
Trojan.LameShield, Trojan.0Access, Heuristics.Shuriken, Rootkit.0Access.64


This topic is locked
35 replies to this topic

#1 mattsbach

mattsbach

  • Members
  • 85 posts
  • OFFLINE
  • Local time:04:24 PM

Posted 05 September 2012 - 03:19 PM

HI - My other computer is now infected. I ran MBAM in safe mode and got this:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.05.09

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC110658 [administrator]

9/5/2012 3:04:53 PM
mbam-log-2012-09-05 (16-11-11).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 407178
Time elapsed: 33 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SonyAgent (Trojan.LameShield) -> Data: C:\Windows\Temp\temp93.exe -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|sqlldlpl (Trojan.LameShield) -> Data: C:\Users\Owner\AppData\Local\sqlldlpl.exe -> No action taken.

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 13
C:\Windows\temp\temp93.exe (Trojan.LameShield) -> No action taken.
C:\Users\Owner\AppData\Local\sqlldlpl.exe (Trojan.LameShield) -> No action taken.
C:\$RECYCLE.BIN\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\n (Trojan.0Access) -> No action taken.
C:\$RECYCLE.BIN\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\U\00000001.@ (Trojan.0Access) -> No action taken.
C:\$RECYCLE.BIN\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\U\80000000.@ (Trojan.0Access) -> No action taken.
C:\$RECYCLE.BIN\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\U\800000cb.@ (Trojan.0Access) -> No action taken.
C:\$RECYCLE.BIN\S-1-5-21-2155120952-764981566-888926259-1000\$b9a85bf4fa72097a2079c05dc739741c\n (Trojan.0Access) -> No action taken.
C:\Users\Owner\AppData\Local\Temp\tsft.exe (Trojan.Downloader) -> No action taken.
C:\Users\Owner\AppData\Local\Temp\~!#47ED.tmp (Trojan.LameShield) -> No action taken.
C:\Users\Owner\AppData\Local\Temp\~!#6A6F.tmp (Trojan.LameShield) -> No action taken.
C:\Users\Owner\AppData\Local\Temp\~!#7539.tmp (Heuristics.Shuriken) -> No action taken.
C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\19f61963-574e4936 (Trojan.Downloader) -> No action taken.
C:\Windows\Installer\{b9a85bf4-fa72-097a-2079-c05dc739741c}\U\80000000.@ (Rootkit.0Access.64) -> No action taken.

(end)


Should I remove these MBAM or wait for your lead?

thank you, matthew


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:24 PM

Posted 06 September 2012 - 06:55 AM

Hello mattsbach! Welcome to BleepingComputer Forums!

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



IMPORTANT NOTE: One or more of the identified infections is related to the rootkit ZeroAccess. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:



Yeah, go ahead and let MBAM delete these things!



STEP 1



  • Please download RKill by Grinler from the link below and save it to your desktop.

    RKill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious.
    Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista/7, please right-click on it and select Run As Administrator).
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
  • A logfile of Rkill will be saved on your desktop. Please add its content to your next answer.
  • Note: Do not reboot the computer until you've finished the next step.


STEP 2


  • Please download RogueKiller and save it to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.



STEP 3



Please follow the instructions below:


  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on the Scan All Users checkbox given at the top.
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  • Copy and paste the following code into the textbox.
  • Don't copy the word "quoted"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\temp\*.exe
    %USERPROFILE%\AppData\Local\*.*
    %USERPROFILE%\AppData\Local\*.
    %USERPROFILE%\AppData\Local\temp\*.exe
    %USERPROFILE%\AppData\Roaming\*.*
    %USERPROFILE%\AppData\Roaming\*.
    %Public%\Documents\Softwrap\YOYOGAMESGM70FINAL\*.exe
    %Public%\Documents\Fonts\*.exe
    %Public%\Documents\Config\*.exe
    %Public%\Documents\*.*
    %ProgramData%\*.*
    %ProgramData%\*.
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\ComObjects*.exe
    %PROGRAMFILES%\*.*
    %PROGRAMFILES%\*.
    %ProgramFiles(x86)%\*.*
    %ProgramFiles(x86)%\*.
    %systemroot%\system32\config\systemprofile\AppData\Local\*.*
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Local\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.*
    %windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.tlb
    %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.tlb
    %windir%\temp\*.exe
    %windir%\*.
    %windir%\installer\*.
    %windir%\system32\*.
    %windir%\sysnative\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\syswow64\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\syswow64\drivers\*.sys /90
    %systemroot%\syswow64\drivers\*.sys /lockedfiles
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %systemroot%\assembly\GAC_64\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    consrv.dll
    services.exe
    explorer.exe
    lsass.exe
    svchost.exe
    wininit.exe
    winlogon.exe
    userinit.exe
    atapi.sys
    iaStor.sys
    serial.sys
    volsnap.sys
    disk.sys
    redbook.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    csc.sys
    tcpip.sys
    dfsc.sys
    hlp.dat
    str.sys
    crexv.ocx
    /md5stop

  • Push the scan button.
  • One report will open, copy and paste it in a reply here:
    • OTL.txt <-- Will be opened


Regards,
Georgi

Edited by B-boy/StyLe/, 06 September 2012 - 06:56 AM.



#3 mattsbach

mattsbach
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  • Local time:04:24 PM

Posted 06 September 2012 - 10:23 AM

Thank you for responding and explaining - yes, I want to continue! I will change my passwords later. Here are the logs:


Rkill 2.3.6 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/06/2012 11:10:50 AM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop.

* No malware services found to stop.

Checking for processes to terminate.

* No malware processes found to kill.

Checking Registry for malware related settings.

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks.

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
* HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
* HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
* C:\$Recycle.Bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-21-2155120952-764981566-888926259-1000\$b9a85bf4fa72097a2079c05dc739741c\ [ZA Dir]

Checking Windows Service Integrity:

* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual

* BFE [Missing Service]
* BITS [Missing Service]
* iphlpsvc [Missing Service]
* WinDefend [Missing Service]
* wscsvc [Missing Service]
* wuauserv [Missing Service]

* MpsSvc [Missing ImagePath]
* SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Program finished at: 09/06/2012 11:10:54 AM
Execution time: 0 hours(s), 0 minute(s), and 3 seconds(s)




RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 09/06/2012 11:12:03

Bad processes : 2
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : -> KILLED [TermProc]

Registry Entries : 15
[RUN][BLACKLIST DLL] HKLM\[...]\Run : dmetwe (rundll32.exe "C:\Users\Owner\AppData\Roaming\dmetwe.dll",BeginExternalBackup) -> FOUND
[RUN][BLACKLIST DLL] HKLM\[...]\Run : rvcwet ("C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\rvcwet.dll",Int_AsUnsignedLongLongMask) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Owner\AppData\Local\{b9a85bf4-fa72-097a-2079-c05dc739741c}\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-2155120952-764981566-888926259-1000\$b9a85bf4fa72097a2079c05dc739741c\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\n.) -> FOUND

Particular Files / Folders:
[ZeroAccess][FILE] @ : C:\Windows\Installer\{b9a85bf4-fa72-097a-2079-c05dc739741c}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Windows\Installer\{b9a85bf4-fa72-097a-2079-c05dc739741c}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Windows\Installer\{b9a85bf4-fa72-097a-2079-c05dc739741c}\L --> FOUND
[ZeroAccess][FILE] @ : C:\Users\Owner\AppData\Local\{b9a85bf4-fa72-097a-2079-c05dc739741c}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Users\Owner\AppData\Local\{b9a85bf4-fa72-097a-2079-c05dc739741c}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Users\Owner\AppData\Local\{b9a85bf4-fa72-097a-2079-c05dc739741c}\L --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\@ --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-2155120952-764981566-888926259-1000\$b9a85bf4fa72097a2079c05dc739741c\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-2155120952-764981566-888926259-1000\$b9a85bf4fa72097a2079c05dc739741c\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-2155120952-764981566-888926259-1000\$b9a85bf4fa72097a2079c05dc739741c\L --> FOUND

Driver : [NOT LOADED]

Infection : ZeroAccess

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
[...]


MBR Check:

+++++ PhysicalDrive0: ST3500413AS +++++
--- User ---
[MBR] 2cac9c766e6ffc7f583a14502ca2e15a
[BSP] 63f74c59d582e555017726afdcb9fe7e : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 463507 Mo
1 - [XXXXXX] ACRONIS (0xbc) [VISIBLE] Offset (sectors): 949264785 | Size: 13431 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST31000524AS +++++
--- User ---
[MBR] 322899c2a54094e44899499ca56f7de3
[BSP] e46d8f3265d5b94631048073cd6e8668 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: SAMSUNG HD103SI USB Device +++++
--- User ---
[MBR] cee59e271d2b74fd7a9292b82c412b42
[BSP] 6c8c0973d29c5252be0a356bfc0c95e9 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive3: WD My Passport 070A USB Device +++++
--- User ---
[MBR] d978220b10d68b91d94c189e34891a9f
[BSP] 83456e26d054cf5060234c139ab1e876 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476269 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive4: STECH Simple Drive USB Device +++++
--- User ---
[MBR] 79220d0850067126b951bf58b283ca72
[BSP] c0cbcce89308ca4fa1f9e17ee5626a04 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt
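As an added example (not code from this thread, nor from MBAM, Rkill or RogueKiller), a small Python triage script that scans pasted log lines for the ZeroAccess artefacts shown in the three logs above: the `$<32 hex>` folder under a per-SID `$Recycle.Bin`, the same id written as a GUID folder under `Windows\Installer` or `AppData\Local`, hijacked CLSID `InprocServer32` values, the deleted core services, and the silenced Security Center / UAC settings. The sample lines are constructed from the logs in this thread; the regexes, the `Findings` structure and the service list are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the MBAM, Rkill and
# RogueKiller output quoted above, plus one benign FRST line as a control.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
C:\$RECYCLE.BIN\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\U\80000000.@ (Trojan.0Access) -> No action taken.
C:\Windows\Installer\{b9a85bf4-fa72-097a-2079-c05dc739741c}\U\80000000.@ (Rootkit.0Access.64) -> No action taken.
* HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
* C:\$Recycle.Bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\ [ZA Dir]
* BFE [Missing Service]
* wuauserv [Missing Service]
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Owner\AppData\Local\{b9a85bf4-fa72-097a-2079-c05dc739741c}\n.) -> FOUND
C:\Program Files (x86)\Lexmark S800 Series\lxefmon.exe [713384 2010-09-30] ()
"""

# "$<32 hex>" folder under a per-SID $Recycle.Bin directory (MBAM and Rkill lines).
RECYCLE_DIR = re.compile(r"\$recycle\.bin\\(S-1-5-[0-9-]+)\\\$([0-9a-f]{32})", re.I)
# The same id written as a GUID folder under Windows\Installer or AppData\Local.
GUID_DIR = re.compile(
    r"\\(?:Installer|AppData\\Local)\\\{([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}\\", re.I)
# COM class whose InprocServer32 value Rkill flagged as a ZeroAccess hijack.
CLSID_INPROC = re.compile(r"CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32", re.I)
# Rkill's "[Missing Service]" / "[Missing ImagePath]" lines.
MISSING_SVC = re.compile(r"^\*\s+(\S+)\s+\[Missing (?:Service|ImagePath)\]")
# Core Windows services the Rkill log above reports as missing (assumed list).
CORE_SERVICES = {"bfe", "bits", "iphlpsvc", "windefend", "wscsvc",
                 "wuauserv", "mpssvc", "sharedaccess"}


@dataclass
class Findings:
    recycle_dirs: list = field(default_factory=list)      # (sid, hex id) pairs
    guid_dirs: list = field(default_factory=list)         # GUID folder ids
    hijacked_clsids: list = field(default_factory=list)   # CLSIDs with hijacked InprocServer32
    missing_services: list = field(default_factory=list)  # core services Rkill could not find
    security_center_muted: int = 0                        # PUM.Disabled.SecurityCenter hits
    uac_disabled: bool = False                            # EnableLUA (0)
    infection_ids: set = field(default_factory=set)       # ids seen in both folder forms

    @property
    def is_zeroaccess(self) -> bool:
        """True when a ZeroAccess-specific artefact (not just a weakened setting) was seen."""
        return bool(self.recycle_dirs or self.hijacked_clsids or self.infection_ids)


def analyze(lines):
    """Scan log lines and collect ZeroAccess indicators plus weakened-defence signs."""
    f = Findings()
    recycle_ids, guid_ids = set(), set()
    for raw in lines:
        line = raw.strip()
        m = RECYCLE_DIR.search(line)
        if m:
            sid, hex_id = m.group(1), m.group(2).lower()
            if (sid, hex_id) not in f.recycle_dirs:
                f.recycle_dirs.append((sid, hex_id))
            recycle_ids.add(hex_id)
        m = GUID_DIR.search(line)
        if m:
            guid = m.group(1).lower()
            if guid not in f.guid_dirs:
                f.guid_dirs.append(guid)
            guid_ids.add(guid.replace("-", ""))
        m = CLSID_INPROC.search(line)
        if m and ("[ZA Reg Hijack]" in line or "ZeroAccess" in line):
            clsid = m.group(1).lower()
            if clsid not in f.hijacked_clsids:
                f.hijacked_clsids.append(clsid)
        m = MISSING_SVC.match(line)
        if m and m.group(1).lower() in CORE_SERVICES:
            f.missing_services.append(m.group(1))
        if "PUM.Disabled.SecurityCenter" in line:
            f.security_center_muted += 1
        if "EnableLUA (0)" in line:
            f.uac_disabled = True
    # A $Recycle.Bin id and a GUID folder with the same 32 hex digits belong to
    # the same dropper instance: the strongest correlation in these logs.
    f.infection_ids = recycle_ids & guid_ids
    return f


def summarize(f):
    """Render the findings as the short checklist a helper would post back."""
    out = [f"ZeroAccess artefacts present: {'yes' if f.is_zeroaccess else 'no'}"]
    for sid, hex_id in f.recycle_dirs:
        out.append(f"  hidden folder $Recycle.Bin\\{sid}\\${hex_id}")
    for guid in f.guid_dirs:
        out.append(f"  GUID folder {{{guid}}}")
    for clsid in f.hijacked_clsids:
        out.append(f"  InprocServer32 hijack on CLSID {clsid}")
    if f.infection_ids:
        out.append(f"  correlated dropper id(s): {', '.join(sorted(f.infection_ids))}")
    if f.missing_services:
        out.append(f"  core services removed: {', '.join(f.missing_services)}")
    if f.security_center_muted:
        out.append(f"  Security Center notifications silenced ({f.security_center_muted} values)")
    if f.uac_disabled:
        out.append("  UAC disabled (EnableLUA = 0)")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(analyze(SAMPLE_LOG.splitlines()))))
```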

#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:24 PM

Posted 06 September 2012 - 10:32 AM

Hi,



You will need a flash drive.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.



Regards,
Georgi



#5 mattsbach

mattsbach
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  • Local time:04:24 PM

Posted 06 September 2012 - 11:09 AM

Scan result of Farbar Recovery Scan Tool (x64) Version: 05-09-2012
Ran by SYSTEM at 06-09-2012 12:04:32
Running from G:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [BTMTrayAgent] rundll32.exe "C:\Program Files\Motorola\Bluetooth\btmshell.dll",TrayApp [21705296 2010-11-30] ()
HKLM\...\Run: [lxefmon.exe] "C:\Program Files (x86)\Lexmark S800 Series\lxefmon.exe" [713384 2010-09-30] ()
HKLM\...\Run: [EzPrint] "C:\Program Files (x86)\Lexmark S800 Series\ezprint.exe" [148288 2010-09-30] ()
HKLM\...\Run: [HDSPTray1] hdsp32.exe [x]
HKLM\...\Run: [HDSPTray2] hdspmix.exe [x]
HKLM\...\Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [57928 2011-01-11] (LogMeIn, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-30] (Adobe Systems Incorporated)
HKLM\...\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" [1873256 2011-08-10] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [dmetwe] rundll32.exe "C:\Users\Owner\AppData\Roaming\dmetwe.dll",BeginExternalBackup [164864 2012-09-05] ()
HKLM\...\Run: [rvcwet] "C:\Windows\System32\rundll32.exe" "C:\Users\Owner\AppData\Roaming\rvcwet.dll",Int_AsUnsignedLongLongMask [675328 2012-09-05] ()
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2011-04-14] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Lexmark S800 Series] "C:\Program Files (x86)\Lexmark S800 Series\fm3032.exe" /s [316120 2011-03-18] ()
HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36800 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [823224 2012-07-27] (Adobe Systems Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Owner\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Owner\...\Policies\system: [LogonHoursAction] 2
HKU\Owner\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\n. ATTENTION! ====> ZeroAccess
Startup: C:\Users\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk
ShortcutTarget: MozyHome Status.lnk -> C:\Program Files\MozyHome\mozystat.exe (Mozy, Inc.)
Startup: C:\Users\Owner\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services ====================

3 Bluetooth Device Manager; "C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe" [4150864 2010-11-30] (Motorola, Inc.)
3 Bluetooth Media Service; "C:\Program Files\Motorola\Bluetooth\audiosrv.exe" [1188616 2010-11-30] (Motorola, Inc.)
2 Bluetooth OBEX Service; "C:\Program Files\Motorola\Bluetooth\obexsrv.exe" [679176 2010-11-30] (Motorola, Inc.)
2 LMIGuardianSvc; "C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe" [375208 2012-07-11] (LogMeIn, Inc.)
2 LMIMaint; "C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe" [147368 2012-07-11] (LogMeIn, Inc.)
2 LogMeIn; "C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe" [407424 2011-01-11] (LogMeIn, Inc.)
2 lxefCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxefserv.exe [45224 2010-09-09] (Lexmark International, Inc.)
2 lxef_device; C:\Windows\system32\lxefcoms.exe -service [1070760 2010-09-09] ( )
2 lxef_device; C:\Windows\SysWow64\lxefcoms.exe -service [598696 2010-09-09] ( )
2 mozybackup; "C:\Program Files\MozyHome\mozybackup.exe" [54040 2011-08-04] (Mozy, Inc.)
3 OpenVPNService; C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe [36352 2009-10-01] ()
3 SandraAgentSrv; C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2011.SP3\RpcAgentSrv.exe [93848 2009-08-10] (SiSoftware)
2 SpyHunter 4 Service; C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [995744 2012-01-18] (Enigma Software Group USA, LLC.)

==================== Drivers =================================

1 cbfs3; C:\Windows\System32\Drivers\cbfs3.sys [321424 2010-11-30] (EldoS Corporation)
3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [13088 2011-03-02] ()
3 hdsp; C:\Windows\System32\Drivers\hdsp.sys [69632 2011-08-03] (RME)
0 hotcore3; C:\Windows\System32\Drivers\hotcore3.sys [37456 2010-10-12] (Paragon Software Group)
2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [15928 2011-01-11] (LogMeIn, Inc.)
3 lmimirr; C:\Windows\System32\Drivers\lmimirr.sys [11552 2011-01-11] (LogMeIn, Inc.)
2 LMIRfsDriver; C:\Windows\System32\Drivers\LMIRfsDriver.sys [72216 2011-01-11] (LogMeIn, Inc.)
1 mozyFilter; C:\Windows\System32\DRIVERS\mozy.sys [66552 2011-08-04] (Mozy, Inc.)
0 mv61xx; C:\Windows\System32\Drivers\mv61xx.sys [181040 2010-10-26] (Marvell Semiconductor, Inc.)
3 radpms; C:\Windows\System32\Drivers\radpms.sys [14944 2011-01-11] (LogMeIn, Inc.)
3 SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2011.SP3\WNt500x64\Sandra.sys [23112 2009-08-07] (SiSoftware)
3 tapoas; C:\Windows\System32\Drivers\tapoas.sys [30720 2011-03-23] (The OpenVPN Project)
1 UimBus; C:\Windows\System32\DRIVERS\uimx64.sys [50768 2010-10-12] (Windows ® 2000 DDK provider)
1 Uim_IM; C:\Windows\System32\Drivers\Uim_IMx64.sys [566864 2010-10-12] (Paragon)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
4 LMIRfsClientNP; [x]

==================== NetSvcs (Whitelisted) =================


==================== One Month Created Files and Folders ======================

2012-09-06 07:21 - 2012-09-06 07:21 - 00380944 ____A C:\Users\Owner\Desktop\OTL.Txt
2012-09-06 07:21 - 2012-09-06 07:21 - 00054826 ____A C:\Users\Owner\Desktop\Extras.Txt
2012-09-06 07:13 - 2012-09-06 07:13 - 00599040 ____A (OldTimer Tools) C:\Users\Owner\Desktop\OTL.scr
2012-09-06 07:12 - 2012-09-06 07:12 - 00009146 ____A C:\Users\Owner\Desktop\RKreport[1].txt
2012-09-06 07:11 - 2012-09-06 07:12 - 00000000 ____D C:\Users\Owner\Desktop\RK_Quarantine
2012-09-06 07:10 - 2012-09-06 07:10 - 01378816 ____A C:\Users\Owner\Desktop\RogueKiller.exe
2012-09-06 07:09 - 2012-09-06 07:10 - 00003886 ____A C:\Users\Owner\Desktop\Rkill.txt
2012-09-06 07:09 - 2012-09-06 07:09 - 01623456 ____A (Bleeping Computer, LLC) C:\Users\Owner\Desktop\rkill.exe
2012-09-05 10:59 - 2012-09-06 07:59 - 00006531 ____A C:\Users\Owner\AppData\Local\chromeupdate.crx
2012-09-05 10:59 - 2012-09-05 10:59 - 00675328 ____A C:\Users\Owner\AppData\Roaming\rvcwet.dll
2012-09-05 10:59 - 2012-09-05 10:59 - 00000000 ____D C:\Users\Owner\AppData\Local\{B9B14501-F78B-11E1-8270-B8AC6F996F26}
2012-09-05 10:58 - 2012-09-05 10:58 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-09-05 10:58 - 2012-09-05 10:57 - 00164864 __ASH C:\Users\Owner\AppData\Roaming\dmetwe.dll
2012-09-05 00:47 - 2012-09-05 00:47 - 00000132 ____A C:\Users\Owner\AppData\Roaming\Adobe GIF Format CS5 Prefs
2012-09-04 21:01 - 2012-09-04 21:01 - 00000000 ____D C:\ProgramData{C6C9C6CD-FFB-4EAF-99F4-23ACA04FD024}
2012-09-04 21:01 - 2012-09-04 21:01 - 00000000 ____D C:\ProgramData{98375B5F-B89D-4736-A581-7BB55E0D490E}
2012-09-04 10:36 - 2012-09-04 10:37 - 00000000 ____D C:\Users\Owner\Desktop\shellys
2012-09-02 17:37 - 2012-09-02 17:37 - 01034216 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-09-02 17:37 - 2012-09-02 17:37 - 00916456 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2012-09-02 17:37 - 2012-09-02 17:37 - 00289768 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-09-02 17:37 - 2012-09-02 17:37 - 00189416 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-09-02 17:37 - 2012-09-02 17:37 - 00188904 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-09-02 17:37 - 2012-09-02 17:37 - 00108008 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge-64.dll
2012-09-02 17:37 - 2012-09-02 17:37 - 00000000 ____D C:\Program Files\Java
2012-08-27 19:29 - 2012-08-27 19:29 - 00000000 ____D C:\Users\Owner\Desktop\purchased
2012-08-14 23:01 - 2012-06-28 20:55 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-14 23:01 - 2012-06-28 20:09 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-14 23:01 - 2012-06-28 19:56 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-14 23:01 - 2012-06-28 19:49 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-14 23:01 - 2012-06-28 19:49 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-14 23:01 - 2012-06-28 19:48 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-14 23:01 - 2012-06-28 19:47 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-14 23:01 - 2012-06-28 19:45 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-14 23:01 - 2012-06-28 19:44 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-14 23:01 - 2012-06-28 19:43 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-14 23:01 - 2012-06-28 19:42 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-14 23:01 - 2012-06-28 19:40 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-14 23:01 - 2012-06-28 19:39 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-14 23:01 - 2012-06-28 19:35 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-14 23:01 - 2012-06-28 16:52 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-14 23:01 - 2012-06-28 16:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-14 23:01 - 2012-06-28 16:16 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-14 23:01 - 2012-06-28 16:09 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-14 23:01 - 2012-06-28 16:09 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-14 23:01 - 2012-06-28 16:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-14 23:01 - 2012-06-28 16:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-14 23:01 - 2012-06-28 16:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-14 23:01 - 2012-06-28 16:04 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-14 23:01 - 2012-06-28 16:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-14 23:01 - 2012-06-28 16:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-14 23:01 - 2012-06-28 16:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-14 23:01 - 2012-06-28 16:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-14 23:01 - 2012-06-28 15:57 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-14 19:54 - 2012-07-18 10:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-14 19:54 - 2012-07-04 14:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-14 19:54 - 2012-07-04 14:13 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-14 19:54 - 2012-07-04 14:13 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-14 19:54 - 2012-07-04 13:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-08-14 19:54 - 2012-07-04 13:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-08-14 19:54 - 2012-05-13 21:26 - 00956928 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-14 19:54 - 2012-05-05 00:36 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2012-08-14 19:54 - 2012-05-04 23:46 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2012-08-14 19:54 - 2012-02-10 22:43 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2012-08-14 19:54 - 2012-02-10 22:36 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2012-08-14 19:54 - 2012-02-10 22:36 - 00067072 ____A (Microsoft Corporation) C:\Windows\splwow64.exe
2012-08-14 19:54 - 2012-02-10 21:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

==================== 3 Months Modified Files ================================

2012-09-06 07:59 - 2012-09-05 10:59 - 00006531 ____A C:\Users\Owner\AppData\Local\chromeupdate.crx
2012-09-06 07:59 - 2012-03-05 11:43 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-06 07:59 - 2011-06-29 07:51 - 02015042 ____A C:\Windows\WindowsUpdate.log
2012-09-06 07:58 - 2012-04-02 17:09 - 00004607 ____A C:\Windows\setupact.log
2012-09-06 07:58 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-06 07:57 - 2011-07-23 11:06 - 00000600 ____A C:\Users\Owner\AppData\Roaming\winscp.rnd
2012-09-06 07:48 - 2011-09-01 16:21 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2155120952-764981566-888926259-1000UA.job
2012-09-06 07:39 - 2011-11-15 08:42 - 00001456 ____A C:\Users\Owner\AppData\Local\Adobe Save for Web 12.0 Prefs
2012-09-06 07:21 - 2012-09-06 07:21 - 00380944 ____A C:\Users\Owner\Desktop\OTL.Txt
2012-09-06 07:21 - 2012-09-06 07:21 - 00054826 ____A C:\Users\Owner\Desktop\Extras.Txt
2012-09-06 07:19 - 2012-04-16 11:50 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-06 07:13 - 2012-09-06 07:13 - 00599040 ____A (OldTimer Tools) C:\Users\Owner\Desktop\OTL.scr
2012-09-06 07:12 - 2012-09-06 07:12 - 00009146 ____A C:\Users\Owner\Desktop\RKreport[1].txt
2012-09-06 07:10 - 2012-09-06 07:10 - 01378816 ____A C:\Users\Owner\Desktop\RogueKiller.exe
2012-09-06 07:10 - 2012-09-06 07:09 - 00003886 ____A C:\Users\Owner\Desktop\Rkill.txt
2012-09-06 07:09 - 2012-09-06 07:09 - 01623456 ____A (Bleeping Computer, LLC) C:\Users\Owner\Desktop\rkill.exe
2012-09-06 07:04 - 2009-07-13 20:45 - 00022096 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-06 07:04 - 2009-07-13 20:45 - 00022096 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-06 07:01 - 2009-07-13 21:13 - 00730146 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-06 06:58 - 2012-03-05 11:43 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-05 13:45 - 2012-04-16 20:27 - 00009882 ____A C:\Windows\PFRO.log
2012-09-05 10:59 - 2012-09-05 10:59 - 00675328 ____A C:\Users\Owner\AppData\Roaming\rvcwet.dll
2012-09-05 10:58 - 2012-09-05 10:58 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-09-05 10:58 - 2012-08-01 13:45 - 00821736 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-09-05 10:58 - 2011-11-17 13:32 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-09-05 10:58 - 2011-11-17 13:32 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-09-05 10:58 - 2011-11-17 13:32 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-09-05 10:58 - 2011-06-29 09:49 - 00746984 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-09-05 10:57 - 2012-09-05 10:58 - 00164864 __ASH C:\Users\Owner\AppData\Roaming\dmetwe.dll
2012-09-05 00:47 - 2012-09-05 00:47 - 00000132 ____A C:\Users\Owner\AppData\Roaming\Adobe GIF Format CS5 Prefs
2012-09-04 23:48 - 2011-09-01 16:21 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2155120952-764981566-888926259-1000Core.job
2012-09-04 23:27 - 2011-08-04 11:15 - 00007254 ____A C:\Windows\mozy.blk
2012-09-04 23:27 - 2011-08-04 11:15 - 00003904 ____A C:\Windows\mozy.flt
2012-09-04 21:00 - 2011-07-23 09:40 - 00012335 ____A C:\Users\All Users\lxefJSW.log
2012-09-03 15:29 - 2012-07-25 09:56 - 00004838 ____A C:\Windows\System32\Drivers\etc\hostsbakup.txt
2012-09-02 17:37 - 2012-09-02 17:37 - 01034216 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-09-02 17:37 - 2012-09-02 17:37 - 00916456 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2012-09-02 17:37 - 2012-09-02 17:37 - 00289768 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-09-02 17:37 - 2012-09-02 17:37 - 00189416 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-09-02 17:37 - 2012-09-02 17:37 - 00188904 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-09-02 17:37 - 2012-09-02 17:37 - 00108008 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge-64.dll
2012-08-30 13:02 - 2011-09-08 20:11 - 00187296 ___AH C:\Windows\SysWOW64\mlfcache.dat
2012-08-29 13:01 - 2012-04-16 11:50 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-29 13:01 - 2011-11-21 10:51 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-28 14:41 - 2011-09-18 21:05 - 00000505 ____A C:\Windows\demdata.txt
2012-08-27 07:59 - 2009-07-13 20:45 - 05907256 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-27 00:07 - 2011-06-29 08:19 - 00109456 ____A C:\Users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-14 23:00 - 2011-06-29 09:01 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-06 15:45 - 2012-08-06 15:44 - 00000132 ____A C:\Users\Owner\AppData\Roaming\Adobe IllExport Filter CS5 Prefs
2012-08-01 14:03 - 2009-07-13 21:08 - 00032550 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-01 13:02 - 2012-08-01 12:54 - 00000042 ____A C:\repairs_running.dat
2012-08-01 13:02 - 2012-08-01 12:52 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
2012-08-01 13:01 - 2011-09-29 16:26 - 00730320 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-01 11:29 - 2012-08-01 11:29 - 00001187 ____A C:\AdwCleaner[S1].txt
2012-07-28 23:55 - 2009-07-13 18:34 - 00003918 ____A C:\Windows\System32\Drivers\etc\hosts_bak_285
2012-07-25 18:11 - 2012-07-25 18:11 - 20240896 ____A () C:\Users\Owner\Downloads\Adobe Tool.exe
2012-07-19 10:59 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-07-18 10:15 - 2012-08-14 19:54 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 19:58 - 2011-08-31 09:38 - 00087488 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll
2012-07-11 19:58 - 2011-08-31 09:38 - 00080800 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll
2012-07-11 19:58 - 2011-08-31 09:38 - 00034720 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll
2012-07-04 14:16 - 2012-08-14 19:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 14:13 - 2012-08-14 19:54 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 14:13 - 2012-08-14 19:54 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 13:16 - 2012-08-14 19:54 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 13:14 - 2012-08-14 19:54 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-07-03 09:46 - 2011-07-23 11:06 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-28 20:55 - 2012-08-14 23:01 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-28 20:09 - 2012-08-14 23:01 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-28 19:56 - 2012-08-14 23:01 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-28 19:49 - 2012-08-14 23:01 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-28 19:49 - 2012-08-14 23:01 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-28 19:48 - 2012-08-14 23:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-28 19:47 - 2012-08-14 23:01 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-28 19:45 - 2012-08-14 23:01 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-28 19:44 - 2012-08-14 23:01 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-28 19:43 - 2012-08-14 23:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-28 19:42 - 2012-08-14 23:01 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-28 19:40 - 2012-08-14 23:01 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-28 19:39 - 2012-08-14 23:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-28 19:35 - 2012-08-14 23:01 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-28 16:52 - 2012-08-14 23:01 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-28 16:27 - 2012-08-14 23:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-28 16:16 - 2012-08-14 23:01 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-28 16:09 - 2012-08-14 23:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-28 16:09 - 2012-08-14 23:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-28 16:08 - 2012-08-14 23:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-28 16:07 - 2012-08-14 23:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-28 16:06 - 2012-08-14 23:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-28 16:04 - 2012-08-14 23:01 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-28 16:04 - 2012-08-14 23:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-28 16:01 - 2012-08-14 23:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-28 16:01 - 2012-08-14 23:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-28 16:00 - 2012-08-14 23:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-28 15:57 - 2012-08-14 23:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll


ZeroAccess:
C:\Windows\Installer\{b9a85bf4-fa72-097a-2079-c05dc739741c}
C:\Windows\Installer\{b9a85bf4-fa72-097a-2079-c05dc739741c}\@
C:\Windows\Installer\{b9a85bf4-fa72-097a-2079-c05dc739741c}\L
C:\Windows\Installer\{b9a85bf4-fa72-097a-2079-c05dc739741c}\U
C:\Windows\Installer\{b9a85bf4-fa72-097a-2079-c05dc739741c}\U\00000001.@
C:\Windows\Installer\{b9a85bf4-fa72-097a-2079-c05dc739741c}\U\800000cb.@

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2155120952-764981566-888926259-1000\$b9a85bf4fa72097a2079c05dc739741c

ZeroAccess:
C:\Users\Owner\AppData\Local\{b9a85bf4-fa72-097a-2079-c05dc739741c}
C:\Users\Owner\AppData\Local\{b9a85bf4-fa72-097a-2079-c05dc739741c}\@
C:\Users\Owner\AppData\Local\{b9a85bf4-fa72-097a-2079-c05dc739741c}\L
C:\Users\Owner\AppData\Local\{b9a85bf4-fa72-097a-2079-c05dc739741c}\U

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-02 17:37:37
Restore point made on: 2012-09-02 23:23:28
Restore point made on: 2012-09-05 10:58:17

==================== Memory info ===========================

Percentage of memory in use: 9%
Total physical RAM: 8174.22 MB
Available physical RAM: 7406.12 MB
Total Pagefile: 8172.42 MB
Available Pagefile: 7393.79 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

==================== Partitions ============================

1 Drive c: (OS) (Fixed) (Total:452.64 GB) (Free:374.93 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Storage) (Fixed) (Total:931.51 GB) (Free:931.38 GB) NTFS
4 Drive f: (WD SmartWare) (CDROM) (Total:0.6 GB) (Free:0 GB) UDF
5 Drive g: (PATRIOT) (Removable) (Total:3.73 GB) (Free:3.65 GB) FAT32
6 Drive h: (My Passport) (Fixed) (Total:465.11 GB) (Free:394.3 GB) NTFS
7 Drive i: (ScribbyWibby) (Fixed) (Total:931.51 GB) (Free:53.75 GB) NTFS
8 Drive j: (SimpleDrive) (Fixed) (Total:465.76 GB) (Free:367.42 GB) NTFS
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 931 GB 0 B
Disk 2 Online 3824 MB 0 B
Disk 3 Online 465 GB 0 B
Disk 4 Online 931 GB 0 B
Disk 5 Online 465 GB 1024 KB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 452 GB 1024 KB
Partition 2 Primary 13 GB 452 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 452 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : BC
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 931 GB 1024 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D Storage NTFS Partition 931 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3820 MB 4032 KB

==================================================================================

Disk: 2
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G PATRIOT FAT32 Removable 3820 MB Healthy

==================================================================================

Partitions of Disk 3:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 465 GB 1024 KB

==================================================================================

Disk: 3
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H My Passport NTFS Partition 465 GB Healthy

==================================================================================

Partitions of Disk 4:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 931 GB 31 KB

==================================================================================

Disk: 4
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 I ScribbyWibb NTFS Partition 931 GB Healthy

==================================================================================

Partitions of Disk 5:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 465 GB 31 KB

==================================================================================

Disk: 5
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 J SimpleDrive NTFS Partition 465 GB Healthy

==================================================================================

Last Boot: 2012-09-05 20:30

==================== End Of Log =============================

#6 B-boy/StyLe/ (Bleepin' Freestyler)

  • Malware Response Team
  • 8,307 posts
  • Location: Bulgaria

Posted 06 September 2012 - 01:07 PM

Hi,


Please download the following file - [attachment=129696:fixlist.txt] to the USB drive.

You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now please enter System Recovery Options as you did before.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


Regards,
Georgi



#7 mattsbach (Topic Starter)

  • Members
  • 85 posts

Posted 06 September 2012 - 01:53 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-09-2012
Ran by SYSTEM at 2012-09-06 14:50:18 Run:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\dmetwe Value deleted successfully.
C:\Users\Owner\AppData\Roaming\dmetwe.dll moved successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\rvcwet Value deleted successfully.
C:\Users\Owner\AppData\Roaming\rvcwet.dll moved successfully.
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).
C:\$Recycle.Bin\S-1-5-21-2155120952-764981566-888926259-1000\$b9a85bf4fa72097a2079c05dc739741c moved successfully.
C:\Windows\Installer\{b9a85bf4-fa72-097a-2079-c05dc739741c} moved successfully.
C:\Users\Owner\AppData\Local\{b9a85bf4-fa72-097a-2079-c05dc739741c} moved successfully.

==== End of Fixlog ====

#8 B-boy/StyLe/ (Bleepin' Freestyler)

  • Malware Response Team
  • 8,307 posts
  • Location: Bulgaria

Posted 06 September 2012 - 02:16 PM

Hi,



We Need to Run a Registry Script

  • Press the Windows Logo in the lower left corner of your screen.
  • In the search box, enter notepad and press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into notepad.
    Windows Registry Editor Version 5.00
    
    [-HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
    
  • Select File -> Save.
  • Press the Desktop button on the left side of the save dialog.
  • In the File name box, type in Fix.reg.
  • Press Save.
  • Close Notepad.
  • Double click Fix.reg on your desktop.
  • Press Yes if prompted by User Account Control.
  • Press Yes, and then Ok, when prompted.
  • Right click on Fix.reg and choose Delete.
  • Press Yes.


Next please rerun RogueKiller.
Wait until Prescan has finished.
Click on Scan.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Post the log in your next reply.


Regards,
Georgi



#9 mattsbach (Topic Starter)

  • Members
  • 85 posts

Posted 06 September 2012 - 02:27 PM

By accident I ran Rkill before running RogueKiller, after doing the reg fix. Not sure if that's a problem, but I wanted to mention it.


RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 09/06/2012 15:26:26

Bad processes : 0

Registry Entries : 15
[TASK][PREVRUN] ProgramDataUpdater : C:\Windows\System32\rundll32.exe -> FOUND
[TASK][PREVRUN] Proxy : C:\Windows\System32\rundll32.exe -> FOUND
[TASK][PREVRUN] SR : C:\Windows\System32\rundll32.exe -> FOUND
[TASK][PREVRUN] IpAddressConflict1 : C:\Windows\System32\rundll32.exe -> FOUND
[TASK][PREVRUN] IpAddressConflict2 : C:\Windows\System32\rundll32.exe -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Owner\AppData\Local\{b9a85bf4-fa72-097a-2079-c05dc739741c}\n.) -> FOUND

Particular Files / Folders:
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\L --> FOUND

Driver : [NOT LOADED]

Infection : ZeroAccess

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 pagead2.googlesyndication.com
127.0.0.1 partner.googleadservices.com
127.0.0.1 imageads.googleadservices.com
127.0.0.1 imageads1.googleadservices.com
127.0.0.1 imageads2.googleadservices.com
127.0.0.1 imageads3.googleadservices.com
127.0.0.1 imageads4.googleadservices.com
127.0.0.1 imageads5.googleadservices.com
127.0.0.1 imageads6.googleadservices.com
127.0.0.1 imageads7.googleadservices.com
[...]


MBR Check:

+++++ PhysicalDrive0: ST3500413AS +++++
--- User ---
[MBR] 2cac9c766e6ffc7f583a14502ca2e15a
[BSP] 63f74c59d582e555017726afdcb9fe7e : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 463507 Mo
1 - [XXXXXX] ACRONIS (0xbc) [VISIBLE] Offset (sectors): 949264785 | Size: 13431 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST31000524AS +++++
--- User ---
[MBR] 322899c2a54094e44899499ca56f7de3
[BSP] e46d8f3265d5b94631048073cd6e8668 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: SAMSUNG HD103SI USB Device +++++
--- User ---
[MBR] cee59e271d2b74fd7a9292b82c412b42
[BSP] 6c8c0973d29c5252be0a356bfc0c95e9 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive3: Patriot Memory USB Device +++++
--- User ---
[MBR] a3bfe63a27e913360f36e2a4b12c50b8
[BSP] 1fb662aabe739956a6b9c7a11a6ada7f : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 3820 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive4: WD My Passport 070A USB Device +++++
--- User ---
[MBR] d978220b10d68b91d94c189e34891a9f
[BSP] 83456e26d054cf5060234c139ab1e876 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476269 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

#10 B-boy/StyLe/ (Malware Response Team)

Posted 06 September 2012 - 02:49 PM

Hi,



Please re-run RogueKiller.
Wait until Prescan has finished.
Click on Scan.
Now click the Registry tab and locate this:

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Owner\AppData\Local\{b9a85bf4-fa72-097a-2079-c05dc739741c}\n.) -> FOUND

Place a checkmark on it, leave the others unchecked.
Now press the Delete button.

Now click on the Files tab

Place a checkmark on each of these items, leave the others unchecked.

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\L --> FOUND

Now press the Delete button.
If asked to restart the computer, please do so immediately.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Post the log in your next reply.



Regards,
Georgi


#11 mattsbach (Topic Starter)

Posted 06 September 2012 - 02:59 PM

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Remove -- Date : 09/06/2012 15:55:10

Bad processes : 0

Registry Entries : 14
[TASK][PREVRUN] ProgramDataUpdater : C:\Windows\System32\rundll32.exe -> NOT SELECTED
[TASK][PREVRUN] Proxy : C:\Windows\System32\rundll32.exe -> NOT SELECTED
[TASK][PREVRUN] SR : C:\Windows\System32\rundll32.exe -> NOT SELECTED
[TASK][PREVRUN] IpAddressConflict1 : C:\Windows\System32\rundll32.exe -> NOT SELECTED
[TASK][PREVRUN] IpAddressConflict2 : C:\Windows\System32\rundll32.exe -> NOT SELECTED
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> NOT SELECTED
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> NOT SELECTED
[HJ] HKLM\[...]\System : EnableLUA (0) -> NOT SELECTED
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> NOT SELECTED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> NOT SELECTED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> NOT SELECTED
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> NOT SELECTED

Particular Files / Folders:

Driver : [NOT LOADED]

Infection :

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com 3dns-5.adobe.com 3dns.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.adobe.com activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com adobe-dns-4.adobe.com adobe-dns.adobe.com adobeereg.com ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com practivate.adobe practivate.adobe.com practivate.adobe.ipp practivate.adobe.newoa
127.0.0.1 practivate.adobe.ntp wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com wwis-dubc1-vip100.adobe.com wwis-dubc1-vip101.adobe.com wwis-dubc1-vip102.adobe.com wwis-dubc1-vip103.adobe.com wwis-dubc1-vip104.adobe.com wwis-dubc1-vip105.adobe.com wwis-dubc1-vip106.adobe.com wwis-dubc1-vip107.adobe.com wwis-dubc1-vip108.adobe.com
127.0.0.1 wwis-dubc1-vip109.adobe.com wwis-dubc1-vip110.adobe.com wwis-dubc1-vip111.adobe.com wwis-dubc1-vip112.adobe.com wwis-dubc1-vip113.adobe.com wwis-dubc1-vip114.adobe.com wwis-dubc1-vip115.adobe.com wwis-dubc1-vip116.adobe.com wwis-dubc1-vip117.adobe.com wwis-dubc1-vip118.adobe.com wwis-dubc1-vip119.adobe.com wwis-dubc1-vip120.adobe.com wwis-dubc1-vip121.adobe.com wwis-dubc1-vip122.adobe.com wwis-dubc1-vip123.adobe.com
127.0.0.1 wwis-dubc1-vip124.adobe.com wwis-dubc1-vip125.adobe.com wwis-dubc1-vip30.adobe.com wwis-dubc1-vip31.adobe.com wwis-dubc1-vip32.adobe.com wwis-dubc1-vip33.adobe.com wwis-dubc1-vip34.adobe.com wwis-dubc1-vip35.adobe.com wwis-dubc1-vip36.adobe.com wwis-dubc1-vip37.adobe.com wwis-dubc1-vip38.adobe.com wwis-dubc1-vip39.adobe.com wwis-dubc1-vip40.adobe.com wwis-dubc1-vip41.adobe.com wwis-dubc1-vip42.adobe.com
127.0.0.1 wwis-dubc1-vip43.adobe.com wwis-dubc1-vip44.adobe.com wwis-dubc1-vip45.adobe.com wwis-dubc1-vip46.adobe.com wwis-dubc1-vip47.adobe.com wwis-dubc1-vip48.adobe.com wwis-dubc1-vip49.adobe.com wwis-dubc1-vip50.adobe.com wwis-dubc1-vip51.adobe.com wwis-dubc1-vip52.adobe.com wwis-dubc1-vip53.adobe.com wwis-dubc1-vip54.adobe.com wwis-dubc1-vip55.adobe.com wwis-dubc1-vip56.adobe.com wwis-dubc1-vip57.adobe.com
127.0.0.1 wwis-dubc1-vip58.adobe.com wwis-dubc1-vip59.adobe.com wwis-dubc1-vip60.adobe.com wwis-dubc1-vip61.adobe.com wwis-dubc1-vip62.adobe.com wwis-dubc1-vip63.adobe.com wwis-dubc1-vip64.adobe.com wwis-dubc1-vip65.adobe.com wwis-dubc1-vip66.adobe.com wwis-dubc1-vip67.adobe.com wwis-dubc1-vip68.adobe.com wwis-dubc1-vip69.adobe.com wwis-dubc1-vip70.adobe.com wwis-dubc1-vip71.adobe.com wwis-dubc1-vip72.adobe.com
127.0.0.1 wwis-dubc1-vip73.adobe.com wwis-dubc1-vip74.adobe.com wwis-dubc1-vip75.adobe.com wwis-dubc1-vip76.adobe.com wwis-dubc1-vip77.adobe.com wwis-dubc1-vip78.adobe.com wwis-dubc1-vip79.adobe.com wwis-dubc1-vip80.adobe.com wwis-dubc1-vip81.adobe.com wwis-dubc1-vip82.adobe.com wwis-dubc1-vip83.adobe.com wwis-dubc1-vip84.adobe.com wwis-dubc1-vip85.adobe.com wwis-dubc1-vip86.adobe.com wwis-dubc1-vip87.adobe.com
127.0.0.1 wwis-dubc1-vip88.adobe.com wwis-dubc1-vip89.adobe.com wwis-dubc1-vip90.adobe.com wwis-dubc1-vip91.adobe.com wwis-dubc1-vip92.adobe.com wwis-dubc1-vip93.adobe.com wwis-dubc1-vip94.adobe.com wwis-dubc1-vip95.adobe.com wwis-dubc1-vip96.adobe.com wwis-dubc1-vip97.adobe.com wwis-dubc1-vip98.adobe.com wwis-dubc1-vip99.adobe.com
127.0.0.1 pagead2.googlesyndication.com
127.0.0.1 partner.googleadservices.com
127.0.0.1 imageads.googleadservices.com
127.0.0.1 imageads1.googleadservices.com
127.0.0.1 imageads2.googleadservices.com
127.0.0.1 imageads3.googleadservices.com
127.0.0.1 imageads4.googleadservices.com
127.0.0.1 imageads5.googleadservices.com
127.0.0.1 imageads6.googleadservices.com
127.0.0.1 imageads7.googleadservices.com
[...]


MBR Check:

+++++ PhysicalDrive0: ST3500413AS +++++
--- User ---
[MBR] 2cac9c766e6ffc7f583a14502ca2e15a
[BSP] 63f74c59d582e555017726afdcb9fe7e : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 463507 Mo
1 - [XXXXXX] ACRONIS (0xbc) [VISIBLE] Offset (sectors): 949264785 | Size: 13431 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST31000524AS +++++
--- User ---
[MBR] 322899c2a54094e44899499ca56f7de3
[BSP] e46d8f3265d5b94631048073cd6e8668 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: SAMSUNG HD103SI USB Device +++++
--- User ---
[MBR] cee59e271d2b74fd7a9292b82c412b42
[BSP] 6c8c0973d29c5252be0a356bfc0c95e9 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive3: Patriot Memory USB Device +++++
--- User ---
[MBR] a3bfe63a27e913360f36e2a4b12c50b8
[BSP] 1fb662aabe739956a6b9c7a11a6ada7f : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 3820 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive4: WD My Passport 070A USB Device +++++
--- User ---
[MBR] d978220b10d68b91d94c189e34891a9f
[BSP] 83456e26d054cf5060234c139ab1e876 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476269 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[5].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt
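The two RogueKiller reports quoted in this thread (the earlier one that found ZeroAccess and this one after the Delete step) can be triaged mechanically. The Python below is an added example, not part of the thread and not RogueKiller's own code. It runs over abridged excerpts constructed from the quoted lines, groups the ZeroAccess entries by the 32 hex digits that, in this report, appear both in the hijacked InprocServer32 path under AppData\Local and in the $recycle.bin\S-1-5-18 folder name, lists the UAC values that are still 0, summarises the HOSTS redirects by parent domain, and diffs the two reports to confirm the cleanup. The line shapes it relies on ("[TAG][TAG] body -> STATUS", "-->" for file entries, a HOSTS section that ends at "MBR Check:") are inferred from the quoted output, not taken from RogueKiller documentation.

```python
import re
from collections import defaultdict

# Constructed, abridged excerpts of the two reports quoted in the thread.
BEFORE = r"""
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Owner\AppData\Local\{b9a85bf4-fa72-097a-2079-c05dc739741c}\n.) -> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$b9a85bf4fa72097a2079c05dc739741c\L --> FOUND
HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
127.0.0.1 activate.adobe.com practivate.adobe.com
127.0.0.1 pagead2.googlesyndication.com
[...]
MBR Check:
"""
AFTER = r"""
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> NOT SELECTED
[HJ] HKLM\[...]\System : EnableLUA (0) -> NOT SELECTED
HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
127.0.0.1 activate.adobe.com practivate.adobe.com
127.0.0.1 pagead2.googlesyndication.com
[...]
MBR Check:
"""

# Line shapes inferred from the quoted output (assumption, not a documented format).
ENTRY_RE = re.compile(r"^((?:\[[^\]]+\])+)\s*(.*?)\s*-{1,2}>\s*(\S.*)$")
UAC_RE = re.compile(r"\\System : (EnableLUA|ConsentPromptBehaviorAdmin) \((\d+)\)")
HEX32_RE = re.compile(r"([0-9a-f]{8})-?([0-9a-f]{4})-?([0-9a-f]{4})-?([0-9a-f]{4})-?([0-9a-f]{12})", re.I)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_entries(report):
    """Every '[TAG]... body -> STATUS' line as a dict; other lines are ignored."""
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"tags": re.findall(r"\[([^\]]+)\]", m.group(1)),
                            "body": m.group(2), "status": m.group(3)})
    return entries


def zeroaccess_indicators(entries):
    """ZeroAccess-tagged entries grouped by the 32 hex digits in their path; here the
    {GUID} under AppData\Local and the $recycle.bin\S-1-5-18\$... folder share them."""
    by_id = defaultdict(list)
    for e in entries:
        if "ZeroAccess" in e["tags"]:
            m = HEX32_RE.search(e["body"])
            by_id["".join(m.groups()).lower() if m else "unknown"].append(e["body"])
    return dict(by_id)


def disabled_uac(entries):
    """UAC values at 0: EnableLUA=0 turns UAC off, ConsentPromptBehaviorAdmin=0 elevates silently."""
    names = set()
    for e in entries:
        m = UAC_RE.search(e["body"])
        if m and m.group(2) == "0":
            names.add(m.group(1))
    return sorted(names)


def hosts_redirects(report):
    """{ip: [hostname, ...]} from the HOSTS section, minus the stock localhost entry."""
    redirects = defaultdict(list)
    section = report.split("HOSTS File:", 1)[-1].split("MBR Check:", 1)[0]
    for line in section.splitlines():
        parts = line.split()
        if len(parts) < 2 or not IP_RE.match(parts[0]):
            continue  # blank line, the '--> path' line or the [...] truncation marker
        hosts = [h.lower() for h in parts[1:] if h.lower() != "localhost"]
        if hosts:
            redirects[parts[0]].extend(hosts)
    return dict(redirects)


def redirect_summary(report):
    """Redirected hostnames counted per parent domain (last two labels)."""
    counts = defaultdict(int)
    for hosts in hosts_redirects(report).values():
        for h in hosts:
            counts[".".join(h.split(".")[-2:])] += 1
    return dict(counts)


def cleanup_delta(before, after):
    """ZeroAccess indicators that vanished between two reports, and any still present."""
    def bodies(report):
        return {b for lst in zeroaccess_indicators(parse_entries(report)).values() for b in lst}
    old, new = bodies(before), bodies(after)
    return {"removed": sorted(old - new), "remaining": sorted(new)}


if __name__ == "__main__":
    for name, report in (("before", BEFORE), ("after", AFTER)):
        ents = parse_entries(report)
        print(name, zeroaccess_indicators(ents), disabled_uac(ents), redirect_summary(report))
    print(cleanup_delta(BEFORE, AFTER))
```

Run as a script it reports the four ZeroAccess artifacts as removed and none remaining, while both UAC values are still 0 in the second report (they were listed but NOT SELECTED) and the adobe.com and googlesyndication.com redirects are still in HOSTS, which is why the next instruction in the thread is to use Fix Host.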

#12 B-boy/StyLe/ (Malware Response Team)

Posted 06 September 2012 - 03:14 PM

Hi,


Please re-run RogueKiller.
Wait until Prescan has finished.
When the scan completes > click on the Hosts tab
Now click Fix Host in the right-hand column under Options




  • Please download a fresh copy of Combofix from here.
  • Save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
  • Double click it & follow the prompts.
  • If you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
  • Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.



Regards,
Georgi


#13 mattsbach (Topic Starter)

Posted 06 September 2012 - 03:30 PM

ComboFix 12-09-06.02 - Owner 09/06/2012 16:18:26.2.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8174.6753 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-06 to 2012-09-06 )))))))))))))))))))))))))))))))
.
.
2012-09-06 20:22 . 2012-09-06 20:22 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-09-06 20:22 . 2012-09-06 20:22 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-06 20:22 . 2012-09-06 20:22 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2012-09-06 20:22 . 2012-09-06 20:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-05 18:59 . 2012-09-05 18:59 -------- d-----w- c:\users\Owner\AppData\Local\{B9B14501-F78B-11E1-8270-B8AC6F996F26}
2012-09-05 18:58 . 2012-09-05 18:58 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-09-05 18:58 . 2012-09-05 18:58 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-09-05 05:01 . 2012-09-05 05:01 -------- d-----w- C:\ProgramData\{C6C9C6CD-FFB-4EAF-99F4-23ACA04FD024}
2012-09-05 05:01 . 2012-09-05 05:01 -------- d-----w- C:\ProgramData\{98375B5F-B89D-4736-A581-7BB55E0D490E}
2012-09-03 01:37 . 2012-09-03 01:37 916456 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-03 01:37 . 2012-09-03 01:37 289768 ----a-w- c:\windows\system32\javaws.exe
2012-09-03 01:37 . 2012-09-03 01:37 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-03 01:37 . 2012-09-03 01:37 189416 ----a-w- c:\windows\system32\javaw.exe
2012-09-03 01:37 . 2012-09-03 01:37 188904 ----a-w- c:\windows\system32\java.exe
2012-09-03 01:37 . 2012-09-03 01:37 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2012-09-03 01:37 . 2012-09-03 01:37 -------- d-----w- c:\program files\Java
2012-08-29 05:28 . 2012-08-29 05:28 73696 ----a-w- c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-08-15 03:54 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
2012-08-15 03:54 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2012-08-15 03:54 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-08-15 03:54 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
2012-08-15 03:54 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
2012-08-15 03:54 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-08-15 03:54 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
2012-08-15 03:54 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-15 03:54 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
2012-08-15 03:54 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2012-08-15 03:54 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-08-15 03:54 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-05 18:58 . 2012-08-01 21:45 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-09-05 18:58 . 2011-06-29 17:49 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-29 21:01 . 2012-04-16 19:50 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-29 21:01 . 2011-11-21 18:51 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-15 07:00 . 2011-06-29 17:01 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-08-01 21:02 . 2012-08-01 20:52 181064 ----a-w- c:\windows\PSEXESVC.EXE
2012-07-12 03:58 . 2011-08-31 17:38 87488 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-07-12 03:58 . 2011-08-31 17:38 34720 ----a-w- c:\windows\system32\LMIport.dll
2012-07-12 03:58 . 2011-08-31 17:38 80800 ----a-w- c:\windows\system32\LMIinit.dll
2012-07-03 17:46 . 2011-07-23 19:06 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-09 05:43 . 2012-07-10 22:01 14172672 ----a-w- c:\windows\system32\shell32.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-19_18.59.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-15 03:54 . 2012-07-04 21:16 57344 c:\windows\SysWOW64\netapi32.dll
+ 2012-08-15 07:01 . 2012-06-29 00:01 73216 c:\windows\SysWOW64\mshtmled.dll
- 2012-07-11 07:00 . 2012-06-02 08:17 73216 c:\windows\SysWOW64\mshtmled.dll
+ 2012-08-15 07:01 . 2012-06-29 00:06 66048 c:\windows\SysWOW64\migration\WininetPlugin.dll
- 2012-07-11 07:00 . 2012-06-02 08:22 66048 c:\windows\SysWOW64\migration\WininetPlugin.dll
- 2012-07-11 07:00 . 2012-06-02 08:21 65024 c:\windows\SysWOW64\jsproxy.dll
+ 2012-08-15 07:01 . 2012-06-29 00:06 65024 c:\windows\SysWOW64\jsproxy.dll
- 2009-07-14 04:54 . 2012-07-12 12:19 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-08-15 14:19 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-07-12 12:19 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-08-02 23:19 . 2012-08-15 14:19 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-07-12 12:19 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-15 14:19 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-21 03:09 . 2012-09-06 20:26 55322 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-09-06 20:26 32714 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-06-29 15:59 . 2012-09-06 19:58 12388 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2155120952-764981566-888926259-1000_UserData.bin
- 2011-08-31 06:26 . 2011-06-06 19:55 37264 c:\windows\system32\spool\drivers\x64\3\ADREGP.DLL
+ 2010-10-25 19:13 . 2011-06-06 19:55 37264 c:\windows\system32\spool\drivers\x64\3\ADREGP.DLL
+ 2012-08-15 07:01 . 2012-06-29 03:40 96768 c:\windows\system32\mshtmled.dll
- 2012-07-11 07:00 . 2012-06-02 11:57 96768 c:\windows\system32\mshtmled.dll
+ 2012-08-15 07:01 . 2012-06-29 03:46 86528 c:\windows\system32\migration\WininetPlugin.dll
- 2012-07-11 07:00 . 2012-06-02 12:03 86528 c:\windows\system32\migration\WininetPlugin.dll
+ 2012-08-15 07:01 . 2012-06-29 03:45 85504 c:\windows\system32\jsproxy.dll
- 2012-07-11 07:00 . 2012-06-02 12:03 85504 c:\windows\system32\jsproxy.dll
- 2009-07-14 05:30 . 2012-06-13 20:10 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2009-07-14 05:30 . 2012-08-15 07:17 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2011-08-31 09:10 . 2011-04-28 03:54 80384 c:\windows\system32\DriverStore\FileRepository\bth.inf_amd64_neutral_de0494b6391d872c\BTHUSB.SYS
+ 2009-07-14 00:06 . 2009-07-14 00:06 41984 c:\windows\system32\DriverStore\FileRepository\bth.inf_amd64_neutral_de0494b6391d872c\bthenum.sys
+ 2012-07-26 19:38 . 2012-08-01 16:37 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2012-07-28 05:49 . 2012-07-28 12:14 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012072820120729\index.dat
+ 2012-07-27 04:44 . 2012-07-28 02:20 65536 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012072720120728\index.dat
+ 2012-07-26 19:21 . 2012-07-27 01:34 65536 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012072620120727\index.dat
+ 2012-07-26 18:07 . 2012-09-05 21:43 65536 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2012-04-04 05:53 . 2012-04-04 05:53 24984 c:\windows\system32\AdobePDFUI.dll
- 2011-09-05 17:04 . 2011-09-05 17:04 24984 c:\windows\system32\AdobePDFUI.dll
+ 2012-04-04 05:53 . 2012-04-04 05:53 53656 c:\windows\system32\AdobePDF.dll
- 2011-09-05 17:05 . 2011-09-05 17:05 53656 c:\windows\system32\AdobePDF.dll
+ 2012-07-26 01:54 . 2012-07-26 01:54 10134 c:\windows\Installer\{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}\ARPPRODUCTICON.exe
- 2011-11-12 06:01 . 2011-11-12 06:01 10134 c:\windows\Installer\{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}\ARPPRODUCTICON.exe
- 2011-11-12 06:01 . 2011-11-12 06:01 10134 c:\windows\Installer\{D1A19B02-817E-4296-A45B-07853FD74D57}\ARPPRODUCTICON.exe
+ 2012-07-26 01:54 . 2012-07-26 01:54 10134 c:\windows\Installer\{D1A19B02-817E-4296-A45B-07853FD74D57}\ARPPRODUCTICON.exe
- 2011-11-12 06:01 . 2011-11-12 06:01 10134 c:\windows\Installer\{B6D38690-755E-4F40-A35A-23F8BC2B86AC}\ARPPRODUCTICON.exe
+ 2012-07-26 01:54 . 2012-07-26 01:54 10134 c:\windows\Installer\{B6D38690-755E-4F40-A35A-23F8BC2B86AC}\ARPPRODUCTICON.exe
- 2011-11-12 06:01 . 2011-11-12 06:01 10134 c:\windows\Installer\{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}\ARPPRODUCTICON.exe
+ 2012-07-26 01:54 . 2012-07-26 01:54 10134 c:\windows\Installer\{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}\ARPPRODUCTICON.exe
+ 2012-07-26 01:54 . 2012-07-26 01:54 10134 c:\windows\Installer\{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}\ARPPRODUCTICON.exe
- 2011-11-12 06:01 . 2011-11-12 06:01 10134 c:\windows\Installer\{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}\ARPPRODUCTICON.exe
+ 2012-07-26 01:54 . 2012-07-26 01:54 10134 c:\windows\Installer\{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}\ARPPRODUCTICON.exe
- 2011-11-12 06:02 . 2011-11-12 06:02 10134 c:\windows\Installer\{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}\ARPPRODUCTICON.exe
- 2011-11-12 06:01 . 2011-11-12 06:01 10134 c:\windows\Installer\{08D2E121-7F6A-43EB-97FD-629B44903403}\ARPPRODUCTICON.exe
+ 2012-07-26 01:54 . 2012-07-26 01:54 10134 c:\windows\Installer\{08D2E121-7F6A-43EB-97FD-629B44903403}\ARPPRODUCTICON.exe
- 2011-11-12 06:01 . 2011-11-12 06:01 10134 c:\windows\Installer\{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}\ARPPRODUCTICON.exe
+ 2012-07-26 01:54 . 2012-07-26 01:54 10134 c:\windows\Installer\{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}\ARPPRODUCTICON.exe
+ 2012-04-04 02:54 . 2012-04-04 02:54 74136 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\wow_helper.exe
+ 2010-10-25 19:13 . 2010-10-25 19:13 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\ViewerPS.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\ViewerPS.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PrintInf64.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PrintInf64.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 16808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\piaglbreakfinder.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 16808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\piaglbreakfinder.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 84896 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFPrevHndlr.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 84896 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFPrevHndlr.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 28568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\FileDlgExt.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 28568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\FileDlgExt.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 17816 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Exch_AcrobatInfo.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 17816 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Exch_AcrobatInfo.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\adobeextractfiles.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\adobeextractfiles.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\acrotextextractor.exe
+ 2010-10-25 19:13 . 2010-10-25 19:13 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\acrotextextractor.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 97168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AcroIF.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 97168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AcroIF.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 62376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\acroiehelpershim.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AcroIEHelper.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AcroIEHelper.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Acrofx32.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Acrofx32.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 36760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\acrobat_sl.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 36760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\acrobat_sl.exe
- 2012-07-19 18:58 . 2012-07-19 18:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-06 20:24 . 2012-09-06 20:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-19 18:58 . 2012-07-19 18:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-09-06 20:24 . 2012-09-06 20:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-15 07:01 . 2012-06-29 00:07 231936 c:\windows\SysWOW64\url.dll
- 2012-07-11 07:00 . 2012-06-02 08:23 231936 c:\windows\SysWOW64\url.dll
+ 2011-09-09 04:11 . 2012-08-30 21:02 187296 c:\windows\SysWOW64\mlfcache.dat
+ 2012-08-29 21:01 . 2012-08-29 21:01 690888 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_265_Plugin.exe
+ 2012-08-15 13:19 . 2012-08-15 13:19 686792 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe
+ 2012-08-15 13:19 . 2012-08-15 13:19 466632 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.dll
+ 2012-04-16 19:50 . 2012-08-29 21:01 250568 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-08-15 07:01 . 2012-06-29 00:04 717824 c:\windows\SysWOW64\jscript.dll
+ 2011-11-17 21:32 . 2012-09-05 18:58 246760 c:\windows\SysWOW64\javaws.exe
+ 2011-11-17 21:32 . 2012-09-05 18:58 174056 c:\windows\SysWOW64\javaw.exe
+ 2011-11-17 21:32 . 2012-09-05 18:58 174056 c:\windows\SysWOW64\java.exe
- 2012-07-11 07:00 . 2012-06-02 08:20 142848 c:\windows\SysWOW64\ieUnatt.exe
+ 2012-08-15 07:01 . 2012-06-29 00:04 142848 c:\windows\SysWOW64\ieUnatt.exe
- 2012-07-11 07:00 . 2012-06-02 08:14 176640 c:\windows\SysWOW64\ieui.dll
+ 2012-08-15 07:01 . 2012-06-28 23:57 176640 c:\windows\SysWOW64\ieui.dll
+ 2012-08-15 07:01 . 2012-06-29 03:47 237056 c:\windows\system32\url.dll
- 2012-07-11 07:00 . 2012-06-02 12:04 237056 c:\windows\system32\url.dll
+ 2010-10-25 19:13 . 2011-06-06 19:55 464272 c:\windows\system32\spool\drivers\x64\3\ADUIGP.DLL
- 2011-08-31 06:26 . 2011-06-06 19:55 464272 c:\windows\system32\spool\drivers\x64\3\ADUIGP.DLL
+ 2009-07-14 02:36 . 2012-09-06 20:04 626844 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-07-19 04:04 626844 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-09-06 20:04 107160 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-07-19 04:04 107160 c:\windows\system32\perfc009.dat
+ 2012-08-29 21:01 . 2012-08-29 21:01 420552 c:\windows\system32\Macromed\Flash\FlashUtil64_11_4_402_265_Plugin.exe
+ 2012-08-15 13:19 . 2012-08-15 13:19 417992 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_271_ActiveX.exe
+ 2012-08-15 13:19 . 2012-08-15 13:19 513224 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_271_ActiveX.dll
+ 2012-08-15 07:01 . 2012-06-29 03:44 816640 c:\windows\system32\jscript.dll
- 2012-07-11 07:00 . 2012-06-02 12:01 173056 c:\windows\system32\ieUnatt.exe
+ 2012-08-15 07:01 . 2012-06-29 03:43 173056 c:\windows\system32\ieUnatt.exe
+ 2012-08-15 07:01 . 2012-06-29 03:35 248320 c:\windows\system32\ieui.dll
- 2012-07-11 07:00 . 2012-06-02 11:54 248320 c:\windows\system32\ieui.dll
+ 2009-07-14 05:30 . 2012-08-15 07:17 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2012-06-13 20:10 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2012-06-12 17:35 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2009-07-14 05:30 . 2012-08-15 07:17 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2010-11-21 03:23 . 2010-11-21 03:23 229376 c:\windows\system32\DriverStore\FileRepository\bth.inf_amd64_neutral_de0494b6391d872c\fsquirt.exe
+ 2012-08-15 07:01 . 2012-07-06 20:07 552960 c:\windows\system32\DriverStore\FileRepository\bth.inf_amd64_neutral_de0494b6391d872c\bthport.sys
+ 2009-07-14 05:31 . 2012-08-15 07:17 399360 c:\windows\system32\DriverStore\drvindex.dat
- 2009-07-14 05:31 . 2011-08-31 09:19 399360 c:\windows\system32\DriverStore\drvindex.dat
+ 2009-07-14 05:12 . 2012-09-05 21:43 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 05:12 . 2011-06-29 15:51 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-06-29 18:13 . 2012-09-06 16:07 704512 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-07-26 18:07 . 2012-09-05 19:01 262144 c:\windows\system32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 04:46 . 2012-07-13 07:01 108784 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 04:46 . 2012-08-22 20:49 108784 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 05:01 . 2012-09-06 20:22 671532 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-08-01 21:45 . 2012-08-01 21:45 461312 c:\windows\Installer\6c0f8.msi
+ 2011-05-11 07:01 . 2011-05-11 07:01 607744 c:\windows\Installer\3a472.msi
+ 2011-05-11 07:01 . 2011-05-11 07:01 915456 c:\windows\Installer\3a467.msi
+ 2011-05-11 07:01 . 2011-05-11 07:01 606208 c:\windows\Installer\3a45c.msi
+ 2011-05-11 07:01 . 2011-05-11 07:01 725504 c:\windows\Installer\3a446.msi
+ 2012-09-05 18:58 . 2012-09-05 18:58 179200 c:\windows\Installer\223cc177.msi
+ 2012-09-05 18:58 . 2012-09-05 18:58 877056 c:\windows\Installer\223cc161.msi
+ 2012-09-03 01:37 . 2012-09-03 01:37 902144 c:\windows\Installer\143743ff.msi
- 2011-11-12 06:06 . 2012-04-16 18:55 335872 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000005}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2012-07-26 01:55 . 2012-08-20 03:31 335872 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000005}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2011-06-06 16:55 . 2011-06-06 16:55 686464 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\JP2KLib.dll
+ 2012-01-03 07:37 . 2012-01-03 07:37 320456 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\adobearmhelper.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 109472 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\wcfirefoxextn.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 109472 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\wcfirefoxextn.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 249232 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\sqlite.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 249232 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\sqlite.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 108864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\spal.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 108864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\spal.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 905536 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\solidcore.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 905536 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\solidcore.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 133440 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\solid_wxbase_xml.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 133440 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\solid_wxbase_xml.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 404800 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\securepdfsdk.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 404800 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\securepdfsdk.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 147776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\scpdfbridge.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 147776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\scpdfbridge.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\readerupdater.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\readerupdater.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 457120 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMPublisher.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 457120 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMPublisher.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 106904 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMProject.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 106904 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMProject.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 641440 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMPowerPoint.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 641440 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMPowerPoint.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 385952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMOfficeAddin.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 385952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMOfficeAddin.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 319808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\pdfmeta.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 319808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\pdfmeta.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 528792 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMEngine.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 528792 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMEngine.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 221592 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMakerAPI.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 221592 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMakerAPI.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 217496 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMAccess.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 217496 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMAccess.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 435520 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\ocr.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 435520 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\ocr.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 135568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\nppdf32.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 135568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\nppdf32.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 344480 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\MDKitAdapter.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 344480 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\MDKitAdapter.dll
+ 2012-04-04 02:54 . 2012-04-04 02:54 942464 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\jp2klib.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 316824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\ImpCommWord.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 316824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\ImpCommWord.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 858944 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\imagetool.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 858944 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\imagetool.dll
+ 2012-04-04 02:53 . 2012-04-04 02:53 120240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\html2pdfwrapfor64bit.exe
- 2011-09-05 15:04 . 2011-09-05 15:04 120240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\html2pdfwrapfor64bit.exe
+ 2010-10-25 19:13 . 2010-10-25 19:13 681872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Exch_JP2KLib.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 681872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Exch_JP2KLib.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 329104 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Exch_Acrobat.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 329104 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Exch_Acrobat.exe
+ 2010-10-25 19:13 . 2010-10-25 19:13 709528 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Dist_adistres.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 709528 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Dist_adistres.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 821144 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Dist_acrotray.exe
+ 2010-10-25 19:13 . 2010-10-25 19:13 821144 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Dist_acrotray.exe
+ 2010-10-25 19:13 . 2010-10-25 19:13 405912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Dist_acrodist.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 405912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Dist_acrodist.exe
+ 2010-10-25 19:13 . 2010-10-25 19:13 143168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\dbcore.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 143168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\dbcore.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 170816 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\convertercorelight.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 170816 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\convertercorelight.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 685464 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\ContextMenu.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 685464 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\ContextMenu.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 595344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AXSLE.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 148880 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Aiod.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 148880 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Aiod.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 222920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\ahclient.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 222920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\ahclient.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 952728 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\aecfilter.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 952728 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\aecfilter.dll
+ 2012-01-03 07:37 . 2012-01-03 07:37 320456 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\adobearmhelper.exe
+ 2010-10-25 19:13 . 2010-10-25 19:13 932288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\adobearm.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 932288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\adobearm.exe
+ 2010-10-25 19:13 . 2010-10-25 19:13 226200 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\adobeafp.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 226200 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\adobeafp.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 116624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Adist64.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 116624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Adist64.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 110480 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Adist.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 110480 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Adist.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 203680 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\acroscanbroker.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 203680 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\acroscanbroker.exe
+ 2010-10-25 19:13 . 2010-10-25 19:13 702352 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AcroPDF.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 702352 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AcroPDF.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 340384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AcroIEFavClient.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 340384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AcroIEFavClient.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 294808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\acrobroker.exe
+ 2010-10-25 19:13 . 2010-10-25 19:13 294808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\acrobroker.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\acrobatupdater.exe
+ 2010-10-25 19:13 . 2010-10-25 19:13 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\acrobatupdater.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\a3dutils.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\a3dutils.dll
- 2012-07-11 07:00 . 2012-06-02 08:25 1129472 c:\windows\SysWOW64\wininet.dll
+ 2012-08-15 07:01 . 2012-06-29 00:09 1129472 c:\windows\SysWOW64\wininet.dll
- 2012-07-11 07:00 . 2012-06-02 08:26 1103872 c:\windows\SysWOW64\urlmon.dll
+ 2012-08-15 07:01 . 2012-06-29 00:09 1103872 c:\windows\SysWOW64\urlmon.dll
+ 2012-08-29 21:01 . 2012-08-29 21:01 9813704 c:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
+ 2012-08-29 21:01 . 2012-08-29 21:01 1807560 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
+ 2012-08-15 07:01 . 2012-06-29 00:16 1800704 c:\windows\SysWOW64\jscript9.dll
+ 2012-08-15 07:01 . 2012-06-29 00:01 1793024 c:\windows\SysWOW64\iertutil.dll
- 2012-07-11 07:00 . 2012-06-02 08:19 1793024 c:\windows\SysWOW64\iertutil.dll
- 2012-07-11 07:00 . 2012-06-02 08:43 9737728 c:\windows\SysWOW64\ieframe.dll
+ 2012-08-15 07:01 . 2012-06-29 00:27 9737728 c:\windows\SysWOW64\ieframe.dll
- 2012-07-11 07:00 . 2012-06-02 12:05 1392128 c:\windows\system32\wininet.dll
+ 2012-08-15 07:01 . 2012-06-29 03:49 1392128 c:\windows\system32\wininet.dll
+ 2012-08-15 07:01 . 2012-06-29 03:49 1346048 c:\windows\system32\urlmon.dll
- 2012-07-11 07:00 . 2012-06-02 12:05 1346048 c:\windows\system32\urlmon.dll
+ 2012-08-15 07:01 . 2012-06-29 03:56 2312704 c:\windows\system32\jscript9.dll
+ 2012-08-15 07:01 . 2012-06-29 03:42 2144768 c:\windows\system32\iertutil.dll
- 2012-07-11 07:00 . 2012-06-02 11:59 2144768 c:\windows\system32\iertutil.dll
+ 2009-07-14 04:45 . 2012-08-27 15:59 5907256 c:\windows\system32\FNTCACHE.DAT
+ 2012-08-02 04:06 . 2012-09-06 16:07 2359296 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:45 . 2012-08-20 04:18 7438596 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2012-07-11 07:22 7438596 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2011-05-11 06:40 . 2011-05-11 06:40 8297472 c:\windows\Installer\3a492.msi
+ 2011-05-11 07:01 . 2011-05-11 07:01 3670016 c:\windows\Installer\3a451.msi
+ 2011-05-11 07:01 . 2011-05-11 07:01 2211328 c:\windows\Installer\3a430.msi
+ 2011-05-11 07:01 . 2011-05-11 07:01 1997312 c:\windows\Installer\3a425.msi
+ 2012-08-20 03:34 . 2012-08-20 03:34 2184704 c:\windows\Installer\18efba5e.msi
+ 2011-06-06 16:55 . 2011-06-06 16:55 5509512 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AGM.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 1876288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\solid_wxbase.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 1876288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\solid_wxbase.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 2207632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\rt3d.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 2207632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\rt3d.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 1054096 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\pdfport.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 1054096 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\pdfport.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 1270680 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMWord.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 1270680 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMWord.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 2739608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMOutlook.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 2739608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMOutlook.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 2070432 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMLotus_PDFMLotusNotes.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 2070432 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMLotus_PDFMLotusNotes.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 2033040 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMLotus_Lcppn30.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 2033040 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMLotus_Lcppn30.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 1300888 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMExcel.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 1300888 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PDFMExcel.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 6445376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\pdflibtool.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 6445376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\pdflibtool.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 1753504 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\OCRLibraryInf.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 1753504 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\OCRLibraryInf.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 5002632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\MPS.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 5002632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\MPS.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 1186728 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\JSByteCodeWin.bin
- 2010-10-25 20:13 . 2010-10-25 20:13 1186728 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\JSByteCodeWin.bin
- 2010-10-25 20:13 . 2010-10-25 20:13 2795928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Exch_cooltype.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 2795928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Exch_cooltype.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 4728216 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Dist_acrodistdll.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 4728216 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Dist_acrodistdll.dll
+ 2012-04-04 02:54 . 2012-04-04 02:54 4483480 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\cooltype.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 1591712 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\ContextMenu64.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 1591712 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\ContextMenu64.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 6222744 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\authplay.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 6222744 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\authplay.dll
+ 2011-06-06 16:55 . 2011-06-06 16:55 8293256 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\agm.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 2893216 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AdobePDFMakerX.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 2893216 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AdobePDFMakerX.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 6654360 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AdobePDFL.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 6654360 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AdobePDFL.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 1216416 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AdobeCollabSync.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 1216416 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\AdobeCollabSync.exe
+ 2012-04-04 02:54 . 2012-04-04 02:54 1496472 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\acrord32.exe
- 2010-10-25 20:13 . 2010-10-25 20:13 2572712 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Acrobat_Elements.exe
+ 2010-10-25 19:13 . 2010-10-25 19:13 2572712 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Acrobat_Elements.exe
+ 2012-08-15 07:01 . 2012-06-29 00:52 12317184 c:\windows\SysWOW64\mshtml.dll
+ 2009-07-14 02:34 . 2012-08-15 07:17 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:34 . 2012-07-11 07:18 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2012-08-15 07:01 . 2012-06-29 04:55 17809920 c:\windows\system32\mshtml.dll
+ 2012-08-29 21:01 . 2012-08-29 21:01 12812488 c:\windows\system32\Macromed\Flash\NPSWF64_11_4_402_265.dll
+ 2012-08-15 07:01 . 2012-06-29 04:09 10925568 c:\windows\system32\ieframe.dll
+ 2009-07-14 04:54 . 2012-09-06 16:07 16187392 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-07-06 16:03 . 2012-09-06 20:22 29041860 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2155120952-764981566-888926259-1000-12288.dat
+ 2012-07-26 18:23 . 2012-09-05 19:02 15310652 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
+ 2011-05-11 07:01 . 2011-05-11 07:01 12719104 c:\windows\Installer\3a43b.msi
+ 2012-07-28 01:47 . 2012-07-28 01:47 13123584 c:\windows\Installer\26b84.msp
+ 2012-08-01 18:53 . 2012-08-01 18:53 99008512 c:\windows\Installer\22016.msp
+ 2010-10-25 19:13 . 2010-10-25 19:13 17201560 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\webkitag.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 17201560 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\webkitag.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 51284384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PreflightLib.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 51284384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\PreflightLib.dll
+ 2012-04-04 02:54 . 2012-04-04 02:54 24962968 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\acrord32.dll
- 2010-10-25 20:13 . 2010-10-25 20:13 28406160 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Acrobat.dll
+ 2010-10-25 19:13 . 2010-10-25 19:13 28406160 c:\windows\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000050\10.0.0\Acrobat.dll
+ 2012-07-28 01:22 . 2012-07-28 01:22 105082880 c:\windows\Installer\18efba4b.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2010-11-30 16:03 155416 ----a-w- c:\windows\SysWOW64\CbFsMntNtf3.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-04-14 113288]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"Lexmark S800 Series"="c:\program files (x86)\Lexmark S800 Series\fm3032.exe" [2011-03-18 316120]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-27 59240]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-07-27 36800]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-07-27 823224]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Owner\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2012-8-2 6271888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-05 136176]
R2 lxefCATSCustConnectService;lxefCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxefserv.exe [2010-09-09 45224]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-29 250568]
R3 BTMCOM;Bluetooth Serial Port;c:\windows\system32\Drivers\btmcom.sys [2010-11-30 52736]
R3 BTMUSB;Motorola Bluetooth Radio Service;c:\windows\system32\Drivers\btmusb.sys [2010-11-30 484224]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [2011-03-02 13088]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-05 136176]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-08-29 114144]
R3 netr28ux;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28ux.sys [2010-07-27 1241952]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys [2011-01-11 14944]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2011.SP3\RpcAgentSrv.exe [2009-08-10 93848]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\DRIVERS\tapoas.sys [2011-03-23 30720]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-06-29 1255736]
S0 hotcore3;hc3ServiceName;c:\windows\system32\DRIVERS\hotcore3.sys [2010-10-13 37456]
S0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [2010-10-26 181040]
S1 cbfs3;cbfs3;c:\windows\system32\drivers\cbfs3.sys [2010-11-30 321424]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files\Motorola\Bluetooth\obexsrv.exe [2010-11-30 679176]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-06 13336]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-01-17 164520]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2012-07-12 375208]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2011-01-11 15928]
S2 lxef_device;lxef_device;c:\windows\system32\lxefcoms.exe [2010-09-09 1070760]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-25 2214504]
S3 Bluetooth Device Manager;Bluetooth Device Manager;c:\program files\Motorola\Bluetooth\devmgrsrv.exe [2010-11-30 4150864]
S3 Bluetooth Media Service;Bluetooth Media Service;c:\program files\Motorola\Bluetooth\audiosrv.exe [2010-11-30 1188616]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [2011-02-08 328368]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-06-29 1028096]
S3 hdsp;RME Hammerfall Audio Device;c:\windows\system32\drivers\hdsp_64.sys [2011-08-03 102400]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-19 56344]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2011-04-13 87552]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2011-04-13 207872]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2011-05-25 174184]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 21:01]
.
2012-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-05 19:43]
.
2012-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-05 19:43]
.
2012-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2155120952-764981566-888926259-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-02 00:21]
.
2012-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2155120952-764981566-888926259-1000UA.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-02 00:21]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2010-11-30 16:03 188696 ----a-w- c:\windows\System32\CbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2012-08-02 16:43 6301584 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2012-08-02 16:43 6301584 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BTMTrayAgent"="c:\program files\Motorola\Bluetooth\btmshell.dll" [2010-11-30 21705296]
"lxefmon.exe"="c:\program files (x86)\Lexmark S800 Series\lxefmon.exe" [2010-09-30 713384]
"EzPrint"="c:\program files (x86)\Lexmark S800 Series\ezprint.exe" [2010-09-30 148288]
"HDSPTray1"="hdsp32.exe" [2011-08-03 648192]
"HDSPTray2"="hdspmix.exe" [2011-08-03 1158144]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-01-11 57928]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {{bd707fe6-39f6-4bda-9265-86a76719bdc5} - c:\program files\Motorola\Bluetooth\btmiesend.htm
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\i7b7x4vw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\System32\hdsp32.exe
c:\windows\System32\hdspmix.exe
c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
c:\program files\Motorola\Bluetooth\btplayerctrl.exe
.
**************************************************************************
.
Completion time: 2012-09-06 16:28:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-06 20:28
.
Pre-Run: 402,592,800,768 bytes free
Post-Run: 402,160,144,384 bytes free
.
- - End Of File - - 71258D17036F9ACFE6F43D79781BD0A6
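
An added example, not code from this thread, from ComboFix or from any tool named here: a PowerShell triage script that pulls the executable paths out of the Run-key and service lines of a saved ComboFix log in the format shown above and checks, for each one, whether the file exists on disk and whether it carries a valid Authenticode signature. The default log location C:\ComboFix.txt is an assumption; point -LogPath at wherever the log was saved. It assumes PowerShell 3 or later and must run on the machine the log came from, because it inspects the files themselves.

```powershell
# Added example (not from the thread): triage Run-key and service entries in a
# saved ComboFix log. Parses two line shapes seen in the log above:
#   "Name"="c:\path\file.exe" [2012-07-27 919008]
#   R2 svcname;Display Name;c:\path\file.sys [2010-03-18 138576]
# $LogPath is an assumed location. Requires PowerShell 3 or later.
param([string]$LogPath = 'C:\ComboFix.txt')

function Get-ComboFixPaths {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Run-key entry: quoted name, quoted path, then "[date size]".
        if ($line -match '^"(?<name>[^"]+)"="(?<path>[^"]+)"\s+\[') {
            [pscustomobject]@{ Kind = 'Run'; Name = $Matches.name; Path = $Matches.path }
        }
        # Service/driver entry: R/S + start type, name;display;path, then "[date size]".
        elseif ($line -match '^[RS]\d\s+(?<name>[^;]+);[^;]*;(?<path>[^\[]+?)\s+\[') {
            [pscustomobject]@{ Kind = 'Service'; Name = $Matches.name; Path = $Matches.path }
        }
    }
}

function Test-ComboFixEntry {
    param([pscustomobject]$Entry)
    $path = $Entry.Path
    # Bare names such as "hdsp32.exe" have no directory: resolve them via PATH,
    # exactly as the loader would when the Run value is executed.
    if (-not [IO.Path]::IsPathRooted($path)) {
        $cmd = Get-Command $path -ErrorAction SilentlyContinue
        if ($cmd) { $path = $cmd.Path }
    }
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $status = 'Missing'
    $signer = ''
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        Kind = $Entry.Kind; Name = $Entry.Name; Path = $path
        Signature = $status; Signer = $signer
    }
}

$entries = Get-ComboFixPaths -Lines (Get-Content -LiteralPath $LogPath)
$report  = $entries | ForEach-Object { Test-ComboFixEntry -Entry $_ }

# Missing, unsigned and hash-mismatched binaries sort to the top of the list.
$report | Sort-Object Signature, Kind | Format-Table Kind, Name, Signature, Signer, Path -AutoSize
```

A valid signature does not make an entry benign and NotSigned does not make it malicious (many OEM utilities of this era are unsigned), but the Missing, NotSigned and HashMismatch rows are the ones to examine first, especially anything loading from a user profile or a Temp folder rather than Program Files or System32.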

#14 B-boy/StyLe/

  • Bleepin' Freestyler
  • Malware Response Team
  • Location: Bulgaria

Posted 06 September 2012 - 03:41 PM

Hi,

Please zip and upload the folder C:\FRST\Quarantine here

Next,

  • Press the Windows Logo in the lower left corner of your screen.
  • In the search box, enter notepad and press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into notepad.
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusDisableNotify"=dword:00000000
    "AntiVirusOverride"=dword:00000000
    "FirewallDisableNotify"=dword:00000000
    "FirewallOverride"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    
  • Select File -> Save.
  • Press the Desktop button on the left side of the save dialog.
  • In the File name box, type in Fix.reg.
  • Press Save.
  • Close Notepad.
  • Double click Fix.reg on your desktop.
  • Press Yes if prompted by User Account Control.
  • Press Yes, and then Ok, when prompted.
  • Right click on Fix.reg and choose Delete.
  • Press Yes.


And finally,
Let's check for leftovers.
Most of them should take no more than 5 minutes each.
ESET could take up to an hour or two depending on the size of your hard drive and the speed of your computer.



STEP 1


  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.



STEP 2



Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


STEP 3



I'd like us to scan your machine with ESET OnlineScan


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click the download button [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the ESET Smart Installer icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]



STEP 4



Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


STEP 5



Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Regards,
Georgi

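
An added example, not part of Georgi's instructions and not code from any tool named in this thread: a PowerShell audit script for the Security Center override/notify flags that the Fix.reg above resets, extended to the UAC policy values that the ComboFix log posted earlier shows set to 0 (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop). The "expected" values are an assumption (Windows 7 defaults), not taken from the log. It assumes PowerShell 3 or later and an elevated prompt; without -Fix it only reports, with -Fix it writes the defaults back.

```powershell
# Added example (not from the thread): audit, and optionally reset, the
# Security Center flags that Fix.reg above sets to 0 plus the UAC policy
# values the ComboFix log shows disabled. Expected values are assumed
# Windows 7 defaults. Run elevated; requires PowerShell 3 or later.
param([switch]$Fix)

$sc  = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$svc = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Security Center flags set to 1 tell Action Center to stop alerting about
# missing AV/firewall/updates, which is why malware sets them. In the log,
# EnableLUA=0 turns UAC off entirely, ConsentPromptBehaviorAdmin=0 elevates
# without any prompt and PromptOnSecureDesktop=0 drops the secure desktop.
$checks = @(
    @{ Path = $sc;  Name = 'AntiVirusOverride';          Expected = 0 },
    @{ Path = $sc;  Name = 'FirewallOverride';           Expected = 0 },
    @{ Path = $svc; Name = 'AntiVirusDisableNotify';     Expected = 0 },
    @{ Path = $svc; Name = 'AntiVirusOverride';          Expected = 0 },
    @{ Path = $svc; Name = 'FirewallDisableNotify';      Expected = 0 },
    @{ Path = $svc; Name = 'FirewallOverride';           Expected = 0 },
    @{ Path = $svc; Name = 'UpdatesDisableNotify';       Expected = 0 },
    @{ Path = $uac; Name = 'EnableLUA';                  Expected = 1 },
    @{ Path = $uac; Name = 'ConsentPromptBehaviorAdmin'; Expected = 5 },
    @{ Path = $uac; Name = 'PromptOnSecureDesktop';      Expected = 1 }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    # A value that does not exist comes back as $null and is reported as a mismatch.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Check.Name) } else { $null }
    [pscustomobject]@{
        Path     = $Check.Path
        Name     = $Check.Name
        Expected = $Check.Expected
        Actual   = $actual
        Ok       = ($actual -eq $Check.Expected)
    }
}

$results = foreach ($c in $checks) { Test-PolicyValue -Check $c }
$results | Format-Table Name, Expected, Actual, Ok, Path -AutoSize

$bad = @($results | Where-Object { -not $_.Ok })
if ($bad.Count -eq 0) {
    Write-Host 'All values match the expected defaults.'
}
elseif ($Fix) {
    foreach ($b in $bad) {
        if (-not (Test-Path $b.Path)) { New-Item -Path $b.Path -Force | Out-Null }
        Set-ItemProperty -Path $b.Path -Name $b.Name -Value $b.Expected -Type DWord
        Write-Host "Reset $($b.Path)\$($b.Name): $($b.Actual) -> $($b.Expected)"
    }
    Write-Host 'UAC changes take effect after a reboot.'
}
else {
    Write-Warning "$($bad.Count) value(s) differ from the expected defaults; rerun with -Fix to reset them."
}
```

For the Security Center flags an absent value behaves like 0, so writing 0 with -Fix is harmless; for the UAC values an absent entry means the built-in default applies, and the script writes that default explicitly. Re-running the audit after the reboot that the cleaning steps call for is the quick way to confirm nothing still running on the box has flipped the flags back.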


#15 mattsbach

  • Topic Starter
  • Members

Posted 06 September 2012 - 04:25 PM

Running ESET now - it's going to take a while. Already 3 threats found: Win64/Sirefef.T trojan and 2 variants of Win32/Medfos.DE trojan.

In the meantime, here are the first two reports:



Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.06.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC110658 [administrator]

9/6/2012 4:49:45 PM
mbam-log-2012-09-06 (16-49-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 245919
Time elapsed: 2 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



