sonus
-
Posts
16 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Everything posted by sonus
-
Ohh and the browser redirection is now gone, THANKS! Is there anything else I should do to test things further?
-
I accidentally did a Full Scan on MBAM, it only found BMC Miner in what I'm assuming was the quarantine for one of the other anti-virus programs, so I'm assuming that isn't a bad sign. Here's a log: Also Microsoft Security Essentials is asking me to come back on finally! I'm assuming that this is legitimate? Is there any way for me to check before I click the "start now" button? Malwarebytes Anti-Malware (Trial) 1.62.0.1300 www.malwarebytes.org Database version: v2012.07.14.07 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 Chris :: CHRIS-VAIO-Z [administrator] Protection: Enabled 7/14/2012 5:25:40 PM mbam-log-2012-07-14 (17-25-40).txt Scan type: Full scan (C:\|) Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P Scan options disabled: Objects scanned: 515628 Time elapsed: 18 minute(s), 5 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 1 C:\Qoobox\Quarantine\C\Windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\U\00000008.@.vir (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully. (end)
-
Ohh, I see what happened, Farbar didn't see the other's because it had already deleted their root folder.
-
Interestingly, it didn't find a couple of them. Is that a problem? Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 14-07-2012 01 Ran by SYSTEM at 2012-07-14 17:03:32 Run:1 Running from G:\ ============================================== C:\Windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694} moved successfully. C:\Windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\L not found. C:\Windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\U not found. C:\Users\Chris\AppData\Local\{c8347dac-c04f-371f-2862-2c27f80a4694} moved successfully. C:\Users\Chris\AppData\Local\{c8347dac-c04f-371f-2862-2c27f80a4694}\@ not found. C:\Users\Chris\AppData\Local\{c8347dac-c04f-371f-2862-2c27f80a4694}\L not found. C:\Users\Chris\AppData\Local\{c8347dac-c04f-371f-2862-2c27f80a4694}\U not found. ==== End of Fixlog ====
-
thanks again for walking me through this. I ran FRST64 and only used SCAN, not fix as you said. Here are the results: Scan result of Farbar Recovery Scan Tool Version: 14-07-2012 01 Ran by SYSTEM at 14-07-2012 16:23:46 Running from G:\ Windows 7 Professional (X64) OS Language: English(US) The current controlset is ControlSet001 ========================== Registry (Whitelisted) ============= HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [166424 2010-06-21] (Intel Corporation) HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [390680 2010-06-21] (Intel Corporation) HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [410136 2010-06-21] (Intel Corporation) HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16414824 2010-06-04] (NVIDIA Corporation) HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [9962016 2010-06-18] (Realtek Semiconductor) HKLM\...\Run: [vncutil] C:\Program Files\Realtek\Audio\HDA\vncutil64.exe [475680 2010-06-18] (Realtek Semiconductor Crop.) HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1886504 2010-03-01] (Synaptics Incorporated) HKLM\...\Run: [PSQLLauncher] "C:\Program Files\Protector Suite\launcher.exe" /startup [84744 2010-04-27] (UPEK Inc.) HKLM\...\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe [x] HKLM\...\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" [163552 2011-08-05] (Microsoft Corporation) HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation) HKLM-x32\...\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation) HKLM-x32\...\Run: [smartWiHelper] "C:\Program Files (x86)\Sony\SmartWi Connection Utility\SmartWiHelper.exe" /WindowsStartup [89080 2010-07-15] (Sony Electronics Corporation) HKLM-x32\...\Run: [iSBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe" [673136 2010-05-31] (Sony Corporation) HKLM-x32\...\Run: [PMBVolumeWatcher] C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe [600928 2010-06-01] (Sony Corporation) HKLM-x32\...\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin [611712 2008-08-14] (Adobe Systems Incorporated) HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated) HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.) HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation) HKU\Chris\...\Run: [ChmZoomer] C:\Program Files (x86)\ChmZoomer\ChmZoomer.exe /m [962560 2010-08-12] (www.goldgingko.com) HKU\Chris\...\Run: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [718720 2011-07-21] (Microsoft Corporation) HKU\Chris\...\Run: [skyDrive] "C:\Users\Chris\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" /background [238552 2012-07-13] (Microsoft Corporation) HKU\Chris\...\Run: [AlcoholAutomount] "C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" -automount [75624 2012-01-05] (Alcohol Soft Development Team) HKU\Chris\...\Policies\system: [DisableChangePassword] 0 HKU\Chris\...\Policies\system: [DisableLockWorkstation] 0 HKU\Mcx1-CHRIS-VAIO-Z\...\Winlogon: [shell] C:\Windows\eHome\McrMgr.exe [343552 2009-07-13] (Microsoft Corporation) Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation) Winlogon\Notify\psfus: C:\Program Files\Protector Suite\psqlpwd.dll (UPEK Inc.) Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 Lsa: [Notification Packages] scecli C:\Program Files\Protector Suite\psqlpwd.dll C:\Program Files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.) Startup: C:\Users\Chris\Start Menu\Programs\Startup\AccuWeather.lnk ShortcutTarget: AccuWeather.lnk -> C:\Program Files (x86)\AccuWeather.com Cirrus\AccuWeather.com Cirrus.exe (No File) Startup: C:\Users\Chris\Start Menu\Programs\Startup\Dropbox.lnk ShortcutTarget: Dropbox.lnk -> (No File) Startup: C:\Users\Chris\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation) Startup: C:\Users\Chris\Start Menu\Programs\Startup\RT-Updater.lnk ShortcutTarget: RT-Updater.lnk -> C:\Ross-Tech\VCDS\VCDS.EXE (Ross-Tech, LLC) ==================== Services (Whitelisted) ====== 3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.) 2 AxAutoMntSrv; C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe [75624 2012-01-05] (Alcohol Soft Development Team) 2 DirMngr; "C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe" --service [224256 2011-03-02] () 2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation) 2 MouseWithoutBordersSvc; "C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersSvc.exe" [17920 2011-08-31] (Microsoft) 4 msvsmon90; "C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe" /service msvsmon90 [4466688 2007-11-07] (Microsoft Corporation) 3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation) 2 nlsX86cc; "C:\Windows\SysWOW64\nlssrv32.exe" [66560 2012-04-19] (Nalpeiron Ltd.) 2 NovacomD; C:\Program Files\Palm, Inc\novacomd\amd64\novacomd.exe [71168 2011-03-15] (Palm) 2 RapiMgr; C:\Windows\WindowsMobile\rapimgr.dll [225672 2007-05-31] (Microsoft Corporation) 2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [190496 2010-06-18] (Realtek Semiconductor) 2 StarWindServiceAE; C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe [370688 2009-12-23] (StarWind Software) 2 uCamMonitor; C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [104960 2008-09-18] (ArcSoft, Inc.) 2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2320920 2010-02-23] (Intel Corporation) 2 WcesComm; C:\Windows\WindowsMobile\wcescomm.dll [443784 2007-05-31] (Microsoft Corporation) 3 WMZuneComm; "C:\Program Files\Zune\WMZuneComm.exe" [306400 2011-08-05] (Microsoft Corporation) 3 ZuneNetworkSvc; "C:\Program Files\Zune\ZuneNss.exe" [8277728 2011-08-05] (Microsoft Corporation) 3 ZuneWlanCfgSvc; "C:\Program Files\Zune\ZuneWlanCfgSvc.exe" [467680 2011-08-05] (Microsoft Corporation) 2 HPSLPSVC; C:\Users\Chris\AppData\Local\Temp\7zS7FBF\hpslpsvc64.dll [x] 3 rpcapd; "C:\Program Files (x86)\WinPcap\rpcapd.exe" -d -f "C:\Program Files (x86)\WinPcap\rpcapd.ini" [x] ========================== Drivers (Whitelisted) ============= 3 ArcSoftKsUFilter; C:\Windows\System32\Drivers\ArcSoftKsUFilter.sys [19968 2009-05-26] (ArcSoft, Inc.) 3 BTHprint; C:\Windows\System32\Drivers\BTHprint.sys [67072 2009-07-13] (Microsoft Corporation) 3 e1kexpress; C:\Windows\System32\DRIVERS\e1k62x64.sys [294064 2010-03-08] (Intel Corporation) 3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation) 2 NPF; C:\Windows\System32\Drivers\NPF.sys [35344 2010-06-25] (CACE Technologies, Inc.) 3 RT-USB; C:\Windows\System32\drivers\RT-USB64.SYS [70984 2010-06-16] (Ross-Tech LLC) 0 sptd; C:\Windows\System32\Drivers\sptd.sys [560184 2012-06-17] (Duplex Secure Ltd.) 2 WnsDrvr; C:\Windows\SysWow64\Drivers\WnsDrvr.sys [25952 2011-12-22] (Microsoft Corporation) 3 ALSysIO; \??\C:\Users\Chris\AppData\Local\Temp\ALSysIO64.sys [x] 3 catchme; \??\C:\ComboFix\catchme.sys [x] 2 MSSQL$DDNI; [x] 1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [x] 3 usbbus; C:\Windows\System32\DRIVERS\lgx64bus.sys [x] 3 UsbDiag; C:\Windows\System32\DRIVERS\lgx64diag.sys [x] 3 UsbGps; C:\Windows\System32\DRIVERS\lgx64gps.sys [x] 3 USBModem; C:\Windows\System32\DRIVERS\lgx64modem.sys [x] ========================== NetSvcs (Whitelisted) =========== ============ One Month Created Files and Folders ============== 2012-07-14 12:06 - 2012-07-14 12:06 - 00002325 ____A C:\Users\Chris\Desktop\RKreport[3].txt 2012-07-14 11:59 - 2012-07-14 11:59 - 00002307 ____A C:\Users\Chris\Desktop\RKreport[2].txt 2012-07-14 11:30 - 2012-07-14 11:30 - 00000000 ____D C:\_OTL 2012-07-14 11:28 - 2012-07-14 11:28 - 00596480 ____A (OldTimer Tools) C:\Users\Chris\Desktop\OTL.exe 2012-07-14 11:14 - 2012-07-14 11:14 - 00031710 ____A C:\ComboFix.txt 2012-07-14 09:10 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe 2012-07-14 09:10 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe 2012-07-14 09:10 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe 2012-07-14 09:10 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe 2012-07-14 09:10 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe 2012-07-14 09:10 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe 2012-07-14 09:10 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe 2012-07-14 09:10 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe 2012-07-14 09:08 - 2012-07-14 11:15 - 00000000 ____D C:\Qoobox 2012-07-14 09:08 - 2012-07-14 09:16 - 00000000 ____D C:\Windows\erdnt 2012-07-14 09:05 - 2012-07-14 09:05 - 04579346 ____R (Swearware) C:\Users\Chris\Desktop\ComboFix.exe 2012-07-14 08:30 - 2012-07-14 08:30 - 00002538 ____A C:\Users\Chris\Desktop\RKreport[1].txt 2012-07-14 08:29 - 2012-07-14 12:06 - 00000000 ____D C:\Users\Chris\Desktop\RK_Quarantine 2012-07-14 08:27 - 2012-07-14 08:27 - 01558528 ____A C:\Users\Chris\Desktop\RogueKiller.exe 2012-07-14 07:20 - 2012-07-14 07:20 - 00024413 ____A C:\Users\Chris\Desktop\Attach.txt 2012-07-14 07:18 - 2012-07-14 07:18 - 00034669 ____A C:\Users\Chris\Desktop\DDS.txt 2012-07-14 07:05 - 2012-07-14 07:05 - 00607260 ____A (Swearware) C:\Users\Chris\Desktop\dds.com 2012-07-14 06:54 - 2012-07-14 06:54 - 00607260 ____R (Swearware) C:\Users\Chris\Desktop\dds.scr 2012-07-14 01:05 - 2012-07-14 01:05 - 00010900 ____A C:\Users\Chris\Desktop\Book1.xlsx 2012-07-13 22:26 - 2012-07-13 22:26 - 00000000 ____D C:\Users\Chris\Downloads\Contraband.2012[DVDrip]AAC[x264]-HiGH 