
pdk-system


  • This topic is locked
11 replies to this topic

#1 stephencomputerguy


Posted 31 January 2014 - 08:07 AM

I have a recurring problem with computers in our organization where after scanning or cleaning up viruses, the computer is left with four "c:\windows\TEMP\pdk-SYSTEM\" folders which can't be deleted. Combofix finds these and deletes them, but no other malware/antivirus/antirootkit identifies these files as problems. After Combofix deletes the files, they'll stay away until the next reboot at which point they'll reappear. The computer doesn't seem to have any other symptoms of malware activity other than the reoccurrence of these files. Can someone help me identify them?

 

---------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 14-01-29.01 - stephen 01/31/2014   7:42.4.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3998.2689 [GMT -5:00]
Running from: \\fileserver\shared\TB\Antivirus\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Resident AV is active
.
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\pdk-SYSTEM\04a938823668c652aef77ba79a274400\Service.dll
c:\windows\TEMP\pdk-SYSTEM\d6fec475513d165261d38743a490dfc1\perl58.dll
c:\windows\TEMP\pdk-SYSTEM\e00cd61a82f12186df5e4de4b75a822d\Registry.dll
c:\windows\TEMP\pdk-SYSTEM\ea8ed9772b76a525d50cde8448090219\WinError.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-28 to 2014-01-31  )))))))))))))))))))))))))))))))
.
.
2014-01-31 12:45 . 2014-01-31 12:45 -------- d-----w- c:\users\Tech\AppData\Local\temp
2014-01-31 12:45 . 2014-01-31 12:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-01-30 19:16 . 2014-01-30 19:16 -------- d-----w- c:\users\stephen\AppData\Roaming\Malwarebytes
2014-01-30 19:16 . 2014-01-30 19:16 -------- d-----w- c:\programdata\Malwarebytes
2014-01-30 19:16 . 2013-04-04 19:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-01-30 19:16 . 2014-01-30 19:16 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2014-01-30 19:16 . 2014-01-30 19:16 -------- d-----w- c:\users\stephen\AppData\Local\Programs
2014-01-30 18:49 . 2014-01-30 18:49 -------- d-----w- c:\users\stephen\AppData\Local\Brice_Lambson
2014-01-30 18:48 . 2014-01-30 18:48 -------- d-----w- c:\program files\Image Resizer for Windows
2014-01-30 18:48 . 2014-01-30 18:48 -------- d-----w- c:\program files (x86)\Image Resizer for Windows
2014-01-30 18:48 . 2014-01-30 18:48 -------- d-----w- c:\programdata\Package Cache
2014-01-30 18:45 . 2014-01-30 18:45 -------- d-----w- c:\windows\Downloaded Installations
2014-01-30 16:11 . 2014-01-30 16:11 -------- d-----w- c:\users\stephen\AppData\Roaming\InstallShield
2014-01-30 16:01 . 2002-12-18 22:04 40960 ----a-w- c:\windows\SysWow64\fjtwnop.exe
2014-01-30 16:01 . 2014-01-30 16:02 -------- d-----w- c:\windows\fjmini
2014-01-30 16:01 . 2014-01-30 16:01 -------- d-----w- c:\programdata\Fujitsu
2014-01-30 12:10 . 2014-01-30 12:10 -------- d-----w- c:\users\stephen\AppData\Roaming\SolidDocuments
2014-01-15 14:43 . 2014-01-15 14:43 -------- d-----w- c:\programdata\Hewlett-Packard
2014-01-14 12:56 . 2014-01-14 12:56 -------- d-----w- c:\users\astephen
2014-01-02 16:51 . 2014-01-02 16:51 -------- d-----w- c:\users\stephen\AppData\Local\Mozilla
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-29 18:35 . 2013-12-17 13:14 566480 ----a-w- c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2013-12-23 12:02 . 2013-10-30 11:58 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-12-23 12:02 . 2013-10-30 11:58 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-11-13 18:45 . 2013-08-20 13:33 82896128 ----a-w- c:\windows\system32\MRT.exe
2013-11-11 10:50 . 2010-11-21 03:27 267936 ------w- c:\windows\system32\MpSigStub.exe
2013-11-08 11:41 . 2013-11-08 11:36 29480 ----a-w- c:\windows\SysWow64\msxml3a.dll
2013-11-08 11:41 . 2003-03-19 01:14 505128 ----a-w- c:\windows\SysWow64\msvcp71.dll
2013-11-08 11:41 . 2003-02-21 09:42 353576 ----a-w- c:\windows\SysWow64\msvcr71.dll
2013-11-08 03:12 . 2013-11-27 15:29 10285968 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EED8F076-5DC8-4CDC-BF35-EEBA8475D47D}\mpengine.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-12-17 19:21 222832 ----a-w- c:\users\stephen\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-12-17 19:21 222832 ----a-w- c:\users\stephen\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-12-17 19:21 222832 ----a-w- c:\users\stephen\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2010-10-01 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-09-17 50472]
"OfficeScanNT Monitor"="c:\program files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe" [2011-08-29 1836592]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe" [2013-12-21 3478392]
.
c:\users\stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Send to OneNote.lnk - c:\program files\Microsoft Office 15\root\office15\ONENOTEM.EXE /tsr [2014-1-29 194224]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4128779970-1068091417-628957002-9059\Scripts\Logon\0\0]
"Script"=\\Gvaddc01\sysvol\GOVERNMENT.COUNTY.LOCAL\scripts\lclogon.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4128779970-1068091417-628957002-9125\Scripts\Logon\0\0]
"Script"=\\Gvaddc01\sysvol\GOVERNMENT.COUNTY.LOCAL\scripts\lclogon.bat
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys;c:\windows\SYSNATIVE\drivers\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys;c:\windows\SYSNATIVE\drivers\nusb3xhc.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe;c:\program files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S2 BESClientHelper;BESClientHelper;c:\program files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe;c:\program files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe [x]
S2 OfficeSvc;Microsoft Office Service;c:\program files\Microsoft Office 15\ClientX64\integratedoffice.exe;c:\program files\Microsoft Office 15\ClientX64\integratedoffice.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\Teamviewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\Teamviewer\Version8\TeamViewer_Service.exe [x]
S2 TmFilter;Trend Micro Filter;c:\program files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys;c:\program files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys [x]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys;c:\program files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-30 12:02]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-12-17 19:21 261744 ----a-w- c:\users\stephen\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-12-17 19:21 261744 ----a-w- c:\users\stephen\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-12-17 19:21 261744 ----a-w- c:\users\stephen\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-01-29 18:36 2331336 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-01-29 18:36 2331336 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-01-29 18:36 2331336 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-12-14 172144]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-12-14 399984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-14 441968]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://sharepoint.county.org/IT/Lists/Tasks/PersonalViews.aspx?PageView=Personal&ShowWebPart={5C59CB3E-1431-4046-9F48-26A691CA1372}
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = lcproxy.county.org:8080
uInternet Settings,ProxyOverride = *.county.local;*.government.county.local;*.county.org;<local>
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\program files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
TCP: DhcpNameServer = 10.50.2.3 10.50.1.10
FF - ProfilePath - c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\6nm46ldz.default\
FF - prefs.js: browser.startup.homepage - hxxp://sharepoint.county.org/IT/Lists/Tasks/PersonalViews.aspx?PageView=Personal&ShowWebPart={5C59CB3E-1431-4046-9F48-26A691CA1372}
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\BigFix Enterprise\BES Client\BESClient.exe
c:\program files (x86)\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\program files\Microsoft Office 15\Root\Office15\MsoSync.exe
.
**************************************************************************
.
Completion time: 2014-01-31  07:51:44 - machine was rebooted
ComboFix-quarantined-files.txt  2014-01-31 12:51
ComboFix2.txt  2014-01-31 11:59
ComboFix3.txt  2014-01-30 19:14
ComboFix4.txt  2014-01-30 19:07
.
Pre-Run: 210,140,024,832 bytes free
Post-Run: 210,080,481,280 bytes free
.
- - End Of File - - C397FC959DB3460DF01C2EB03ACF0A96
A36C5E4F47E84449FF07ED3517B43A31
 

 




 


#2 HelpBot


Posted 05 February 2014 - 08:10 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/522715 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 stephencomputerguy


Posted 05 February 2014 - 09:56 AM

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16520  BrowserJavaVersion: 10.45.2
Run by stephen at 9:34:25 on 2014-02-05
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3998.2795 [GMT -5:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Teamviewer\Version8\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\PrintIsolationHost.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrobat_sl.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientUI.exe
C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://sharepoint.county.org/IT/Lists/Tasks/PersonalViews.aspx?PageView=Personal&ShowWebPart={5C59CB3E-1431-4046-9F48-26A691CA1372}
uProxyServer = lcproxy.county.org:8080
uProxyOverride = <local>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Adobe Acrobat Create PDF Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Adobe Acrobat Create PDF from Selection: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
TB: Adobe Acrobat Create PDF Toolbar: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
TB: Adobe Acrobat Create PDF Toolbar: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
StartupFolder: C:\Users\stephen\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\SENDTO~1.LNK - C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
uPolicies-System: HideLogonScripts = dword:1
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1387199280392
TCP: NameServer = 10.50.2.3 10.50.1.10
TCP: Interfaces\{F50254F0-2836-4CBA-A886-94C2D136805B} : DHCPNameServer = 10.50.2.3 10.50.1.10
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL
SSODL: WebCheck - <orphaned>
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-BHO: Adobe Acrobat Create PDF Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
x64-BHO: Adobe Acrobat Create PDF from Selection: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll
x64-TB: Adobe Acrobat Create PDF Toolbar: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\6nm46ldz.default\
FF - prefs.js: browser.startup.homepage - hxxp://sharepoint.county.org/IT/Lists/Tasks/PersonalViews.aspx?PageView=Personal&ShowWebPart={5C59CB3E-1431-4046-9F48-26A691CA1372}
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2013-11-8 55856]
R2 BESClientHelper;BESClientHelper;C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe [2013-12-16 737367]
R2 OfficeSvc;Microsoft Office Service;C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [2013-12-17 1907896]
R2 TeamViewer8;TeamViewer 8;C:\Program Files (x86)\Teamviewer\Version8\TeamViewer_Service.exe [2013-12-11 5087584]
R2 TmFilter;Trend Micro Filter;C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys [2011-7-12 344376]
R2 TmPreFilter;Trend Micro PreFilter;C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmpreflt.sys [2011-7-12 42808]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-8-20 872152]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-8-20 342528]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2011-2-15 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2011-2-15 180736]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-8-20 19456]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2013-8-20 29696]
S3 TmProxy;OfficeScan NT Proxy Service;C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe [2011-4-15 918032]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-11-13 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-11-13 29696]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-8-20 1255736]
.
=============== Created Last 30 ================
.
2014-01-31 12:47:21 -------- d-sh--w- C:\$RECYCLE.BIN
2014-01-30 19:16:24 -------- d-----w- C:\Users\stephen\AppData\Roaming\Malwarebytes
2014-01-30 19:16:18 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-01-30 19:16:18 -------- d-----w- C:\ProgramData\Malwarebytes
2014-01-30 19:16:17 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-30 19:16:11 -------- d-----w- C:\Users\stephen\AppData\Local\Programs
2014-01-30 18:52:37 98816 ----a-w- C:\Windows\sed.exe
2014-01-30 18:52:37 256000 ----a-w- C:\Windows\PEV.exe
2014-01-30 18:52:37 208896 ----a-w- C:\Windows\MBR.exe
2014-01-30 18:49:01 -------- d-----w- C:\Users\stephen\AppData\Local\Brice_Lambson
2014-01-30 18:48:46 -------- d-----w- C:\Program Files\Image Resizer for Windows
2014-01-30 18:48:46 -------- d-----w- C:\Program Files (x86)\Image Resizer for Windows
2014-01-30 18:48:43 -------- d-----w- C:\ProgramData\Package Cache
2014-01-30 18:45:00 -------- d-----w- C:\Windows\Downloaded Installations
2014-01-30 16:01:58 40960 ----a-w- C:\Windows\SysWow64\fjtwnop.exe
2014-01-30 16:01:55 -------- d-----w- C:\Windows\fjmini
2014-01-30 16:01:01 -------- d-----w- C:\ProgramData\Fujitsu
2014-01-30 12:10:22 -------- d-----w- C:\Users\stephen\AppData\Roaming\SolidDocuments
.
==================== Find3M  ====================
.
2013-12-23 12:02:03 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-12-23 12:02:03 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-11-11 10:50:16 267936 ------w- C:\Windows\System32\MpSigStub.exe
2013-11-08 11:41:48 505128 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2013-11-08 11:41:48 353576 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2013-11-08 11:41:48 29480 ----a-w- C:\Windows\SysWow64\msxml3a.dll
.
============= FINISH:  9:36:01.07 ===============

#4 polskamachina

polskamachina

  • Malware Response Team
  • 3,928 posts

Posted 05 February 2014 - 12:21 PM

Hi stephencomputerguy :)


My name is polskamachina and I will be assisting you with your malware problem. Please give me some time to look over your reports and I will get back to you as soon as possible.


Thanks for your patience.

polskamachina



#5 polskamachina

polskamachina

  • Malware Response Team
  • 3,928 posts

Posted 07 February 2014 - 12:53 PM

Hi stephencomputerguy :)


I would like to officially welcome you to Bleeping Computer. What follows below are some ground rules for this forum.

I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know.

I am in California at GMT-8 Hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

----------------------------------------------------------------------------------------------------------------------


Let's start by running some diagnostic software.

Please download the 64-bit version of Farbar Recovery Scan Tool and save it to your Desktop. You should not be running the diagnostic software from the file server.

  • Right click to run as administrator.
  • When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste the log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Let me know if you have any questions.

polskamachina



#6 stephencomputerguy

stephencomputerguy

  • Topic Starter
  • Members
  • 5 posts

Posted 07 February 2014 - 01:00 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-02-2014
Ran by stephen (administrator) on 9PCJ9Y1 on 07-02-2014 12:55:44
Running from C:\Users\stephen\Downloads
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(BigFix Inc.) C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\Ntrtscan.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
(TeamViewer GmbH) C:\Program Files (x86)\Teamviewer\Version8\TeamViewer_Service.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe
(IBM Corp.) C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
(Attachmate Corporation) C:\Program Files (x86)\Attachmate\KEA! VT\keavt.exe
(Attachmate Corporation) C:\Program Files (x86)\Attachmate\KEA! VT\keasys.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [] - [X]
HKLM-x32\...\Run: [RoxWatchTray] - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [RemoteControl9] - C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD9LanguageShortcut] - C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM-x32\...\Run: [OfficeScanNT Monitor] - C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe [1836592 2011-08-29] (Trend Micro Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3478392 2013-12-21] (Adobe Systems Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4128779970-1068091417-628957002-9059\...\Policies\system: [HideLogonScripts] 1
Startup: C:\Users\stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

ProxyEnable: Internet Explorer proxy is enabled.
ProxyServer: lcproxy.county.org:8080
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sharepoint.county.org/IT/Lists/Tasks/PersonalViews.aspx?PageView=Personal&ShowWebPart={5C59CB3E-1431-4046-9F48-26A691CA1372}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF from Selection - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: HKLM-x32 {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} https://support.dell.com/systemprofiler/SysProExe.CAB
DPF: HKLM-x32 {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1387199280392
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.50.2.3 10.50.1.10

FireFox:
========
FF ProfilePath: C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\6nm46ldz.default
FF Homepage: hxxp://sharepoint.county.org/IT/Lists/Tasks/PersonalViews.aspx?PageView=Personal&ShowWebPart={5C59CB3E-1431-4046-9F48-26A691CA1372}
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @java.com/DTPlugin,version=10.45.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: Adobe Acrobat - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2013-12-10]

==================== Services (Whitelisted) =================

R2 BESClient; C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe [5418872 2013-10-07] (IBM Corp.)
R2 BESClientHelper; C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe [737367 2013-12-16] (BigFix Inc.)
R2 ntrtscan; C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe [2771856 2011-08-26] (Trend Micro Inc.)
R2 OfficeSvc; C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [1907896 2013-10-31] (Microsoft Corporation)
R2 tmlisten; C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe [2772096 2011-08-26] (Trend Micro Inc.)
S3 TmProxy; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe [918032 2011-04-15] (Trend Micro Inc.)

==================== Drivers (Whitelisted) ====================

R1 omci; C:\Windows\System32\DRIVERS\omci.sys [26624 2010-03-08] (Dell Inc.)
R2 TmFilter; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys [344376 2012-07-17] (Trend Micro Inc.)
R2 TmPreFilter; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys [42808 2012-07-17] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [108624 2010-12-07] (Trend Micro Inc.)
R2 VSApiNt; C:\Program Files (x86)\Trend Micro\OfficeScan Client\VSApiNt.sys [2224952 2012-07-17] (Trend Micro Inc.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-02-07 12:55 - 2014-02-07 12:55 - 02079744 _____ (Farbar) C:\Users\stephen\Downloads\FRST64.exe
2014-02-07 12:55 - 2014-02-07 12:55 - 00010609 _____ () C:\Users\stephen\Downloads\FRST.txt
2014-02-07 12:55 - 2014-02-07 12:55 - 00000000 ____D () C:\FRST
2014-02-05 09:53 - 2014-02-05 09:53 - 00020346 _____ () C:\ComboFix.txt
2014-02-05 09:41 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-02-05 09:41 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-02-05 09:41 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-02-05 09:41 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-02-05 09:41 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-02-05 09:41 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
2014-02-05 09:41 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
2014-02-05 09:41 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
2014-02-04 08:17 - 2014-02-04 08:17 - 00002055 _____ () C:\Users\stephen\Desktop\rkill.lnk
2014-01-30 14:16 - 2014-01-30 14:16 - 00001109 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-30 14:16 - 2014-01-30 14:16 - 00000000 ____D () C:\Users\stephen\AppData\Roaming\Malwarebytes
2014-01-30 14:16 - 2014-01-30 14:16 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-01-30 14:16 - 2014-01-30 14:16 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-30 14:16 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-01-30 13:52 - 2014-02-05 09:53 - 00000000 ____D () C:\Qoobox
2014-01-30 13:52 - 2014-01-30 14:07 - 00000000 ____D () C:\Windows\erdnt
2014-01-30 13:49 - 2014-01-30 13:49 - 00000000 ____D () C:\Users\stephen\AppData\Local\Brice_Lambson
2014-01-30 13:48 - 2014-01-30 13:48 - 00922057 _____ (Brice Lambson) C:\Users\stephen\Desktop\ImageResizerSetup.exe
2014-01-30 13:48 - 2014-01-30 13:48 - 00000000 ____D () C:\ProgramData\Package Cache
2014-01-30 13:48 - 2014-01-30 13:48 - 00000000 ____D () C:\Program Files\Image Resizer for Windows
2014-01-30 13:48 - 2014-01-30 13:48 - 00000000 ____D () C:\Program Files (x86)\Image Resizer for Windows
2014-01-30 13:45 - 2014-01-30 13:45 - 00003316 _____ () C:\Windows\System32\Tasks\{655CF513-7EF5-4841-A8D1-8C95410C0EF7}
2014-01-30 13:45 - 2014-01-30 13:45 - 00000000 ____D () C:\Windows\Downloaded Installations
2014-01-30 11:11 - 2014-01-30 11:11 - 00000000 ____D () C:\Users\stephen\AppData\Roaming\InstallShield
2014-01-30 11:02 - 2012-09-14 13:49 - 00399763 _____ () C:\Windows\fj5530C2-x64.cab
2014-01-30 11:02 - 2012-09-14 13:46 - 00252416 _____ (PFU) C:\Windows\system32\fi55302u-x64.dll
2014-01-30 11:02 - 2012-09-14 13:46 - 00250368 _____ (PFU) C:\Windows\system32\fi55302-x64.dll
2014-01-30 11:02 - 2012-09-03 20:33 - 00254659 _____ () C:\Windows\fi6230-x64.cab
2014-01-30 11:02 - 2012-09-03 20:33 - 00254641 _____ () C:\Windows\fi6225-x64.cab
2014-01-30 11:02 - 2012-09-03 20:32 - 00254705 _____ () C:\Windows\fi6130-x64.cab
2014-01-30 11:02 - 2012-09-03 20:32 - 00254682 _____ () C:\Windows\fi6125-x64.cab
2014-01-30 11:02 - 2012-09-03 20:31 - 00252416 _____ (PFU) C:\Windows\system32\fi6225u-x64.dll
2014-01-30 11:02 - 2012-09-03 20:31 - 00252416 _____ (PFU) C:\Windows\system32\fi6130u-x64.dll
2014-01-30 11:02 - 2012-09-03 20:30 - 00252416 _____ (PFU) C:\Windows\system32\fi6230u-x64.dll
2014-01-30 11:02 - 2012-09-03 20:30 - 00252416 _____ (PFU) C:\Windows\system32\fi6125u-x64.dll
2014-01-30 11:02 - 2012-08-27 20:47 - 00356659 _____ () C:\Windows\fi6670-x64.cab
2014-01-30 11:02 - 2012-08-27 20:45 - 00356470 _____ () C:\Windows\fi6770-x64.cab
2014-01-30 11:02 - 2012-05-25 14:02 - 00251504 _____ () C:\Windows\fi6750-x64.cab
2014-01-30 11:02 - 2012-05-25 13:42 - 00258048 _____ (PFU) C:\Windows\system32\fi6670-x64.dll
2014-01-30 11:02 - 2012-05-25 13:41 - 00260608 _____ (PFU) C:\Windows\system32\fi6770u-x64.dll
2014-01-30 11:02 - 2012-05-25 13:41 - 00260608 _____ (PFU) C:\Windows\system32\fi6670u-x64.dll
2014-01-30 11:02 - 2012-05-25 13:41 - 00260096 _____ (PFU) C:\Windows\system32\fi6750u-x64.dll
2014-01-30 11:02 - 2012-05-25 13:41 - 00258048 _____ (PFU) C:\Windows\system32\fi6770-x64.dll
2014-01-30 11:02 - 2011-12-08 19:10 - 01392265 _____ () C:\Windows\fjwia-x64.cab
2014-01-30 11:02 - 2011-12-07 12:03 - 00353792 _____ (PFU) C:\Windows\system32\fi60fu-x64.dll
2014-01-30 11:02 - 2011-04-22 09:35 - 00355594 _____ () C:\Windows\fi6140C-x64.cab
2014-01-30 11:02 - 2011-04-22 09:35 - 00355568 _____ () C:\Windows\fi6240C-x64.cab
2014-01-30 11:02 - 2011-04-21 19:05 - 00249856 _____ (PFU) C:\Windows\system32\fi6240u-x64.dll
2014-01-30 11:02 - 2011-04-21 19:05 - 00249856 _____ (PFU) C:\Windows\system32\fi6140u-x64.dll
2014-01-30 11:02 - 2011-04-21 19:05 - 00247808 _____ (PFU) C:\Windows\system32\fi6240-x64.dll
2014-01-30 11:02 - 2011-04-21 19:05 - 00247808 _____ (PFU) C:\Windows\system32\fi6140-x64.dll
2014-01-30 11:02 - 2010-06-14 13:08 - 00307712 _____ (PFU) C:\Windows\system32\fi5900ex-x64.dll
2014-01-30 11:02 - 2010-06-14 13:08 - 00032256 _____ () C:\Windows\system32\fi5900ex040C-x64.dll
2014-01-30 11:02 - 2010-06-14 13:08 - 00031744 _____ () C:\Windows\system32\fi5900ex0410-x64.dll
2014-01-30 11:02 - 2010-06-14 13:08 - 00026112 _____ () C:\Windows\system32\fi5900ex0412-x64.dll
2014-01-30 11:02 - 2010-06-14 13:08 - 00025600 _____ () C:\Windows\system32\fi5900ex0411-x64.dll
2014-01-30 11:02 - 2010-06-14 13:08 - 00023552 _____ () C:\Windows\system32\fi5900ex0804-x64.dll
2014-01-30 11:02 - 2010-06-14 13:07 - 00053760 _____ () C:\Windows\system32\fi5900ex0404-x64.dll
2014-01-30 11:02 - 2010-06-14 13:07 - 00033280 _____ () C:\Windows\system32\fi5900ex0419-x64.dll
2014-01-30 11:02 - 2010-06-14 13:07 - 00032256 _____ () C:\Windows\system32\fi5900ex0C0A-x64.dll
2014-01-30 11:02 - 2010-06-14 13:07 - 00031232 _____ () C:\Windows\system32\fi5900ex0416-x64.dll
2014-01-30 11:02 - 2010-06-14 13:07 - 00030720 _____ () C:\Windows\system32\fi5900ex0407-x64.dll
2014-01-30 11:02 - 2010-06-14 13:07 - 00029696 _____ () C:\Windows\system32\fi5900ex0409-x64.dll
2014-01-30 11:02 - 2010-06-09 15:34 - 00355834 _____ () C:\Windows\fi5950-x64.cab
2014-01-30 11:02 - 2010-06-09 12:42 - 00032256 _____ () C:\Windows\system32\fi5950ex0C0A-x64.dll
2014-01-30 11:02 - 2010-06-09 12:42 - 00031744 _____ () C:\Windows\system32\fi5950ex0410-x64.dll
2014-01-30 11:02 - 2010-06-09 12:42 - 00030720 _____ () C:\Windows\system32\fi5950ex0407-x64.dll
2014-01-30 11:02 - 2010-06-09 12:42 - 00025600 _____ () C:\Windows\system32\fi5950ex0411-x64.dll
2014-01-30 11:02 - 2010-06-09 12:42 - 00023552 _____ () C:\Windows\system32\fi5950ex0804-x64.dll
2014-01-30 11:02 - 2010-06-09 12:41 - 00307712 _____ (PFU) C:\Windows\system32\fi5950ex-x64.dll
2014-01-30 11:02 - 2010-06-09 12:41 - 00055808 _____ () C:\Windows\system32\fi5950ex0404-x64.dll
2014-01-30 11:02 - 2010-06-09 12:41 - 00033280 _____ () C:\Windows\system32\fi5950ex0419-x64.dll
2014-01-30 11:02 - 2010-06-09 12:41 - 00032256 _____ () C:\Windows\system32\fi5950ex040C-x64.dll
2014-01-30 11:02 - 2010-06-09 12:41 - 00029696 _____ () C:\Windows\system32\fi5950ex0409-x64.dll
2014-01-30 11:02 - 2010-06-09 12:41 - 00026112 _____ () C:\Windows\system32\fi5950ex0412-x64.dll
2014-01-30 11:02 - 2010-06-09 12:40 - 00062464 _____ () C:\Windows\system32\fi5950ex0416-x64.dll
2014-01-30 11:02 - 2010-05-24 11:59 - 00260096 _____ (PFU) C:\Windows\system32\fi5110u-x64.dll
2014-01-30 11:02 - 2010-05-24 11:59 - 00258048 _____ (PFU) C:\Windows\system32\fi5120-x64.dll
2014-01-30 11:02 - 2010-05-24 11:58 - 00260096 _____ (PFU) C:\Windows\system32\fi5530u-x64.dll
2014-01-30 11:02 - 2010-05-24 11:58 - 00260096 _____ (PFU) C:\Windows\system32\fi5220u-x64.dll
2014-01-30 11:02 - 2010-05-24 11:58 - 00260096 _____ (PFU) C:\Windows\system32\fi5120u-x64.dll
2014-01-30 11:02 - 2010-05-24 11:58 - 00258048 _____ (PFU) C:\Windows\system32\fi5530-x64.dll
2014-01-30 11:02 - 2010-05-24 11:58 - 00258048 _____ (PFU) C:\Windows\system32\fi5220-x64.dll
2014-01-30 11:02 - 2010-03-18 18:41 - 00258560 _____ (PFU) C:\Windows\system32\fi5750u-x64.dll
2014-01-30 11:02 - 2010-03-18 18:41 - 00258560 _____ (PFU) C:\Windows\system32\fi5650u-x64.dll
2014-01-30 11:02 - 2010-03-18 18:41 - 00256512 _____ (PFU) C:\Windows\system32\fi5750-x64.dll
2014-01-30 11:02 - 2010-03-18 18:41 - 00256512 _____ (PFU) C:\Windows\system32\fi5650-x64.dll
2014-01-30 11:02 - 2010-03-18 18:12 - 00255488 _____ (PFU) C:\Windows\system32\fi5900-x64.dll
2014-01-30 11:02 - 2010-03-18 18:11 - 00257536 _____ (PFU) C:\Windows\system32\fi5900u-x64.dll
2014-01-30 11:02 - 2010-02-16 14:20 - 00257536 _____ (PFU) C:\Windows\system32\fi5950u-x64.dll
2014-01-30 11:02 - 2010-02-16 14:19 - 00254976 _____ (PFU) C:\Windows\system32\fi5950-x64.dll
2014-01-30 11:02 - 2010-02-04 10:35 - 00033280 _____ () C:\Windows\system32\fi6140ex0C0A-x64.dll
2014-01-30 11:02 - 2010-02-04 10:35 - 00032768 _____ () C:\Windows\system32\fi6140ex0410-x64.dll
2014-01-30 11:02 - 2010-02-04 10:35 - 00031744 _____ () C:\Windows\system32\fi6140ex0407-x64.dll
2014-01-30 11:02 - 2010-02-04 10:35 - 00026624 _____ () C:\Windows\system32\fi6140ex0411-x64.dll
2014-01-30 11:02 - 2010-02-04 10:35 - 00024576 _____ () C:\Windows\system32\fi6140ex0804-x64.dll
2014-01-30 11:02 - 2010-02-04 10:34 - 00317440 _____ (PFU) C:\Windows\system32\fi6140ex-x64.dll
2014-01-30 11:02 - 2010-02-04 10:34 - 00033280 _____ () C:\Windows\system32\fi6240ex0C0A-x64.dll
2014-01-30 11:02 - 2010-02-04 10:34 - 00033280 _____ () C:\Windows\system32\fi6140ex040C-x64.dll
2014-01-30 11:02 - 2010-02-04 10:34 - 00032768 _____ () C:\Windows\system32\fi6240ex0410-x64.dll
2014-01-30 11:02 - 2010-02-04 10:34 - 00032256 _____ () C:\Windows\system32\fi6140ex0416-x64.dll
2014-01-30 11:02 - 2010-02-04 10:34 - 00031744 _____ () C:\Windows\system32\fi6240ex0407-x64.dll
2014-01-30 11:02 - 2010-02-04 10:34 - 00030208 _____ () C:\Windows\system32\fi6140ex0419-x64.dll
2014-01-30 11:02 - 2010-02-04 10:34 - 00030208 _____ () C:\Windows\system32\fi6140ex0409-x64.dll
2014-01-30 11:02 - 2010-02-04 10:34 - 00026624 _____ () C:\Windows\system32\fi6240ex0411-x64.dll
2014-01-30 11:02 - 2010-02-04 10:34 - 00025600 _____ () C:\Windows\system32\fi6140ex0412-x64.dll
2014-01-30 11:02 - 2010-02-04 10:34 - 00025088 _____ () C:\Windows\system32\fi6140ex0404-x64.dll
2014-01-30 11:02 - 2010-02-04 10:34 - 00024576 _____ () C:\Windows\system32\fi6240ex0804-x64.dll
2014-01-30 11:02 - 2010-02-04 10:33 - 00317440 _____ (PFU) C:\Windows\system32\fi6240ex-x64.dll
2014-01-30 11:02 - 2010-02-04 10:33 - 00317440 _____ (PFU) C:\Windows\system32\fi6130ex-x64.dll
2014-01-30 11:02 - 2010-02-04 10:33 - 00033280 _____ () C:\Windows\system32\fi6240ex040C-x64.dll
2014-01-30 11:02 - 2010-02-04 10:33 - 00033280 _____ () C:\Windows\system32\fi6130ex0C0A-x64.dll
2014-01-30 11:02 - 2010-02-04 10:33 - 00032768 _____ () C:\Windows\system32\fi6240ex0419-x64.dll
2014-01-30 11:02 - 2010-02-04 10:33 - 00032768 _____ () C:\Windows\system32\fi6130ex0410-x64.dll
2014-01-30 11:02 - 2010-02-04 10:33 - 00032256 _____ () C:\Windows\system32\fi6240ex0416-x64.dll
2014-01-30 11:02 - 2010-02-04 10:33 - 00031744 _____ () C:\Windows\system32\fi6130ex0407-x64.dll
2014-01-30 11:02 - 2010-02-04 10:33 - 00030208 _____ () C:\Windows\system32\fi6240ex0409-x64.dll
2014-01-30 11:02 - 2010-02-04 10:33 - 00026624 _____ () C:\Windows\system32\fi6130ex0411-x64.dll
2014-01-30 11:02 - 2010-02-04 10:33 - 00025600 _____ () C:\Windows\system32\fi6240ex0412-x64.dll
2014-01-30 11:02 - 2010-02-04 10:33 - 00025088 _____ () C:\Windows\system32\fi6240ex0404-x64.dll
2014-01-30 11:02 - 2010-02-04 10:33 - 00024576 _____ () C:\Windows\system32\fi6130ex0804-x64.dll
2014-01-30 11:02 - 2010-02-04 10:32 - 00317440 _____ (PFU) C:\Windows\system32\fi6230ex-x64.dll
2014-01-30 11:02 - 2010-02-04 10:32 - 00033280 _____ () C:\Windows\system32\fi6230ex0C0A-x64.dll
2014-01-30 11:02 - 2010-02-04 10:32 - 00033280 _____ () C:\Windows\system32\fi6130ex040C-x64.dll
2014-01-30 11:02 - 2010-02-04 10:32 - 00032768 _____ () C:\Windows\system32\fi6230ex0410-x64.dll
2014-01-30 11:02 - 2010-02-04 10:32 - 00032768 _____ () C:\Windows\system32\fi6130ex0419-x64.dll
2014-01-30 11:02 - 2010-02-04 10:32 - 00032256 _____ () C:\Windows\system32\fi6130ex0416-x64.dll
2014-01-30 11:02 - 2010-02-04 10:32 - 00031744 _____ () C:\Windows\system32\fi6230ex0407-x64.dll
2014-01-30 11:02 - 2010-02-04 10:32 - 00030208 _____ () C:\Windows\system32\fi6130ex0409-x64.dll
2014-01-30 11:02 - 2010-02-04 10:32 - 00026624 _____ () C:\Windows\system32\fi6230ex0411-x64.dll
2014-01-30 11:02 - 2010-02-04 10:32 - 00025600 _____ () C:\Windows\system32\fi6130ex0412-x64.dll
2014-01-30 11:02 - 2010-02-04 10:32 - 00025088 _____ () C:\Windows\system32\fi6130ex0404-x64.dll
2014-01-30 11:02 - 2010-02-04 10:32 - 00024576 _____ () C:\Windows\system32\fi6230ex0804-x64.dll
2014-01-30 11:02 - 2010-02-04 10:31 - 00317440 _____ (PFU) C:\Windows\system32\fi6125ex-x64.dll
2014-01-30 11:02 - 2010-02-04 10:31 - 00033280 _____ () C:\Windows\system32\fi6230ex040C-x64.dll
2014-01-30 11:02 - 2010-02-04 10:31 - 00033280 _____ () C:\Windows\system32\fi6125ex0C0A-x64.dll
2014-01-30 11:02 - 2010-02-04 10:31 - 00033280 _____ () C:\Windows\system32\fi6125ex0410-x64.dll
2014-01-30 11:02 - 2010-02-04 10:31 - 00032768 _____ () C:\Windows\system32\fi6230ex0419-x64.dll
2014-01-30 11:02 - 2010-02-04 10:31 - 00032256 _____ () C:\Windows\system32\fi6230ex0416-x64.dll
2014-01-30 11:02 - 2010-02-04 10:31 - 00031744 _____ () C:\Windows\system32\fi6125ex0407-x64.dll
2014-01-30 11:02 - 2010-02-04 10:31 - 00030208 _____ () C:\Windows\system32\fi6230ex0409-x64.dll
2014-01-30 11:02 - 2010-02-04 10:31 - 00026624 _____ () C:\Windows\system32\fi6125ex0411-x64.dll
2014-01-30 11:02 - 2010-02-04 10:31 - 00025600 _____ () C:\Windows\system32\fi6230ex0412-x64.dll
2014-01-30 11:02 - 2010-02-04 10:31 - 00025088 _____ () C:\Windows\system32\fi6230ex0404-x64.dll
2014-01-30 11:02 - 2010-02-04 10:31 - 00024576 _____ () C:\Windows\system32\fi6125ex0804-x64.dll
2014-01-30 11:02 - 2010-02-04 10:30 - 00317440 _____ (PFU) C:\Windows\system32\fi6225ex-x64.dll
2014-01-30 11:02 - 2010-02-04 10:30 - 00033280 _____ () C:\Windows\system32\fi6225ex0C0A-x64.dll
2014-01-30 11:02 - 2010-02-04 10:30 - 00033280 _____ () C:\Windows\system32\fi6225ex0410-x64.dll
2014-01-30 11:02 - 2010-02-04 10:30 - 00033280 _____ () C:\Windows\system32\fi6125ex040C-x64.dll
2014-01-30 11:02 - 2010-02-04 10:30 - 00032768 _____ () C:\Windows\system32\fi6125ex0419-x64.dll
2014-01-30 11:02 - 2010-02-04 10:30 - 00032256 _____ () C:\Windows\system32\fi6125ex0416-x64.dll
2014-01-30 11:02 - 2010-02-04 10:30 - 00031744 _____ () C:\Windows\system32\fi6225ex0407-x64.dll
2014-01-30 11:02 - 2010-02-04 10:30 - 00030720 _____ () C:\Windows\system32\fi6125ex0409-x64.dll
2014-01-30 11:02 - 2010-02-04 10:30 - 00026624 _____ () C:\Windows\system32\fi6225ex0411-x64.dll
2014-01-30 11:02 - 2010-02-04 10:30 - 00025600 _____ () C:\Windows\system32\fi6125ex0412-x64.dll
2014-01-30 11:02 - 2010-02-04 10:30 - 00025088 _____ () C:\Windows\system32\fi6125ex0404-x64.dll
2014-01-30 11:02 - 2010-02-04 10:30 - 00024576 _____ () C:\Windows\system32\fi6225ex0804-x64.dll
2014-01-30 11:02 - 2010-02-04 10:29 - 00033280 _____ () C:\Windows\system32\fi6225ex040C-x64.dll
2014-01-30 11:02 - 2010-02-04 10:29 - 00032768 _____ () C:\Windows\system32\fi6225ex0419-x64.dll
2014-01-30 11:02 - 2010-02-04 10:29 - 00030720 _____ () C:\Windows\system32\fi6225ex0409-x64.dll
2014-01-30 11:02 - 2010-02-04 10:29 - 00025600 _____ () C:\Windows\system32\fi6225ex0412-x64.dll
2014-01-30 11:02 - 2010-02-04 10:29 - 00025088 _____ () C:\Windows\system32\fi6225ex0404-x64.dll
2014-01-30 11:02 - 2010-02-04 10:28 - 00032256 _____ () C:\Windows\system32\fi6225ex0416-x64.dll
2014-01-30 11:02 - 2009-01-05 20:10 - 00361773 _____ () C:\Windows\fi6130T-x64.cab
2014-01-30 11:02 - 2009-01-05 19:40 - 00259072 _____ (PFU) C:\Windows\system32\fi6130Tu-x64.dll
2014-01-30 11:02 - 2009-01-05 19:40 - 00257024 _____ (PFU) C:\Windows\system32\fi6130T-x64.dll
2014-01-30 11:02 - 2008-09-15 10:29 - 00361029 _____ () C:\Windows\fi6230T-x64.cab
2014-01-30 11:02 - 2008-09-15 10:23 - 00258560 _____ (PFU) C:\Windows\system32\fi6230Tu-x64.dll
2014-01-30 11:02 - 2008-09-15 10:22 - 00256512 _____ (PFU) C:\Windows\system32\fi6230T-x64.dll
2014-01-30 11:02 - 2008-03-27 09:01 - 00305664 _____ (PFU) C:\Windows\system32\fi6750ex-x64.dll
2014-01-30 11:02 - 2008-03-27 09:01 - 00058880 _____ () C:\Windows\system32\fi6750ex0416-x64.dll
2014-01-30 11:02 - 2008-03-27 09:01 - 00031744 _____ () C:\Windows\system32\fi6750ex0C0A-x64.dll
2014-01-30 11:02 - 2008-03-27 09:01 - 00031744 _____ () C:\Windows\system32\fi6750ex040C-x64.dll
2014-01-30 11:02 - 2008-03-27 09:01 - 00031232 _____ () C:\Windows\system32\fi6750ex0419-x64.dll
2014-01-30 11:02 - 2008-03-27 09:01 - 00030208 _____ () C:\Windows\system32\fi6750ex0407-x64.dll
2014-01-30 11:02 - 2008-03-27 09:01 - 00029184 _____ () C:\Windows\system32\fi6750ex0409-x64.dll
2014-01-30 11:02 - 2008-03-27 09:01 - 00025088 _____ () C:\Windows\system32\fi6750ex0411-x64.dll
2014-01-30 11:02 - 2008-03-27 09:01 - 00024576 _____ () C:\Windows\system32\fi6750ex0412-x64.dll
2014-01-30 11:02 - 2008-03-27 09:01 - 00024064 _____ () C:\Windows\system32\fi6750ex0404-x64.dll
2014-01-30 11:02 - 2008-03-27 09:01 - 00023552 _____ () C:\Windows\system32\fi6750ex0804-x64.dll
2014-01-30 11:02 - 2008-03-27 09:00 - 00031232 _____ () C:\Windows\system32\fi6750ex0410-x64.dll
2014-01-30 11:02 - 2007-11-08 16:39 - 00031744 _____ () C:\Windows\system32\fi6670ex040C-x64.dll
2014-01-30 11:02 - 2007-11-08 16:39 - 00029184 _____ () C:\Windows\system32\fi6670ex0409-x64.dll
2014-01-30 11:02 - 2007-11-08 16:39 - 00025088 _____ () C:\Windows\system32\fi6670ex0411-x64.dll
2014-01-30 11:02 - 2007-11-08 16:39 - 00023552 _____ () C:\Windows\system32\fi6670ex0804-x64.dll
2014-01-30 11:02 - 2007-11-08 16:38 - 00305152 _____ (PFU) C:\Windows\system32\fi6670ex-x64.dll
2014-01-30 11:02 - 2007-11-08 16:38 - 00058880 _____ () C:\Windows\system32\fi6670ex0416-x64.dll
2014-01-30 11:02 - 2007-11-08 16:38 - 00031744 _____ () C:\Windows\system32\fi6770ex040C-x64.dll
2014-01-30 11:02 - 2007-11-08 16:38 - 00031744 _____ () C:\Windows\system32\fi6670ex0C0A-x64.dll
2014-01-30 11:02 - 2007-11-08 16:38 - 00031232 _____ () C:\Windows\system32\fi6670ex0419-x64.dll
2014-01-30 11:02 - 2007-11-08 16:38 - 00031232 _____ () C:\Windows\system32\fi6670ex0410-x64.dll
2014-01-30 11:02 - 2007-11-08 16:38 - 00030208 _____ () C:\Windows\system32\fi6670ex0407-x64.dll
2014-01-30 11:02 - 2007-11-08 16:38 - 00025088 _____ () C:\Windows\system32\fi6770ex0411-x64.dll
2014-01-30 11:02 - 2007-11-08 16:38 - 00024576 _____ () C:\Windows\system32\fi6670ex0412-x64.dll
2014-01-30 11:02 - 2007-11-08 16:38 - 00024064 _____ () C:\Windows\system32\fi6670ex0404-x64.dll
2014-01-30 11:02 - 2007-11-08 16:38 - 00023552 _____ () C:\Windows\system32\fi6770ex0804-x64.dll
2014-01-30 11:02 - 2007-11-08 16:37 - 00305152 _____ (PFU) C:\Windows\system32\fi6770ex-x64.dll
2014-01-30 11:02 - 2007-11-08 16:37 - 00058880 _____ () C:\Windows\system32\fi6770ex0416-x64.dll
2014-01-30 11:02 - 2007-11-08 16:37 - 00031744 _____ () C:\Windows\system32\fi6770ex0C0A-x64.dll
2014-01-30 11:02 - 2007-11-08 16:37 - 00031232 _____ () C:\Windows\system32\fi6770ex0419-x64.dll
2014-01-30 11:02 - 2007-11-08 16:37 - 00031232 _____ () C:\Windows\system32\fi6770ex0410-x64.dll
2014-01-30 11:02 - 2007-11-08 16:37 - 00030208 _____ () C:\Windows\system32\fi6770ex0407-x64.dll
2014-01-30 11:02 - 2007-11-08 16:37 - 00029184 _____ () C:\Windows\system32\fi6770ex0409-x64.dll
2014-01-30 11:02 - 2007-11-08 16:37 - 00024576 _____ () C:\Windows\system32\fi6770ex0412-x64.dll
2014-01-30 11:02 - 2007-11-08 16:37 - 00024064 _____ () C:\Windows\system32\fi6770ex0404-x64.dll
2014-01-30 11:02 - 2007-07-12 17:15 - 00316928 _____ (PFU) C:\Windows\system32\fi6130Tex-x64.dll
2014-01-30 11:02 - 2007-07-12 17:15 - 00033280 _____ () C:\Windows\system32\fi6130Tex0C0A-x64.dll
2014-01-30 11:02 - 2007-07-12 17:15 - 00033280 _____ () C:\Windows\system32\fi6130Tex0410-x64.dll
2014-01-30 11:02 - 2007-07-12 17:15 - 00031744 _____ () C:\Windows\system32\fi6130Tex0407-x64.dll
2014-01-30 11:02 - 2007-07-12 17:15 - 00026624 _____ () C:\Windows\system32\fi6130Tex0411-x64.dll
2014-01-30 11:02 - 2007-07-12 17:15 - 00024576 _____ () C:\Windows\system32\fi6130Tex0804-x64.dll
2014-01-30 11:02 - 2007-07-12 17:14 - 00316928 _____ (PFU) C:\Windows\system32\fi6230Tex-x64.dll
2014-01-30 11:02 - 2007-07-12 17:14 - 00033280 _____ () C:\Windows\system32\fi6230Tex040C-x64.dll
2014-01-30 11:02 - 2007-07-12 17:14 - 00033280 _____ () C:\Windows\system32\fi6130Tex040C-x64.dll
2014-01-30 11:02 - 2007-07-12 17:14 - 00032768 _____ () C:\Windows\system32\fi6130Tex0419-x64.dll
2014-01-30 11:02 - 2007-07-12 17:14 - 00030720 _____ () C:\Windows\system32\fi6130Tex0409-x64.dll
2014-01-30 11:02 - 2007-07-12 17:14 - 00025600 _____ () C:\Windows\system32\fi6130Tex0412-x64.dll
2014-01-30 11:02 - 2007-07-12 17:14 - 00025088 _____ () C:\Windows\system32\fi6130Tex0404-x64.dll
2014-01-30 11:02 - 2007-07-12 17:14 - 00024576 _____ () C:\Windows\system32\fi6230Tex0804-x64.dll
2014-01-30 11:02 - 2007-07-12 17:13 - 00033280 _____ () C:\Windows\system32\fi6230Tex0C0A-x64.dll
2014-01-30 11:02 - 2007-07-12 17:13 - 00033280 _____ () C:\Windows\system32\fi6230Tex0410-x64.dll
2014-01-30 11:02 - 2007-07-12 17:13 - 00032768 _____ () C:\Windows\system32\fi6230Tex0419-x64.dll
2014-01-30 11:02 - 2007-07-12 17:13 - 00031744 _____ () C:\Windows\system32\fi6230Tex0407-x64.dll
2014-01-30 11:02 - 2007-07-12 17:13 - 00030720 _____ () C:\Windows\system32\fi6230Tex0409-x64.dll
2014-01-30 11:02 - 2007-07-12 17:13 - 00026624 _____ () C:\Windows\system32\fi6230Tex0411-x64.dll
2014-01-30 11:02 - 2007-07-12 17:13 - 00025600 _____ () C:\Windows\system32\fi6230Tex0412-x64.dll
2014-01-30 11:02 - 2007-07-12 17:13 - 00025088 _____ () C:\Windows\system32\fi6230Tex0404-x64.dll
2014-01-30 11:02 - 2007-03-12 14:21 - 00309248 _____ (PFU) C:\Windows\system32\fi60fex-x64.dll
2014-01-30 11:02 - 2007-03-12 14:21 - 00031744 _____ () C:\Windows\system32\fi60fex040C-x64.dll
2014-01-30 11:02 - 2007-03-12 14:21 - 00031232 _____ () C:\Windows\system32\fi60fex0410-x64.dll
2014-01-30 11:02 - 2007-03-12 14:21 - 00025600 _____ () C:\Windows\system32\fi60fex0411-x64.dll
2014-01-30 11:02 - 2007-03-12 14:21 - 00023552 _____ () C:\Windows\system32\fi60fex0804-x64.dll
2014-01-30 11:02 - 2007-03-12 14:20 - 00031744 _____ () C:\Windows\system32\fi60fex0C0A-x64.dll
2014-01-30 11:02 - 2007-03-12 14:20 - 00031232 _____ () C:\Windows\system32\fi60fex0419-x64.dll
2014-01-30 11:02 - 2007-03-12 14:20 - 00030208 _____ () C:\Windows\system32\fi60fex0407-x64.dll
2014-01-30 11:02 - 2007-03-12 14:20 - 00029184 _____ () C:\Windows\system32\fi60fex0409-x64.dll
2014-01-30 11:02 - 2007-02-14 15:11 - 00315392 _____ (PFU) C:\Windows\system32\fi55302ex-x64.dll
2014-01-30 11:02 - 2007-02-14 15:11 - 00033280 _____ () C:\Windows\system32\fi55302ex0C0A-x64.dll
2014-01-30 11:02 - 2007-02-14 15:09 - 00033280 _____ () C:\Windows\system32\fi55302ex0410-x64.dll
2014-01-30 11:02 - 2007-02-14 15:09 - 00033280 _____ () C:\Windows\system32\fi55302ex040C-x64.dll
2014-01-30 11:02 - 2007-02-14 15:09 - 00032768 _____ () C:\Windows\system32\fi55302ex0419-x64.dll
2014-01-30 11:02 - 2007-02-14 15:09 - 00030720 _____ () C:\Windows\system32\fi55302ex0409-x64.dll
2014-01-30 11:02 - 2007-02-14 15:09 - 00026624 _____ () C:\Windows\system32\fi55302ex0411-x64.dll
2014-01-30 11:02 - 2007-02-14 15:09 - 00025600 _____ () C:\Windows\system32\fi55302ex0412-x64.dll
2014-01-30 11:02 - 2007-02-14 15:09 - 00024576 _____ () C:\Windows\system32\fi55302ex0804-x64.dll
2014-01-30 11:02 - 2007-02-14 15:08 - 00031744 _____ () C:\Windows\system32\fi55302ex0407-x64.dll
2014-01-30 11:02 - 2006-12-18 17:20 - 00031744 _____ () C:\Windows\system32\fi5120ex0407-x64.dll
2014-01-30 11:02 - 2006-12-18 17:19 - 00314880 _____ (PFU) C:\Windows\system32\fi5120ex-x64.dll
2014-01-30 11:02 - 2006-12-18 17:19 - 00033280 _____ () C:\Windows\system32\fi5120ex0C0A-x64.dll
2014-01-30 11:02 - 2006-12-18 17:19 - 00032768 _____ () C:\Windows\system32\fi5120ex0410-x64.dll
2014-01-30 11:02 - 2006-12-18 17:19 - 00026624 _____ () C:\Windows\system32\fi5120ex0411-x64.dll
2014-01-30 11:02 - 2006-12-18 17:19 - 00024576 _____ () C:\Windows\system32\fi5120ex0804-x64.dll
2014-01-30 11:02 - 2006-12-18 17:18 - 00033280 _____ () C:\Windows\system32\fi5120ex040C-x64.dll
2014-01-30 11:02 - 2006-12-18 17:18 - 00032768 _____ () C:\Windows\system32\fi5120ex0419-x64.dll
2014-01-30 11:02 - 2006-12-18 17:18 - 00030208 _____ () C:\Windows\system32\fi5120ex0409-x64.dll
2014-01-30 11:02 - 2006-12-18 17:18 - 00025600 _____ () C:\Windows\system32\fi5120ex0412-x64.dll
2014-01-30 11:02 - 2006-12-18 17:18 - 00024576 _____ () C:\Windows\system32\fi5220ex0804-x64.dll
2014-01-30 11:02 - 2006-12-18 17:17 - 00314880 _____ (PFU) C:\Windows\system32\fi5220ex-x64.dll
2014-01-30 11:02 - 2006-12-18 17:17 - 00033280 _____ () C:\Windows\system32\fi5220ex040C-x64.dll
2014-01-30 11:02 - 2006-12-18 17:17 - 00032768 _____ () C:\Windows\system32\fi5220ex0419-x64.dll
2014-01-30 11:02 - 2006-12-18 17:17 - 00031744 _____ () C:\Windows\system32\fi5220ex0407-x64.dll
2014-01-30 11:02 - 2006-12-18 17:17 - 00030208 _____ () C:\Windows\system32\fi5220ex0409-x64.dll
2014-01-30 11:02 - 2006-12-18 17:17 - 00025600 _____ () C:\Windows\system32\fi5220ex0412-x64.dll
2014-01-30 11:02 - 2006-12-18 17:16 - 00033280 _____ () C:\Windows\system32\fi5220ex0C0A-x64.dll
2014-01-30 11:02 - 2006-12-18 17:16 - 00032768 _____ () C:\Windows\system32\fi5220ex0410-x64.dll
2014-01-30 11:02 - 2006-12-18 17:16 - 00026624 _____ () C:\Windows\system32\fi5220ex0411-x64.dll
2014-01-30 11:02 - 2006-10-31 18:01 - 00033280 _____ () C:\Windows\system32\fi5530ex0C0A-x64.dll
2014-01-30 11:02 - 2006-10-31 18:00 - 00314880 _____ (PFU) C:\Windows\system32\fi5530ex-x64.dll
2014-01-30 11:02 - 2006-10-31 17:59 - 00033280 _____ () C:\Windows\system32\fi5530ex0410-x64.dll
2014-01-30 11:02 - 2006-10-31 17:59 - 00033280 _____ () C:\Windows\system32\fi5530ex040C-x64.dll
2014-01-30 11:02 - 2006-10-31 17:59 - 00032768 _____ () C:\Windows\system32\fi5530ex0419-x64.dll
2014-01-30 11:02 - 2006-10-31 17:59 - 00030720 _____ () C:\Windows\system32\fi5530ex0409-x64.dll
2014-01-30 11:02 - 2006-10-31 17:59 - 00026624 _____ () C:\Windows\system32\fi5530ex0411-x64.dll
2014-01-30 11:02 - 2006-10-31 17:59 - 00025600 _____ () C:\Windows\system32\fi5530ex0412-x64.dll
2014-01-30 11:02 - 2006-10-31 17:59 - 00024576 _____ () C:\Windows\system32\fi5530ex0804-x64.dll
2014-01-30 11:02 - 2006-10-31 17:58 - 00031744 _____ () C:\Windows\system32\fi5530ex0407-x64.dll
2014-01-30 11:02 - 2006-10-31 17:49 - 00032256 _____ () C:\Windows\system32\fi5110ex0410-x64.dll
2014-01-30 11:02 - 2006-10-31 17:48 - 00307712 _____ (PFU) C:\Windows\system32\fi5110ex-x64.dll
2014-01-30 11:02 - 2006-10-31 17:48 - 00032256 _____ () C:\Windows\system32\fi5110ex040C-x64.dll
2014-01-30 11:02 - 2006-10-31 17:48 - 00031744 _____ () C:\Windows\system32\fi5110ex0419-x64.dll
2014-01-30 11:02 - 2006-10-31 17:48 - 00030208 _____ () C:\Windows\system32\fi5110ex0409-x64.dll
2014-01-30 11:02 - 2006-10-31 17:48 - 00026112 _____ () C:\Windows\system32\fi5110ex0411-x64.dll
2014-01-30 11:02 - 2006-10-31 17:48 - 00024064 _____ () C:\Windows\system32\fi5110ex0804-x64.dll
2014-01-30 11:02 - 2006-10-31 17:47 - 00032768 _____ () C:\Windows\system32\fi5110ex0C0A-x64.dll
2014-01-30 11:02 - 2006-10-31 17:47 - 00031232 _____ () C:\Windows\system32\fi5110ex0407-x64.dll
2014-01-30 11:02 - 2006-10-31 17:39 - 00025088 _____ () C:\Windows\system32\fi5750ex0411-x64.dll
2014-01-30 11:02 - 2006-10-31 17:39 - 00023040 _____ () C:\Windows\system32\fi5750ex0804-x64.dll
2014-01-30 11:02 - 2006-10-31 17:38 - 00031232 _____ () C:\Windows\system32\fi5750ex040C-x64.dll
2014-01-30 11:02 - 2006-10-31 17:38 - 00028672 _____ () C:\Windows\system32\fi5750ex0409-x64.dll
2014-01-30 11:02 - 2006-10-31 17:37 - 00303616 _____ (PFU) C:\Windows\system32\fi5750ex-x64.dll
2014-01-30 11:02 - 2006-10-31 17:37 - 00031232 _____ () C:\Windows\system32\fi5750ex0C0A-x64.dll
2014-01-30 11:02 - 2006-10-31 17:37 - 00030720 _____ () C:\Windows\system32\fi5750ex0419-x64.dll
2014-01-30 11:02 - 2006-10-31 17:37 - 00030208 _____ () C:\Windows\system32\fi5750ex0407-x64.dll
2014-01-30 11:02 - 2006-10-31 17:36 - 00303616 _____ (PFU) C:\Windows\system32\fi5650ex-x64.dll
2014-01-30 11:02 - 2006-10-31 17:36 - 00031232 _____ () C:\Windows\system32\fi5750ex0410-x64.dll
2014-01-30 11:02 - 2006-10-31 17:36 - 00031232 _____ () C:\Windows\system32\fi5650ex0C0A-x64.dll
2014-01-30 11:02 - 2006-10-31 17:36 - 00031232 _____ () C:\Windows\system32\fi5650ex0410-x64.dll
2014-01-30 11:02 - 2006-10-31 17:36 - 00030208 _____ () C:\Windows\system32\fi5650ex0407-x64.dll
2014-01-30 11:02 - 2006-10-31 17:36 - 00025088 _____ () C:\Windows\system32\fi5650ex0411-x64.dll
2014-01-30 11:02 - 2006-10-31 17:34 - 00031232 _____ () C:\Windows\system32\fi5650ex040C-x64.dll
2014-01-30 11:02 - 2006-10-31 17:34 - 00028672 _____ () C:\Windows\system32\fi5650ex0419-x64.dll
2014-01-30 11:02 - 2006-10-31 17:34 - 00028672 _____ () C:\Windows\system32\fi5650ex0409-x64.dll
2014-01-30 11:02 - 2006-10-31 17:34 - 00023040 _____ () C:\Windows\system32\fi5650ex0804-x64.dll
2014-01-30 11:02 - 2001-03-26 20:40 - 00000058 _____ () C:\Windows\system32\FJTWAIN.URL
2014-01-30 11:01 - 2014-01-30 11:02 - 00000000 ____D () C:\Windows\fjmini
2014-01-30 11:01 - 2014-01-30 11:01 - 00000000 ____D () C:\ProgramData\Fujitsu
2014-01-30 11:01 - 2002-12-18 17:04 - 00040960 _____ (PFU) C:\Windows\SysWOW64\fjtwnop.exe
2014-01-30 11:01 - 2001-03-26 20:40 - 00000058 _____ () C:\Windows\FJTWAIN.URL
2014-01-29 14:21 - 2014-01-29 14:21 - 00001196 _____ () C:\Users\stephen\Desktop\printers.txt
2014-01-15 09:43 - 2014-01-15 09:43 - 00000000 ____D () C:\ProgramData\Hewlett-Packard
2014-01-15 09:42 - 2014-01-15 09:42 - 00000000 _____ () C:\Windows\HPMProp.INI
2014-01-15 09:42 - 2012-11-26 04:36 - 00418304 _____ (Hewlett-Packard Corporation) C:\Windows\system32\hpcpn140.dll
2014-01-15 09:42 - 2012-11-26 04:34 - 00210944 _____ (Hewlett-Packard) C:\Windows\system32\hpmml140.dll
2014-01-15 09:42 - 2012-11-26 04:33 - 00193536 _____ (Hewlett-Packard) C:\Windows\system32\hpmja140.dll
2014-01-15 09:42 - 2012-11-26 04:33 - 00183296 _____ (Hewlett-Packard) C:\Windows\system32\hpmpm081.dll
2014-01-15 09:42 - 2012-11-26 04:33 - 00155648 _____ (Hewlett-Packard) C:\Windows\system32\hpmtp140.dll
2014-01-15 09:42 - 2012-11-26 04:33 - 00133632 _____ (Hewlett-Packard) C:\Windows\system32\hpcjpm.dll
2014-01-15 09:42 - 2012-11-26 04:33 - 00067584 _____ (Hewlett-Packard) C:\Windows\system32\hpmpw081.dll
2014-01-15 09:42 - 2012-11-26 04:29 - 00417280 _____ () C:\Windows\SysWOW64\hpcc3140.dll
2014-01-15 09:42 - 2012-09-28 19:37 - 00512000 _____ (HP) C:\Windows\SysWOW64\hpcdmc32.dll
2014-01-15 09:42 - 2012-08-23 11:02 - 00230912 _____ (Hewlett-Packard Company) C:\Windows\system32\hpmlm135.dll
2014-01-15 09:42 - 2011-02-11 14:23 - 00193592 _____ (Hewlett-Packard) C:\Windows\system32\hppdcompio.dll
2014-01-15 09:42 - 2011-02-11 14:23 - 00167480 _____ (Hewlett-Packard) C:\Windows\SysWOW64\hppccompio.dll
2014-01-15 09:42 - 2009-02-25 16:32 - 00060440 _____ (Hewlett-Packard) C:\Windows\system32\FxCompChannel_x64.dll
2014-01-14 07:56 - 2014-01-14 07:56 - 00001830 __RSH () C:\Users\astephen\ntuser.pol
2014-01-14 07:56 - 2014-01-14 07:56 - 00001443 _____ () C:\Users\astephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-01-14 07:56 - 2014-01-14 07:56 - 00001409 _____ () C:\Users\astephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2014-01-14 07:56 - 2014-01-14 07:56 - 00000000 ___RD () C:\Users\astephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-01-14 07:56 - 2014-01-14 07:56 - 00000000 ___RD () C:\Users\astephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-01-14 07:56 - 2014-01-14 07:56 - 00000000 ____D () C:\Users\astephen\AppData\Local\VirtualStore
2014-01-14 07:56 - 2014-01-14 07:56 - 00000000 ____D () C:\Users\astephen\AppData\Local\Adobe
2014-01-14 07:56 - 2014-01-14 07:56 - 00000000 ____D () C:\Users\astephen
2014-01-14 07:56 - 2013-12-10 12:27 - 00002096 _____ () C:\Users\astephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft SkyDrive.lnk
2014-01-14 07:56 - 2013-11-08 06:43 - 00000000 ____D () C:\Users\astephen\AppData\Roaming\Roxio Burn
2014-01-14 07:56 - 2013-11-08 06:38 - 00000000 ____D () C:\Users\astephen\AppData\Roaming\CyberLink
2014-01-14 07:56 - 2013-11-08 06:38 - 00000000 ____D () C:\Users\astephen\AppData\Local\Cyberlink
2014-01-14 07:56 - 2013-11-08 06:36 - 00000000 ____D () C:\Users\astephen\AppData\Roaming\Macrovision
2014-01-14 07:56 - 2013-11-08 06:35 - 00074856 _____ () C:\Users\astephen\AppData\Local\GDIPFONTCACHEV1.DAT
2014-01-14 07:56 - 2013-11-08 06:35 - 00000000 ____D () C:\Users\astephen\AppData\Local\Sonic_Solutions
2014-01-14 07:56 - 2013-11-08 06:34 - 00000000 ____D () C:\Users\astephen\AppData\Roaming\Roxio
2014-01-14 07:56 - 2013-11-08 06:22 - 00000000 ____D () C:\Users\astephen\AppData\Roaming\Roxio Log Files
2014-01-14 07:56 - 2013-11-04 10:31 - 00000118 _____ () C:\Users\astephen\Desktop\LCARS.url
2014-01-14 07:56 - 2013-10-30 06:58 - 00000000 ____D () C:\Users\astephen\AppData\Roaming\Macromedia
2014-01-14 07:56 - 2013-10-30 06:58 - 00000000 ____D () C:\Users\astephen\AppData\Roaming\Adobe
2014-01-14 07:56 - 2013-08-20 07:51 - 00000000 ____D () C:\Users\astephen\AppData\Local\WindowsUpdate
2014-01-14 07:56 - 2013-08-20 07:38 - 00000020 ___SH () C:\Users\astephen\ntuser.ini
2014-01-14 07:56 - 2013-08-20 07:38 - 00000000 ____D () C:\Users\astephen\AppData\Local\Conexant
2014-01-14 07:56 - 2009-07-13 23:54 - 00000000 ___RD () C:\Users\astephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-01-14 07:56 - 2009-07-13 23:49 - 00000000 ___RD () C:\Users\astephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-01-14 07:56 - 2006-08-22 05:56 - 00002310 _____ () C:\Users\astephen\Desktop\Security.lnk

==================== One Month Modified Files and Folders =======

2014-02-07 12:55 - 2014-02-07 12:55 - 02079744 _____ (Farbar) C:\Users\stephen\Downloads\FRST64.exe
2014-02-07 12:55 - 2014-02-07 12:55 - 00010609 _____ () C:\Users\stephen\Downloads\FRST.txt
2014-02-07 12:55 - 2014-02-07 12:55 - 00000000 ____D () C:\FRST
2014-02-07 12:47 - 2013-12-05 06:33 - 01648402 _____ () C:\Windows\WindowsUpdate.log
2014-02-07 12:44 - 2013-12-23 07:02 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-02-07 11:53 - 2013-12-05 07:04 - 00000472 _____ () C:\Windows\system32\config\netlogon.ftl
2014-02-07 01:23 - 2013-12-10 12:35 - 00389764 _____ () C:\Windows\SysWOW64\TmInstall.log
2014-02-07 01:23 - 2013-12-10 12:33 - 00225362 _____ () C:\Windows\system32\TmInstall.log
2014-02-05 09:56 - 2009-07-13 23:45 - 00030496 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-05 09:56 - 2009-07-13 23:45 - 00030496 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-05 09:53 - 2014-02-05 09:53 - 00020346 _____ () C:\ComboFix.txt
2014-02-05 09:53 - 2014-01-30 13:52 - 00000000 ____D () C:\Qoobox
2014-02-05 09:49 - 2009-07-13 21:34 - 00000215 _____ () C:\Windows\system.ini
2014-02-05 09:48 - 2013-11-27 11:40 - 00010271 _____ () C:\Windows\setupact.log
2014-02-05 09:48 - 2010-11-20 22:47 - 00152368 _____ () C:\Windows\PFRO.log
2014-02-05 09:48 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-04 09:09 - 2009-07-14 00:13 - 00817274 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-04 08:17 - 2014-02-04 08:17 - 00002055 _____ () C:\Users\stephen\Desktop\rkill.lnk
2014-01-31 08:21 - 2013-12-10 13:17 - 00002080 _____ () C:\Users\stephen\Desktop\ComboFix.lnk
2014-01-30 14:18 - 2013-11-27 10:30 - 00813632 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-01-30 14:16 - 2014-01-30 14:16 - 00001109 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-30 14:16 - 2014-01-30 14:16 - 00000000 ____D () C:\Users\stephen\AppData\Roaming\Malwarebytes
2014-01-30 14:16 - 2014-01-30 14:16 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-01-30 14:16 - 2014-01-30 14:16 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-30 14:08 - 2009-07-13 22:20 - 00000000 __RHD () C:\Users\Default
2014-01-30 14:07 - 2014-01-30 13:52 - 00000000 ____D () C:\Windows\erdnt
2014-01-30 13:49 - 2014-01-30 13:49 - 00000000 ____D () C:\Users\stephen\AppData\Local\Brice_Lambson
2014-01-30 13:48 - 2014-01-30 13:48 - 00922057 _____ (Brice Lambson) C:\Users\stephen\Desktop\ImageResizerSetup.exe
2014-01-30 13:48 - 2014-01-30 13:48 - 00000000 ____D () C:\ProgramData\Package Cache
2014-01-30 13:48 - 2014-01-30 13:48 - 00000000 ____D () C:\Program Files\Image Resizer for Windows
2014-01-30 13:48 - 2014-01-30 13:48 - 00000000 ____D () C:\Program Files (x86)\Image Resizer for Windows
2014-01-30 13:45 - 2014-01-30 13:45 - 00003316 _____ () C:\Windows\System32\Tasks\{655CF513-7EF5-4841-A8D1-8C95410C0EF7}
2014-01-30 13:45 - 2014-01-30 13:45 - 00000000 ____D () C:\Windows\Downloaded Installations
2014-01-30 11:11 - 2014-01-30 11:11 - 00000000 ____D () C:\Users\stephen\AppData\Roaming\InstallShield
2014-01-30 11:11 - 2013-11-08 06:38 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-01-30 11:02 - 2014-01-30 11:01 - 00000000 ____D () C:\Windows\fjmini
2014-01-30 11:01 - 2014-01-30 11:01 - 00000000 ____D () C:\ProgramData\Fujitsu
2014-01-29 14:21 - 2014-01-29 14:21 - 00001196 _____ () C:\Users\stephen\Desktop\printers.txt
2014-01-29 13:38 - 2013-12-17 08:12 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2014-01-27 07:02 - 2013-12-10 12:30 - 00026778 _____ () C:\ProgramData\SCID.LOG
2014-01-27 07:02 - 2013-12-10 12:30 - 00002925 _____ () C:\ProgramData\SCD.LOG
2014-01-27 07:02 - 2013-12-10 12:30 - 00001568 _____ () C:\ProgramData\SSIHistory.dat
2014-01-22 09:54 - 2009-07-13 22:20 - 00000000 __RHD () C:\Users\Public\Libraries
2014-01-15 09:43 - 2014-01-15 09:43 - 00000000 ____D () C:\ProgramData\Hewlett-Packard
2014-01-15 09:42 - 2014-01-15 09:42 - 00000000 _____ () C:\Windows\HPMProp.INI
2014-01-14 07:56 - 2014-01-14 07:56 - 00001830 __RSH () C:\Users\astephen\ntuser.pol
2014-01-14 07:56 - 2014-01-14 07:56 - 00001443 _____ () C:\Users\astephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-01-14 07:56 - 2014-01-14 07:56 - 00001409 _____ () C:\Users\astephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2014-01-14 07:56 - 2014-01-14 07:56 - 00000000 ___RD () C:\Users\astephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-01-14 07:56 - 2014-01-14 07:56 - 00000000 ___RD () C:\Users\astephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-01-14 07:56 - 2014-01-14 07:56 - 00000000 ____D () C:\Users\astephen\AppData\Local\VirtualStore
2014-01-14 07:56 - 2014-01-14 07:56 - 00000000 ____D () C:\Users\astephen\AppData\Local\Adobe
2014-01-14 07:56 - 2014-01-14 07:56 - 00000000 ____D () C:\Users\astephen

Files to move or delete:
====================
C:\ProgramData\SSIHistory.dat

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-01-29 00:47

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-02-2014
Ran by stephen at 2014-02-07 12:56:15
Running from C:\Users\stephen\Downloads
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: Trend Micro OfficeScan Antivirus (Enabled - Up to date) {7193B549-236F-55EE-9AEC-F65279E59A92}
AS: Trend Micro OfficeScan Anti-spyware (Enabled - Up to date) {CAF254AD-0555-5A60-A05C-CD200262D02F}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

64 Bit HP CIO Components Installer (Version: 13.2.1 - Hewlett-Packard) Hidden
Adobe Acrobat XI Standard (x32 Version: 11.0.06 - Adobe Systems)
Adobe Flash Player 11 ActiveX (x32 Version: 11.9.900.170 - Adobe Systems Incorporated)
Conexant HD Audio (Version: 8.50.5.51 - Conexant)
CyberLink PowerDVD 9.5 (x32 Version: 9.5.1.6523 - CyberLink Corp.)
CyberLink PowerDVD 9.5 (x32 Version: 9.5.1.6523 - CyberLink Corp.) Hidden
DirectX 9 Runtime (x32 Version: 1.00.0000 - Sonic Solutions) Hidden
IBM Endpoint Manager Client (x32 Version: 9.0.787.0 - IBM Corp.)
Image Resizer for Windows (64 bit) (Version: 3.0.4802.35565 - Brice Lambson) Hidden
Image Resizer for Windows (x32 Version: 3.0.4802.35565 - Brice Lambson)
Intel® Processor Graphics (x32 Version: 9.17.10.2932 - Intel Corporation)
Java 7 Update 45 (x32 Version: 7.0.450 - Oracle)
Java Auto Updater (x32 Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
KEA2008 (x32 Version: 1.0.0.0 - Attachmate)
KEAVT v5.10 (x32 Version:  - )
Malwarebytes Anti-Malware version 1.75.0.1300 (x32 Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Office Professional 2013 - en-us (Version: 15.0.4551.1512 - Microsoft Corporation)
Microsoft Silverlight (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft SkyDrive (HKCU Version: 17.0.2015.0811 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (x32 Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001 - Microsoft Corporation)
Mozilla Firefox 26.0 (x86 en-US) (x32 Version: 26.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (x32 Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (x32 Version: 4.20.9876.0 - Microsoft Corporation)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4551.1512 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4551.1512 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4551.1512 - Microsoft Corporation) Hidden
PhotoShowExpress (x32 Version: 2.0.063 - Sonic Solutions) Hidden
RBVirtualFolder64Inst (Version: 1.00.0000 - Roxio, Inc.) Hidden
Roxio Activation Module (x32 Version: 1.0 - Roxio) Hidden
Roxio BackOnTrack (x32 Version: 1.3.3 - Roxio) Hidden
Roxio Burn (x32 Version: 1.8 - Roxio) Hidden
Roxio Creator Starter (x32 Version: 1.0.439 - Roxio) Hidden
Roxio Creator Starter (x32 Version: 12.1.77.0 - Roxio)
Roxio Creator Starter (x32 Version: 5.0.0 - Roxio) Hidden
Roxio Express Labeler 3 (x32 Version: 3.2.2 - Roxio) Hidden
Roxio File Backup (Version: 1.3.2 - Roxio) Hidden
Sonic CinePlayer Decoder Pack (x32 Version: 4.3.0 - Sonic Solutions) Hidden
TeamViewer 8 (MSI Wrapper) (x32 Version: 8.0.22298 - TeamViewer)
TeamViewer 8 (x32 Version: 8.0.22298 - TeamViewer)
Trend Micro OfficeScan Client (x32 Version: 10.6 - Trend Micro)

==================== Restore Points  =========================

13-01-2014 14:36:07 Scheduled Checkpoint
21-01-2014 13:59:30 Scheduled Checkpoint
29-01-2014 05:00:02 Scheduled Checkpoint
30-01-2014 16:01:25 Installed Scanner Utility for Microsoft Windows
30-01-2014 16:02:18 Installed FUJITSU Scanner USB HotFix
30-01-2014 16:10:56 Removed Software Operation Panel
30-01-2014 16:11:25 Removed Scanner Utility for Microsoft Windows
30-01-2014 16:12:21 Removed FUJITSU Scanner USB HotFix
30-01-2014 18:45:34 Installed Image Resizer Powertoy for Windows XP
30-01-2014 18:48:36 Image Resizer for Windows
31-01-2014 18:08:27 Removed Image Resizer Powertoy for Windows XP
05-02-2014 14:41:50 ComboFix created restore point
06-02-2014 03:00:11 Windows Update

==================== Hosts content: ==========================

2009-07-13 21:34 - 2014-02-05 09:49 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {649E1B48-09B2-415F-A338-16D234F44692} - System32\Tasks\Microsoft Office 15 Sync Maintenance for GOVERNMENT-stephen 9PCJ9Y1.GOVERNMENT.COUNTY.LOCAL => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-01-29] (Microsoft Corporation)
Task: {7432846F-8ADB-4324-8CE4-7FF4C16FF461} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [2013-10-31] (Microsoft Corporation)
Task: {835CB013-387E-46CB-B828-2AA9B85CD4EE} - System32\Tasks\Microsoft Office 15 Sync Maintenance for {87efe7a8-4e68-42fe-995f-aaa90cd5b4a6} 9PCJ9Y1.GOVERNMENT.COUNTY.LOCAL => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-01-29] (Microsoft Corporation)
Task: {9C774CD1-7D32-4887-81EB-28A37D873111} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-23] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2014-01-29 13:35 - 2014-01-29 13:35 - 08866472 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2013-12-17 08:12 - 2013-12-17 08:14 - 00121920 _____ () C:\Program Files\Microsoft Office 15\root\Office15\JitV.dll
2014-01-29 13:34 - 2014-01-29 13:34 - 00316584 _____ () C:\Program Files\Microsoft Office 15\root\Office15\AppVIsvStream32.dll
2014-01-29 13:34 - 2014-01-29 13:34 - 00359592 _____ () C:\Program Files\Microsoft Office 15\root\Office15\c2r32.dll
2014-01-29 13:34 - 2014-01-29 13:34 - 00316584 _____ () C:\Program Files\Microsoft Office 15\root\office15\AppVIsvStream32.dll
2014-01-29 13:34 - 2014-01-29 13:34 - 00359592 _____ () C:\Program Files\Microsoft Office 15\root\office15\c2r32.dll
2014-01-29 13:34 - 2014-01-29 13:35 - 01027240 _____ () C:\Program Files\Microsoft Office 15\Root\Office15\ADDINS\UmOutlookAddin.dll
2014-01-29 13:36 - 2014-01-29 13:36 - 00321704 _____ () C:\Program Files\Microsoft Office 15\root\office15\msfad.dll
2014-01-29 13:34 - 2014-01-29 13:34 - 00316584 _____ () C:\Program Files\Microsoft Office 15\Root\Office15\AppVIsvStream32.dll
2014-01-29 13:34 - 2014-01-29 13:34 - 00359592 _____ () C:\Program Files\Microsoft Office 15\Root\Office15\c2r32.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (02/05/2014 09:50:27 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/05/2014 09:34:17 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/31/2014 08:13:15 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance counter name string value in the registry is not formatted correctly. The malformed string is 9938. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Error: (01/31/2014 08:13:12 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (01/31/2014 08:13:12 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance counter name string value in the registry is not formatted correctly. The malformed string is 9938. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Error: (01/31/2014 07:48:30 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/31/2014 07:30:28 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/31/2014 07:00:20 AM) (Source: Microsoft Office 15) (User: )
Description: Microsoft Outlook: Rejected Safe Mode action : Outlook couldn't start last time. Safe mode could help you troubleshoot the problem, but some features might not be available in this mode.

Do you want to start in safe mode?.
Rejected Safe Mode action : Microsoft Outlook.

Error: (01/30/2014 02:00:57 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/30/2014 01:45:06 PM) (Source: MsiInstaller) (User: GOVERNMENT)
Description: Product: Image Resizer Powertoy for Windows XP -- The powertoys require Windows XP or a service pack. They will not function on a version of Windows earlier or later than Windows XP.

System errors:
=============
Error: (02/07/2014 11:21:05 AM) (Source: DCOM) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Error: (02/06/2014 11:16:53 AM) (Source: DCOM) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Error: (02/05/2014 10:33:05 AM) (Source: DCOM) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Error: (02/05/2014 09:48:41 AM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain GOVERNMENT due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

 

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (02/05/2014 09:48:02 AM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (02/05/2014 09:46:57 AM) (Source: Application Popup) (User: )
Description: \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (02/05/2014 09:46:57 AM) (Source: Application Popup) (User: )
Description: \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (02/05/2014 09:44:46 AM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (02/05/2014 09:32:33 AM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain GOVERNMENT due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

 

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (02/05/2014 08:53:00 AM) (Source: DCOM) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Microsoft Office Sessions:
=========================
Error: (02/05/2014 09:50:27 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/05/2014 09:34:17 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/31/2014 08:13:15 AM) (Source: Microsoft-Windows-LoadPerf)(User: NT AUTHORITY)
Description: 993816D2260000D0260000D1260000B8010000

Error: (01/31/2014 08:13:12 AM) (Source: Microsoft-Windows-LoadPerf)(User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (01/31/2014 08:13:12 AM) (Source: Microsoft-Windows-LoadPerf)(User: NT AUTHORITY)
Description: 993816D2260000D0260000D126000068010000

Error: (01/31/2014 07:48:30 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/31/2014 07:30:28 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/31/2014 07:00:20 AM) (Source: Microsoft Office 15)(User: )
Description: Microsoft OutlookOutlook couldn't start last time. Safe mode could help you troubleshoot the problem, but some features might not be available in this mode.

Do you want to start in safe mode?

Error: (01/30/2014 02:00:57 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/30/2014 01:45:06 PM) (Source: MsiInstaller)(User: GOVERNMENT)
Description: Product: Image Resizer Powertoy for Windows XP -- The powertoys require Windows XP or a service pack. They will not function on a version of Windows earlier or later than Windows XP.(NULL)(NULL)(NULL)(NULL)(NULL)

CodeIntegrity Errors:
===================================
  Date: 2014-02-05 09:46:57.947
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-02-05 09:46:57.916
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-02-05 09:46:57.901
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-02-05 09:46:57.869
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-01-31 07:45:30.176
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-01-31 07:45:30.144
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-01-31 07:45:30.129
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-01-31 07:45:30.098
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-01-30 13:57:48.973
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-01-30 13:57:48.942
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Percentage of memory in use: 49%
Total physical RAM: 3998.07 MB
Available physical RAM: 2009.48 MB
Total Pagefile: 7994.33 MB
Available Pagefile: 5951.25 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.61 GB) (Free:194.74 GB) NTFS
Drive h: (usersrz) (Network) (Total:2046.99 GB) (Free:1219.25 GB) NTFS
Drive i: (department) (Network) (Total:2047 GB) (Free:112.92 GB) NTFS
Drive j: (department) (Network) (Total:2047 GB) (Free:112.92 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: B1E297C3)
Partition 1: (Active) - (Size=283 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=233 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#7 polskamachina

  • Malware Response Team
  • 3,928 posts
  • Gender:Male

Posted 09 February 2014 - 01:39 PM

Hi stephencomputerguy :)

Please navigate to http://www.virustotal.com and upload, one at a time, these four files for analysis.

c:\windows\TEMP\pdk-SYSTEM\04a938823668c652aef77ba79a274400\Service.dll
c:\windows\TEMP\pdk-SYSTEM\d6fec475513d165261d38743a490dfc1\perl58.dll
c:\windows\TEMP\pdk-SYSTEM\e00cd61a82f12186df5e4de4b75a822d\Registry.dll
c:\windows\TEMP\pdk-SYSTEM\ea8ed9772b76a525d50cde8448090219\WinError.dll

After a short pause for processing, a report should appear. Please copy and paste the reports for each file in your next reply to me.

Let me know if you have any questions.

polskamachina



#8 stephencomputerguy

  • Topic Starter
  • Members
  • 5 posts

Posted 10 February 2014 - 07:37 AM

SHA256: b2c77d6ba05e9c3f5cbc2bc7e9ee8c14d804f4c31cb1da515e8af70afd3109c3
File name: Service.dll
Detection ratio: 0 / 50
Analysis date: 2014-02-10 12:03:57 UTC ( 6 minutes ago )

Probably harmless! There are strong indicators suggesting that this file is safe to use.

Packers identified

PEiD Armadillo v1.xx - v2.xx

PE header basic information

Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2006-03-21 02:26:06
Link date 3:26 AM 3/21/2006
Entry Point 0x0000243A
Number of sections 4

PE sections

Name    Virtual address  Virtual size  Raw size  Entropy  MD5
.text   4096             5374          8192      4.32     90b86424de06f7d10654c1e3e5769b40
.rdata  12288            2577          4096      3.85     b84601402defacfda7ea7525e2f15ce4
.data   16384            36            4096      0.00     620f0b67a91f7f74151bc5be745b7110
.reloc  20480            328           4096      0.70     34f34472658dd7f1ce219c8f0419800e

PE imports

[+] ADVAPI32.dll

CloseServiceHandle

EnumServicesStatusA

OpenServiceA

ControlService

StartServiceA

OpenSCManagerA
 

[+] KERNEL32.dll

GetLastError

DisableThreadLibraryCalls
 

[+] MSVCRT.dll

malloc

_errno

_adjust_fdiv

memset

free

_initterm

strlen

strcmp
 

[+] perl58.dll

Perl_Tcurpad_ptr

Perl_hv_store

Perl_Tmarkstack_ptr_ptr

Perl_Tstack_sp_ptr

Perl_Tstack_base_ptr

Perl_Isv_no_ptr

Perl_sv_newmortal

Perl_mg_set

Perl_sv_2pv_flags

Perl_Top_ptr

Perl_sv_2pv_nolen

Perl_croak_nocontext

Perl_get_context

Perl_sv_2mortal

Perl_newXS

Perl_croak

Perl_sv_setiv

Perl_Isv_yes_ptr

Perl_form

Perl_newSVpv

Perl_get_sv

Perl_newSViv

PE exports

_boot_Win32__Service
boot_Win32__Service

ExifTool file metadata

MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2006:03:21 03:26:06+01:00
FileType Win32 DLL
PEType PE32
CodeSize 8192
LinkerVersion 6.0
FileAccessDate 2014:02:10 13:00:45+01:00
EntryPoint 0x243a
InitializedDataSize 12288
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
FileCreateDate 2014:02:10 13:00:45+01:00
UninitializedDataSize 0

File identification

MD5 04a938823668c652aef77ba79a274400
SHA1 121b1b15f5ae751ab98a571758d1ae6e954f6e13
SHA256 b2c77d6ba05e9c3f5cbc2bc7e9ee8c14d804f4c31cb1da515e8af70afd3109c3
ssdeep 384:VmtJBk4Mlg35YumtAjqrcLu5CBCjDNBz+B5igPAeW3nK0Y:4DBjcWvSc7AYx
imphash c5c15ed96111b61b1c80ba8323eff968

File size 24.1 KB ( 24691 bytes )
File type Win32 DLL
Magic literal PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

TrID
 Win32 Dynamic Link Library (generic) (43.5%)
 Win32 Executable (generic) (29.8%)
 Generic Win/DOS Executable (13.2%)
 DOS Executable Generic (13.2%)
 Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

Tags armadillo pedll

VirusTotal metadata

First submission 2010-05-24 18:08:29 UTC ( 3 years, 8 months ago )
Last submission 2014-02-10 12:03:57 UTC ( 6 minutes ago )

File names
 057C00000001FD72_Service.dll_sample
 Service.dll
 Service.dll
 Service.dll.vir
 04a938823668c652aef77ba79a274400
 smona130576902045102746535

Advanced heuristic and reputation engines

Symantec reputation Suspicious.Insight
------------------------------------------------------------------------

SHA256: fa9cd43d0b09f2352063f2790a49af51615ebe735eba53417129fc04dd5e7b73
File name: perl58.dll
Detection ratio: 0 / 50
Analysis date: 2014-02-10 12:12:25 UTC ( 0 minutes ago )

DeleteFileA

GenerateConsoleCtrlEvent

GetFullPathNameA

WaitForMultipleObjects

FindFirstFileA

GetTempFileNameA

GetComputerNameA

FindNextFileA

DuplicateHandle

GetProcAddress

CreateFileW

TlsSetValue

CreateFileA

LeaveCriticalSection

GetLastError

SystemTimeToFileTime

GetSystemInfo

GetProcessTimes

GetShortPathNameA

GetEnvironmentStrings

SetFileTime

GetCurrentDirectoryA

RaiseException

TlsFree

SetFilePointer

ReadFile

CloseHandle

UnlockFileEx

CreateProcessA

Sleep
 

[+] MSVCRT.dll

fseek

__p__environ

_ftol

fclose

fflush

_getpid

_fmode

fputc

_execv

_control87

strtod

fwrite

frexp

fputs

tmpnam

_utime

_execl

localtime

__CxxFrameHandler

_fileno

??3@YAXPAX@Z

ceil

_strupr

_isatty

__doserrno

_umask

_unlink

perror

_write

memcpy

strstr

memmove

signal

fmod

_isnan

modf

_eof

strcmp

memchr

strncmp

_access

fgetc

memset

strcat

_stricmp

_execvp

_setmode

fgets

__pioinfo

strchr

_rmdir

clock

??2@YAPAXI@Z

fgetpos

fsetpos

exit

sprintf

strrchr

freopen

gmtime

free

_fstati64

realloc

_lseeki64

cos

putchar

_flushall

strcpy

bsearch

__mb_cur_max

_initterm

strftime

_iob

rand

_fcloseall

setlocale

pow

_getcwd

strxfrm

_pipe

_open_osfhandle

_setjmp3

toupper

fopen

strncpy

getchar

_mkdir

_dup

log

puts

_sys_nerr

_chdir

qsort

_open

wcslen

putc

memcmp

srand

vprintf

_isctype

wcsncpy

_pctype

getenv

_stati64

wcscat

atoi

vfprintf

_spawnv

localeconv

strerror

wcscpy

ungetc

_close

vsprintf

rename

malloc

fread

_chmod

abort

strlen

clearerr

_fdopen

floor

getc

sqrt

_get_osfhandle

rewind

gets

sin

_mktemp

_telli64

longjmp

tolower

_dup2

_adjust_fdiv

calloc

setbuf

_exit

wcstombs

_errno

atan2

exp

time

setvbuf
 

[+] USER32.dll

SetTimer

PeekMessageA

PostMessageA

KillTimer

CreateWindowExA

MsgWaitForMultipleObjects

CharUpperA

PostThreadMessageA

DestroyWindow

PE exports

PL_AMG_names
PL_check
PL_fold
PL_fold_locale
PL_freq
PL_memory_wrap
PL_no_aelem
PL_no_dir_func
PL_no_func
PL_no_helem

Number of PE resources by type

RT_ICON 8
RT_VERSION 1
RT_GROUP_ICON 1

Number of PE resources by language

ENGLISH US 10

ExifTool file metadata

SubsystemVersion 4.0
LinkerVersion 6.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 5.8.8.817
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Windows, Latin1
InitializedDataSize 200704
FileOS Windows NT 32-bit
MIMEType application/octet-stream
LegalCopyright Copyright 1987-2006, Larry Wall, Binary build by ActiveState, http://www.ActiveState.com
FileVersion 5,8,8,817
TimeStamp 2006:03:21 02:55:17+01:00
FileType Win32 DLL
PEType PE32
InternalName perl58.dll
FileAccessDate 2014:02:10 13:12:37+01:00
ProductVersion Build 817 [257965]
FileDescription Perl Interpreter
OSVersion 4.0
FileCreateDate 2014:02:10 13:12:37+01:00
OriginalFilename perl58.dll
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName ActiveState
CodeSize 606208
ProductName ActivePerl
ProductVersionNumber 5.8.8.817
EntryPoint 0x94c03
ObjectFileType Dynamic link library

File identification

MD5 d6fec475513d165261d38743a490dfc1
SHA1 b593136ed5bc0167e6715a41c7abf70603f40361
SHA256 fa9cd43d0b09f2352063f2790a49af51615ebe735eba53417129fc04dd5e7b73
ssdeep 12288:axMQYulkUYSdnezsl3CHp+RaFBj/Ac1J3jA/pF2OUHlEbweMFex5R:0cYez034EicoTIcOUHqfsexn
imphash 29bd8a7a45bca16c193484e7927fe4ec

File size 784.1 KB ( 802897 bytes )
File type Win32 DLL
Magic literal PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

TrID
 Win32 Executable MS Visual C++ (generic) (52.5%)
 Windows Screen Saver (22.0%)
 Win32 Dynamic Link Library (generic) (11.0%)
 Win32 Executable (generic) (7.5%)
 Generic Win/DOS Executable (3.3%)

Tags armadillo pedll

VirusTotal metadata

First submission 2010-04-20 14:09:27 UTC ( 3 years, 9 months ago )
Last submission 2014-02-10 12:12:25 UTC ( 2 minutes ago )

File names
 perl58.dll
 perl58.dll.vir
 smona130558588608211923831
 smona130576902015453578792
 PERL58.DLL
 perl58.dll
 57112782
 d6fec475513d165261d38743a490dfc1
------------------------------------------------------------------------

SHA256: 1ccc9430ecc438942d00919247e9107ed77d31d654955ec09d424a18dd6d2e80
File name: Registry.dll
Detection ratio: 0 / 50
Analysis date: 2014-02-10 12:16:06 UTC ( 0 minutes ago )

Packers identified

PEiD Armadillo v1.xx - v2.xx

PE header basic information

Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2006-03-21 02:24:17
Entry Point 0x00021507
Number of sections 4

PE sections

Name    Virtual address  Virtual size  Raw size  Entropy  MD5
.text   4096             132554        135168    5.60     df9db5f4c9f35a5d0fc9acccd61d3775
.rdata  139264           9402          12288     4.71     938494a26aab8109ef5bd95d06c8053c
.data   151552           40            4096      0.00     620f0b67a91f7f74151bc5be745b7110
.reloc  155648           1264          4096      2.09     a8630d3c2632aa12128b447a9552e8f4

PE imports

[+] ADVAPI32.dll

RegRestoreKeyA

RegCreateKeyExW

LookupPrivilegeValueA

RegCloseKey

RegNotifyChangeKeyValue

RegDeleteKeyW

RegEnumValueA

RegQueryValueExA

RegSetValueA

RegCreateKeyW

AdjustTokenPrivileges

RegSetKeySecurity

RegEnumKeyW

RegRestoreKeyW

RegSetValueW

RegCreateKeyA

RegQueryValueExW

GetSecurityDescriptorLength

RegGetKeySecurity

RegReplaceKeyA

RegOpenKeyA

OpenProcessToken

RegSetValueExA

RegQueryValueA

RegConnectRegistryW

RegOpenKeyExW

RegFlushKey

RegReplaceKeyW

RegOpenKeyW

RegEnumKeyA

AbortSystemShutdownA

RegConnectRegistryA

RegQueryValueW

RegDeleteKeyA

InitiateSystemShutdownA

RegLoadKeyA

RegQueryInfoKeyW

AbortSystemShutdownW

RegEnumKeyExW

RegOpenKeyExA

InitiateSystemShutdownW

RegLoadKeyW

RegEnumKeyExA

RegQueryInfoKeyA

RegCreateKeyExA

RegUnLoadKeyA

RegDeleteValueW

RegSaveKeyA

RegSetValueExW

RegEnumValueW

RegQueryMultipleValuesW

RegSaveKeyW

RegDeleteValueA

RegQueryMultipleValuesA

RegUnLoadKeyW
 

[+] KERNEL32.dll

GetLastError

GetCurrentProcess

DisableThreadLibraryCalls

SetLastError

CloseHandle
 

[+] MSVCRT.dll

malloc

_adjust_fdiv

free

wcslen

strtoul

_initterm

strlen

strcmp
 

[+] perl58.dll

Perl_sv_pvn_force_flags

Perl_sv_setpvn

Perl_sv_grow

Perl_Tmarkstack_ptr_ptr

Perl_av_len

Perl_Tstack_sp_ptr

Perl_Tstack_base_ptr

Perl_Isv_no_ptr

Perl_sv_2uv

Perl_sv_newmortal

Perl_mg_set

Perl_sv_2pv_flags

Perl_Tna_ptr

Perl_looks_like_number

Perl_croak_nocontext

Perl_get_context

Perl_sv_2bool

Perl_sv_setsv_flags

Perl_TXpv_ptr

Perl_newXS

Perl_croak

Perl_sv_2iv

Perl_Isv_yes_ptr

Perl_form

Perl_sv_setiv

Perl_get_sv

Perl_sv_setuv

PE exports

_boot_Win32API__Registry
boot_Win32API__Registry

ExifTool file metadata

MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2006:03:21 03:24:17+01:00
FileType Win32 DLL
PEType PE32
CodeSize 135168
LinkerVersion 6.0
FileAccessDate 2014:02:10 13:16:22+01:00
EntryPoint 0x21507
InitializedDataSize 20480
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
FileCreateDate 2014:02:10 13:16:22+01:00
UninitializedDataSize 0

File identification

MD5 e00cd61a82f12186df5e4de4b75a822d
SHA1 b740d7cfb05b2fd5e226978b51c67e68f6c0a785
SHA256 1ccc9430ecc438942d00919247e9107ed77d31d654955ec09d424a18dd6d2e80
ssdeep 3072:nas9DmL2SHcqs6ThUyUCeFDbr2nvNbrUcZucfPtQhWXNqvLxq10wUU:nas9DmLBHcqs6tUyUCracfP9XNqvLxqV
imphash a09413efa643d92da990cc30592fd310

File size 156.1 KB ( 159864 bytes )
File type Win32 DLL
Magic literal PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

TrID
 Win32 Dynamic Link Library (generic) (43.5%)
 Win32 Executable (generic) (29.8%)
 Generic Win/DOS Executable (13.2%)
 DOS Executable Generic (13.2%)
 Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

Tags armadillo pedll

VirusTotal metadata

First submission 2010-05-24 18:13:52 UTC ( 3 years, 8 months ago )
Last submission 2014-02-10 12:16:06 UTC ( 1 minute ago )

File names
 055700000001FD69_Registry.dll_sample
 smona130576902032643698472
 e00cd61a82f12186df5e4de4b75a822d
 126537863
 Registry.dll
 Registry.dll.vir

Advanced heuristic and reputation engines

Symantec reputation Suspicious.Insight
------------------------------------------------------------------------

SHA256:

3c432ee2c74417c44c8497d6046a4db2739bebf86aa04fd5961200467ebfb282

 

File name:

WinError.dll

 

Detection ratio:

 0 / 50

 

Analysis date:

 2014-02-10 12:18:18 UTC ( 0 minutes ago )

Packers identified
 

PEiD Armadillo v1.xx - v2.xx

? PE header basic information
 

Target machine Intel 386 or later processors and compatible processors

Compilation timestamp 2006-03-21 02:26:27

Entry Point 0x00007ED1

Number of sections 4

PE sections

Name    Virtual address  Virtual size  Raw size  Entropy  MD5
.text   4096             28564         28672     5.44     09354486befc627ded78a99075b4e55a
.rdata  32768            33460         36864     4.26     bdb2916d0d2a8dbe9037a05e848dd169
.data   69632            36            4096      0.00     620f0b67a91f7f74151bc5be745b7110
.reloc  73728            4126          8192      4.26     8581063bd3780da6a04817c1e7ff641f

PE imports
 

[+] KERNEL32.dll

DisableThreadLibraryCalls
 

[+] MSVCRT.dll

malloc

_errno

_adjust_fdiv

free

_initterm

strcmp
 

[+] perl58.dll

Perl_Tcurpad_ptr

Perl_get_context

Perl_croak

Perl_sv_2iv

Perl_Isv_yes_ptr

Perl_form

Perl_newXS

Perl_sv_newmortal

Perl_Tmarkstack_ptr_ptr

Perl_get_sv

Perl_sv_setnv

Perl_mg_set

Perl_sv_2pv_flags

Perl_Top_ptr

Perl_Tstack_sp_ptr

Perl_sv_2pv_nolen

Perl_Tstack_base_ptr
 
PE exports
 

_boot_Win32__WinError

boot_Win32__WinError

ExifTool file metadata

MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2006:03:21 03:26:27+01:00
FileType Win32 DLL
PEType PE32
CodeSize 28672
LinkerVersion 6.0
FileAccessDate 2014:02:10 13:14:15+01:00
EntryPoint 0x7ed1
InitializedDataSize 49152
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
FileCreateDate 2014:02:10 13:14:15+01:00
UninitializedDataSize 0

File identification

MD5 ea8ed9772b76a525d50cde8448090219
SHA1 594c8dc2f593de7d9c26904061480fc2d9a7e362
SHA256 3c432ee2c74417c44c8497d6046a4db2739bebf86aa04fd5961200467ebfb282
ssdeep 768:BzWTH1YWZA4GHZe1vmxVyIfuocg/FRUV7XiPk+4Bqt59f7nPZiHCmdBpyf3sxyAQ:BKTHye1+J2o9/Fiji34KL/iyKe
imphash 151d22e96ae63e168b455c8ff9446385
File size 80.1 KB ( 82037 bytes )
File type Win32 DLL
Magic literal PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

 

 

TrID

 Windows Screen Saver (46.4%)
 Win32 Dynamic Link Library (generic) (23.3%)
 Win32 Executable (generic) (15.9%)
 Generic Win/DOS Executable (7.1%)
 DOS Executable Generic (7.0%)

 

Tags

armadillopedll

 
VirusTotal metadata

First submission 2010-05-24 18:19:25 UTC ( 3 years, 8 months ago )
Last submission 2014-02-10 12:18:18 UTC ( 1 minute ago )

 

File names

 ea8ed9772b76a525d50cde8448090219
 WinError.dll
 smona130576902056065478347
 57397793
 WinError.dll
 WinError.dll.vir
 058700000001FD6F_WinError.dll_sample

 
Advanced heuristic and reputation engines

Symantec reputation Suspicious.Insight
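The "PE sections" and "Compilation timestamp" rows in the reports above are produced by walking the DLL's section table, scoring the on-disk bytes of each section for entropy (the near-8-bits-per-byte readings that make a packer such as Armadillo stand out) and hashing them. The following script is an added example, not code from this thread or from VirusTotal; it does that same triage on a PE image built in memory. SAMPLE_IMAGE, its two section names and their contents are constructed for the example and are not either DLL from the reports; the only value taken from the page is the compile timestamp, reused as test input.

```python
"""Parse a PE section table and score each section's byte entropy.

Added example, not code from the thread or from VirusTotal. It reproduces the
kind of per-section data the report above shows (name, virtual address, sizes,
entropy, MD5) and decodes the COFF compile timestamp, so a defender can triage
a DLL offline. SAMPLE_IMAGE is constructed in memory; it is not either DLL from
the thread and would not load as a real DLL.
"""
import hashlib
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

COFF_HEADER_FMT = "<HHIIIHH"           # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes
PACKED_THRESHOLD = 7.0                 # bits/byte; compressed or encrypted data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant run, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Walk MZ -> PE signature -> COFF header -> section table and score each section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(
        COFF_HEADER_FMT, image, coff_off)
    # Section headers follow the optional header, whose length the COFF header gives.
    sec_off = coff_off + struct.calcsize(COFF_HEADER_FMT) + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, _ = struct.unpack_from(
            SECTION_HEADER_FMT, image, sec_off + 40 * i)
        raw = image[rawptr:rawptr + rawsize]   # score the on-disk bytes, as the report does
        entropy = shannon_entropy(raw)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(entropy, 2),
            "md5": hashlib.md5(raw).hexdigest(),
            "looks_packed": entropy >= PACKED_THRESHOLD,
        })
    return {
        "machine": hex(machine),
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def build_sample_pe(sections, timestamp: int) -> bytes:
    """Assemble a minimal PE32 image (constructed test input; only the fields parse_pe reads are set)."""
    e_lfanew, opt_size, file_align, sect_align = 0x80, 224, 0x200, 0x1000
    hdr_end = e_lfanew + 4 + struct.calcsize(COFF_HEADER_FMT) + opt_size + 40 * len(sections)
    hdr_size = -(-hdr_end // file_align) * file_align
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x2102)
    opt = b"\x0b\x01" + bytes(opt_size - 2)     # PE32 magic, remainder zeroed
    headers, body = b"", b""
    raw_ptr, vaddr = hdr_size, sect_align
    for name, data in sections:
        raw_size = -(-len(data) // file_align) * file_align
        headers += struct.pack(SECTION_HEADER_FMT, name.encode("ascii"), len(data), vaddr,
                               raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += -(-len(data) // sect_align) * sect_align
    return (bytes(dos) + b"PE\0\0" + coff + opt + headers).ljust(hdr_size, b"\0") + body


# Constructed sample: a low-entropy code section and a section of pseudo-random bytes
# (what a packed or encrypted payload looks like). The timestamp is the compile time the
# WinError.dll report above shows, reused here as a constructed input value.
_rng = random.Random(1234)
SAMPLE_SECTIONS = [
    (".text", b"\x90" * 2048 + b"\xc3" * 2048),
    (".packed", bytes(_rng.getrandbits(8) for _ in range(4096))),
]
SAMPLE_IMAGE = build_sample_pe(SAMPLE_SECTIONS, timestamp=1142907987)

if __name__ == "__main__":
    info = parse_pe(SAMPLE_IMAGE)
    print("machine", info["machine"], "compiled", info["timestamp_utc"])
    for s in info["sections"]:
        flag = "PACKED?" if s["looks_packed"] else ""
        print(f'{s["name"]:<8} va={s["vaddr"]:#07x} vsize={s["vsize"]:<6} raw={s["rawsize"]:<6} '
              f'entropy={s["entropy"]:.2f} md5={s["md5"]} {flag}')
```

To run it against a real file, replace SAMPLE_IMAGE with the bytes read from disk; entropy is computed over the raw (file) size of each section rather than the virtual size, which is why a section whose raw bytes are all zero scores 0.00 as .data does in the report above.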



#9 polskamachina

polskamachina

  • Malware Response Team
  • 3,928 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:55 AM

Posted 11 February 2014 - 10:16 PM

Hi stephencomputerguy,
Good job with the file reports. :thumbup2:
 
We need to check your system with the following software:

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.
    Quote

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
 
Let me know if you have any questions.
polskamachina



#10 stephencomputerguy

stephencomputerguy
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:55 AM

Posted 12 February 2014 - 08:02 AM

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
Update failed (41217). Trying proxy lcproxy.lehighcounty.org8080
finished. ret_update=0 e_gle=0
# version=8
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=0702bf240299a743ab2f6a0b57d8281e
# engine=17042
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-02-12 01:01:11
# local_time=2014-02-12 08:01:11 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776573 100 94 0 143753521 0 0
# scanned=136435
# found=0
# cleaned=0
# scan_time=2149
 



#11 polskamachina

polskamachina

  • Malware Response Team
  • 3,928 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:55 AM

Posted 14 February 2014 - 04:30 PM

Hi stephencomputerguy :)
 
Your reports show that the files in the pdk-SYSTEM folder are not malware. The fact that ComboFix is able to remove them and then they are regenerated may seem strange but in the final analysis, it will not harm your machine.
 
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
- Kaspersky Lab report: Evaluating the threat level of software vulnerabilities
- Microsoft: Unprecedented Wave of Java Exploitation
- Ghosts of Java Haunt Users

Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform which is 64-bit. 64-bit OS users should read: Which Java download should I choose for my 64-bit Windows operating system?
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to StartBtn.gif > Control Panel, double-click on Programs and Features and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u51-windows-x64.exe to install the newest version.
  • If the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered any unwanted software or toolbars during installation, just uncheck the box before continuing unless you want it. The McAfee Security Scan Plus may be installed unless you uncheck the McAfee installation box when updating Java.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary. To disable the JQS service if you don't want to use it:

  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

FINAL STEPS

If you are not experiencing any other malware related issues, it is time to do our final steps:

  • Any programs that we had you download and/or install can be removed at this time.
  • If we had you create or download any custom fixes, these can be deleted at this time.
  • If we had you download and run ComboFix, here is how to uninstall it:
    • Press and hold the Windows key Windows_Logo_key.gif and then press the letter R on your keyboard.
    • This opens the Run dialog box.
    • Copy and paste the below text inside the text-field:
      • "%userprofile%\desktop\ComboFix" /uninstall
    • Now press ENTER
    • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
  • If you used DeFogger to disable your Disk Emulation Software, you can reopen DeFogger and use the "Enable" button.
  • You can download this tool to delete more traces of our tools. Delete the tool itself afterwards.
  • Toggle System Restore OFF and then back ON.
  • You should delete your old, potentially infected System Restore points and create a new, clean restore point.

Be safe :hello:

 

Let me know if you have any questions.

 

polskamachina



#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:55 PM

Posted 27 February 2014 - 06:33 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware



