
Zero Access, Internet Security 2013, root kits, SysWOW64 file, ComboFix/DDS log attached


This topic is locked
31 replies to this topic

#1 jillmarten

Posted 21 January 2014 - 03:51 PM

Hello, sorry if this is jumbled. I am helping a friend with their computer; when they gave it to me they were unable to get into Windows because their password didn't work. So I fixed that and got into Windows, and then I saw the root of the problem... TONS of malware and viruses. It wouldn't even connect to the internet. So the first step was to boot into safe mode with networking, use RKILL, then use TDSSKILLER; after it found things (I don't have the logs, sorry) I was then able to install and update MALWAREBYTES. Before this I couldn't get a connection; after running TDSSKiller I was able to get a connection, but it would only hold for like 5 min at a time. So I installed MALWAREBYTES, updated it and ran a full scan, which took 6hrs by the way, and which spent most of the time in a folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files and the same thing with the ending content.ie5.... (by the way, I have never seen a folder scan this long; I scan my own computer all the time and it never does this). I even went to look for this folder on here and the temp file folder isn't there, or the content.ie5.... going on... SORRY. What Malwarebytes found I removed; it was a lot of Zero Access and the Internet Security 2013. I then rebooted the computer. I don't have this log either. I then ran Malwarebytes rootkit and it also found stuff. Removed them as well. I then ran SUPERAntiSpyware; it found about 29 items. Removed them. And I then ran CCLEANER. Restarted the computer. I have been updating the Windows files and everything because that was turned off, and there was also no antivirus on this computer either. But it still doesn't seem right, because every scan I ran takes FOREVER, and I have never noticed the SYSWOW64 folder like that before.
I am now running a full scan with Microsoft Security Essentials. I started it before I went to bed and here I am 14hrs later and it is still running, where I know for a fact it spent the majority of its time in the SysWOW64 temp internet folder and SysWOW64\temp\content.ie5. What is that? I know that is a system folder, but why is there a hidden temporary internet folder in there that I can't see? (I have view hidden folders on.) I just don't understand what is going on... My computer that I have has a bigger hard drive and more files on it than the infected computer and it never ever ever takes this long for a scan... So there is something up with that hidden temp folder in the SysWOW64 folder... PLEASE HELP...

 

Oh I also ran combofix... that is one log I do have....

 

And the Microsoft Security Essentials scan that is still running, which finally now just got out of the SysWOW64 folder, says "Preliminary scan results show that malicious or potentially unwanted software might exist on your system. You can view detected items when the scan has completed." That scan finally just completed.... it found:

 

Backdoor:Win32/Cycbot!cfg   action taken: removed

Exploit:Java/CVE-2010-4452  action taken: removed

Trojan:Win64/Alureon.J      action taken: removed

 

 

 

COMBOFIX LOG:

ComboFix 14-01-16.03 - L645D-S4025 01/19/2014  20:22:00.1.2 - x64

Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.2811.1418 [GMT -6:00]
Running from: c:\users\L645D-S4025\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\4S3c85VJ.exe.b
c:\programdata\4S3c85VJ.exe_.b
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-20 to 2014-01-20  )))))))))))))))))))))))))))))))
.
.
2014-01-20 02:29 . 2014-01-20 02:29 -------- d-----w- c:\users\Kiosk\AppData\Local\temp
2014-01-20 02:29 . 2014-01-20 02:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-01-20 00:44 . 2014-01-20 01:44 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-01-20 00:44 . 2014-01-20 00:44 117464 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-01-20 00:43 . 2014-01-20 00:43 89304 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-01-20 00:33 . 2014-01-20 00:33 17838984 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2014-01-19 16:49 . 2014-01-19 16:49 -------- d-----w- c:\users\L645D-S4025\AppData\Roaming\SUPERAntiSpyware.com
2014-01-19 16:40 . 2014-01-19 16:40 -------- d-----w- c:\program files\CCleaner
2014-01-19 01:55 . 2014-01-19 01:55 -------- d-----w- c:\users\L645D-S4025\AppData\Roaming\Malwarebytes
2014-01-19 01:55 . 2014-01-19 01:55 -------- d-----w- c:\programdata\Malwarebytes
2014-01-19 01:54 . 2014-01-19 01:54 -------- d-----w- c:\users\L645D-S4025\AppData\Local\Programs
2014-01-19 01:49 . 2014-01-20 00:22 -------- d-----w- c:\program files (x86)\VS Revo Group
2014-01-19 01:40 . 2014-01-19 01:40 229984 ----a-w- c:\windows\system32\drivers\02196881.sys
2014-01-19 01:39 . 2014-01-19 01:39 229984 ----a-w- c:\windows\system32\drivers\13745872.sys
2014-01-19 01:03 . 2009-07-14 01:39 1402880 ----a-w- C:\Utilman.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-20 00:33 . 2013-04-10 17:01 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-01-20 00:33 . 2011-11-18 01:57 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-01-19 02:03 . 2009-07-13 23:19 328704 ----a-w- c:\windows\system32\services.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]
"NortonOnlineBackupReminder"="c:\program files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-08-10 529256]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 04200409;04200409;c:\windows\system32\drivers\02196881.sys;c:\windows\SYSNATIVE\drivers\02196881.sys [x]
R3 48906018;48906018;c:\windows\system32\drivers\13745872.sys;c:\windows\SYSNATIVE\drivers\13745872.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [x]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [x]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe;c:\program files\TOSHIBA\TECO\TecoService.exe [x]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys;c:\windows\SYSNATIVE\DRIVERS\TVALZFL.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]
S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys;c:\windows\SYSNATIVE\DRIVERS\QIOMem.sys [x]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192se.sys [x]
S3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-01-19 15:02 1211672 ----a-w- c:\program files (x86)\Google\Chrome\Application\32.0.1700.76\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-10 00:33]
.
2014-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-18 01:57]
.
2014-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-18 01:57]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2010-01-29 517176]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://start.toshiba.com/
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-04200409.sys
SafeBoot-27735958.sys
SafeBoot-48906018.sys
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_38_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_38_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_38_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_38_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_38.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_38.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_38.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_38.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-01-19  20:31:04
ComboFix-quarantined-files.txt  2014-01-20 02:31
.
Pre-Run: 169,466,445,824 bytes free
Post-Run: 169,131,749,376 bytes free
.
- - End Of File - - D2020EBF2699E134B07E98B9AC3F4411
5B5E648D12FCADC244C1EC30318E1EB9
 
DDS:
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16526
Run by L645D-S4025 at 14:37:14 on 2014-01-21
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2811.824 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{9DBA840B-0D57-4194-AC8C-97A6F448487A} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{9DBA840B-0D57-4194-AC8C-97A6F448487A}\1414D28405F5E4564777F627B6 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{9DBA840B-0D57-4194-AC8C-97A6F448487A}\355707562702830275962756C6563737 : DHCPNameServer = 10.0.0.1
TCP: Interfaces\{9DBA840B-0D57-4194-AC8C-97A6F448487A}\7416E6A7 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{9DBA840B-0D57-4194-AC8C-97A6F448487A}\A4147535D20534F5E4564777F627B6 : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{9DBA840B-0D57-4194-AC8C-97A6F448487A}\E4544574541425 : DHCPNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.76\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxp://start.toshiba.com/
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe
x64-Run: [SmoothView] C:\Program Files (x86)\Toshiba\SmoothView\SmoothView.exe
x64-Run: [00TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
x64-Run: [Teco] "C:\Program Files (x86)\TOSHIBA\TECO\Teco.exe" /r
x64-Run: [SmartFaceVWatcher] C:\Program Files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
x64-Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
x64-Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2010-4-23 202752]
R2 NisDrv;Microsoft Network Inspection System;C:\windows\System32\drivers\NisDrvWFP.sys [2013-9-27 134944]
R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [2010-4-23 103792]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [2010-4-23 126392]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-4-6 258928]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\System32\drivers\TVALZFL.sys [2009-6-19 14472]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\System32\drivers\L1C62x64.sys [2011-4-20 169584]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2010-4-23 35008]
R3 QIOMem;Generic IO & Memory Access;C:\windows\System32\drivers\QIOMem.sys [2009-6-15 12800]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\windows\System32\drivers\rtl8192se.sys [2011-6-20 1225832]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-4-23 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-2-23 835952]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S3 04200409;04200409;C:\windows\System32\drivers\02196881.sys [2014-1-18 229984]
S3 48906018;48906018;C:\windows\System32\drivers\13745872.sys [2014-1-18 229984]
S3 fssfltr;fssfltr;C:\windows\System32\drivers\fssfltr.sys [2014-1-20 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2010-4-23 239136]
S3 SrvHsfHDA;SrvHsfHDA;C:\windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2014-1-20 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2014-1-20 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-01-21 12:22:32 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5286E477-6065-463B-82CC-3C282140F83D}\offreg.dll
2014-01-21 05:59:03 965000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E695D91F-C24E-4D69-BC0D-4B30D2CF5E48}\gapaengine.dll
2014-01-21 05:58:38 10315576 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5286E477-6065-463B-82CC-3C282140F83D}\mpengine.dll
2014-01-21 04:05:32 -------- d-----w- C:\windows\System32\SPReview
2014-01-21 04:04:22 -------- d-----w- C:\windows\System32\EventProviders
2014-01-21 04:02:39 10315576 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-01-21 03:59:08 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2014-01-21 03:59:05 -------- d-----w- C:\Program Files\Microsoft Security Client
2014-01-21 00:20:59 577536 ----a-w- C:\windows\System32\WSDApi.dll
2014-01-21 00:19:59 91648 ----a-w- C:\windows\System32\mapistub.dll
2014-01-21 00:17:49 244736 ----a-w- C:\Program Files\Windows Portable Devices\sqmapi.dll
2014-01-21 00:17:48 529408 ----a-w- C:\windows\System32\wbemcomn.dll
2014-01-21 00:17:45 244736 ----a-w- C:\windows\System32\sqmapi.dll
2014-01-21 00:16:40 902656 ----a-w- C:\windows\System32\d2d1.dll
2014-01-21 00:16:40 739840 ----a-w- C:\windows\SysWow64\d2d1.dll
2014-01-21 00:16:40 1139200 ----a-w- C:\windows\System32\FntCache.dll
2014-01-20 23:55:07 52736 ----a-w- C:\windows\System32\drivers\usbehci.sys
2014-01-20 23:55:07 343040 ----a-w- C:\windows\System32\drivers\usbhub.sys
2014-01-20 23:55:07 325120 ----a-w- C:\windows\System32\drivers\usbport.sys
2014-01-20 23:55:06 98816 ----a-w- C:\windows\System32\drivers\usbccgp.sys
2014-01-20 23:55:06 7936 ----a-w- C:\windows\System32\drivers\usbd.sys
2014-01-20 23:55:06 30720 ----a-w- C:\windows\System32\drivers\usbuhci.sys
2014-01-20 23:55:06 25600 ----a-w- C:\windows\System32\drivers\usbohci.sys
2014-01-20 23:54:56 2565632 ----a-w- C:\windows\System32\esent.dll
2014-01-20 23:54:55 1699328 ----a-w- C:\windows\SysWow64\esent.dll
2014-01-20 23:54:55 166272 ----a-w- C:\windows\System32\drivers\nvstor.sys
2014-01-20 23:54:55 148352 ----a-w- C:\windows\System32\drivers\nvraid.sys
2014-01-20 23:54:55 107904 ----a-w- C:\windows\System32\drivers\amdsata.sys
2014-01-20 23:54:54 96768 ----a-w- C:\windows\System32\fsutil.exe
2014-01-20 23:54:54 74240 ----a-w- C:\windows\SysWow64\fsutil.exe
2014-01-20 23:54:54 410496 ----a-w- C:\windows\System32\drivers\iaStorV.sys
2014-01-20 23:54:54 27008 ----a-w- C:\windows\System32\drivers\amdxata.sys
2014-01-20 23:54:54 189824 ----a-w- C:\windows\System32\drivers\storport.sys
2014-01-20 22:46:31 2560 ----a-w- C:\windows\System32\drivers\en-US\wdf01000.sys.mui
2014-01-20 22:46:30 9728 ----a-w- C:\windows\System32\Wdfres.dll
2014-01-20 22:46:30 785512 ----a-w- C:\windows\System32\drivers\Wdf01000.sys
2014-01-20 22:46:30 54376 ----a-w- C:\windows\System32\drivers\WdfLdr.sys
2014-01-20 22:28:11 70656 ----a-w- C:\windows\SysWow64\fontsub.dll
2014-01-20 22:28:11 46080 ----a-w- C:\windows\System32\atmlib.dll
2014-01-20 22:28:11 367616 ----a-w- C:\windows\System32\atmfd.dll
2014-01-20 22:28:11 34304 ----a-w- C:\windows\SysWow64\atmlib.dll
2014-01-20 22:28:11 295424 ----a-w- C:\windows\SysWow64\atmfd.dll
2014-01-20 22:28:11 100864 ----a-w- C:\windows\System32\fontsub.dll
2014-01-20 22:26:36 87040 ----a-w- C:\windows\System32\drivers\WUDFPf.sys
2014-01-20 22:26:36 198656 ----a-w- C:\windows\System32\drivers\WUDFRd.sys
2014-01-20 22:26:35 84992 ----a-w- C:\windows\System32\WUDFSvc.dll
2014-01-20 22:26:35 744448 ----a-w- C:\windows\System32\WUDFx.dll
2014-01-20 22:26:35 45056 ----a-w- C:\windows\System32\WUDFCoinstaller.dll
2014-01-20 22:26:35 229888 ----a-w- C:\windows\System32\WUDFHost.exe
2014-01-20 22:26:35 194048 ----a-w- C:\windows\System32\WUDFPlatform.dll
2014-01-20 22:20:59 81408 ----a-w- C:\windows\System32\imagehlp.dll
2014-01-20 22:20:59 5120 ----a-w- C:\windows\SysWow64\wmi.dll
2014-01-20 22:20:59 5120 ----a-w- C:\windows\System32\wmi.dll
2014-01-20 22:20:59 23408 ----a-w- C:\windows\System32\drivers\fs_rec.sys
2014-01-20 22:20:59 159232 ----a-w- C:\windows\SysWow64\imagehlp.dll
2014-01-20 21:56:16 -------- d-----w- C:\windows\SysWow64\Wat
2014-01-20 21:56:15 -------- d-----w- C:\windows\System32\Wat
2014-01-20 20:18:40 -------- d-----w- C:\windows\en
2014-01-20 20:16:20 48488 ----a-w- C:\windows\System32\drivers\fssfltr.sys
2014-01-20 20:15:22 -------- d-----w- C:\Program Files (x86)\MSN Toolbar
2014-01-20 20:15:02 -------- d-----w- C:\Program Files (x86)\Bing Bar Installer
2014-01-20 20:14:52 69464 ----a-w- C:\windows\SysWow64\XAPOFX1_3.dll
2014-01-20 20:14:52 523088 ----a-w- C:\windows\System32\d3dx10_42.dll
2014-01-20 20:14:52 515416 ----a-w- C:\windows\SysWow64\XAudio2_5.dll
2014-01-20 20:14:52 453456 ----a-w- C:\windows\SysWow64\d3dx10_42.dll
2014-01-20 19:57:29 469256 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\d83e50ad1cf16192e\InstallManager_WLE_WLE.exe
2014-01-20 19:57:08 15712 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\cce8a3411cf161922\MeshBetaRemover.exe
2014-01-20 19:56:51 94040 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\c24f028b1cf16191a\DSETUP.dll
2014-01-20 19:56:51 525656 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\c24f028b1cf16191a\DXSETUP.exe
2014-01-20 19:56:51 1691480 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\c24f028b1cf16191a\dsetup32.dll
2014-01-20 19:56:49 94040 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\c0f5db041cf161919\DSETUP.dll
2014-01-20 19:56:49 525656 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\c0f5db041cf161919\DXSETUP.exe
2014-01-20 19:56:49 1691480 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\c0f5db041cf161919\dsetup32.dll
2014-01-20 19:55:49 -------- d-----w- C:\Users\L645D-S4025\AppData\Local\Windows Live
2014-01-20 19:16:06 -------- d-----w- C:\Users\L645D-S4025\AppData\Local\Microsoft Help
2014-01-20 19:10:57 -------- d-----r- C:\Program Files (x86)\Skype
2014-01-20 19:04:14 -------- d-----w- C:\windows\System32\MRT
2014-01-20 16:18:54 142336 ----a-w- C:\windows\System32\poqexec.exe
2014-01-20 16:17:50 2315776 ----a-w- C:\windows\System32\tquery.dll
2014-01-20 16:16:41 870912 ----a-w- C:\windows\SysWow64\XpsPrint.dll
2014-01-20 16:15:56 2002432 ----a-w- C:\windows\System32\msxml6.dll
2014-01-20 16:14:58 321024 ----a-w- C:\windows\System32\d3d10_1core.dll
2014-01-20 16:13:56 75120 ----a-w- C:\windows\System32\drivers\partmgr.sys
2014-01-20 16:12:49 95744 ----a-w- C:\windows\System32\synceng.dll
2014-01-20 16:12:49 78336 ----a-w- C:\windows\SysWow64\synceng.dll
2014-01-20 16:12:47 642944 ----a-w- C:\windows\System32\winload.efi
2014-01-20 16:12:47 605552 ----a-w- C:\windows\System32\winload.exe
2014-01-20 16:12:47 566208 ----a-w- C:\windows\System32\winresume.efi
2014-01-20 16:12:47 518672 ----a-w- C:\windows\System32\winresume.exe
2014-01-20 16:12:46 63488 ----a-w- C:\windows\System32\setbcdlocale.dll
2014-01-20 16:12:46 20352 ----a-w- C:\windows\System32\kdusb.dll
2014-01-20 16:12:46 19328 ----a-w- C:\windows\System32\kd1394.dll
2014-01-20 16:12:46 17792 ----a-w- C:\windows\System32\kdcom.dll
2014-01-20 16:10:54 1499136 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2014-01-20 15:57:14 77312 ----a-w- C:\windows\System32\packager.dll
2014-01-20 15:57:14 67072 ----a-w- C:\windows\SysWow64\packager.dll
2014-01-20 15:53:14 826880 ----a-w- C:\windows\SysWow64\rdpcore.dll
2014-01-20 15:53:14 23552 ----a-w- C:\windows\System32\drivers\tdtcp.sys
2014-01-20 15:53:14 1031680 ----a-w- C:\windows\System32\rdpcore.dll
2014-01-20 15:46:30 2622464 ----a-w- C:\windows\System32\wucltux.dll
2014-01-20 15:46:09 36864 ----a-w- C:\windows\System32\wuapp.exe
2014-01-20 15:46:09 186752 ----a-w- C:\windows\System32\wuwebv.dll
2014-01-20 02:31:08 -------- d-sh--w- C:\$RECYCLE.BIN
2014-01-20 02:19:44 98816 ----a-w- C:\windows\sed.exe
2014-01-20 02:19:44 256000 ----a-w- C:\windows\PEV.exe
2014-01-20 02:19:44 208896 ----a-w- C:\windows\MBR.exe
2014-01-20 00:44:34 117464 ----a-w- C:\windows\System32\drivers\MBAMSwissArmy.sys
2014-01-20 00:43:50 89304 ----a-w- C:\windows\System32\drivers\mbamchameleon.sys
2014-01-20 00:33:10 17838984 ----a-w- C:\windows\SysWow64\FlashPlayerInstaller.exe
2014-01-19 16:49:57 -------- d-----w- C:\Users\L645D-S4025\AppData\Roaming\SUPERAntiSpyware.com
2014-01-19 16:40:19 -------- d-----w- C:\Program Files\CCleaner
2014-01-19 01:55:31 -------- d-----w- C:\Users\L645D-S4025\AppData\Roaming\Malwarebytes
2014-01-19 01:55:14 -------- d-----w- C:\ProgramData\Malwarebytes
2014-01-19 01:54:11 -------- d-----w- C:\Users\L645D-S4025\AppData\Local\Programs
2014-01-19 01:49:23 -------- d-----w- C:\Program Files (x86)\VS Revo Group
2014-01-19 01:40:16 229984 ----a-w- C:\windows\System32\drivers\02196881.sys
2014-01-19 01:39:50 229984 ----a-w- C:\windows\System32\drivers\13745872.sys
2014-01-19 01:03:34 1402880 ----a-w- C:\Utilman.exe
.
==================== Find3M  ====================
.
2014-01-21 04:39:34 152576 ----a-w- C:\windows\SysWow64\msclmd.dll
2014-01-21 04:39:33 175616 ----a-w- C:\windows\System32\msclmd.dll
2014-01-20 00:33:18 71048 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-01-20 00:33:18 692616 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2014-01-19 07:33:29 270496 ------w- C:\windows\System32\MpSigStub.exe
2014-01-19 02:03:10 328704 ----a-w- C:\windows\System32\services.exe
.
============= FINISH: 14:39:47.53 ===============
 
ATTACH:
Do you need this log?

Jill M***Butterfly Kisses



#2 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:06:01 AM

Posted 21 January 2014 - 05:13 PM

Hi jillmarten and Welcome to BleepingComputer!

I am currently looking through your logs and will advise you on what to do in my next reply.

Please can you post the Attach.txt in your next reply so I can also review this.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#3 jillmarten

jillmarten
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Local time:01:01 AM

Posted 21 January 2014 - 05:51 PM

Hello and thank you for your fast reply; here is the Attach.txt log...

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium 
Boot Device: \Device\HarddiskVolume1
Install Date: 6/18/2010 8:43:43 AM
System Uptime: 1/20/2014 10:54:55 PM (16 hours ago)
.
Motherboard: AMD Corp. |  | Guam
Processor: AMD Athlon™ II P320 Dual-Core Processor | Socket S1G4 | 2100/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 221 GiB total, 153.801 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB2FlashStorage
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_UT165&PROD_USB2FLASHSTORAGE&REV_0.00#11492215110957000064&0#
Manufacturer: Ut165   
Name: FLASHDRIVE
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_UT165&PROD_USB2FLASHSTORAGE&REV_0.00#11492215110957000064&0#
Service: WUDFRd
.
==== System Restore Points ===================
.
RP55: 1/20/2014 10:05:16 PM - Windows 7 Service Pack 1
RP56: 1/21/2014 3:00:13 AM - Windows Update
.
==== Installed Programs ======================
.
Adobe Flash Player 11 Plugin
Adobe Flash Player 12 ActiveX
Adobe Reader 9.3
Amazon Links
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
ATI Catalyst Install Manager
Bejeweled 2 Deluxe
Bing Bar
Bing Bar Platform
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Chuzzle Deluxe
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
Conexant HD Audio
D3DX10
Escape Rosecliff Island
FATE - The Traitor Soul
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Java™ 6 Update 17
Jewel Quest 3
Junk Mail filter update
Label@Once 1.0
Mesh Runtime
Messenger Companion
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office Office 64-bit Components 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared 64-bit MUI (English) 2007
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP3 Parser (KB2758694)
MSXML 4.0 SP3 Parser (KB973685)
Penguins!
PlayReady PC Runtime amd64
Polar Bowler
Quickbooks Financial Center
Realtek USB 2.0 Card Reader
Realtek WLAN Driver
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596825) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597973) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760411) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760415) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760585) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760591) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2817641) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2827326) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2837615) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2850022) 32-Bit Edition 
Security Update for Microsoft Office Excel 2007 (KB2827324) 32-Bit Edition 
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition 
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2837617) 32-Bit Edition 
Skype Launcher
Skype™ 5.10
Spotify
Synaptics Pointing Device Driver
TOSHIBA Application Installer
TOSHIBA Assist
TOSHIBA Bulletin Board
TOSHIBA Disc Creator
TOSHIBA eco Utility
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
Toshiba Laptop Checkup
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
Toshiba Online Backup
TOSHIBA PC Health Monitor
TOSHIBA Quality Application
TOSHIBA Recovery Media Creator
TOSHIBA ReelTime
TOSHIBA Service Station
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
ToshibaRegistration
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Virtual Families
Virtual Villagers - The Secret City
WildTangent Games
WildTangent ORB Game Console
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Zuma's Revenge
.
==== Event Viewer Messages From Past Week ========
.
1/20/2014 5:27:46 PM, Error: Service Control Manager [7034]  - The SeaPort service terminated unexpectedly.  It has done this 1 time(s).
1/20/2014 5:27:46 PM, Error: Service Control Manager [7031]  - The Common Client Job Manager Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
1/20/2014 5:27:45 PM, Error: Service Control Manager [7034]  - The Toshiba Laptop Checkup Application Launcher service terminated unexpectedly.  It has done this 1 time(s).
1/20/2014 5:27:33 PM, Error: Service Control Manager [7043]  - The Windows Modules Installer service did not shut down properly after receiving a preshutdown control.
1/20/2014 4:53:18 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package (KB2538243).
1/20/2014 4:18:33 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft XML Core Services 4.0 Service Pack 3 for x64-based Systems (KB2758694).
1/20/2014 4:03:54 PM, Error: Service Control Manager [7043]  - The Windows Update service did not shut down properly after receiving a preshutdown control.
1/20/2014 3:36:07 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB979538).
1/20/2014 3:36:07 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2661254).
1/20/2014 3:36:07 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2345886).
1/20/2014 3:36:07 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2644615).
1/20/2014 3:36:07 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2419640).
1/20/2014 3:36:07 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2742598).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Windows Live Essentials 2011 (KB2434419).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB980408).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2799926).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2786400).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2773072).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2762895).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2761217).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2749655).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2748349).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2741355).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2732500).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2729094).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2726535).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2709630).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2699779).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2660075).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2603229).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2545698).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2541014).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2522422).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2511250).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2506928).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2506014).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2488113).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2484033).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2467023).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2454826).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for User-Mode Driver Framework version 1.11 for Windows 7 for x64-based Systems (KB2685813).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Kernel-Mode Driver Framework version 1.11 for Windows 7 for x64-based Systems (KB2685811).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Internet Explorer 8 Compatibility View List for Windows 7 for x64-based Systems (KB2598845).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB982799).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB982665).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB978542).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2840149).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2813170).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2807986).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2790655).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2790113).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2785220).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2770660).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2758857).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2757638).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2753842).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2743555).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2727528).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2712808).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2706045).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2705219).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2698365).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2691442).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2690533).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2685939).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2676562).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2667402).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2660649).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2659262).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2655992).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2654428).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2653956).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2645640).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2621440).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2619339).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2579686).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2570947).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2564958).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2544893).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2536275).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2532531).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2511455).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2509553).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2506212).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2491683).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2483614).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2442962).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2423089).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2393802).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2387149).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2378111).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2347290).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2296011).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2281679).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2032276).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2756920).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2736418).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2729451).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2656355).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Microsoft .NET Framework 3.5 SP1 Update for Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB982526).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Cumulative Update for Media Center for Windows 7 x64-based Systems (KB2284742).
1/20/2014 3:36:06 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Cumulative Security Update for Internet Explorer 8 for Windows 7 for x64-based Systems (KB2817183).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB980846).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2779562).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2718704).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2640148).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2563227).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2552343).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2547666).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Update for Windows 7 for x64-based Systems (KB2387530).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB982132).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB979688).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB979687).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB979482).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB979309).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2813347).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2808735).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2769369).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2658846).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2631813).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2620704).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2585542).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2560656).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2536276).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2535512).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2479943).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Windows 7 for x64-based Systems (KB2305420).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2789644).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2656410).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2604114).
1/20/2014 3:36:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80071a2d: Cumulative Security Update for ActiveX Killbits for Windows 7 for x64-based Systems (KB2618451).
1/20/2014 3:33:07 PM, Error: Service Control Manager [7023]  - 
1/20/2014 3:29:21 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800f0902: Windows Update Aux.
1/20/2014 11:00:27 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80242016: Update for Windows 7 for x64-based Systems (KB976422).
1/20/2014 11:00:27 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80242016: Microsoft Security Essentials - (KB2902907).
1/20/2014 10:54:31 PM, Error: Service Control Manager [7023]  - The Windows Update service terminated with the following error:  %%-2147467243
1/20/2014 10:54:01 PM, Error: Microsoft-Windows-WMPNSS-Service [14353]  - A media delivery engine with ID '0' was not initialized due to error '0x80070005' when adding the URL 'http://+:10243/WMPNSSv4/555470639/'. Restart your computer, and then restart the WMPNetworkSvc service. If the problem persists, reinstall Windows Media Player if possible.
1/20/2014 10:54:01 PM, Error: Microsoft-Windows-WMPNSS-Service [14349]  - A new media server was not initialized because the Windows Media Delivery Engine did not initialize due to error '0x80070005'. Restart your computer, and then restart the WMPNetworkSvc service. If the problem persists, reinstall Windows Media Player if possible.
1/20/2014 10:17:10 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
1/20/2014 10:17:10 PM, Error: Service Control Manager [7000]  - The Windows Search service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
1/20/2014 10:08:15 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 0.0.0.0   Update Source: Microsoft Malware Protection Center   Update Stage: Install   Source Path: http://go.microsoft.com/fwlink/?LinkID=260974&clcid=0x409&NRI=true&arch=x64&eng=0.0.0.0&sig=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094   Signature Type: Network Inspection System   Update Type: Full   User: L645D-S4025-PC\L645D-S4025   Current Engine Version:   Previous Engine Version: 0.0.0.0   Error code: 0x8007042c   Error description: The dependency service or group failed to start. 
1/20/2014 10:08:12 PM, Error: Microsoft Antimalware [2003]  - Microsoft Antimalware has encountered an error trying to update the engine.   New Engine Version:   Previous Engine Version:   Engine Type: Network Inspection System   User: L645D-S4025-PC\L645D-S4025   Error Code: 0x8007042c   Error description: The dependency service or group failed to start. 
1/20/2014 10:08:12 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version:   Update Source: User   Update Stage: Install   Source Path:   Signature Type: Network Inspection System   Update Type: Full   User: L645D-S4025-PC\L645D-S4025   Current Engine Version:   Previous Engine Version:   Error code: 0x8007042c   Error description: The dependency service or group failed to start. 
1/20/2014 10:07:46 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.165.2305.0   Update Source: Microsoft Update Server   Update Stage: Install   Source Path: http://www.microsoft.com   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 1.1.10201.0   Error code: 0x80240016   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
1/20/2014 10:07:46 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.165.2305.0   Update Source: Microsoft Update Server   Update Stage: Install   Source Path: http://www.microsoft.com   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 1.1.10201.0   Error code: 0x80240016   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
1/20/2014 10:07:46 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.165.2305.0   Update Source: Microsoft Update Server   Update Stage: Download   Source Path: http://www.microsoft.com   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 1.1.10201.0   Error code: 0x80240016   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
1/20/2014 10:03:46 PM, Error: Microsoft Antimalware [2003]  - Microsoft Antimalware has encountered an error trying to update the engine.   New Engine Version:   Previous Engine Version:   Engine Type: Network Inspection System   User: NT AUTHORITY\NETWORK SERVICE   Error Code: 0x8007042c   Error description: The dependency service or group failed to start. 
1/20/2014 10:03:46 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.165.2305.0   Update Source: Microsoft Malware Protection Center   Update Stage: Install   Source Path: http://go.microsoft.com/fwlink/?LinkID=260974&clcid=0x409&NRI=true&arch=x64&eng=0.0.0.0&sig=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\NETWORK SERVICE   Current Engine Version:   Previous Engine Version: 1.1.10201.0   Error code: 0x8007042c   Error description: The dependency service or group failed to start. 
1/20/2014 10:03:46 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 0.0.0.0   Update Source: Microsoft Malware Protection Center   Update Stage: Install   Source Path: http://go.microsoft.com/fwlink/?LinkID=260974&clcid=0x409&NRI=true&arch=x64&eng=0.0.0.0&sig=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094   Signature Type: Network Inspection System   Update Type: Full   User: NT AUTHORITY\NETWORK SERVICE   Current Engine Version:   Previous Engine Version: 0.0.0.0   Error code: 0x8007042c   Error description: The dependency service or group failed to start. 
1/20/2014 10:03:46 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version:   Update Source: User   Update Stage: Install   Source Path:   Signature Type: Network Inspection System   Update Type: Full   User: NT AUTHORITY\NETWORK SERVICE   Current Engine Version:   Previous Engine Version:   Error code: 0x8007042c   Error description: The dependency service or group failed to start. 
1/20/2014 10:03:41 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 0.0.0.0   Update Source: Microsoft Malware Protection Center   Update Stage: Install   Source Path: http://go.microsoft.com/fwlink/?LinkID=260974&clcid=0x409&NRI=true&arch=x64&eng=0.0.0.0&sig=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094   Signature Type: Network Inspection System   Update Type: Full   User: L645D-S4025-PC\L645D-S4025   Current Engine Version:   Previous Engine Version: 0.0.0.0   Error code: 0x8007042c   Error description: The dependency service or group failed to start. 
1/20/2014 10:03:37 PM, Error: Microsoft Antimalware [2003]  - Microsoft Antimalware has encountered an error trying to update the engine.   New Engine Version:   Previous Engine Version:   Engine Type: Network Inspection System   User: L645D-S4025-PC\L645D-S4025   Error Code: 0x8007042c   Error description: The dependency service or group failed to start. 
1/20/2014 10:03:37 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.165.2305.0   Update Source: Microsoft Malware Protection Center   Update Stage: Install   Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\NETWORK SERVICE   Current Engine Version:   Previous Engine Version: 1.1.10201.0   Error code: 0x8050a003   Error description: This package does not contain up-to-date definition files for this program. For more information, see Help and Support. 
1/20/2014 10:03:37 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.165.2305.0   Update Source: Microsoft Malware Protection Center   Update Stage: Install   Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\NETWORK SERVICE   Current Engine Version:   Previous Engine Version: 1.1.10201.0   Error code: 0x8050a003   Error description: This package does not contain up-to-date definition files for this program. For more information, see Help and Support. 
1/20/2014 10:03:37 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 1.165.2305.0   Update Source: Microsoft Malware Protection Center   Update Stage: Install   Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094   Signature Type: AntiSpyware   Update Type: Full   User: NT AUTHORITY\NETWORK SERVICE   Current Engine Version:   Previous Engine Version: 1.1.10201.0   Error code: 0x8050a003   Error description: This package does not contain up-to-date definition files for this program. For more information, see Help and Support. 
1/20/2014 10:03:37 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version:   Update Source: User   Update Stage: Install   Source Path:   Signature Type: Network Inspection System   Update Type: Full   User: L645D-S4025-PC\L645D-S4025   Current Engine Version:   Previous Engine Version:   Error code: 0x8007042c   Error description: The dependency service or group failed to start. 
1/20/2014 10:02:21 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 0.0.0.0   Update Source: Microsoft Update Server   Update Stage: Install   Source Path: http://www.microsoft.com   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 0.0.0.0   Error code: 0x80240016   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
1/20/2014 10:02:21 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 0.0.0.0   Update Source: Microsoft Update Server   Update Stage: Install   Source Path: http://www.microsoft.com   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 0.0.0.0   Error code: 0x80240016   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
1/20/2014 10:02:21 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:   Previous Signature Version: 0.0.0.0   Update Source: Microsoft Update Server   Update Stage: Download   Source Path: http://www.microsoft.com   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:   Previous Engine Version: 0.0.0.0   Error code: 0x80240016   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
1/19/2014 8:29:15 PM, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
1/19/2014 8:28:13 PM, Error: Application Popup [1060]  - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
1/19/2014 7:43:05 PM, Error: Service Control Manager [7031]  - The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
1/19/2014 7:43:04 PM, Error: Service Control Manager [7024]  - The Windows Search service terminated with service-specific error %%-1073473535.
1/19/2014 7:41:39 PM, Error: Service Control Manager [7001]  - The IPsec Policy Agent service depends on the Base Filtering Engine service which failed to start because of the following error:  The service start failed since one or more services in the same process have an incompatible service SID type setting. A service with restricted service SID type can only coexist in the same process with other services with a restricted SID type. If the service SID type for this service was just configured, the hosting process must be restarted in order to start this service.
1/19/2014 7:41:39 PM, Error: Service Control Manager [7000]  - The Base Filtering Engine service failed to start due to the following error:  The service start failed since one or more services in the same process have an incompatible service SID type setting. A service with restricted service SID type can only coexist in the same process with other services with a restricted SID type. If the service SID type for this service was just configured, the hosting process must be restarted in order to start this service.
1/19/2014 7:41:26 PM, Error: Service Control Manager [7000]  - The Security Center service failed to start due to the following error:  A required privilege is not held by the client.
1/19/2014 7:41:23 PM, Error: Service Control Manager [7001]  - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error:  The service start failed since one or more services in the same process have an incompatible service SID type setting. A service with restricted service SID type can only coexist in the same process with other services with a restricted SID type. If the service SID type for this service was just configured, the hosting process must be restarted in order to start this service.
1/19/2014 7:41:18 PM, Error: Service Control Manager [7001]  - The IKE and AuthIP IPsec Keying Modules service depends on the Base Filtering Engine service which failed to start because of the following error:  The service start failed since one or more services in the same process have an incompatible service SID type setting. A service with restricted service SID type can only coexist in the same process with other services with a restricted SID type. If the service SID type for this service was just configured, the hosting process must be restarted in order to start this service.
.
==== End Of File ===========================

Jill M***Butterfly Kisses


#4 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:06:01 AM

Posted 22 January 2014 - 02:01 AM

Hello jillmarten

I'm Seedy21 and I will be helping you with your issues.

Please note the following information about the malware forum:

  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by me
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • Please reply within 48 hours; if you are going to be away for longer, please let us know or the topic will be closed for being inactive
  • If you are using Cracked or Illegal software your thread will be closed
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close.

Before we start I would like to warn you that using Combofix without supervision can disable your computer and in some cases can make it unbootable. More information can be found at this link http://www.bleepingcomputer.com/forums/t/273628/combofix-usage-questions-help-look-here/.


Step 1

I assume you still have ComboFix on your system. If not, please download Combofix from one of the following locations:

Please open Notepad (Through Start Menu -> Accessories -> Notepad) and copy/paste this code into notepad, exactly as it is: (DON'T include the 'Quote:')
 

KILLALL::

Driver::
04200409
48906018

File::
c:\windows\system32\drivers\02196881.sys
c:\windows\system32\drivers\13745872.sys

DirLook::
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\WIndows\Temporyinternetfiles

DDS::
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

JavaClearCache::


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

Make sure your Anti-Virus is disabled while we do this. You can disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, please read this.

CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When the scan finishes, it will execute the script and reboot your computer automatically. Don't reboot your computer manually, let ComboFix do it.

Once your computer is rebooted, ComboFix will start preparing a log. Please let it do so unhindered. After a few minutes, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Step 2

1. Download Malwarebytes Anti-Rootkit from this link http://www.malwarebytes.org/products/mbar/
2. Unzip the File to a convenient location. (Recommend the Desktop)
3. Open the folder where the contents were unzipped to run mbar.exe

Image1.png

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.

Image2.png

7. The following image opens, select Update

Image3.png

8. When the Update completes, select Next

Image4.png

9. In the following window ensure "Targets" are ticked. Then select "Scan"

Image5.png

10. If one or more infections are found, the "Cleanup" button to remove threats will be available. A list of infected files will be shown like the following example:

MBAntiRKclean.png

11. Do not select the "Clean up" button; select the "Exit" button. There will be a warning as follows:

MBAntiRKclean1.png

12. Select "Yes" to close down the program. If NO infections were found you will see the following image:

Image6.png

13. Select "Exit" to close down.
14. Copy and paste the two following logs from the mbar folder:

System - log
Mbar - log (the date and time of the scan will also be shown)

Image10.png


Post those two logs in your reply.


“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club


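As an added example (not ComboFix's own code and not part of the post), a small Python parser for the CFScript format used in Step 1: it turns the directives into a plain-English plan, and cross-checks the Driver:: and File:: entries against the "Drivers/Services" and "FILE ::" lines of the ComboFix log posted in the reply below. The sample script and log excerpt are copied from this thread; the directive descriptions are my summary of ComboFix's documented script sections.

```python
"""Parse a ComboFix CFScript and explain what it asks ComboFix to do.

Added example (not ComboFix's own code and not from the forum post): a small
parser for the CFScript format used above, plus a cross-check of the script
against lines from the ComboFix log posted in the reply. The directive
descriptions are my summary of ComboFix's documented script sections.
"""
import re

# Constructed from the CFScript posted in the thread (double backslashes are
# Python escaping; the file on disk has single backslashes).
SAMPLE_CFSCRIPT = """\
KILLALL::

Driver::
04200409
48906018

File::
c:\\windows\\system32\\drivers\\02196881.sys
c:\\windows\\system32\\drivers\\13745872.sys

DirLook::
C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\WIndows\\Temporyinternetfiles

DDS::
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

JavaClearCache::
"""

# Excerpt of the ComboFix.txt posted in the reply (constructed copy).
SAMPLE_LOG_EXCERPT = """\
FILE ::
"c:\\windows\\system32\\drivers\\02196881.sys"
"c:\\windows\\system32\\drivers\\13745872.sys"
.
(((((   Other Deletions   )))))
.
(((((   Drivers/Services   )))))
.
-------\\Legacy_04200409
-------\\Service_04200409
-------\\Service_48906018
.
"""

# A directive header is a bare word followed by "::", e.g. "Driver::".
HEADER_RE = re.compile(r"^([A-Za-z]+)::\s*$")

# What each directive makes ComboFix do (summary of the documented behaviour).
ACTIONS = {
    "KILLALL": "terminate all non-essential running processes before applying the fix",
    "Driver": "delete the named driver services (their registry service keys)",
    "File": "delete the listed files, moving them to ComboFix's quarantine",
    "DirLook": "list the contents of the named directory in the log (read-only)",
    "DDS": "remove the items behind the quoted DDS log lines (here, old Java DPF entries)",
    "JavaClearCache": "clear the Java cache",
}


def parse_cfscript(text):
    """Return the script as an ordered list of (directive, [entries]).

    Entries belong to the most recent header; blank lines are ignored. An
    entry before any header is an error, because ComboFix would not know
    what to do with it.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = HEADER_RE.match(line)
        if match:
            current = (match.group(1), [])
            sections.append(current)
        elif current is None:
            raise ValueError("entry before any directive header: %r" % line)
        else:
            current[1].append(line)
    return sections


def explain(sections):
    """Turn parsed sections into a plain-English plan, one line per step."""
    plan = []
    for directive, entries in sections:
        action = ACTIONS.get(directive, "unknown directive; check the ComboFix script reference")
        plan.append("%s: %s" % (directive, action))
        plan.extend("    " + entry for entry in entries)
    return plan


def verify_against_log(sections, log_text):
    """Cross-check Driver:: and File:: entries against a ComboFix log.

    A Driver:: entry counts as done when a "\\Service_<name>" removal line
    appears; a File:: entry counts as acknowledged when the log echoes it
    under "FILE ::" (actual deletions are listed under "Other Deletions",
    which is empty in the posted log, so ComboFix reported no file deletion).
    """
    lowered = log_text.lower()
    results = {}
    for directive, entries in sections:
        for entry in entries:
            if directive == "Driver":
                results[entry] = ("\\Service_%s" % entry).lower() in lowered
            elif directive == "File":
                results[entry] = ('"%s"' % entry).lower() in lowered
    return results


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    print("\n".join(explain(parsed)))
    for item, ok in verify_against_log(parsed, SAMPLE_LOG_EXCERPT).items():
        print("%-60s %s" % (item, "confirmed in log" if ok else "NOT in log"))
```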

#5 jillmarten

jillmarten
  • Topic Starter

  • Members
  • 102 posts
  • Local time:01:01 AM

Posted 22 January 2014 - 10:20 AM

Hello, okay, I did what you said. What was the KillAll script I copied over to ComboFix? MBAR didn't find any rootkits. I still don't understand about the hidden temp file in the SysWOW64 folder. Here are the logs... Looking forward to hearing back from you.

 

COMBOFIX:

 

ComboFix 14-01-22.01 - L645D-S4025 01/22/2014   8:26.2.2 - x64

Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2811.1647 [GMT -6:00]
Running from: c:\users\L645D-S4025\Desktop\ComboFix.exe
Command switches used :: c:\users\L645D-S4025\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\drivers\02196881.sys"
"c:\windows\system32\drivers\13745872.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_04200409
-------\Service_04200409
-------\Service_48906018
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-22 to 2014-01-22  )))))))))))))))))))))))))))))))
.
.
2014-01-22 14:42 . 2014-01-22 14:42 -------- d-----w- c:\users\Kiosk\AppData\Local\temp
2014-01-22 14:42 . 2014-01-22 14:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-01-22 11:03 . 2013-05-10 04:30 167424 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2014-01-22 11:03 . 2013-05-10 03:48 164864 ----a-w- c:\program files (x86)\Windows Media Player\wmplayer.exe
2014-01-22 11:03 . 2013-05-10 05:56 12625920 ----a-w- c:\windows\system32\wmploc.DLL
2014-01-22 11:03 . 2013-05-10 04:56 12625408 ----a-w- c:\windows\SysWow64\wmploc.DLL
2014-01-22 11:03 . 2013-05-10 05:56 14631424 ----a-w- c:\windows\system32\wmp.dll
2014-01-22 10:05 . 2014-01-22 10:05 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2014-01-22 05:08 . 2013-12-16 07:54 10315576 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FE97AF08-5212-47CD-B710-0899DE3209E5}\mpengine.dll
2014-01-21 18:17 . 2013-10-30 02:32 335360 ----a-w- c:\windows\system32\msieftp.dll
2014-01-21 18:17 . 2013-10-30 02:19 301568 ----a-w- c:\windows\SysWow64\msieftp.dll
2014-01-21 18:16 . 2013-07-04 12:50 633856 ----a-w- c:\windows\system32\comctl32.dll
2014-01-21 18:16 . 2013-07-04 11:50 530432 ----a-w- c:\windows\SysWow64\comctl32.dll
2014-01-21 18:16 . 2012-10-09 18:17 226816 ----a-w- c:\windows\system32\dhcpcore6.dll
2014-01-21 18:16 . 2012-10-09 18:17 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2014-01-21 18:16 . 2012-10-09 17:40 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll
2014-01-21 18:16 . 2012-10-09 17:40 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll
2014-01-21 18:16 . 2013-07-09 05:52 224256 ----a-w- c:\windows\system32\wintrust.dll
2014-01-21 18:16 . 2013-07-09 04:52 175104 ----a-w- c:\windows\SysWow64\wintrust.dll
2014-01-21 18:15 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe
2014-01-21 18:15 . 2013-02-27 05:47 70144 ----a-w- c:\windows\system32\appinfo.dll
2014-01-21 18:14 . 2013-03-19 05:53 48640 ----a-w- c:\windows\system32\wwanprotdim.dll
2014-01-21 18:14 . 2013-03-19 05:53 230400 ----a-w- c:\windows\system32\wwansvc.dll
2014-01-21 18:14 . 2013-10-05 20:25 1474048 ----a-w- c:\windows\system32\crypt32.dll
2014-01-21 18:14 . 2013-10-05 19:57 1168384 ----a-w- c:\windows\SysWow64\crypt32.dll
2014-01-21 18:14 . 2013-07-09 05:46 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2014-01-21 18:14 . 2013-07-09 05:46 139776 ----a-w- c:\windows\system32\cryptnet.dll
2014-01-21 18:14 . 2013-07-09 04:46 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2014-01-21 18:14 . 2013-07-09 04:46 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2014-01-21 18:14 . 2013-10-19 02:18 81408 ----a-w- c:\windows\system32\imagehlp.dll
2014-01-21 18:14 . 2013-10-19 01:36 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2014-01-21 18:14 . 2013-11-12 02:23 2048 ----a-w- c:\windows\system32\tzres.dll
2014-01-21 18:14 . 2013-11-12 02:07 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-01-21 18:12 . 2013-04-25 23:30 1505280 ----a-w- c:\windows\SysWow64\d3d11.dll
2014-01-21 18:11 . 2013-11-26 10:32 3156480 ----a-w- c:\windows\system32\win32k.sys
2014-01-21 18:10 . 2013-09-08 02:30 1903552 ----a-w- c:\windows\system32\drivers\tcpip.sys
2014-01-21 18:10 . 2013-11-26 11:40 376768 ----a-w- c:\windows\system32\drivers\netio.sys
2014-01-21 18:10 . 2013-07-26 02:24 14172672 ----a-w- c:\windows\system32\shell32.dll
2014-01-21 18:10 . 2013-07-26 02:24 197120 ----a-w- c:\windows\system32\shdocvw.dll
2014-01-21 18:09 . 2013-04-26 05:51 751104 ----a-w- c:\windows\system32\win32spl.dll
2014-01-21 18:09 . 2013-04-26 04:55 492544 ----a-w- c:\windows\SysWow64\win32spl.dll
2014-01-21 18:09 . 2013-10-03 02:23 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-01-21 18:09 . 2013-10-03 02:00 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-01-21 18:09 . 2013-05-10 05:49 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2014-01-21 18:09 . 2013-05-10 03:20 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll
2014-01-21 18:08 . 2013-04-10 05:48 1732608 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2014-01-21 18:08 . 2013-04-10 05:46 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2014-01-21 18:08 . 2013-04-10 05:46 1393152 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2014-01-21 18:08 . 2013-04-10 05:46 1367040 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2014-01-21 18:08 . 2013-04-10 05:03 936448 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2014-01-21 18:08 . 2013-07-20 10:33 102608 ----a-w- c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2014-01-21 18:08 . 2013-07-20 10:33 124112 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2014-01-21 18:08 . 2013-05-13 03:43 1192448 ----a-w- c:\windows\system32\certutil.exe
2014-01-21 18:08 . 2013-05-13 03:08 903168 ----a-w- c:\windows\SysWow64\certutil.exe
2014-01-21 18:08 . 2013-05-13 05:50 52224 ----a-w- c:\windows\system32\certenc.dll
2014-01-21 18:08 . 2013-05-13 03:08 43008 ----a-w- c:\windows\SysWow64\certenc.dll
2014-01-21 18:06 . 2013-10-12 02:32 150016 ----a-w- c:\windows\system32\wshom.ocx
2014-01-21 18:06 . 2013-10-12 02:04 121856 ----a-w- c:\windows\SysWow64\wshom.ocx
2014-01-21 18:06 . 2013-10-12 02:31 202752 ----a-w- c:\windows\system32\scrrun.dll
2014-01-21 18:06 . 2013-10-12 02:03 163840 ----a-w- c:\windows\SysWow64\scrrun.dll
2014-01-21 18:06 . 2013-10-12 01:33 156160 ----a-w- c:\windows\system32\cscript.exe
2014-01-21 18:06 . 2013-10-12 01:33 168960 ----a-w- c:\windows\system32\wscript.exe
2014-01-21 18:06 . 2013-10-12 01:15 141824 ----a-w- c:\windows\SysWow64\wscript.exe
2014-01-21 18:06 . 2013-10-12 01:15 126976 ----a-w- c:\windows\SysWow64\cscript.exe
2014-01-21 18:06 . 2013-08-01 12:09 983488 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2014-01-21 18:06 . 2013-04-10 06:01 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2014-01-21 18:06 . 2011-02-03 11:25 144384 ----a-w- c:\windows\system32\cdd.dll
2014-01-21 17:43 . 2013-10-12 02:29 859648 ----a-w- c:\windows\system32\IKEEXT.DLL
2014-01-21 17:43 . 2013-10-12 02:30 830464 ----a-w- c:\windows\system32\nshwfp.dll
2014-01-21 17:43 . 2013-10-12 02:29 324096 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2014-01-21 17:43 . 2013-10-12 02:01 216576 ----a-w- c:\windows\SysWow64\FWPUCLNT.DLL
2014-01-21 17:43 . 2013-10-12 02:03 656896 ----a-w- c:\windows\SysWow64\nshwfp.dll
2014-01-21 17:43 . 2013-08-28 01:12 461312 ----a-w- c:\windows\system32\scavengeui.dll
2014-01-21 05:59 . 2014-01-21 05:58 965000 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E695D91F-C24E-4D69-BC0D-4B30D2CF5E48}\gapaengine.dll
2014-01-21 05:58 . 2013-12-16 07:54 10315576 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-01-21 04:05 . 2014-01-21 04:05 -------- d-----w- c:\windows\system32\SPReview
2014-01-21 04:04 . 2014-01-21 04:04 -------- d-----w- c:\windows\system32\EventProviders
2014-01-21 03:59 . 2014-01-21 03:59 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2014-01-21 03:59 . 2014-01-21 03:59 -------- d-----w- c:\program files\Microsoft Security Client
2014-01-21 00:20 . 2010-11-20 13:27 577536 ----a-w- c:\windows\system32\WSDApi.dll
2014-01-21 00:19 . 2010-11-20 13:27 636416 ----a-w- c:\windows\system32\wmdrmdev.dll
2014-01-21 00:17 . 2010-11-20 13:27 244736 ----a-w- c:\program files\Windows Portable Devices\sqmapi.dll
2014-01-21 00:17 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
2014-01-21 00:17 . 2010-11-20 13:27 244736 ----a-w- c:\windows\system32\sqmapi.dll
2014-01-20 23:54 . 2011-03-11 06:33 2565632 ----a-w- c:\windows\system32\esent.dll
2014-01-20 23:54 . 2011-03-11 06:41 166272 ----a-w- c:\windows\system32\drivers\nvstor.sys
2014-01-20 23:54 . 2011-03-11 06:41 148352 ----a-w- c:\windows\system32\drivers\nvraid.sys
2014-01-20 23:54 . 2011-03-11 06:41 107904 ----a-w- c:\windows\system32\drivers\amdsata.sys
2014-01-20 23:54 . 2011-03-11 05:33 1699328 ----a-w- c:\windows\SysWow64\esent.dll
2014-01-20 23:54 . 2011-03-11 06:41 189824 ----a-w- c:\windows\system32\drivers\storport.sys
2014-01-20 23:54 . 2011-03-11 06:41 410496 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2014-01-20 23:54 . 2011-03-11 06:41 27008 ----a-w- c:\windows\system32\drivers\amdxata.sys
2014-01-20 23:54 . 2011-03-11 06:30 96768 ----a-w- c:\windows\system32\fsutil.exe
2014-01-20 23:54 . 2011-03-11 05:31 74240 ----a-w- c:\windows\SysWow64\fsutil.exe
2014-01-20 23:54 . 2011-03-11 04:37 91648 ----a-w- c:\windows\system32\drivers\USBSTOR.SYS
2014-01-20 22:46 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2014-01-20 22:46 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2014-01-20 22:46 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2014-01-20 22:26 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2014-01-20 22:26 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2014-01-20 22:26 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe
2014-01-20 22:26 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll
2014-01-20 22:26 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll
2014-01-20 22:26 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2014-01-20 22:26 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll
2014-01-20 22:20 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2014-01-20 22:20 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2014-01-20 22:20 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2014-01-20 21:56 . 2014-01-20 21:56 -------- d-----w- c:\windows\SysWow64\Wat
2014-01-20 21:56 . 2014-01-20 21:56 -------- d-----w- c:\windows\system32\Wat
2014-01-20 20:18 . 2014-01-20 20:18 -------- d-----w- c:\windows\en
2014-01-20 20:16 . 2014-01-20 20:16 -------- dc----w- c:\windows\system32\DRVSTORE
2014-01-20 20:16 . 2010-09-23 06:36 48488 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2014-01-20 20:16 . 2014-01-20 20:16 -------- d-----w- c:\program files\Windows Live
2014-01-20 20:15 . 2014-01-20 20:15 -------- d-----w- c:\program files (x86)\MSN Toolbar
2014-01-20 20:15 . 2014-01-20 20:15 -------- d-----w- c:\program files (x86)\Bing Bar Installer
2014-01-20 20:14 . 2009-09-04 23:44 69464 ----a-w- c:\windows\SysWow64\XAPOFX1_3.dll
2014-01-20 20:14 . 2009-09-04 23:44 515416 ----a-w- c:\windows\SysWow64\XAudio2_5.dll
2014-01-20 20:14 . 2009-09-04 23:29 453456 ----a-w- c:\windows\SysWow64\d3dx10_42.dll
2014-01-20 20:14 . 2009-09-04 23:29 523088 ----a-w- c:\windows\system32\d3dx10_42.dll
2014-01-20 19:57 . 2014-01-20 19:57 469256 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\d83e50ad1cf16192e\InstallManager_WLE_WLE.exe
2014-01-20 19:57 . 2014-01-20 19:57 15712 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\cce8a3411cf161922\MeshBetaRemover.exe
2014-01-20 19:56 . 2014-01-20 19:56 94040 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\c24f028b1cf16191a\DSETUP.dll
2014-01-20 19:56 . 2014-01-20 19:56 525656 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\c24f028b1cf16191a\DXSETUP.exe
2014-01-20 19:56 . 2014-01-20 19:56 1691480 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\c24f028b1cf16191a\dsetup32.dll
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-21 04:39 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2014-01-21 04:39 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2014-01-20 20:16 . 2010-06-24 17:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-01-20 00:33 . 2013-04-10 17:01 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-01-20 00:33 . 2011-11-18 01:57 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-01-19 07:33 . 2011-07-17 06:11 270496 ------w- c:\windows\system32\MpSigStub.exe
2014-01-19 02:03 . 2009-07-13 23:19 328704 ----a-w- c:\windows\system32\services.exe
.
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\WIndows\Temporyinternetfiles ----
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]
"NortonOnlineBackupReminder"="c:\program files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-08-10 529256]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [x]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [x]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe;c:\program files\TOSHIBA\TECO\TecoService.exe [x]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys;c:\windows\SYSNATIVE\DRIVERS\TVALZFL.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]
S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys;c:\windows\SYSNATIVE\DRIVERS\QIOMem.sys [x]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192se.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-01-19 15:02 1211672 ----a-w- c:\program files (x86)\Google\Chrome\Application\32.0.1700.76\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-10 00:33]
.
2014-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-18 01:57]
.
2014-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-18 01:57]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2010-01-29 517176]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
"SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
"00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"TosWaitSrv"="c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe" [BU]
"Teco"="c:\program files (x86)\TOSHIBA\TECO\Teco.exe" [BU]
"SmartFaceVWatcher"="c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [BU]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 1266912]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2053550242-2687663662-3722822742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2053550242-2687663662-3722822742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_38_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_38_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_38_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_38_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_38.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_38.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_38.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_38.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
.
**************************************************************************
.
Completion time: 2014-01-22  08:52:57 - machine was rebooted
ComboFix-quarantined-files.txt  2014-01-22 14:52
.
Pre-Run: 161,503,363,072 bytes free
Post-Run: 161,513,738,240 bytes free
.
- - End Of File - - EF9C82DF7E24C20FFB242F161A90E134
5B5E648D12FCADC244C1EC30318E1EB9
 
MBARLOG
 
Malwarebytes Anti-Rootkit BETA 1.07.0.1008
www.malwarebytes.org
 
Database version: v2014.01.22.07
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16750
L645D-S4025 :: L645D-S4025-PC [administrator]
 
1/22/2014 8:58:03 AM
mbar-log-2014-01-22 (08-58-03).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 254309
Time elapsed: 13 minute(s), 4 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
 
SYSTEM-LOG
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
 
Account is Administrative
 
Internet Explorer version: 10.0.9200.16750
 
Java version: 1.6.0_17
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.094000 GHz
Memory total: 2947440640, free: 1924321280
 
Downloaded database version: v2014.01.22.07
Downloaded database version: v2013.12.18.01
=======================================
Initializing...
------------ Kernel report ------------
     01/22/2014 08:57:57
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\system32\DRIVERS\TVALZ_O.SYS
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\AtiPcie.sys
\SystemRoot\system32\drivers\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\amdppm.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atipmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\rtl8192se.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\L1C62x64.sys
\SystemRoot\system32\DRIVERS\tdcmdpst.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\mouclass.sys
\SystemRoot\system32\DRIVERS\TVALZFL.sys
\SystemRoot\system32\DRIVERS\QIOMem.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\CHDRT64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\drivers\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\DRIVERS\pgeffect.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_msahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\??\C:\windows\system32\Drivers\PROCEXP113.SYS
\??\C:\windows\system32\drivers\mbamchameleon.sys
\??\C:\windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\difxapi.dll
\Windows\System32\advapi32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\nsi.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\iertutil.dll
\Windows\System32\ole32.dll
\Windows\System32\kernel32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\wininet.dll
\Windows\System32\msctf.dll
\Windows\System32\ws2_32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\normaliz.dll
\Windows\System32\sechost.dll
\Windows\System32\clbcatq.dll
\Windows\System32\msvcrt.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa8004d26060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000006e\
Lower Device Object: 0xfffffa8004d15b60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa800317a060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa8003067060
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800317a060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800317ab90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800317a060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8003067060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 99540982
 
Partition information:
 
    Partition 0 type is Other (0x27)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 3072000
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 3074048  Numsec = 464201728
 
    Partition 2 type is HIDDEN (0x17)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 467275776  Numsec = 21121024
    Partition is not bootable
Hidden partition VBR is not infected.
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 250059350016 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-488377168-488397168)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa8004d26060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8004d26b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8004d26060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004d15b60, DeviceName: \Device\0000006e\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 4ED3766
 
Partition information:
 
    Partition 0 type is Other (0xb)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 7891977
    Partition file system is FAT32
    Partition is not bootable
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 4040724480 bytes
Sector size: 512 bytes
 
Done!
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_2048_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_2_467275776_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_1_0_63_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_r.mbam...
Removal finished
 

Jill M***Butterfly Kisses


#6 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:06:01 AM

Posted 22 January 2014 - 03:24 PM

Hi jillmarten

what was the KillAll script I copied over to combofix?


This was a custom script I made for you to target any malware I could see in your logs.

I still don't understand about the hidden temp file in the syswow64 folder


This is a TEMP folder created to store information for Internet Explorer.

This process will clean out your Temp files and your Temporary Internet Files. Please do all steps:


Step 1: Custom Script

Click on Start, click All Programs, click Accessories, then right-click Command Prompt and select Run As Administrator.

Copy and paste the following at the command prompt (including the quotes), and then press <Enter>
DEL /A/F/Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.*"

Copy and paste the following at the command line (including the quotes), and then press <Enter>
DEL /A/F/Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\*.*"

You should get no errors or feedback. If any errors were reported please let me know what they were.

Close the command Window.


Step 2: Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 3: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Step 4: Test MSE

Please perform another Scan with Microsoft Security Essentials and let me know how this runs this time.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club

unite_blue.png


#7 jillmarten

jillmarten
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Local time:01:01 AM

Posted 22 January 2014 - 03:50 PM

Okay, will do that now. I just don't understand why they don't clean out when I clean the rest of them out regularly.... Do I have to do the below every time I want to clean that out, or is there a way to stop them from being stored in there? I guess I just don't get why they don't normally clean out.

 

Copy and paste the following at the command prompt (including the quotes), and then press <Enter>

DEL /A/F/Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.*"

Copy and paste the following at the command line (including the quotes), and then press <Enter>
DEL /A/F/Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\*.*"

 

and the %temp% and open up Internet Explorer and delete.. I guess I am asking why doesn't the regular cleaner or CCleaner clean these?

 

I DID all of those steps. Microsoft Security Essentials is currently running now. Will post back if it gets stuck again in the SysWOW64 folder forever, or post again when it is done; hopefully it isn't 14+ hours like last time.


Jill M***Butterfly Kisses


#8 jillmarten

jillmarten
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Local time:01:01 AM

Posted 22 January 2014 - 04:04 PM

Okay, I can already see I didn't delete these files.... in C:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5. They are scanning now. I think I also read somewhere that this folder can't be accessed in regular mode, so it has to be done in Safe Mode, because other people have had problems with this Internet Explorer/Windows 7 glitch. Seems to me I might have to delete them in Safe Mode. What about doing that? And I wish Microsoft had a way to stop stuff from being stored here. Because this ISN'T RIGHT!!!


Jill M***Butterfly Kisses


#9 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:06:01 AM

Posted 23 January 2014 - 11:51 AM

Hi jillmarten

Step 1

Click on Start, click All Programs, click Accessories, then right-click Command Prompt and select Run As Administrator.

Copy and paste the following at the command prompt (including the quotes), and then press <Enter>
dir /a /s "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files"

Right-Click on the open command window, and click Select All
Right-Click again (this copies command window content to the windows clipboard)
Paste the copied command window content into your next reply by right-clicking the reply Window and hitting Paste

You should get no errors or feedback. If any errors were reported please let me know what they were.

Close the command Window.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club

unite_blue.png
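The two DEL commands in Step 1 above and the dir /a /s listing requested here both work on the same folder: the 32-bit view of the SYSTEM account's profile (SysWOW64\config\systemprofile), which is why a cleaner run under the logged-on user account never touches it and why the listing is so long. The following PowerShell script is an added example, not seedy21's script or any Malwarebytes tooling; it assumes PowerShell 4.0 or later (Get-FileHash, the -File switch and the -in operator are not available in the PowerShell 2.0 that ships with Windows 7) and an elevated prompt. It first summarises the cache (file count, size, date range, top extensions), flags anything executable so it can be hashed and submitted for analysis rather than silently wiped, and only removes files when -Remove is given, honouring -WhatIf:

```powershell
# Added example (not from the thread): inventory the 32-bit system-profile IE cache
# before clearing it. The path is the folder named in the thread; everything else
# (parameter names, the "suspicious extension" list) is this example's own choice.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CachePath = 'C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files',
    [switch]$Remove
)

if (-not (Test-Path -LiteralPath $CachePath)) {
    Write-Warning "Folder not found: $CachePath"
    return
}

# -Force is required: this cache (and its Content.IE5 subfolder) is hidden/system.
$files = Get-ChildItem -LiteralPath $CachePath -Recurse -Force -File -ErrorAction SilentlyContinue

# Overall picture: how much is there and how stale it is.
$total = $files | Measure-Object -Property Length -Sum
[pscustomobject]@{
    Files   = $total.Count
    TotalMB = [math]::Round(($total.Sum / 1MB), 2)
    Oldest  = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    Newest  = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
} | Format-List

# Breakdown by extension. Ad-network .swf/.js/.htm/.txt files are what this cache
# normally holds; executables or archives in here are the thing worth a closer look.
$files | Group-Object Extension |
    Sort-Object Count -Descending |
    Select-Object -First 15 Name, Count,
        @{ n = 'MB'; e = { [math]::Round((($_.Group | Measure-Object Length -Sum).Sum / 1MB), 2) } } |
    Format-Table -AutoSize

# Hash rather than delete anything executable, so it can be quarantined and checked.
$suspicious = $files | Where-Object { $_.Extension -in '.exe', '.dll', '.scr', '.com', '.pif', '.cab', '.zip' }
if ($suspicious) {
    Write-Warning 'Executable or archive content found in the cache; record these hashes before removal:'
    $suspicious | Get-FileHash -Algorithm SHA256 | Format-Table Hash, Path -AutoSize
}

# Removal is opt-in and goes through ShouldProcess, so -WhatIf shows what would go
# and -Confirm prompts per file. This is the equivalent of the thread's DEL /A/F/Q.
if ($Remove) {
    foreach ($f in $files) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove cached file')) {
            Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Continue
        }
    }
}
```

Save it as, for instance, Inspect-SystemProfileCache.ps1, run it from an elevated PowerShell window with no arguments to get the report only, then rerun with `-Remove -WhatIf` to preview and `-Remove` to clear. Because the script enumerates with -Force and deletes with -LiteralPath, it handles the hidden attributes and the bracketed names such as `visit[1].js` seen in the listing without treating them as wildcards.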


#10 jillmarten

jillmarten
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Local time:01:01 AM

Posted 23 January 2014 - 02:58 PM

Just so you know, the command window is still running the dir you told me to enter. It has been running for about 5 min now. So do you want me to copy and paste it or attach it? Because it looks to me it might be pretty long.


Jill M***Butterfly Kisses


#11 jillmarten

jillmarten
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Local time:01:01 AM

Posted 23 January 2014 - 03:03 PM

Well I guess not. It was showing so much stuff and going fast, but at the end this is all that ended up copying and pasting when it was done. What was that command?

 

Here is what you asked for when I SELECTED ALL

 

03/16/2013  11:28 PM                35 URL[1].gif
03/15/2013  11:13 AM            68,097 usbuildingdigest_com[1].txt
03/27/2013  11:21 AM            67,664 usbuildingdigest_com[2].txt
04/22/2013  10:40 AM            14,740 USCC_eBay_300_base[1].swf
04/22/2013  10:41 AM            21,017 USCC_EBAY_AMAZON_300x250_base[1].swf
04/22/2013  10:41 AM            89,254 USCC_EBAY_AMAZON_300x250_rich_thin[1].swf
 
03/29/2013  11:47 PM            40,127 USCC_P1C_BrandedEvent_Std_4G_300x250[1].s
wf
04/27/2013  08:22 AM                 0 USCC_P2B_Unlimited_Multi_728_rich[1].swf
06/27/2013  11:28 AM            52,521 US_DMT_EN_160x600_Q2Gifting_Starting_At_5
_D[1].swf
06/27/2013  11:29 AM            47,889 US_MXLACA_EN_728x90_Q2Gifting_Starting_At
_5_D[1].swf
04/20/2013  12:16 AM            31,958 v6uX7xDOS4a83Eir2iG14Q[1].png
03/16/2013  11:24 PM            11,291 v9flash[1].js
04/02/2013  10:52 AM             2,236 v=5;m=3;l=23938;c=331558;b=1879904;ts=201
30402125237;u=javascript%3Awindow%5B%22contents%22%5D[1].txt
03/28/2013  07:45 PM             2,180 v=5;m=3;l=32408;c=331413;b=1875040;ts=201
30328214530;u=javascript%3Awindow%5B%22contents%22%5D[1].txt
03/25/2013  10:02 AM             6,814 v=5;m=3;l=32408;c=334440;b=1884278;ts=201
30325120158;u=javascript%3Awindow%5B%22contents%22%5D[1].txt
03/24/2013  11:37 PM             2,211 v=5;m=3;l=32409;c=331611;b=1874063;ts=201
30325013709;u=javascript%3Awindow%5B%22contents%22%5D[1].txt
03/13/2013  09:54 AM             2,230 v=5;m=3;l=33312;c=358419;b=1998720;ts=201
30313115357;u=http%3A%2F%2Fwww.usbuildingdigest.com%2Frubicon%2Frubicon_160_600_
atf-ros[1].html
04/23/2013  12:09 AM             6,858 v=5;m=3;l=42616;c=372878;b=2070433;ts=201
30423020921;u=javascript%3Awindow%5B%22contents%22%5D[1].txt
04/10/2013  10:39 AM             2,238 v=5;m=3;l=42617;c=331440;b=1875005;ts=201
30410123917;u=javascript%3Awindow%5B%22contents%22%5D[1].txt
04/04/2013  10:47 AM            43,902 varicose-spider-veins[1].txt
04/24/2013  08:58 AM            31,890 vasectomy[1].txt
03/16/2013  11:26 PM            35,642 VastTranslator[1].swf
03/29/2013  11:47 PM            80,083 VastVpaidShim[1].swf
04/22/2013  10:42 AM            80,139 VastVpaidShim[2].swf
05/27/2013  01:59 PM                 0 VastVpaidShim[3].swf
03/16/2013  11:28 PM             1,064 vastvpaid[2].xml
04/20/2013  12:23 AM            23,476 verify[1].js
03/16/2013  11:26 PM             3,557 video-vitaminc.video[1].jpg
03/30/2013  08:59 PM                 0 videoplayer_movie[1].php
04/22/2013  10:41 AM            15,961 videoSearch[1].txt
04/22/2013  10:41 AM             9,199 videowall[1].css
04/22/2013  10:41 AM             2,683 videowall[1].js
03/20/2013  09:47 AM            92,335 video[1].txt
04/20/2013  12:16 AM                 0 view[1].txt
05/20/2013  11:32 AM               975 view_ex[4].htm
06/22/2013  11:36 AM                 0 visitCA0RI5H5.js
06/25/2013  08:59 PM                 0 visitCA2CYPBG.js
06/23/2013  10:09 AM                 0 visitCA2L1CAR.js
06/21/2013  01:04 PM                 0 visitCA2TBKWF.js
06/24/2013  09:39 AM                 0 visitCA39C0QV.js
06/24/2013  09:53 AM                 0 visitCA3EZ6US.js
06/25/2013  08:09 AM                 0 visitCA3SRFCY.js
06/23/2013  10:25 AM                 0 visitCA3ZE7PE.js
06/16/2013  10:44 AM                 0 visitCA62KFZK.js
06/27/2013  03:53 PM                 0 visitCA69W9W7.js
06/27/2013  11:29 AM                 0 visitCA735I9I.js
06/22/2013  11:34 AM                 0 visitCA741R12.js
06/27/2013  03:55 PM                 0 visitCA764Z6C.js
06/15/2013  09:06 AM                 0 visitCA7EF264.js
06/25/2013  08:09 AM                 0 visitCA7J0N8D.js
06/22/2013  12:27 PM                 0 visitCA966CD3.js
06/18/2013  11:52 AM                 0 visitCAA1DL84.js
06/26/2013  10:06 AM                 0 visitCAAJZVVK.js
06/21/2013  10:50 AM                 0 visitCAAOUGTG.js
06/26/2013  10:06 AM                 0 visitCAAT0C22.js
06/22/2013  12:24 PM                 0 visitCABLUCN2.js
06/27/2013  11:28 AM                 0 visitCAC00HCE.js
06/25/2013  08:09 AM                 0 visitCADRJ1WG.js
06/22/2013  12:24 PM                 0 visitCAE2U3CO.js
06/26/2013  12:54 PM                 0 visitCAF41RRV.js
06/14/2013  08:18 AM                 0 visitCAFKFQ6J.js
06/25/2013  07:52 AM                 0 visitCAGKCM02.js
06/22/2013  01:08 PM                 0 visitCAJM6XWV.js
06/22/2013  12:10 PM                 0 visitCAJYGGNZ.js
06/21/2013  10:50 AM                 0 visitCAKK4MXL.js
06/15/2013  09:06 AM                 0 visitCAKUEKA7.js
06/18/2013  11:52 AM                 0 visitCAN57KYS.js
06/23/2013  11:13 AM                 0 visitCAODS4HP.js
06/22/2013  12:05 PM                 0 visitCAPWFX57.js
06/27/2013  03:55 PM                 0 visitCATHHXGL.js
06/14/2013  08:17 AM                 0 visitCATUD098.js
06/21/2013  10:50 AM                 0 visitCATW3I9K.js
06/22/2013  01:09 PM                 0 visitCAU1GUCA.js
06/23/2013  10:41 AM                 0 visitCAU7R6HM.js
06/22/2013  12:27 PM                 0 visitCAURGVW7.js
06/14/2013  08:17 AM                 0 visitCAVHLWBL.js
06/22/2013  11:36 AM                 0 visitCAW69GP4.js
06/16/2013  10:45 AM                 0 visitCAWCD307.js
06/22/2013  11:36 AM                 0 visitCAXM3W83.js
06/15/2013  09:09 AM                 0 visitCAYPWZE1.js
06/27/2013  03:55 PM                 0 visitCAYWLY18.js
06/17/2013  01:23 PM                 0 visitCAZZN5BK.js
03/29/2013  11:48 PM               305 visitinview[1].jpg
04/20/2013  12:19 AM               305 visitinview[2].jpg
04/20/2013  12:20 AM               305 visitinview[3].jpg
04/20/2013  12:21 AM               305 visitinview[4].jpg
03/10/2013  10:03 PM             2,250 visitormatch[1].txt
03/10/2013  10:03 PM             2,250 visitormatch[2].txt
03/12/2013  10:17 AM             2,329 visitormatch[3].txt
04/03/2013  09:07 AM             2,250 visitormatch[4].txt
06/15/2013  12:53 AM                 0 visit[10].js
06/13/2013  10:09 AM                 0 visit[11].js
03/16/2013  11:28 PM                 0 visit[1].js
03/29/2013  11:48 PM               439 visit[2].js
04/20/2013  12:17 AM               440 visit[3].js
04/20/2013  12:25 AM                 0 visit[4].js
04/22/2013  10:41 AM               441 visit[5].js
06/15/2013  09:09 AM                 0 visit[6].js
06/15/2013  01:03 AM                 0 visit[7].js
06/13/2013  09:33 AM                 0 visit[8].js
06/13/2013  09:33 AM                 0 visit[9].js
03/16/2013  11:26 PM            21,337 vitamincskincare_com[1].txt
04/20/2013  12:16 AM             8,787 vizuloader[1].gif
03/24/2013  10:21 AM             3,300 vj[2]
04/29/2013  10:34 AM               111 vj[3]
04/20/2013  12:20 AM             7,989 VkzYRe71KsI-198x120[1].jpg
04/20/2013  12:17 AM             5,390 VkzYRe71KsI-218x68[1].jpg
04/20/2013  12:18 AM            17,192 VkzYRe71KsI-362x210[1].jpg
03/16/2013  11:25 PM            86,863 VpaidAdPlayer[1].swf
03/16/2013  11:27 PM            86,863 VpaidAdPlayer[2].swf
03/16/2013  11:31 PM            86,863 VpaidAdPlayer[3].swf
03/16/2013  11:26 PM            28,739 VPAIDPlayer[2].swf
03/16/2013  11:28 PM            41,914 VPAIDVPR[1].swf
03/16/2013  11:28 PM            41,914 VPAIDVPR[2].swf
04/20/2013  12:20 AM            15,305 vpsurvey[1].swf
04/12/2013  12:03 PM             1,144 vp[1].js
04/20/2013  12:22 AM             6,811 vp_c[1].html
04/20/2013  12:20 AM             2,241 vp_c[1].swf
04/20/2013  12:20 AM         2,511,145 VSBX3051000640x480-040313112045948-38133_
4-040313112135029-11691[1].FLV
05/18/2013  11:51 PM                 0 vtcall.4.336[1].htm
06/22/2013  11:37 AM                 0 VW_TIER-I_BTInMarket_160x600_DYNAMIC_NA_J
ETTA-TDI_FLASH_06172013_BuildPrice_NA_NA_NA[1].swf
06/27/2013  03:55 PM            38,691 VW_TIER-I_BTInMarket_300x250_DYNAMIC_NA_J
ETTA-HYBRID_FLASH_06172013_Inventory_NA_NA_NA[1].swf
06/11/2013  09:03 PM         1,525,125 vz_2013_lumia30_03429_us_640x360_h264[1].
mp4
04/24/2013  01:44 PM                 0 watch_as3-vfl4_8uTk[1].swf
04/23/2013  10:00 AM            27,907 Watch_The_Guy_In_Red[1].txt
04/20/2013  12:20 AM            34,825 wb25348st_Wood_AOL_728x90[1].swf
06/26/2013  01:10 PM             1,349 wdfb_facebook_login[1].js
04/22/2013  10:41 AM             2,135 white-hover-play-tiny[1].png
04/22/2013  10:41 AM             4,000 white-hover-play[1].png
04/20/2013  12:17 AM            11,718 widget-icons-sprite[1].png
06/22/2013  01:09 PM            19,940 widget1[1].aspx
04/23/2013  10:46 AM                 0 widgetEventCA1H41LO.txt
04/23/2013  10:45 AM                 0 widgetEventCA4LVGUB.txt
04/14/2013  09:36 AM                 0 widgetEventCA6Z6MYF.txt
04/18/2013  05:24 AM                 0 widgetEventCAIYM065.txt
04/14/2013  09:36 AM                 0 widgetEvent[10].txt
04/14/2013  09:36 AM                 0 widgetEvent[11].txt
03/26/2013  10:10 AM                 0 widgetEvent[1].txt
03/26/2013  10:10 AM                 0 widgetEvent[2].txt
03/26/2013  10:10 AM                 0 widgetEvent[3].txt
03/26/2013  10:10 AM                 0 widgetEvent[4].txt
03/26/2013  10:11 AM                 0 widgetEvent[5].txt
04/14/2013  09:36 AM                 0 widgetEvent[6].txt
04/14/2013  09:36 AM                 0 widgetEvent[7].txt
04/14/2013  09:36 AM                 0 widgetEvent[8].txt
04/14/2013  09:36 AM                 0 widgetEvent[9].txt
03/11/2013  12:51 PM            44,205 widget[1].html
04/07/2013  10:16 AM            43,436 widget[2].html
05/15/2013  10:04 AM                 0 widget_script[10].aspx
05/15/2013  10:05 AM                 0 widget_script[11].aspx
03/18/2013  12:14 PM                 0 widget_script[1].aspx
03/26/2013  10:23 AM                 0 widget_script[2].aspx
04/10/2013  11:22 PM                 0 widget_script[3].aspx
04/13/2013  10:36 AM                 0 widget_script[4].aspx
04/20/2013  09:58 AM                 0 widget_script[5].aspx
04/23/2013  10:37 AM                 0 widget_script[6].aspx
04/26/2013  07:47 AM                 0 widget_script[7].aspx
05/12/2013  01:14 PM                 0 widget_script[8].aspx
05/13/2013  09:42 PM                 0 widget_script[9].aspx
04/20/2013  12:19 AM             8,615 wildcrazykittensontheloose1333762899_0-19
8x120[1].jpg
03/30/2013  10:50 AM            15,955 wine-cocktails[1].txt
06/27/2013  03:55 PM            34,397 WM3MA4_Maytag_Dish2013_brand_where_728x90
[1].swf
04/20/2013  12:16 AM             5,156 woman-holding-100-dollar-bills[1].jpg
04/22/2013  09:21 AM           103,036 womenshealthbase_com[1].txt
03/16/2013  11:27 PM            14,196 wpop[1].pli
03/30/2013  10:00 AM             2,380 ww.directorslive.com%2Frubicon%2Frubicon_
160_600_btf-ros.html;r=http%3A%2F%2Fwww.directorslive[1].com%2Fshort-films%2Fsho
rt-film-payload%2F
03/30/2013  10:00 AM             2,186 ww.directorslive.com%2Frubicon%2Frubicon_
160_600_btf-ros.html;r=http%3A%2F%2Fwww.directorslive[2].com%2Fshort-films%2Fsho
rt-film-payload%2F
04/20/2013  12:17 AM             1,610 wysiwyg[1].png
04/16/2013  09:46 AM             3,948 W_xFwzBVLKfH8vnVqd9rtm0kzGtt.e1Xnor674ey9
FK1t659TOD4CGDi4QIsePIgWAhbAgB4lNIzhOckrU.aXToT2CjRhggr_e2Kapa412Mvz8j[1].iJZ%25
26redirectURL%253D
04/29/2013  09:12 AM               107 x1195r2317535[1].txt
03/30/2013  10:00 AM               248 x914r8378340[1].txt
04/22/2013  10:41 AM             5,723 xpBbTQ6JSGO_9gfxVBYGQg[1].jpg
03/16/2013  11:30 PM                43 xrefid[1].gif
03/16/2013  11:24 PM            47,793 XumoVPR[1].swf
03/16/2013  11:25 PM            47,793 XumoVPR[2].swf
03/16/2013  11:25 PM           211,588 Xumo[1].swf
03/16/2013  11:26 PM           211,588 Xumo[2].swf
03/16/2013  11:26 PM           211,588 Xumo[3].swf
04/15/2013  10:17 AM            12,212 xypzny[1].txt
03/16/2013  11:28 PM                43 x[1].gif
03/16/2013  11:28 PM                43 x[2].gif
03/16/2013  11:29 PM                43 x[3].gif
04/20/2013  12:20 AM                43 x[4].gif
04/22/2013  10:41 AM             4,948 x_OkeT9TcLj[1].css
04/20/2013  12:16 AM             7,679 y%3DClick%26b%3Dorp402.ovq.wiz.cebq2%26me
ssage%3DeJwNzTkSwzAMQ9G7oFbBRaQM3kYeO5UnXapM7h6i.6_BF4rC9BTyyrWnn2em7inJV_Nc9xLa
Vl5kYiBQHqI[1].htm
04/20/2013  12:17 AM            10,774 ygOm_Ie9229[1].css
04/20/2013  12:16 AM             5,429 yIXxUlfGTWiG8iYfPaLKpg[1].jpg
04/22/2013  10:41 AM            46,835 yume[1].js
04/20/2013  12:25 AM            74,454 yume_ad_library[1].swf
04/22/2013  10:41 AM            74,454 yume_ad_library[2].swf
05/01/2013  01:29 PM                 0 ZaABAagB099nsAECugEVMjEzOTQzNTMxNTg5NzQxM
TE2NDowwAGBhdcEyAHguseM5ifaARMzMDk0NzI0ODIyNTI0NzM3MjE26AFk%3Bredirecturl2%3D;or
d=436549651[1].htm
04/28/2013  09:32 AM                 0 ZAPSegments@x96[1].htm
05/18/2013  09:46 AM             1,610 ZAPSegments@x96[2].htm
04/22/2013  10:41 AM           175,925 ZggV7al0PVI[1].js
03/28/2013  07:10 PM                 0 [object%20Object][1].txt
03/28/2013  07:10 PM                 0 [object%20Object][2].txt
03/25/2013  10:31 AM                 0 [order_id][1]
04/08/2013  10:31 AM                 0 [order_id][2]
06/27/2013  03:53 PM            23,472 _Fair_0_728x90_flash_v4_R3[1].swf
03/16/2013  11:24 PM             2,128 _HRIhxiyrr7NnJMXsYCc6IZA3ODX0HBSrllO0RSv2
bJSi2THAF05wlsPDgoU6K_V[1].xml
03/16/2013  11:24 PM             1,622 _HRIhxiyrr7NnJMXsYCc6IZA3ODX0HBSrllO0RSv2
bJSi2THAF05wlsPDgoU6K_V[2].xml
03/16/2013  11:24 PM             2,146 _HRIhxiyrr7NnJMXsYCc6IZA3ODX0HBSrllO0RSv2
bJSi2THAF05wlsPDgoU6K_V[3].xml
03/16/2013  11:25 PM             2,128 _HRIhxiyrr7NnJMXsYCc6IZA3ODX0HBSrllO0RSv2
bJSi2THAF05wlsPDgoU6K_V[4].xml
03/16/2013  11:26 PM             2,128 _HRIhxiyrr7NnJMXsYCc6IZA3ODX0HBSrllO0RSv2
bJSi2THAF05wlsPDgoU6K_V[5].xml
03/16/2013  11:27 PM             4,550 _HRIhxiyrr7NnJMXsYCc6IZA3ODX0HBSrllO0RSv2
bJSi2THAF05wlsPDgoU6K_V[6].xml
03/16/2013  11:29 PM             2,128 _HRIhxiyrr7NnJMXsYCc6IZA3ODX0HBSrllO0RSv2
bJSi2THAF05wlsPDgoU6K_V[7].xml
03/16/2013  11:30 PM             2,126 _HRIhxiyrr7NnJMXsYCc6IZA3ODX0HBSrllO0RSv2
bJSi2THAF05wlsPDgoU6K_V[8].xml
05/15/2013  10:26 AM             2,273 _source%3D6f2rxe%26utm_campaign%3D6f2rxe_
575465_280245_114403_27181_27181%26click%3D5193b73333c5414d66286b32.2[1].634%26u
tm_medium%3D6f2rxe
04/20/2013  12:16 AM           408,815 _static[1]
04/20/2013  12:16 AM            96,496 _static[1].txt
04/02/2013  11:23 AM                35 __utmCA35KO40.gif
04/18/2013  05:40 AM                35 __utmCA4JQ9RB.gif
03/24/2013  10:47 AM                35 __utmCA52SFBY.gif
04/03/2013  10:22 AM                35 __utmCA897MTL.gif
04/09/2013  08:56 PM                35 __utmCA9C3OX5.gif
04/30/2013  09:48 AM                35 __utmCABGRXLT.gif
04/02/2013  11:23 AM                35 __utmCAFI6QJB.gif
04/10/2013  10:38 AM                35 __utmCAFMJ01P.gif
04/21/2013  12:23 PM                35 __utmCAFT67Z0.gif
04/27/2013  12:43 PM                35 __utmCAG8MUY7.gif
04/18/2013  05:40 AM                35 __utmCAGKG0VS.gif
04/12/2013  12:07 PM                35 __utmCAMTRCG0.gif
04/18/2013  05:40 AM                35 __utmCAQDAF8P.gif
04/02/2013  11:23 AM                35 __utmCAQNUU72.gif
04/12/2013  12:07 PM                35 __utmCARK73YK.gif
04/28/2013  10:39 AM                35 __utmCARURYI2.gif
04/07/2013  10:13 AM                35 __utmCAUMGYI4.gif
04/02/2013  11:23 AM                35 __utmCAUSDWQ2.gif
04/18/2013  05:40 AM                35 __utmCAX9MMLT.gif
03/30/2013  10:36 AM                35 __utmCAXI41NS.gif
04/27/2013  12:43 PM                35 __utmCAY3R7YS.gif
04/07/2013  09:48 AM                35 __utm[10].gif
04/02/2013  10:59 AM                35 __utm[11].gif
03/30/2013  10:38 AM                35 __utm[1].gif
03/30/2013  10:48 AM                35 __utm[2].gif
03/22/2013  11:10 AM                35 __utm[3].gif
03/28/2013  06:13 PM                35 __utm[4].gif
03/19/2013  07:50 PM                35 __utm[5].gif
03/24/2013  06:15 PM                35 __utm[6].gif
04/14/2013  10:08 AM                35 __utm[7].gif
03/12/2013  11:23 PM                35 __utm[8].gif
05/09/2013  08:58 PM                35 __utm[9].gif
            7369 File(s)  1,030,605,410 bytes
 
 Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\W
indows\Temporary Internet Files\Content.IE5\ZDYQ4LQQ
 
10/20/2012  10:38 AM    <DIR>          .
10/20/2012  10:38 AM    <DIR>          ..
10/10/2012  09:50 AM             6,433 .0%2Fafr%3Fauid%3D262946%26cb%3D%26c.part
%3D10;r=http%3A%2F%2Fmusclesandmeals[1].com%2Fbodybuilding%2Fhead-games-with-oly
mpia-contenders%2F
10/07/2012  12:57 PM               614 .net%252Fanalytics[1].php%253Fp%253Dpubma
tic%2526z%253D728x90%2526s%253Datf%2526t%253D1349636254%2526h%253De3dce26efec70f
4285520b506baa66be
               2 File(s)          7,047 bytes
 
     Total Files Listed:
           549662 File(s) 21,385,326,761 bytes
              53 Dir(s)  160,924,459,008 bytes free
 
C:\windows\system32>

Jill M***Butterfly Kisses
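Added note and example; this is not part of jillmarten's or seedy21's posts. The tail of that listing is the important part: one cache subfolder alone holds 7,369 files and about 1 GB, and the grand total for the tree is 549,662 files and about 21 GB. The path explains why a scan of it takes hours and why it is suspicious at all. C:\Windows\SysWOW64\config\systemprofile is the profile directory that 32-bit processes running as LocalSystem see (WOW64 file-system redirection maps system32 to SysWOW64), so a Temporary Internet Files cache under it was filled by a service-context process, not by anyone's browser session, and the names are ad-network content (728x90 and 160x600 banner creatives, __utm beacons, yume_ad_library SWFs) dated March to June 2013. That is consistent with the ad-fraud behaviour the ZeroAccess family is known for and which Malwarebytes reported on this machine, although the listing alone does not identify which process did the fetching. The Python below, written for this note, parses cmd.exe `dir /s` output, re-joins names that cmd wrapped at 80 columns (visible above as lines that start without a date), totals each directory, reports the first and last write time, checks the totals against cmd's own File(s) line, and flags caches under a systemprofile path. The sample input is constructed from a few lines of the listing above.

```python
"""Parse cmd.exe 'dir /s' output, re-joining names wrapped at 80 columns, and
summarise each directory: file count, bytes, first/last write time, and whether
the directory sits under a service (LocalSystem) profile."""
import re
from collections import OrderedDict
from datetime import datetime

DIR_HEADER = re.compile(r"^\s*Directory of (.+)$")
ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.*)$")
SUMMARY = re.compile(r"^\s*(\d+) File\(s\)\s+([\d,]+) bytes$")
SYSTEM_PROFILE = re.compile(r"\\config\\systemprofile\\", re.IGNORECASE)

# Constructed sample modelled on the listing in the post above. cmd.exe wraps at
# 80 columns, so the "Directory of" header and long names spill onto the next line.
SAMPLE = """\
 Directory of C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\W
indows\\Temporary Internet Files\\Content.IE5\\ZDYQ4LQQ

10/20/2012  10:38 AM    <DIR>          .
10/20/2012  10:38 AM    <DIR>          ..
10/10/2012  09:50 AM             6,433 .0%2Fafr%3Fauid%3D262946%26cb%3D%26c.part
%3D10;r=http%3A%2F%2Fmusclesandmeals[1].com%2Fbodybuilding%2Fhead-games-with-oly
mpia-contenders%2F
04/20/2013  12:25 AM            74,454 yume_ad_library[1].swf
               2 File(s)          80,887 bytes

     Total Files Listed:
               2 File(s)          80,887 bytes
              53 Dir(s)  160,924,459,008 bytes free
"""


def _size(s):
    return int(s.replace(",", ""))


def parse_dir_listing(text):
    """Return OrderedDict: path -> {"files": [[name, size, when], ...], "reported": (count, bytes) or None}."""
    dirs = OrderedDict()
    cur = None   # directory currently being filled
    last = None  # last file entry, so wrapped name fragments can be appended to it
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = DIR_HEADER.match(line)
        if m:
            path = m.group(1)
            i += 1
            while i < len(lines) and lines[i].strip():   # wrapped header continues until the blank line
                path += lines[i]
                i += 1
            cur = dirs.setdefault(path, {"files": [], "reported": None})
            last = None
            continue
        if "Total Files Listed" in line:
            cur = last = None                              # grand totals are not a directory
        elif cur is not None:
            m = SUMMARY.match(line)
            e = ENTRY.match(line)
            if m:
                cur["reported"] = (int(m.group(1)), _size(m.group(2)))
                last = None
            elif e:
                last = None
                if e.group(3) != "<DIR>":
                    when = datetime.strptime(f"{e.group(1)} {e.group(2)}", "%m/%d/%Y %I:%M %p")
                    last = [e.group(4), _size(e.group(3)), when]
                    cur["files"].append(last)
            elif line.strip() and last is not None:
                last[0] += line                            # wrapped continuation of the previous name
            else:
                last = None
        i += 1
    return dirs


def summarize(dirs):
    """One row per directory, cross-checked against cmd's own File(s) summary line."""
    rows = []
    for path, info in dirs.items():
        files = info["files"]
        count, total = len(files), sum(f[1] for f in files)
        rep = info["reported"]
        rows.append({
            "path": path,
            "files": count,
            "bytes": total,
            "first": min(f[2] for f in files).isoformat() if files else None,
            "last": max(f[2] for f in files).isoformat() if files else None,
            "matches_summary": rep is None or rep == (count, total),
            "service_profile": bool(SYSTEM_PROFILE.search(path)),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(parse_dir_listing(SAMPLE)):
        flag = "  <- cache under a LocalSystem profile: filled by a service, not a logged-on user" if row["service_profile"] else ""
        print(f"{row['files']:>6} files {row['bytes']:>14,} bytes  {row['first']} .. {row['last']}  {row['path']}{flag}")
```

Run it against a saved `dir /s` transcript (replace `SAMPLE` with the file contents) and sort the rows by `bytes`; the first and last timestamps of the service-profile cache give the window in which the unwanted process was active, which is the interval to line up against the Malwarebytes and TDSSKiller findings.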


#12 seedy21 (Malware Response Team, West Yorkshire, UK)

Posted 23 January 2014 - 04:15 PM


Hi jillmarten

what was that command?


That command was to list everything in C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files and all subfolders beneath it.

Step 1
Download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc.
    If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#13 jillmarten (Topic Starter)

Posted 23 January 2014 - 05:04 PM

Okay, it's done scanning. What is the Farbar and what am I doing? Sorry, I just like to know what I am doing because I do have computer knowledge. And how come the DIR command from before didn't select all that it had scanned in that file? Because there was A LOT more that it had scanned. Two things were strange when doing the last task. It didn't give me an option to select the operating system; it just went right into me doing user and password, and then when I was in the notepad my flash drive was C: and my hard drive was D:, and when my computer is on regularly my hard drive is C: and my flash drive is E:. I thought that was weird. And it saved the log to the hard drive, not the flash drive.

 

I attached the FRST log because for some reason every time I copy and paste it into this post and try to post it says the post is too long... so I attached it... Sorry, I know you're not supposed to do that unless told to, but I didn't know what else to do. (Attached file: FRST.txt, 227.96 KB)




#14 seedy21 (Malware Response Team, West Yorkshire, UK)

Posted 25 January 2014 - 01:51 PM

Hi jillmarten

What is the Farbar and what am I doing?


The scan that we ran this time was an offline scanner used to diagnose malware issues.

Step 1

Open Notepad. Please copy the contents of the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
Save it on the flash drive as fixlist.txt

Start
HKU\Kiosk\...\Run: [Microsoft MDX Demo] - C:\Program Files (x86)\Microsoft Digital Experience\Microsoft.MDX.Demo.exe
HKU\Kiosk\...\Run: [Microsoft MDX DemoScheduler] - C:\Program Files (x86)\Microsoft Digital Experience\Microsoft.MDX.DemoScheduler.exe
HKU\Kiosk\...\Policies\system: [NoDispSettingsPage] 1
HKU\Kiosk\...\Policies\system: [DisableRegistryTools] 1
HKU\Kiosk\...\Policies\system: [NoDispScrSavPage] 1
HKU\Kiosk\...\Policies\system: [NoDispCPL] 1
HKU\Kiosk\...\Policies\system: [NoDispBackgroundPage] 1
HKU\Kiosk\...\Policies\system: [NoDispAppearancePage] 1
HKU\Kiosk\...\Policies\system: [DisableChangePassword] 1
HKU\Kiosk\...\Policies\system: [DisableLockWorkstation] 1
HKU\Kiosk\...\Policies\system: [DisableTaskMgr] 1
C:\ProgramData\I3si02.dat
CMD: DEL /F/Q/A "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.*"
CMD: DEL /F/A/Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\*.*"
CMD: ipconfig /flushdns
End
NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

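Added example; this is not part of seedy21's post and is not FRST's own code. A fixlist is executed by FRST as SYSTEM from the recovery environment, so it is worth being able to read one before pressing Fix, which is the question the topic starter asked. Each line in the script above is one of four things: a registry value to delete (the HKU\Kiosk\...\Run entries are per-user autoruns; the HKU\Kiosk\...\Policies\system entries are the lockdown restrictions, DisableTaskMgr, DisableRegistryTools and the rest, that rogue security software such as "Internet Security 2013" sets so the victim cannot kill or inspect it), a file to move into FRST's quarantine (C:\ProgramData\I3si02.dat), or a CMD: line handed to cmd.exe. The Python below, written for this note with the fixlist reproduced as a constructed sample, classifies each directive and raises the two caveats a reviewer would: DEL without /S is not recursive, so those two CMD: lines empty the Temporary Internet Files and Content.IE5 folders themselves but leave the files inside Content.IE5's hashed subfolders (ZDYQ4LQQ in the listing above is one such subfolder) in place; and ipconfig /flushdns talks to the DNS Client service, which is not running in the recovery environment, so it is expected to fail there. The LOCKDOWN set is simply the policy names present in this fixlist.

```python
"""Dry-run reviewer for an FRST fixlist: classify each directive and report
what is worth knowing before running the fix."""
import re

REG = re.compile(r"^(?P<hive>HKU|HKLM|HKCU)\\(?P<key>.+?): \[(?P<name>[^\]]+)\]\s*(?:-\s*)?(?P<value>.*)$")
CMD = re.compile(r"^CMD:\s*(.*)$")
FILE = re.compile(r"^[A-Za-z]:\\")

# Per-user restrictions named in this fixlist; rogue security software sets them
# so the victim cannot open Task Manager, regedit or the display settings.
LOCKDOWN = {
    "DisableTaskMgr", "DisableRegistryTools", "DisableChangePassword",
    "DisableLockWorkstation", "NoDispCPL", "NoDispSettingsPage",
    "NoDispScrSavPage", "NoDispBackgroundPage", "NoDispAppearancePage",
}

# Constructed sample: the fixlist from the post above, reproduced as test input.
FIXLIST = r"""Start
HKU\Kiosk\...\Run: [Microsoft MDX Demo] - C:\Program Files (x86)\Microsoft Digital Experience\Microsoft.MDX.Demo.exe
HKU\Kiosk\...\Run: [Microsoft MDX DemoScheduler] - C:\Program Files (x86)\Microsoft Digital Experience\Microsoft.MDX.DemoScheduler.exe
HKU\Kiosk\...\Policies\system: [NoDispSettingsPage] 1
HKU\Kiosk\...\Policies\system: [DisableRegistryTools] 1
HKU\Kiosk\...\Policies\system: [NoDispScrSavPage] 1
HKU\Kiosk\...\Policies\system: [NoDispCPL] 1
HKU\Kiosk\...\Policies\system: [NoDispBackgroundPage] 1
HKU\Kiosk\...\Policies\system: [NoDispAppearancePage] 1
HKU\Kiosk\...\Policies\system: [DisableChangePassword] 1
HKU\Kiosk\...\Policies\system: [DisableLockWorkstation] 1
HKU\Kiosk\...\Policies\system: [DisableTaskMgr] 1
C:\ProgramData\I3si02.dat
CMD: DEL /F/Q/A "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.*"
CMD: DEL /F/A/Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\*.*"
CMD: ipconfig /flushdns
End
"""


def parse_fixlist(text):
    """Turn fixlist lines into dicts with kind in {autorun, policy, registry, file, cmd, unknown}."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("Start", "End"):
            continue
        m = REG.match(line)
        if m:
            key = m.group("key").upper()
            kind = "autorun" if key.endswith("\\RUN") else "policy" if "POLICIES" in key else "registry"
            entries.append({"kind": kind, "hive": m.group("hive"), "key": m.group("key"),
                            "name": m.group("name"), "value": m.group("value").strip()})
            continue
        m = CMD.match(line)
        if m:
            entries.append({"kind": "cmd", "name": None, "value": m.group(1).strip()})
        elif FILE.match(line):
            entries.append({"kind": "file", "name": None, "value": line})   # FRST moves it to quarantine
        else:
            entries.append({"kind": "unknown", "name": None, "value": line})
    return entries


def review_cmd(cmd):
    """Return a caveat for a CMD: line, or None if there is nothing to flag."""
    parts = cmd.split()
    if parts and parts[0].upper() == "DEL":
        # "/F/Q/A" is one token carrying three switches; split it apart
        switches = {s.upper() for p in parts[1:] if p.startswith("/") for s in p.split("/") if s}
        if "S" not in switches:
            return f"DEL without /S is not recursive; files in subfolders of the target stay: {cmd}"
    if cmd.lower().startswith("ipconfig /flushdns"):
        return "ipconfig /flushdns needs the DNS Client service, which is not running in the recovery environment"
    return None


def review(entries):
    """Human-readable findings: lockdown policies, autoruns, and CMD caveats."""
    findings = []
    locked = [e["name"] for e in entries if e["kind"] == "policy" and e["name"] in LOCKDOWN and e["value"] == "1"]
    if locked:
        findings.append("user lockdown policies set (rogue-AV style): " + ", ".join(locked))
    for e in entries:
        if e["kind"] == "autorun":
            findings.append(f"autorun {e['name']!r} -> {e['value']}")
        elif e["kind"] == "cmd":
            caveat = review_cmd(e["value"])
            if caveat:
                findings.append(caveat)
    return findings


if __name__ == "__main__":
    for finding in review(parse_fixlist(FIXLIST)):
        print(finding)
```

The practical consequence of the DEL caveat is that a cache of half a million files under Content.IE5 needs either a recursive delete or removal of the whole Temporary Internet Files tree; deleting `*.*` at the top two levels removes the index and loose files only, which is consistent with the empty output the two DEL lines produce in the Fixlog that follows.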


#15 jillmarten (Topic Starter)

Posted 25 January 2014 - 03:06 PM

Okay, done. Here is the log... Now what?

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-01-2014 01
Ran by SYSTEM at 2014-01-25 14:03:53 Run:1
Running from Y:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
Start
HKU\Kiosk\...\Run: [Microsoft MDX Demo] - C:\Program Files (x86)\Microsoft Digital Experience\Microsoft.MDX.Demo.exe
HKU\Kiosk\...\Run: [Microsoft MDX DemoScheduler] - C:\Program Files (x86)\Microsoft Digital Experience\Microsoft.MDX.DemoScheduler.exe
HKU\Kiosk\...\Policies\system: [NoDispSettingsPage] 1
HKU\Kiosk\...\Policies\system: [DisableRegistryTools] 1
HKU\Kiosk\...\Policies\system: [NoDispScrSavPage] 1
HKU\Kiosk\...\Policies\system: [NoDispCPL] 1
HKU\Kiosk\...\Policies\system: [NoDispBackgroundPage] 1
HKU\Kiosk\...\Policies\system: [NoDispAppearancePage] 1
HKU\Kiosk\...\Policies\system: [DisableChangePassword] 1
HKU\Kiosk\...\Policies\system: [DisableLockWorkstation] 1
HKU\Kiosk\...\Policies\system: [DisableTaskMgr] 1
C:\ProgramData\I3si02.dat
CMD: DEL /F/Q/A "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.*"
CMD: DEL /F/A/Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\*.*"
CMD: ipconfig /flushdns
End
*****************
 
HKU\Kiosk\Software\Microsoft\Windows\CurrentVersion\Run\\Microsoft MDX Demo => Value deleted successfully.
HKU\Kiosk\Software\Microsoft\Windows\CurrentVersion\Run\\Microsoft MDX DemoScheduler => Value deleted successfully.
HKU\Kiosk\Software\Microsoft\Windows\CurrentVersion\Policies\system\\NoDispSettingsPage => Value deleted successfully.
HKU\Kiosk\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableRegistryTools => Value deleted successfully.
HKU\Kiosk\Software\Microsoft\Windows\CurrentVersion\Policies\system\\NoDispScrSavPage => Value deleted successfully.
HKU\Kiosk\Software\Microsoft\Windows\CurrentVersion\Policies\system\\NoDispCPL => Value deleted successfully.
HKU\Kiosk\Software\Microsoft\Windows\CurrentVersion\Policies\system\\NoDispBackgroundPage => Value deleted successfully.
HKU\Kiosk\Software\Microsoft\Windows\CurrentVersion\Policies\system\\NoDispAppearancePage => Value deleted successfully.
HKU\Kiosk\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableChangePassword => Value deleted successfully.
HKU\Kiosk\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableLockWorkstation => Value deleted successfully.
HKU\Kiosk\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr => Value deleted successfully.
C:\ProgramData\I3si02.dat => Moved successfully.
 
=========  DEL /F/Q/A "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\*.*" =========
 
 
========= End of CMD: =========
 
 
=========  DEL /F/A/Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\*.*" =========
 
 
========= End of CMD: =========
 
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Could not flush the DNS Resolver Cache: Function failed during execution.
 
 
========= End of CMD: =========
 
 
==== End of Fixlog ====