2012-07-13 16:32 - 2012-07-13 16:32 - 00000000 ____D C:\Users\All Users\GFI Software 2012-07-13 16:30 - 2012-07-14 11:32 - 00002822 ____A C:\Windows\PFRO.log 2012-07-13 15:47 - 2012-07-14 12:18 - 00148320 ____A C:\Windows\WindowsUpdate.log 2012-07-13 15:44 - 2012-07-14 12:15 - 00002250 ____A C:\Windows\setupact.log 2012-07-13 15:44 - 2012-07-13 15:44 - 00000000 ____A C:\Windows\setuperr.log 2012-07-13 15:41 - 2012-07-14 05:28 - 00000000 ____D C:\Users\Chris\AppData\Local\NPE 2012-07-13 15:19 - 2012-07-13 15:19 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk 2012-07-13 15:19 - 2012-07-13 15:19 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware 2012-07-13 07:42 - 2012-07-13 07:42 - 00000000 ____D C:\Users\Chris\AppData\Local\{7F315604-EFE1-4655-B6DC-034226C32615} 2012-07-12 20:27 - 2012-07-12 20:27 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA% 2012-07-12 19:41 - 2012-07-12 19:42 - 00000000 ____D C:\Users\Chris\AppData\Local\{ACE788B2-40AE-4BE3-9D65-8A99E6225E14} 2012-07-12 07:41 - 2012-07-13 07:42 - 00000000 ____D C:\Users\Chris\AppData\Local\{3DC1C010-2E60-4539-A43F-9C6EF33E2EAE} 2012-07-12 07:41 - 2012-07-12 07:41 - 00000000 ____D C:\Users\Chris\AppData\Local\{D1BE6231-0287-4331-8BD2-DE7435A9B23D} 2012-07-11 19:19 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys 2012-07-11 19:14 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll 2012-07-11 19:14 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll 2012-07-11 19:14 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll 2012-07-11 19:14 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll 2012-07-11 19:14 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll 2012-07-11 19:14 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl 2012-07-11 19:14 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll 2012-07-11 19:14 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll 2012-07-11 19:14 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe 2012-07-11 19:14 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll 2012-07-11 19:14 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2012-07-11 19:14 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb 2012-07-11 19:14 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll 2012-07-11 19:14 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll 2012-07-11 19:14 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2012-07-11 19:14 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2012-07-11 19:14 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2012-07-11 19:14 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2012-07-11 19:14 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2012-07-11 19:14 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2012-07-11 19:14 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll 2012-07-11 19:14 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2012-07-11 19:14 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2012-07-11 19:14 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2012-07-11 19:14 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll 2012-07-11 19:14 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2012-07-11 19:14 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2012-07-11 19:14 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2012-07-11 19:12 - 2012-07-11 19:13 - 00002742 ____A C:\Users\Chris\Documents\registry changes backup 7-11-2012 cc_20120711_231209.reg 2012-07-11 18:50 - 2012-07-11 18:50 - 00000822 ____A C:\Users\Chris\Desktop\CCleaner.lnk 2012-07-11 18:50 - 2012-07-11 18:50 - 00000000 ____D C:\Program Files\CCleaner 2012-07-11 18:47 - 2012-07-11 18:47 - 03889704 ____A (Piriform Ltd) C:\Users\Chris\Desktop\ccsetup320.exe 2012-07-11 18:40 - 2012-07-11 18:40 - 02841104 ____A (Symantec Corporation) C:\Users\Chris\Desktop\NPE.exe 2012-07-11 18:38 - 2012-07-11 18:38 - 00000000 ____D C:\Users\Chris\AppData\Local\{FC8D9881-DDF4-4F66-9F70-8E1367413F52} 2012-07-11 18:38 - 2012-07-11 18:38 - 00000000 ____D C:\Users\Chris\AppData\Local\{9705322E-B424-4F4E-9649-0E102549FFDB} 2012-07-11 17:50 - 2012-07-11 17:50 - 00000040 ____A C:\Users\Chris\Desktop\Medfos.B.txt 2012-07-11 06:19 - 2012-07-11 06:19 - 00000000 ____D C:\Users\Chris\AppData\Local\{B63D8129-8E35-4C66-9280-458FD5662374} 2012-07-11 06:02 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll 2012-07-11 06:02 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll 2012-07-11 06:02 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll 2012-07-11 06:02 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll 2012-07-11 06:02 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll 2012-07-11 06:02 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll 2012-07-11 06:02 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll 2012-07-11 06:02 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll 2012-07-11 06:02 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys 2012-07-11 06:02 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys 2012-07-11 06:02 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys 2012-07-11 06:02 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll 2012-07-11 06:02 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll 2012-07-11 06:02 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll 2012-07-11 06:02 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll 2012-07-11 06:02 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll 2012-07-11 06:02 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll 2012-07-11 06:02 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll 2012-07-11 06:02 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll 2012-07-10 18:19 - 2012-07-10 18:19 - 00000000 ____D C:\Users\Chris\AppData\Local\{F0A8B09F-4C79-41AA-930B-9363C4AE1D09} 2012-07-09 18:19 - 2012-07-11 06:19 - 00000000 ____D C:\Users\Chris\AppData\Local\{5D830187-D0EB-4AEB-8C07-7125D1318D3F} 2012-07-09 18:19 - 2012-07-09 18:19 - 00000000 ____D C:\Users\Chris\AppData\Local\{F5E49FAD-89A3-475A-9315-6171E08A5715} 2012-07-09 05:49 - 2012-07-09 05:49 - 00000000 ____D C:\Users\Chris\AppData\Local\{E4FE4FF7-A7A5-4729-9819-4F98021A3AD5} 2012-07-08 05:40 - 2012-07-08 05:40 - 00000000 ____D C:\Users\Chris\AppData\Local\{D0DF1F0B-6AD1-42AB-8852-419DF09B4FE2} 2012-07-07 07:06 - 2012-07-07 07:07 - 00000000 ____D C:\Users\Chris\AppData\Local\{043E782E-761B-45F8-88A2-104616396C20} 2012-07-06 19:00 - 2012-07-09 05:49 - 00000000 ____D C:\Users\Chris\AppData\Local\{48BD459C-8BC6-47B7-8977-3FAD6CC46FE8} 2012-07-06 19:00 - 2012-07-06 19:01 - 00000000 ____D C:\Users\Chris\AppData\Local\{DCCF6649-4BF3-4DA0-82F7-EB5DBE8C2C24} 2012-07-06 03:47 - 2012-07-06 03:47 - 00000000 ____D C:\Users\Chris\AppData\Local\{7B47CC37-4A4D-461F-84FD-8DAAD55411C8} 2012-07-05 06:21 - 2012-07-06 03:47 - 00000000 ____D C:\Users\Chris\AppData\Local\{49E0ECB1-D8A3-47A8-9F33-7E6A4692F1D7} 2012-07-05 06:21 - 2012-07-05 06:21 - 00000000 ____D C:\Users\Chris\AppData\Local\{C3EAE9B0-A7BC-4457-88FA-B48B8D367A18} 2012-07-04 18:20 - 2012-07-04 18:20 - 00000000 ____D C:\Users\Chris\AppData\Local\{44B9A944-75E6-4454-889C-972190C66D13} 2012-07-04 18:20 - 2012-07-04 18:20 - 00000000 ____D C:\Users\Chris\AppData\Local\{32B82434-477D-4FA2-BF05-39E5F7F65A1F} 2012-07-04 06:19 - 2012-07-04 06:20 - 00000000 ____D C:\Users\Chris\AppData\Local\{268D831B-6255-4F07-AC18-387BE247C9FC} 2012-07-04 06:19 - 2012-07-04 06:19 - 00000000 ____D C:\Users\Chris\AppData\Local\{32E1E6F6-1009-4AC6-8F2D-BF3AA6BBBB2D} 2012-07-03 19:35 - 2012-07-03 19:35 - 00000000 ____D C:\Users\Chris\AppData\Local\{C5C37CC6-8DAA-4E13-84F3-7FDAEF0B2F6B} 2012-07-03 07:35 - 2012-07-03 07:35 - 00000000 ____D C:\Users\Chris\AppData\Local\{F2BDFD0F-42F1-4C04-BC5C-DCB4131098F7} 2012-07-02 19:55 - 2012-07-03 07:35 - 00000000 ____D C:\Users\Chris\AppData\Local\{10AB0183-7548-4ECC-ABBA-8FE041769DD6} 2012-07-02 07:34 - 2012-07-02 07:34 - 00000000 ____D C:\Users\Chris\AppData\Local\{6BE8D371-E6C8-4DB5-806B-B6E3A0B81A50} 2012-07-01 19:34 - 2012-07-01 19:34 - 00000000 ____D C:\Users\Chris\AppData\Local\{4DDAF9FA-F24F-4033-AFBA-852628A500F8} 2012-07-01 07:33 - 2012-07-01 07:34 - 00000000 ____D C:\Users\Chris\AppData\Local\{B0D55516-F1C5-4B20-925E-2B1A368355C7} 2012-07-01 07:32 - 2012-07-02 07:34 - 00000000 ____D C:\Users\Chris\AppData\Local\{46A20BBD-4A69-4377-B20C-2B281CE6CDEC} 2012-06-29 20:44 - 2012-06-29 20:45 - 00000000 ____D C:\Users\Chris\AppData\Local\{3ABD4139-6F9A-4C7A-8785-8A9D1C2027E1} 2012-06-29 06:16 - 2012-06-29 06:16 - 00000000 ____D C:\Users\Chris\AppData\Local\{67C0731D-7858-4033-8AD3-129CFD80C3C2} 2012-06-28 18:16 - 2012-06-28 18:16 - 00000000 ____D C:\Users\Chris\AppData\Local\{2DE6CE17-8599-40E0-A98B-A051F183A24B} 2012-06-28 18:15 - 2012-06-29 20:44 - 00000000 ____D C:\Users\Chris\AppData\Local\{A2257105-537A-41E2-9AA9-D8D547206F6B} 2012-06-28 05:26 - 2012-06-28 05:26 - 00000000 ____D C:\Users\Chris\AppData\Local\{23E4E8D5-6638-4488-9D47-6A654EBF547C} 2012-06-27 09:49 - 2012-06-28 05:26 - 00000000 ____D C:\Users\Chris\AppData\Local\{B52F9A5E-971F-4F9D-99B9-36869D0D28EF} 2012-06-27 07:19 - 2012-06-27 07:19 - 00000696 ____A C:\Users\Chris\Downloads\Downloads - Shortcut.lnk 2012-06-26 17:53 - 2012-06-26 17:54 - 00000000 ____D C:\Users\Chris\AppData\Local\{FE877841-C08B-4A71-862D-11E5F4513B73} 2012-06-26 17:53 - 2012-06-26 17:53 - 00000000 ____D C:\Users\Chris\AppData\Local\{30F5788D-9C67-4559-BD8F-0801BB9693AB} 2012-06-26 17:42 - 2012-06-26 17:42 - 00000000 ____D C:\Windows\WPDeviceManager 2012-06-26 07:47 - 2012-06-26 07:47 - 00000000 ____D C:\Users\Chris\Desktop\GMAT 2012-06-26 05:53 - 2012-06-26 05:53 - 00000000 ____D C:\Users\Chris\AppData\Local\{861AF3D2-210E-4521-9CDD-1BBA18333DF1} 2012-06-26 05:53 - 2012-06-26 05:53 - 00000000 ____D C:\Users\Chris\AppData\Local\{697AA032-2C53-4749-966F-8AB40976FEBE} 2012-06-25 16:11 - 2012-06-25 16:11 - 00001252 ____A C:\Users\Chris\Desktop\GMAT - Shortcut.lnk 2012-06-25 12:04 - 2012-06-25 12:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml4.dll 2012-06-25 09:24 - 2012-06-25 09:24 - 00000920 ____A C:\Users\Public\Desktop\calibre - E-book management.lnk 2012-06-25 05:43 - 2012-06-25 05:44 - 00000000 ____D C:\Users\Chris\AppData\Local\{7217DEF1-1C00-4F44-995B-BC9C19D37C12} 2012-06-24 08:18 - 2012-06-24 08:19 - 00000000 ____D C:\Users\Chris\AppData\Local\{E6756747-E5F3-4233-8A9F-4677507BBBEE} 2012-06-23 16:45 - 2012-06-23 16:45 - 00000000 ____D C:\Users\Chris\AppData\Local\{B1EEC9F0-085F-4F62-B099-CC60A99FC2E4} 2012-06-23 04:44 - 2012-06-23 04:45 - 00000000 ____D C:\Users\Chris\AppData\Local\{FE86E4D8-32D4-4FD0-B6A1-5A4FC26BB90A} 2012-06-22 08:48 - 2012-06-22 08:48 - 00000000 ____D C:\Users\Chris\AppData\Local\{47CCA60B-CCF1-4B04-988A-9297D8C16489} 2012-06-21 13:51 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll 2012-06-21 13:51 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll 2012-06-21 13:51 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe 2012-06-21 13:51 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll 2012-06-21 13:51 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll 2012-06-21 13:51 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll 2012-06-21 13:51 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll 2012-06-21 13:51 - 2012-06-02 11:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll 2012-06-21 13:51 - 2012-06-02 11:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe 2012-06-20 07:05 - 2012-06-20 07:05 - 00000000 ____D C:\Users\Chris\AppData\Local\{6C7E9A9D-21CC-409E-9135-930C02AFB6D3} 2012-06-19 19:05 - 2012-06-19 19:05 - 00000000 ____D C:\Users\Chris\AppData\Local\{60955BD2-21EE-442E-9EC9-FD652262004E} 2012-06-19 05:51 - 2012-06-19 05:51 - 00000000 ____D C:\Users\Chris\AppData\Local\{EEB3CB38-4CC3-4066-A0DB-80A41FD74DA4} 2012-06-18 12:22 - 2012-06-25 05:43 - 00000000 ____D C:\Users\Chris\AppData\Local\{FD0F6870-F8BA-4621-AAB1-BC83D648D363} 2012-06-17 22:09 - 2012-06-17 22:09 - 00000246 ____A C:\Users\Chris\Documents\ax_files.xml 2012-06-17 22:01 - 2012-06-17 22:01 - 00000000 ____D C:\Users\Chris\Documents\Alcohol 52% 2012-06-17 21:58 - 2012-06-17 21:58 - 00001137 ____A C:\Users\Public\Desktop\Alcohol 52%.lnk 2012-06-17 21:58 - 2012-06-17 21:58 - 00000000 ____D C:\Program Files (x86)\Alcohol Soft 2012-06-17 21:56 - 2012-06-17 21:56 - 02748420 ____A C:\Users\Chris\Desktop\IMG.psd 2012-06-17 21:56 - 2012-06-17 21:56 - 01242402 ____A C:\Users\Chris\Desktop\Untitled-1.psd 2012-06-17 21:56 - 2012-06-17 21:56 - 00560184 ____A (Duplex Secure Ltd.) C:\Windows\System32\Drivers\sptd.sys 2012-06-17 20:22 - 2012-06-17 20:22 - 00000000 ____D C:\Users\Chris\AppData\Local\{A4CE9EBC-FA89-48CA-83B6-931422D02767} 2012-06-17 18:52 - 2012-06-17 18:52 - 00000000 ____D C:\Users\Chris\AppData\Local\{38531D43-B887-4C9D-9E19-07CD042C492F} ============ 3 Months Modified Files ======================== 2012-07-14 12:18 - 2012-07-13 15:47 - 00148320 ____A C:\Windows\WindowsUpdate.log 2012-07-14 12:17 - 2009-07-13 21:13 - 00786810 ____A C:\Windows\System32\PerfStringBackup.INI 2012-07-14 12:15 - 2012-07-13 15:44 - 00002250 ____A C:\Windows\setupact.log 2012-07-14 12:11 - 2012-03-31 18:39 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job 2012-07-14 12:09 - 2009-07-13 20:45 - 00010112 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2012-07-14 12:09 - 2009-07-13 20:45 - 00010112 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2012-07-14 12:06 - 2012-07-14 12:06 - 00002325 ____A C:\Users\Chris\Desktop\RKreport[3].txt 2012-07-14 12:01 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2012-07-14 11:59 - 2012-07-14 11:59 - 00002307 ____A C:\Users\Chris\Desktop\RKreport[2].txt 2012-07-14 11:32 - 2012-07-13 16:30 - 00002822 ____A C:\Windows\PFRO.log 2012-07-14 11:28 - 2012-07-14 11:28 - 00596480 ____A (OldTimer Tools) C:\Users\Chris\Desktop\OTL.exe 2012-07-14 11:14 - 2012-07-14 11:14 - 00031710 ____A C:\ComboFix.txt 2012-07-14 10:51 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini 2012-07-14 09:16 - 2011-01-24 18:28 - 00000362 _RASH C:\Users\All Users\ntuser.pol 2012-07-14 09:05 - 2012-07-14 09:05 - 04579346 ____R (Swearware) C:\Users\Chris\Desktop\ComboFix.exe 2012-07-14 08:30 - 2012-07-14 08:30 - 00002538 ____A C:\Users\Chris\Desktop\RKreport[1].txt 2012-07-14 08:27 - 2012-07-14 08:27 - 01558528 ____A C:\Users\Chris\Desktop\RogueKiller.exe 2012-07-14 07:32 - 2011-04-05 21:21 - 01220096 __ASH C:\Users\Chris\Desktop\Thumbs.db 2012-07-14 07:20 - 2012-07-14 07:20 - 00024413 ____A C:\Users\Chris\Desktop\Attach.txt 2012-07-14 07:18 - 2012-07-14 07:18 - 00034669 ____A C:\Users\Chris\Desktop\DDS.txt 2012-07-14 07:05 - 2012-07-14 07:05 - 00607260 ____A (Swearware) C:\Users\Chris\Desktop\dds.com 2012-07-14 06:54 - 2012-07-14 06:54 - 00607260 ____R (Swearware) C:\Users\Chris\Desktop\dds.scr 2012-07-14 01:05 - 2012-07-14 01:05 - 00010900 ____A C:\Users\Chris\Desktop\Book1.xlsx 2012-07-13 22:19 - 2011-01-16 21:17 - 01424896 __ASH C:\Users\Chris\Documents\Thumbs.db 2012-07-13 15:44 - 2012-07-13 15:44 - 00000000 ____A C:\Windows\setuperr.log 2012-07-13 15:19 - 2012-07-13 15:19 - 00001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk 2012-07-12 04:43 - 2009-07-13 20:45 - 03090440 ____A C:\Windows\System32\FNTCACHE.DAT 2012-07-11 19:15 - 2011-01-05 20:15 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe 2012-07-11 19:13 - 2012-07-11 19:12 - 00002742 ____A C:\Users\Chris\Documents\registry changes backup 7-11-2012 cc_20120711_231209.reg 2012-07-11 18:50 - 2012-07-11 18:50 - 00000822 ____A C:\Users\Chris\Desktop\CCleaner.lnk 2012-07-11 18:47 - 2012-07-11 18:47 - 03889704 ____A (Piriform Ltd) C:\Users\Chris\Desktop\ccsetup320.exe 2012-07-11 18:40 - 2012-07-11 18:40 - 02841104 ____A (Symantec Corporation) C:\Users\Chris\Desktop\NPE.exe 2012-07-11 17:50 - 2012-07-11 17:50 - 00000040 ____A C:\Users\Chris\Desktop\Medfos.B.txt 2012-07-11 12:15 - 2012-03-31 18:39 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2012-07-11 12:15 - 2011-05-17 10:24 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2012-07-03 09:46 - 2011-08-15 16:17 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys 2012-06-29 07:33 - 2011-01-18 11:34 - 00015137 ____A C:\Users\Chris\Documents\Beyza Thinvelope Fitment.xlsx 2012-06-29 07:27 - 2011-01-18 11:34 - 00014625 ____A C:\Users\Chris\Documents\Phones.xlsx 2012-06-27 07:19 - 2012-06-27 07:19 - 00000696 ____A C:\Users\Chris\Downloads\Downloads - Shortcut.lnk 2012-06-26 15:02 - 2011-02-23 10:16 - 00007602 ____A C:\Users\Chris\AppData\Local\resmon.resmoncfg 2012-06-25 16:11 - 2012-06-25 16:11 - 00001252 ____A C:\Users\Chris\Desktop\GMAT - Shortcut.lnk 2012-06-25 12:04 - 2012-06-25 12:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml4.dll 2012-06-25 09:24 - 2012-06-25 09:24 - 00000920 ____A C:\Users\Public\Desktop\calibre - E-book management.lnk 2012-06-17 22:09 - 2012-06-17 22:09 - 00000246 ____A C:\Users\Chris\Documents\ax_files.xml 2012-06-17 21:58 - 2012-06-17 21:58 - 00001137 ____A C:\Users\Public\Desktop\Alcohol 52%.lnk 2012-06-17 21:56 - 2012-06-17 21:56 - 02748420 ____A C:\Users\Chris\Desktop\IMG.psd 2012-06-17 21:56 - 2012-06-17 21:56 - 01242402 ____A C:\Users\Chris\Desktop\Untitled-1.psd 2012-06-17 21:56 - 2012-06-17 21:56 - 00560184 ____A (Duplex Secure Ltd.) C:\Windows\System32\Drivers\sptd.sys 2012-06-17 20:40 - 2011-09-30 14:53 - 00036399 ____A C:\Users\Chris\AppData\Local\backup.vtp 2012-06-11 19:08 - 2012-07-11 19:19 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys 2012-06-08 21:43 - 2012-07-11 06:02 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll 2012-06-08 20:41 - 2012-07-11 06:02 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll 2012-06-07 19:49 - 2012-06-07 19:49 - 00001121 ____A C:\Users\Chris\Desktop\Audi TT - Shortcut.lnk 2012-06-05 22:06 - 2012-07-11 06:02 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll 2012-06-05 22:06 - 2012-07-11 06:02 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll 2012-06-05 22:02 - 2012-07-11 06:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll 2012-06-05 21:05 - 2012-07-11 06:02 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll 2012-06-05 21:05 - 2012-07-11 06:02 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll 2012-06-05 21:03 - 2012-07-11 06:02 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll 2012-06-02 14:19 - 2012-06-21 13:51 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll 2012-06-02 14:19 - 2012-06-21 13:51 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll 2012-06-02 14:19 - 2012-06-21 13:51 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe 2012-06-02 14:19 - 2012-06-21 13:51 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll 2012-06-02 14:19 - 2012-06-21 13:51 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll 2012-06-02 14:15 - 2012-06-21 13:51 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll 2012-06-02 14:15 - 2012-06-21 13:51 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll 2012-06-02 11:19 - 2012-06-21 13:51 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll 2012-06-02 11:15 - 2012-06-21 13:51 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe 2012-06-02 04:49 - 2012-07-11 19:14 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll 2012-06-02 04:17 - 2012-07-11 19:14 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll 2012-06-02 04:12 - 2012-07-11 19:14 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll 2012-06-02 04:05 - 2012-07-11 19:14 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll 2012-06-02 04:05 - 2012-07-11 19:14 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll 2012-06-02 04:04 - 2012-07-11 19:14 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl 2012-06-02 04:04 - 2012-07-11 19:14 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll 2012-06-02 04:03 - 2012-07-11 19:14 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll 2012-06-02 04:01 - 2012-07-11 19:14 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe 2012-06-02 04:00 - 2012-07-11 19:14 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll 2012-06-02 03:59 - 2012-07-11 19:14 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2012-06-02 03:57 - 2012-07-11 19:14 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb 2012-06-02 03:57 - 2012-07-11 19:14 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll 2012-06-02 03:54 - 2012-07-11 19:14 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll 2012-06-02 01:07 - 2012-07-11 19:14 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2012-06-02 00:43 - 2012-07-11 19:14 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2012-06-02 00:33 - 2012-07-11 19:14 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2012-06-02 00:26 - 2012-07-11 19:14 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2012-06-02 00:25 - 2012-07-11 19:14 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2012-06-02 00:25 - 2012-07-11 19:14 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2012-06-02 00:23 - 2012-07-11 19:14 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll 2012-06-02 00:21 - 2012-07-11 19:14 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2012-06-02 00:20 - 2012-07-11 19:14 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2012-06-02 00:19 - 2012-07-11 19:14 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2012-06-02 00:19 - 2012-07-11 19:14 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll 2012-06-02 00:17 - 2012-07-11 19:14 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2012-06-02 00:16 - 2012-07-11 19:14 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2012-06-02 00:14 - 2012-07-11 19:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2012-06-01 21:50 - 2012-07-11 06:02 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys 2012-06-01 21:48 - 2012-07-11 06:02 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys 2012-06-01 21:48 - 2012-07-11 06:02 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys 2012-06-01 21:45 - 2012-07-11 06:02 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll 2012-06-01 21:44 - 2012-07-11 06:02 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll 2012-06-01 20:40 - 2012-07-11 06:02 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll 2012-06-01 20:40 - 2012-07-11 06:02 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll 2012-06-01 20:39 - 2012-07-11 06:02 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll 2012-06-01 20:34 - 2012-07-11 06:02 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll 2012-05-31 19:43 - 2012-05-31 19:43 - 00001113 ____A C:\Users\Public\Desktop\Bluetooth Problem Report.lnk 2012-05-31 19:40 - 2012-05-31 19:41 - 00210984 ____A (Broadcom Corporation.) C:\Windows\System32\Drivers\btwavdt.sys 2012-05-31 19:40 - 2012-05-31 19:41 - 00184872 ____A (Broadcom Corporation.) C:\Windows\System32\Drivers\btwaudio.sys 2012-05-31 19:40 - 2012-05-31 19:41 - 00039976 ____A (Broadcom Corporation.) C:\Windows\System32\Drivers\btwl2cap.sys 2012-05-31 19:40 - 2012-05-31 19:41 - 00021544 ____A (Broadcom Corporation.) C:\Windows\System32\Drivers\btwrchid.sys 2012-05-31 19:40 - 2010-12-14 22:20 - 00594472 ____A (Broadcom Corporation.) C:\Windows\System32\Drivers\btwampfl.sys 2012-05-31 19:29 - 2011-01-05 11:35 - 00000021 ____A C:\Windows\Model.txt 2012-05-27 20:03 - 2012-05-27 20:03 - 00002526 ____A C:\Users\Chris\Desktop\Windows 7 USB DVD Download Tool.lnk 2012-05-04 03:06 - 2012-06-12 11:59 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe 2012-05-04 02:03 - 2012-06-12 11:59 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe 2012-05-04 02:03 - 2012-06-12 11:59 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe 2012-04-30 21:40 - 2012-06-12 11:59 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll 2012-04-29 23:01 - 2011-01-05 19:34 - 00001945 ____A C:\Windows\epplauncher.mif 2012-04-29 23:01 - 2011-01-05 19:27 - 00805710 ____A C:\Windows\SysWOW64\PerfStringBackup.INI 2012-04-27 19:55 - 2012-06-12 11:59 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys 2012-04-25 21:41 - 2012-06-12 11:59 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll 2012-04-25 21:41 - 2012-06-12 11:59 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll 2012-04-25 21:34 - 2012-06-12 11:59 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe 2012-04-23 21:37 - 2012-06-12 11:59 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll 2012-04-23 21:37 - 2012-06-12 11:59 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll 2012-04-23 21:37 - 2012-06-12 11:59 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll 2012-04-23 20:36 - 2012-06-12 11:59 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll 2012-04-23 20:36 - 2012-06-12 11:59 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll 2012-04-23 20:36 - 2012-06-12 11:59 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll 2012-04-19 14:34 - 2012-06-11 14:34 - 00066560 ____A (Nalpeiron Ltd.) C:\Windows\SysWOW64\nlssrv32.exe 2012-04-19 09:41 - 2012-04-19 09:41 - 00243100 ____A C:\Users\Chris\Documents\USAA Reward Redemption.xps ZeroAccess: C:\Windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694} C:\Windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\L C:\Windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\U ZeroAccess: C:\Users\Chris\AppData\Local\{c8347dac-c04f-371f-2862-2c27f80a4694} C:\Users\Chris\AppData\Local\{c8347dac-c04f-371f-2862-2c27f80a4694}\@ C:\Users\Chris\AppData\Local\{c8347dac-c04f-371f-2862-2c27f80a4694}\L C:\Users\Chris\AppData\Local\{c8347dac-c04f-371f-2862-2c27f80a4694}\U ========================= Known DLLs (Whitelisted) ============ ========================= Bamital & volsnap Check ============ C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ========================= Memory info ====================== Percentage of memory in use: 16% Total physical RAM: 3765.82 MB Available physical RAM: 3131.65 MB Total Pagefile: 3763.97 MB Available Pagefile: 3129.25 MB Total Virtual: 8192 MB Available Virtual: 8191.9 MB ======================= Partitions ========================= 1 Drive c: () (Fixed) (Total:226.99 GB) (Free:46.71 GB) NTFS ==>[system with boot components (obtained from reading drive)] 2 Drive e: (Recovery) (Fixed) (Total:11.39 GB) (Free:0.76 GB) NTFS ==>[system with boot components (obtained from reading drive)] 4 Drive g: () (Removable) (Total:1.95 GB) (Free:1.95 GB) FAT 5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS 6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.03 GB) NTFS ==>[system with boot components (obtained from reading drive)] Disk ### Status Size Free Dyn Gpt -------- ------------- ------- ------- --- --- Disk 0 Online 238 GB 0 B Disk 1 Online 1997 MB 0 B Partitions of Disk 0: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Recovery 11 GB 1024 KB Partition 2 Primary 100 MB 11 GB Partition 3 Primary 226 GB 11 GB ================================================================================== Disk: 0 Partition 1 Type : 27 Hidden: Yes Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 3 E Recovery NTFS Partition 11 GB Healthy Hidden ================================================================================== Disk: 0 Partition 2 Type : 07 Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 1 Y System Rese NTFS Partition 100 MB Healthy ================================================================================== Disk: 0 Partition 3 Type : 07 Hidden: No Active: No Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 2 C NTFS Partition 226 GB Healthy ================================================================================== Partitions of Disk 1: =============== Partition ### Type Size Offset ------------- ---------------- ------- ------- Partition 1 Primary 1996 MB 16 KB ================================================================================== Disk: 1 Partition 1 Type : 06 Hidden: No Active: Yes Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 4 G FAT Removable 1996 MB Healthy ================================================================================== ========================================================== Last Boot: 2012-07-08 09:50 ======================= End Of Log ==========================
-
RogueKiller found some stuff though RogueKiller V7.6.3 [07/08/2012] by Tigzy mail: tigzyRK<at>gmail<dot>com Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/ Blog: http://tigzyrk.blogspot.com Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version Started in : Normal mode User: Chris [Admin rights] Mode: Scan -- Date: 07/14/2012 16:06:33 ¤¤¤ Bad processes: 1 ¤¤¤ [sUSP PATH] SkyDrive.exe -- C:\Users\Chris\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe -> KILLED [TermProc] ¤¤¤ Registry Entries: 5 ¤¤¤ [sUSP PATH] HKCU\[...]\Run : SkyDrive ("C:\Users\Chris\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" /background) -> FOUND [sUSP PATH] HKUS\S-1-5-21-3163081078-1936475789-1318037429-1006[...]\Run : SkyDrive ("C:\Users\Chris\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" /background) -> FOUND [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ [ZeroAccess][FOLDER] U : c:\windows\installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\U --> FOUND [ZeroAccess][FOLDER] L : c:\windows\installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\L --> FOUND [ZeroAccess][FILE] @ : c:\users\chris\appdata\local\{c8347dac-c04f-371f-2862-2c27f80a4694}\@ --> FOUND [ZeroAccess][FOLDER] U : c:\users\chris\appdata\local\{c8347dac-c04f-371f-2862-2c27f80a4694}\U --> FOUND [ZeroAccess][FOLDER] L : c:\users\chris\appdata\local\{c8347dac-c04f-371f-2862-2c27f80a4694}\L --> FOUND ¤¤¤ Driver: [NOT LOADED] ¤¤¤ ¤¤¤ Infection : ZeroAccess ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ 127.0.0.1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: Volume0 +++++ --- User --- [MBR] 617d3c715ac63a654f92f626b16eb325 [bSP] a9707318c43c5b2342c276b877c3e886 : Windows 7 MBR Code Partition table: 0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 11665 Mo 1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 23891968 | Size: 100 Mo 2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 24096768 | Size: 232437 Mo User = LL1 ... OK! Error reading LL2 MBR! Finished : << RKreport[3].txt >> RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
-
Quick Scan in Malware-Bytes Anti Malware found nothing: Malwarebytes Anti-Malware (Trial) 1.62.0.1300 www.malwarebytes.org Database version: v2012.07.14.07 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 Chris :: CHRIS-VAIO-Z [administrator] Protection: Enabled 7/14/2012 4:03:17 PM mbam-log-2012-07-14 (16-03-17).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P Scan options disabled: Objects scanned: 273288 Time elapsed: 1 minute(s), 3 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end)
-
All processes killed ========== SERVICES/DRIVERS ========== Service exxqttpf stopped successfully! Service exxqttpf deleted successfully! ========== FILES ========== File\Folder c:\windows\system32\drivers\exxqttpf.sys not found. ========== COMMANDS ========== [EMPTYJAVA] User: All Users User: boinc_master User: Chris ->Java cache emptied: 0 bytes User: Default User: Default User User: HomeGroupUser$ User: Mcx1-CHRIS-VAIO-Z User: Public Total Java Files Cleaned = 0.00 mb [EMPTYTEMP] User: All Users User: boinc_master ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes ->Flash cache emptied: 41620 bytes User: Chris ->Temp folder emptied: 4803072 bytes ->Temporary Internet Files folder emptied: 461364 bytes ->Java cache emptied: 0 bytes ->FireFox cache emptied: 44393105 bytes ->Opera cache emptied: 52094508 bytes ->Flash cache emptied: 1212656 bytes User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes ->Flash cache emptied: 56478 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes ->Flash cache emptied: 0 bytes User: HomeGroupUser$ ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes User: Mcx1-CHRIS-VAIO-Z ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes ->Flash cache emptied: 56502 bytes User: Public ->Temp folder emptied: 0 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32 (64bit) .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 0 bytes %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 84727 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 98.00 mb OTL by OldTimer - Version 3.2.54.0 log created on 07142012_153032 Files\Folders moved on Reboot... C:\Users\Chris\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully. File\Folder C:\Users\Chris\AppData\Local\Temp\~DF0F314E6CF72F4DAC.TMP not found! File\Folder C:\Users\Chris\AppData\Local\Temp\~DF146130237C3BA4D3.TMP not found! File\Folder C:\Users\Chris\AppData\Local\Temp\~DF2F8F2CF16CE85F33.TMP not found! File\Folder C:\Users\Chris\AppData\Local\Temp\~DF607F1395328DCE66.TMP not found! File\Folder C:\Users\Chris\AppData\Local\Temp\~DF9699A16764A9C950.TMP not found! File\Folder C:\Users\Chris\AppData\Local\Temp\~DFCC5E44925963E5CE.TMP not found! File\Folder C:\Users\Chris\AppData\Local\Temp\~DFD71683DC56BA284E.TMP not found! File\Folder C:\Users\Chris\AppData\Local\Temp\~DFDBA2A8932544C246.TMP not found! File\Folder C:\Users\Chris\AppData\Local\Temp\~DFEBFA5E9A2287B486.TMP not found! File\Folder C:\Users\Chris\AppData\Local\Temp\~DFF1EDBBF201CEAE21.TMP not found! PendingFileRenameOperations files... File C:\Users\Chris\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found! File C:\Users\Chris\AppData\Local\Temp\~DF0F314E6CF72F4DAC.TMP not found! File C:\Users\Chris\AppData\Local\Temp\~DF146130237C3BA4D3.TMP not found! File C:\Users\Chris\AppData\Local\Temp\~DF2F8F2CF16CE85F33.TMP not found! File C:\Users\Chris\AppData\Local\Temp\~DF607F1395328DCE66.TMP not found! File C:\Users\Chris\AppData\Local\Temp\~DF9699A16764A9C950.TMP not found! File C:\Users\Chris\AppData\Local\Temp\~DFCC5E44925963E5CE.TMP not found! File C:\Users\Chris\AppData\Local\Temp\~DFD71683DC56BA284E.TMP not found! File C:\Users\Chris\AppData\Local\Temp\~DFDBA2A8932544C246.TMP not found! File C:\Users\Chris\AppData\Local\Temp\~DFEBFA5E9A2287B486.TMP not found! File C:\Users\Chris\AppData\Local\Temp\~DFF1EDBBF201CEAE21.TMP not found! Registry entries deleted on Reboot...
-
Log files!
-
Crossing my fingers, I used the script that you posted. ComboFix 12-07-14.01 - Chris 07/14/2012 14:42:29.3.4 - x64 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3766.2092 [GMT -4:00] Running from: c:\users\Chris\Desktop\ComboFix.exe Command switches used :: c:\users\Chris\Desktop\CFScript.txt AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6} SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((( Files Created from 2012-06-14 to 2012-07-14 ))))))))))))))))))))))))))))))) . . 2012-07-14 18:50 . 2012-07-14 18:50 -------- d-----w- c:\users\Mcx1-CHRIS-VAIO-Z\AppData\Local\temp 2012-07-14 18:50 . 2012-07-14 18:50 -------- d-----w- c:\users\HomeGroupUser$\AppData\Local\temp 2012-07-14 18:50 . 2012-07-14 18:50 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-07-14 18:50 . 2012-07-14 18:50 -------- d-----w- c:\users\boinc_master\AppData\Local\temp 2012-07-14 00:32 . 2012-07-14 00:32 -------- d-----w- c:\programdata\GFI Software 2012-07-13 23:41 . 2012-07-14 13:28 -------- d-----w- c:\users\Chris\AppData\Local\NPE 2012-07-13 23:19 . 2012-07-13 23:19 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware 2012-07-13 04:27 . 2012-07-13 04:27 -------- d-sh--w- c:\windows\SysWow64\%APPDATA% 2012-07-12 03:19 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys 2012-07-12 02:50 . 2012-07-12 02:50 -------- d-----w- c:\program files\CCleaner 2012-07-12 01:45 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{16708B18-09A5-485B-B1C3-96D0AD8A6E83}\mpengine.dll 2012-07-11 00:51 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-07-04 01:32 . 2012-02-12 05:19 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1F0811E6-558E-49CD-A62C-A2304026AD92}\gapaengine.dll 2012-06-27 01:42 . 2012-06-27 01:42 -------- d-----w- c:\windows\WPDeviceManager 2012-06-25 20:04 . 2012-06-25 20:04 1394248 ----a-w- c:\windows\SysWow64\msxml4.dll 2012-06-21 21:51 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll 2012-06-21 21:51 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-21 21:51 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-21 21:51 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll 2012-06-21 21:51 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll 2012-06-21 21:51 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll 2012-06-21 21:51 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll 2012-06-21 21:51 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-21 21:51 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe 2012-06-20 17:45 . 2012-06-20 17:45 -------- d-----w- C:\SkyDriveTemp 2012-06-18 05:58 . 2012-06-18 05:58 -------- d-----w- c:\program files (x86)\Alcohol Soft 2012-06-18 05:56 . 2012-06-18 05:56 560184 ----a-w- c:\windows\system32\drivers\sptd.sys . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-07-11 20:15 . 2012-04-01 02:39 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-07-11 20:15 . 2011-05-17 18:24 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-07-03 17:46 . 2011-08-16 00:17 24904 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-06-01 03:40 . 2012-06-01 03:41 39976 ----a-w- c:\windows\system32\drivers\btwl2cap.sys 2012-06-01 03:40 . 2012-06-01 03:41 210984 ----a-w- c:\windows\system32\drivers\btwavdt.sys 2012-06-01 03:40 . 2012-06-01 03:41 184872 ----a-w- c:\windows\system32\drivers\btwaudio.sys 2012-06-01 03:40 . 2010-12-15 06:20 594472 ----a-w- c:\windows\system32\drivers\btwampfl.sys 2012-06-01 03:40 . 2012-06-01 03:41 21544 ----a-w- c:\windows\system32\drivers\btwrchid.sys 2012-05-28 04:03 . 2012-05-28 04:03 119808 ----a-r- c:\users\Chris\AppData\Roaming\Microsoft\Installer\{CCF298AF-9CE1-4B26-B251-486E98A34789}\icons.exe 2012-05-04 11:06 . 2012-06-12 19:59 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-05-04 10:03 . 2012-06-12 19:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe 2012-05-04 10:03 . 2012-06-12 19:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe 2012-05-01 05:40 . 2012-06-12 19:59 209920 ----a-w- c:\windows\system32\profsvc.dll 2012-04-28 03:55 . 2012-06-12 19:59 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-04-26 05:41 . 2012-06-12 19:59 77312 ----a-w- c:\windows\system32\rdpwsx.dll 2012-04-26 05:41 . 2012-06-12 19:59 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll 2012-04-26 05:34 . 2012-06-12 19:59 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe 2012-04-24 05:37 . 2012-06-12 19:59 184320 ----a-w- c:\windows\system32\cryptsvc.dll 2012-04-24 05:37 . 2012-06-12 19:59 140288 ----a-w- c:\windows\system32\cryptnet.dll 2012-04-24 05:37 . 2012-06-12 19:59 1462272 ----a-w- c:\windows\system32\crypt32.dll 2012-04-24 04:36 . 2012-06-12 19:59 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll 2012-04-24 04:36 . 2012-06-12 19:59 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll 2012-04-24 04:36 . 2012-06-12 19:59 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll 2012-04-19 22:34 . 2012-06-11 22:34 66560 ----a-w- c:\windows\SysWow64\nlssrv32.exe 2006-05-03 18:06 163328 --sha-r- c:\windows\SysWOW64\flvDX.dll 2007-02-21 19:47 31232 --sha-r- c:\windows\SysWOW64\msfDX.dll 2008-03-16 21:30 216064 --sha-r- c:\windows\SysWOW64\nbDX.dll 2010-01-07 06:00 107520 --sha-r- c:\windows\SysWOW64\TAKDSDecoder.dll . . ((((((((((((((((((((((((((((( SnapShot@2012-07-14_17.16.11 ))))))))))))))))))))))))))))))))))))))))) . + 2010-07-19 20:30 . 2012-07-14 18:06 75396 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin + 2009-07-14 05:10 . 2012-07-14 18:06 36922 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin + 2011-01-05 19:47 . 2012-07-14 18:06 6570 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3163081078-1936475789-1318037429-1006_UserData.bin - 2011-01-05 19:47 . 2012-07-14 17:11 6570 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3163081078-1936475789-1318037429-1006_UserData.bin + 2010-07-19 20:28 . 2012-07-14 18:04 5457 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat - 2010-07-19 20:28 . 2012-07-14 17:09 5457 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat + 2012-07-14 18:04 . 2012-07-14 18:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat + 2012-07-14 18:04 . 2012-07-14 18:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat - 2012-07-14 17:15 . 2012-07-14 17:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat + 2009-07-14 02:36 . 2012-07-14 18:09 668892 c:\windows\system32\perfh009.dat - 2009-07-14 02:36 . 2012-07-14 17:14 668892 c:\windows\system32\perfh009.dat + 2009-07-14 02:36 . 2012-07-14 18:09 124658 c:\windows\system32\perfc009.dat - 2009-07-14 02:36 . 2012-07-14 17:14 124658 c:\windows\system32\perfc009.dat - 2009-07-14 05:01 . 2012-07-14 17:15 522756 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat + 2009-07-14 05:01 . 2012-07-14 18:04 522756 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat - 2010-12-15 07:31 . 2012-07-14 17:09 3428656 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat + 2010-12-15 07:31 . 2012-07-14 17:46 3428656 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat + 2011-01-05 15:08 . 2012-07-14 17:45 7471216 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3163081078-1936475789-1318037429-1006-8192.dat - 2011-01-05 15:08 . 2012-07-14 17:09 7471216 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3163081078-1936475789-1318037429-1006-8192.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1] @="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}" [HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}] 2012-07-13 13:39 220632 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2] @="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}" [HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}] 2012-07-13 13:39 220632 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3] @="{BBACC218-34EA-4666-9D7A-C78F2274A524}" [HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}] 2012-07-13 13:39 220632 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584] "ChmZoomer"="c:\program files (x86)\ChmZoomer\ChmZoomer.exe" [2010-08-13 962560] "OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-22 718720] "SkyDrive"="c:\users\Chris\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" [2012-07-13 238552] "AlcoholAutomount"="c:\program files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" [2012-01-05 75624] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696] "SmartWiHelper"="c:\program files (x86)\Sony\SmartWi Connection Utility\SmartWiHelper.exe" [2010-07-15 89080] "ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2010-06-01 673136] "PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2010-06-01 600928] "AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696] "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920] . c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ AccuWeather.lnk - c:\program files (x86)\AccuWeather.com Cirrus\AccuWeather.com Cirrus.exe [N/A] Dropbox.lnk - c:\users\Chris\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840] OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712] RT-Updater.lnk - c:\ross-tech\VCDS\VCDS.EXE [2012-3-28 933448] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2012-4-1 1390368] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) "DisableCAD"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "UseDefaultTile"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "mixer5"=wdmaud.drv . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli c:\program files\Protector Suite\psqlpwd.dll c:\program files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . R1 exxqttpf;exxqttpf;c:\windows\system32\drivers\exxqttpf.sys [x] R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x] R2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;c:\program files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe [2012-01-05 75624] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 DirMngr;DirMngr;c:\program files (x86)\GNU\GnuPG\dirmngr.exe [2011-03-02 224256] R2 MouseWithoutBordersSvc;Mouse without Borders Service;c:\program files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersSvc.exe [2011-08-31 17920] R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-05 160944] R2 WnsDrvr;WnsDrvr; [x] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 250056] R3 ALSysIO;ALSysIO;c:\users\Chris\AppData\Local\Temp\ALSysIO64.sys [x] R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560] R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-01-06 1038088] R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688] R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696] R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2010-06-22 86120] R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184] R3 RT-USB;Ross-Tech USB driver;c:\windows\system32\drivers\RT-USB64.SYS [2010-06-16 70984] R3 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2010-06-21 108400] R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2010-06-18 423280] R3 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2010-06-21 67952] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392] R3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgx64gps.sys [x] R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2010-06-09 537456] R3 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2010-06-09 384880] R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2010-06-09 101232] R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2010-11-20 16384] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-06 1255736] R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2011-08-05 306400] R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184] S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x] S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928] S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336] S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944] S2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\amd64\novacomd.exe [2011-03-15 71168] S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344] S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2010-06-01 367456] S2 rimspci;rimspci;c:\windows\system32\drivers\rimssne64.sys [2010-06-18 94208] S2 risdsnpe;risdsnpe;c:\windows\system32\drivers\risdsne64.sys [2010-07-12 78848] S2 RtkAudioService;Realtek Audio Service;c:\program files\Realtek\Audio\HDA\RtkAudioService64.exe [2010-06-18 190496] S2 uCamMonitor;CamMonitor;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2008-09-18 104960] S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-02-23 2320920] S2 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2010-06-22 575856] S2 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2010-06-17 851824] S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2009-05-26 19968] S3 BTHprint;Microsoft Bluetooth Printer Class;c:\windows\system32\DRIVERS\bthprint.sys [2009-07-14 67072] S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2012-06-01 594472] S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2012-06-01 39976] S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2010-03-08 294064] S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys [2009-09-17 56344] S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-06-18 151936] S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904] S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-05-31 7689216] S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2010-04-26 12032] S3 SpfService;VAIO Entertainment Common Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe [2010-06-07 304496] S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920] . . Contents of the 'Scheduled Tasks' folder . 2012-07-14 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 20:15] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1] @="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}" [HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}] 2012-07-13 13:39 244688 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2] @="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}" [HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}] 2012-07-13 13:39 244688 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3] @="{BBACC218-34EA-4666-9D7A-C78F2274A524}" [HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}] 2012-07-13 13:39 244688 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\HardLinkMenu] @="{0A479751-02BC-11d3-A855-0004AC2568AA}" [HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568AA}] 2012-05-27 19:50 522440 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHardLink] @="{0A479751-02BC-11d3-A855-0004AC2568DD}" [HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568DD}] 2012-05-27 19:50 522440 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlaySymbolicLink] @="{0A479751-02BC-11d3-A855-0004AC2568EE}" [HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568EE}] 2012-05-27 19:50 522440 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay] @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}" [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}] 2010-04-27 23:48 5947656 ----a-w- c:\program files\Protector Suite\farchns.