault Host Control Service - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
O23 - Service: Credential Vault Host Storage - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
O23 - Service: Dell System Manager Service (dcpsysmgrsvc) - Dell Inc. - c:\Program Files\Dell\Dell System Manager\DCPSysMgrSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe
O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM, Inc. - D:\Program Files (x86)\Dell\Reader 2.1\DVMExportService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Exchange Backup Agent - Remote Backup Systems - C:\Program Files (x86)\Remote Backup\ExchangeBackupService.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: FF Install Filter Service (InstallFilterService) - Unknown owner - C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Netlogon - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Backup Scheduler (rbScheduler) - Remote Backup Systems, Inc - C:\Program Files (x86)\Remote Backup\rbschedule.exe
O23 - Service: RoxMediaDB12OEM - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe
O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files (x86)\SonicWALL\SSL-VPN\NetExtender\NEService64.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\stlang64.dll,-10101 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV64.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.34 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: DW WLAN Tray Service (wltrysvc) - Dell Inc. - C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 16836 bytes

#14 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 August 2012 - 07:31 AM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to. You can click on their icons (or start them from the Control Panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [DellBtrEvent] D:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe
      O4 - HKLM\..\Run: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
      O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
      O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
      O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
      O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
      O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files (x86)\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
      O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files (x86)\HP\hpcoretech\hpcmpmgr.exe"
      O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files (x86)\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
      O4 - HKLM\..\Run: [HPHmon05] C:\Windows\SysWOW64\hphmon05.exe
      O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
      O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
      O4 - HKCU\..\Run: [Adobe Acrobat Synchronizer] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe"
      O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
      O4 - Startup: Dropbox.lnk = C:\Users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\Dropbox.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • Put a checkmark in "Uninstall application on close"
  • Close the program
  • Report to me that nothing was found

  • If threats were found
  • Click on "list of threats found"
  • Click on "export to text file" and save it as ESET SCAN to the desktop
  • Click on Back
  • Put a checkmark in "Uninstall application on close"
  • Click on Finish
  • Close the program
  • Copy and paste the report here


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
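The start-up review step above works from the O4 lines of the HijackThis log. The script below is an added example for this thread (it is not HijackThis code and not from either poster): it turns each O4 line into a record holding the hive and key, the name between the brackets (the text the NOTE says to research), the executable path with quotes and arguments separated out, and a review flag for programs that start from a user-profile location, which is something a reviewer wants to see before deciding what to keep. The sample lines are copied from the log posted earlier in the thread; the flag rules and helper names are assumptions made for this example.

```python
"""Structured review of the O4 (start-up) lines in a HijackThis log.

Added example for this thread; it is not HijackThis code and not part of any
post. Helper names and the flag rules are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: lines copied from the HijackThis log posted earlier in the
# thread. The O2 line is there to show that non-O4 lines are ignored.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: Lync add-on BHO - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
O4 - HKLM\..\Run: [HPHmon05] C:\Windows\SysWOW64\hphmon05.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: Dropbox.lnk = C:\Users\bruce.CSASTAFF1\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Dell System Manager.lnk = C:\Program Files\Dell\Dell System Manager\DCPSysMgr.exe
"""

# First executable extension followed by whitespace or end of string.
EXT_RE = re.compile(r"\.(?:exe|com|bat|cmd|scr|pif|vbs|js)(?=\s|$)", re.IGNORECASE)
# Registry form:  O4 - HKLM\..\Run: [name] command
REG_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)
# Start-up folder form:  O4 - Startup: name.lnk = command
FOLDER_RE = re.compile(r"^O4 - (?P<key>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Locations a reviewer looks at first (assumed rule for this example).
USER_PROFILE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\documents and settings\\")


@dataclass
class StartupEntry:
    key: str                      # Run, RunOnce, Startup, Global Startup, ...
    name: str                     # text between the brackets, or the .lnk name
    exe: str                      # executable path without quotes or arguments
    args: str                     # remaining command-line arguments
    raw: str                      # the original O4 line
    hive: Optional[str] = None    # HKLM, HKCU, HKUS\S-...; None for folders
    flags: List[str] = field(default_factory=list)


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable path from its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    # Unquoted path: cut after the first executable extension
    m = EXT_RE.search(cmd)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    return cmd, ""


def review_flags(exe: str) -> List[str]:
    """Cheap checks applied before deciding what to keep."""
    flags = []
    low = exe.lower()
    if any(marker in low for marker in USER_PROFILE_MARKERS):
        flags.append("user-profile path")
    if not EXT_RE.search(low):
        flags.append("no recognised executable extension")
    return flags


def parse_o4(log_text: str) -> List[StartupEntry]:
    """Return one StartupEntry per O4 line; other lines are skipped."""
    entries: List[StartupEntry] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("O4 - "):
            continue
        m = REG_RE.match(line)
        if m:
            exe, args = split_command(m["cmd"])
            entries.append(StartupEntry(m["key"], m["name"], exe, args, line,
                                        hive=m["hive"], flags=review_flags(exe)))
            continue
        m = FOLDER_RE.match(line)
        if m:
            exe, args = split_command(m["cmd"])
            entries.append(StartupEntry(m["key"], m["name"], exe, args, line,
                                        flags=review_flags(exe)))
            continue
        entries.append(StartupEntry("?", "", "", "", line, flags=["unparsed O4 line"]))
    return entries


def research_names(entries: List[StartupEntry]) -> List[str]:
    """The names to paste into the start-up database search, in log order."""
    return [e.name for e in entries if e.name]


def print_review(entries: List[StartupEntry]) -> None:
    for e in entries:
        where = f"{e.hive}\\{e.key}" if e.hive else e.key
        flag_text = f"  <-- {', '.join(e.flags)}" if e.flags else ""
        print(f"{where:22} [{e.name}] {e.exe} {e.args}{flag_text}")


if __name__ == "__main__":
    print_review(parse_o4(SAMPLE_LOG))
```

Run it over a whole HijackThis log and only the O4 lines come out; the Dropbox entry is the one flagged here because it starts from the user's AppData folder, which is where a reviewer looks first, not a verdict about the program.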

#15 Coldham

Coldham
  • Topic Starter

  • Members
  • 14 posts

Posted 28 August 2012 - 03:19 PM

ESET found nothing

Symantec found this

Risk Filename Date
Trojan.Gen.2 DWHAB50.tmp 8/28/2012 8:42
Trojan.Gen.2 DWH64EE.tmp 8/28/2012 8:42
Trojan.Gen.2 DWHED3.tmp 8/28/2012 8:41
Trojan.Gen.2 DWHC094.tmp 8/28/2012 8:41
Trojan.Gen.2 DWH762D.tmp 8/28/2012 8:41
Trojan.Gen.2 DWH27EE.tmp 8/28/2012 8:40
Trojan.Gen.2 DWHDD96.tmp 8/28/2012 8:40
Trojan.Gen.2 DWH934D.tmp 8/28/2012 8:40
Trojan.Gen.2 DWH48F5.tmp 8/28/2012 8:39
Trojan.Gen.2 DWHFEAD.tmp 8/28/2012 8:39
Trojan.Gen.2 DWHB455.tmp 8/28/2012 8:39
Trojan.Gen.2 DWH6DD3.tmp 8/28/2012 8:38
Trojan.Gen.2 DWH1F95.tmp 8/28/2012 8:38
Trojan.Gen.2 DWHD54C.tmp 8/28/2012 8:38
Trojan.Gen.2 DWH86FE.tmp 8/28/2012 8:38
Trojan.Gen.2 DWH3CB6.tmp 8/28/2012 8:37
Trojan.Gen.2 DWHF21F.tmp 8/28/2012 8:37
Trojan.Gen.2 DWHA3B2.tmp 8/28/2012 8:37
Trojan.Gen.2 DWH593A.tmp 8/28/2012 8:36
Trojan.Gen.2 DWHADD.tmp 8/28/2012 8:36
Trojan.Gen.2 DWHC065.tmp 8/28/2012 8:36
Trojan.Gen.2 DWH75B0.tmp 8/28/2012 8:35
Trojan.Gen.2 DWH2752.tmp 8/28/2012 8:35
Trojan.Gen.2 DWHDCDB.tmp 8/28/2012 8:35
Trojan.Gen.2 DWH8E6D.tmp 8/28/2012 8:34
Trojan.Gen.2 DWH43F6.tmp 8/28/2012 8:34
Trojan.Gen.2 DWHF97F.tmp 8/28/2012 8:34
Trojan.Gen.2 DWHAB11.tmp 8/28/2012 8:33
Trojan.Gen.2 DWH605C.tmp 8/28/2012 8:33
Trojan.Gen.2 DWH11EE.tmp 8/28/2012 8:33
Trojan.Gen.2 DWHC739.tmp 8/28/2012 8:32
Trojan.Gen.2 DWH80A8.tmp 8/28/2012 8:32
Trojan.Gen.2 DWH324A.tmp 8/28/2012 8:32
Trojan.Gen.2 DWHE7C3.tmp 8/28/2012 8:31
Trojan.Gen.2 DWH9936.tmp 8/28/2012 8:31
Trojan.Gen.2 DWH4EBF.tmp 8/28/2012 8:31
Trojan.Gen.2 DWH83E.tmp 8/28/2012 8:30
Trojan.Gen.2 DWHBDC6.tmp 8/28/2012 8:30
Trojan.Gen.2 DWH7340.tmp 8/28/2012 8:30
Trojan.Gen.2 DWH24E2.tmp 8/28/2012 8:29
Trojan.Gen.2 DWHDA6A.tmp 8/28/2012 8:29
Trojan.Gen.2 DWH8817.tmp 8/28/2012 8:29
Trojan.Gen.2 DWH39A9.tmp 8/28/2012 8:28
Trojan.Gen.2 DWHEF23.tmp 8/28/2012 8:28
Trojan.Gen.2 DWHA096.tmp 8/28/2012 8:28
Trojan.Gen.2 DWH561F.tmp 8/28/2012 8:27
Trojan.Gen.2 DWHBB7.tmp 8/28/2012 8:27
Trojan.Gen.2 DWHC120.tmp 8/28/2012 8:27
Trojan.Gen.2 DWH72C3.tmp 8/28/2012 8:26
Trojan.Gen.2 DWH284B.tmp 8/28/2012 8:26
Trojan.Gen.2 DWHE1AB.tmp 8/28/2012 8:26
Trojan.Gen.2 DWH932E.tmp 8/28/2012 8:26
Trojan.Gen.2 DWH48A7.tmp 8/28/2012 8:25
Trojan.Gen.2 DWHFA3A.tmp 8/28/2012 8:25
Trojan.Gen.2 DWHABBD.tmp 8/28/2012 8:25
Trojan.Gen.2 DWH6145.tmp 8/28/2012 8:24
Trojan.Gen.2 DWH16AF.tmp 8/28/2012 8:24
Trojan.Gen.2 DWHC842.tmp 8/28/2012 8:24
Trojan.Gen.2 DWH7DCA.tmp 8/28/2012 8:23
Trojan.Gen.2 DWH3334.tmp 8/28/2012 8:23
Trojan.Gen.2 DWHE4D6.tmp 8/28/2012 8:23
Trojan.Gen.2 DWH9A5F.tmp 8/28/2012 8:22
Trojan.Gen.2 DWH4FE7.tmp 8/28/2012 8:22
Trojan.Gen.2 DWH560.tmp 8/28/2012 8:22
Trojan.Gen.2 DWHB6F3.tmp 8/28/2012 8:21
Trojan.Gen.2 DWH649F.tmp 8/28/2012 8:21
Trojan.Gen.2 DWH1642.tmp 8/28/2012 8:21
Trojan.Gen.2 DWHCFB1.tmp 8/28/2012 8:20
Trojan.Gen.2 DWH8143.tmp 8/28/2012 8:20
Trojan.Gen.2 DWH36CC.tmp 8/28/2012 8:20
Trojan.Gen.2 DWHEC55.tmp 8/28/2012 8:19
Trojan.Gen.2 DWH8DF0.tmp 8/28/2012 8:19
Trojan.Gen.2 DWH3F83.tmp 8/28/2012 8:19
Trojan.Gen.2 DWHF116.tmp 8/28/2012 8:18
Trojan.Gen.2 DWHA69E.tmp 8/28/2012 8:18
Trojan.Gen.2 DWH5831.tmp 8/28/2012 8:18
Trojan.Gen.2 DWH5ED.tmp 8/28/2012 8:17
Trojan.Gen.2 DWHB78F.tmp 8/28/2012 8:17
Trojan.Gen.2 DWH70FE.tmp 8/28/2012 8:17
Trojan.Gen.2 DWH2A6D.tmp 8/28/2012 8:16
Trojan.Gen.2 DWHD80A.tmp 8/28/2012 8:16
Trojan.Gen.2 DWH8D73.tmp 8/28/2012 8:16
Trojan.Gen.2 DWH3F25.tmp 8/28/2012 8:15
Trojan.Gen.2 DWHF48F.tmp 8/28/2012 8:15
Trojan.Gen.2 DWHA25A.tmp 8/28/2012 8:15
Trojan.Gen.2 DWH57E3.tmp 8/28/2012 8:14
Trojan.Gen.2 DWH975.tmp 8/28/2012 8:14
Trojan.Gen.2 DWHBEEF.tmp 8/28/2012 8:14
Trojan.Gen.2 DWH7468.tmp 8/28/2012 8:13
Trojan.Gen.2 DWH29F0.tmp 8/28/2012 8:13
Trojan.Gen.2 DWHDF5A.tmp 8/28/2012 8:13
Trojan.Gen.2 DWH90DD.tmp 8/28/2012 8:12
Trojan.Gen.2 DWH4666.tmp 8/28/2012 8:12
Trojan.Gen.2 DWHFBEE.tmp 8/28/2012 8:12
Trojan.Gen.2 DWHB54E.tmp 8/28/2012 8:11
Trojan.Gen.2 DWH66E0.tmp 8/28/2012 8:11
Trojan.Gen.2 DWH1C69.tmp 8/28/2012 8:11
Trojan.Gen.2 DWHCDEC.tmp 8/28/2012 8:11
Trojan.Gen.2 DWH7B79.tmp 8/28/2012 8:10
Trojan.Gen.2 DWH2916.tmp 8/28/2012 8:10
Trojan.Gen.2 DWHCED6.tmp 8/28/2012 8:09
Trojan.Gen.2 DWH8069.tmp 8/28/2012 8:09
Trojan.Gen.2 DWH39D8.tmp 8/28/2012 8:09
Trojan.Gen.2 DWHEB6B.tmp 8/28/2012 8:08
Trojan.Gen.2 DWHA0E4.tmp 8/28/2012 8:08
Trojan.Gen.2 DWH5A53.tmp 8/28/2012 8:08
Trojan.Gen.2 DWH13B2.tmp 8/28/2012 8:07
Trojan.Gen.2 DWHC545.tmp 8/28/2012 8:07
Trojan.Gen.2 DWH7ACE.tmp 8/28/2012 8:07
Trojan.Gen.2 DWH3047.tmp 8/28/2012 8:07
Trojan.Gen.2 DWHE5CF.tmp 8/28/2012 8:06
Trojan.Gen.2 DWH9B48.tmp 8/28/2012 8:06
Trojan.Gen.2 DWH50D1.tmp 8/28/2012 8:06
Trojan.Gen.2 DWH65A.tmp 8/28/2012 8:05
Trojan.Gen.2 DWHBBD3.tmp 8/28/2012 8:05
Trojan.Gen.2 DWH714C.tmp 8/28/2012 8:05
Trojan.Gen.2 DWH22DF.tmp 8/28/2012 8:04
Trojan.Gen.2 DWHD877.tmp 8/28/2012 8:04
Trojan.Gen.2 DWH8E00.tmp 8/28/2012 8:04
Trojan.Gen.2 DWH475F.tmp 8/28/2012 8:03
Trojan.Gen.2 DWHF8F2.tmp 8/28/2012 8:03
Trojan.Gen.2 DWHA69E.tmp 8/28/2012 8:03
Trojan.Gen.2 DWH5C27.tmp 8/28/2012 8:02
Trojan.Gen.2 DWHDB9.tmp 8/28/2012 8:02
Trojan.Gen.2 DWHBB66.tmp 8/28/2012 8:02
Trojan.Gen.2 DWH6CF8.tmp 8/28/2012 8:01
Trojan.Gen.2 DWH2290.tmp 8/28/2012 8:01
Trojan.Gen.2 DWHD423.tmp 8/28/2012 8:01
Trojan.Gen.2 DWH89AC.tmp 8/28/2012 8:00
Trojan.Gen.2 DWH3F25.tmp 8/28/2012 8:00
Trojan.Gen.2 DWHF0C7.tmp 8/28/2012 8:00
Trojan.Gen.2 DWH8DFF.tmp 8/28/2012 7:59
Trojan.Gen.2 DWH3BEA.tmp 8/28/2012 7:59
Trojan.Gen.2 DWHF1A2.tmp 8/28/2012 7:59
Trojan.Gen.2 DWHA759.tmp 8/28/2012 7:58
Trojan.Gen.2 DWH592A.tmp 8/28/2012 7:58
Trojan.Gen.2 DWHEE2.tmp 8/28/2012 7:58
Trojan.Gen.2 DWHC499.tmp 8/28/2012 7:57
Trojan.Gen.2 DWH7E37.tmp 8/28/2012 7:57
Trojan.Gen.2 DWH3008.tmp 8/28/2012 7:57
Trojan.Gen.2 DWHE5CF.tmp 8/28/2012 7:56
Trojan.Gen.2 DWH9B67.tmp 8/28/2012 7:56
Trojan.Gen.2 DWH512E.tmp 8/28/2012 7:56
Trojan.Gen.2 DWH6D6.tmp 8/28/2012 7:55
Trojan.Gen.2 DWHB4B1.tmp 8/28/2012 7:55
Trojan.Gen.2 DWH629C.tmp 8/28/2012 7:55
Trojan.Gen.2 DWH1854.tmp 8/28/2012 7:54
Trojan.Gen.2 DWHCA25.tmp 8/28/2012 7:54
Trojan.Gen.2 DWH7FEC.tmp 8/28/2012 7:54
Trojan.Gen.2 DWH35A3.tmp 8/28/2012 7:53
Trojan.Gen.2 DWHE774.tmp 8/28/2012 7:53
Trojan.Gen.2 DWH9D1C.tmp 8/28/2012 7:53
Trojan.Gen.2 DWH4EED.tmp 8/28/2012 7:52
Trojan.Gen.2 DWH4B4.tmp 8/28/2012 7:52
Trojan.Gen.2 DWHB28F.tmp 8/28/2012 7:52
Trojan.Gen.2 DWH6847.tmp 8/28/2012 7:51
Trojan.Gen.2 DWH1DFE.tmp 8/28/2012 7:51
Trojan.Gen.2 DWHD3B6.tmp 8/28/2012 7:51
Trojan.Gen.2 DWH896D.tmp 8/28/2012 7:51
Trojan.Gen.2 DWH3F25.tmp 8/28/2012 7:50
Trojan.Gen.2 DWHF4DC.tmp 8/28/2012 7:50
Trojan.Gen.2 DWHA6AD.tmp 8/28/2012 7:50
Trojan.Gen.2 DWH587E.tmp 8/28/2012 7:49
Trojan.Gen.2 DWHE36.tmp 8/28/2012 7:49
Trojan.Gen.2 DWHC3FD.tmp 8/28/2012 7:49
Trojan.Gen.2 DWH75CE.tmp 8/28/2012 7:48
Trojan.Gen.2 DWH2B85.tmp 8/28/2012 7:48
Trojan.Gen.2 DWHDD57.tmp 8/28/2012 7:48
Trojan.Gen.2 DWH930E.tmp 8/28/2012 7:47
Trojan.Gen.2 DWH48C5.tmp 8/28/2012 7:47
Trojan.Gen.2 DWHF6A1.tmp 8/28/2012 7:47
Trojan.Gen.2 DWHAC58.tmp 8/28/2012 7:46
Trojan.Gen.2 DWH5A43.tmp 8/28/2012 7:46
Trojan.Gen.2 DWH100A.tmp 8/28/2012 7:46
Trojan.Gen.2 DWHC5C1.tmp 8/28/2012 7:45
Trojan.Gen.2 DWH7B79.tmp 8/28/2012 7:45
Trojan.Gen.2 DWH3130.tmp 8/28/2012 7:45
Trojan.Gen.2 DWHE6F7.tmp 8/28/2012 7:44
Trojan.Gen.2 DWH9CAF.tmp 8/28/2012 7:44
Trojan.Gen.2 DWH5266.tmp 8/28/2012 7:44
Trojan.Gen.2 DWHC04.tmp 8/28/2012 7:43
Trojan.Gen.2 DWHC5A2.tmp 8/28/2012 7:43
Trojan.Gen.2 DWH7F40.tmp 8/28/2012 7:43
Trojan.Gen.2 DWH38ED.tmp 8/28/2012 7:43
Trojan.Gen.2 DWHF26C.tmp 8/28/2012 7:42
Trojan.Gen.2 DWHAC1A.tmp 8/28/2012 7:42
Trojan.Gen.2 DWH65B7.tmp 8/28/2012 7:42
Trojan.Gen.2 DWH1F55.tmp 8/28/2012 7:41
Trojan.Gen.2 DWHD117.tmp 8/28/2012 7:41
Trojan.Gen.2 DWH86CE.tmp 8/28/2012 7:41
Trojan.Gen.2 DWH3C86.tmp 8/28/2012 7:40
Trojan.Gen.2 DWHF23D.tmp 8/28/2012 7:40
Trojan.Gen.2 DWHA7F5.tmp 8/28/2012 7:40
Trojan.Gen.2 DWH5DAC.tmp 8/28/2012 7:39
Trojan.Gen.2 DWH174A.tmp 8/28/2012 7:39
Trojan.Gen.2 DWHC91B.tmp 8/28/2012 7:39
Trojan.Gen.2 DWH7E94.tmp 8/28/2012 7:38
Trojan.Gen.2 DWH345B.tmp 8/28/2012 7:38
Trojan.Gen.2 DWHE62C.tmp 8/28/2012 7:38
Trojan.Gen.2 DWH9BE4.tmp 8/28/2012 7:38
Trojan.Gen.2 DWH519B.tmp 8/28/2012 7:37
Trojan.Gen.2 DWH753.tmp 8/28/2012 7:37
Trojan.Gen.2 DWHBD0A.tmp 8/28/2012 7:37
Trojan.Gen.2 DWH72D1.tmp 8/28/2012 7:36
Trojan.Gen.2 DWH2889.tmp 8/28/2012 7:36
Trojan.Gen.2 DWHDE40.tmp 8/28/2012 7:36
Trojan.Gen.2 DWH93F8.tmp 8/28/2012 7:35
Trojan.Gen.2 DWH45C9.tmp 8/28/2012 7:35
Trojan.Gen.2 DWHFB71.tmp 8/28/2012 7:35
Trojan.Gen.2 DWHB128.tmp 8/28/2012 7:34
Trojan.Gen.2 DWH66E0.tmp 8/28/2012 7:34
Trojan.Gen.2 DWH1C97.tmp 8/28/2012 7:34
Trojan.Gen.2 DWHCE68.tmp 8/28/2012 7:33
Trojan.Gen.2 DWH8420.tmp 8/28/2012 7:33
Trojan.Gen.2 DWH39D7.tmp 8/28/2012 7:33
Trojan.Gen.2 DWHF375.tmp 8/28/2012 7:32
Trojan.Gen.2 DWHA546.tmp 8/28/2012 7:32
Trojan.Gen.2 DWH5AFE.tmp 8/28/2012 7:32
Trojan.Gen.2 DWH10B5.tmp 8/28/2012 7:31
Trojan.Gen.2 DWHC66D.tmp 8/28/2012 7:31
Trojan.Gen.2 DWH7C14.tmp 8/28/2012 7:31
Trojan.Gen.2 DWH31CC.tmp 8/28/2012 7:30
Trojan.Gen.2 DWHE783.tmp 8/28/2012 7:30
Trojan.Gen.2 DWH9D3B.tmp 8/28/2012 7:30
Trojan.Gen.2 DWH52E3.tmp 8/28/2012 7:30
Trojan.Gen.2 DWHC81.tmp 8/28/2012 7:29
Trojan.Gen.2 DWHC61F.tmp 8/28/2012 7:29
Trojan.Gen.2 DWH7FBC.tmp 8/28/2012 7:29
Trojan.Gen.2 DWH393B.tmp 8/28/2012 7:28
Trojan.Gen.2 DWHEB0C.tmp 8/28/2012 7:28
Trojan.Gen.2 DWHA0B4.tmp 8/28/2012 7:28
Trojan.Gen.2 DWH5A62.tmp 8/28/2012 7:27
Trojan.Gen.2 DWH13FF.tmp 8/28/2012 7:27
Trojan.Gen.2 DWHCD9D.tmp 8/28/2012 7:27
Trojan.Gen.2 DWH873B.tmp 8/28/2012 7:26
Trojan.Gen.2 DWH390C.tmp 8/28/2012 7:26
Trojan.Gen.2 DWHEEC4.tmp 8/28/2012 7:26
Trojan.Gen.2 DWHA47B.tmp 8/28/2012 7:26
Trojan.Gen.2 DWH5E19.tmp 8/28/2012 7:25
Trojan.Gen.2 DWHFDB.tmp 8/28/2012 7:25
Trojan.Gen.2 DWHC592.tmp 8/28/2012 7:25
Trojan.Gen.2 DWH7763.tmp 8/28/2012 7:24
Trojan.Gen.2 DWH2D1B.tmp 8/28/2012 7:24
Trojan.Gen.2 DWHE2D2.tmp 8/28/2012 7:24
Trojan.Gen.2 DWH9494.tmp 8/28/2012 7:23
Trojan.Gen.2 DWH4A4B.tmp 8/28/2012 7:23
Trojan.Gen.2 DWH3.tmp 8/28/2012 7:23
Trojan.Gen.2 DWHB5BA.tmp 8/28/2012 7:22
Trojan.Gen.2 DWH6B71.tmp 8/28/2012 7:22
Trojan.Gen.2 DWH2119.tmp 8/28/2012 7:22
Trojan.Gen.2 DWHD6D1.tmp 8/28/2012 7:21
Trojan.Gen.2 DWH8C88.tmp 8/28/2012 7:21
Trojan.Gen.2 DWH4240.tmp 8/28/2012 7:21
Trojan.Gen.2 DWHF411.tmp 8/28/2012 7:20
Trojan.Gen.2 DWHA9C8.tmp 8/28/2012 7:20
Trojan.Gen.2 DWH5B99.tmp 8/28/2012 7:20
Trojan.Gen.2 DWH1151.tmp 8/28/2012 7:19
Trojan.Gen.2 DWHC708.tmp 8/28/2012 7:19
Trojan.Gen.2 DWH78D9.tmp 8/28/2012 7:19
Trojan.Gen.2 DWH2E91.tmp 8/28/2012 7:18
Trojan.Gen.2 DWHE83E.tmp 8/28/2012 7:18
Trojan.Gen.2 DWH9DF6.tmp 8/28/2012 7:18
Trojan.Gen.2 DWH4F79.tmp 8/28/2012 7:18
Trojan.Gen.2 DWH530.tmp 8/28/2012 7:17
Trojan.Gen.2 DWHBAE8.tmp 8/28/2012 7:17
Trojan.Gen.2 DWH709F.tmp 8/28/2012 7:17
Trojan.Gen.2 DWH2657.tmp 8/28/2012 7:16
Trojan.Gen.2 DWHDC0E.tmp 8/28/2012 7:16
Trojan.Gen.2 DWH91C6.tmp 8/28/2012 7:16
Trojan.Gen.2 DWH477D.tmp 8/28/2012 7:15
Trojan.Gen.2 DWHFD35.tmp 8/28/2012 7:15
Trojan.Gen.2 DWHB2EC.tmp 8/28/2012 7:15
Trojan.Gen.2 DWH5514.tmp 8/28/2012 7:14
Trojan.Gen.2 DWHACC.tmp 8/28/2012 7:14
Trojan.Gen.2 DWHBC8D.tmp 8/28/2012 7:14
Trojan.Gen.2 DWH762B.tmp 8/28/2012 7:13
Trojan.Gen.2 DWH2FC9.tmp 8/28/2012 7:13
Trojan.Gen.2 DWHE967.tmp 8/28/2012 7:13
Trojan.Gen.2 DWHA305.tmp 8/28/2012 7:12
Trojan.Gen.2 DWH5CA2.tmp 8/28/2012 7:12
Trojan.Gen.2 DWHE74.tmp 8/28/2012 7:12
Trojan.Gen.2 DWHC42B.tmp 8/28/2012 7:11
Trojan.Gen.2 DWH7DC9.tmp 8/28/2012 7:11
Trojan.Gen.2 DWH3767.tmp 8/28/2012 7:11
Trojan.Gen.2 DWHED1E.tmp 8/28/2012 7:11
Trojan.Gen.2 DWHA2D6.tmp 8/28/2012 7:10
Trojan.Gen.2 DWH588D.tmp 8/28/2012 7:10
Trojan.Gen.2 DWHE35.tmp 8/28/2012 7:10
Trojan.Gen.2 DWHC006.tmp 8/28/2012 7:09
Trojan.Gen.2 DWH75CD.tmp 8/28/2012 7:09
Trojan.Gen.2 DWH277F.tmp 8/28/2012 7:09
Trojan.Gen.2 DWHF597.tmp 8/28/2012 7:06
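A detection list this long is hard to judge as a whole: it could be hundreds of separate finds or one thing reported again and again. The script below is an added example for this thread (not Symantec's or BleepingComputer's code): it parses lines of the form `Risk Filename Date` and reports how many distinct risk names, filename patterns and files are involved, which files recur, and the time span and peak rate. The sample is a subset of the lines from the post above, including the entries that appear more than once; the column layout and helper names are assumptions.

```python
"""Summary of an antivirus detection list such as the Symantec one above.

Added example for this thread, not Symantec's or BleepingComputer's code. It
groups detections by risk name and by filename pattern (the run of hex digits
before the extension collapsed to '#'), lists files reported more than once,
and gives the time span and peak rate. Column layout (risk, filename, date,
time separated by whitespace) and helper names are assumptions.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Sample input: a subset of the lines from the post above, keeping the entries
# that occur more than once (DWHA69E.tmp twice, DWH3F25.tmp three times).
SAMPLE_REPORT = """\
Risk Filename Date
Trojan.Gen.2 DWHAB50.tmp 8/28/2012 8:42
Trojan.Gen.2 DWH64EE.tmp 8/28/2012 8:42
Trojan.Gen.2 DWHED3.tmp 8/28/2012 8:41
Trojan.Gen.2 DWHC094.tmp 8/28/2012 8:41
Trojan.Gen.2 DWH762D.tmp 8/28/2012 8:41
Trojan.Gen.2 DWHA69E.tmp 8/28/2012 8:18
Trojan.Gen.2 DWH3F25.tmp 8/28/2012 8:15
Trojan.Gen.2 DWHA69E.tmp 8/28/2012 8:03
Trojan.Gen.2 DWH3F25.tmp 8/28/2012 8:00
Trojan.Gen.2 DWH3F25.tmp 8/28/2012 7:50
Trojan.Gen.2 DWHF597.tmp 8/28/2012 7:06
"""

LINE_RE = re.compile(
    r"^(?P<risk>\S+)\s+(?P<file>\S+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2})$"
)
# A run of hex digits directly before the extension becomes '#', so that
# DWHAB50.tmp and DWH3F25.tmp both map to the pattern DWH#.tmp.
HEX_RUN_RE = re.compile(r"[0-9A-Fa-f]+(?=\.[^.]+$)")


def parse_detections(report: str) -> List[dict]:
    """One dict per detection line; the header and anything else is skipped."""
    hits = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M")
        hits.append({"risk": m["risk"], "file": m["file"], "when": when})
    return hits


def filename_pattern(name: str) -> str:
    return HEX_RUN_RE.sub("#", name, count=1)


def summarize(report: str) -> Dict[str, object]:
    hits = parse_detections(report)
    if not hits:
        return {"total": 0}
    files = Counter(h["file"] for h in hits)
    # Timestamps have minute resolution, so one bucket per minute.
    per_minute = Counter(h["when"] for h in hits)
    first = min(h["when"] for h in hits)
    last = max(h["when"] for h in hits)
    return {
        "total": len(hits),
        "risks": dict(Counter(h["risk"] for h in hits)),
        "patterns": dict(Counter(filename_pattern(h["file"]) for h in hits)),
        "distinct_files": len(files),
        "repeated_files": sorted(f for f, n in files.items() if n > 1),
        "first": first.strftime("%Y-%m-%d %H:%M"),
        "last": last.strftime("%Y-%m-%d %H:%M"),
        "span_minutes": int((last - first).total_seconds() // 60),
        "max_per_minute": max(per_minute.values()),
    }


def describe(report: str) -> str:
    """One-line summary suitable for pasting back into a thread."""
    s = summarize(report)
    if s["total"] == 0:
        return "no detections parsed"
    return (
        f"{s['total']} detections, {len(s['risks'])} risk name(s), "
        f"{len(s['patterns'])} filename pattern(s) {sorted(s['patterns'])}, "
        f"{s['distinct_files']} distinct files ({len(s['repeated_files'])} seen more than once), "
        f"{s['first']} to {s['last']} ({s['span_minutes']} min), "
        f"up to {s['max_per_minute']} per minute"
    )


if __name__ == "__main__":
    print(describe(SAMPLE_REPORT))
```

Run over the full list in the post, the summary comes out as a single risk name, a single DWH#.tmp pattern and hits arriving at up to three a minute for over an hour, with some filenames recurring. That picture separates a temporary file that keeps being recreated and re-detected from many independent finds, and it is the question to settle before treating each line as a separate infection.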



