Virus in Virtual Machine


This topic is locked. 13 replies to this topic.

#1 KamakaZ

  • Members
  • 739 posts
  • Gender: Male
  • Location: Victoria

Posted 31 January 2013 - 07:31 PM

Hi,

I have Microsoft Security Essentials (MSE) installed on my physical computer. Every time I start my Win7 VM, MSE keeps popping up saying it has detected threats and they have been cleaned, no action needed. However, the next time I start it, the messages pop up again.

I have run Malwarebytes (full scan) and MSE (full scan) on the VM and removed threats; however, the messages still keep coming.

Any ideas?

There's no place like 127.0.0.1
There are 10 types of people in the world, those that can read binary, and those who can't.



#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,249 posts
  • Gender: Female
  • Location: Romania

Posted 01 February 2013 - 06:21 AM

Hello KamakaZ,
While we sure can check out your host machine for malware, we do not clean malware on VMs; there is no point in that, as you can easily restore the OS. Especially since you use VirtualPC, there's no way we'll be able to clean everything with the settings as they are now.

Please disable all sharing features (XP Mode, shared folders) and post the DDS log for your host machine only. I recommend that you either restore the guest machine to an uninfected version or attempt to clean it without sharing enabled.

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 KamakaZ
  • Topic Starter

Posted 03 February 2013 - 04:07 PM

Hi Elise,

Thanks for taking my topic on! I have found a zipped backup of my vhd, so I have restored that (I know it is virus free as it was backed up after installation of XP Mode). I left MSSE scanning over the weekend and the good news is this morning I can run exe and com's again :) - I might be able to get some work done today while fighting this.

Here is the DDS log from my physical machine:


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.11.2
Run by Administrator at 7:43:27 on 2013-02-04
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.8126.5298 [GMT 11:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\vcsFPService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\xampp\apache\bin\httpd.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\ProgramData\DatacardService\DCService.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe
C:\xampp\apache\bin\httpd.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Microsoft Device Center\itype.exe
C:\Program Files\Microsoft Device Center\ipoint.exe
C:\Program Files (x86)\TechSmith\Snagit 10\Snagit32.exe
C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe
C:\Users\Administrator\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\TechSmith\Snagit 10\TSCHelp.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
c:\xampp\mysql\bin\mysqld.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\TechSmith\Snagit 10\SnagPriv.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\TechSmith\Snagit 10\snagiteditor.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uSearch Bar = Preserve
mWinlogon: Userinit = userinit.exe
BHO: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll
EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - C:\Program Files (x86)\Internet Explorer\iedvtool.dll
mRun: [QLBController] C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe /start
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\ADMINI~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Administrator\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\ADMINI~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MAGICD~1.LNK - C:\Program Files (x86)\MagicDisc\MagicDisc.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAGIT~1.LNK - C:\Program Files (x86)\TechSmith\Snagit 10\Snagit32.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: NameServer = 192.168.42.20
TCP: Interfaces\{3C2AE55E-877C-44AB-943D-34C767928BA1} : DHCPNameServer = 198.142.0.51 61.88.88.88
TCP: Interfaces\{69C7E526-6B48-4380-B5CB-EB9ABE38214D} : DHCPNameServer = 192.168.42.20
TCP: Interfaces\{BB7C8254-B3E5-41F4-8CE9-92AE05447D63} : DHCPNameServer = 192.168.42.200
TCP: Interfaces\{BB7C8254-B3E5-41F4-8CE9-92AE05447D63}\24271646C6972E08993702960586F6E656 : DHCPNameServer = 198.142.0.51 61.88.88.88
TCP: Interfaces\{BB7C8254-B3E5-41F4-8CE9-92AE05447D63}\7596D26496024374D224636424 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{BB7C8254-B3E5-41F4-8CE9-92AE05447D63}\A4C4F525F414D4 : DHCPNameServer = 192.168.42.117
TCP: Interfaces\{E0F68383-2050-47F6-9C8E-215CF9470C4E} : DHCPNameServer = 198.142.0.51 61.88.88.88
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitBHO64.dll
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitIEAddin64.dll
x64-Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [IntelliType Pro] "C:\Program Files\Microsoft Device Center\itype.exe"
x64-Run: [IntelliPoint] "C:\Program Files\Microsoft Device Center\ipoint.exe"
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
Hosts: 192.168.42.20 autodiscover.accrivia.com.au
Hosts: 192.168.42.20 mail.accrivia.com.au
Hosts: 92.61.148.222 www.accrivia.com.au
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\5y5w37lp.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_257.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-3-28 203264]
R2 Apache2.2;Apache2.2;C:\xampp\apache\bin\httpd.exe [2011-9-10 18432]
R2 DCService.exe;DCService.exe;C:\ProgramData\DatacardService\DCService.exe [2010-8-19 229376]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 hpHotkeyMonitor;hpHotkeyMonitor;C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [2011-1-28 281656]
R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2011-5-13 30520]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2011-4-27 128456]
R2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-3-19 2666880]
R2 vcsFPService;Validity VCS Fingerprint Service;C:\Windows\System32\vcsFPService.exe [2011-1-21 3154224]
R3 huawei_enumerator;huawei_enumerator;C:\Windows\System32\drivers\ew_jubusenum.sys [2012-11-22 86016]
R3 intelkmd;intelkmd;C:\Windows\System32\drivers\igdpmd64.sys [2011-1-27 12273408]
R3 JMCR;JMCR;C:\Windows\System32\drivers\jmcr.sys [2011-10-10 174168]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-7-10 708200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104960]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\Windows\System32\drivers\ew_hwusbdev.sys [2012-11-22 117248]
S3 ewusbnet;HUAWEI USB-NDIS miniport;C:\Windows\System32\drivers\ewusbnet.sys [2012-11-22 256000]
S3 MsDepSvc;Web Deployment Agent Service;C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [2012-7-12 82808]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\System32\drivers\netaapl64.sys [2012-3-26 22528]
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\System32\drivers\netr28x.sys [2009-6-11 620544]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 pwdrvio;pwdrvio;C:\Windows\System32\pwdrvio.sys [2012-9-14 19032]
S3 pwdspio;pwdspio;C:\Windows\System32\pwdspio.sys [2012-9-14 12384]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2010-11-21 20992]
S3 RTLE8023x64;Realtek 10/100/1000 PCI-E NIC Family NDIS XP(x64) Driver;C:\Windows\System32\drivers\Rtenic64.sys [2011-10-10 328808]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2011-4-12 34816]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-12 117248]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-10-11 1255736]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-7-22 61976]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x64\msvsmon.exe [2005-9-23 4476096]
S4 RsFx0103;RsFx0103 Driver;C:\Windows\System32\drivers\RsFx0103.sys [2009-3-30 311656]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-3-30 427880]
.
=============== Created Last 30 ================
.
2013-02-03 15:24:06 76232 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{890736B2-0511-4A9D-AEF7-CFEC4D76557E}\offreg.dll
2013-02-03 15:23:03 9161176 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{890736B2-0511-4A9D-AEF7-CFEC4D76557E}\mpengine.dll
2013-02-03 04:48:47 9161176 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-31 01:15:25 -------- d-----w- C:\Windows\ERUNT
2013-01-31 01:15:17 -------- d-----w- C:\JRT
2013-01-30 21:33:38 -------- d-----w- C:\mbar
2013-01-30 21:27:59 388096 ----a-r- C:\Users\Administrator\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-01-30 21:27:58 -------- d-----w- C:\Program Files (x86)\Trend Micro
2013-01-30 04:41:25 -------- d-----w- C:\Users\Administrator\AppData\Local\Programs
2013-01-15 22:28:54 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-01-15 22:28:54 -------- d-----w- C:\Program Files\iTunes
2013-01-15 22:28:54 -------- d-----w- C:\Program Files\iPod
2013-01-15 22:28:54 -------- d-----w- C:\Program Files (x86)\iTunes
2013-01-15 21:22:12 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-01-15 08:01:36 -------- d-----w- C:\Users\Administrator\AppData\Roaming\inkscape
2013-01-15 07:54:04 -------- d-----w- C:\Program Files (x86)\Inkscape
2013-01-10 22:52:21 -------- d-----w- C:\Program Files (x86)\AccriviaV10
2013-01-10 00:28:58 -------- d-----w- C:\Accrivia
2013-01-09 21:27:43 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2013-01-09 00:51:05 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
2013-01-09 00:51:02 73696 ----a-w- C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
2013-01-09 00:50:50 96256 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapprt-stub.exe
2013-01-09 00:50:50 157696 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapp-uninstaller.exe
.
==================== Find3M ====================
.
2013-01-30 10:53:22 273840 ------w- C:\Windows\System32\MpSigStub.exe
2013-01-13 21:04:41 74248 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-13 21:04:41 698368 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-01-11 00:24:53 113152 ----a-w- C:\Users\Administrator\g2ax_customer_downloadhelper_win32_x86.exe
2012-12-16 17:11:22 46080 ----a-w- C:\Windows\System32\atmlib.dll
2012-12-16 14:45:03 367616 ----a-w- C:\Windows\System32\atmfd.dll
2012-12-16 14:13:28 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-12-16 14:13:20 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-12-14 05:49:28 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-12-07 13:20:16 441856 ----a-w- C:\Windows\System32\Wpc.dll
2012-12-07 13:15:31 2746368 ----a-w- C:\Windows\System32\gameux.dll
2012-12-07 12:26:17 308736 ----a-w- C:\Windows\SysWow64\Wpc.dll
2012-12-07 12:20:43 2576384 ----a-w- C:\Windows\SysWow64\gameux.dll
2012-12-07 11:20:04 30720 ----a-w- C:\Windows\System32\usk.rs
2012-12-07 11:20:03 43520 ----a-w- C:\Windows\System32\csrr.rs
2012-12-07 11:20:03 23552 ----a-w- C:\Windows\System32\oflc.rs
2012-12-07 11:20:01 45568 ----a-w- C:\Windows\System32\oflc-nz.rs
2012-12-07 11:20:01 44544 ----a-w- C:\Windows\System32\pegibbfc.rs
2012-12-07 11:20:01 20480 ----a-w- C:\Windows\System32\pegi-fi.rs
2012-12-07 11:20:00 20480 ----a-w- C:\Windows\System32\pegi-pt.rs
2012-12-07 11:19:59 20480 ----a-w- C:\Windows\System32\pegi.rs
2012-12-07 11:19:58 46592 ----a-w- C:\Windows\System32\fpb.rs
2012-12-07 11:19:57 40960 ----a-w- C:\Windows\System32\cob-au.rs
2012-12-07 11:19:57 21504 ----a-w- C:\Windows\System32\grb.rs
2012-12-07 11:19:57 15360 ----a-w- C:\Windows\System32\djctq.rs
2012-12-07 11:19:56 55296 ----a-w- C:\Windows\System32\cero.rs
2012-12-07 11:19:55 51712 ----a-w- C:\Windows\System32\esrb.rs
2012-11-30 05:45:35 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-11-30 05:45:35 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-11-30 05:45:35 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-11-30 05:45:14 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-11-30 05:43:12 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-11-30 04:54:00 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-11-30 04:53:59 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-11-30 03:23:48 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-11-30 02:44:06 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-11-30 02:44:04 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-11-30 02:44:04 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-11-30 02:44:03 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-11-30 02:38:59 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-11-23 03:26:31 3149824 ----a-w- C:\Windows\System32\win32k.sys
2012-11-23 03:13:57 68608 ----a-w- C:\Windows\System32\taskhost.exe
2012-11-22 05:44:23 800768 ----a-w- C:\Windows\System32\usp10.dll
2012-11-22 04:45:03 626688 ----a-w- C:\Windows\SysWow64\usp10.dll
2012-11-20 05:48:49 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-11-20 04:51:09 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-11-09 05:45:32 750592 ----a-w- C:\Windows\System32\win32spl.dll
2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-11-09 04:43:04 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2012-11-09 04:42:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
.
============= FINISH: 7:47:33.94 ===============

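A small parser for the DDS log format posted above, added here as an example; it is not part of the thread and not code from the DDS tool. It splits a log into its `=== Section ===` blocks and pulls out the entries an analyst reads first: Hosts overrides, ActiveX (DPF) download URLs, Run-key entries, and processes running from outside the Windows and Program Files directories. The embedded sample is constructed from a few lines of the log above; the "unusual location" check is a triage heuristic only (the xampp Apache here is legitimate, as the poster's setup shows), and the function names and the `EXPECTED_PREFIXES` list are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines taken from the DDS log in this thread.
SAMPLE_LOG = r"""DDS (Ver_2012-11-20.01) - NTFS_AMD64
Run by Administrator at 7:43:27 on 2013-02-04
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\xampp\apache\bin\httpd.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
BHO: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
Hosts: 192.168.42.20 mail.accrivia.com.au
Hosts: 92.61.148.222 www.accrivia.com.au
.
============= FINISH: 7:47:33.94 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "=== Name ===" banners
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")       # "Hosts: <ip> <hostname>"
DPF_RE = re.compile(r"^(?:x64-)?DPF:\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(\S+)")
RUN_RE = re.compile(r'^(?:x64-)?[um]?Run:\s+\[([^\]]+)\]\s+"?(.*?\.exe)"?', re.IGNORECASE)
# Assumed "expected" locations; a process elsewhere is a prompt to look closer, not a verdict.
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def split_sections(text):
    """Return {section name: [lines]}; text before the first banner goes under 'Header'."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line in ("", "."):          # DDS pads every section with lone dots
            continue
        sections[current].append(line)
    return dict(sections)


def _all_lines(sections):
    for lines in sections.values():
        yield from lines


def hosts_overrides(sections):
    """hostname -> IP for every Hosts: entry DDS reports (the poster's are legitimate)."""
    out = {}
    for line in _all_lines(sections):
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            out[host] = ip
    return out


def dpf_urls(sections):
    """Download URLs of ActiveX controls (DPF entries); DDS defangs http as hxxp."""
    return [m.group(2) for line in _all_lines(sections) if (m := DPF_RE.match(line))]


def run_entries(sections):
    """(name, executable path) for each Run-key entry in the Pseudo HJT section."""
    return [m.groups() for line in _all_lines(sections) if (m := RUN_RE.match(line))]


def unusual_process_paths(sections):
    """Running processes outside EXPECTED_PREFIXES: review prompts, not detections."""
    procs = sections.get("Running Processes", [])
    return [p for p in procs if not p.lower().startswith(EXPECTED_PREFIXES)]


if __name__ == "__main__":
    s = split_sections(SAMPLE_LOG)
    print("hosts overrides :", hosts_overrides(s))
    print("DPF downloads   :", dpf_urls(s))
    print("Run entries     :", run_entries(s))
    print("unusual procs   :", unusual_process_paths(s))
```

Feed it the full log by reading the pasted text into `split_sections`; the section splitter tolerates the varying banner widths DDS uses, and the lone `.` separator lines are dropped so each section holds only real entries.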


#4 KamakaZ
  • Topic Starter

Posted 03 February 2013 - 04:13 PM

Accrivia is the company I work for - the host entries are supposed to be there (we sometimes have problems resolving them). Accrivia is also the name of the software package we develop, hence the entries in Program Files.



#5 KamakaZ
  • Topic Starter

Posted 03 February 2013 - 07:14 PM

F-Secure is reporting pretty much all my .exe files as being infected with Win32/Parite. From Googling, it looks like it has spread to all my exe and src files? Would I be better off reinstalling Windows, or is there a fix for this?



#6 Elise

Posted 04 February 2013 - 03:03 AM

That is a file infector. As you mentioned this is your work computer, I don't think it would be wise to attempt to clean it; one infected flash drive is enough to spread it to your host or another computer. Besides, cleaning might take more time than reinstalling, and there is no guarantee the files will not be corrupted after removing the viral code.

regards, Elise


#7 KamakaZ
  • Topic Starter

Posted 04 February 2013 - 03:50 AM

I have also found through the ESET online scanner that this infection is on our data server (win 2008 rc2). I'm really not wanting to reinstall this server; is there a way that the infection can be removed from both my machine and the server? I have taken both machines off the network and out of action until this is resolved.



#8 Elise

Posted 04 February 2013 - 07:28 AM

You could try the Kaspersky rescue disk, but really, if the server is infected, all connected terminals may be as well. All removable devices that were at any point connected need to be checked out as well.

At this forum we don't offer help with this type of infection though, as it is almost impossible to clean, and the files may remain corrupt after disinfection.

regards, Elise


#9 KamakaZ
  • Topic Starter

Posted 04 February 2013 - 11:09 PM

Thanks Elise,

I have bitten the bullet and reinstalled my system and have started reinstalling the server. Can we run a check to make sure my machine is clean before I reconnect to the main network?

I dare say I will still be out of action for a couple of days getting the server back to where it was - I will let my instructor know what's going on.



#10 Elise

Posted 05 February 2013 - 03:04 AM

Yes, that is okay, you can post a DDS log. However, please be aware that file infectors don't show up well in logs. It is also very important to clean all removable storage devices (don't forget phones, cameras and the like).

regards, Elise
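Elise's point that file infectors do not show up well in logs is why the practical check after a rebuild is a content-hash baseline rather than a log review. The following is an added example, not code from the thread or from any tool mentioned in it: it hashes every executable under a tree that is known clean (such as the restored backup mentioned earlier in the thread), and later compares the live tree against that manifest, reporting executables whose bytes changed, appeared, or vanished. Timestamps are deliberately ignored, since only file content is evidence. The `demo()` function builds a constructed scenario in a temporary directory; the file names and the `EXEC_SUFFIXES` list are assumptions for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as executables. .exe and .com are named in the thread;
# .dll and .scr are added here as further PE extensions (assumption for the example).
EXEC_SUFFIXES = {".exe", ".com", ".dll", ".scr"}


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each executable's path (relative to root, POSIX form) to its content hash."""
    root = Path(root)
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Diff two manifests: changed bytes, new executables, executables that disappeared."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: a clean tree, then the two changes a file infector produces
    (an existing executable whose content changed, and a new executable appearing)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 64)     # constructed stand-in for a PE
        (root / "app" / "helper.dll").write_bytes(b"MZ" + b"\x01" * 32)
        (root / "app" / "readme.txt").write_bytes(b"not an executable")  # ignored by the manifest
        baseline = build_manifest(root)

        # Changes after the baseline: tool.exe grows by appended bytes, extra.scr is new.
        with (root / "app" / "tool.exe").open("ab") as f:
            f.write(b"\x90" * 16)
        (root / "app" / "extra.scr").write_bytes(b"MZ" + b"\x02" * 8)

        current = build_manifest(root)
        return compare_manifests(baseline, current)


if __name__ == "__main__":
    print(demo())  # {'modified': ['app/tool.exe'], 'added': ['app/extra.scr'], 'missing': []}
```

In practice the baseline manifest is built on the freshly installed system before it is reconnected to the network and stored off the machine (a manifest kept on the host can be altered alongside the files); the comparison is then rerun after any reconnection or after plugging in each removable device that Elise says must be checked.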


#11 KamakaZ
  • Topic Starter

Posted 05 February 2013 - 09:36 PM

Hi Elise,

Thanks, I fully understand that they won't show up in logs (just want to make sure I'm clean of anything else also!).

DDS log:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457
Run by BradAdmin at 13:30:55 on 2013-02-06
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.8126.5604 [GMT 11:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
D:\xampp\apache\bin\httpd.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
D:\xampp\apache\bin\httpd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\xampp\mysql\bin\mysqld.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Virtual Server\vmh.exe
C:\Program Files\Microsoft Virtual Server\vssrvc.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\TechSmith\Snagit 10\Snagit32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\TechSmith\Snagit 10\TSCHelp.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\TechSmith\Snagit 10\SnagPriv.exe
C:\Program Files (x86)\TechSmith\Snagit 10\snagiteditor.exe
C:\Windows\splwow64.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\ATH.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wuauclt.exe
C:\Windows\SoftwareDistribution\Download\Install\NDP40-KB2600217-x64.exe
d:\7ae8d5e304c31d73ebfd51\Setup.exe
C:\Windows\system32\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL
TB: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll
mRun: [DWPersistentQueuedReporting] C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAGIT~1.LNK - C:\Program Files (x86)\TechSmith\Snagit 10\Snagit32.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~4\Office15\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
Trusted Zone: Brad
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab
TCP: NameServer = 192.168.42.20
TCP: Interfaces\{2CFFCBDF-D13C-4762-A99C-CD9CBA68090B} : DHCPNameServer = 192.168.42.200
TCP: Interfaces\{7E6B26DB-2EC1-4AA4-B478-19378F2722AA} : DHCPNameServer = 192.168.42.20
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL
SSODL: WebCheck - <orphaned>
x64-BHO: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitBHO64.dll
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL
x64-TB: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitIEAddin64.dll
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-23 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-13 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-12 140672]
R2 Apache2.4;Apache2.4;D:\XAMPP\apache\bin\httpd.exe [2012-8-18 22016]
R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2011-5-13 30520]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 128456]
R2 Virtual Server;Virtual Server;C:\Program Files\Microsoft Virtual Server\vssrvc.exe [2007-5-24 6018936]
R3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\System32\drivers\netr28x.sys [2009-6-11 620544]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]
R3 vmh;Virtual Machine Helper;C:\Program Files\Microsoft Virtual Server\vmh.exe [2007-5-24 269208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2012-10-1 178824]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-2-5 19456]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2013-2-5 29696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-2-5 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-2-5 30208]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-12 117248]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-2-5 1255736]
.
=============== Created Last 30 ================
.
2013-02-06 02:17:49 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-02-06 02:07:06 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2013-02-06 02:07:04 9161176 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{218946FD-1AF6-42F5-BF49-7874AE74FDB7}\mpengine.dll
2013-02-06 02:06:29 -------- d-----w- C:\Program Files\iPod
2013-02-06 02:06:28 -------- d-----w- C:\Program Files\iTunes
2013-02-06 02:06:28 -------- d-----w- C:\Program Files (x86)\iTunes
2013-02-06 02:05:42 -------- d-----w- C:\Users\BradAdmin\AppData\Local\Apple
2013-02-06 02:03:08 -------- d-----w- C:\Program Files\Bonjour
2013-02-06 02:03:08 -------- d-----w- C:\Program Files (x86)\Bonjour
2013-02-06 01:36:16 -------- d-----w- C:\Program Files\Microsoft Virtual Server
2013-02-06 01:22:43 -------- d-----w- C:\Program Files (x86)\PHP
2013-02-06 00:54:54 -------- d-----w- C:\inetpub
2013-02-05 23:49:58 -------- d-----w- C:\Program Files (x86)\FastReports
2013-02-05 23:23:25 314880 ----a-w- C:\Windows\SysWow64\DelZip190.dll
2013-02-05 23:05:50 69632 ----a-w- C:\Windows\SysWow64\registerw2w4.exe
2013-02-05 23:04:45 -------- d-----w- C:\Program Files (x86)\Woll2Woll
2013-02-05 23:00:57 -------- d-----w- C:\Program Files (x86)\XLSSuit4
2013-02-05 22:51:52 81920 ----a-w- C:\Windows\SysWow64\adsdxe2dstudio.bpl
2013-02-05 22:51:46 482816 ----a-w- C:\Windows\SysWow64\adsdxe2studio.bpl
2013-02-05 22:51:34 -------- d-----w- C:\Program Files (x86)\Advantage 10.10
2013-02-05 22:31:00 -------- d-----w- C:\Users\BradAdmin\AppData\Local\Downloaded Installations
2013-02-05 22:23:49 -------- d-----w- C:\ProgramData\SmartBear
2013-02-05 22:10:14 -------- dc-h--w- C:\ProgramData\{16DDC977-28D8-44E8-8358-8BBFBEE97FE7}
2013-02-05 22:09:36 512160 ----a-w- C:\Windows\SysWow64\CodeSiteExpressPkg160.bpl
2013-02-05 22:09:35 3402752 ----a-w- C:\Windows\SysWow64\vcl160.bpl
2013-02-05 22:09:35 -------- d-----w- C:\ProgramData\Raize
2013-02-05 22:09:34 2876416 ----a-w- C:\Windows\SysWow64\rtl160.bpl
2013-02-05 22:09:34 144536 ----a-w- C:\Windows\SysWow64\CodeSitePlugIns160.bpl
2013-02-05 22:09:32 -------- d-----w- C:\Program Files (x86)\Raize
2013-02-05 22:08:01 -------- d-----w- C:\Users\BradAdmin\AppData\Local\assembly
2013-02-05 22:08:00 -------- d-----w- C:\Users\BradAdmin\AppData\Local\TechSmith
2013-02-05 22:07:52 150528 ----a-w- C:\Windows\SysWow64\TLBINF32.dll
2013-02-05 22:07:51 -------- d-----w- C:\ProgramData\VSoft
2013-02-05 22:07:42 -------- d-----w- C:\Program Files (x86)\FinalBuilder 7 XE2
2013-02-05 22:07:42 -------- d-----w- C:\Program Files (x86)\Common Files\VSoft
2013-02-05 22:02:51 -------- d-----w- C:\Program Files (x86)\SmartBear
2013-02-05 22:00:37 -------- d-----w- C:\Program Files (x86)\Delphi Basics
2013-02-05 21:43:35 -------- d-----w- C:\Program Files (x86)\Workreg
2013-02-05 21:32:00 -------- d-----w- C:\Program Files (x86)\Common Files\CodeGear Shared
2013-02-05 21:31:35 -------- d-----w- C:\Program Files (x86)\Accrivia
2013-02-05 21:31:07 -------- d-----w- C:\Windows\Downloaded Installations
2013-02-05 21:30:14 -------- d-----w- C:\Windows\System32\appmgmt
2013-02-05 21:29:45 -------- d-----w- C:\ProgramData\PDF Architect
2013-02-05 20:44:35 -------- d--h--w- C:\ProgramData\{05500BA0-5731-46FD-9326-FA79A36E6D46}
2013-02-05 18:26:41 -------- d-----w- C:\Windows\Panther
2013-02-05 12:18:57 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2013-02-05 04:57:06 1312768 ----a-w- C:\Windows\SysWow64\Rave100VCL160.bpl
2013-02-05 04:57:02 -------- d-----w- C:\Program Files (x86)\DevJet
2013-02-05 04:57:02 -------- d-----w- C:\Program Files (x86)\CollabNet
2013-02-05 04:51:12 -------- d-----w- C:\ProgramData\Embarcadero
2013-02-05 04:51:12 -------- d-----w- C:\Program Files (x86)\Embarcadero
2013-02-05 04:50:52 -------- d-----w- C:\Program Files (x86)\Common Files\Borland Shared
2013-02-05 04:41:34 -------- d-----w- C:\Users\BradAdmin\AppData\Roaming\Synaptics
2013-02-05 04:41:00 -------- d-----w- C:\Users\BradAdmin\AppData\Local\VirtualStore
2013-02-05 04:18:52 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server
2013-02-05 04:18:43 -------- d-----w- C:\ProgramData\regid.1991-06.com.microsoft
2013-02-05 04:18:24 -------- d-----w- C:\Windows\PCHEALTH
2013-02-05 04:18:24 -------- d-----w- C:\Program Files\Microsoft SQL Server
2013-02-05 04:16:03 -------- d-----w- C:\Users\BradAdmin\AppData\Local\PackageAware
2013-02-05 04:15:31 -------- d-----w- C:\Program Files\Microsoft Analysis Services
2013-02-05 04:15:31 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2013-02-05 04:15:18 -------- d-----w- C:\Users\BradAdmin\AppData\Local\Microsoft Help
2013-02-05 03:37:51 -------- d-----w- C:\Program Files\Sublime Text 2
2013-02-05 03:36:01 -------- d-----w- C:\Program Files (x86)\Beyond Compare 3
2013-02-05 03:35:37 -------- d-----w- C:\Users\BradAdmin\AppData\Roaming\pdfforge
2013-02-05 03:35:35 662288 ----a-w- C:\Windows\SysWow64\MSCOMCT2.OCX
2013-02-05 03:35:35 137000 ----a-w- C:\Windows\SysWow64\MSMAPI32.OCX
2013-02-05 03:35:35 1070152 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2013-02-05 03:35:35 103936 ----a-w- C:\Windows\System32\pdfcmon.dll
2013-02-05 03:35:34 23552 ----a-w- C:\Windows\SysWow64\MSMPIDE.DLL
2013-02-05 03:35:34 -------- d-----w- C:\Program Files (x86)\PDFCreator
2013-02-05 03:34:34 -------- d-----w- C:\Windows\Start Menu
2013-02-05 03:34:14 255552 ----a-w- C:\Windows\SysWow64\drivers\mcdbus.sys
2013-02-05 03:34:14 255552 ----a-w- C:\Windows\System32\drivers\mcdbus.sys
2013-02-05 03:34:13 -------- d-----w- C:\Program Files (x86)\MagicDisc
2013-02-05 03:32:15 -------- d-----w- C:\Users\BradAdmin\AppData\Local\Programs
2013-02-05 03:04:54 2560 ----a-w- C:\Windows\System32\drivers\ja-JP\wdf01000.sys.mui
2013-02-05 03:04:36 3072 ----a-w- C:\Windows\System32\drivers\ja-JP\tsusbflt.sys.mui
2013-02-05 03:04:08 -------- d-----w- C:\Windows\SysWow64\Wat
2013-02-05 03:04:08 -------- d-----w- C:\Windows\System32\Wat
2013-02-05 02:49:52 -------- d-----w- C:\Windows\ja-JP
2013-02-05 02:49:44 -------- d-----w- C:\Windows\SysWow64\XPSViewer
2013-02-05 02:49:44 -------- d-----w- C:\Windows\SysWow64\ja
2013-02-05 02:49:44 -------- d-----w- C:\Windows\SysWow64\drivers\UMDF\ja-JP
2013-02-05 02:49:44 -------- d-----w- C:\Windows\SysWow64\drivers\ja-JP
2013-02-05 02:49:44 -------- d-----w- C:\Windows\SysWow64\0411
2013-02-05 02:49:43 -------- d-----w- C:\Windows\SysWow64\wbem\ja-JP
2013-02-05 02:49:30 -------- d-----w- C:\Windows\System32\ja
2013-02-05 02:49:30 -------- d-----w- C:\Windows\System32\0411
2013-02-05 02:49:29 -------- d-----w- C:\Windows\System32\drivers\UMDF\ja-JP
2013-02-05 02:49:29 -------- d-----w- C:\Windows\System32\drivers\ja-JP
2013-02-05 02:49:23 -------- d-----w- C:\Windows\System32\wbem\ja-JP
2013-02-05 02:01:19 287744 ----a-w- C:\Windows\System32\lzhfldr2.dll
2013-02-05 02:01:19 266240 ----a-w- C:\Windows\SysWow64\lzhfldr2.dll
2013-02-05 02:01:18 6144 ----a-w- C:\Windows\System32\drivers\ja-JP\tunnel.sys.mui
2013-02-05 02:01:17 3584 ----a-w- C:\Windows\System32\drivers\ja-JP\tsusbhub.sys.mui
2013-02-05 02:01:17 24064 ----a-w- C:\Windows\System32\drivers\ja-JP\usbport.sys.mui
2013-02-05 02:01:15 11264 ----a-w- C:\Windows\System32\drivers\ja-JP\pacer.sys.mui
2013-02-05 02:01:14 5120 ----a-w- C:\Windows\System32\drivers\ja-JP\rdvgkmd.sys.mui
2013-02-05 02:01:14 2560 ----a-w- C:\Windows\System32\drivers\ja-JP\rdpwd.sys.mui
2013-02-05 02:01:09 9728 ----a-w- C:\Windows\System32\drivers\ja-JP\battc.sys.mui
2013-02-05 01:49:08 9728 ----a-w- C:\Windows\System32\Wdfres.dll
2013-02-05 01:49:08 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
2013-02-05 01:49:08 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys
2013-02-05 01:49:08 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2013-02-05 01:41:57 -------- d-----w- C:\Program Files\Synaptics
2013-02-05 01:37:07 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
2013-02-05 01:37:07 46080 ----a-w- C:\Windows\System32\atmlib.dll
2013-02-05 01:37:07 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2013-02-05 01:37:07 100864 ----a-w- C:\Windows\System32\fontsub.dll
2013-02-05 01:37:06 367616 ----a-w- C:\Windows\System32\atmfd.dll
2013-02-05 01:37:06 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2013-02-05 01:36:39 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
2013-02-05 01:36:39 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
2013-02-05 01:36:39 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
2013-02-05 01:36:38 744448 ----a-w- C:\Windows\System32\WUDFx.dll
2013-02-05 01:36:38 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
2013-02-05 01:36:38 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
2013-02-05 01:36:38 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
2013-02-05 01:34:58 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2013-02-05 01:34:58 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2013-02-05 01:34:58 5120 ----a-w- C:\Windows\System32\wmi.dll
2013-02-05 01:34:58 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2013-02-05 01:34:58 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2013-02-05 01:32:03 -------- d-----w- C:\Intel
2013-02-05 01:30:32 902656 ----a-w- C:\Windows\System32\d2d1.dll
2013-02-05 01:30:32 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2013-02-05 01:30:32 1139200 ----a-w- C:\Windows\System32\FntCache.dll
2013-02-05 00:30:03 -------- d-----w- C:\ProgramData\Malwarebytes
2013-02-05 00:30:02 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-02-05 00:30:02 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-02-05 00:29:18 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2013-02-05 00:29:18 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2013-02-05 00:05:39 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2013-02-05 00:04:54 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2013-02-05 00:03:55 2871808 ----a-w- C:\Windows\explorer.exe
2013-02-04 23:58:41 77312 ----a-w- C:\Windows\System32\packager.dll
2013-02-04 23:58:41 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2013-02-04 23:53:04 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2013-02-04 23:53:04 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2013-02-04 23:53:04 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2013-02-04 23:49:37 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2013-02-04 23:49:14 -------- d-sh--w- C:\Windows\Installer
2013-02-04 23:49:11 -------- d-----w- C:\Program Files\Microsoft Security Client
2013-02-04 23:42:40 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2013-02-04 23:42:34 99840 ----a-w- C:\Windows\System32\wudriver.dll
2013-02-04 23:42:27 36864 ----a-w- C:\Windows\System32\wuapp.exe
2013-02-04 23:42:27 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2013-02-04 23:38:51 -------- d-sh--w- C:\Recovery
.
==================== Find3M ====================
.
2013-01-30 10:53:22 273840 ------w- C:\Windows\System32\MpSigStub.exe
2013-01-05 00:22:08 50800 ----a-w- C:\Windows\System32\drivers\point64.sys
2013-01-05 00:22:08 1795952 ----a-w- C:\Windows\System32\WdfCoInstaller01011.dll
2012-12-07 13:20:16 441856 ----a-w- C:\Windows\System32\Wpc.dll
2012-12-07 13:15:31 2746368 ----a-w- C:\Windows\System32\gameux.dll
2012-12-07 12:26:17 308736 ----a-w- C:\Windows\SysWow64\Wpc.dll
2012-12-07 12:20:43 2576384 ----a-w- C:\Windows\SysWow64\gameux.dll
2012-12-07 11:20:04 30720 ----a-w- C:\Windows\System32\usk.rs
2012-12-07 11:20:03 43520 ----a-w- C:\Windows\System32\csrr.rs
2012-12-07 11:20:03 23552 ----a-w- C:\Windows\System32\oflc.rs
2012-12-07 11:20:01 45568 ----a-w- C:\Windows\System32\oflc-nz.rs
2012-12-07 11:20:01 44544 ----a-w- C:\Windows\System32\pegibbfc.rs
2012-12-07 11:20:01 20480 ----a-w- C:\Windows\System32\pegi-fi.rs
2012-12-07 11:20:00 20480 ----a-w- C:\Windows\System32\pegi-pt.rs
2012-12-07 11:19:59 20480 ----a-w- C:\Windows\System32\pegi.rs
2012-12-07 11:19:58 46592 ----a-w- C:\Windows\System32\fpb.rs
2012-12-07 11:19:57 40960 ----a-w- C:\Windows\System32\cob-au.rs
2012-12-07 11:19:57 21504 ----a-w- C:\Windows\System32\grb.rs
2012-12-07 11:19:57 15360 ----a-w- C:\Windows\System32\djctq.rs
2012-12-07 11:19:56 55296 ----a-w- C:\Windows\System32\cero.rs
2012-12-07 11:19:55 51712 ----a-w- C:\Windows\System32\esrb.rs
2012-11-30 05:45:35 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-11-30 05:45:35 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-11-30 05:45:35 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-11-30 05:45:14 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-11-30 05:43:12 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-11-30 05:41:07 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2012-11-30 04:54:00 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-11-30 04:53:59 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-11-30 03:23:48 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-11-30 02:44:06 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-11-30 02:44:04 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-11-30 02:44:04 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-11-30 02:44:03 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-11-30 02:38:59 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-11-27 23:42:06 402272 ----a-w- C:\Windows\SysWow64\rsnp2uvc.dll
2012-11-27 23:42:06 400736 ----a-w- C:\Windows\System32\rsnp2uvc.dll
2012-11-27 23:42:06 379232 ----a-w- C:\Windows\System32\vsnp2uvc.dll
2012-11-27 23:42:06 311648 ----a-w- C:\Windows\SysWow64\vsnp2uvc.dll
2012-11-27 23:42:06 26464 ----a-w- C:\Windows\snuvcdsm.exe
2012-11-27 23:42:06 246112 ----a-w- C:\Windows\System32\csnp2uvc.dll
2012-11-27 23:42:06 1866080 ----a-w- C:\Windows\System32\drivers\snp2uvc.sys
2012-11-23 03:26:31 3149824 ----a-w- C:\Windows\System32\win32k.sys
2012-11-23 03:13:57 68608 ----a-w- C:\Windows\System32\taskhost.exe
2012-11-22 05:44:23 800768 ----a-w- C:\Windows\System32\usp10.dll
2012-11-22 04:45:03 626688 ----a-w- C:\Windows\SysWow64\usp10.dll
2012-11-21 00:38:40 105472 ----a-w- C:\Windows\SysWow64\frxTee16.bpl
2012-11-21 00:38:22 758784 ----a-w- C:\Windows\SysWow64\frxe16.bpl
2012-11-21 00:38:04 81920 ----a-w- C:\Windows\SysWow64\frxDBX16.bpl
2012-11-21 00:37:48 62976 ----a-w- C:\Windows\SysWow64\frxIBX16.bpl
2012-11-21 00:37:30 67072 ----a-w- C:\Windows\SysWow64\frxADO16.bpl
2012-11-21 00:37:12 59904 ----a-w- C:\Windows\SysWow64\frxBDE16.bpl
2012-11-21 00:36:56 130048 ----a-w- C:\Windows\SysWow64\frxDB16.bpl
2012-11-21 00:36:38 2099712 ----a-w- C:\Windows\SysWow64\frx16.bpl
2012-11-21 00:36:20 35840 ----a-w- C:\Windows\SysWow64\fsTee16.bpl
2012-11-21 00:36:02 29696 ----a-w- C:\Windows\SysWow64\fsIBX16.bpl
2012-11-21 00:35:46 29696 ----a-w- C:\Windows\SysWow64\fsADO16.bpl
2012-11-21 00:35:30 31232 ----a-w- C:\Windows\SysWow64\fsBDE16.bpl
2012-11-21 00:35:12 60416 ----a-w- C:\Windows\SysWow64\fsDB16.bpl
2012-11-21 00:34:56 481792 ----a-w- C:\Windows\SysWow64\fs16.bpl
2012-11-21 00:34:48 229888 ----a-w- C:\Windows\SysWow64\fqb160.bpl
2012-11-20 05:48:49 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-11-20 04:51:09 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-11-09 05:45:32 750592 ----a-w- C:\Windows\System32\win32spl.dll
2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-11-09 04:43:04 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
.
============= FINISH: 13:33:14.27 ===============

There's no place like 127.0.0.1
There are 10 types of people in the world, those that can read binary, and those who can't.


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,249 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:07 AM

Posted 06 February 2013 - 03:27 AM

That looks clean. One thing though: I'd uninstall Super Antispyware; there are a lot of issues with it lately and its detection isn't as good as it has been.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 KamakaZ

KamakaZ
  • Topic Starter

  • Members
  • 739 posts
  • OFFLINE
  • Gender:Male
  • Location:Victoria
  • Local time:06:07 PM

Posted 06 February 2013 - 05:05 PM

I have uninstalled it. Got the server running now, everything seems to be happy. Have also purchased Sophos licenses for the whole site (people were running their own - AVG, MSSE, Kaspersky).

Uninstalled Super Antispyware.

Thanks for everything Elise :)



#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,249 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:07 AM

Posted 07 February 2013 - 02:56 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise