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen] @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}" [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}] 2010-04-27 23:48 5947656 ----a-w- c:\program files\Protector Suite\farchns.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-22 166424] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-22 390680] "Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-22 410136] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-04 16414824] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-18 9962016] "vncutil"="c:\program files\Realtek\Audio\HDA\vncutil64.exe" [2010-06-18 475680] "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU] "PSQLLauncher"="c:\program files\Protector Suite\launcher.exe" [2010-04-27 84744] "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 660360] "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 163552] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168] . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm uStart Page = about:blank mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT mLocal Page = c:\windows\SysWOW64\blank.htm IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105 Trusted Zone: fordham.edu\tegrity.lawnet Trusted Zone: tulane.edu\libproxy Trusted Zone: tulane.edu\tegrity.caeph Trusted Zone: tulane.edu\tmedweb TCP: DhcpNameServer = 192.168.1.1 DPF: {54EABC7D-40DC-4667-8517-F42D00540342} - hxxp://tegrity.caeph.tulane.edu/tegrity/_Player/1.0/Code/DRMActiveX.CAB FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\ut2plr24.default\ FF - prefs.js: browser.startup.homepage - hxxp://xfinitytv.comcast.net/ FF - prefs.js: network.proxy.type - 0 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} FF - Ext: CHM Reader: {6e098d65-7d2d-46d4-ada0-2f882a29f795} - %profile%\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795} FF - Ext: Auto Reload: autoreload@yz.com - %profile%\extensions\autoreload@yz.com FF - Ext: Widevine Media Transformer Plugin: widevinemediatransformer@widevine - %profile%\extensions\widevinemediatransformer@widevine FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Chris\AppData\Roaming\Move Networks . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services] "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2012-07-14 15:14:35 ComboFix-quarantined-files.txt 2012-07-14 19:14 ComboFix2.txt 2012-07-14 18:02 ComboFix3.txt 2012-07-14 17:17 . Pre-Run: 50,140,614,656 bytes free Post-Run: 50,075,799,552 bytes free . - - End Of File - - 6A69ED700B5BCCAF551F7AEACEB00A49
-
Hi MrC here are the results of the second combofix results using your script ComboFix 12-07-14.01 - Chris 07/14/2012 13:37:42.2.4 - x64 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3766.2127 [GMT -4:00] Running from: c:\users\Chris\Desktop\ComboFix.exe Command switches used :: c:\users\Chris\Desktop\CFScript.txt AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6} SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((( Files Created from 2012-06-14 to 2012-07-14 ))))))))))))))))))))))))))))))) . . 2012-07-14 17:45 . 2012-07-14 17:45 -------- d-----w- c:\users\Mcx1-CHRIS-VAIO-Z\AppData\Local\temp 2012-07-14 17:45 . 2012-07-14 17:45 -------- d-----w- c:\users\HomeGroupUser$\AppData\Local\temp 2012-07-14 17:45 . 2012-07-14 17:45 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-07-14 17:45 . 2012-07-14 17:45 -------- d-----w- c:\users\boinc_master\AppData\Local\temp 2012-07-14 00:32 . 2012-07-14 00:32 -------- d-----w- c:\programdata\GFI Software 2012-07-13 23:41 . 2012-07-14 13:28 -------- d-----w- c:\users\Chris\AppData\Local\NPE 2012-07-13 23:19 . 2012-07-13 23:19 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware 2012-07-13 04:27 . 2012-07-13 04:27 -------- d-sh--w- c:\windows\SysWow64\%APPDATA% 2012-07-12 03:19 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys 2012-07-12 02:50 . 2012-07-12 02:50 -------- d-----w- c:\program files\CCleaner 2012-07-12 01:45 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{16708B18-09A5-485B-B1C3-96D0AD8A6E83}\mpengine.dll 2012-07-11 00:51 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-07-04 01:32 . 2012-02-12 05:19 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1F0811E6-558E-49CD-A62C-A2304026AD92}\gapaengine.dll 2012-06-27 01:42 . 2012-06-27 01:42 -------- d-----w- c:\windows\WPDeviceManager 2012-06-25 20:04 . 2012-06-25 20:04 1394248 ----a-w- c:\windows\SysWow64\msxml4.dll 2012-06-21 21:51 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll 2012-06-21 21:51 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-21 21:51 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-21 21:51 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll 2012-06-21 21:51 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll 2012-06-21 21:51 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll 2012-06-21 21:51 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll 2012-06-21 21:51 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-21 21:51 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe 2012-06-20 17:45 . 2012-06-20 17:45 -------- d-----w- C:\SkyDriveTemp 2012-06-18 05:58 . 2012-06-18 05:58 -------- d-----w- c:\program files (x86)\Alcohol Soft 2012-06-18 05:56 . 2012-06-18 05:56 560184 ----a-w- c:\windows\system32\drivers\sptd.sys . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-07-11 20:15 . 2012-04-01 02:39 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-07-11 20:15 . 2011-05-17 18:24 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-07-03 17:46 . 2011-08-16 00:17 24904 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-06-01 03:40 . 2012-06-01 03:41 39976 ----a-w- c:\windows\system32\drivers\btwl2cap.sys 2012-06-01 03:40 . 2012-06-01 03:41 210984 ----a-w- c:\windows\system32\drivers\btwavdt.sys 2012-06-01 03:40 . 2012-06-01 03:41 184872 ----a-w- c:\windows\system32\drivers\btwaudio.sys 2012-06-01 03:40 . 2010-12-15 06:20 594472 ----a-w- c:\windows\system32\drivers\btwampfl.sys 2012-06-01 03:40 . 2012-06-01 03:41 21544 ----a-w- c:\windows\system32\drivers\btwrchid.sys 2012-05-28 04:03 . 2012-05-28 04:03 119808 ----a-r- c:\users\Chris\AppData\Roaming\Microsoft\Installer\{CCF298AF-9CE1-4B26-B251-486E98A34789}\icons.exe 2012-05-04 11:06 . 2012-06-12 19:59 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-05-04 10:03 . 2012-06-12 19:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe 2012-05-04 10:03 . 2012-06-12 19:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe 2012-05-01 05:40 . 2012-06-12 19:59 209920 ----a-w- c:\windows\system32\profsvc.dll 2012-04-28 03:55 . 2012-06-12 19:59 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-04-26 05:41 . 2012-06-12 19:59 77312 ----a-w- c:\windows\system32\rdpwsx.dll 2012-04-26 05:41 . 2012-06-12 19:59 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll 2012-04-26 05:34 . 2012-06-12 19:59 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe 2012-04-24 05:37 . 2012-06-12 19:59 184320 ----a-w- c:\windows\system32\cryptsvc.dll 2012-04-24 05:37 . 2012-06-12 19:59 140288 ----a-w- c:\windows\system32\cryptnet.dll 2012-04-24 05:37 . 2012-06-12 19:59 1462272 ----a-w- c:\windows\system32\crypt32.dll 2012-04-24 04:36 . 2012-06-12 19:59 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll 2012-04-24 04:36 . 2012-06-12 19:59 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll 2012-04-24 04:36 . 2012-06-12 19:59 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll 2012-04-19 22:34 . 2012-06-11 22:34 66560 ----a-w- c:\windows\SysWow64\nlssrv32.exe 2006-05-03 18:06 163328 --sha-r- c:\windows\SysWOW64\flvDX.dll 2007-02-21 19:47 31232 --sha-r- c:\windows\SysWOW64\msfDX.dll 2008-03-16 21:30 216064 --sha-r- c:\windows\SysWOW64\nbDX.dll 2010-01-07 06:00 107520 --sha-r- c:\windows\SysWOW64\TAKDSDecoder.dll . . ((((((((((((((((((((((((((((( SnapShot@2012-07-14_17.16.11 ))))))))))))))))))))))))))))))))))))))))) . + 2010-07-19 20:30 . 2012-07-14 17:23 75232 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin + 2009-07-14 05:10 . 2012-07-14 17:23 36906 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin - 2011-01-05 19:47 . 2012-07-14 17:11 6570 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3163081078-1936475789-1318037429-1006_UserData.bin + 2011-01-05 19:47 . 2012-07-14 17:23 6570 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3163081078-1936475789-1318037429-1006_UserData.bin + 2010-07-19 20:28 . 2012-07-14 17:45 5457 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat - 2010-07-19 20:28 . 2012-07-14 17:09 5457 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat - 2012-07-14 17:15 . 2012-07-14 17:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat + 2012-07-14 17:46 . 2012-07-14 17:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat - 2009-07-14 02:36 . 2012-07-14 17:14 668892 c:\windows\system32\perfh009.dat + 2009-07-14 02:36 . 2012-07-14 17:25 668892 c:\windows\system32\perfh009.dat + 2009-07-14 02:36 . 2012-07-14 17:25 124658 c:\windows\system32\perfc009.dat - 2009-07-14 02:36 . 2012-07-14 17:14 124658 c:\windows\system32\perfc009.dat - 2009-07-14 05:01 . 2012-07-14 17:15 522756 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat + 2009-07-14 05:01 . 2012-07-14 17:45 522756 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat + 2010-12-15 07:31 . 2012-07-14 17:46 3428656 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat - 2010-12-15 07:31 . 2012-07-14 17:09 3428656 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat + 2011-01-05 15:08 . 2012-07-14 17:45 7471216 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3163081078-1936475789-1318037429-1006-8192.dat - 2011-01-05 15:08 . 2012-07-14 17:09 7471216 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3163081078-1936475789-1318037429-1006-8192.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1] @="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}" [HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}] 2012-07-13 13:39 220632 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2] @="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}" [HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}] 2012-07-13 13:39 220632 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3] @="{BBACC218-34EA-4666-9D7A-C78F2274A524}" [HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}] 2012-07-13 13:39 220632 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584] "ChmZoomer"="c:\program files (x86)\ChmZoomer\ChmZoomer.exe" [2010-08-13 962560] "OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-22 718720] "SkyDrive"="c:\users\Chris\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" [2012-07-13 238552] "AlcoholAutomount"="c:\program files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" [2012-01-05 75624] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696] "SmartWiHelper"="c:\program files (x86)\Sony\SmartWi Connection Utility\SmartWiHelper.exe" [2010-07-15 89080] "ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2010-06-01 673136] "PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2010-06-01 600928] "AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696] "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920] . c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ AccuWeather.lnk - c:\program files (x86)\AccuWeather.com Cirrus\AccuWeather.com Cirrus.exe [N/A] Dropbox.lnk - c:\users\Chris\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840] OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712] RT-Updater.lnk - c:\ross-tech\VCDS\VCDS.EXE [2012-3-28 933448] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2012-4-1 1390368] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) "DisableCAD"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "UseDefaultTile"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "mixer5"=wdmaud.drv . