Everything posted by azrancher

  1. OK did all this, re-ran ESET scanner, it found one more thing, I quarantined that, everything seems OK now. BUT what started all this was I cannot load Symantec SEP v 11.0.5002.333 that has been loaded on all my other computers (4), 3 running Windows 7 64, and one running Vista. It will not load and rolls back, and then gives you the pending changes screen if you try to load it again, wanting you to re-boot, but that makes no difference. Is there a location for experts on how to fix this problem, I've been all over Symantec's forum. Rancher
  2. ESETSmartInstaller@High as CAB hook log:
     OnlineScanner64.ocx - registred OK
     OnlineScanner.ocx - registred OK
     # version=7
     # iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
     # OnlineScanner.ocx=1.0.0.6583
     # api_version=3.0.2
     # EOSSerial=8bf021ef0783de4d8d7ef6fb7ae48340
     # end=finished
     # remove_checked=true
     # archives_checked=true
     # unwanted_checked=true
     # unsafe_checked=true
     # antistealth_checked=true
     # utc_time=2012-07-25 05:37:47
     # local_time=2012-07-25 10:37:47 (-0700, US Mountain Standard Time)
     # country="United States"
     # lang=1033
     # osver=6.1.7601 NT Service Pack 1
     # compatibility_mode=5893 16776573 100 94 0 94776530 0 0
     # compatibility_mode=8192 67108863 100 0 0 0 0 0
     # scanned=321531
     # found=22
     # cleaned=22
     # scan_time=4787
     C:\Program Files (x86)\FoxTabMP4Converter\MP4Converter.exe  a variant of Win32/InstallCore.A application (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbar.dll.vir  Win32/Toolbar.Zugo application (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Aqruoz\yhmoa.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Avriv\ylwe.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Byyx\axuf.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Efgag\enfiy.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Efusa\seyny.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Feyz\yxox.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Gahuuh\dyxo.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Kedieb\fyuzo.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Opnyz\qotai.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Qaup\biliu.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Ugocop\ezule.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Upkood\ohhi.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Uwpeu\akopz.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Vuiv\puqau.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Xinyym\ylat.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Ynor\ehqu.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Users\Rancher\AppData\Roaming\Zusy\caykx.exe.vir  a variant of Win32/Kryptik.AITE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Qoobox\Quarantine\C\Windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\80000032.@.vir  a variant of Win32/Sirefef.FD trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Users\Rancher\AppData\Local\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\80000000.@  Win64/Sirefef.AE trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\Users\Rancher\AppData\Local\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\80000064.@  Win64/Sirefef.AN trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C

     Results of screen317's Security Check version 0.99.43
     Windows 7 Service Pack 1 x64 (UAC is disabled!)
     Internet Explorer 9
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     WMI entry may not exist for antivirus; attempting automatic update.
     `````````Anti-malware/Other Utilities Check:`````````
     Malwarebytes Anti-Malware version 1.62.0.1300
     ExifCleaner 1.6
     Java 6 Update 21
     Java 6 Update 3
     Java version out of Date!
     Adobe Reader 9
     Adobe Reader out of Date!
     ````````Process Check: objlist.exe by Laurent````````
     Malwarebytes Anti-Malware mbamservice.exe
     Malwarebytes Anti-Malware mbamgui.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 0%
     ````````````````````End of Log``````````````````````
  3. Had an error window when using Combofix:

     Application has generated an exception that could not be handled
     Process ID=0xa74 (2676)
     Thread ID=0x87c (2172)

     But the log printed after I chose Cancel.

     Malwarebytes Anti-Malware (Trial) 1.62.0.1300
     http://www.malwarebytes.org/
     Database version: v2012.07.23.10
     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 9.0.8112.16421
     Rancher :: ROCKYCREEK-ST1 [administrator]
     Protection: Enabled
     7/23/2012 11:12:27 AM
     mbam-log-2012-07-23 (11-12-27).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 258656
     Time elapsed: 1 minute(s), 33 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 0
     (No malicious items detected)
     (end)

     ComboFix 12-07-24.01 - Rancher 07/23/2012 11:17:25.1.8 - x64
     Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12279.9002 [GMT -7:00]
     Running from: c:\users\Rancher\Downloads\ComboFix.exe
     SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\program files (x86)\Search Toolbar
     c:\program files (x86)\Search Toolbar\icon.ico
     c:\program files (x86)\Search Toolbar\SearchToolbar.dll
     c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
     c:\program files (x86)\Search Toolbar\SearchToolbarUpdater.exe
     c:\users\Rancher\AppData\Roaming\Adoruk
     c:\users\Rancher\AppData\Roaming\Adoruk\laqo.cye
     c:\users\Rancher\AppData\Roaming\Afviad
     c:\users\Rancher\AppData\Roaming\Afviad\ihnyi.iho
     c:\users\Rancher\AppData\Roaming\Anqu
     c:\users\Rancher\AppData\Roaming\Anqu\aqid.etw
     c:\users\Rancher\AppData\Roaming\Aqruoz
     c:\users\Rancher\AppData\Roaming\Aqruoz\yhmoa.exe
     c:\users\Rancher\AppData\Roaming\Aspis
     c:\users\Rancher\AppData\Roaming\Aspis\duolu.sey
     c:\users\Rancher\AppData\Roaming\Avriv
     c:\users\Rancher\AppData\Roaming\Avriv\ylwe.exe
     c:\users\Rancher\AppData\Roaming\Avze
     c:\users\Rancher\AppData\Roaming\Avze\fied.epb
     c:\users\Rancher\AppData\Roaming\Baygor
     c:\users\Rancher\AppData\Roaming\Baygor\agem.hyy
     c:\users\Rancher\AppData\Roaming\Byxi
     c:\users\Rancher\AppData\Roaming\Byxi\ahnuu.nai
     c:\users\Rancher\AppData\Roaming\Byyx
     c:\users\Rancher\AppData\Roaming\Byyx\axuf.exe
     c:\users\Rancher\AppData\Roaming\Cucew
     c:\users\Rancher\AppData\Roaming\Cucew\opnoi.kei
     c:\users\Rancher\AppData\Roaming\Ebzail
     c:\users\Rancher\AppData\Roaming\Ebzail\lues.ahi
     c:\users\Rancher\AppData\Roaming\Efgag
     c:\users\Rancher\AppData\Roaming\Efgag\enfiy.exe
     c:\users\Rancher\AppData\Roaming\Efusa
     c:\users\Rancher\AppData\Roaming\Efusa\seyny.exe
     c:\users\Rancher\AppData\Roaming\Feyz
     c:\users\Rancher\AppData\Roaming\Feyz\yxox.exe
     c:\users\Rancher\AppData\Roaming\Fygec
     c:\users\Rancher\AppData\Roaming\Fygec\cafun.ubw
     c:\users\Rancher\AppData\Roaming\Gahuuh
     c:\users\Rancher\AppData\Roaming\Gahuuh\dyxo.exe
     c:\users\Rancher\AppData\Roaming\Haob
     c:\users\Rancher\AppData\Roaming\Haob\yhyzu.uri
     c:\users\Rancher\AppData\Roaming\Icka
     c:\users\Rancher\AppData\Roaming\Icka\apino.oga
     c:\users\Rancher\AppData\Roaming\Isnyad
     c:\users\Rancher\AppData\Roaming\Isnyad\uvkea.bai
     c:\users\Rancher\AppData\Roaming\Kapau
     c:\users\Rancher\AppData\Roaming\Kapau\gazo.fuy
     c:\users\Rancher\AppData\Roaming\Kedieb
     c:\users\Rancher\AppData\Roaming\Kedieb\fyuzo.exe
     c:\users\Rancher\AppData\Roaming\Kuuhxo
     c:\users\Rancher\AppData\Roaming\Kuuhxo\caik.dio
     c:\users\Rancher\AppData\Roaming\Microsoft\~DFK5c9cc74a.tmp
     c:\users\Rancher\AppData\Roaming\Microsoft\1eaadjc.dll
     c:\users\Rancher\AppData\Roaming\Microsoft\bass.dll
     c:\users\Rancher\AppData\Roaming\Microsoft\engine_vx.dll
     c:\users\Rancher\AppData\Roaming\Microsoft\peaadje.dll
     c:\users\Rancher\AppData\Roaming\Microsoft\qwadjb.dll
     c:\users\Rancher\AppData\Roaming\Microsoft\rsaadjd.dll
     c:\users\Rancher\AppData\Roaming\Miva
     c:\users\Rancher\AppData\Roaming\Miva\etyb.hic
     c:\users\Rancher\AppData\Roaming\Myif
     c:\users\Rancher\AppData\Roaming\Myif\axcav.aqd
     c:\users\Rancher\AppData\Roaming\Nava
     c:\users\Rancher\AppData\Roaming\Nava\yhsa.omd
     c:\users\Rancher\AppData\Roaming\Noutr
     c:\users\Rancher\AppData\Roaming\Noutr\veugl.sif
     c:\users\Rancher\AppData\Roaming\Opnyz
     c:\users\Rancher\AppData\Roaming\Opnyz\qotai.exe
     c:\users\Rancher\AppData\Roaming\Ovby
     c:\users\Rancher\AppData\Roaming\Ovby\gyxu.kiy
     c:\users\Rancher\AppData\Roaming\Oxnu
     c:\users\Rancher\AppData\Roaming\Oxnu\imivs.puy
     c:\users\Rancher\AppData\Roaming\Paiki
     c:\users\Rancher\AppData\Roaming\Paiki\naahr.hav
     c:\users\Rancher\AppData\Roaming\Pieklu
     c:\users\Rancher\AppData\Roaming\Pieklu\obek.esx
     c:\users\Rancher\AppData\Roaming\Qaup
     c:\users\Rancher\AppData\Roaming\Qaup\biliu.exe
     c:\users\Rancher\AppData\Roaming\Qenyav
     c:\users\Rancher\AppData\Roaming\Qenyav\zeyp.itw
     c:\users\Rancher\AppData\Roaming\Qoict
     c:\users\Rancher\AppData\Roaming\Qoict\hibav.cef
     c:\users\Rancher\AppData\Roaming\Qutyox
     c:\users\Rancher\AppData\Roaming\Qutyox\ofhyb.ila
     c:\users\Rancher\AppData\Roaming\Ucgao
     c:\users\Rancher\AppData\Roaming\Ucgao\simur.wer
     c:\users\Rancher\AppData\Roaming\Ugocop
     c:\users\Rancher\AppData\Roaming\Ugocop\ezule.exe
     c:\users\Rancher\AppData\Roaming\Upkood
     c:\users\Rancher\AppData\Roaming\Upkood\ohhi.exe
     c:\users\Rancher\AppData\Roaming\Uqxowa
     c:\users\Rancher\AppData\Roaming\Uqxowa\seci.uro
     c:\users\Rancher\AppData\Roaming\Uwpeu
     c:\users\Rancher\AppData\Roaming\Uwpeu\akopz.exe
     c:\users\Rancher\AppData\Roaming\Vuiv
     c:\users\Rancher\AppData\Roaming\Vuiv\puqau.exe
     c:\users\Rancher\AppData\Roaming\Xakiy
     c:\users\Rancher\AppData\Roaming\Xakiy\emahe.eqg
     c:\users\Rancher\AppData\Roaming\Xinyym
     c:\users\Rancher\AppData\Roaming\Xinyym\ylat.exe
     c:\users\Rancher\AppData\Roaming\Yltuo
     c:\users\Rancher\AppData\Roaming\Yltuo\elrif.huu
     c:\users\Rancher\AppData\Roaming\Ymbe
     c:\users\Rancher\AppData\Roaming\Ymbe\buot.arq
     c:\users\Rancher\AppData\Roaming\Ynor
     c:\users\Rancher\AppData\Roaming\Ynor\ehqu.exe
     c:\users\Rancher\AppData\Roaming\Zusy
     c:\users\Rancher\AppData\Roaming\Zusy\caykx.exe
     c:\users\Rancher\AppData\Roaming\Zytyob
     c:\users\Rancher\AppData\Roaming\Zytyob\ucozh.sud
     c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\@
     c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\L\00000004.@
     c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\L\1afb2d56
     c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\L\201d3dde
     c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\00000004.@
     c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\000000cb.@
     c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\80000000.@
     c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\80000032.@
     c:\windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\80000064.@
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     -------\Legacy_KXESCORE
     .
     .
     ((((((((((((((((((((((((( Files Created from 2012-06-23 to 2012-07-23 )))))))))))))))))))))))))))))))
     .
     .
     2012-07-23 18:24 . 2012-07-23 18:24 -------- d-----w- c:\users\Terri\AppData\Local\temp
     2012-07-23 18:24 . 2012-07-23 18:24 -------- d-----w- c:\users\Default\AppData\Local\temp
     2012-07-23 18:24 . 2012-07-23 18:24 -------- d-----w- c:\users\_ocster_backup_\AppData\Local\temp
     2012-07-21 21:39 . 2012-07-21 21:39 -------- d-----w- c:\programdata\Malwarebytes
     2012-07-21 21:39 . 2012-07-03 20:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
     2012-07-21 21:39 . 2012-07-21 22:49 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
     2012-07-21 19:21 . 2012-07-21 22:38 -------- d-----w- c:\programdata\PLAV
     2012-07-21 19:20 . 2012-07-21 19:20 -------- d-----w- c:\programdata\ParetoLogic Anti-Virus PLUS
     2012-07-20 22:24 . 2012-07-20 22:24 -------- d-----w- c:\windows\system32\SPReview
     2012-07-20 22:23 . 2012-07-20 22:23 -------- d-----w- c:\windows\system32\EventProviders
     2012-07-19 16:45 . 2012-07-19 16:45 -------- d-----w- C:\DD-WRT bin
     2012-07-19 16:44 . 2012-07-19 16:44 -------- d-----w- C:\App Remover
     2012-07-18 17:27 . 2012-07-18 17:28 -------- d-----w- C:\SEP
     2012-07-18 15:13 . 2012-07-21 21:39 -------- d-----w- c:\users\Rancher\AppData\Roaming\Malwarebytes
     2012-07-18 02:16 . 2012-07-18 02:16 -------- d-----w- c:\users\Rancher\AppData\Local\Threat Expert
     2012-07-18 01:43 . 2007-03-22 03:33 348160 ----a-w- c:\windows\SysWow64\MSVCR71.DLL
     2012-07-17 21:49 . 2012-07-18 21:47 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
     2012-07-17 21:49 . 2012-05-11 18:14 251528 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
     2012-07-17 21:47 . 2012-07-18 21:46 -------- d-----w- c:\programdata\PC Tools
     2012-07-17 21:47 . 2012-07-17 21:47 -------- d-----w- c:\users\Rancher\AppData\Roaming\TestApp
     2012-07-17 21:19 . 2012-07-18 14:16 -------- d--h--w- c:\users\Rancher\AppData\Roaming\815267D4
     2012-07-17 20:18 . 2012-07-17 20:18 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
     2012-07-17 17:43 . 2012-07-17 17:43 -------- d-----w- c:\users\Rancher\AppData\Roaming\Pieg
     2012-07-17 17:43 . 2012-07-23 13:33 -------- d-----w- c:\users\Rancher\AppData\Roaming\Mutumo
     2012-07-17 12:41 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{270AE8F7-E834-4856-B201-9C7975642BD6}\mpengine.dll
     2012-07-11 10:05 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
     2012-07-11 06:58 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll
     2012-07-11 06:53 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
     2012-07-11 06:53 . 2012-06-06 06:05 61440 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
     2012-07-11 06:53 . 2012-06-06 06:05 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
     2012-07-11 06:53 . 2012-06-06 06:05 1499136 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
     2012-07-11 06:53 . 2012-06-06 06:05 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
     2012-07-11 06:53 . 2012-06-06 06:02 1133568 ----a-w- c:\windows\system32\cdosys.dll
     2012-07-11 06:53 . 2012-06-06 05:05 143360 ----a-w- c:\program files (x86)\Common Files\System\ado\msjro.dll
     2012-07-11 06:53 . 2012-06-06 05:05 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll
     2012-07-11 06:53 . 2012-06-06 05:05 57344 ----a-w- c:\program files (x86)\Common Files\System\ado\msador15.dll
     2012-07-11 06:53 . 2012-06-06 05:05 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
     2012-07-11 06:53 . 2012-06-06 05:05 212992 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll
     2012-07-11 06:53 . 2012-06-06 05:05 1019904 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
     2012-07-11 06:53 . 2012-06-06 05:03 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
     2012-07-01 17:13 . 2012-07-01 17:13 -------- d-----w- c:\users\Rancher\AppData\Local\MetaGeek,_LLC
     2012-07-01 17:06 . 2012-07-01 17:06 -------- d-----w- c:\program files (x86)\MetaGeek
     2012-07-01 16:54 . 2012-07-01 16:54 -------- d-----w- c:\programdata\Oberon Media
     2012-07-01 16:54 . 2012-07-01 16:54 -------- d-----w- c:\program files (x86)\Oberon Media
     2012-07-01 16:54 . 2012-07-01 16:54 -------- d-----w- c:\users\Rancher\AppData\Roaming\Oberon Media
     2012-07-01 16:54 . 2012-07-01 16:54 -------- d-----w- c:\programdata\GamesBar
     2012-07-01 16:54 . 2012-07-01 16:54 -------- d-----w- c:\program files (x86)\GamesBar
     2012-07-01 16:54 . 2012-07-01 16:54 -------- d-----w- c:\program files (x86)\Common Files\Oberon Media
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2012-07-20 22:35 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
     2012-07-20 22:35 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
     2012-07-11 10:02 . 2010-04-07 23:52 59701280 ----a-w- c:\windows\system32\MRT.exe
     2012-06-02 22:19 . 2012-06-22 18:49 38424 ----a-w- c:\windows\system32\wups.dll
     2012-06-02 22:19 . 2012-06-22 18:50 2428952 ----a-w- c:\windows\system32\wuaueng.dll
     2012-06-02 22:19 . 2012-06-22 18:50 57880 ----a-w- c:\windows\system32\wuauclt.exe
     2012-06-02 22:19 . 2012-06-22 18:50 44056 ----a-w- c:\windows\system32\wups2.dll
     2012-06-02 22:19 . 2012-06-22 18:49 186752 ----a-w- c:\windows\system32\wuwebv.dll
     2012-06-02 22:19 . 2012-06-22 18:49 701976 ----a-w- c:\windows\system32\wuapi.dll
     2012-06-02 22:15 . 2012-06-22 18:50 2622464 ----a-w- c:\windows\system32\wucltux.dll
     2012-06-02 22:15 . 2012-06-22 18:49 36864 ----a-w- c:\windows\system32\wuapp.exe
     2012-06-02 22:15 . 2012-06-22 18:49 99840 ----a-w- c:\windows\system32\wudriver.dll
     2012-05-31 19:25 . 2010-04-02 00:54 279656 ------w- c:\windows\system32\MpSigStub.exe
     2012-05-04 11:06 . 2012-06-13 01:19 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
     2012-05-04 10:03 . 2012-06-13 01:19 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
     2012-05-04 10:03 . 2012-06-13 01:19 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
     2012-05-01 05:40 . 2012-06-13 01:20 209920 ----a-w- c:\windows\system32\profsvc.dll
     2012-04-28 03:55 . 2012-06-13 01:16 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
     2012-04-26 05:41 . 2012-06-13 01:25 77312 ----a-w- c:\windows\system32\rdpwsx.dll
     2012-04-26 05:41 . 2012-06-13 01:25 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
     2012-04-26 05:34 . 2012-06-13 01:25 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "wLite"="c:\program files (x86)\wLite\wLite.exe" [2010-05-02 5611520]
     "Messenger (Yahoo!)"="c:\progra~2\Yahoo!\MESSEN~1\YahooMessenger.exe" [2011-08-22 6276408]
     "SearchEngineProtection"="c:\program files (x86)\Gamesbar\SearchEngineProtection.exe" [2011-03-03 591248]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
     "IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
     "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
     "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
     "TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2010-10-29 274608]
     "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
     .
     c:\users\Rancher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
     DeskPins.lnk - c:\program files (x86)\DeskPins\DeskPins.exe [2004-5-2 62464]
     .
     c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
     McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
     "ConsentPromptBehaviorAdmin"= 0 (0x0)
     "ConsentPromptBehaviorUser"= 3 (0x3)
     "EnableLUA"= 0 (0x0)
     "EnableUIADesktopToggle"= 0 (0x0)
     "PromptOnSecureDesktop"= 0 (0x0)
     .
     R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
     R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]
     R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]
     R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
     R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
     R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-09 1255736]
     R3 wxpSvc;webcamXP Service;c:\program files (x86)\wLite\wService.exe [2010-05-02 5027328]
     S0 hotcore3;hc3ServiceName;c:\windows\system32\DRIVERS\hotcore3.sys [2010-09-15 37392]
     S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
     S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
     S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
     S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344]
     S2 ocster_backup;Ocster Backup;c:\program files\Ocster Backup\bin\backupService-ox.exe [2011-05-19 21272]
     S2 Splunkd;Splunkd;c:\program files\Splunk\bin\splunkd.exe service [x]
     S2 Splunkweb;Splunkweb;c:\program files\Splunk\bin\splunkweb.exe [2011-07-14 21824]
     S2 ZentimoService;Zentimo Assistant;c:\program files (x86)\Zentimo\ZentimoService.exe [2011-12-10 555844]
     S3 Apowersoft_AudioDevice;Apowersoft_AudioDevice;c:\windows\system32\drivers\Apowersoft_AudioDevice.sys [2010-12-24 29288]
     S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
     S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [2010-12-03 31744]
     S3 splunkdrv-win6;splunkdrv-win6;c:\program files\Splunk\bin\splunkdrv-win6.sys [2011-07-14 37752]
     S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
     .
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2012-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 20:38]
     .
     2012-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 20:38]
     .
     .
     --------- X64 Entries -----------
     .
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "combofix"="c:\combofix\CF27112.3XE" [2010-11-20 345088]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
     "LoadAppInit_DLLs"=0x0
     .
     ------- Supplementary Scan -------
     .
     uLocal Page = c:\windows\system32\blank.htm
     uStart Page = about:blank
     mLocal Page = c:\windows\system32\blank.htm
     Trusted Zone: intuit.com\ttlc
     TCP: Interfaces\{8CFE23FE-29C0-4597-B93A-FDE8449C99AB}: NameServer = 64.68.248.10,64.68.252.10
     DPF: {8D59819B-2067-4A6B-84F4-7F84570E3C30} - hxxp://192.168.1.52/img/LinksysMLViewer.cab
     DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.51/xplugLiteDL.cab
     .
     - - - - ORPHANS REMOVED - - - -
     .
     Toolbar-Locked - (no file)
     Wow6432Node-HKCU-Run-fsm - (no file)
     Wow6432Node-HKCU-Run-Unoselhic - c:\users\Rancher\AppData\Roaming\Aqruoz\yhmoa.exe
     Wow6432Node-HKLM-Run-SunJavaUpdateSched - c:\program files (x86)\Java\jre6\bin\jusched.exe
     WebBrowser-{B80F591E-FE9A-46CF-A13E-180377240586} - (no file)
     AddRemove-Easy Watermark Studio2.1 - c:\program files (x86)\Easy Watermark Studio\Uninstall\uninstall.exe
     AddRemove-Search Toolbar - c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
     AddRemove-wLite - c:\program files (x86)\wLite\wl-uninst.exe
     .
     .
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wxpSvc]
     "ImagePath"="c:\program files (x86)\wLite\wService.exe /startedbyscm:5053B757-40E35B3B-webcamSRV"
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
     @Denied: (A 2) (Everyone)
     @="Shockwave Flash Object"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
     "ThreadingModel"="Apartment"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
     @="0"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
     @="ShockwaveFlash.ShockwaveFlash.10"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
     @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
     @="1.0"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
     @="ShockwaveFlash.ShockwaveFlash"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
     @Denied: (A 2) (Everyone)
     @="Macromedia Flash Factory Object"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
     "ThreadingModel"="Apartment"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
     @="FlashFactory.FlashFactory.1"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
     @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
     @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
     @="1.0"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
     @="FlashFactory.FlashFactory"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
     @Denied: (Full) (Everyone)
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
     c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
     c:\program files (x86)\Full Uninstall\FullUninstallAgent.exe
     .
     **************************************************************************
     .
     Completion time: 2012-07-23 11:40:25 - machine was rebooted
     ComboFix-quarantined-files.txt 2012-07-23 18:40
     .
     Pre-Run: 78,291,451,904 bytes free
     Post-Run: 79,412,862,976 bytes free
     .
     - - End Of File - - 538009FFBCB5B3CEC8A3873F423781F8

     .
     DDS (Ver_2011-08-26.01) - NTFSAMD64
     Internet Explorer: 9.0.8112.16421
     Run by Rancher at 12:06:45 on 2012-07-23
     Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12279.10315 [GMT -7:00]
     .
     SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     .
     ============== Running Processes ===============
     .
     C:\Windows\system32\wininit.exe
     C:\Windows\system32\lsm.exe
     C:\Windows\system32\svchost.exe -k DcomLaunch
     C:\Program Files (x86)\Zentimo\ZentimoService.exe
     C:\Windows\system32\svchost.exe -k RPCSS
     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
     C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
     C:\Windows\system32\svchost.exe -k netsvcs
     C:\Windows\system32\svchost.exe -k LocalService
     C:\Windows\system32\svchost.exe -k NetworkService
     C:\Windows\System32\spoolsv.exe
     C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
     C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
     c:\Program Files\Ocster Backup\bin\backupService-ox.exe
     C:\Program Files\Splunk\bin\splunkd.exe
     C:\Windows\system32\conhost.exe
     C:\Program Files\Splunk\bin\splunkweb.exe
     c:\Program Files\Ocster Backup\bin\oxHelper.exe
     C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
     C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
     C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
     C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
     C:\Program Files\Windows Media Player\wmpnetwk.exe
     C:\Windows\system32\SearchIndexer.exe
     C:\Windows\system32\Dwm.exe
     C:\Windows\Explorer.EXE
     C:\Windows\system32\taskhost.exe
     C:\Windows\system32\taskeng.exe
     C:\Program Files (x86)\Full Uninstall\FullUninstallAgent.exe
     C:\Program Files (x86)\GamesBar\SearchEngineProtection.exe
     C:\Program Files (x86)\DeskPins\DeskPins.exe
     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
     C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
     C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
     C:\Windows\system32\wbem\unsecapp.exe
     C:\Program Files (x86)\Internet Explorer\iexplore.exe
     C:\Program Files (x86)\Internet Explorer\iexplore.exe
     C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {B80F591E-FE9A-46CF-A13E-180377240586} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [wLite] "C:\Program Files (x86)\wLite\wLite.exe" -auto
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
uRun: [searchEngineProtection] C:\Program Files (x86)\Gamesbar\SearchEngineProtection.exe
mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\Users\Rancher\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DeskPins.lnk - C:\Program Files (x86)\DeskPins\DeskPins.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AUTORU~1\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8D59819B-2067-4A6B-84F4-7F84570E3C30} - hxxp://192.168.1.52/img/LinksysMLViewer.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.51/xplugLiteDL.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{8CFE23FE-29C0-4597-B93A-FDE8449C99AB} : NameServer = 64.68.248.10,64.68.252.10
TCP: Interfaces\{8CFE23FE-29C0-4597-B93A-FDE8449C99AB}\25F434B49534255454B4 : DhcpNameServer = 64.68.248.10 64.68.252.10 64.68.244.250
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
BHO-X64: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {B80F591E-FE9A-46CF-A13E-180377240586} - No File
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;hc3ServiceName;C:\Windows\system32\DRIVERS\hotcore3.sys --> C:\Windows\system32\DRIVERS\hotcore3.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-4-1 13336]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-21 655944]
R2 ocster_backup;Ocster Backup;C:\Program Files\Ocster Backup\bin\backupService-ox.exe [2011-5-18 21272]
R2 Splunkd;Splunkd;C:\Program Files\Splunk\bin\splunkd.exe [2011-7-14 23355200]
R2 Splunkweb;Splunkweb;C:\Program Files\Splunk\bin\splunkweb.exe [2011-7-14 21824]
R2 ZentimoService;Zentimo Assistant;C:\Program Files (x86)\Zentimo\ZentimoService.exe [2011-12-12 555844]
R3 Apowersoft_AudioDevice;Apowersoft_AudioDevice;C:\Windows\system32\drivers\Apowersoft_AudioDevice.sys --> C:\Windows\system32\drivers\Apowersoft_AudioDevice.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys --> C:\Windows\system32\Drivers\nx6000.sys [?]
R3 splunkdrv-win6;splunkdrv-win6;C:\Program Files\Splunk\bin\splunkdrv-win6.sys [2011-7-14 37752]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 wxpSvc;webcamXP Service;C:\Program Files (x86)\wLite\wService.exe [2010-5-2 5027328]
.
=============== Created Last 30 ================
.
2012-07-23 18:15:50 98816 ----a-w- C:\Windows\sed.exe
2012-07-23 18:15:50 518144 ----a-w- C:\Windows\SWREG.exe
2012-07-23 18:15:50 256000 ----a-w- C:\Windows\PEV.exe
2012-07-23 18:15:50 208896 ----a-w- C:\Windows\MBR.exe
2012-07-21 21:39:04 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-07-21 21:39:04 -------- d-----w- C:\ProgramData\Malwarebytes
2012-07-21 21:39:03 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-21 19:21:56 -------- d-----w- C:\ProgramData\PLAV
2012-07-21 19:20:24 -------- d-----w- C:\ProgramData\ParetoLogic Anti-Virus PLUS
2012-07-20 22:24:25 -------- d-----w- C:\Windows\System32\SPReview
2012-07-20 22:23:16 -------- d-----w- C:\Windows\System32\EventProviders
2012-07-19 16:45:08 -------- d-----w- C:\DD-WRT bin
2012-07-19 16:44:14 -------- d-----w- C:\App Remover
2012-07-18 17:27:58 -------- d-----w- C:\SEP
2012-07-18 15:13:01 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Malwarebytes
2012-07-18 02:16:54 -------- d-----w- C:\Users\Rancher\AppData\Local\Threat Expert
2012-07-18 01:43:28 348160 ----a-w- C:\Windows\SysWow64\MSVCR71.DLL
2012-07-17 21:49:46 251528 ----a-w- C:\Windows\System32\drivers\PCTSD64.sys
2012-07-17 21:49:46 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2012-07-17 21:47:29 -------- d-----w- C:\ProgramData\PC Tools
2012-07-17 21:47:28 -------- d-----w- C:\Users\Rancher\AppData\Roaming\TestApp
2012-07-17 21:19:42 -------- d--h--w- C:\Users\Rancher\AppData\Roaming\815267D4
2012-07-17 20:18:05 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-07-17 17:43:43 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Pieg
2012-07-17 17:43:42 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Mutumo
2012-07-17 12:41:03 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{270AE8F7-E834-4856-B201-9C7975642BD6}\mpengine.dll
2012-07-11 10:05:02 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-11 06:58:37 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-07-11 06:53:20 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-07-11 06:53:20 61440 ----a-w- C:\Program Files\Common Files\System\ado\msador15.dll
2012-07-11 06:53:20 57344 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msador15.dll
2012-07-11 06:53:20 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
2012-07-11 06:53:20 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
2012-07-11 06:53:20 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll
2012-07-11 06:53:20 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
2012-07-11 06:53:20 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
2012-07-11 06:53:20 212992 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll
2012-07-11 06:53:20 1499136 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2012-07-11 06:53:20 143360 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msjro.dll
2012-07-11 06:53:20 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-07-11 06:53:20 1019904 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2012-07-01 17:13:26 -------- d-----w- C:\Users\Rancher\AppData\Local\MetaGeek,_LLC
2012-07-01 17:06:13 -------- d-----w- C:\Program Files (x86)\MetaGeek
2012-07-01 16:54:56 -------- d-----w- C:\ProgramData\Oberon Media
2012-07-01 16:54:56 -------- d-----w- C:\Program Files (x86)\Oberon Media
2012-07-01 16:54:50 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Oberon Media
2012-07-01 16:54:50 -------- d-----w- C:\ProgramData\GamesBar
2012-07-01 16:54:47 -------- d-----w- C:\Program Files (x86)\GamesBar
2012-07-01 16:54:47 -------- d-----w- C:\Program Files (x86)\Common Files\Oberon Media
.
==================== Find3M ====================
.
2012-07-20 22:35:11 175616 ----a-w- C:\Windows\System32\msclmd.dll
2012-07-20 22:35:11 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-05-31 19:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-05-01 05:40:20 209920 ----a-w- C:\Windows\System32\profsvc.dll
2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
.
============= FINISH: 12:07:03.93 ===============
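Editor's note, added between the posts: the "Pseudo HJT Report" section of a DDS log is where a removal helper looks first. The script below is an added example (not part of azrancher's post and not code from the DDS tool) that does that first pass in Python over lines taken from the DDS reports in this thread: it flags autorun entries whose target lives in a user-writable profile directory, mPolicies-system values at their weakest UAC setting, a statically configured NameServer, and orphaned "No File" entries. Which values count as weak, and the severity tiers, are this example's own assumptions rather than anything DDS itself grades.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; it is not part of the original post and is not
code from the DDS tool. The grading rules below are this example's own
assumptions, not DDS output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    line: str      # the report line that triggered the finding
    reason: str


# mPolicies-system values as DDS prints them, paired with the value that
# weakens UAC. Assumption: these three are the ones worth an immediate flag.
WEAK_UAC = {
    "EnableLUA": "0",                   # UAC switched off entirely
    "ConsentPromptBehaviorAdmin": "0",  # elevate without prompting
    "PromptOnSecureDesktop": "0",       # prompts not isolated from the user desktop
}

RUN_KINDS = {"uRun", "mRun", "uRun-x64", "mRun-x64", "StartupFolder"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}

POLICY = re.compile(r"^mPolicies-system: (\w+) = (\d+)")
ENTRY = re.compile(r"^([A-Za-z]+(?:-[Xx]64)?): (.*)$")
# First Windows path ending in an executable-looking extension, quoted or not.
EXE_PATH = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|scr|cmd|bat))"?', re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def triage(report: str) -> list[Finding]:
    """Return one Finding per suspicious report line, most severe first."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        policy = POLICY.match(line)
        if policy:
            key, value = policy.groups()
            if WEAK_UAC.get(key) == value:
                findings.append(Finding("high", line, f"UAC weakened: {key}={value}"))
            continue
        entry = ENTRY.match(line)
        if not entry:
            continue
        kind, rest = entry.groups()
        if rest.endswith("- No File"):
            findings.append(Finding("info", line, "orphaned entry, no file on disk; safe to remove"))
        elif kind in RUN_KINDS:
            # StartupFolder lines read "<shortcut> - <target>"; grade the target, not the .lnk.
            target = rest.split(" - ", 1)[-1] if kind == "StartupFolder" else rest
            path = EXE_PATH.search(target)
            if path and USER_WRITABLE.search(path.group(1)):
                findings.append(Finding("high", line,
                                        f"autorun from user-writable profile directory: {path.group(1)}"))
        elif kind == "TCP" and "NameServer =" in rest:
            findings.append(Finding("medium", line,
                                    "static DNS servers set; confirm they belong to the ISP or router "
                                    "before trusting name resolution"))
    # sort() is stable, so report order is kept within each severity tier
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


# Constructed sample: lines copied from the DDS reports posted in this thread.
SAMPLE_REPORT = r"""
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
TB: {B80F591E-FE9A-46CF-A13E-180377240586} - No File
uRun: [searchEngineProtection] C:\Program Files (x86)\Gamesbar\SearchEngineProtection.exe
uRun: [unoselhic] C:\Users\Rancher\AppData\Roaming\Aqruoz\yhmoa.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\Rancher\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DeskPins.lnk - C:\Program Files (x86)\DeskPins\DeskPins.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
TCP: Interfaces\{8CFE23FE-29C0-4597-B93A-FDE8449C99AB} : NameServer = 64.68.248.10,64.68.252.10
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample, the autorun under AppData\Roaming and the three UAC policies come out as high, the NameServer line as medium (to be verified, not assumed hostile), and the toolbar with no file on disk as info; the DeskPins shortcut is not flagged because its target is under Program Files, and ConsentPromptBehaviorUser = 3 is left alone because it is not one of the weak values.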
4. Trojan.Dropper.BCMiner was detected several days ago by Malwarebytes. I've been trying different things to remove it; the latest log from mbam no longer shows it. However, when I type www.malwarebytes.org into IE it goes to Google, and when I type www.symantec.com into IE it also goes to Google, and SEP will not load.

mbam log from yesterday:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.22.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Rancher :: ROCKYCREEK-ST1 [administrator]

Protection: Enabled

7/22/2012 7:30:09 AM
mbam-log-2012-07-22 (07-42-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 262203
Time elapsed: 9 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Installer\{ca3bcf3c-1eca-c859-cb02-33ec77d20950}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.
(end)

mbam log from today:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.23.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Rancher :: ROCKYCREEK-ST1 [administrator]

Protection: Enabled

7/23/2012 9:49:49 AM
mbam-log-2012-07-23 (09-49-49).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 258368
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

favr log from yesterday:

Fake Antivirus Remover 1.0.0.1019
Pattern version: 100024
Scan mode: Scan All Processes
Time elapsed: 00 minute(s), 07 second(s)

Summary
------------------------------------
Processes Detected: 0
Files Detected: 1
Folders Detected: 0
Registry Keys Detected: 0
Registry Values Detected: 0
Registry Data Detected: 0

Detailed Information
------------------------------------
Files Detected:
C:\Users\Rancher\AppData\Local\GDIPFONTCACHEV1.DAT -> Delete (Quarantined and deleted successfully.)

DDS log from today:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Rancher at 9:36:25 on 2012-07-23
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12279.9131 [GMT -7:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Zentimo\ZentimoService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Ocster Backup\bin\backupService-ox.exe
C:\Program Files\Splunk\bin\splunkd.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Splunk\bin\splunkweb.exe
c:\Program Files\Ocster Backup\bin\oxHelper.exe
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\GamesBar\SearchEngineProtection.exe
C:\Program Files (x86)\DeskPins\DeskPins.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Full Uninstall\FullUninstallAgent.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Rancher\AppData\Roaming\Aqruoz\yhmoa.exe
C:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = Preserve
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: GamesBarBHO Class: {cb0d163c-e9f4-4236-9496-0597e24b23a5} - C:\Program Files (x86)\GamesBar\2.0.1.82\oberontb.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: GamesBar: {6f282b65-56bf-4bd1-a8b2-a4449a05863d} - C:\Program Files (x86)\GamesBar\2.0.1.82\oberontb.dll
TB: {B80F591E-FE9A-46CF-A13E-180377240586} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [wLite] "C:\Program Files (x86)\wLite\wLite.exe" -auto
uRun: [fsm]
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
uRun: [searchEngineProtection] C:\Program Files (x86)\Gamesbar\SearchEngineProtection.exe
uRun: [unoselhic] C:\Users\Rancher\AppData\Roaming\Aqruoz\yhmoa.exe
mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\Users\Rancher\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DeskPins.lnk - C:\Program Files (x86)\DeskPins\DeskPins.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AUTORU~1\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {1A93C934-025B-4c3a-B38E-9654A7003239} - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files (x86)\GamesBar\2.0.1.82\oberontb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8D59819B-2067-4A6B-84F4-7F84570E3C30} - hxxp://192.168.1.52/img/LinksysMLViewer.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.51/xplugLiteDL.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{8CFE23FE-29C0-4597-B93A-FDE8449C99AB} : NameServer = 64.68.248.10,64.68.252.10
TCP: Interfaces\{8CFE23FE-29C0-4597-B93A-FDE8449C99AB}\25F434B49534255454B4 : DhcpNameServer = 64.68.248.10 64.68.252.10 64.68.244.250
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
BHO-X64: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Search Toolbar: {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: GamesBarBHO Class: {CB0D163C-E9F4-4236-9496-0597E24B23A5} - C:\Program Files (x86)\GamesBar\2.0.1.82\oberontb.dll
BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn4\yt.dll
TB-X64: Search Toolbar: {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: GamesBar: {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files (x86)\GamesBar\2.0.1.82\oberontb.dll
TB-X64: {B80F591E-FE9A-46CF-A13E-180377240586} - No File
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;hc3ServiceName;C:\Windows\system32\DRIVERS\hotcore3.sys --> C:\Windows\system32\DRIVERS\hotcore3.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-4-1 13336]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-21 655944]
R2 ocster_backup;Ocster Backup;C:\Program Files\Ocster Backup\bin\backupService-ox.exe [2011-5-18 21272]
R2 Splunkd;Splunkd;C:\Program Files\Splunk\bin\splunkd.exe [2011-7-14 23355200]
R2 Splunkweb;Splunkweb;C:\Program Files\Splunk\bin\splunkweb.exe [2011-7-14 21824]
R2 ZentimoService;Zentimo Assistant;C:\Program Files (x86)\Zentimo\ZentimoService.exe [2011-12-12 555844]
R3 Apowersoft_AudioDevice;Apowersoft_AudioDevice;C:\Windows\system32\drivers\Apowersoft_AudioDevice.sys --> C:\Windows\system32\drivers\Apowersoft_AudioDevice.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys --> C:\Windows\system32\Drivers\nx6000.sys [?]
R3 splunkdrv-win6;splunkdrv-win6;C:\Program Files\Splunk\bin\splunkdrv-win6.sys [2011-7-14 37752]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 wxpSvc;webcamXP Service;C:\Program Files (x86)\wLite\wService.exe [2010-5-2 5027328]
.
=============== Created Last 30 ================
.
2012-07-23 15:27:17 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Pieklu 2012-07-23 15:27:17 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Efgag 2012-07-23 15:27:17 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Byxi 2012-07-23 10:26:57 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Xakiy 2012-07-23 10:26:57 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Isnyad 2012-07-23 10:26:57 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Efusa 2012-07-23 05:26:51 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Vuiv 2012-07-23 05:26:51 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Qoict 2012-07-23 05:26:51 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Ovby 2012-07-23 00:26:41 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Nava 2012-07-23 00:26:41 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Byyx 2012-07-23 00:26:41 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Avze 2012-07-22 19:26:56 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Uqxowa 2012-07-22 19:26:56 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Upkood 2012-07-22 19:26:56 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Qenyav 2012-07-22 14:25:18 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Ucgao 2012-07-22 14:25:18 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Opnyz 2012-07-22 14:25:18 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Myif 2012-07-22 06:09:23 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Xinyym 2012-07-22 06:09:23 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Afviad 2012-07-22 06:09:23 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Adoruk 2012-07-22 01:09:14 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Uwpeu 2012-07-22 01:09:14 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Ebzail 2012-07-22 01:09:14 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Anqu 2012-07-21 21:39:04 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys 2012-07-21 21:39:04 -------- d-----w- C:\ProgramData\Malwarebytes 2012-07-21 
21:39:03 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware 2012-07-21 20:13:04 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Ynor 2012-07-21 20:13:04 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Yltuo 2012-07-21 20:13:04 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Kuuhxo 2012-07-21 19:21:56 -------- d-----w- C:\ProgramData\PLAV 2012-07-21 19:20:24 -------- d-----w- C:\ProgramData\ParetoLogic Anti-Virus PLUS 2012-07-21 08:23:05 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Qutyox 2012-07-21 08:23:05 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Qaup 2012-07-21 08:23:05 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Noutr 2012-07-21 03:22:58 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Haob 2012-07-21 03:22:58 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Avriv 2012-07-21 03:22:58 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Aspis 2012-07-20 22:24:25 -------- d-----w- C:\Windows\System32\SPReview 2012-07-20 22:23:51 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Zytyob 2012-07-20 22:23:51 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Kedieb 2012-07-20 22:23:51 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Fygec 2012-07-20 22:23:16 -------- d-----w- C:\Windows\System32\EventProviders 2012-07-20 11:29:50 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Ugocop 2012-07-20 11:29:50 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Oxnu 2012-07-20 11:29:50 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Baygor 2012-07-20 06:29:30 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Paiki 2012-07-20 06:29:30 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Icka 2012-07-20 06:29:30 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Feyz 2012-07-20 01:29:23 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Ymbe 2012-07-20 01:29:23 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Miva 2012-07-20 01:29:23 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Gahuuh 2012-07-19 16:45:08 
-------- d-----w- C:\DD-WRT bin 2012-07-19 16:44:14 -------- d-----w- C:\App Remover 2012-07-19 16:42:03 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Zusy 2012-07-19 16:42:03 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Kapau 2012-07-19 16:42:03 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Cucew 2012-07-18 17:27:58 -------- d-----w- C:\SEP 2012-07-18 15:13:01 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Malwarebytes 2012-07-18 02:16:54 -------- d-----w- C:\Users\Rancher\AppData\Local\Threat Expert 2012-07-18 01:43:28 348160 ----a-w- C:\Windows\SysWow64\MSVCR71.DLL 2012-07-17 21:49:46 251528 ----a-w- C:\Windows\System32\drivers\PCTSD64.sys 2012-07-17 21:49:46 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools 2012-07-17 21:47:29 -------- d-----w- C:\ProgramData\PC Tools 2012-07-17 21:47:28 -------- d-----w- C:\Users\Rancher\AppData\Roaming\TestApp 2012-07-17 21:19:42 -------- d--h--w- C:\Users\Rancher\AppData\Roaming\815267D4 2012-07-17 20:18:05 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA% 2012-07-17 17:43:43 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Pieg 2012-07-17 17:43:42 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Mutumo 2012-07-17 17:43:42 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Aqruoz 2012-07-17 12:41:03 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{270AE8F7-E834-4856-B201-9C7975642BD6}\mpengine.dll 2012-07-11 10:05:02 3148800 ----a-w- C:\Windows\System32\win32k.sys 2012-07-11 06:58:37 2004480 ----a-w- C:\Windows\System32\msxml6.dll 2012-07-11 06:53:20 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll 2012-07-11 06:53:20 61440 ----a-w- C:\Program Files\Common Files\System\ado\msador15.dll 2012-07-11 06:53:20 57344 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msador15.dll 2012-07-11 06:53:20 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll 2012-07-11 06:53:20 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll 2012-07-11 
06:53:20 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll 2012-07-11 06:53:20 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll 2012-07-11 06:53:20 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll 2012-07-11 06:53:20 212992 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll 2012-07-11 06:53:20 1499136 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll 2012-07-11 06:53:20 143360 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msjro.dll 2012-07-11 06:53:20 1133568 ----a-w- C:\Windows\System32\cdosys.dll 2012-07-11 06:53:20 1019904 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll 2012-07-01 17:13:26 -------- d-----w- C:\Users\Rancher\AppData\Local\MetaGeek,_LLC 2012-07-01 17:06:13 -------- d-----w- C:\Program Files (x86)\MetaGeek 2012-07-01 16:54:56 -------- d-----w- C:\ProgramData\Oberon Media 2012-07-01 16:54:56 -------- d-----w- C:\Program Files (x86)\Oberon Media 2012-07-01 16:54:50 -------- d-----w- C:\Users\Rancher\AppData\Roaming\Oberon Media 2012-07-01 16:54:50 -------- d-----w- C:\ProgramData\GamesBar 2012-07-01 16:54:47 -------- d-----w- C:\Program Files (x86)\GamesBar 2012-07-01 16:54:47 -------- d-----w- C:\Program Files (x86)\Common Files\Oberon Media . ==================== Find3M ==================== . 
2012-07-20 22:35:11 175616 ----a-w- C:\Windows\System32\msclmd.dll 2012-07-20 22:35:11 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll 2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll 2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll 2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll 2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll 2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll 2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe 2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll 2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll 2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll 2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl 2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe 2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb 2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll 2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll 2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl 2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe 2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb 2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys 2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys 2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys 2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll 2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll 2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll 2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll 2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll 2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll 2012-05-31 19:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe 
2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe 2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe 2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe 2012-05-01 05:40:20 209920 ----a-w- C:\Windows\System32\profsvc.dll 2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys 2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll 2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll 2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe . ============= FINISH: 9:37:06.58 =============== Any and all help will be appreciated! Rancher