
Trickster Virus or something of the sort


  • This topic is locked
11 replies to this topic

#1 outlaw08

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:27 PM

Posted 02 October 2012 - 12:42 PM

I have apparently gotten some sort of trickster virus on my machine. I first noticed it about a week ago when sites started redirecting to Google after having been blocked; I fixed that by noticing that my hosts file had been edited and replacing it with a clean file. I then noticed that my DNS had been changed to 1.1.1.1 and was able to fix that by simply resetting it to obtain automatically. I also will have windows (such as IE and Chrome) get locked and have to be restarted to be usable again.

Yesterday I had my toolbar get locked and had to log off and log back in before it would work, but when I did that my background had been changed and locked to a picture of a zombie. I fixed that by updating group policy and changing it back to my normal background. I then ran TDSSKiller by Kaspersky and FixTDSS by Symantec, but they came back clean. I have run Spybot S&D, Malwarebytes, and Symantec AV, and the only thing that is found are cookies. I then ran ComboFix at the suggestion of one of my coworkers, and the following is my log.

Also during this time I have had my CD tray ejected irregularly, and today after the scan I noticed a beeping coming from my headphones and replicated it on another set to make sure it wasn't them. Again, the ComboFix log is below. Any and all help is appreciated.

ComboFix 12-09-30.03 - kschumann 10/01/2012 17:23:08.1.4 - x64
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.7991.6108 [GMT -5:00]
Running from: c:\users\kschumann\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\kschumann\AppData\Local\assembly\tmp
c:\users\kschumann\g2mdlhlpx.exe
c:\users\kschumann\ResourceReader.dll
c:\windows\isRS-000.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-09-01 to 2012-10-01 )))))))))))))))))))))))))))))))
.
.
2012-10-01 21:44 . 2012-09-26 19:54 207088 ----a-w- c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Windows Helper.exe
2012-09-27 16:05 . 2012-09-27 16:04 207088 ---ha-w- c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\APCSystemCheck.exe
2012-09-27 15:22 . 2012-09-27 15:22 -------- d-----w- c:\windows\Sun
2012-09-26 16:54 . 2012-09-26 16:53 207033 ----a-w- c:\windows\system32\lock.exe
2012-09-26 16:40 . 2012-09-26 16:40 -------- d-----w- c:\users\kschumann\AppData\Roaming\vlc
2012-09-24 21:34 . 2012-09-24 21:34 -------- d-----w- c:\users\domaingod\AppData\Local\Microsoft
2012-09-21 21:11 . 2012-09-24 21:34 -------- d-----w- c:\windows\PDQDeployRunner
2012-09-21 20:58 . 2012-09-21 20:58 -------- d-----w- C:\installers
2012-09-21 15:42 . 2012-09-21 15:42 -------- d-----w- c:\programdata\Geek Squad
2012-09-21 15:37 . 2012-09-21 15:36 39424 ----a-w- c:\windows\system32\ejectcd.exe
2012-09-21 15:09 . 2012-09-22 04:41 -------- d-----w- c:\users\nswanzy
2012-09-20 20:25 . 2012-09-20 20:25 916456 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-20 20:25 . 2012-09-20 20:25 289768 ----a-w- c:\windows\system32\javaws.exe
2012-09-20 20:25 . 2012-09-20 20:25 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-20 20:25 . 2012-09-20 20:25 189416 ----a-w- c:\windows\system32\javaw.exe
2012-09-20 20:25 . 2012-09-20 20:25 188904 ----a-w- c:\windows\system32\java.exe
2012-09-20 20:25 . 2012-09-20 20:25 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2012-09-20 20:25 . 2012-09-20 20:25 -------- d-----w- c:\program files\Java
2012-09-20 20:24 . 2012-09-20 20:24 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-09-20 20:24 . 2012-09-20 20:24 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-09-20 18:30 . 2012-09-20 18:30 -------- d-----w- c:\users\kschumann\AppData\Local\Hewlett-Packard
2012-09-20 18:26 . 2012-09-20 18:28 -------- d-----w- c:\programdata\Hewlett-Packard
2012-09-20 18:26 . 2012-09-20 18:27 -------- d-----w- c:\program files (x86)\Hewlett-Packard
2012-09-20 18:26 . 2012-09-20 18:27 -------- d-----w- c:\users\kschumann\AppData\Roaming\hpqLog
2012-09-20 18:26 . 2012-09-20 18:26 -------- d-----w- c:\programdata\{A8DA1505-E615-42BB-BB77-74D5CC91FE7E}
2012-09-20 18:26 . 2012-09-20 18:26 -------- d-----w- C:\System.sav
2012-09-20 18:25 . 2012-09-20 18:25 -------- d-----w- c:\users\kschumann\AppData\Roaming\WinBatch
2012-09-19 14:24 . 2012-09-19 14:24 175736 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-09-19 14:24 . 2012-09-19 14:24 -------- d-----w- c:\program files\Symantec
2012-09-19 14:23 . 2012-09-19 14:23 81840 ----a-w- c:\windows\system32\FwsVpn.dll
2012-09-19 14:23 . 2012-09-19 14:23 58288 ----a-w- c:\windows\SysWow64\snacnp.dll
2012-09-19 14:23 . 2012-09-19 14:23 42632 ----a-w- c:\windows\system32\drivers\WGX64.SYS
2012-09-19 14:23 . 2012-09-19 14:23 288176 ----a-w- c:\windows\system32\SymVPN.dll
2012-09-19 14:22 . 2012-09-19 14:22 -------- d-----w- c:\programdata\regid.1992_12.com.symantec
2012-09-19 14:22 . 2012-09-19 14:22 -------- d-----w- c:\windows\system32\drivers\SEP\0C01044D
2012-09-19 14:22 . 2012-09-19 14:28 -------- d-----w- C:\TEMP
2012-09-19 14:14 . 2012-09-19 14:14 -------- d-----w- c:\users\Administrator\AppData\Roaming\Ipswitch
2012-09-19 14:14 . 2012-09-19 14:14 -------- d-----w- c:\users\Administrator\AppData\Roaming\Apple Computer
2012-09-19 14:14 . 2012-09-19 14:14 -------- d-----r- c:\users\Administrator\Virtual Machines
2012-09-18 19:31 . 2012-09-18 19:31 -------- d-----w- c:\program files\Microsoft Device Center
2012-09-17 22:34 . 2012-09-17 22:34 -------- d-----w- c:\windows\SysWow64\Adobe
2012-09-17 22:16 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
2012-09-17 22:16 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2012-09-17 22:13 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
2012-09-17 22:13 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
2012-09-17 22:13 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
2012-09-17 22:13 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2012-09-17 22:12 . 2012-06-16 05:16 609792 ----a-w- c:\windows\system32\vbscript.dll
2012-09-17 22:12 . 2012-06-16 05:15 911360 ----a-w- c:\windows\system32\jscript.dll
2012-09-17 22:12 . 2012-06-16 04:26 428032 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-09-17 22:11 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-09-17 22:11 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
2012-09-17 22:11 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
2012-09-17 22:11 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-09-17 22:04 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-09-17 22:04 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
2012-09-14 17:06 . 2012-08-21 18:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-09-14 17:06 . 2012-09-14 17:06 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-09-14 17:06 . 2012-09-14 17:06 -------- d-----w- c:\program files\iTunes
2012-09-14 17:06 . 2012-09-14 17:06 -------- d-----w- c:\program files (x86)\iTunes
2012-09-14 17:06 . 2012-09-14 17:06 -------- d-----w- c:\program files\iPod
2012-09-13 18:13 . 2012-09-27 18:07 -------- d-----w- c:\users\kschumann\AppData\Roaming\webex
2012-09-13 18:12 . 2012-09-13 18:12 -------- d-----w- c:\programdata\WebEx
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-20 20:24 . 2012-06-13 15:34 821736 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-09-20 20:24 . 2010-06-04 18:20 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-09-20 20:23 . 2012-04-13 14:11 696240 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-09-20 20:23 . 2011-06-20 14:17 73136 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-19 14:23 . 2011-08-23 19:14 58288 ----a-w- c:\windows\system32\snacnp.dll
2012-09-17 21:54 . 2011-09-13 14:00 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-09-12 20:33 . 2010-06-04 05:52 87152 ----a-w- c:\windows\system32\cpwmon64.dll
2012-09-07 22:04 . 2010-06-04 05:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-21 18:01 . 2011-03-02 20:35 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-08-21 18:01 . 2011-03-02 20:35 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2012-07-31 19:23 . 2012-07-31 19:23 70016 ----a-w- c:\windows\system32\drivers\S3XXx64.sys
2012-07-09 18:42 . 2012-07-09 18:42 4547984 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-07-09 18:42 . 2012-07-09 18:42 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IMSS"="c:\program files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2009-11-04 111640]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-01-29 52392]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"KeePass 2 PreLoad"="c:\program files (x86)\KeePass Password Safe 2\KeePass.exe" [2011-07-12 1764352]
"Display"="c:\program files (x86)\APC\PowerChute Personal Edition\DataCollectionLauncher.exe" [2012-01-24 284024]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2009-6-3 164904]
APC UPS Status.lnk - c:\program files (x86)\APC\PowerChute Personal Edition\Display.exe [2012-1-24 271736]
APCSystemCheck.exe [2012-9-27 207088]
Ipswitch WS_FTP Connector.lnk - c:\program files (x86)\Ipswitch\Ad Hoc Transfer Plug-in for Outlook\AHTClientNotifier.exe [2011-6-20 276600]
Windows Helper.exe [2012-9-26 207088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDFSTab"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-20 250288]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [2010-12-21 36328]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-10-30 244736]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-21 129976]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [2009-05-19 702976]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 S3XXx64;SCR3xx USB SmartCardReader64;c:\windows\system32\DRIVERS\S3XXx64.sys [2012-07-31 70016]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2011-01-03 157160]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2011-01-03 16872]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2011-01-03 177128]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-02 1255736]
R4 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-08-13 3064000]
R4 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
S0 SymDS;Symantec Data Store;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMDS64.SYS [2012-09-19 451192]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMEFA64.SYS [2012-09-19 932472]
S1 BHDrvx64;BHDrvx64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\BASHDefs\20120928.011\BHDrvx64.sys [2012-09-20 1385120]
S1 dwvkbd;DameWare Virtual Keyboard 64 bit Driver;c:\windows\system32\DRIVERS\dwvkbd64.sys [2007-02-15 30720]
S1 IDSVia64;IDSVia64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\IPSDefs\20120928.001\IDSvia64.sys [2012-09-19 513184]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\Ironx64.SYS [2012-09-19 171128]
S1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMNETS.SYS [2012-09-19 386168]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 277032]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 APC Data Service;APC Data Service;c:\program files (x86)\APC\PowerChute Personal Edition\dataserv.exe [2012-01-24 21880]
S2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [2010-02-11 125952]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 PDQDeploy;PDQ Deploy;c:\program files (x86)\Admin Arsenal\PDQ Deploy\PDQDeployService.exe service [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SepMasterService;Symantec Endpoint Protection;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe [2012-09-19 137208]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-11-04 2320920]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-06-01 609904]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2009-12-10 294064]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-09-19 138912]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-06-27 46176]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 20:23]
.
2012-10-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2189930568-385197328-2709175921-12738Core.job
- c:\users\kschumann\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-20 20:22]
.
2012-10-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2189930568-385197328-2709175921-12738UA.job
- c:\users\kschumann\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-20 20:22]
.
2012-10-01 c:\windows\Tasks\HPCeeScheduleForkschumann.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 03:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 196648]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 483880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-12-08 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-12-08 390168]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-12-08 409624]
"IntelliType Pro"="c:\program files\Microsoft Device Center\itype.exe" [2012-06-27 1464928]
"IntelliPoint"="c:\program files\Microsoft Device Center\ipoint.exe" [2012-06-27 2004584]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-09-20 11855976]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://intranet.kbsi.com/IT/Portal/Lists/CMDB/People.aspx
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: kbsi-cs.com\jackalfish
Trusted Zone: kbsi-cs.com\jftest
Trusted Zone: kbsi.com\intranet
Trusted Zone: kbsi.com\mail
Trusted Zone: kbsi.com\mysites
Trusted Zone: kbsi.com\remoteapps
Trusted Zone: kbsi.com\search
TCP: DhcpNameServer = 10.10.0.6 10.10.0.7
DPF: iLO 2 Remote Console Applet - hxxps://10.10.50.118/dvc.cab
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
FF - ProfilePath - c:\users\kschumann\AppData\Roaming\Mozilla\Firefox\Profiles\lytc5gze.default\
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=139&systemid=406&sr=0&q=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
FF - user.js: extensions.autoDisableScopes - 14);//iBryteuser_pref(extensions.BabylonToolbar_i.babTrack, affID=110014
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 8c9379070000000000004061867a8de9
FF - user.js: extensions.BabylonToolbar_i.hardId - 8c9379070000000000004061867a8de9
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15434
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1716:23
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
------- File Associations -------
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=c:\windows\System32\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Notify-SEP - c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\WinLogoutNotifier.dll
SafeBoot-ccEvtMgr
SafeBoot-ccSetMgr
SafeBoot-Symantec Antivirus
SafeBoot-Symantec Antvirus
Toolbar-10 - (no file)
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SepMasterService]
"ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SmcService]
"ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\Smc.exe\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SPBBCDrv]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\APC\PowerChute Personal Edition\mainserv.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Windows Helper.exe
c:\program files (x86)\APC\PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2012-10-01 17:48:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-01 22:48
.
Pre-Run: 67,708,698,624 bytes free
Post-Run: 67,574,546,432 bytes free
.
- - End Of File - - 97C95561B4E9327F8532798A0CC5F9E3

Edited by hamluis, 02 October 2012 - 12:51 PM.
Moved from Win 7 to Malware Removal Logs - Hamluis.
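
As an added example (not part of the original post, and not ComboFix or any other tool's own output), the following PowerShell script collects the same indicators the ComboFix log above was read for, on a live machine: hosts file entries, statically set DNS servers, the contents of the all-users and per-user Startup folders with size, SHA-256 and Authenticode status, the Run keys in both registry views, the EnableLUA and LoadAppInit_DLLs values, and running processes whose image lives under ProgramData or a user profile. It assumes Windows 7 or later with PowerShell 2.0 or newer and an elevated prompt; the "expected" values it compares against (UAC on, AppInit_DLLs loading off, DNS from DHCP) are assumptions about a clean corporate workstation, not facts from this thread. The paths it looks at are the ones that appear in the log; the output file name is an arbitrary choice.

```powershell
# Added triage script, not part of the original post or of ComboFix.
# Assumptions: Windows 7 or later, PowerShell 2.0+, run from an elevated prompt.
# The locations checked are the ones the ComboFix log above flags (hosts file,
# DNS servers, the Startup folders, Run keys, EnableLUA, LoadAppInit_DLLs,
# processes running from ProgramData or a user profile). The "expected" values
# (EnableLUA=1, LoadAppInit_DLLs=0, DNS from DHCP) are assumptions about a clean
# corporate workstation. Everything is reported for review; nothing is a verdict,
# and nothing on the machine is changed.

$findings = New-Object 'System.Collections.Generic.List[string]'

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash only exists from PowerShell 4.0, so hash with .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '').ToLower() }
    finally { $fs.Close() }
}

# 1. hosts file: every non-comment, non-blank line is a candidate redirect/block entry.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsFile | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    ForEach-Object { $findings.Add("hosts: $_") }

# 2. DNS: a non-empty NameServer value means static DNS is overriding what DHCP
#    handed out (ComboFix prints DhcpNameServer from these same interface keys).
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem $ifRoot | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.NameServer) {
        $findings.Add("dns: static $($p.NameServer) on $($_.PSChildName) (DHCP offered: $($p.DhcpNameServer))")
    }
}

# 3. Startup folders. -Force is required: the log shows APCSystemCheck.exe carrying the
#    hidden attribute. Size plus hash makes duplicate droppers obvious (Windows Helper.exe
#    and APCSystemCheck.exe are both 207088 bytes in the log).
$startupDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $hidden = [bool]($_.Attributes -band [System.IO.FileAttributes]::Hidden)
            $sig    = (Get-AuthenticodeSignature $_.FullName).Status
            $hash   = Get-Sha256Hex $_.FullName
            $findings.Add("startup: $($_.FullName) size=$($_.Length) sha256=$hash sig=$sig hidden=$hidden")
        }
}

# 4. Run keys: native and WOW6432Node views for the machine, plus the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop PSPath/PSChildName/... noise
            ForEach-Object { $findings.Add("run: $key\$($_.Name) = $($_.Value)") }
    }
}

# 5. Policy values ComboFix flagged: UAC switched off and AppInit_DLLs loading enabled.
$policy = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'EnableLUA';        Expect = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';             Name = 'LoadAppInit_DLLs'; Expect = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'LoadAppInit_DLLs'; Expect = 0 }
)
foreach ($c in $policy) {
    $item = Get-ItemProperty $c.Key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    $v = $item.($c.Name)
    if ($v -ne $null -and $v -ne $c.Expect) {
        $findings.Add("policy: $($c.Key)\$($c.Name) = $v (expected $($c.Expect))")
        if ($c.Name -eq 'LoadAppInit_DLLs') {
            # when loading is on, this list is what gets injected into every process that loads user32
            $findings.Add("policy: $($c.Key)\AppInit_DLLs = '$($item.AppInit_DLLs)'")
        }
    }
}

# 6. Processes whose image lives under ProgramData or a user profile. Noisy (Chrome,
#    Spotify and Skype run from there too), but it is where Windows Helper.exe ran from.
Get-WmiObject Win32_Process |
    Where-Object { $_.ExecutablePath -and
                   ($_.ExecutablePath -like "$env:ProgramData\*" -or
                    $_.ExecutablePath -like "$env:SystemDrive\Users\*") } |
    ForEach-Object { $findings.Add("process: pid=$($_.ProcessId) ppid=$($_.ParentProcessId) $($_.ExecutablePath)") }

# Show on screen and keep a copy next to the ComboFix log for the IT/security team.
$findings | Tee-Object -FilePath (Join-Path $env:USERPROFILE 'Desktop\triage.txt')
```

Run it from an elevated PowerShell prompt and read the list rather than acting on it: two Startup entries with the same size and hash, an unsigned binary in system32, a static DNS server nobody configured, or EnableLUA=0 on a domain-joined workstation are the things to pull out for the incident write-up, and the hashes give the IT team something to search the rest of the fleet for.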



#2 outlaw08

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:27 PM

Posted 02 October 2012 - 03:27 PM

Have been able to isolate the beeping to only happen when the "a" key is pressed, not sure if that is going to help or not but definitely a symptom worth noting.

#3 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:27 PM

Posted 04 October 2012 - 08:56 AM

Hello outlaw08,

I would urge you to report all this to your company's management and to the system administrator / IT help desk.
Your company & client information 'may' be at risk.
Also, in a company environment, the safest & fastest remedy is to wipe the system, and restore from a recent clean system backup.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#4 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:27 PM

Posted 06 October 2012 - 11:40 AM

Would you provide a status update? Did you resolve the issue through management?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 outlaw08

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:27 PM

Posted 08 October 2012 - 09:44 AM

I have noticed a process called Chrome instead of Google Chrome, but your answer is not a legitimate answer for my case.

#6 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:27 PM

Posted 08 October 2012 - 11:09 AM

Hello outlaw08,

Is this system owned by you? I had the impression this system is in a corporate / organization setup.
Clarify the situation for me.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#7 outlaw08

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:27 PM

Posted 08 October 2012 - 11:19 AM

It is, but I am the admin. I am trying to get rid of the problem so that I have the knowledge of how to fix others in the future with the same issue. Doing what you suggest is the easy way out. Hope that clarifies my position.

#8 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:27 PM

Posted 08 October 2012 - 11:26 AM

Refresh my memory and outline what the problem(s) are.


Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both: log.txt (<<will be maximized) and info.txt (<<will be minimized).

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#9 outlaw08

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:27 PM

Posted 08 October 2012 - 11:37 AM

There is a chrome.exe *32 process running that comes up as Chrome instead of Google Chrome (at least it did this last time before I killed it, and I have not had any issues since). It causes all sorts of fun issues that I have detailed above. Here are the contents of the two log files:

Logfile of random's system information tool 1.09 (written by random/random)
Run by kschumann at 2012-10-08 11:32:39
Microsoft Windows 7 Enterprise Service Pack 1
System drive C: has 63 GB (41%) free of 153 GB
Total RAM: 7991 MB (34% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:32:47 AM, on 10/8/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe
C:\Program Files (x86)\Ipswitch\Ad Hoc Transfer Plug-in for Outlook\AHTClientNotifier.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\APC\PowerChute Personal Edition\apcsystray.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\kschumann\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Users\kschumann\AppData\Roaming\Spotify\Spotify.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\kschumann\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\kschumann\Downloads\RSIT.exe
C:\Program Files (x86)\trend micro\kschumann.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://intranet.kbsi.com/IT/Portal/Lists/CMDB/People.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\bin\IPS\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
O4 - HKLM\..\Run: [Display] C:\Program Files (x86)\APC\PowerChute Personal Edition\DataCollectionLauncher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\kschumann\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
O4 - Global Startup: ActivClient Agent.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Ipswitch WS_FTP Connector.lnk = ?
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O15 - Trusted Zone: jackalfish.kbsi-cs.com
O15 - Trusted Zone: jftest.kbsi-cs.com
O15 - Trusted Zone: search.kbsi.com
O16 - DPF: iLO 2 Remote Console Applet - https://10.10.50.118/dvc.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file:///D:/components/hidinputmonitorx.ocx
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file:///D:/components/A9.ocx
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file:///D:/components/wmvhdrating.ocx
O16 - DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574} (VMware Remote Console Plug-in 2.5.0.00000) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kbsi-cs.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kbsi-cs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kbsi-cs.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: SEP - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\WinLogoutNotifier.dll (file missing)
O23 - Service: ActivIdentity Shared Store Service (ac.sharedstore) - ActivIdentity - C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: APC Data Service - Schneider Electric - C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe
O23 - Service: APC UPS Service - Schneider Electric - C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Broadcom Management Agent (BrcmMgmtAgent) - Broadcom Corporation - C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: HP Support Assistant Service - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
O23 - Service: HP Quick Synchronization Service (HPDrvMntSvc.exe) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PDQ Deploy (PDQDeploy) - Admin Arsenal - C:\Program Files (x86)\Admin Arsenal\PDQ Deploy\PDQDeployService.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Endpoint Protection (SepMasterService) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\snac64.exe
O23 - Service: SNMP Trap (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 13356 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Adobe Flash Player Updater.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2189930568-385197328-2709175921-12738Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2189930568-385197328-2709175921-12738UA.job
C:\Windows\tasks\HPCeeScheduleForkschumann.job

=========Mozilla firefox=========

ProfilePath - C:\Users\kschumann\AppData\Roaming\Mozilla\Firefox\Profiles\lytc5gze.default

prefs.js - "browser.startup.homepage" - "http://www.google.com/"
prefs.js - "keyword.URL" - "http://dts.search-results.com/sr?src=ffb&appid=139&systemid=406&sr=0&q="

"{BBDA0591-3099-440a-AA10-41764D9DB4DB}"=C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\IPSFFPlgn\


[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Description"=Adobe® Flash® Player 11.4.402.278 Plugin
"Path"=C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_278.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@adobe.com/ShockwavePlayer]
"Description"=Adobe Shockwave Player
"Path"=C:\Windows\SysWOW64\Adobe\Director\np32dsw_1166636.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Apple.com/iTunes,version=]
"Description"=iTunes Detector Plug-in
"Path"=

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Apple.com/iTunes,version=1.0]
"Description"=
"Path"=C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/DTPlugin,version=10.7.2]
"Description"=Java™ Deployment Toolkit
"Path"=C:\Windows\SysWOW64\npDeployJava1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2]
"Description"=Oracle® Next Generation Java™ Plug-In
"Path"=C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/GENUINE]
"Description"=
"Path"=C:\Windows\system32\Wat\npWatWeb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0]
"Description"=Ag Player Plugin
"Path"=c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3]
"Description"=Office Live Update v1.3
"Path"=C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videolan.org/vlc,version=2.0.1]
"Description"=VLC Multimedia Plugin
"Path"=C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@vmware.com/vmrc,version=2.5.0.00000]
"Description"=VMware VMRC Browser Plugin
"Path"=C:\Program Files (x86)\Common Files\VMware\VMware VMRC Plug-in\Firefox\np-vmware-vmrc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@vmware.com/vmrc,version=5.1.0.00000]
"Description"=VMware VMRC Browser Plugin
"Path"=C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.1\Firefox\np-vmware-vmrc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\Adobe Reader]
"Description"=Handles PDFs in-place in Firefox
"Path"=C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

C:\Program Files (x86)\Mozilla Firefox\extensions\
{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
{972ce4c6-7e08-4474-a285-3208198ce6fd}

C:\Program Files (x86)\Mozilla Firefox\components\
binary.manifest
browsercomps.dll
nsIQTScriptablePlugin.xpt

C:\Program Files (x86)\Mozilla Firefox\plugins\
nppdf32.dll
npqtplugin.dll
npqtplugin2.dll
npqtplugin3.dll
npqtplugin4.dll
npqtplugin5.dll
npqtplugin6.dll
npqtplugin7.dll
QuickTimePlugin.class

C:\Program Files (x86)\Mozilla Firefox\searchplugins\
amazondotcom.xml
bing.xml
eBay.xml
google.xml
Search_Results.xml
twitter.xml
wikipedia.xml
yahoo.xml

C:\Users\kschumann\AppData\Roaming\Mozilla\Firefox\Profiles\lytc5gze.default\searchplugins\
Search_Results.xml

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-07-27 63944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\bin\IPS\IPSBHO.DLL [2012-09-19 210872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26 2217832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2012-09-20 449512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}]
Skype Browser Helper - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2012-08-13 4120256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2012-09-20 157672]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMSS"=C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [2009-11-04 111640]
"VirtualCloneDrive"=C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [2009-01-29 52392]
"GrooveMonitor"=C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [2009-02-26 30040]
"KeePass 2 PreLoad"=C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2011-07-12 1764352]
"Display"=C:\Program Files (x86)\APC\PowerChute Personal Edition\DataCollectionLauncher.exe [2012-01-24 284024]
"SunJavaUpdateSched"=C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2012-07-03 252848]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"=C:\Users\kschumann\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [2012-08-21 1193176]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
ActivClient Agent.lnk - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
APC UPS Status.lnk - C:\Program Files (x86)\APC\PowerChute Personal Edition\Display.exe
Ipswitch WS_FTP Connector.lnk - C:\Program Files (x86)\Ipswitch\Ad Hoc Transfer Plug-in for Outlook\AHTClientNotifier.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SEP]
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\WinLogoutNotifier.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26 2217832]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SepMasterService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SmcService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=0
"ConsentPromptBehaviorUser"=3
"EnableLUA"=0
"EnableUIADesktopToggle"=1
"PromptOnSecureDesktop"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"disablecad"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDFSTab"=1
"Intellimenus"=1
"NoDesktopCleanupWizard"=1
"ForceStartMenuLogOff"=1
"NoRecentDocsNetHood"=1
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.msadpcm"=msadp32.acm
"midimapper"=midimap.dll
"wavemapper"=msacm32.drv
"vidc.uyvy"=msyuv.dll
"vidc.yuy2"=msyuv.dll
"vidc.yvyu"=msyuv.dll
"vidc.iyuv"=iyuv_32.dll
"vidc.i420"=iyuv_32.dll
"vidc.yvu9"=tsbyuv.dll
"msacm.l3acm"=C:\Windows\SysWOW64\l3codeca.acm
"vidc.cvid"=iccvid.dll
"wave1"=wdmaud.drv
"midi1"=wdmaud.drv
"mixer1"=wdmaud.drv
"aux1"=wdmaud.drv
"vidc.tscc"=tsccvid.dll
"msacm.voxacm160"=vct3216.acm
"vidc.divx"=divx.dll
"vidc.yv12"=divx.dll
"vidc.xvid"=xvidvfw.dll
"vidc.ffds"=ff_vfw.dll
"msacm.ac3filter"=ac3filter.acm
"msacm.divxa32"=DivXa32.acm
"msacm.lameacm"=LameACM.acm
"wave2"=wdmaud.drv
"midi2"=wdmaud.drv
"mixer2"=wdmaud.drv
"aux2"=wdmaud.drv
"wave3"=wdmaud.drv
"midi3"=wdmaud.drv
"mixer3"=wdmaud.drv
"aux3"=wdmaud.drv
"wave4"=wdmaud.drv
"midi4"=wdmaud.drv
"mixer4"=wdmaud.drv
"aux4"=wdmaud.drv
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"aux"=wdmaud.drv
"wave5"=wdmaud.drv
"midi5"=wdmaud.drv
"mixer5"=wdmaud.drv
"aux5"=wdmaud.drv

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1

======List of files/folders created in the last 3 months======

2012-10-08 11:32:39 ----D---- C:\rsit
2012-10-08 11:32:39 ----D---- C:\Program Files (x86)\trend micro
2012-10-04 13:50:21 ----D---- C:\Windows\LastGood
2012-10-01 17:48:29 ----A---- C:\ComboFix.txt
2012-10-01 17:34:15 ----D---- C:\$RECYCLE.BIN
2012-10-01 17:21:14 ----A---- C:\Windows\zip.exe
2012-10-01 17:21:14 ----A---- C:\Windows\SWSC.exe
2012-10-01 17:21:14 ----A---- C:\Windows\SWREG.exe
2012-10-01 17:21:14 ----A---- C:\Windows\sed.exe
2012-10-01 17:21:14 ----A---- C:\Windows\PEV.exe
2012-10-01 17:21:14 ----A---- C:\Windows\NIRCMD.exe
2012-10-01 17:21:14 ----A---- C:\Windows\MBR.exe
2012-10-01 17:21:14 ----A---- C:\Windows\grep.exe
2012-10-01 17:20:56 ----D---- C:\Qoobox
2012-10-01 16:53:28 ----A---- C:\TDSSKiller.2.8.10.0_01.10.2012_16.53.28_log.txt
2012-10-01 16:50:16 ----A---- C:\TDSSKiller.2.7.48.0_01.10.2012_16.50.16_log.txt
2012-10-01 16:32:59 ----D---- C:\Windows\erdnt
2012-09-27 10:22:13 ----D---- C:\Windows\Sun
2012-09-26 11:40:17 ----D---- C:\Users\kschumann\AppData\Roaming\vlc
2012-09-26 09:18:30 ----A---- C:\Windows\SysWOW64\mshtmled.dll
2012-09-26 09:18:28 ----A---- C:\Windows\SysWOW64\mshtml.dll
2012-09-26 09:18:28 ----A---- C:\Windows\SysWOW64\iertutil.dll
2012-09-26 09:18:27 ----A---- C:\Windows\SysWOW64\wininet.dll
2012-09-26 09:18:27 ----A---- C:\Windows\SysWOW64\msfeeds.dll
2012-09-26 09:18:27 ----A---- C:\Windows\SysWOW64\ieui.dll
2012-09-26 09:18:26 ----A---- C:\Windows\SysWOW64\url.dll
2012-09-26 09:18:26 ----A---- C:\Windows\SysWOW64\jsproxy.dll
2012-09-26 09:18:25 ----A---- C:\Windows\SysWOW64\urlmon.dll
2012-09-26 09:18:21 ----A---- C:\Windows\SysWOW64\ieframe.dll
2012-09-23 18:59:47 ----A---- C:\Windows\SysWOW64\PerfStringBackup.INI
2012-09-21 16:11:22 ----A---- C:\Windows\remoterunnerdebuglog.txt
2012-09-21 16:11:21 ----D---- C:\Windows\PDQDeployRunner
2012-09-21 15:58:10 ----D---- C:\installers
2012-09-21 15:31:36 ----D---- C:\Windows\pss
2012-09-21 10:42:14 ----D---- C:\ProgramData\Geek Squad
2012-09-20 15:24:58 ----D---- C:\Program Files (x86)\Common Files\Java
2012-09-20 15:24:56 ----A---- C:\Windows\SysWOW64\javaws.exe
2012-09-20 15:24:49 ----A---- C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-09-20 15:24:49 ----A---- C:\Windows\SysWOW64\javaw.exe
2012-09-20 15:24:49 ----A---- C:\Windows\SysWOW64\java.exe
2012-09-20 13:34:57 ----D---- C:\Windows\SysWOW64\RTCOM
2012-09-20 13:34:42 ----A---- C:\Windows\SysWOW64\SFCOM.dll
2012-09-20 13:34:41 ----HD---- C:\Program Files (x86)\Temp
2012-09-20 13:34:41 ----D---- C:\Program Files (x86)\Realtek
2012-09-20 13:34:40 ----A---- C:\Windows\RtlExUpd.dll
2012-09-20 13:34:36 ----D---- C:\Program Files (x86)\Common Files\InstallShield
2012-09-20 13:34:14 ----D---- C:\Users\kschumann\AppData\Roaming\Hewlett-Packard
2012-09-20 13:26:46 ----D---- C:\ProgramData\Hewlett-Packard
2012-09-20 13:26:34 ----D---- C:\Users\kschumann\AppData\Roaming\hpqLog
2012-09-20 13:26:34 ----D---- C:\Program Files (x86)\Hewlett-Packard
2012-09-20 13:26:26 ----D---- C:\ProgramData\{A8DA1505-E615-42BB-BB77-74D5CC91FE7E}
2012-09-20 13:26:11 ----D---- C:\System.sav
2012-09-20 13:25:51 ----D---- C:\Users\kschumann\AppData\Roaming\WinBatch
2012-09-19 09:23:02 ----A---- C:\Windows\SysWOW64\snacnp.dll
2012-09-19 09:22:58 ----D---- C:\ProgramData\regid.1992_12.com.symantec
2012-09-19 09:22:05 ----D---- C:\TEMP
2012-09-17 17:34:44 ----D---- C:\Windows\SysWOW64\Adobe
2012-09-17 17:16:11 ----A---- C:\Windows\SysWOW64\srclient.dll
2012-09-17 17:13:56 ----A---- C:\Windows\SysWOW64\win32spl.dll
2012-09-17 17:13:56 ----A---- C:\Windows\splwow64.exe
2012-09-17 17:12:06 ----A---- C:\Windows\SysWOW64\vbscript.dll
2012-09-17 17:12:06 ----A---- C:\Windows\SysWOW64\jscript.dll
2012-09-17 17:11:44 ----A---- C:\Windows\SysWOW64\netapi32.dll
2012-09-17 17:11:44 ----A---- C:\Windows\SysWOW64\browcli.dll
2012-09-14 12:06:17 ----D---- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-09-14 12:06:17 ----D---- C:\Program Files (x86)\iTunes
2012-09-13 13:13:04 ----D---- C:\Users\kschumann\AppData\Roaming\webex
2012-09-13 13:12:23 ----D---- C:\ProgramData\WebEx
2012-08-28 13:07:17 ----D---- C:\ProgramData\Admin Arsenal
2012-08-28 13:07:11 ----D---- C:\Program Files (x86)\Admin Arsenal
2012-08-28 12:42:34 ----D---- C:\Program Files (x86)\Citrix
2012-08-16 14:25:08 ----D---- C:\Mount
2012-08-14 16:50:39 ----A---- C:\Windows\SysWOW64\msxml3r.dll
2012-08-14 16:50:38 ----A---- C:\Windows\SysWOW64\msxml6.dll
2012-08-14 16:50:38 ----A---- C:\Windows\SysWOW64\msxml3.dll
2012-08-14 16:49:57 ----A---- C:\Windows\SysWOW64\shell32.dll
2012-08-14 16:49:18 ----A---- C:\Windows\SysWOW64\schannel.dll
2012-08-14 16:49:17 ----A---- C:\Windows\SysWOW64\sspicli.dll
2012-08-14 16:49:17 ----A---- C:\Windows\SysWOW64\secur32.dll
2012-08-14 16:49:17 ----A---- C:\Windows\SysWOW64\ncrypt.dll
2012-08-14 16:42:50 ----A---- C:\Windows\SysWOW64\cryptsvc.dll
2012-08-14 16:42:50 ----A---- C:\Windows\SysWOW64\cryptnet.dll
2012-08-14 16:42:49 ----A---- C:\Windows\SysWOW64\crypt32.dll
2012-08-14 16:41:44 ----A---- C:\Windows\SysWOW64\cdosys.dll
2012-07-30 11:20:27 ----A---- C:\Windows\SysWOW64\qdvd.dll
2012-07-30 11:15:07 ----A---- C:\Windows\SysWOW64\ntoskrnl.exe
2012-07-30 11:15:07 ----A---- C:\Windows\SysWOW64\ntkrnlpa.exe
2012-07-30 11:13:33 ----A---- C:\Windows\SysWOW64\msi.dll

======List of files/folders modified in the last 3 months======

2012-10-08 11:32:47 ----D---- C:\Windows\Temp
2012-10-08 11:32:47 ----D---- C:\Windows\Prefetch
2012-10-08 11:32:39 ----RD---- C:\Program Files (x86)
2012-10-08 11:25:10 ----D---- C:\Users\kschumann\AppData\Roaming\Skype
2012-10-08 10:15:02 ----D---- C:\Users\kschumann\AppData\Roaming\Spotify
2012-10-05 16:03:26 ----D---- C:\Users\kschumann\AppData\Roaming\VMware
2012-10-05 13:31:25 ----D---- C:\Windows\Tasks
2012-10-04 13:50:32 ----D---- C:\Windows\inf
2012-10-04 13:50:21 ----D---- C:\Windows
2012-10-04 11:16:44 ----D---- C:\Windows\System32
2012-10-04 11:04:14 ----D---- C:\Users\kschumann\AppData\Roaming\Apple Computer
2012-10-03 09:17:47 ----A---- C:\Windows\SysWOW64\log.txt
2012-10-03 09:16:30 ----SHD---- C:\System Volume Information
2012-10-02 19:51:55 ----A---- C:\Windows\SysWOW64\PCPELog.txt
2012-10-02 10:06:27 ----SHD---- C:\Windows\Installer
2012-10-02 10:04:54 ----D---- C:\Program Files (x86)\Common Files\VMware
2012-10-01 17:34:32 ----A---- C:\Windows\system.ini
2012-10-01 17:26:37 ----D---- C:\Windows\SysWOW64\drivers
2012-10-01 17:26:37 ----D---- C:\Windows\SysWOW64
2012-10-01 17:26:37 ----D---- C:\Windows\AppPatch
2012-10-01 17:26:36 ----D---- C:\Program Files (x86)\Common Files
2012-10-01 16:23:57 ----D---- C:\ProgramData
2012-10-01 11:54:14 ----D---- C:\Users\kschumann\AppData\Roaming\KeePass
2012-09-28 11:53:43 ----D---- C:\Windows\winsxs
2012-09-28 09:28:05 ----D---- C:\imaging
2012-09-26 14:52:51 ----D---- C:\ProgramData\Skype
2012-09-26 13:30:07 ----D---- C:\Windows\SysWOW64\migration
2012-09-26 13:30:07 ----D---- C:\Program Files (x86)\Internet Explorer
2012-09-26 11:35:06 ----D---- C:\swsetup
2012-09-26 09:51:50 ----SD---- C:\Users\kschumann\AppData\Roaming\Microsoft
2012-09-21 10:09:18 ----RD---- C:\Users
2012-09-20 15:25:41 ----RD---- C:\Program Files
2012-09-20 15:24:46 ----A---- C:\Windows\SysWOW64\npdeployJava1.dll
2012-09-20 15:24:46 ----A---- C:\Windows\SysWOW64\deployJava1.dll
2012-09-20 15:24:45 ----D---- C:\Program Files (x86)\Java
2012-09-20 15:23:47 ----A---- C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-09-20 15:18:46 ----D---- C:\Program Files (x86)\Common Files\AOL
2012-09-20 13:34:41 ----HD---- C:\Program Files (x86)\InstallShield Installation Information
2012-09-20 13:31:55 ----RSD---- C:\Windows\assembly
2012-09-20 13:28:31 ----D---- C:\Windows\Help
2012-09-19 09:22:32 ----D---- C:\ProgramData\Symantec
2012-09-18 14:31:08 ----RSD---- C:\Windows\Fonts
2012-09-17 17:17:51 ----D---- C:\ProgramData\Microsoft Help
2012-09-17 15:57:26 ----D---- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-14 12:06:17 ----D---- C:\Program Files (x86)\Common Files\Apple
2012-09-05 11:57:55 ----D---- C:\Windows\Minidump
2012-08-29 10:58:36 ----D---- C:\Windows\Microsoft.NET
2012-08-28 13:02:04 ----D---- C:\Windows\SysWOW64\en-US
2012-08-28 13:01:38 ----D---- C:\Program Files (x86)\Microsoft.NET
2012-08-27 16:41:35 ----D---- C:\ProgramData\Spybot - Search & Destroy
2012-08-27 16:40:30 ----D---- C:\Program Files (x86)\Spybot - Search & Destroy
2012-08-21 13:01:20 ----A---- C:\Windows\SysWOW64\GEARAspi.dll
2012-08-20 15:19:43 ----D---- C:\Program Files (x86)\Common Files\Adobe
2012-08-14 17:36:11 ----D---- C:\Windows\rescache
2012-08-14 16:51:02 ----A---- C:\Windows\win.ini
2012-07-30 11:13:12 ----RD---- C:\Program Files (x86)\Skype
2012-07-09 14:47:29 ----D---- C:\Windows\Downloaded Program Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys []
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys []
R0 SymDS;Symantec Data Store; C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMDS64.SYS []
R0 SymEFA;Symantec Extended File Attributes; C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMEFA64.SYS []
R0 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\Windows\system32\drivers\vmbus.sys []
R1 BHDrvx64;BHDrvx64; \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\BASHDefs\20120928.011\BHDrvx64.sys [2012-09-20 1385120]
R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys []
R1 dwvkbd;DameWare Virtual Keyboard 64 bit Driver; C:\Windows\system32\DRIVERS\dwvkbd64.sys []
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [2012-08-08 484512]
R1 ElbyCDIO;ElbyCDIO Driver; C:\Windows\System32\Drivers\ElbyCDIO.sys []
R1 IDSVia64;IDSVia64; \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\IPSDefs\20121005.002\IDSvia64.sys [2012-09-18 513184]
R1 SRTSP;Symantec Real Time Storage Protection x64; C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SRTSP64.SYS []
R1 SRTSPX;Symantec Real Time Storage Protection (PEL) x64; C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SRTSPX64.SYS []
R1 SymIRON;Symantec Iron Driver; C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\Ironx64.SYS []
R1 SYMNETS;Symantec Network Security WFP Driver; C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMNETS.SYS []
R1 vpcnfltr;Virtual PC Network Filter Driver; C:\Windows\system32\DRIVERS\vpcnfltr.sys []
R1 vpcvmm;@%SystemRoot%\system32\drivers\vpcvmm.sys,-100; C:\Windows\system32\drivers\vpcvmm.sys []
R1 vwififlt;Virtual WiFi Filter Driver; C:\Windows\system32\DRIVERS\vwififlt.sys []
R2 hcmon;VMware hcmon; \??\C:\Windows\system32\drivers\hcmon.sys []
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K; C:\Windows\system32\DRIVERS\e1k62x64.sys []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-09-19 138912]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys []
R3 HECIx64;Intel® Management Engine Interface; C:\Windows\system32\DRIVERS\HECIx64.sys []
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd64.sys []
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys []
R3 NAVENG;NAVENG; \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\VirusDefs\20121007.005\ENG64.SYS [2012-09-23 126112]
R3 NAVEX15;NAVEX15; \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\VirusDefs\20121007.005\EX64.SYS [2012-09-23 2084000]
R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver; C:\Windows\system32\DRIVERS\point64.sys []
R3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys []
R3 SymEvent;SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS []
R3 TPM;TPM; C:\Windows\system32\drivers\tpm.sys []
R3 VClone;VClone; C:\Windows\system32\DRIVERS\VClone.sys []
R3 vpcbus;Virtual PC Host Bus Service; C:\Windows\system32\DRIVERS\vpchbus.sys []
R3 vpcusb;USB Virtualization Connector Service; C:\Windows\system32\DRIVERS\vpcusb.sys []
R3 WinUsb;WinUsb; C:\Windows\system32\DRIVERS\WinUSB.sys []
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver; C:\Windows\System32\Drivers\ssadadb.sys []
S3 Blfp;Broadcom Advanced Server Program Driver; C:\Windows\system32\DRIVERS\basp.sys []
S3 BridgeMP;@%SystemRoot%\system32\bridgeres.dll,-1; C:\Windows\system32\DRIVERS\bridge.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 IntcDAud;Intel® Display Audio; C:\Windows\system32\DRIVERS\IntcDAud.sys []
S3 netr28x;Ralink 802.11n Extensible Wireless Driver; C:\Windows\system32\DRIVERS\netr28x.sys []
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver; C:\Windows\System32\drivers\rdpvideominiport.sys []
S3 s3cap;s3cap; C:\Windows\system32\drivers\vms3cap.sys []
S3 S3XXx64;SCR3xx USB SmartCardReader64; C:\Windows\system32\DRIVERS\S3XXx64.sys []
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM); C:\Windows\system32\DRIVERS\ssadbus.sys []
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter); C:\Windows\system32\DRIVERS\ssadmdfl.sys []
S3 ssadmdm;SAMSUNG Android USB Modem Drivers; C:\Windows\system32\DRIVERS\ssadmdm.sys []
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\Windows\system32\DRIVERS\sscdbus.sys []
S3 sscdmdfl;SAMSUNG Mobile Modem Filter; C:\Windows\system32\DRIVERS\sscdmdfl.sys []
S3 sscdmdm;SAMSUNG Mobile Modem Drivers; C:\Windows\system32\DRIVERS\sscdmdm.sys []
S3 storvsc;storvsc; C:\Windows\system32\drivers\storvsc.sys []
S3 Synth3dVsc;Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys []
S3 TsUsbFlt;TsUsbFlt; C:\Windows\system32\drivers\tsusbflt.sys []
S3 tsusbhub;@%SystemRoot%\system32\drivers\tsusbhub.sys,-1; C:\Windows\system32\drivers\tsusbhub.sys []
S3 USBAAPL64;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl64.sys []
S3 VGPU;VGPU; C:\Windows\System32\drivers\rdvgkmd.sys []
S3 VMBusHID;VMBusHID; C:\Windows\system32\drivers\VMBusHID.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ac.sharedstore;ActivIdentity Shared Store Service; C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 277032]
R2 AdobeARMservice;Adobe Acrobat Update Service; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
R2 APC Data Service;APC Data Service; C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe [2012-01-24 21880]
R2 APC UPS Service;APC UPS Service; C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe [2012-01-24 705912]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2012-08-11 55184]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2011-08-30 462184]
R2 BrcmMgmtAgent;Broadcom Management Agent; C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [2010-02-11 125952]
R2 HP Support Assistant Service;HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service; C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
R2 IISADMIN;@%windir%\system32\inetsrv\iisres.dll,-30007; C:\Windows\system32\inetsrv\inetinfo.exe []
R2 LMS;Intel® Management and Security Application Local Management Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe [2009-11-04 268824]
R2 SepMasterService;Symantec Endpoint Protection; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe [2012-09-19 137208]
R2 UNS;Intel® Management & Security Application User Notification Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-11-04 2320920]
R2 VMUSBArbService;VMware USB Arbitration Service; C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2012-07-06 856728]
R3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R3 SmcService;Symantec Management Client; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\Smc.exe [2012-09-19 2601544]
R3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S2 PDQDeploy;PDQ Deploy; C:\Program Files (x86)\Admin Arsenal\PDQ Deploy\PDQDeployService.exe [2012-06-25 56504]
S2 SBSDWSCService;SBSD Security Center Service; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-20 250288]
S3 hpqwmiex;HP Software Framework Service; C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe [2011-03-28 799800]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2012-09-09 936848]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe [2009-02-26 64856]
S3 MozillaMaintenance;Mozilla Maintenance Service; C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-20 129976]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2011-07-20 440696]
S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 SNAC;Symantec Network Access Control; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\snac64.exe [2012-09-19 325040]
S3 StorSvc;@%SystemRoot%\System32\StorSvc.dll,-100; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe []
S4 CscService;Offline Files; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S4 Skype C2C Service;Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-08-13 3064000]
S4 SkypeUpdate;Skype Updater; C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.09 2012-10-08 11:32:49

======Uninstall list======

Update for Microsoft Office 2007 (KB2508958)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0C5823AA-7B6F-44E1-8D5B-8FD1FF0E6438}
Ad Hoc Transfer Plug-in for Outlook 2.0-->MsiExec.exe /I{223EDE72-6D76-4C10-8AFD-221A095B8687}
Adobe Flash Player 11 ActiveX-->C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_278_ActiveX.exe -maintain activex
Adobe Flash Player 11 Plugin-->C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_278_Plugin.exe -maintain plugin
Adobe Reader X (10.1.4)-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-AA1000000001}
Adobe Shockwave Player 11.6-->"C:\Windows\SysWOW64\Adobe\Shockwave 11\uninstaller.exe"
Apple Application Support-->MsiExec.exe /I{63EC2120-1742-4625-AA47-C6A8AEC9C64C}
Apple Software Update-->MsiExec.exe /I{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}
Camtasia-->C:\Program Files (x86)\TechSmith\Camtasia\CTuninst.EXE
Cisco WebEx Meetings-->C:\progra~3\webex\atcliun.exe
FileZilla Client 3.5.0-->C:\Program Files (x86)\FileZilla FTP Client\uninstall.exe
Hewlett-Packard ACLM.NET v1.1.2.0-->MsiExec.exe /I{6F340107-F9AA-47C6-B54C-C3A19F11553F}
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)-->C:\Windows\SysWOW64\msiexec.exe /package {AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)-->C:\Windows\SysWOW64\msiexec.exe /package {AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)-->C:\Windows\SysWOW64\msiexec.exe /package {AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)-->C:\Windows\SysWOW64\msiexec.exe /package {AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)-->C:\Windows\SysWOW64\msiexec.exe /package {AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB} /uninstall /qb+ REBOOTPROMPT=""
HP Customer Experience Enhancements-->MsiExec.exe /X{07FA4960-B038-49EB-891B-9F95930AA544}
HP Support Assistant-->"C:\Program Files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe" -runfromtemp -l0x0409 -removeonly
ImgBurn-->"C:\Program Files (x86)\ImgBurn\uninstall.exe"
InstallRoot 3.15.1-->MsiExec.exe /I{0405D5EE-76D3-457F-A50F-6CF75D2392D7}
Intel® Control Center-->C:\Program Files (x86)\Intel\Intel Control Center\uninstaller\SetupICC.exe -uninstall -force -confirm
Intel® Graphics Media Accelerator Driver-->C:\Program Files (x86)\Intel\Intel® Graphics Media Accelerator Driver\Uninstall\setup.exe -uninstall
Intel® Management Engine Components-->C:\Program Files (x86)\Intel\Intel® Management Engine Components\Uninstall\setup.exe -uninstall
Java 7 Update 7-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83217007FF}
KDiff3 (remove only)-->"C:\Program Files (x86)\KDiff3\Uninstall.exe"
KeePass Password Safe 2.16-->"C:\Program Files (x86)\KeePass Password Safe 2\unins000.exe"
Kies mini-->"C:\Program Files (x86)\InstallShield Installation Information\{EE43894E-FDCF-4A8C-BCD6-3AAA9A48B486}\setup.exe" -runfromtemp -l0x0409 -removeonly
Kies mini-->MsiExec.exe /X{EE43894E-FDCF-4A8C-BCD6-3AAA9A48B486}
Malwarebytes Anti-Malware version 1.65.0.1400-->"C:\Program Files (x86)\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {AAA19365-932B-49BD-8138-BE28CEE9C4B4}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {AAA19365-932B-49BD-8138-BE28CEE9C4B4}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {AAA19365-932B-49BD-8138-BE28CEE9C4B4}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {AAA19365-932B-49BD-8138-BE28CEE9C4B4}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {AAA19365-932B-49BD-8138-BE28CEE9C4B4}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {AAA19365-932B-49BD-8138-BE28CEE9C4B4}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-002A-0000-1000-0000000FF1CE} /uninstall {664655D8-B9BB-455D-8A58-7EAF7B0B2862}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-002A-0409-1000-0000000FF1CE} /uninstall {98333358-268C-4164-B6D4-C96DF5153727}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6E107EB7-8B55-48BF-ACCB-199F86A2CD93}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {AAA19365-932B-49BD-8138-BE28CEE9C4B4}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {98333358-268C-4164-B6D4-C96DF5153727}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {AAA19365-932B-49BD-8138-BE28CEE9C4B4}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {AAA19365-932B-49BD-8138-BE28CEE9C4B4}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {AAA19365-932B-49BD-8138-BE28CEE9C4B4}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {98333358-268C-4164-B6D4-C96DF5153727}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-0116-0409-1000-0000000FF1CE} /uninstall {98333358-268C-4164-B6D4-C96DF5153727}
Microsoft Office 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {AAA19365-932B-49BD-8138-BE28CEE9C4B4}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office File Validation Add-In-->MsiExec.exe /I{90140000-2005-0000-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Live Add-in 1.3-->MsiExec.exe /I{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook Connector-->MsiExec.exe /I{95120000-0122-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {1FF96026-A04A-4C3E-B50A-BB7022654D0F}
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {71F055E8-E2C6-4214-BB3D-BFE03561B89E}
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft SQL Server 2008 Books Online (English)-->MsiExec.exe /I{3431A7A3-6287-46B0-8AF1-BE2452A1FE62}
Microsoft SQL Server 2008 Policies-->MsiExec.exe /I{01C5A10F-AD9B-405B-853A-6659841A1242}
Microsoft SQL Server Compact 3.5 SP1 English-->MsiExec.exe /I{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}
Microsoft SQL Server Compact 3.5 SP1 Query Tools English-->MsiExec.exe /I{64CDE8F2-3791-46F5-BAD2-72FFF5252FAB}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Microsoft Visual Studio Tools for Applications 2.0 - ENU-->MsiExec.exe /X{AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB}
Mozilla Firefox 12.0 (x86 en-US)-->C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
Mozilla Maintenance Service-->"C:\Program Files (x86)\Mozilla Maintenance Service\uninstall.exe"
Notepad++-->C:\Program Files (x86)\Notepad++\uninstall.exe
PDQ Deploy-->MsiExec.exe /X{BF46C1AB-B36F-43F6-AFD8-89CC7477F346}
PE Builder 3.1.10a-->"c:\pebuilder3110a\unins000.exe"
PowerChute Personal Edition 3.0.2-->MsiExec.exe /X{8ED262EE-FC73-47A9-BB86-D92223246881}
Quest PowerGUI® 3.2-->Msiexec.exe /I{BFD6DCA9-54C3-4E89-8E5A-BA713A578A25}
Quest PowerGUI® 3.2-->MsiExec.exe /I{BFD6DCA9-54C3-4E89-8E5A-BA713A578A25}
QuickTime-->MsiExec.exe /I{0E64B098-8018-4256-BA23-C316A43AD9B0}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -removeonly
Safari-->MsiExec.exe /I{C779648B-410E-4BBA-B75B-5815BCEFE71D}
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {6AF6C62E-4E3D-33BF-A591-9E4D53BDF22F} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {E59B2174-E924-311F-8549-AD714C14664D} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {DA36C2E5-6B34-3A6A-9C0A-7D1CC1C5A768} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {7B82A51A-768B-3A7B-ADFA-F777097A8079} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {E40184A4-4A61-3D2E-9035-CB6E1E610E07} /parameterfolder Client
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition -->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C6997D22-CC93-4ED9-AD8A-02C3F3D2F1F9}
Security Update for Microsoft Office 2007 suites (KB2596666) 32-Bit Edition -->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {27609E26-63D9-4180-BD50-08837BD3B1DC}
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition -->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5DD3FF90-B302-45B2-A188-C5EA7ACD5D46}
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition -->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {D33B9EF5-3801-496A-A2D6-B7F4BE972D75}
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition -->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B145DBBB-7778-4A5D-9D2B-DA6569F02391}
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A0D5F849-D9D5-48ED-99D0-C74D7BFA6A09}
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {E34960DB-2A93-45DB-A208-02650F7AB09C}
Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition -->msiexec /package {90120000-002A-0000-1000-0000000FF1CE} /uninstall {2623A96B-78E5-42CC-AB55-6A3969B32E36}
Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition -->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {2623A96B-78E5-42CC-AB55-6A3969B32E36}
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {293FB6BE-D3EB-4162-B522-F9108040B9FE}
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition -->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {31C0F635-15AD-4AA3-A3C6-B542B403D0EE}
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition -->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {3069CE04-082C-4669-9BA1-E6AA66330C1F}
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {2B3C041A-A7F2-4A24-968D-4BEB6A123D15}
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition -->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {EF5B5C7F-20CB-4A3A-AC3D-F5DE2C2BFDC7}
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition -->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B4C12F08-B0EF-4CC4-AD5F-381DD62BF640}
Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition -->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7BCF7F6B-4AC0-4915-83B2-5CFF6BE9BF77}
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AEA16A27-0B97-4670-818F-A98D06EC0A6F}
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0EF0D4FB-BB23-4515-AAEA-1240AC2DA525}
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5A8732F0-C20F-4A9B-A2A9-66FE7A586C35}
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition -->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {075C2272-0881-46D3-B3A5-1D83D6940270}
Skype Click to Call-->MsiExec.exe /I{B6CF2967-C81E-40C0-9815-C05774FEF120}
Skype™ 5.10-->MsiExec.exe /X{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}
Spotify-->"C:\Program Files (x86)\Spotify\uninstall.exe"
Spybot - Search & Destroy-->"C:\Program Files (x86)\Spybot - Search & Destroy\unins000.exe"
StarTeam 4.0-->C:\Windows\IsUninst.exe -f"C:\Program Files\StarTeam 4.0\DeIsL1.isu"
swMSM-->MsiExec.exe /I{612C34C7-5E90-47D8-9B5C-0F717DD82726}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {29C7BE97-DE59-37A2-A687-2ADD5321948A} /parameterfolder Client
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {7D799A81-5661-3159-BF92-754161CED6E6} /parameterfolder Client
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {4DFA8287-EA36-3469-99FE-F568FEC81653} /parameterfolder Client
Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}
Update for Microsoft Office Access 2007 Help (KB963663)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {6B76A18A-AA1E-42AB-A7AD-6C84BBB43987}
Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}
Update for Microsoft Office Infopath 2007 Help (KB963662)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {716B81B8-B13C-41DF-8EAC-7A2F656CAB63}
Update for Microsoft Office OneNote 2007 Help (KB963670)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2744EF05-38E1-4D5D-B333-E021EDAEA245}
Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {8F32B14E-F85E-482C-BF8C-C04E1A5ADE4F}
Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8B689F89-5E1C-4DA9-B2B1-7B3843275596}
Update for Microsoft Office Outlook 2007 Help (KB963677)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {0451F231-E3E3-4943-AB9F-58EB96171784}
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687400) 32-Bit Edition-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C9D29EE3-75A6-4EB9-BB97-1030E88A1CFF}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Publisher 2007 Help (KB963667)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2E40DE55-B289-4C8B-8901-5D369B16814F}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
VirtualCloneDrive-->"C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\vcd-uninst.exe" /D="C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive"
VLC media player 2.0.1-->C:\Program Files (x86)\VideoLAN\VLC\uninstall.exe
VMware Remote Console Plug-in-->MsiExec.exe /X{D2F28E39-9813-41D3-8EC9-BAADA38C426D}
VMware vCenter Update Manager Client 4.1 Update 1-->MsiExec.exe /X{CA1DC67A-A059-45D7-A2CF-F99D15876B6B}
VMware vSphere Client 4.1-->MsiExec.exe /X{A0B433B1-941D-46F5-AE59-286263534232}
VMware vSphere Client 5.0-->MsiExec.exe /X{04805AB6-F757-496A-8D56-37A0FC5FF6F3}
VMware vSphere Client 5.1-->MsiExec.exe /X{09DC364B-A77A-49A0-972B-E43F0DACC5E3}
Windows 7 Codec Pack 3.3.0-->C:\Windows\SysWOW64\C2MP\Uninst.exe
Windows 7 USB/DVD Download Tool-->MsiExec.exe /X{CCF298AF-9CE1-4B26-B251-486E98A34789}
Windows Media Encoder 9 Series SDK-->MsiExec.exe /X{84BBFA13-C40E-4287-85EF-E8B1034451AA}

======System event log======

Computer Name: CS-ITS-0758-100.kbsi-cs.com
Event Code: 219
Message: The driver \Driver\WUDFRd failed to load for the device USB\VID_04E6&PID_5116\6&36a0a7db&0&5.
Record Number: 1087536
Source Name: Microsoft-Windows-Kernel-PnP
Time Written: 20121001214042.422833-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: CS-ITS-0758-100.kbsi-cs.com
Event Code: 4001
Message: WLAN AutoConfig service has successfully stopped.

Record Number: 1087508
Source Name: Microsoft-Windows-WLAN-AutoConfig
Time Written: 20121001213951.596400-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: CS-ITS-0758-100.kbsi-cs.com
Event Code: 219
Message: The driver \Driver\WUDFRd failed to load for the device USB\VID_05AC&PID_12A8&MI_00\0.
Record Number: 1087351
Source Name: Microsoft-Windows-Kernel-PnP
Time Written: 20121001213631.066846-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: CS-ITS-0758-100.kbsi-cs.com
Event Code: 219
Message: The driver \Driver\WUDFRd failed to load for the device USB\VID_04E6&PID_5116\6&36a0a7db&0&5.
Record Number: 1087343
Source Name: Microsoft-Windows-Kernel-PnP
Time Written: 20121001213623.266833-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: CS-ITS-0758-100.kbsi-cs.com
Event Code: 4001
Message: WLAN AutoConfig service has successfully stopped.

Record Number: 1087322
Source Name: Microsoft-Windows-WLAN-AutoConfig
Time Written: 20121001213529.441573-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: CS-ITS-0758-100.kbsi-cs.com
Event Code: 1
Message: LMS Service cannot connect to Intel® MEI driver
Record Number: 18630
Source Name: LMS
Time Written: 20120919141754.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: CS-ITS-0758-100.kbsi-cs.com
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-23187419-314940039-3981576376-500:
Process 548 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-23187419-314940039-3981576376-500

Record Number: 18621
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20120919141627.740914-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: CS-ITS-0758-100.kbsi-cs.com
Event Code: 3036
Message: The content source <csc://{S-1-5-21-23187419-314940039-3981576376-500}/> cannot be accessed.

Context: Application, SystemIndex Catalog

Details:
The object was not found. (HRESULT : 0x80041201) (0x80041201)

Record Number: 18611
Source Name: Microsoft-Windows-Search
Time Written: 20120919141507.000000-000
Event Type: Warning
User:

Computer Name: CS-ITS-0758-100.kbsi-cs.com
Event Code: 215
Message: WinMail (3504) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.
Record Number: 18609
Source Name: ESENT
Time Written: 20120919141417.000000-000
Event Type: Error
User:

Computer Name: CS-ITS-0758-100.kbsi-cs.com
Event Code: 215
Message: WinMail (3100) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.
Record Number: 18603
Source Name: ESENT
Time Written: 20120919141414.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: CS-ITS-0758-100.kbsi-cs.com
Event Code: 4634
Message: An account was logged off.

Subject:
Security ID: S-1-5-21-2189930568-385197328-2709175921-500
Account Name: domaingod
Account Domain: KBSI-CS
Logon ID: 0xfe82ff9

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Record Number: 2848019
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20121007170911.995488-000
Event Type: Audit Success
User:

Computer Name: CS-ITS-0758-100.kbsi-cs.com
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

New Logon:
Security ID: S-1-5-21-2189930568-385197328-2709175921-12738
Account Name: kschumann
Account Domain: KBSI-CS
Logon ID: 0xfe90274
Logon GUID: {794FF6DE-B4CD-1349-B708-2F866772157D}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name:
Source Network Address: 10.10.1.46
Source Port: 37387

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 2848018
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20121007170900.673357-000
Event Type: Audit Success
User:

Computer Name: CS-ITS-0758-100.kbsi-cs.com
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-21-2189930568-385197328-2709175921-12738
Account Name: kschumann
Account Domain: KBSI-CS
Logon ID: 0xfe90274

Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeTcbPrivilege
SeEnableDelegationPrivilege
Record Number: 2848017
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20121007170900.673357-000
Event Type: Audit Success
User:

Computer Name: CS-ITS-0758-100.kbsi-cs.com
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

New Logon:
Security ID: S-1-5-21-2189930568-385197328-2709175921-12738
Account Name: kschumann
Account Domain: KBSI-CS
Logon ID: 0xfe90251
Logon GUID: {FB952584-6EB7-845C-8D36-4E987D8DC197}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 2848016
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20121007170900.650355-000
Event Type: Audit Success
User:

Computer Name: CS-ITS-0758-100.kbsi-cs.com
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-21-2189930568-385197328-2709175921-12738
Account Name: kschumann
Account Domain: KBSI-CS
Logon ID: 0xfe90251

Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeTcbPrivilege
SeEnableDelegationPrivilege
Record Number: 2848015
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20121007170900.649355-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0;C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE;C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn;C:\Program Files\Microsoft SQL Server\100\Tools\Binn;C:\Program Files (x86)\Microsoft SQL Server\100\DTS\Binn;C:\Program Files\ActivIdentity\ActivClient;C:\Program Files (x86)\ActivIdentity\ActivClient;%SystemRoot%\System32\Windows System Resource Manager\bin;;%systemroot%\idmu\common;C:\Program Files (x86)\QuickTime\QTSystem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=AMD64
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\
"NUMBER_OF_PROCESSORS"=4
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=Intel64 Family 6 Model 37 Stepping 5, GenuineIntel
"PROCESSOR_REVISION"=2505
"WorkstationID"=C:\Program Files\StarTeam 4.0\ConnectionManager.ini
"STLicense"=C:\Program Files\StarTeam 4.0\
"StarTeam"=C:\Program Files\StarTeam 4.0\StarTeam.ini
"StarTeamApp"=C:\Program Files\StarTeam 4.0\
"asl.log"=Destination=file
"CLASSPATH"=.;C:\Program Files (x86)\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files (x86)\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------
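
The Security event log excerpt above shows the three events that describe one logon session: 4624 (session created), 4672 (special privileges assigned) and 4634 (session destroyed), tied together by the Logon ID. The event text itself says the 4634 "may be positively correlated with a logon event using the Logon ID value". The log also shows an ordering trap: the 4672 for Logon ID 0xfe90251 (record 2848015) is written one millisecond before its 4624 (record 2848016), so a correlator cannot assume it sees the logon first. The script below is an added example, not part of the thread or of RSIT; it rebuilds sessions from a live Security log by Logon ID and lists network (type 3) logons from a remote address that were granted debug, TCB, driver-load, backup or restore privilege. It assumes PowerShell 3 or later, an elevated prompt (the Security log is not readable otherwise), and `$Hours` and `$Sensitive` are knobs chosen here, not Windows settings.

```powershell
# Added example (not from the thread): correlate 4624 / 4672 / 4634 by Logon ID and flag
# network logons that hold sensitive privileges. Run from an elevated PowerShell.
param([int]$Hours = 24)   # hypothetical look-back window

# Privileges worth a second look on a type-3 (network) logon. Chosen here, not a Windows list.
$Sensitive = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeLoadDriverPrivilege',
             'SeBackupPrivilege', 'SeRestorePrivilege'

function Get-EventDataMap {
    # Map <EventData><Data Name="..."> elements to a hashtable; safer than positional .Properties.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[[string]$d.Name] = [string]$d.'#text' }
    return $map
}

$sessions = @{}
function Get-Session {
    # Get-or-create a session record keyed by Logon ID. The 4672 is frequently written
    # before its own 4624 (see records 2848015/2848016 in the log above), so the record
    # must exist whichever event arrives first.
    param([string]$LogonId)
    if (-not $sessions.ContainsKey($LogonId)) {
        $sessions[$LogonId] = [ordered]@{
            LogonId = $LogonId; User = $null; LogonType = $null; Source = $null
            Package = $null; LogonTime = $null; LogoffTime = $null; Privileges = @()
        }
    }
    return $sessions[$LogonId]
}

# Get-WinEvent with -ErrorAction Stop also terminates on "No events were found".
$filter = @{ LogName = 'Security'; Id = 4624, 4634, 4672; StartTime = (Get-Date).AddHours(-$Hours) }
foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction Stop) {
    $d = Get-EventDataMap -Event $e
    switch ($e.Id) {
        4624 {
            $s = Get-Session $d['TargetLogonId']
            $s.User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            $s.LogonType = $d['LogonType']
            $s.Source    = $d['IpAddress']            # '-' for local/KDC-initiated logons
            $s.Package   = $d['AuthenticationPackageName']
            $s.LogonTime = $e.TimeCreated
        }
        4672 {
            $s = Get-Session $d['SubjectLogonId']
            if (-not $s.User) { $s.User = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])" }
            # PrivilegeList is whitespace/newline separated, exactly as rendered in the log above.
            $s.Privileges = @(($d['PrivilegeList'] -split '\s+') | Where-Object { $_ })
        }
        4634 {
            $s = Get-Session $d['TargetLogonId']
            $s.LogoffTime = $e.TimeCreated
        }
    }
}

# Report: type-3 logons from a real remote address that carry at least one sensitive privilege.
$sessions.Values | ForEach-Object { [pscustomobject]$_ } |
    Where-Object {
        $_.LogonType -eq '3' -and $_.Source -and $_.Source -ne '-' -and
        ($_.Privileges | Where-Object { $Sensitive -contains $_ })
    } |
    Sort-Object LogonTime |
    Format-Table LogonId, User, Source, Package, LogonTime, LogoffTime,
        @{ n = 'Sensitive'; e = { ($_.Privileges | Where-Object { $Sensitive -contains $_ }) -join ',' } } -AutoSize
```

Run it as `.\Correlate-Logons.ps1 -Hours 72` from an elevated prompt. A session with a logon but no logoff is still open; a session with a 4672 but no 4624 in the window is one whose logon happened before `StartTime`, not a gap in the log. Logon IDs are only unique between reboots, so do not merge results across a restart.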

#10 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 08 October 2012 - 11:45 AM

FYI

there is a chrome.exe *32 process running that comes up as Chrome instead of Google Chrome


A process with the name chrome.exe is what is displayed when the Google Chrome browser is started. Quite normal.
The *32 indicates the 32-bit browser.
Again, very normal.


Anything other than this that you have issue with?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#11 outlaw08
  • Topic Starter

  • Members
  • 6 posts

Posted 08 October 2012 - 11:56 AM

The description is what is off: all the other running processes show as Google Chrome, but that one showed up simply as Chrome. In my infinite wisdom I decided to just kill the process instead of showing its location, and that cleared up all the issues I was having (the E key beeping every time I hit it and typing A instead, the CD tray popping open randomly). Like I said earlier, it's not doing anything too nefarious, just little trickster-like items to annoy me.
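
The post above ends the thread's one real lead: a chrome.exe whose Task Manager description read "Chrome" rather than "Google Chrome", killed without its location ever being recorded. The description column comes from the file's version resource, so the check is cheap, and the image path, signer and parent process are what would have told you what it was. The script below is an added example, not part of the thread or of any tool mentioned in it; it records those facts for every process with the given name and copies the binary aside before anything is terminated. It assumes PowerShell 4 or later (for Get-FileHash) and that the genuine browser lives under one of the usual Chrome install directories; `$ProcessName`, `$EvidenceDir` and `$ExpectedDirs` are choices made here, not Windows or Chrome settings.

```powershell
# Added example (not from the thread): triage every chrome.exe before killing it.
# Records image path, publisher signature, file description, parent and command line,
# and keeps a copy of the binary so the evidence survives the kill.
param(
    [string]$ProcessName = 'chrome.exe',                                       # hypothetical knob
    [string]$EvidenceDir = (Join-Path $env:USERPROFILE 'Desktop\triage')       # hypothetical knob
)
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Where a genuine Chrome binary is expected to live; anything else is a red flag.
$ExpectedDirs = @(
    (Join-Path ${env:ProgramFiles(x86)} 'Google\Chrome\Application'),
    (Join-Path $env:ProgramFiles        'Google\Chrome\Application'),
    (Join-Path $env:LOCALAPPDATA        'Google\Chrome\Application')
)

$report = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = '$ProcessName'") {
    $path   = $p.ExecutablePath
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $flags  = @()
    $sig = $null; $desc = $null; $hash = $null

    if (-not $path) {
        $flags += 'no readable image path (protected process or already exited)'
    } else {
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $desc = (Get-Item -LiteralPath $path).VersionInfo.FileDescription     # the Task Manager column
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        # Copy first: some malware deletes its own image once the process dies.
        Copy-Item -LiteralPath $path -Destination (Join-Path $EvidenceDir "$($p.ProcessId)_$hash.bin") -Force

        if (-not ($ExpectedDirs | Where-Object { $path -like "$_\*" })) { $flags += "unexpected path: $path" }
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Google') {
            $flags += "signature: $($sig.Status) / $($sig.SignerCertificate.Subject)"
        }
        if ($desc -ne 'Google Chrome') { $flags += "description: '$desc'" }
    }
    # Real Chrome is spawned by explorer.exe (user) or by another chrome.exe (renderer, GPU, ...).
    if ($parent -and $parent.Name -notin 'chrome.exe', 'explorer.exe') {
        $flags += "parent: $($parent.Name) ($($p.ParentProcessId))"
    }

    [pscustomobject]@{
        PID         = $p.ProcessId
        Path        = $path
        Description = $desc
        Signer      = $sig.SignerCertificate.Subject
        SigStatus   = $sig.Status
        Parent      = "$($parent.Name) ($($p.ParentProcessId))"
        CommandLine = $p.CommandLine
        SHA256      = $hash
        Flags       = ($flags -join '; ')
    }
}

$report | Format-List
$report | Export-Csv -LiteralPath (Join-Path $EvidenceDir 'chrome_processes.csv') -NoTypeInformation
# Only after reviewing the CSV: Stop-Process -Id <PID> for the flagged entries.
```

Run it from an elevated prompt so the command lines and image paths of other users' processes are readable. A process that is unsigned, lives outside the expected directories, or carries a description other than "Google Chrome" is the one to keep the copy of and submit for analysis; the hash in the filename lets you match it against vendor detections later.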

#12 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 08 October 2012 - 02:56 PM

We can wrap this up now.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used. Advise me after you have completed the cleanups.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it ComboFix),
put that name in the RUN box stated just below.
The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function.
Note the space before the slash mark.
The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Highlight the line in this CODEBOX.
    Select & Copy the entire line within this codebox (so that it is in Windows clipboard memory)
    c:\users\kschumann\Desktop\ComboFix.exe /uninstall

  • Start >> type in cmd >> press the Ctrl+Shift+Enter keyboard combination and cmd.exe will be launched as if you selected Run as Administrator. You will then see a User Account Control prompt asking if you would like to allow the Command Prompt to be able to make changes on your computer. Click on the Yes button and you will now be at the Elevated Command Prompt.

    Do a Right click within the command prompt window and select Paste. This must show the line from Codebox above.
    Then tap Enter

IF in the case Combofix un-install has an issue, skip that step.

NEXT

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
ERUNT you should keep and use periodically to backup Windows registry.

Delete the following if still present:
RSIT.exe

Safer practices & malware prevention
We are finished here. Best regards.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