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli c:\program files\Protector Suite\psqlpwd.dll c:\program files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . R1 exxqttpf;exxqttpf;c:\windows\system32\drivers\exxqttpf.sys [x] R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x] R2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;c:\program files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe [2012-01-05 75624] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 DirMngr;DirMngr;c:\program files (x86)\GNU\GnuPG\dirmngr.exe [2011-03-02 224256] R2 MouseWithoutBordersSvc;Mouse without Borders Service;c:\program files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersSvc.exe [2011-08-31 17920] R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-05 160944] R2 WnsDrvr;WnsDrvr; [x] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 250056] R3 ALSysIO;ALSysIO;c:\users\Chris\AppData\Local\Temp\ALSysIO64.sys [x] R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560] R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-01-06 1038088] R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688] R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696] R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2010-06-22 86120] R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184] R3 RT-USB;Ross-Tech USB driver;c:\windows\system32\drivers\RT-USB64.SYS [2010-06-16 70984] R3 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2010-06-21 108400] R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2010-06-18 423280] R3 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2010-06-21 67952] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392] R3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgx64gps.sys [x] R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2010-06-09 537456] R3 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2010-06-09 384880] R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2010-06-09 101232] R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2010-11-20 16384] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-06 1255736] R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2011-08-05 306400] R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184] S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x] S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928] S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336] S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944] S2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\amd64\novacomd.exe [2011-03-15 71168] S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344] S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2010-06-01 367456] S2 rimspci;rimspci;c:\windows\system32\drivers\rimssne64.sys [2010-06-18 94208] S2 risdsnpe;risdsnpe;c:\windows\system32\drivers\risdsne64.sys [2010-07-12 78848] S2 RtkAudioService;Realtek Audio Service;c:\program files\Realtek\Audio\HDA\RtkAudioService64.exe [2010-06-18 190496] S2 uCamMonitor;CamMonitor;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2008-09-18 104960] S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-02-23 2320920] S2 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2010-06-22 575856] S2 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2010-06-17 851824] S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2009-05-26 19968] S3 BTHprint;Microsoft Bluetooth Printer Class;c:\windows\system32\DRIVERS\bthprint.sys [2009-07-14 67072] S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2012-06-01 594472] S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2012-06-01 39976] S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2010-03-08 294064] S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys [2009-09-17 56344] S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-06-18 151936] S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904] S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-05-31 7689216] S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2010-04-26 12032] S3 SpfService;VAIO Entertainment Common Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe [2010-06-07 304496] S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920] . . Contents of the 'Scheduled Tasks' folder . 2012-07-14 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 20:15] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1] @="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}" [HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}] 2012-07-13 13:39 244688 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2] @="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}" [HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}] 2012-07-13 13:39 244688 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3] @="{BBACC218-34EA-4666-9D7A-C78F2274A524}" [HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}] 2012-07-13 13:39 244688 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\HardLinkMenu] @="{0A479751-02BC-11d3-A855-0004AC2568AA}" [HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568AA}] 2012-05-27 19:50 522440 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHardLink] @="{0A479751-02BC-11d3-A855-0004AC2568DD}" [HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568DD}] 2012-05-27 19:50 522440 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlaySymbolicLink] @="{0A479751-02BC-11d3-A855-0004AC2568EE}" [HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568EE}] 2012-05-27 19:50 522440 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay] @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}" [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}] 2010-04-27 23:48 5947656 ----a-w- c:\program files\Protector Suite\farchns.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen] @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}" [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}] 2010-04-27 23:48 5947656 ----a-w- c:\program files\Protector Suite\farchns.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-22 166424] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-22 390680] "Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-22 410136] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-04 16414824] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-18 9962016] "vncutil"="c:\program files\Realtek\Audio\HDA\vncutil64.exe" [2010-06-18 475680] "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU] "PSQLLauncher"="c:\program files\Protector Suite\launcher.exe" [2010-04-27 84744] "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 660360] "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 163552] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168] . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm uStart Page = about:blank mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT mLocal Page = c:\windows\SysWOW64\blank.htm IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105 Trusted Zone: fordham.edu\tegrity.lawnet Trusted Zone: tulane.edu\libproxy Trusted Zone: tulane.edu\tegrity.caeph Trusted Zone: tulane.edu\tmedweb TCP: DhcpNameServer = 192.168.1.1 DPF: {54EABC7D-40DC-4667-8517-F42D00540342} - hxxp://tegrity.caeph.tulane.edu/tegrity/_Player/1.0/Code/DRMActiveX.CAB FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\ut2plr24.default\ FF - prefs.js: browser.startup.homepage - hxxp://xfinitytv.comcast.net/ FF - prefs.js: network.proxy.type - 0 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} FF - Ext: CHM Reader: {6e098d65-7d2d-46d4-ada0-2f882a29f795} - %profile%\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795} FF - Ext: Auto Reload: autoreload@yz.com - %profile%\extensions\autoreload@yz.com FF - Ext: Widevine Media Transformer Plugin: widevinemediatransformer@widevine - %profile%\extensions\widevinemediatransformer@widevine FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Chris\AppData\Roaming\Move Networks . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services] "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Other Running Processes ------------------------ . c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe c:\windows\SysWOW64\nlssrv32.exe c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE c:\program files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe c:\program files (x86)\Sony\VAIO Event Service\VESMgr.exe c:\windows\SysWOW64\DllHost.exe c:\program files (x86)\Sony\VAIO Event Service\VESMgrSub.exe . ************************************************************************** . Completion time: 2012-07-14 14:02:40 - machine was rebooted ComboFix-quarantined-files.txt 2012-07-14 18:02 ComboFix2.txt 2012-07-14 17:17 . Pre-Run: 49,908,682,752 bytes free Post-Run: 50,057,953,280 bytes free . - - End Of File - - C1EB6C445708D2FC411DDC75D6209B95
-
Here are the combofix log results: ComboFix 12-07-14.01 - Chris 07/14/2012 13:11:35.1.4 - x64 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3766.2616 [GMT -4:00] Running from: c:\users\Chris\Desktop\ComboFix.exe AV: Lavasoft Ad-Aware *Disabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800} AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6} FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B} SP: Lavasoft Ad-Aware *Disabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD} SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\program files (x86)\Isilo c:\program files (x86)\Isilo\iSilo\help\iSilo.chm c:\program files (x86)\Isilo\iSilo\iSilo.exe c:\program files (x86)\Isilo\iSilo\iSiloDisplaySample.pdb c:\program files (x86)\Isilo\iSilo\license.txt c:\program files (x86)\Isilo\iSilo\readme.txt c:\users\Chris\AppData\Local\assembly\tmp c:\users\Chris\Documents\~WRL0001.tmp c:\users\Chris\Documents\~WRL0003.tmp c:\users\Chris\Documents\~WRL0004.tmp c:\users\Chris\Documents\~WRL0005.tmp c:\users\Chris\Documents\~WRL0310.tmp c:\users\Chris\Documents\~WRL0461.tmp c:\users\Chris\Documents\~WRL1501.tmp c:\users\Chris\Documents\~WRL1541.tmp c:\users\Chris\Documents\~WRL1711.tmp c:\users\Chris\Documents\~WRL1999.tmp c:\users\Chris\Documents\~WRL2079.tmp c:\users\Chris\Documents\~WRL2238.tmp c:\users\Chris\Documents\~WRL2267.tmp c:\users\Chris\Documents\~WRL2510.tmp c:\users\Chris\Documents\~WRL3733.tmp c:\users\Chris\Documents\~WRL3802.tmp c:\users\Chris\Documents\~WRL3969.tmp c:\users\Chris\Documents\~WRL4025.tmp c:\windows\assembly\GAC_32\Desktop.ini c:\windows\assembly\GAC_64\Desktop.ini c:\windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\@ c:\windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\L\00000004.@ c:\windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\L\1afb2d56 c:\windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\L\201d3dde c:\windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\U\00000004.@ c:\windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\U\00000008.@ c:\windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\U\000000cb.@ c:\windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\U\80000000.@ c:\windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\U\80000032.@ c:\windows\Installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\U\80000064.@ . Infected copy of c:\windows\system32\services.exe was found and disinfected Restored copy from - c:\32788r22fwjfw\HarddiskVolumeShadowCopy5_!Windows!System32!services.exe . . ((((((((((((((((((((((((( Files Created from 2012-06-14 to 2012-07-14 ))))))))))))))))))))))))))))))) . . 2012-07-14 17:15 . 2012-07-14 17:15 -------- d-----w- c:\users\Mcx1-CHRIS-VAIO-Z\AppData\Local\temp 2012-07-14 17:15 . 2012-07-14 17:15 -------- d-----w- c:\users\HomeGroupUser$\AppData\Local\temp 2012-07-14 17:15 . 2012-07-14 17:15 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-07-14 17:15 . 2012-07-14 17:15 -------- d-----w- c:\users\boinc_master\AppData\Local\temp 2012-07-14 00:32 . 2012-07-14 00:32 -------- d-----w- c:\programdata\GFI Software 2012-07-13 23:41 . 2012-07-14 13:28 -------- d-----w- c:\users\Chris\AppData\Local\NPE 2012-07-13 23:19 . 2012-07-13 23:19 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware 2012-07-13 04:27 . 2012-07-13 04:27 -------- d-sh--w- c:\windows\SysWow64\%APPDATA% 2012-07-12 03:19 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys 2012-07-12 02:50 . 2012-07-12 02:50 -------- d-----w- c:\program files\CCleaner 2012-07-12 01:45 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{16708B18-09A5-485B-B1C3-96D0AD8A6E83}\mpengine.dll 2012-07-11 00:51 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-07-04 01:32 . 2012-02-12 05:19 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1F0811E6-558E-49CD-A62C-A2304026AD92}\gapaengine.dll 2012-06-27 01:42 . 2012-06-27 01:42 -------- d-----w- c:\windows\WPDeviceManager 2012-06-25 20:04 . 2012-06-25 20:04 1394248 ----a-w- c:\windows\SysWow64\msxml4.dll 2012-06-21 21:51 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll 2012-06-21 21:51 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-21 21:51 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-21 21:51 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll 2012-06-21 21:51 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll 2012-06-21 21:51 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll 2012-06-21 21:51 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll 2012-06-21 21:51 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-21 21:51 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe 2012-06-20 17:45 . 2012-06-20 17:45 -------- d-----w- C:\SkyDriveTemp 2012-06-18 05:58 . 2012-06-18 05:58 -------- d-----w- c:\program files (x86)\Alcohol Soft 2012-06-18 05:56 . 2012-06-18 05:56 560184 ----a-w- c:\windows\system32\drivers\sptd.sys . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-07-11 20:15 . 2012-04-01 02:39 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-07-11 20:15 . 2011-05-17 18:24 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-07-03 17:46 . 2011-08-16 00:17 24904 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-06-01 03:40 . 2012-06-01 03:41 39976 ----a-w- c:\windows\system32\drivers\btwl2cap.sys 2012-06-01 03:40 . 2012-06-01 03:41 210984 ----a-w- c:\windows\system32\drivers\btwavdt.sys 2012-06-01 03:40 . 2012-06-01 03:41 184872 ----a-w- c:\windows\system32\drivers\btwaudio.sys 2012-06-01 03:40 . 2010-12-15 06:20 594472 ----a-w- c:\windows\system32\drivers\btwampfl.sys 2012-06-01 03:40 . 2012-06-01 03:41 21544 ----a-w- c:\windows\system32\drivers\btwrchid.sys 2012-05-28 04:03 . 2012-05-28 04:03 119808 ----a-r- c:\users\Chris\AppData\Roaming\Microsoft\Installer\{CCF298AF-9CE1-4B26-B251-486E98A34789}\icons.exe 2012-05-04 11:06 . 2012-06-12 19:59 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-05-04 10:03 . 2012-06-12 19:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe 2012-05-04 10:03 . 2012-06-12 19:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe 2012-05-01 05:40 . 2012-06-12 19:59 209920 ----a-w- c:\windows\system32\profsvc.dll 2012-04-28 03:55 . 2012-06-12 19:59 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-04-26 05:41 . 2012-06-12 19:59 77312 ----a-w- c:\windows\system32\rdpwsx.dll 2012-04-26 05:41 . 2012-06-12 19:59 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll 2012-04-26 05:34 . 2012-06-12 19:59 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe 2012-04-24 05:37 . 2012-06-12 19:59 184320 ----a-w- c:\windows\system32\cryptsvc.dll 2012-04-24 05:37 . 2012-06-12 19:59 140288 ----a-w- c:\windows\system32\cryptnet.dll 2012-04-24 05:37 . 2012-06-12 19:59 1462272 ----a-w- c:\windows\system32\crypt32.dll 2012-04-24 04:36 . 2012-06-12 19:59 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll 2012-04-24 04:36 . 2012-06-12 19:59 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll 2012-04-24 04:36 . 2012-06-12 19:59 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll 2012-04-19 22:34 . 2012-06-11 22:34 66560 ----a-w- c:\windows\SysWow64\nlssrv32.exe 2006-05-03 18:06 163328 --sha-r- c:\windows\SysWOW64\flvDX.dll 2007-02-21 19:47 31232 --sha-r- c:\windows\SysWOW64\msfDX.dll 2008-03-16 21:30 216064 --sha-r- c:\windows\SysWOW64\nbDX.dll 2010-01-07 06:00 107520 --sha-r- c:\windows\SysWOW64\TAKDSDecoder.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1] @="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}" [HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}] 2012-07-13 13:39 220632 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2] @="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}" [HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}] 2012-07-13 13:39 220632 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3] @="{BBACC218-34EA-4666-9D7A-C78F2274A524}" [HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}] 2012-07-13 13:39 220632 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584] "ChmZoomer"="c:\program files (x86)\ChmZoomer\ChmZoomer.exe" [2010-08-13 962560] "OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-22 718720] "SkyDrive"="c:\users\Chris\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" [2012-07-13 238552] "AlcoholAutomount"="c:\program files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" [2012-01-05 75624] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696] "SmartWiHelper"="c:\program files (x86)\Sony\SmartWi Connection Utility\SmartWiHelper.exe" [2010-07-15 89080] "ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2010-06-01 673136] "PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2010-06-01 600928] "AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696] "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920] . c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ AccuWeather.lnk - c:\program files (x86)\AccuWeather.com Cirrus\AccuWeather.com Cirrus.exe [N/A] Dropbox.lnk - c:\users\Chris\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840] OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712] RT-Updater.lnk - c:\ross-tech\VCDS\VCDS.EXE [2012-3-28 933448] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2012-4-1 1390368] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) "DisableCAD"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "UseDefaultTile"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "mixer5"=wdmaud.drv . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli c:\program files\Protector Suite\psqlpwd.dll c:\program files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . R1 exxqttpf;exxqttpf;c:\windows\system32\drivers\exxqttpf.sys [x] R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x] R2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;c:\program files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe [2012-01-05 75624] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336] R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944] R2 MouseWithoutBordersSvc;Mouse without Borders Service;c:\program files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersSvc.exe [2011-08-31 17920] R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-02-23 2320920] R2 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2010-06-22 575856] R2 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2010-06-17 851824] R2 WnsDrvr;WnsDrvr; [x] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 250056] R3 ALSysIO;ALSysIO;c:\users\Chris\AppData\Local\Temp\ALSysIO64.sys [x] R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560] R3 BTHprint;Microsoft Bluetooth Printer Class;c:\windows\system32\DRIVERS\bthprint.sys [2009-07-14 67072] R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2012-06-01 594472] R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2012-06-01 39976] R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-01-06 1038088] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904] R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688] R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696] R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2010-06-22 86120] R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184] R3 RT-USB;Ross-Tech USB driver;c:\windows\system32\drivers\RT-USB64.SYS [2010-06-16 70984] R3 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2010-06-21 108400] R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2010-06-18 423280] R3 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2010-06-21 67952] R3 SpfService;VAIO Entertainment Common Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe [2010-06-07 304496] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392] R3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgx64gps.sys [x] R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2010-06-09 537456] R3 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2010-06-09 384880] R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2010-06-09 101232] R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2010-11-20 16384] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-06 1255736] R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2011-08-05 306400] R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184] S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x] S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928] S2 DirMngr;DirMngr;c:\program files (x86)\GNU\GnuPG\dirmngr.exe [2011-03-02 224256] S2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\amd64\novacomd.exe [2011-03-15 71168] S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344] S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2010-06-01 367456] S2 rimspci;rimspci;c:\windows\system32\drivers\rimssne64.sys [2010-06-18 94208] S2 risdsnpe;risdsnpe;c:\windows\system32\drivers\risdsne64.sys [2010-07-12 78848] S2 RtkAudioService;Realtek Audio Service;c:\program files\Realtek\Audio\HDA\RtkAudioService64.exe [2010-06-18 190496] S2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-05 160944] S2 uCamMonitor;CamMonitor;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2008-09-18 104960] S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2009-05-26 19968] S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2010-03-08 294064] S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys [2009-09-17 56344] S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-06-18 151936] S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-05-31 7689216] S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2010-04-26 12032] S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920] . . Contents of the 'Scheduled Tasks' folder . 2012-07-14 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 20:15] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1] @="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}" [HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}] 2012-07-13 13:39 244688 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2] @="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}" [HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}] 2012-07-13 13:39 244688 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3] @="{BBACC218-34EA-4666-9D7A-C78F2274A524}" [HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}] 2012-07-13 13:39 244688 ----a-w- c:\users\Chris\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Chris\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\HardLinkMenu] @="{0A479751-02BC-11d3-A855-0004AC2568AA}" [HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568AA}] 2012-05-27 19:50 522440 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHardLink] @="{0A479751-02BC-11d3-A855-0004AC2568DD}" [HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568DD}] 2012-05-27 19:50 522440 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlaySymbolicLink] @="{0A479751-02BC-11d3-A855-0004AC2568EE}" [HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568EE}] 2012-05-27 19:50 522440 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay] @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}" [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}] 2010-04-27 23:48 5947656 ----a-w- c:\program files\Protector Suite\farchns.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen] @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}" [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}] 2010-04-27 23:48 5947656 ----a-w- c:\program files\Protector Suite\farchns.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-22 166424] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-22 390680] "Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-22 410136] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-04 16414824] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-18 9962016] "vncutil"="c:\program files\Realtek\Audio\HDA\vncutil64.exe" [2010-06-18 475680] "PSQLLauncher"="c:\program files\Protector Suite\launcher.exe" [2010-04-27 84744] "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 660360] "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 163552] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "LoadAppInit_DLLs"=0x0 . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm uStart Page = about:blank mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT mLocal Page = c:\windows\SysWOW64\blank.htm IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105 Trusted Zone: fordham.edu\tegrity.lawnet Trusted Zone: tulane.edu\libproxy Trusted Zone: tulane.edu\tegrity.caeph Trusted Zone: tulane.edu\tmedweb DPF: {54EABC7D-40DC-4667-8517-F42D00540342} - hxxp://tegrity.caeph.tulane.edu/tegrity/_Player/1.0/Code/DRMActiveX.CAB FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\ut2plr24.default\ FF - prefs.js: browser.startup.homepage - hxxp://xfinitytv.comcast.net/ FF - prefs.js: network.proxy.type - 0 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} FF - Ext: CHM Reader: {6e098d65-7d2d-46d4-ada0-2f882a29f795} - %profile%\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795} FF - Ext: Auto Reload: autoreload@yz.com - %profile%\extensions\autoreload@yz.com FF - Ext: Widevine Media Transformer Plugin: widevinemediatransformer@widevine - %profile%\extensions\widevinemediatransformer@widevine FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Chris\AppData\Roaming\Move Networks . - - - - ORPHANS REMOVED - - - - . Wow6432Node-HKCU-Run-AdobeBridge - (no file) SafeBoot-MsMpSvc HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe AddRemove-Microsoft Visual Studio 2010 Express for Windows Phone - ENU - c:\program files (x86)\Microsoft Visual Studio 10.0\Microsoft Visual Studio 2010 Express for Windows Phone - ENU\setup.exe AddRemove-TextCrawler - c:\program files (x86)\TextCrawler2\uninst.exe AddRemove-{0131D7EF-65FF-478F-8ABD-5ABEE24EC8EF} - c:\programdata\{F77EE8EF-305B-4394-A018-C1A57D2D66B5}\VAIO Messenger Setup 2.0.291.0.exe . . . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc] "ImagePath"="." . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc] "ImagePath"="." . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services] "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Other Running Processes ------------------------ . c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe c:\windows\SysWOW64\nlssrv32.exe c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE c:\program files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe c:\program files (x86)\Sony\VAIO Event Service\VESMgr.exe c:\windows\SysWOW64\DllHost.exe c:\program files (x86)\Sony\VAIO Event Service\VESMgrSub.exe . ************************************************************************** . Completion time: 2012-07-14 13:17:54 - machine was rebooted ComboFix-quarantined-files.txt 2012-07-14 17:17 . Pre-Run: 50,001,154,048 bytes free Post-Run: 49,775,325,184 bytes free . - - End Of File - - A8FEDE07B5018C40B3E731C00079329C
-
It is the trial version (still within the trial period) *with realtime protection*. And yes, I'll definitely take your help as I don't have my installation discs to reformat the computer and won't have access to them for a month or two.
-
Also, should I automatically disable Maleware Anti-Bytes when following any of directions? I forgot to disable it as I ran rogueKiller.
-
Thanks for offering your time! Here's the log. RogueKiller V7.6.3 [07/08/2012] by Tigzy mail: tigzyRK<at>gmail<dot>com Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/ Blog: http://tigzyrk.blogspot.com Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version Started in : Normal mode User: Chris [Admin rights] Mode: Scan -- Date: 07/14/2012 12:30:47 ¤¤¤ Bad processes: 0 ¤¤¤ ¤¤¤ Registry Entries: 6 ¤¤¤ [sUSP PATH] HKCU\[...]\Run : SkyDrive ("C:\Users\Chris\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" /background) -> FOUND [sUSP PATH] HKUS\S-1-5-21-3163081078-1936475789-1318037429-1006[...]\Run : SkyDrive ("C:\Users\Chris\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" /background) -> FOUND [ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Chris\AppData\Local\{c8347dac-c04f-371f-2862-2c27f80a4694}\n.) -> FOUND [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ [ZeroAccess][FILE] @ : c:\windows\installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\@ --> FOUND [ZeroAccess][FOLDER] U : c:\windows\installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\U --> FOUND [ZeroAccess][FOLDER] L : c:\windows\installer\{c8347dac-c04f-371f-2862-2c27f80a4694}\L --> FOUND [ZeroAccess][FILE] @ : c:\users\chris\appdata\local\{c8347dac-c04f-371f-2862-2c27f80a4694}\@ --> FOUND [ZeroAccess][FOLDER] U : c:\users\chris\appdata\local\{c8347dac-c04f-371f-2862-2c27f80a4694}\U --> FOUND [ZeroAccess][FOLDER] L : c:\users\chris\appdata\local\{c8347dac-c04f-371f-2862-2c27f80a4694}\L --> FOUND [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND ¤¤¤ Driver: [NOT LOADED] ¤¤¤ ¤¤¤ Infection : ZeroAccess ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: Volume0 +++++ --- User --- [MBR] 617d3c715ac63a654f92f626b16eb325 [bSP] a9707318c43c5b2342c276b877c3e886 : Windows 7 MBR Code Partition table: 0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 11665 Mo 1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 23891968 | Size: 100 Mo 2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 24096768 | Size: 232437 Mo User = LL1 ... OK! Error reading LL2 MBR! Finished : << RKreport[1].txt >> RKreport[1].txt
-
Please help, I'm hoping to not have to perform a full reformat to fix this issue. I first noticed that my Google searches were being redirected a few weeks back, I cleaned this with MS Security Essentials, but the infection would return every so often, and finally the infection disabled MS Security Essentials. After trying a few other AV prodcuts, I installed MalewareBytes which reports a Trojan.Dropper.BCMiner, and every time it cleans the trojan, the trojan comes back. My Google searches are still being redirected, and every now and then I get a pop up. Attach.txt DDS.txt