Showing results for tags 'zeroaccess'.

Found 25 results

  1. Hi M Community - I put an old desktop I had not used for some time through a complete scrub. Clean, except 2 issues which I cannot explain: 1x Java Exploit (2010-0840): Unexpected. Unit had been Java updated regularly. Updated to Version 5.20 (vulnerability patched) back in April 2010. Can Java exploits download onto a computer with an updated/patched system? Is a Java exploit on a patched system harmless? HitmanPro found inactive remnants of ZeroAccess (registry keys). I once removed a Ukash infection using System Restore + AV/MBAM but that was the only active infection I previously found on this computer - nothing else ever found. Why were remnants found of an infection that was never found/removed? HMP responded saying these remnants may have been part of the Ukash but that still doesn't explain the remnants... or could the remnants have survived the restore? All input/suggestions welcome...
  2. I have a possible infection and would appreciate someone looking into this. My computer has very sluggish behavior and seems to take forever to do anything, even when nothing is running. I continually get error messages from Norton on high memory usage by COM Surrogates (SysWOW64) and I also have been getting notices from Malwarebytes on malicious websites being blocked (example attached). I ran the Farbar Recovery Scan Tool and found the following notation:

     ==================== Bamital & volsnap Check =================
     (There is no automatic fix for files that do not pass verification.)
     ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Windows\system64

     I am attaching the complete files for reference. Does this mean I have a rootkit and if so, how do I remove it? Thanks much in advance for your help. FRST.txt Addition.txt
  3. I am trying to run MWB on my sister's computer that is infected with the CryptoWall virus. I tried to follow the instructions but Malwarebytes will not run. I tried to install a new Malwarebytes but keep getting some errors. Please see the FRST and Addition texts below: I am unable to copy and paste into this message - I can copy but paste or Ctrl+P will not work. FRST.txt Addition.txt Rkill.txt
  4. Hi, I have a ZeroAccess infection. I have done all the steps mentioned below, but I still think that it is there. Could anybody help please. John Paul S.

     ####################################################################################################
     ### Removing viral infection ###
     ####################################################################################################

     ====================================================================================================
     00. Infections found
     ====================================================================================================
     1. With ComboFix
        - Trojan.Sirefef.YS in Desktop.ini
        - Rootkit.ZeroAcess inserted into tcp/ip stack (= Message by ComboFix)
     2. With RKill
        * ALERT: ZEROACCESS rootkit symptoms found!
        * C:\WINDOWS\assembly\GAC\Desktop.ini [ZA File]
        * ALERT: ZEROACCESS Reparse Point/Junction found!
        * C:\WINDOWS\$NtUninstallKB65459$\1241927679 => c:\windows\system32\config [File]
     3. After running the anti-malware tools mentioned below, ComboFix & RKill are not showing anything now. Especially, C:\WINDOWS\assembly\GAC\Desktop.ini has been deleted, as has C:\WINDOWS\$NtUninstallKB65459$\1241927679
     4. Remaining problem:
        - Not sure if everything is clean since some weird cookies are added in my "Cookies" directory even if there is no browser opened; this happens especially when the network cable is plugged in
        - I have the impression that the Rootkit.ZeroAcess is still inserted into the tcp/ip stack even if ComboFix is not reporting it anymore

     ====================================================================================================
     01. Current computer configuration
     ====================================================================================================
     01. Dell laptop D630 - 4 GB RAM
     02. Windows XP SP3 not up to date because I think it is better to solve my viral infection first

     ====================================================================================================
     02. Preparatory work done
     ====================================================================================================
     01. Uninstallation of antivirus (otherwise will interfere with ComboFix)
         - Used uninstall / official remover (AvgRemover to be chosen according to version installed)
     02. Uninstallation of Online Armor Firewall
     03. Removed unnecessary programs from Windows startup
     04. Complementary checking
         - Copy all virus cleaning programs to disk D:\
         - Shut down computer & disconnect all other external drives
         - Reboot & check that antivirus & firewall are uninstalled
     05. Start computer in safe mode or normal depending on the removal program
         - With network functionalities
         - Set screen to max possible

     ====================================================================================================
     03. Unlocking environment done
     ====================================================================================================
     01. Unhide program = Unhide all Windows files, especially those hidden by virus
     02. Defogger = Unlock virtual DVD & CD units
         - Stop CD & DVD emulation software = Perturbing antivirus
         - Will reboot the computer (Safe Mode)
         - Re-enable after done!!!!
     03. RKill = To kill all viral processes ==> After each reboot !!!!!!!!!!!!!!!!
         - Renamed to iexplore to avoid it being stopped by malicious programs
         - Run RKill
         - Problems found (mentioned above)
     04. FixExec = To repair ".Exec" + ".Com3" link
     05. Farbar Tools
         01. GrantPerms = To grant permission to locked files
         02. Farbar Service Scanner
         03. MiniToolBox

     ====================================================================================================
     04. Core Scanning Tools Used
     ====================================================================================================
     00. Cleaning Tools = To be used when file with virus is found and cannot be easily deleted
         01. VT Hash Check = Check file authenticity & can also delete file before reboot if needed
         02. BlitzBlank = Delete files before Windows boot in case needed
     01. Microsoft Safety Scanner
         - Used for 1st detection only - Not used after
     02. Kaspersky TDSSKiller
         - Download and rename as: iexplore.exe
         - Change parameters: Select "detect TDLFS file system"
         - Run scan
     03. ComboFix
         - Made sure that no antivirus + firewall are running
         - Made sure that running in safe mode without networking
         - ComboFix will send info on what was detected then ask for reboot => Accept, and if it does not stop, force it (press power button) & restart in safe mode (F8)
         - ComboFix started again automatically before Windows starts:
           - Displayed completed stages (1,2...50)
           - Deleted files that are corrupted
         - ComboFix will ask to reboot the computer itself - Do not reboot the computer manually !!!!!
         - ComboFix will then generate a report in c:\ComboFix.txt
         - Rescan again with ComboFix until same report file
     04. RogueKiller = Safe Mode + Network connection
         - Run RKill
         - Run RogueKiller
         http://www.adlice.com/zeroaccess-removal-with-roguekiller/ = Website sent as result containing a web malware!
     05. Malwarebytes Chameleon = In Normal Mode; does not work in Safe Mode even with Networking
         - Run svhost.exe
         - Perform a Quick scan & Delete all malwares found
         - Perform a Full Scan & Delete all malwares found
     06. HitmanPro
         - In Normal Mode
         - Malware found and deleted
     07. Malwarebytes Anti-Rootkit
     08. AdwCleaner
     09. Junkware Removal
     10. Eset Online Scanner
     11. Emsisoft Emergency Kit
     12. Farbar Recovery Scan Tool (Safe Mode)
     13. SuperAntiSpyware
         - Found cookies and deleted them

     ====================================================================================================
     04. Complementary checks done
     ====================================================================================================
     01. OTL
     02. HijackThis
     03. Short-cut Cleaner

     =====================================================
     05. Completion
     =====================================================
     - Re-run main "Unlocking environment"
     - Re-run all "Core"
     - Re-enable CD & DVD emulation software with Defogger!!!!
     - Delete all malware program quarantine folders
     - Uninstall all malware programs
     - Remove all cookies: C:\Documents & Settings\(all accounts)\Cookies
  5. I just did a clean install of Windows 7 from the recovery partition on my laptop and immediately started having problems. I've run several scans with MalwareBytes and have received various results labeled either "rootkit.0access" or "trojan.zaccess". The infection is not removed on restart; I always come back with at least a couple of "trojan.zaccess" results. I see that there have been several threads on this particular problem recently and I will do my best to include all of the commonly requested logs here. dds.txt attach.txt RKreport0_S_08292013_224349.txt FRST.txt Addition.txt Thanks in advance for your help.
  6. Hello. I have a HP AMD Athlon 64 proc...running MS Windows Vista Ultimate (32Bit) w/SP2. A few days ago Xfinity had alerted me that a "bot" was on my computer through a program called Constant Guard. Since then my computer has had a mind of its own. Several times it's sprouted legs and walked away from me, lol. I downloaded Norton and had found: Trojan.Backdoor.Generic16.klk Trojan.Backdoor.Zeroacces Trojan.Backdoor.Generic2.C I'm remembering these out of my head, however I do believe those are what was found and Quarantined/Removed. Before removal it had rendered my Security Essentials completely useless and it would not turn on - same for my Firewall. Also things such as Blue Screen, Icon removal or additions, Homepage Changes, Script Errors...you name it - it was happening. I removed my Sec.Ess. program when DL'ing Norton. The viruses are said to be removed, however I can run few .exe programs, my desktop background is still not working and I even got a Blue Screen when I tried to start up in Safe Mode (o.O) a few times. So I'm not sure if I'm still infected or what. I cannot find the Vista Ult. Install disk either, which is a major bummer. Was wondering if someone could walk me through removal. Normally I have always cleaned my own system and haven't needed help up to this point, however, I am at a loss this time around and need tekkie help. ugh, whatta mess....be gentle! Thank you!! ~ Sherry attach.txt.txt dds.txt mbam-log-2012-12-11 (11-31-11).txt
  7. Hello. I have a HP AMD Athlon 64 proc...running MS Windows Vista Ultimate (32Bit) w/SP2. A few days ago Xfinity had alerted me that a "bot" was on my computer through a program called Constant Guard. Since then my computer has had a mind of its own. Several times it's sprouted legs and walked away from me, lol. I downloaded Norton and had found: Trojan.Backdoor.Generic16.klk (twice) Trojan.Backdoor.Zeroacces Trojan.Backdoor.Generic2.C I'm remembering these out of my head, however I do believe those are what was found and Quarantined/Removed. Before removal it had rendered my Security Essentials completely useless and it would not turn on - same for my Firewall. Also things such as Blue Screen, Icon removal or additions, Homepage Changes, Script Errors...you name it - it was happening. I removed my Sec.Ess. program when DL'ing Norton. The viruses are said to be removed, however I can run few .exe programs, my desktop background is still not working and I even got a Blue Screen when I tried to start up in Safe Mode (o.O) a few times. So I'm not sure if I'm still infected or what. I cannot find the Vista Ult. Install disk either, which is a major bummer. Was wondering if someone could walk me through removal. Normally I have always cleaned my own system and haven't needed help up to this point, however, I am at a loss this time around and need tekkie help. When trying to run HijackThis it alerts me to Run as Admin. When I try the Run as Admin, the option is missing. When I try to Analyze, it says I have no internet connection (which I do), which means I am not able to make a log. It says "For some reason the system has denied write access to the Host file" and something about adding it to the notepad but I am unable to save it or copy/paste. Ugh. Thank you!! ~ Sherry
  8. @jeffce was responding to my topic but now the topic has disappeared. Attached are the dds.txt and attach.txt from dds.scr and also aswMBR.txt from aswMBR.exe

     aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
     Run date: 2012-11-01 16:59:36
     -----------------------------
     16:59:36.194 OS Version: Windows x64 6.1.7601 Service Pack 1
     16:59:36.194 Number of processors: 2 586 0x403
     16:59:36.194 ComputerName: AS-PC UserName: AS
     16:59:37.333 Initialize success
     16:59:45.024 AVAST engine defs: 12110100
     16:59:47.705 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005c
     16:59:47.705 Disk 0 Vendor: WDC_WD75 05.0 Size: 715404MB BusType: 11
     16:59:47.720 Disk 0 MBR read successfully
     16:59:47.720 Disk 0 MBR scan
     16:59:47.736 Disk 0 Windows 7 default MBR code
     16:59:47.736 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 150000 MB offset 2048
     16:59:47.752 Disk 0 Partition - 00 05 Extended 565403 MB offset 307202048
     16:59:47.767 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 565402 MB offset 307204096
     16:59:47.798 Disk 0 scanning C:\Windows\system32\drivers
     16:59:58.063 Service scanning
     17:00:14.300 Modules scanning
     17:00:14.300 Disk 0 trace - called modules:
     17:00:14.316 ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys storport.sys hal.dll amdsata.sys
     17:00:14.316 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80048f53d0]
     17:00:14.316 3 CLASSPNP.SYS[fffff880019ab43f] -> nt!IofCallDriver -> [0xfffffa8003aa5b80]
     17:00:14.332 5 amdxata.sys[fffff880010dc7a8] -> nt!IofCallDriver -> \Device\0000005c[0xfffffa8004749060]
     17:00:15.112 AVAST engine scan C:\Windows
     17:00:18.590 AVAST engine scan C:\Windows\system32
     17:02:47.135 AVAST engine scan C:\Windows\system32\drivers
     17:02:55.653 AVAST engine scan C:\Users\AS
     17:11:05.026 AVAST engine scan C:\ProgramData
     17:16:30.080 Scan finished successfully
     17:16:49.733 Disk 0 MBR has been saved successfully to "C:\Users\AS\Desktop\MBR.dat"
     17:16:49.733 The log file has been saved successfully to "C:\Users\AS\Desktop\aswMBR.txt"

     dds.txt attach.txt aswMBR.txt
  9. Alright so here is my situation as it stands at this time. Caught ZeroAccess over the weekend, though didn't know it at the time. Realized it on Sunday evening and have been fighting it since. I typically run Malwarebytes, AVG and CCleaner. This combination has kept me clean for several years running now. When I started fighting this thing I ran all three. I have found that AVG sees it but cannot clean it. Malwarebytes thought it cleaned it but now does not see it, and the same with CCleaner. It has gotten to the point now where it has shut down access to the internet for everything but IE and hijacks that browser unless I type the address directly. If I try to follow a link it will be hijacked. I have been through the board here and followed some of the more generic steps provided for others who have had this one, to include running a couple of the tools recommended to find it. I will attach the logs from the last day of activity. So I can find it but cannot get rid of it nor restore access to the Windows firewall and the rest of the internet accessing programs. Please help. avgrep.txt checkup.txt Extras.Txt FSS.txt OTL.Txt RKreport2.txt TDSSKiller.txt
  10. Below are my Malwarebytes Pro, DDS, attach, and RogueKiller logs

     Malwarebytes Anti-Malware (PRO) 1.62.0.1300
     www.malwarebytes.org

     Database version: v2012.09.06.06

     Windows 7 x86 NTFS
     Internet Explorer 9.0.8112.16421
     John Nicholas :: JOHNNICHOLAS [administrator]

     Protection: Enabled

     9/6/2012 7:12:12 AM
     mbam-log-2012-09-06 (08-16-18).txt

     Scan type: Full scan (C:\|)
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 399135
     Time elapsed: 1 hour(s), 59 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 4
     C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U\00000004.@ (Rootkit.Zaccess) -> No action taken.
     C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.
     C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U\000000cb.@ (Rootkit.0Access) -> No action taken.
     C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U\80000000.@ (Trojan.Small) -> No action taken.

     (end)

     .
     DDS (Ver_2011-08-26.01) - NTFSx86
     Internet Explorer: 9.0.8112.16421
     Run by John Nicholas at 7:05:53 on 2012-09-06
     Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3037.1985 [GMT -4:00]
     .
     AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
     SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
     .
     ============== Running Processes ===============
     .
     C:\Windows\system32\wininit.exe
     C:\Windows\system32\lsm.exe
     C:\Windows\system32\svchost.exe -k DcomLaunch
     C:\Windows\system32\svchost.exe -k RPCSS
     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
     C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
     C:\Windows\system32\svchost.exe -k LocalService
     C:\Windows\system32\svchost.exe -k NetworkService
     C:\Windows\System32\spoolsv.exe
     C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
     C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
     C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
     C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
     C:\Program Files\TightVNC\tvnserver.exe
     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
     C:\Windows\system32\SearchIndexer.exe
     C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
     C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
     C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
     C:\Program Files\Windows Media Player\wmpnetwk.exe
     C:\Windows\system32\taskhost.exe
     C:\Windows\system32\Dwm.exe
     C:\Windows\Explorer.EXE
     C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe
     C:\Windows\System32\hkcmd.exe
     C:\Windows\System32\igfxpers.exe
     C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE
     C:\Program Files\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
     C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
     C:\Program Files\TightVNC\tvnserver.exe
     C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
     C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
     C:\Program Files\Common Files\Java\Java Update\jusched.exe
     C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\Keystatus.exe
     C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\CNYHKEY.exe
     C:\Program Files\TightVNC\tvnserver.exe
     C:\Windows\system32\svchost.exe -k netsvcs
     C:\Windows\system32\wbem\wmiprvse.exe
     C:\Windows\system32\DllHost.exe
     C:\Windows\system32\DllHost.exe
     C:\Windows\system32\conhost.exe
     C:\Windows\system32\wbem\wmiprvse.exe
     .
     ============== Pseudo HJT Report ===============
     .
     uStart Page = hxxp://www.google.com/
     BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
     BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
     BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
     BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mif5ba~1\office14\URLREDIR.DLL
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
     TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
     uRun: [Google Update] "c:\users\john nicholas\appdata\local\google\update\GoogleUpdate.exe" /c
     mRun: [hpsysdrv] c:\program files\hewlett-packard\hp odometer\hpsysdrv.exe
     mRun: [igfxTray] c:\windows\system32\igfxtray.exe
     mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
     mRun: [Persistence] c:\windows\system32\igfxpers.exe
     mRun: [HP KEYBOARDx] "c:\program files\hewlett-packard\hp desktop keyboard\HPKEYBOARDx.EXE"
     mRun: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
     mRun: [bATINDICATOR] c:\program files\hewlett-packard\hp mainstream keyboard\BATINDICATOR.exe
     mRun: [LaunchHPOSIAPP] c:\program files\hewlett-packard\hp mainstream keyboard\LaunchApp.exe
     mRun: [tvncontrol] "c:\program files\tightvnc\tvnserver.exe" -controlservice -slave
     mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
     mRun: [<NO NAME>]
     mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
     mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
     mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
     mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
     mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\programdata\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
     mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
     mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
     mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
     mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
     mPolicies-system: SoftwareSASGeneration = 1 (0x1)
     IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
     IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
     IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
     IE: Se&nd to OneNote - c:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105
     IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
     IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
     LSP: mswsock.dll
     Trusted Zone: //about.htm/
     Trusted Zone: //Exclude.htm/
     Trusted Zone: //FWEvent.htm/
     Trusted Zone: //LanguageSelection.htm/
     Trusted Zone: //Message.htm/
     Trusted Zone: //MyAgttryCmd.htm/
     Trusted Zone: //MyAgttryNag.htm/
     Trusted Zone: //MyNotification.htm/
     Trusted Zone: //NOCLessUpdate.htm/
     Trusted Zone: //quarantine.htm/
     Trusted Zone: //ScanNow.htm/
     Trusted Zone: //strings.vbs/
     Trusted Zone: //Template.htm/
     Trusted Zone: //Update.htm/
     Trusted Zone: //VirFound.htm/
     Trusted Zone: mcafee.com\*
     Trusted Zone: mcafeeasap.com\betavscan
     Trusted Zone: mcafeeasap.com\vs
     Trusted Zone: mcafeeasap.com\www
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
     TCP: Interfaces\{88E8002B-4C31-43A5-994C-BB87BA16B602} : NameServer = 65.32.1.65,65.32.1.70
     Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
     Notify: igfxcui - igfxdev.dll
     .
     ============= SERVICES / DRIVERS ===============
     .
     R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2010-8-20 92216]
     R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-7-27 655944]
     R2 regi;regi;c:\windows\system32\drivers\regi.sys [2010-11-16 13880]
     R2 tvnserver;TightVNC Server;c:\program files\tightvnc\tvnserver.exe [2010-7-8 815704]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-7-16 22344]
     R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-1-22 279656]
     S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
     S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-3-16 136176]
     S2 PEVSystemStart;PEVSystemStart;c:\32788r22fwjfw\pev.3XE [2011-6-26 256000]
     S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 250056]
     S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
     S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-3-16 136176]
     S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2011-1-22 132480]
     S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
     S3 OxPPort;OxPPort;c:\windows\system32\drivers\OxPPort.sys [2011-1-22 82048]
     S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
     S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-5-2 1343400]
     .
     =============== Created Last 30 ================
     .
     2012-09-06 11:05:22 54016 ----a-w- c:\windows\system32\drivers\ivani.sys
     2012-08-08 14:45:22 -------- d-----w- c:\users\john nicholas\appdata\local\Deployment
     2012-08-08 14:45:22 -------- d-----w- c:\users\john nicholas\appdata\local\Apps
     .
     ==================== Find3M ====================
     .
     2012-08-14 18:50:34 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2012-08-14 18:50:34 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
     2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
     2012-06-12 02:44:03 2344448 ----a-w- c:\windows\system32\win32k.sys
     .
     ============= FINISH: 7:06:30.23 ===============

     .
     UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
     IF REQUESTED, ZIP IT UP & ATTACH IT
     .
     DDS (Ver_2011-08-26.01)
     .
     Microsoft Windows 7 Professional
     Boot Device: \Device\HarddiskVolume1
     Install Date: 4/15/2011 3:31:29 PM
     System Uptime: 9/6/2012 6:00:17 AM (1 hours ago)
     .
     Motherboard: FOXCONN | | 2A8C
     Processor: Pentium® Dual-Core CPU E5700 @ 3.00GHz | CPU 1 | 3003/800mhz
     .
     ==== Disk Partitions =========================
     .
     C: is FIXED (NTFS) - 139 GiB total, 85.787 GiB free.
     D: is FIXED (NTFS) - 10 GiB total, 1.252 GiB free.
     E: is CDROM (UDF)
     .
     ==== Disabled Device Manager Items =============
     .
     ==== System Restore Points ===================
     .
     No restore point in system.
     .
     ==== Installed Programs ======================
     .
     ActiveCheck component for HP Active Support Library
     Adobe Acrobat X Pro - English, Français, Deutsch
     Adobe AIR
     Adobe Flash Player 11 ActiveX
     Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
     Google Apps Migration For Microsoft Outlook® 2.3.12.34
     Google Apps Sync™ for Microsoft Outlook® 3.1.94.203
     Google Chrome
     Google Cloud Connect for Microsoft Office
     Google Update Helper
     HP Auto
     HP Connect Solutions
     HP Customer Experience Enhancements
     HP Desktop Keyboard
     HP MAINSTREAM KEYBOARD
     HP Odometer
     HP Remote Solution
     HP Setup
     HP Support Assistant
     HP Support Information
     HP Vision Hardware Diagnostics
     HPAsset component for HP Active Support Library
     Intel® Graphics Media Accelerator Driver
     InterVideo WinDVD 8
     Java Auto Updater
     Java 6 Update 25
     Malwarebytes Anti-Malware version 1.62.0.1300
     Microsoft .NET Framework 4 Client Profile
     Microsoft .NET Framework 4 Extended
     Microsoft Office 2010 Service Pack 1 (SP1)
     Microsoft Office Access MUI (English) 2010
     Microsoft Office Access Setup Metadata MUI (English) 2010
     Microsoft Office Excel MUI (English) 2010
     Microsoft Office OneNote MUI (English) 2010
     Microsoft Office Outlook MUI (English) 2010
     Microsoft Office PowerPoint MUI (English) 2010
     Microsoft Office Professional 2010
     Microsoft Office Proof (English) 2010
     Microsoft Office Proof (French) 2010
     Microsoft Office Proof (Spanish) 2010
     Microsoft Office Proofing (English) 2010
     Microsoft Office Publisher MUI (English) 2010
     Microsoft Office Shared MUI (English) 2010
     Microsoft Office Shared Setup Metadata MUI (English) 2010
     Microsoft Office Single Image 2010
     Microsoft Office Word MUI (English) 2010
     Microsoft Silverlight
     Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
     Microsoft Visual C++ 2005 Redistributable
     Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
     Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
     Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
     Microsoft_VC90_CRT_x86
     Mozilla Thunderbird (3.1.10)
     MSXML 4.0 SP2 (KB954430)
     MSXML 4.0 SP2 (KB973688)
     PlayReady PC Runtime x86
     Realtek High Definition Audio Driver
     Recovery Manager
     Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
     Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
     Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
     Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
     Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
     Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
     Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
     Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
     Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
     Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
     Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
     Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
     Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
     Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
     Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
     Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition
     Security Update for Microsoft InfoPath 2010 (KB2553322) 32-Bit Edition
     Security Update for Microsoft Office 2010 (KB2553091)
     Security Update for Microsoft Office 2010 (KB2553096)
     Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
     Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
     Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
     Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
     Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
     Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
     Security Update for Microsoft Visio Viewer 2010 (KB2597981) 32-Bit Edition
     Spotify
     TightVNC 2.0.2
     Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
     Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
     Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
     Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
     Update for Microsoft .NET Framework 4 Extended (KB2468871)
     Update for Microsoft .NET Framework 4 Extended (KB2533523)
     Update for Microsoft .NET Framework 4 Extended (KB2600217)
     Update for Microsoft Office 2010 (KB2494150)
     Update for Microsoft Office 2010 (KB2553065)
     Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
     Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
     Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
     Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
     Update for Microsoft Office 2010 (KB2566458)
     Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
     Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
     Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
     Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
     Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
     Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
     Windows Live ID Sign-in Assistant
     .
     ==== Event Viewer Messages From Past Week ========
     .
     9/6/2012 6:28:56 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the User Profile Service service, but this action failed with the following error: An instance of the service is already running.
     9/6/2012 6:28:56 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Multimedia Class Scheduler service, but this action failed with the following error: An instance of the service is already running.
     9/6/2012 6:23:56 AM, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 2 time(s).
     9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
     9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
     9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
     9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
     9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
     9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
     9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
     9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 2 time(s).
The following corrective action will be taken in 300000 milliseconds: Restart the service. 9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service. 9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. 9/6/2012 6:23:55 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly. 9/6/2012 6:18:27 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Application Experience service, but this action failed with the following error: An instance of the service is already running. 9/6/2012 6:17:27 AM, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 1 time(s). 9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service. 9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service. 9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. 
9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. 9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service. 9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. 9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. 9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service. 9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service. 9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service. 9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. 
9/6/2012 6:03:15 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891 9/6/2012 6:03:15 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891 9/6/2012 6:00:35 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service. . ==== End Of File =========================== RogueKiller V8.0.2 [08/31/2012] by Tigzy mail: tigzyRK<at>gmail<dot>com Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/ Blog: http://tigzyrk.blogspot.com Operating System: Windows 7 (6.1.7600 ) 32 bits version Started in : Normal mode User : John Nicholas [Admin rights] Mode : Scan -- Date : 09/06/2012 06:52:04 ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 6 ¤¤¤ [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{88E8002B-4C31-43A5-994C-BB87BA16B602} : NameServer (65.32.1.65,65.32.1.70) -> FOUND [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{88E8002B-4C31-43A5-994C-BB87BA16B602} : NameServer (65.32.1.65,65.32.1.70) -> FOUND [HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ [ZeroAccess][FOLDER] U : C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U --> FOUND [ZeroAccess][FOLDER] L : C:\Windows\Installer\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\L --> FOUND [ZeroAccess][FILE] @ : C:\Users\John Nicholas\AppData\Local\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\@ --> FOUND [ZeroAccess][FOLDER] U : C:\Users\John 
Nicholas\AppData\Local\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\U --> FOUND [ZeroAccess][FOLDER] L : C:\Users\John Nicholas\AppData\Local\{6d2a19bc-dc9f-c147-6976-dc0ba1959f18}\L --> FOUND [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC\Desktop.ini --> FOUND [susp.ASLR|Sig - ZeroAccess][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND ¤¤¤ Driver : [LOADED] ¤¤¤ ¤¤¤ Infection : ZeroAccess ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> C:\Windows\system32\drivers\etc\hosts ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: ST3160318AS ATA Device +++++ --- User --- [MBR] ea6acb3719542c5e4aa14d17adb2750b [bSP] 29d88a6bd94bb9282499f9c0d775a976 : Windows Vista/7 MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo 1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 142007 Mo 2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 291037184 | Size: 10518 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[1].txt >> RKreport[1].txt
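A note on the Service Control Manager errors in the DDS output above: at 6:17:27 and again at 6:23:56, eleven or twelve services (Task Scheduler, Themes, Group Policy Client, WMI, Server, IKE/AuthIP, User Profile Service and the rest) all terminate in the same second. On Windows 7 those services run inside one shared svchost.exe instance (the netsvcs group), so a burst like that records a single host process dying, not a dozen independent faults; it is what you see when an injected service host gets killed, whether by the infection or by a cleanup tool (PEVSystemStart, which errors at 6:23:55, is the service ComboFix registers). The PowerShell below is an added example, not code from the thread or from DDS, RogueKiller or any other tool named on this page. It parses lines in the DDS format (the sample lines are copied from the log above) or pulls the same event IDs from the live System log, and reports any minute in which at least MinServices distinct services terminated unexpectedly. Function and variable names are mine.

```powershell
# Added example for this page; not code from DDS, RogueKiller or any tool above.
# Flags minutes in which many distinct services terminated unexpectedly
# (SCM events 7031/7034): the signature of a shared svchost.exe instance dying.

# One DDS "Event Viewer Messages" line:
# "<date> <time>, Error: Service Control Manager [<id>] - The <name> service terminated unexpectedly..."
$DdsScmPattern = '^(?<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), Error: Service Control Manager \[(?<id>\d+)\] - The (?<svc>.+?) service terminated unexpectedly'

function ConvertFrom-DdsScmLine {
    # Turns DDS lines into objects; lines that are not 7031/7034 terminations
    # (7032 restart failures, 7023, 7001, 7030 ...) simply do not match and are skipped.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $DdsScmPattern) {
            New-Object PSObject -Property @{
                When    = [datetime]::ParseExact($matches['when'], 'M/d/yyyy h:mm:ss tt',
                              [System.Globalization.CultureInfo]::InvariantCulture)
                Id      = [int]$matches['id']
                Service = $matches['svc']
            }
        }
    }
}

function Get-LiveScmTerminations {
    # Same object shape, read from the live System log. For 7031/7034 the first
    # insertion string of the event is the service display name.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7031, 7034; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        New-Object PSObject -Property @{
            When = $_.TimeCreated; Id = $_.Id; Service = [string]$_.Properties[0].Value
        }
    }
}

function Find-ServiceTerminationBursts {
    # Groups terminations by calendar minute and reports minutes with at least
    # MinServices distinct services. One flaky service restarting all day never
    # trips this; a service host being killed does.
    param([object[]]$Events, [int]$MinServices = 5)
    $Events | Where-Object { $_.Id -eq 7031 -or $_.Id -eq 7034 } |
        Group-Object { $_.When.ToString('yyyy-MM-dd HH:mm') } |
        ForEach-Object {
            $names = @($_.Group | ForEach-Object { $_.Service } | Sort-Object -Unique)
            if ($names.Count -ge $MinServices) {
                New-Object PSObject -Property @{
                    Minute   = $_.Name
                    Services = $names.Count
                    Names    = ($names -join ', ')
                }
            }
        } | Sort-Object Minute | Select-Object Minute, Services, Names
}

# Sample input, copied from the DDS output above: one 7032 line that must be
# ignored, six lines from the 06:23 burst and two from the 06:17 burst.
$sample = @'
9/6/2012 6:28:56 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the User Profile Service service, but this action failed with the following error: An instance of the service is already running.
9/6/2012 6:23:56 AM, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 2 time(s).
9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/6/2012 6:23:56 AM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/6/2012 6:17:27 AM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
'@ -split "`r?`n"

Find-ServiceTerminationBursts -Events (ConvertFrom-DdsScmLine $sample) | Format-Table -AutoSize

# On a live host, against the real System log:
# Find-ServiceTerminationBursts -Events (Get-LiveScmTerminations) | Format-Table -AutoSize
```

With the sample above, the 06:23 minute carries six distinct services and is reported; the 06:17 minute carries only two in the sample and is not, which is the point of counting distinct service names per minute rather than raw event volume. Lower MinServices if you are hunting on a box with few netsvcs members running, and pair a reported minute with whatever else happened then (here, ComboFix starting at 6:23:55).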
  11. Hi, my computer has been affected by ZeroAccess for the past couple of days. I have McAfee antivirus installed on my machine. Every 10 seconds I get a McAfee pop-up stating that it has deleted trojans related to ZeroAccess. Can you please help me remove the trojan completely from my laptop? I have also read some of the threads in this forum and I have tried running RogueKiller on my laptop. I have attached a copy of the log file generated by RogueKiller. Please help me get rid of this. RKreport1.txt
  12. Hi, I've been trying to find help with this. I need to use my computer for some work for some non-profits this weekend. I have Norton and have run Malwarebytes Anti-Malware. I've run the Norton Power Eraser and the ZeroAccess fix and it's still there. I have multiple infected files and viruses: Zeroaccess2, Zeroaccess3, Zeroaccess, Trojan.gen.2 with desktop.ini. Any assistance would be very appreciated. Thanks! Attach.txt DDS.txt
  13. I started receiving messages that McAfee had removed a trojan and no further action was needed. It did this several times and then it said my PC was at risk. The firewall is turned off and it will not let me turn it back on. I used the McAfee virtual assistant, which recognized a problem but couldn't fix it. When I turned to them for support, they would be glad to, for 89.99. When I searched their forums, the first thing it said to do was turn off System Restore, so needless to say I did, and I tried using my Windows disc to repair, and that did not help. I downloaded Malwarebytes Anti-Malware. It discovered 3 and I thought it was fixed; I rebooted and after about an hour I am getting the same message about the firewall. Any help would be greatly appreciated! Thanks in advance, Cathy
  14. I suspected I had some kind of virus last night after a weird slow-down on the web. I ran a full scan and nothing was found; however, after the scan, messages from my antivirus keep popping up saying that a trojan has been removed. They pop up every 5-10 seconds and have not stopped for about 12 hours now. The popup claims the trojan to be a ZeroAccess trojan located in C:\$Recycle.Bin\ and then there is just a nonsensical alphanumeric file name. I ran MBAM and it said that there were 3 files removed; however, after a restart the popup persisted. I have McAfee antivirus and 64-bit Windows 7. The log files from DDS are attached. Attach.txt DDS.txt
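The on-disk pattern behind the detections on this page is consistent across the posts: RogueKiller earlier on the page lists a {GUID} directory holding U and L subfolders under C:\Windows\Installer and the same GUID with an @ file, U and L under the user's AppData\Local, a Desktop.ini planted in C:\Windows\Assembly\GAC, and a services.exe whose signature no longer checks out; the post above reports the 64-bit flavour living under $Recycle.Bin. The PowerShell below is an added example, not code from the thread, RogueKiller, MBAM or Norton. It sweeps those locations for the @/U/L layout, reports the GAC Desktop.ini, and checks whether System32\services.exe still matches one of the copies in the WinSxS component store (on Windows 7, services.exe is catalog-signed, so Get-AuthenticodeSignature alone reports NotSigned even on a clean machine, which is why the comparison is done against WinSxS instead). Assumptions, labelled in the code too: that the $Recycle.Bin variant uses the same @/U/L layout one level below the per-SID folders, that GAC_32 and GAC_64 are worth checking alongside GAC, and that the WinSxS component folder for services.exe contains the string "servicecontroller". Function names are mine.

```powershell
# Added example for this page; not code from RogueKiller, MBAM or Norton.
# Sweeps a Windows 7-era host for the ZeroAccess on-disk layout seen in this
# thread. Run elevated; for trustworthy results run it from a clean boot
# (e.g. against a mounted disk, passing -SystemDrive / -SystemRoot), since a
# live rootkit can hide these objects from the file system API.

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

function New-Hit([string]$Indicator, [string]$Path, [string]$Detail) {
    New-Object PSObject -Property @{ Indicator = $Indicator; Path = $Path; Detail = $Detail }
}

function Find-ZeroAccessArtifacts {
    param(
        [string]$SystemDrive = $env:SystemDrive,   # e.g. 'C:'
        [string]$SystemRoot  = $env:SystemRoot     # e.g. 'C:\Windows'
    )
    $hits = @()

    # 1. Drop directories: a folder containing '@' (config), 'U' (payload modules
    #    such as U\00000008) and/or 'L'. Parents checked: the Installer cache,
    #    every profile's AppData\Local, and (assumed layout for the x64 variant)
    #    each per-SID folder directly under $Recycle.Bin.
    $parents = @((Join-Path $SystemRoot 'Installer'))
    foreach ($p in @(Get-ChildItem -LiteralPath (Join-Path $SystemDrive 'Users') -Force -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })) {
        $parents += Join-Path $p.FullName 'AppData\Local'
    }
    foreach ($sid in @(Get-ChildItem -LiteralPath (Join-Path $SystemDrive '$Recycle.Bin') -Force -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })) {
        $parents += $sid.FullName
    }
    foreach ($parent in $parents) {
        foreach ($d in @(Get-ChildItem -LiteralPath $parent -Force -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })) {
            $markers = @(@('@', 'U', 'L') | Where-Object { Test-Path -LiteralPath (Join-Path $d.FullName $_) })
            if ($markers.Count -gt 0) {
                # A lone 'L' or 'U' is weak on its own; the marker list lets the analyst judge.
                $modules = @(Get-ChildItem -LiteralPath (Join-Path $d.FullName 'U') -Force -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
                $hits += New-Hit 'ZeroAccess drop directory' $d.FullName ('markers: ' + ($markers -join ',') + '; U contents: ' + ($modules -join ' '))
            }
        }
    }

    # 2. Desktop.ini planted in the GAC (RogueKiller's [ZeroAccess][FILE] Desktop.ini).
    #    GAC_32 / GAC_64 are an assumption added alongside the GAC path from the report.
    foreach ($rel in 'assembly\GAC\Desktop.ini', 'assembly\GAC_32\Desktop.ini', 'assembly\GAC_64\Desktop.ini') {
        $ini = Join-Path $SystemRoot $rel
        if (Test-Path -LiteralPath $ini) {
            $f = Get-Item -LiteralPath $ini -Force
            $hits += New-Hit 'Desktop.ini in GAC' $ini ('size ' + $f.Length + ', written ' + $f.LastWriteTime)
        }
    }

    # 3. services.exe: compare the live binary against the copies Windows keeps in
    #    WinSxS. Assumption: the component folder name contains 'servicecontroller'.
    $live  = Join-Path $SystemRoot 'System32\services.exe'
    $known = @()
    foreach ($c in @(Get-ChildItem -LiteralPath (Join-Path $SystemRoot 'winsxs') -Filter '*servicecontroller*' -Force -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })) {
        $copy = Join-Path $c.FullName 'services.exe'
        if (Test-Path -LiteralPath $copy) { $known += Get-Sha256Hex $copy }
    }
    if (Test-Path -LiteralPath $live) {
        $h = Get-Sha256Hex $live
        if ($known.Count -eq 0) {
            $hits += New-Hit 'services.exe unverified' $live 'no WinSxS copy found to compare against; use sfc /verifyfile or sigcheck'
        } elseif ($known -notcontains $h) {
            $hits += New-Hit 'services.exe modified' $live ('SHA-256 ' + $h + ' matches no WinSxS copy')
        }
    }

    $hits | Select-Object Indicator, Path, Detail
}

Find-ZeroAccessArtifacts | Format-Table -Wrap -AutoSize
```

Treat a hit as a lead, not a verdict: the @/U/L check is purely structural, so read the reported marker list and U contents before acting, and a "services.exe modified" result should be confirmed with sfc /verifyfile=C:\Windows\System32\services.exe or Sysinternals sigcheck before the file is replaced. Deleting the U\ modules by hand, as the poster in the thread below did, does not undo a patched services.exe, which is why Norton kept reporting it.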
  15. I am working on a friend's system (Windows 7 Home Premium 64) that has Norton Antivirus on it, and the other day he downloaded an "Adobe Update" that turned out not to be an Adobe update. I ran Malwarebytes and it identified three issues:
c:\Windows\Installer\{d3ed6ce9-2bc9-d767-2346-e38c72483d20}\U\00000008
c:\Windows\Installer\{d3ed6ce9-2bc9-d767-2346-e38c72483d20}\U\000000cb
c:\Windows\Installer\{d3ed6ce9-2bc9-d767-2346-e38c72483d20}\U\80000032
I finally managed to delete those from a Command Prompt window. Now Malwarebytes is showing that the system is clean, but Norton is showing that trojan.zeroaccess!inf4 is still alive in services.exe. I ran Farbar and then ran a services.exe on Farbar as well, and am attaching both of those reports. I don't normally use Windows machines and am consequently even more behind the curve than normal. Any help is greatly appreciated, thanks.

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.17.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
RMM :: RMM-PC [administrator]

Protection: Enabled

8/17/2012 12:12:35 AM
mbam-log-2012-08-17 (00-12-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 206281
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Scan result of Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 17-08-2012 02:00:39
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1812776 2009-06-25] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [444416 2009-06-28] (IDT, Inc.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3180624 2009-07-02] (Dell Inc.)
HKLM-x32\...\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-06-25] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1807600 2009-11-13] ()
HKLM-x32\...\Run: [FATrayAlert] c:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe [95496 2009-06-24] (Sensible Vision )
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [FAStartup] [x]
HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin [611712 2008-08-14] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [RemoteControl8] "C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [91432 2009-07-16] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD8LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe" [50472 2009-04-16] (CyberLink Corp.)
HKLM-x32\...\Run: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe [75048 2009-08-28] (cyberlink)
HKLM-x32\...\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [288088 2009-11-11] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\RMM\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
HKU\RMM\...\Run: [Skype] "C:\Program Files (x86)\Skype\\Phone\Skype.exe" /nosplash /minimized [26102056 2010-04-06] (Skype Technologies S.A.)
HKU\RMM\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKLM\...\RunOnce: [DSUpdateLauncher] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe" /NOCONSOLE /D="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate" /RUNAS "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe" [161008 2009-09-17] ()
HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe [165104 2009-09-17] (Softthinks)
HKLM-x32\...\RunOnce: [STToasterLauncher] C:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe [120048 2009-09-17] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Lsa: [Notification Packages] scecli FAPassSync
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\RMM\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\RMM\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ======

2 BcmSqlStartupSvc; "C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [30312 2008-01-11] (Microsoft Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe" [237008 2011-06-17] (McAfee, Inc.)
3 MSSQL$MSSMLBIZ; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [29293408 2010-12-10] (Microsoft Corporation)
2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\19.8.0.14\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\19.8.0.14\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)
2 RapportMgmtService; "C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe" [931640 2011-11-07] (Trusteer Ltd.)
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [271760 2009-04-16] ()
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe [240128 2009-06-28] (IDT, Inc.)

========================== Drivers (Whitelisted) =============

1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.5.1.2\Definitions\BASHDefs\20120811.003\BHDrvx64.sys [1385120 2012-08-10] (Symantec Corporation)
1 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1308000.00E\ccSetx64.sys [167072 2012-06-06] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-08] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-08] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.5.1.2\Definitions\IPSDefs\20120815.002\IDSvia64.sys [509088 2012-06-14] (Symantec Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.5.1.2\Definitions\VirusDefs\20120816.021\ENG64.SYS [120440 2012-08-17] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.5.1.2\Definitions\VirusDefs\20120816.021\EX64.SYS [2068600 2012-08-17] (Symantec Corporation)
3 netr28ux; C:\Windows\System32\DRIVERS\Dnetr28ux.sys [987648 2009-08-06] (Ralink Technology Corp.)
1 RapportCerberus_34302; \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus64_34302.sys [397520 2011-12-15] ()
1 RapportEI64; \??\C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [55056 2011-11-07] (Trusteer Ltd.)
0 RapportKE64; C:\Windows\System32\Drivers\RapportKE64.sys [63760 2011-11-07] (Trusteer Ltd.)
1 RapportPG64; \??\C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [61712 2011-11-07] (Trusteer Ltd.)
1 SRTSP; C:\Windows\System32\Drivers\NISx64\1308000.00E\SRTSP64.SYS [737952 2012-07-05] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NISx64\1308000.00E\SRTSPX64.SYS [37536 2012-07-05] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NISx64\1308000.00E\SYMDS64.SYS [451192 2011-08-16] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NISx64\1308000.00E\SYMEFA64.SYS [1129120 2012-05-21] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-03-23] (Symantec Corporation)
1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [43640 2012-04-17] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NISx64\1308000.00E\Ironx64.SYS [190072 2012-04-17] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\NISx64\1308000.00E\SYMNETS.SYS [405624 2012-04-17] (Symantec Corporation)
2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}; \??\C:\Program Files (x86)\CyberLink\PowerDVD8\000.fcl [146928 2009-08-28] (CyberLink Corp.)
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-08-17 01:25 - 2012-08-17 01:26 - 00000000 ____D C:\FRST
2012-08-17 00:07 - 2012-08-17 00:07 - 00003720 ____A C:\{08A08690-5029-4DD2-93BD-219B6FE370E8}
2012-08-17 00:07 - 2012-08-17 00:07 - 00000061 ____A C:\Users\RMM\Application Data\mbam.context.scan
2012-08-17 00:07 - 2012-08-17 00:07 - 00000061 ____A C:\Users\RMM\AppData\Roaming\mbam.context.scan
2012-08-16 23:04 - 2012-08-16 23:05 - 00001207 ____A C:\Users\RMM\Desktop\Elev Cmd Pmpt.lnk
2012-08-16 22:12 - 2012-08-16 22:12 - 00003792 ____A C:\{97BD8F1A-6284-481E-BBF0-E3A50C4673B4}
2012-08-16 19:16 - 2012-08-16 19:16 - 00003720 ____A C:\{8FF1BC36-C401-45AF-8BBC-2F3C0617FA76}
2012-08-16 18:28 - 2012-08-16 18:28 - 00003760 ____A C:\{9B7B57C2-6A07-42EF-B7C3-DD56177B78E2}
2012-08-16 17:24 - 2012-08-16 17:24 - 00003760 ____A C:\{38CAEDBB-D3B6-4F27-AA3F-739BAE03DD39}
2012-08-16 17:23 - 2012-08-16 17:23 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{7FEB4892-BC97-4F0C-A0C0-E61B2AFBAB3D}
2012-08-16 17:23 - 2012-08-16 17:23 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{657D4874-07E7-41D2-A920-60E2C8BD0E55}
2012-08-16 17:23 - 2012-08-16 17:23 - 00000000 ____D C:\Users\RMM\Local Settings\{7FEB4892-BC97-4F0C-A0C0-E61B2AFBAB3D}
2012-08-16 17:23 - 2012-08-16 17:23 - 00000000 ____D C:\Users\RMM\Local Settings\{657D4874-07E7-41D2-A920-60E2C8BD0E55}
2012-08-16 17:23 - 2012-08-16 17:23 - 00000000 ____D C:\Users\RMM\AppData\Local\{7FEB4892-BC97-4F0C-A0C0-E61B2AFBAB3D}
2012-08-16 17:23 - 2012-08-16 17:23 - 00000000 ____D C:\Users\RMM\AppData\Local\{657D4874-07E7-41D2-A920-60E2C8BD0E55}
2012-08-16 17:00 - 2012-08-16 17:00 - 00003792 ____A C:\{1B5ED7CC-C2F5-4D13-8AEA-C43738DBD970}
2012-08-16 16:54 - 2012-08-16 16:54 - 00003760 ____A C:\{AFC8B51A-8808-44EE-A490-57D79F83B654}
2012-08-16 16:43 - 2012-08-16 16:43 - 00003760 ____A C:\{B5E60680-26A6-414B-AC0B-EC147D941ECD}
2012-08-16 16:28 - 2012-08-16 16:28 - 00003792 ____A C:\{924A804A-642C-468C-95A8-057C39B3A191}
2012-08-16 16:26 - 2012-08-16 16:26 - 00003760 ____A C:\{C4877D03-D463-402E-9F66-E1B5EFEEC6AC}
2012-08-16 16:24 - 2012-08-16 16:24 - 00003760 ____A C:\{5E9C62BB-DC5F-44C3-9C31-AD2C4D005624}
2012-08-16 16:23 - 2012-08-16 16:23 - 00003752 ____A C:\{3E430B90-8895-43E4-A52A-6F167DFCE4E4}
2012-08-16 16:21 - 2012-08-16 16:21 - 00003760 ____A C:\{A5974494-044E-432C-A6D1-41279C05C090}
2012-08-16 16:19 - 2012-08-16 16:19 - 00003792 ____A C:\{E1616212-E3A9-488C-ACAC-BCD28FBFD2B6}
2012-08-16 16:17 - 2012-08-16 16:17 - 00003760 ____A C:\{08B1F027-9D8B-40FA-B55D-509484305936}
2012-08-16 15:12 - 2012-08-16 15:12 - 00000000 ____D C:\Users\RMM\Application Data\Malwarebytes
2012-08-16 15:12 - 2012-08-16 15:12 - 00000000 ____D C:\Users\RMM\AppData\Roaming\Malwarebytes
2012-08-16 15:12 - 2012-08-16 15:12 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-16 15:12 - 2012-08-16 15:12 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-08-16 15:12 - 2012-08-16 15:12 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-16 15:12 - 2012-07-03 14:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-16 15:10 - 2012-08-16 15:11 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\RMM\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-15 16:45 - 2012-08-15 19:00 - 00000476 ____A C:\Windows\Tasks\PC Utility Kit Registration3.job
2012-08-15 16:45 - 2012-08-15 16:45 - 00000000 ____D C:\Users\RMM\Application Data\PC Utility Kit
2012-08-15 16:45 - 2012-08-15 16:45 - 00000000 ____D C:\Users\RMM\Application Data\DriverCure
2012-08-15 16:45 - 2012-08-15 16:45 - 00000000 ____D C:\Users\RMM\AppData\Roaming\PC Utility Kit
2012-08-15 16:45 - 2012-08-15 16:45 - 00000000 ____D C:\Users\RMM\AppData\Roaming\DriverCure
2012-08-15 16:44 - 2012-08-16 17:20 - 00000442 ____A C:\Windows\Tasks\PC Utility Kit Update3.job
2012-08-15 16:44 - 2012-08-16 17:20 - 00000440 ____A C:\Windows\Tasks\PC Utility Kit.job
2012-08-15 16:44 - 2012-08-15 16:44 - 00001234 ____A C:\Users\RMM\Desktop\PC Utility Kit.lnk
2012-08-15 16:44 - 2012-08-15 16:44 - 00000000 ____D C:\Users\All Users\PC Utility Kit
2012-08-15 16:44 - 2012-08-15 16:44 - 00000000 ____D C:\Users\All Users\Application Data\PC Utility Kit
2012-08-15 16:44 - 2012-08-15 16:44 - 00000000 ____D C:\Program Files (x86)\PC Utility Kit
2012-08-15 16:36 - 2012-08-15 16:37 - 04765704 ____A (Red Dog Media, Inc.) C:\Users\RMM\Downloads\PC Utility Kit Installer.exe
2012-08-15 16:34 - 2012-08-15 16:34 - 00003760 ____A C:\{DB641AAF-55E2-42C9-A9ED-757B07662B39}
2012-08-15 16:06 - 2012-08-15 16:06 - 00002114 ____A C:\Users\RMM\Desktop\aswMBR.txt
2012-08-15 16:06 - 2012-08-15 16:06 - 00000512 ____A C:\Users\RMM\Desktop\MBR.dat
2012-08-15 16:02 - 2012-08-15 16:02 - 00000000 __SHD C:\Windows\ftpcache
2012-08-15 16:02 - 2012-08-15 16:02 - 00000000 ____D C:\Windows\Downloaded Installations
2012-08-15 15:47 - 2012-08-15 15:47 - 00003760 ____A C:\{1C072F82-80CD-485B-83D5-52CBA779E41A}
2012-08-15 15:45 - 2012-08-15 15:45 - 00003792 ____A C:\{FC5F50EA-8B5D-455A-893A-FFBF42C2EB25}
2012-08-15 15:38 - 2012-08-15 15:38 - 00003792 ____A C:\{7503E6A2-FC1E-4F37-98DB-F29268D1701A}
2012-08-15 15:37 - 2012-08-15 15:37 - 00003760 ____A C:\{92A78B61-AC8A-4D9B-A314-B5E6CE7F7DA1}
2012-08-15 15:31 - 2012-08-15 15:31 - 00003792 ____A C:\{AD996293-A8AB-481A-B42A-DA33FBD9C63F}
2012-08-15 15:30 - 2012-08-15 15:30 - 00003760 ____A C:\{DC8BE0B0-42F6-457C-85D7-C10A9E9D660F}
2012-08-15 15:16 - 2012-08-15 15:16 - 00000856 ____A C:\Users\RMM\Downloads\Downloads - Shortcut.lnk
2012-08-15 14:24 - 2012-08-15 14:26 - 04731392 ____A (AVAST Software) C:\Users\RMM\Downloads\aswMBR.exe
2012-08-15 14:22 - 2012-08-15 14:22 - 00003792 ____A C:\{5963860B-E195-4BBA-AB90-9B7E7C3671A7}
2012-08-15 13:42 - 2012-08-15 13:42 - 00003720 ____A C:\{4C3147A9-BC32-4899-8D6F-8A047FA0EED5}
2012-08-15 12:38 - 2012-08-15 12:38 - 00003760 ____A C:\{0CF61C86-FE61-4A64-9937-66E5919030E5}
2012-08-15 09:45 - 2012-08-15 09:45 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{A637E329-1310-49F7-8F38-4569D17FDB61}
2012-08-15 09:45 - 2012-08-15 09:45 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{9697EFFD-403C-4745-A91D-41600FE071B6}
2012-08-15 09:45 - 2012-08-15 09:45 - 00000000 ____D C:\Users\RMM\Local Settings\{A637E329-1310-49F7-8F38-4569D17FDB61}
2012-08-15 09:45 - 2012-08-15 09:45 - 00000000 ____D C:\Users\RMM\Local Settings\{9697EFFD-403C-4745-A91D-41600FE071B6}
2012-08-15 09:45 - 2012-08-15 09:45 - 00000000 ____D C:\Users\RMM\AppData\Local\{A637E329-1310-49F7-8F38-4569D17FDB61}
2012-08-15 09:45 - 2012-08-15 09:45 - 00000000 ____D C:\Users\RMM\AppData\Local\{9697EFFD-403C-4745-A91D-41600FE071B6}
2012-08-14 22:48 - 2012-08-14 22:48 - 00003792 ____A C:\{FB76A57B-1113-452C-B6B9-93F335A15D8F}
2012-08-14 22:28 - 2012-04-17 21:13 - 00043640 ___RA (Symantec Corporation) C:\Windows\System32\Drivers\SymIMV.sys
2012-08-14 22:23 - 2012-08-14 22:23 - 00003720 ____A C:\{B4109F30-66E0-49E2-B6D2-1CC0F13EA7C7}
2012-08-14 22:01 - 2012-08-14 22:01 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-14 21:49 - 2012-08-14 21:49 - 00023769 ____A C:\Users\RMM\Desktop\HP Installation Failure - MSI 1603.hta
2012-08-14 21:48 - 2012-08-14 21:48 - 00000057 ____A C:\Users\All Users\Application Data\Ament.ini
2012-08-14 21:48 - 2012-08-14 21:48 - 00000057 ____A C:\Users\All Users\Ament.ini
2012-08-14 21:41 - 2012-08-14 21:42 - 54097776 ____A C:\Users\RMM\Downloads\PSB210_231.exe
2012-08-14 21:24 - 2012-08-14 21:24 - 00003760 ____A C:\{BBD3734D-E889-43B0-A857-B4CC06C8EA78}
2012-08-14 21:18 - 2012-08-14 21:18 - 00003760 ____A C:\{50FA2A9F-E2A9-4322-91ED-E81D59F4FEC5}
2012-08-14 14:31 - 2012-08-14 14:31 - 04755448 ____A C:\Users\RMM\Downloads\HPPSdr(4).exe
2012-08-14 13:54 - 2012-08-14 13:54 - 04755448 ____A C:\Users\RMM\Downloads\HPPSdr(3).exe
2012-08-14 13:53 - 2012-08-14 13:53 - 04755448 ____A C:\Users\RMM\Downloads\HPPSdr(2).exe
2012-08-14 13:35 - 2012-08-14 13:35 - 00003760 ____A C:\{ED9F493B-59B8-417B-A4DA-C0D2B8B3199B}
2012-08-14 13:25 - 2012-08-14 13:25 - 04755448 ____A C:\Users\RMM\Downloads\HPPSdr.exe
2012-08-14 13:18 - 2012-08-14 13:18 - 00003792 ____A C:\{FFDB7126-BC32-4C79-B49C-9C3E16D3B044}
2012-08-14 12:13 - 2012-08-14 12:14 - 00003760 ____A C:\{321D1C4C-872E-4658-A7D8-43653EC0844F}
2012-08-14 12:05 - 2012-08-14 12:05 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{FA1CF1D2-FD66-483E-9FA2-E72BFED0CEF4}
2012-08-14 12:05 - 2012-08-14 12:05 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{A659029B-D9FD-42A8-BE71-C9081FA369DF}
2012-08-14 12:05 - 2012-08-14 12:05 - 00000000 ____D C:\Users\RMM\Local Settings\{FA1CF1D2-FD66-483E-9FA2-E72BFED0CEF4}
2012-08-14 12:05 - 2012-08-14 12:05 - 00000000 ____D C:\Users\RMM\Local Settings\{A659029B-D9FD-42A8-BE71-C9081FA369DF}
2012-08-14 12:05 - 2012-08-14 12:05 - 00000000 ____D C:\Users\RMM\AppData\Local\{FA1CF1D2-FD66-483E-9FA2-E72BFED0CEF4}
2012-08-14 12:05 - 2012-08-14 12:05 - 00000000 ____D C:\Users\RMM\AppData\Local\{A659029B-D9FD-42A8-BE71-C9081FA369DF}
2012-08-14 11:12 - 2012-08-16 17:17 - 00000000 ____D C:\Users\RMM\Local Settings\NPE
2012-08-14 11:12 - 2012-08-16 17:17 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\NPE
2012-08-14 11:12 - 2012-08-16 17:17 - 00000000 ____D C:\Users\RMM\AppData\Local\NPE
2012-08-14 11:12 - 2012-08-14 11:12 - 02841104 ____A (Symantec Corporation) C:\Users\RMM\Downloads\NPE.exe
2012-08-14 11:06 - 2012-08-16 19:11 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
2012-08-14 11:05 - 2012-08-14 11:05 - 01805736 ____A (Symantec Corporation) C:\Users\RMM\Downloads\FixZeroAccess.exe
2012-08-14 00:04 - 2012-08-14 00:04 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{05DB830E-2A99-4969-9EA2-7F34FB8D1B3D}
2012-08-14 00:04 - 2012-08-14 00:04 - 00000000 ____D C:\Users\RMM\Local Settings\{05DB830E-2A99-4969-9EA2-7F34FB8D1B3D}
2012-08-14 00:04 - 2012-08-14 00:04 - 00000000 ____D C:\Users\RMM\AppData\Local\{05DB830E-2A99-4969-9EA2-7F34FB8D1B3D}
2012-08-13 08:45 - 2012-08-14 00:04 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{B9F73F73-B830-472A-B73C-16EFB047B9C7}
2012-08-13 08:45 - 2012-08-14 00:04 - 00000000 ____D C:\Users\RMM\Local Settings\{B9F73F73-B830-472A-B73C-16EFB047B9C7}
2012-08-13 08:45 - 2012-08-14 00:04 - 00000000 ____D C:\Users\RMM\AppData\Local\{B9F73F73-B830-472A-B73C-16EFB047B9C7}
2012-08-13 08:45 - 2012-08-13 08:45 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{89A2C94F-4866-4CC8-934D-0F92B4B76518}
2012-08-13 08:45 - 2012-08-13 08:45 - 00000000 ____D C:\Users\RMM\Local Settings\{89A2C94F-4866-4CC8-934D-0F92B4B76518}
2012-08-13 08:45 - 2012-08-13 08:45 - 00000000 ____D C:\Users\RMM\AppData\Local\{89A2C94F-4866-4CC8-934D-0F92B4B76518}
2012-08-12 11:17 - 2012-08-12 11:17 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{F6F60CF3-E7B5-4460-BA5E-7C50E4880127}
2012-08-12 11:17 - 2012-08-12 11:17 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{99FFF4B5-2A37-4FEF-9202-3C2078AB6309}
2012-08-12 11:17 - 2012-08-12 11:17 - 00000000 ____D C:\Users\RMM\Local Settings\{F6F60CF3-E7B5-4460-BA5E-7C50E4880127}
2012-08-12 11:17 - 2012-08-12 11:17 - 00000000 ____D C:\Users\RMM\Local Settings\{99FFF4B5-2A37-4FEF-9202-3C2078AB6309}
2012-08-12 11:17 - 2012-08-12 11:17 - 00000000 ____D C:\Users\RMM\AppData\Local\{F6F60CF3-E7B5-4460-BA5E-7C50E4880127}
2012-08-12 11:17 - 2012-08-12 11:17 - 00000000 ____D C:\Users\RMM\AppData\Local\{99FFF4B5-2A37-4FEF-9202-3C2078AB6309}
2012-08-11 23:14 - 2012-08-11 23:14 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{F0328180-0ECD-4A21-A37C-FF946F2765EE}
2012-08-11 23:14 - 2012-08-11 23:14 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{09554217-218F-4D25-90E4-4F81B6C0DDD5}
2012-08-11 23:14 - 2012-08-11 23:14 - 00000000 ____D 
C:\Users\RMM\Local Settings\{F0328180-0ECD-4A21-A37C-FF946F2765EE} 2012-08-11 23:14 - 2012-08-11 23:14 - 00000000 ____D C:\Users\RMM\Local Settings\{09554217-218F-4D25-90E4-4F81B6C0DDD5} 2012-08-11 23:14 - 2012-08-11 23:14 - 00000000 ____D C:\Users\RMM\AppData\Local\{F0328180-0ECD-4A21-A37C-FF946F2765EE} 2012-08-11 23:14 - 2012-08-11 23:14 - 00000000 ____D C:\Users\RMM\AppData\Local\{09554217-218F-4D25-90E4-4F81B6C0DDD5} 2012-08-11 17:52 - 2012-08-11 17:52 - 00000000 ___HD C:\Windows\AxInstSV 2012-08-11 11:14 - 2012-08-11 11:14 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{837D1F1C-3597-41B3-A30C-07A708DAF902} 2012-08-11 11:14 - 2012-08-11 11:14 - 00000000 ____D C:\Users\RMM\Local Settings\{837D1F1C-3597-41B3-A30C-07A708DAF902} 2012-08-11 11:14 - 2012-08-11 11:14 - 00000000 ____D C:\Users\RMM\AppData\Local\{837D1F1C-3597-41B3-A30C-07A708DAF902} 2012-08-11 11:13 - 2012-08-11 11:14 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{F882A269-9FDD-4815-A2D6-E83B1E8D84C1} 2012-08-11 11:13 - 2012-08-11 11:14 - 00000000 ____D C:\Users\RMM\Local Settings\{F882A269-9FDD-4815-A2D6-E83B1E8D84C1} 2012-08-11 11:13 - 2012-08-11 11:14 - 00000000 ____D C:\Users\RMM\AppData\Local\{F882A269-9FDD-4815-A2D6-E83B1E8D84C1} 2012-08-10 23:13 - 2012-08-10 23:13 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{119B9C3A-093C-47A5-B24A-5DE1FAD9E1E4} 2012-08-10 23:13 - 2012-08-10 23:13 - 00000000 ____D C:\Users\RMM\Local Settings\{119B9C3A-093C-47A5-B24A-5DE1FAD9E1E4} 2012-08-10 23:13 - 2012-08-10 23:13 - 00000000 ____D C:\Users\RMM\AppData\Local\{119B9C3A-093C-47A5-B24A-5DE1FAD9E1E4} 2012-08-10 09:22 - 2012-08-10 23:13 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{AC115FEE-ED27-4B62-A56E-9F59D7DCDA12} 2012-08-10 09:22 - 2012-08-10 23:13 - 00000000 ____D C:\Users\RMM\Local Settings\{AC115FEE-ED27-4B62-A56E-9F59D7DCDA12} 2012-08-10 09:22 - 2012-08-10 23:13 - 00000000 ____D 
C:\Users\RMM\AppData\Local\{AC115FEE-ED27-4B62-A56E-9F59D7DCDA12} 2012-08-10 09:22 - 2012-08-10 09:23 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{E9C68CDF-6D2F-4D7F-A845-31C93F6BBEB1} 2012-08-10 09:22 - 2012-08-10 09:23 - 00000000 ____D C:\Users\RMM\Local Settings\{E9C68CDF-6D2F-4D7F-A845-31C93F6BBEB1} 2012-08-10 09:22 - 2012-08-10 09:23 - 00000000 ____D C:\Users\RMM\AppData\Local\{E9C68CDF-6D2F-4D7F-A845-31C93F6BBEB1} 2012-08-09 21:18 - 2012-08-09 21:18 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{3E5898FE-CC5A-4AB8-91CB-D510FC7394D1} 2012-08-09 21:18 - 2012-08-09 21:18 - 00000000 ____D C:\Users\RMM\Local Settings\{3E5898FE-CC5A-4AB8-91CB-D510FC7394D1} 2012-08-09 21:18 - 2012-08-09 21:18 - 00000000 ____D C:\Users\RMM\AppData\Local\{3E5898FE-CC5A-4AB8-91CB-D510FC7394D1} 2012-08-09 09:18 - 2012-08-09 21:18 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{D9885B25-37DF-49CD-83DF-FBCECD18C2FB} 2012-08-09 09:18 - 2012-08-09 21:18 - 00000000 ____D C:\Users\RMM\Local Settings\{D9885B25-37DF-49CD-83DF-FBCECD18C2FB} 2012-08-09 09:18 - 2012-08-09 21:18 - 00000000 ____D C:\Users\RMM\AppData\Local\{D9885B25-37DF-49CD-83DF-FBCECD18C2FB} 2012-08-09 09:18 - 2012-08-09 09:18 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{991CF80A-6D78-4746-9592-18C07DE0D60F} 2012-08-09 09:18 - 2012-08-09 09:18 - 00000000 ____D C:\Users\RMM\Local Settings\{991CF80A-6D78-4746-9592-18C07DE0D60F} 2012-08-09 09:18 - 2012-08-09 09:18 - 00000000 ____D C:\Users\RMM\AppData\Local\{991CF80A-6D78-4746-9592-18C07DE0D60F} 2012-08-08 12:27 - 2012-08-08 12:27 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{675CBA03-E7C3-41B3-9C13-0F40A5586FFF} 2012-08-08 12:27 - 2012-08-08 12:27 - 00000000 ____D C:\Users\RMM\Local Settings\{675CBA03-E7C3-41B3-9C13-0F40A5586FFF} 2012-08-08 12:27 - 2012-08-08 12:27 - 00000000 ____D C:\Users\RMM\AppData\Local\{675CBA03-E7C3-41B3-9C13-0F40A5586FFF} 2012-08-08 12:26 - 2012-08-08 12:27 - 00000000 ____D 
C:\Users\RMM\Local Settings\Application Data\{F60F0D4B-06AF-4DEF-8B75-8D53D5F92673} 2012-08-08 12:26 - 2012-08-08 12:27 - 00000000 ____D C:\Users\RMM\Local Settings\{F60F0D4B-06AF-4DEF-8B75-8D53D5F92673} 2012-08-08 12:26 - 2012-08-08 12:27 - 00000000 ____D C:\Users\RMM\AppData\Local\{F60F0D4B-06AF-4DEF-8B75-8D53D5F92673} 2012-08-08 00:26 - 2012-08-08 00:26 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{D67EA215-9F25-4610-9A89-FA536602AF56} 2012-08-08 00:26 - 2012-08-08 00:26 - 00000000 ____D C:\Users\RMM\Local Settings\{D67EA215-9F25-4610-9A89-FA536602AF56} 2012-08-08 00:26 - 2012-08-08 00:26 - 00000000 ____D C:\Users\RMM\AppData\Local\{D67EA215-9F25-4610-9A89-FA536602AF56} 2012-08-07 12:25 - 2012-08-08 00:26 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{76CB3C6B-97C6-4AF3-AA21-3965DBB2B1F3} 2012-08-07 12:25 - 2012-08-08 00:26 - 00000000 ____D C:\Users\RMM\Local Settings\{76CB3C6B-97C6-4AF3-AA21-3965DBB2B1F3} 2012-08-07 12:25 - 2012-08-08 00:26 - 00000000 ____D C:\Users\RMM\AppData\Local\{76CB3C6B-97C6-4AF3-AA21-3965DBB2B1F3} 2012-08-07 12:25 - 2012-08-07 12:26 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{2B39B171-CE07-41FD-BBE6-2BF2DBF389FD} 2012-08-07 12:25 - 2012-08-07 12:26 - 00000000 ____D C:\Users\RMM\Local Settings\{2B39B171-CE07-41FD-BBE6-2BF2DBF389FD} 2012-08-07 12:25 - 2012-08-07 12:26 - 00000000 ____D C:\Users\RMM\AppData\Local\{2B39B171-CE07-41FD-BBE6-2BF2DBF389FD} 2012-08-07 00:25 - 2012-08-07 00:25 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{593B54A5-82EA-44D3-BA96-2CC0017D55EF} 2012-08-07 00:25 - 2012-08-07 00:25 - 00000000 ____D C:\Users\RMM\Local Settings\{593B54A5-82EA-44D3-BA96-2CC0017D55EF} 2012-08-07 00:25 - 2012-08-07 00:25 - 00000000 ____D C:\Users\RMM\AppData\Local\{593B54A5-82EA-44D3-BA96-2CC0017D55EF} 2012-08-06 12:24 - 2012-08-07 00:25 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{91D3D61E-800A-495E-B315-62E7D04D5377} 2012-08-06 12:24 - 2012-08-07 00:25 
- 00000000 ____D C:\Users\RMM\Local Settings\{91D3D61E-800A-495E-B315-62E7D04D5377} 2012-08-06 12:24 - 2012-08-07 00:25 - 00000000 ____D C:\Users\RMM\AppData\Local\{91D3D61E-800A-495E-B315-62E7D04D5377} 2012-08-06 12:24 - 2012-08-06 12:24 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{5633E9FE-3E8D-4D58-BDA8-9DC77EF82D3E} 2012-08-06 12:24 - 2012-08-06 12:24 - 00000000 ____D C:\Users\RMM\Local Settings\{5633E9FE-3E8D-4D58-BDA8-9DC77EF82D3E} 2012-08-06 12:24 - 2012-08-06 12:24 - 00000000 ____D C:\Users\RMM\AppData\Local\{5633E9FE-3E8D-4D58-BDA8-9DC77EF82D3E} 2012-08-06 00:24 - 2012-08-06 00:24 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{FDB91CF9-3094-46E1-B264-FB81B1B93C0E} 2012-08-06 00:24 - 2012-08-06 00:24 - 00000000 ____D C:\Users\RMM\Local Settings\{FDB91CF9-3094-46E1-B264-FB81B1B93C0E} 2012-08-06 00:24 - 2012-08-06 00:24 - 00000000 ____D C:\Users\RMM\AppData\Local\{FDB91CF9-3094-46E1-B264-FB81B1B93C0E} 2012-08-06 00:23 - 2012-08-06 00:24 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{3F0D996E-6247-4B0F-B818-3999076A925D} 2012-08-06 00:23 - 2012-08-06 00:24 - 00000000 ____D C:\Users\RMM\Local Settings\{3F0D996E-6247-4B0F-B818-3999076A925D} 2012-08-06 00:23 - 2012-08-06 00:24 - 00000000 ____D C:\Users\RMM\AppData\Local\{3F0D996E-6247-4B0F-B818-3999076A925D} 2012-08-05 09:40 - 2012-08-05 09:40 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{1D300A15-51E3-4990-BE39-C0CE1BD5EBC7} 2012-08-05 09:40 - 2012-08-05 09:40 - 00000000 ____D C:\Users\RMM\Local Settings\{1D300A15-51E3-4990-BE39-C0CE1BD5EBC7} 2012-08-05 09:40 - 2012-08-05 09:40 - 00000000 ____D C:\Users\RMM\AppData\Local\{1D300A15-51E3-4990-BE39-C0CE1BD5EBC7} 2012-08-05 09:39 - 2012-08-05 09:40 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{8474DDF2-EAD0-459C-B40F-B8277E36432B} 2012-08-05 09:39 - 2012-08-05 09:40 - 00000000 ____D C:\Users\RMM\Local Settings\{8474DDF2-EAD0-459C-B40F-B8277E36432B} 2012-08-05 09:39 - 2012-08-05 09:40 
- 00000000 ____D C:\Users\RMM\AppData\Local\{8474DDF2-EAD0-459C-B40F-B8277E36432B} 2012-08-04 12:47 - 2012-08-04 12:48 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{463D5658-B30B-42B3-8E5D-2030832BC0E8} 2012-08-04 12:47 - 2012-08-04 12:48 - 00000000 ____D C:\Users\RMM\Local Settings\{463D5658-B30B-42B3-8E5D-2030832BC0E8} 2012-08-04 12:47 - 2012-08-04 12:48 - 00000000 ____D C:\Users\RMM\AppData\Local\{463D5658-B30B-42B3-8E5D-2030832BC0E8} 2012-08-04 12:47 - 2012-08-04 12:47 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{28F7CEF4-E731-479D-AF05-59F0ED2C2787} 2012-08-04 12:47 - 2012-08-04 12:47 - 00000000 ____D C:\Users\RMM\Local Settings\{28F7CEF4-E731-479D-AF05-59F0ED2C2787} 2012-08-04 12:47 - 2012-08-04 12:47 - 00000000 ____D C:\Users\RMM\AppData\Local\{28F7CEF4-E731-479D-AF05-59F0ED2C2787} 2012-08-04 00:47 - 2012-08-04 00:47 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{F8A91784-BA0E-48A2-B46E-0CC2988CC242} 2012-08-04 00:47 - 2012-08-04 00:47 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{DB4EA400-5C5B-4B32-B397-8DE70B21C33B} 2012-08-04 00:47 - 2012-08-04 00:47 - 00000000 ____D C:\Users\RMM\Local Settings\{F8A91784-BA0E-48A2-B46E-0CC2988CC242} 2012-08-04 00:47 - 2012-08-04 00:47 - 00000000 ____D C:\Users\RMM\Local Settings\{DB4EA400-5C5B-4B32-B397-8DE70B21C33B} 2012-08-04 00:47 - 2012-08-04 00:47 - 00000000 ____D C:\Users\RMM\AppData\Local\{F8A91784-BA0E-48A2-B46E-0CC2988CC242} 2012-08-04 00:47 - 2012-08-04 00:47 - 00000000 ____D C:\Users\RMM\AppData\Local\{DB4EA400-5C5B-4B32-B397-8DE70B21C33B} 2012-08-03 12:16 - 2012-08-03 12:16 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{6B057843-2ACA-4A9A-AE30-4DBC774971C2} 2012-08-03 12:16 - 2012-08-03 12:16 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{52D300EF-52F5-4D3B-859E-2C4631FDD93D} 2012-08-03 12:16 - 2012-08-03 12:16 - 00000000 ____D C:\Users\RMM\Local Settings\{6B057843-2ACA-4A9A-AE30-4DBC774971C2} 2012-08-03 12:16 - 
2012-08-03 12:16 - 00000000 ____D C:\Users\RMM\Local Settings\{52D300EF-52F5-4D3B-859E-2C4631FDD93D} 2012-08-03 12:16 - 2012-08-03 12:16 - 00000000 ____D C:\Users\RMM\AppData\Local\{6B057843-2ACA-4A9A-AE30-4DBC774971C2} 2012-08-03 12:16 - 2012-08-03 12:16 - 00000000 ____D C:\Users\RMM\AppData\Local\{52D300EF-52F5-4D3B-859E-2C4631FDD93D} 2012-08-03 00:15 - 2012-08-03 00:16 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{4DA5AD36-5D87-47B2-BBAC-E4000FCA7BFC} 2012-08-03 00:15 - 2012-08-03 00:16 - 00000000 ____D C:\Users\RMM\Local Settings\{4DA5AD36-5D87-47B2-BBAC-E4000FCA7BFC} 2012-08-03 00:15 - 2012-08-03 00:16 - 00000000 ____D C:\Users\RMM\AppData\Local\{4DA5AD36-5D87-47B2-BBAC-E4000FCA7BFC} 2012-08-02 08:46 - 2012-08-03 00:15 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{34FFEAFE-29B4-40E4-9A72-DFCAFFA9C2E3} 2012-08-02 08:46 - 2012-08-03 00:15 - 00000000 ____D C:\Users\RMM\Local Settings\{34FFEAFE-29B4-40E4-9A72-DFCAFFA9C2E3} 2012-08-02 08:46 - 2012-08-03 00:15 - 00000000 ____D C:\Users\RMM\AppData\Local\{34FFEAFE-29B4-40E4-9A72-DFCAFFA9C2E3} 2012-08-02 08:46 - 2012-08-02 08:46 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{0940972B-E206-43CC-AC82-2E09491CA6FA} 2012-08-02 08:46 - 2012-08-02 08:46 - 00000000 ____D C:\Users\RMM\Local Settings\{0940972B-E206-43CC-AC82-2E09491CA6FA} 2012-08-02 08:46 - 2012-08-02 08:46 - 00000000 ____D C:\Users\RMM\AppData\Local\{0940972B-E206-43CC-AC82-2E09491CA6FA} 2012-08-01 13:15 - 2012-08-01 13:15 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{96EC2E17-4384-46FE-ACE0-FC5842A59C14} 2012-08-01 13:15 - 2012-08-01 13:15 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{60117C8A-9AD0-4919-B211-476FC6083680} 2012-08-01 13:15 - 2012-08-01 13:15 - 00000000 ____D C:\Users\RMM\Local Settings\{96EC2E17-4384-46FE-ACE0-FC5842A59C14} 2012-08-01 13:15 - 2012-08-01 13:15 - 00000000 ____D C:\Users\RMM\Local Settings\{60117C8A-9AD0-4919-B211-476FC6083680} 2012-08-01 13:15 - 
2012-08-01 13:15 - 00000000 ____D C:\Users\RMM\AppData\Local\{96EC2E17-4384-46FE-ACE0-FC5842A59C14} 2012-08-01 13:15 - 2012-08-01 13:15 - 00000000 ____D C:\Users\RMM\AppData\Local\{60117C8A-9AD0-4919-B211-476FC6083680} 2012-08-01 00:01 - 2012-08-01 00:01 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{3F0F3C9E-6870-4426-B90A-0A1BA1346D86} 2012-08-01 00:01 - 2012-08-01 00:01 - 00000000 ____D C:\Users\RMM\Local Settings\{3F0F3C9E-6870-4426-B90A-0A1BA1346D86} 2012-08-01 00:01 - 2012-08-01 00:01 - 00000000 ____D C:\Users\RMM\AppData\Local\{3F0F3C9E-6870-4426-B90A-0A1BA1346D86} 2012-07-31 10:32 - 2012-08-01 00:01 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{B09D69B9-F64B-4E78-8659-C1535B5327E0} 2012-07-31 10:32 - 2012-08-01 00:01 - 00000000 ____D C:\Users\RMM\Local Settings\{B09D69B9-F64B-4E78-8659-C1535B5327E0} 2012-07-31 10:32 - 2012-08-01 00:01 - 00000000 ____D C:\Users\RMM\AppData\Local\{B09D69B9-F64B-4E78-8659-C1535B5327E0} 2012-07-31 10:32 - 2012-07-31 10:32 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{79207371-F4B0-42D6-90A6-6792E2B2D1F1} 2012-07-31 10:32 - 2012-07-31 10:32 - 00000000 ____D C:\Users\RMM\Local Settings\{79207371-F4B0-42D6-90A6-6792E2B2D1F1} 2012-07-31 10:32 - 2012-07-31 10:32 - 00000000 ____D C:\Users\RMM\AppData\Local\{79207371-F4B0-42D6-90A6-6792E2B2D1F1} 2012-07-30 22:31 - 2012-07-30 22:32 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{13967209-734A-46EE-8378-F75FC02BFEFB} 2012-07-30 22:31 - 2012-07-30 22:32 - 00000000 ____D C:\Users\RMM\Local Settings\{13967209-734A-46EE-8378-F75FC02BFEFB} 2012-07-30 22:31 - 2012-07-30 22:32 - 00000000 ____D C:\Users\RMM\AppData\Local\{13967209-734A-46EE-8378-F75FC02BFEFB} 2012-07-30 10:31 - 2012-07-30 22:31 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{A9B999A4-00BA-4D85-B94B-D4A4ADC08EF8} 2012-07-30 10:31 - 2012-07-30 22:31 - 00000000 ____D C:\Users\RMM\Local Settings\{A9B999A4-00BA-4D85-B94B-D4A4ADC08EF8} 2012-07-30 10:31 - 
2012-07-30 22:31 - 00000000 ____D C:\Users\RMM\AppData\Local\{A9B999A4-00BA-4D85-B94B-D4A4ADC08EF8} 2012-07-30 10:31 - 2012-07-30 10:31 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{7D5DD3AC-B5EE-4962-86EA-D98BB26D8C2C} 2012-07-30 10:31 - 2012-07-30 10:31 - 00000000 ____D C:\Users\RMM\Local Settings\{7D5DD3AC-B5EE-4962-86EA-D98BB26D8C2C} 2012-07-30 10:31 - 2012-07-30 10:31 - 00000000 ____D C:\Users\RMM\AppData\Local\{7D5DD3AC-B5EE-4962-86EA-D98BB26D8C2C} 2012-07-29 22:30 - 2012-07-29 22:31 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{ED4CD015-95E9-4D1E-A1A9-15375DD5EFEB} 2012-07-29 22:30 - 2012-07-29 22:31 - 00000000 ____D C:\Users\RMM\Local Settings\{ED4CD015-95E9-4D1E-A1A9-15375DD5EFEB} 2012-07-29 22:30 - 2012-07-29 22:31 - 00000000 ____D C:\Users\RMM\AppData\Local\{ED4CD015-95E9-4D1E-A1A9-15375DD5EFEB} 2012-07-29 10:30 - 2012-07-29 22:30 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{0624BC34-907A-4F4B-9306-AE9A37580D04} 2012-07-29 10:30 - 2012-07-29 22:30 - 00000000 ____D C:\Users\RMM\Local Settings\{0624BC34-907A-4F4B-9306-AE9A37580D04} 2012-07-29 10:30 - 2012-07-29 22:30 - 00000000 ____D C:\Users\RMM\AppData\Local\{0624BC34-907A-4F4B-9306-AE9A37580D04} 2012-07-29 10:30 - 2012-07-29 10:30 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{39D7EA90-31E8-43F4-BB89-04EB06D8A4E3} 2012-07-29 10:30 - 2012-07-29 10:30 - 00000000 ____D C:\Users\RMM\Local Settings\{39D7EA90-31E8-43F4-BB89-04EB06D8A4E3} 2012-07-29 10:30 - 2012-07-29 10:30 - 00000000 ____D C:\Users\RMM\AppData\Local\{39D7EA90-31E8-43F4-BB89-04EB06D8A4E3} 2012-07-28 22:29 - 2012-07-28 22:30 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{6C4A065D-3118-420D-A326-6D4D1BAAD61F} 2012-07-28 22:29 - 2012-07-28 22:30 - 00000000 ____D C:\Users\RMM\Local Settings\{6C4A065D-3118-420D-A326-6D4D1BAAD61F} 2012-07-28 22:29 - 2012-07-28 22:30 - 00000000 ____D C:\Users\RMM\AppData\Local\{6C4A065D-3118-420D-A326-6D4D1BAAD61F} 2012-07-28 22:29 - 
2012-07-28 22:29 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{3CC97B82-DAEF-4309-A3AF-A9EB65D84CA1} 2012-07-28 22:29 - 2012-07-28 22:29 - 00000000 ____D C:\Users\RMM\Local Settings\{3CC97B82-DAEF-4309-A3AF-A9EB65D84CA1} 2012-07-28 22:29 - 2012-07-28 22:29 - 00000000 ____D C:\Users\RMM\AppData\Local\{3CC97B82-DAEF-4309-A3AF-A9EB65D84CA1} 2012-07-28 10:29 - 2012-07-28 10:29 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{EBE28A12-BD75-447B-B9ED-220B04132C69} 2012-07-28 10:29 - 2012-07-28 10:29 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{51DDDA2E-2F45-467B-AA5E-9C06AF4E78B8} 2012-07-28 10:29 - 2012-07-28 10:29 - 00000000 ____D C:\Users\RMM\Local Settings\{EBE28A12-BD75-447B-B9ED-220B04132C69} 2012-07-28 10:29 - 2012-07-28 10:29 - 00000000 ____D C:\Users\RMM\Local Settings\{51DDDA2E-2F45-467B-AA5E-9C06AF4E78B8} 2012-07-28 10:29 - 2012-07-28 10:29 - 00000000 ____D C:\Users\RMM\AppData\Local\{EBE28A12-BD75-447B-B9ED-220B04132C69} 2012-07-28 10:29 - 2012-07-28 10:29 - 00000000 ____D C:\Users\RMM\AppData\Local\{51DDDA2E-2F45-467B-AA5E-9C06AF4E78B8} 2012-07-27 12:51 - 2012-07-27 12:51 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{4E0A70B0-5A67-418D-83BA-C1DE9DCAA350} 2012-07-27 12:51 - 2012-07-27 12:51 - 00000000 ____D C:\Users\RMM\Local Settings\{4E0A70B0-5A67-418D-83BA-C1DE9DCAA350} 2012-07-27 12:51 - 2012-07-27 12:51 - 00000000 ____D C:\Users\RMM\AppData\Local\{4E0A70B0-5A67-418D-83BA-C1DE9DCAA350} 2012-07-27 12:50 - 2012-07-27 12:51 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{4751DAAB-8D45-4430-A540-0FF564C9799E} 2012-07-27 12:50 - 2012-07-27 12:51 - 00000000 ____D C:\Users\RMM\Local Settings\{4751DAAB-8D45-4430-A540-0FF564C9799E} 2012-07-27 12:50 - 2012-07-27 12:51 - 00000000 ____D C:\Users\RMM\AppData\Local\{4751DAAB-8D45-4430-A540-0FF564C9799E} 2012-07-27 00:50 - 2012-07-27 00:50 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{591F3CE8-744D-43AC-8040-1E1887FDA0C5} 
2012-07-27 00:50 - 2012-07-27 00:50 - 00000000 ____D C:\Users\RMM\Local Settings\{591F3CE8-744D-43AC-8040-1E1887FDA0C5} 2012-07-27 00:50 - 2012-07-27 00:50 - 00000000 ____D C:\Users\RMM\AppData\Local\{591F3CE8-744D-43AC-8040-1E1887FDA0C5} 2012-07-26 11:06 - 2012-07-27 00:50 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{BE44E587-A7D0-4EE8-A3DD-18F05C6CAA05} 2012-07-26 11:06 - 2012-07-27 00:50 - 00000000 ____D C:\Users\RMM\Local Settings\{BE44E587-A7D0-4EE8-A3DD-18F05C6CAA05} 2012-07-26 11:06 - 2012-07-27 00:50 - 00000000 ____D C:\Users\RMM\AppData\Local\{BE44E587-A7D0-4EE8-A3DD-18F05C6CAA05} 2012-07-26 11:06 - 2012-07-26 11:06 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{1ED25BEE-AFF3-4E48-979D-C3F71CD01F48} 2012-07-26 11:06 - 2012-07-26 11:06 - 00000000 ____D C:\Users\RMM\Local Settings\{1ED25BEE-AFF3-4E48-979D-C3F71CD01F48} 2012-07-26 11:06 - 2012-07-26 11:06 - 00000000 ____D C:\Users\RMM\AppData\Local\{1ED25BEE-AFF3-4E48-979D-C3F71CD01F48} 2012-07-25 23:05 - 2012-07-25 23:06 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{5D92EC0E-D32E-4FD5-B387-4455B75B147A} 2012-07-25 23:05 - 2012-07-25 23:06 - 00000000 ____D C:\Users\RMM\Local Settings\{5D92EC0E-D32E-4FD5-B387-4455B75B147A} 2012-07-25 23:05 - 2012-07-25 23:06 - 00000000 ____D C:\Users\RMM\AppData\Local\{5D92EC0E-D32E-4FD5-B387-4455B75B147A} 2012-07-25 11:05 - 2012-07-25 23:05 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{25947CF4-129E-4F04-8B7B-F5C6C1F1D290} 2012-07-25 11:05 - 2012-07-25 23:05 - 00000000 ____D C:\Users\RMM\Local Settings\{25947CF4-129E-4F04-8B7B-F5C6C1F1D290} 2012-07-25 11:05 - 2012-07-25 23:05 - 00000000 ____D C:\Users\RMM\AppData\Local\{25947CF4-129E-4F04-8B7B-F5C6C1F1D290} 2012-07-25 11:05 - 2012-07-25 11:05 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{5F3E208D-29BA-494D-9D4E-A4CDF749AC63} 2012-07-25 11:05 - 2012-07-25 11:05 - 00000000 ____D C:\Users\RMM\Local Settings\{5F3E208D-29BA-494D-9D4E-A4CDF749AC63} 
2012-07-25 11:05 - 2012-07-25 11:05 - 00000000 ____D C:\Users\RMM\AppData\Local\{5F3E208D-29BA-494D-9D4E-A4CDF749AC63} 2012-07-24 23:04 - 2012-07-24 23:05 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{2A306726-00D0-455E-9D20-0F7384B484BB} 2012-07-24 23:04 - 2012-07-24 23:05 - 00000000 ____D C:\Users\RMM\Local Settings\{2A306726-00D0-455E-9D20-0F7384B484BB} 2012-07-24 23:04 - 2012-07-24 23:05 - 00000000 ____D C:\Users\RMM\AppData\Local\{2A306726-00D0-455E-9D20-0F7384B484BB} 2012-07-24 11:04 - 2012-07-24 23:04 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{D05B55E7-7005-47F3-9105-570DAD623928} 2012-07-24 11:04 - 2012-07-24 23:04 - 00000000 ____D C:\Users\RMM\Local Settings\{D05B55E7-7005-47F3-9105-570DAD623928} 2012-07-24 11:04 - 2012-07-24 23:04 - 00000000 ____D C:\Users\RMM\AppData\Local\{D05B55E7-7005-47F3-9105-570DAD623928} 2012-07-24 11:04 - 2012-07-24 11:04 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{AE4DEE3D-2C59-4223-B77C-E57733C55994} 2012-07-24 11:04 - 2012-07-24 11:04 - 00000000 ____D C:\Users\RMM\Local Settings\{AE4DEE3D-2C59-4223-B77C-E57733C55994} 2012-07-24 11:04 - 2012-07-24 11:04 - 00000000 ____D C:\Users\RMM\AppData\Local\{AE4DEE3D-2C59-4223-B77C-E57733C55994} 2012-07-23 23:03 - 2012-07-23 23:03 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{C80711FD-DE96-4198-A832-25BBA3E7E453} 2012-07-23 23:03 - 2012-07-23 23:03 - 00000000 ____D C:\Users\RMM\Local Settings\{C80711FD-DE96-4198-A832-25BBA3E7E453} 2012-07-23 23:03 - 2012-07-23 23:03 - 00000000 ____D C:\Users\RMM\AppData\Local\{C80711FD-DE96-4198-A832-25BBA3E7E453} 2012-07-23 11:03 - 2012-07-23 23:03 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{85C1CAEF-D585-4298-AFEA-069813DCACC3} 2012-07-23 11:03 - 2012-07-23 23:03 - 00000000 ____D C:\Users\RMM\Local Settings\{85C1CAEF-D585-4298-AFEA-069813DCACC3} 2012-07-23 11:03 - 2012-07-23 23:03 - 00000000 ____D C:\Users\RMM\AppData\Local\{85C1CAEF-D585-4298-AFEA-069813DCACC3} 
2012-07-23 11:03 - 2012-07-23 11:03 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{90DDC845-624E-46D5-BDAD-177F007D6CB0} 2012-07-23 11:03 - 2012-07-23 11:03 - 00000000 ____D C:\Users\RMM\Local Settings\{90DDC845-624E-46D5-BDAD-177F007D6CB0} 2012-07-23 11:03 - 2012-07-23 11:03 - 00000000 ____D C:\Users\RMM\AppData\Local\{90DDC845-624E-46D5-BDAD-177F007D6CB0} 2012-07-22 23:02 - 2012-07-22 23:02 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{AD726F8B-2977-400D-AFA0-7F836174ADE3} 2012-07-22 23:02 - 2012-07-22 23:02 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{4D60AC6A-E8BF-43CE-B354-0E0063DB2E4B} 2012-07-22 23:02 - 2012-07-22 23:02 - 00000000 ____D C:\Users\RMM\Local Settings\{AD726F8B-2977-400D-AFA0-7F836174ADE3} 2012-07-22 23:02 - 2012-07-22 23:02 - 00000000 ____D C:\Users\RMM\Local Settings\{4D60AC6A-E8BF-43CE-B354-0E0063DB2E4B} 2012-07-22 23:02 - 2012-07-22 23:02 - 00000000 ____D C:\Users\RMM\AppData\Local\{AD726F8B-2977-400D-AFA0-7F836174ADE3} 2012-07-22 23:02 - 2012-07-22 23:02 - 00000000 ____D C:\Users\RMM\AppData\Local\{4D60AC6A-E8BF-43CE-B354-0E0063DB2E4B} 2012-07-22 00:41 - 2012-07-22 00:41 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{D0650365-2E00-44B3-AD69-30377163F88E} 2012-07-22 00:41 - 2012-07-22 00:41 - 00000000 ____D C:\Users\RMM\Local Settings\{D0650365-2E00-44B3-AD69-30377163F88E} 2012-07-22 00:41 - 2012-07-22 00:41 - 00000000 ____D C:\Users\RMM\AppData\Local\{D0650365-2E00-44B3-AD69-30377163F88E} 2012-07-21 12:28 - 2012-07-21 12:28 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{9E895D5D-E94D-4142-A96E-81BEC88D8855} 2012-07-21 12:28 - 2012-07-21 12:28 - 00000000 ____D C:\Users\RMM\Local Settings\{9E895D5D-E94D-4142-A96E-81BEC88D8855} 2012-07-21 12:28 - 2012-07-21 12:28 - 00000000 ____D C:\Users\RMM\AppData\Local\{9E895D5D-E94D-4142-A96E-81BEC88D8855} 2012-07-21 12:27 - 2012-07-22 00:41 - 00000000 ____D C:\Users\RMM\Local Settings\Application 
Data\{E91597F3-A23C-4C69-BE16-D90E8E18F004} 2012-07-21 12:27 - 2012-07-22 00:41 - 00000000 ____D C:\Users\RMM\Local Settings\{E91597F3-A23C-4C69-BE16-D90E8E18F004} 2012-07-21 12:27 - 2012-07-22 00:41 - 00000000 ____D C:\Users\RMM\AppData\Local\{E91597F3-A23C-4C69-BE16-D90E8E18F004} 2012-07-21 00:27 - 2012-07-21 00:27 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{D7FBD547-B5C2-43D3-A7B2-150F850E7613} 2012-07-21 00:27 - 2012-07-21 00:27 - 00000000 ____D C:\Users\RMM\Local Settings\{D7FBD547-B5C2-43D3-A7B2-150F850E7613} 2012-07-21 00:27 - 2012-07-21 00:27 - 00000000 ____D C:\Users\RMM\AppData\Local\{D7FBD547-B5C2-43D3-A7B2-150F850E7613} 2012-07-20 11:42 - 2012-07-20 11:42 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{1A8A2434-B52F-4DB0-8A4B-C33792EA35B8} 2012-07-20 11:42 - 2012-07-20 11:42 - 00000000 ____D C:\Users\RMM\Local Settings\{1A8A2434-B52F-4DB0-8A4B-C33792EA35B8} 2012-07-20 11:42 - 2012-07-20 11:42 - 00000000 ____D C:\Users\RMM\AppData\Local\{1A8A2434-B52F-4DB0-8A4B-C33792EA35B8} 2012-07-20 11:41 - 2012-07-21 00:27 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{30D51098-FAEF-41A3-895A-0921E9930B45} 2012-07-20 11:41 - 2012-07-21 00:27 - 00000000 ____D C:\Users\RMM\Local Settings\{30D51098-FAEF-41A3-895A-0921E9930B45} 2012-07-20 11:41 - 2012-07-21 00:27 - 00000000 ____D C:\Users\RMM\AppData\Local\{30D51098-FAEF-41A3-895A-0921E9930B45} 2012-07-19 23:41 - 2012-07-19 23:41 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{2567E23A-9109-460A-91A1-C21D453DB40E} 2012-07-19 23:41 - 2012-07-19 23:41 - 00000000 ____D C:\Users\RMM\Local Settings\{2567E23A-9109-460A-91A1-C21D453DB40E} 2012-07-19 23:41 - 2012-07-19 23:41 - 00000000 ____D C:\Users\RMM\AppData\Local\{2567E23A-9109-460A-91A1-C21D453DB40E} 2012-07-19 15:52 - 2012-07-19 15:52 - 20275048 ____A (Microsoft Corporation) C:\Users\RMM\Downloads\BOIE9_ENUS_BO0085_WIN7.EXE 2012-07-19 11:40 - 2012-07-19 23:41 - 00000000 ____D C:\Users\RMM\Local 
Settings\Application Data\{C80B05FD-6D1C-46BC-88E0-993C381DBE66} 2012-07-19 11:40 - 2012-07-19 23:41 - 00000000 ____D C:\Users\RMM\Local Settings\{C80B05FD-6D1C-46BC-88E0-993C381DBE66} 2012-07-19 11:40 - 2012-07-19 23:41 - 00000000 ____D C:\Users\RMM\AppData\Local\{C80B05FD-6D1C-46BC-88E0-993C381DBE66} 2012-07-19 11:40 - 2012-07-19 11:41 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{F1C5AD37-A60D-457E-9A80-8311F8600FA3} 2012-07-19 11:40 - 2012-07-19 11:41 - 00000000 ____D C:\Users\RMM\Local Settings\{F1C5AD37-A60D-457E-9A80-8311F8600FA3} 2012-07-19 11:40 - 2012-07-19 11:41 - 00000000 ____D C:\Users\RMM\AppData\Local\{F1C5AD37-A60D-457E-9A80-8311F8600FA3} 2012-07-18 22:48 - 2012-07-18 22:48 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{E47E6D1D-AA7C-4B94-A734-4F4B901F5DA5} 2012-07-18 22:48 - 2012-07-18 22:48 - 00000000 ____D C:\Users\RMM\Local Settings\{E47E6D1D-AA7C-4B94-A734-4F4B901F5DA5} 2012-07-18 22:48 - 2012-07-18 22:48 - 00000000 ____D C:\Users\RMM\AppData\Local\{E47E6D1D-AA7C-4B94-A734-4F4B901F5DA5} 2012-07-18 10:47 - 2012-07-18 22:48 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{777675C5-D0CC-4E85-83B8-ECC74E85B907} 2012-07-18 10:47 - 2012-07-18 22:48 - 00000000 ____D C:\Users\RMM\Local Settings\{777675C5-D0CC-4E85-83B8-ECC74E85B907} 2012-07-18 10:47 - 2012-07-18 22:48 - 00000000 ____D C:\Users\RMM\AppData\Local\{777675C5-D0CC-4E85-83B8-ECC74E85B907} 2012-07-18 10:47 - 2012-07-18 10:47 - 00000000 ____D C:\Users\RMM\Local Settings\Application Data\{B0B58347-A620-4A51-82DA-70C8A9122907} 2012-07-18 10:47 - 2012-07-18 10:47 - 00000000 ____D C:\Users\RMM\Local Settings\{B0B58347-A620-4A51-82DA-70C8A9122907} 2012-07-18 10:47 - 2012-07-18 10:47 - 00000000 ____D C:\Users\RMM\AppData\Local\{B0B58347-A620-4A51-82DA-70C8A9122907} ============ 3 Months Modified Files ======================== 2012-08-17 01:56 - 2009-07-13 23:51 - 00253218 ____A C:\Windows\setupact.log 2012-08-17 01:53 - 2010-01-26 05:29 - 00000073 ____A 
C:\Windows\SysWOW64\ToasterLauncherLog.log 2012-08-17 01:52 - 2010-02-27 23:06 - 00058288 ____A (Absolute Software Corp.) C:\Windows\SysWOW64\rpcnet.dll 2012-08-17 01:52 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2012-08-17 01:42 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2012-08-17 01:42 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2012-08-17 01:38 - 2009-07-14 00:13 - 00803420 ____A C:\Windows\System32\PerfStringBackup.INI 2012-08-17 01:18 - 2012-05-08 09:11 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job 2012-08-17 00:07 - 2012-08-17 00:07 - 00003720 ____A C:\{08A08690-5029-4DD2-93BD-219B6FE370E8} 2012-08-17 00:07 - 2012-08-17 00:07 - 00000061 ____A C:\Users\RMM\Application Data\mbam.context.scan 2012-08-17 00:07 - 2012-08-17 00:07 - 00000061 ____A C:\Users\RMM\AppData\Roaming\mbam.context.scan 2012-08-17 00:02 - 2010-01-26 06:44 - 00499516 ____A C:\Windows\PFRO.log 2012-08-16 23:05 - 2012-08-16 23:04 - 00001207 ____A C:\Users\RMM\Desktop\Elev Cmd Pmpt.lnk 2012-08-16 22:12 - 2012-08-16 22:12 - 00003792 ____A C:\{97BD8F1A-6284-481E-BBF0-E3A50C4673B4} 2012-08-16 19:16 - 2012-08-16 19:16 - 00003720 ____A C:\{8FF1BC36-C401-45AF-8BBC-2F3C0617FA76} 2012-08-16 19:11 - 2012-08-14 11:06 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys 2012-08-16 18:28 - 2012-08-16 18:28 - 00003760 ____A C:\{9B7B57C2-6A07-42EF-B7C3-DD56177B78E2} 2012-08-16 17:24 - 2012-08-16 17:24 - 00003760 ____A C:\{38CAEDBB-D3B6-4F27-AA3F-739BAE03DD39} 2012-08-16 17:20 - 2012-08-15 16:44 - 00000442 ____A C:\Windows\Tasks\PC Utility Kit Update3.job 2012-08-16 17:20 - 2012-08-15 16:44 - 00000440 ____A C:\Windows\Tasks\PC Utility Kit.job 2012-08-16 17:00 - 2012-08-16 17:00 - 00003792 ____A C:\{1B5ED7CC-C2F5-4D13-8AEA-C43738DBD970} 2012-08-16 16:54 - 
2012-08-16 16:54 - 00003760 ____A C:\{AFC8B51A-8808-44EE-A490-57D79F83B654} 2012-08-16 16:43 - 2012-08-16 16:43 - 00003760 ____A C:\{B5E60680-26A6-414B-AC0B-EC147D941ECD} 2012-08-16 16:28 - 2012-08-16 16:28 - 00003792 ____A C:\{924A804A-642C-468C-95A8-057C39B3A191} 2012-08-16 16:26 - 2012-08-16 16:26 - 00003760 ____A C:\{C4877D03-D463-402E-9F66-E1B5EFEEC6AC} 2012-08-16 16:24 - 2012-08-16 16:24 - 00003760 ____A C:\{5E9C62BB-DC5F-44C3-9C31-AD2C4D005624} 2012-08-16 16:23 - 2012-08-16 16:23 - 00003752 ____A C:\{3E430B90-8895-43E4-A52A-6F167DFCE4E4} 2012-08-16 16:21 - 2012-08-16 16:21 - 00003760 ____A C:\{A5974494-044E-432C-A6D1-41279C05C090} 2012-08-16 16:19 - 2012-08-16 16:19 - 00003792 ____A C:\{E1616212-E3A9-488C-ACAC-BCD28FBFD2B6} 2012-08-16 16:17 - 2012-08-16 16:17 - 00003760 ____A C:\{08B1F027-9D8B-40FA-B55D-509484305936} 2012-08-16 15:11 - 2012-08-16 15:10 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\RMM\Downloads\mbam-setup-1.62.0.1300.exe 2012-08-15 19:00 - 2012-08-15 16:45 - 00000476 ____A C:\Windows\Tasks\PC Utility Kit Registration3.job 2012-08-15 16:44 - 2012-08-15 16:44 - 00001234 ____A C:\Users\RMM\Desktop\PC Utility Kit.lnk 2012-08-15 16:37 - 2012-08-15 16:36 - 04765704 ____A (Red Dog Media, Inc.) 
C:\Users\RMM\Downloads\PC Utility Kit Installer.exe 2012-08-15 16:34 - 2012-08-15 16:34 - 00003760 ____A C:\{DB641AAF-55E2-42C9-A9ED-757B07662B39} 2012-08-15 16:06 - 2012-08-15 16:06 - 00002114 ____A C:\Users\RMM\Desktop\aswMBR.txt 2012-08-15 16:06 - 2012-08-15 16:06 - 00000512 ____A C:\Users\RMM\Desktop\MBR.dat 2012-08-15 15:47 - 2012-08-15 15:47 - 00003760 ____A C:\{1C072F82-80CD-485B-83D5-52CBA779E41A} 2012-08-15 15:45 - 2012-08-15 15:45 - 00003792 ____A C:\{FC5F50EA-8B5D-455A-893A-FFBF42C2EB25} 2012-08-15 15:38 - 2012-08-15 15:38 - 00003792 ____A C:\{7503E6A2-FC1E-4F37-98DB-F29268D1701A} 2012-08-15 15:37 - 2012-08-15 15:37 - 00003760 ____A C:\{92A78B61-AC8A-4D9B-A314-B5E6CE7F7DA1} 2012-08-15 15:31 - 2012-08-15 15:31 - 00003792 ____A C:\{AD996293-A8AB-481A-B42A-DA33FBD9C63F} 2012-08-15 15:30 - 2012-08-15 15:30 - 00003760 ____A C:\{DC8BE0B0-42F6-457C-85D7-C10A9E9D660F} 2012-08-15 15:16 - 2012-08-15 15:16 - 00000856 ____A C:\Users\RMM\Downloads\Downloads - Shortcut.lnk 2012-08-15 14:37 - 2009-07-14 00:10 - 01932677 ____A C:\Windows\WindowsUpdate.log 2012-08-15 14:26 - 2012-08-15 14:24 - 04731392 ____A (AVAST Software) C:\Users\RMM\Downloads\aswMBR.exe 2012-08-15 14:22 - 2012-08-15 14:22 - 00003792 ____A C:\{5963860B-E195-4BBA-AB90-9B7E7C3671A7} 2012-08-15 13:42 - 2012-08-15 13:42 - 00003720 ____A C:\{4C3147A9-BC32-4899-8D6F-8A047FA0EED5} 2012-08-15 12:38 - 2012-08-15 12:38 - 00003760 ____A C:\{0CF61C86-FE61-4A64-9937-66E5919030E5} 2012-08-15 12:18 - 2012-05-08 09:11 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe 2012-08-15 12:18 - 2011-06-01 20:48 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl 2012-08-14 22:48 - 2012-08-14 22:48 - 00003792 ____A C:\{FB76A57B-1113-452C-B6B9-93F335A15D8F} 2012-08-14 22:23 - 2012-08-14 22:23 - 00003720 ____A C:\{B4109F30-66E0-49E2-B6D2-1CC0F13EA7C7} 2012-08-14 21:49 - 2012-08-14 21:49 - 00023769 ____A C:\Users\RMM\Desktop\HP Installation Failure - MSI 
1603.hta 2012-08-14 21:48 - 2012-08-14 21:48 - 00000057 ____A C:\Users\All Users\Application Data\Ament.ini 2012-08-14 21:48 - 2012-08-14 21:48 - 00000057 ____A C:\Users\All Users\Ament.ini 2012-08-14 21:42 - 2012-08-14 21:41 - 54097776 ____A C:\Users\RMM\Downloads\PSB210_231.exe 2012-08-14 21:24 - 2012-08-14 21:24 - 00003760 ____A C:\{BBD3734D-E889-43B0-A857-B4CC06C8EA78} 2012-08-14 21:18 - 2012-08-14 21:18 - 00003760 ____A C:\{50FA2A9F-E2A9-4322-91ED-E81D59F4FEC5} 2012-08-14 21:14 - 2010-02-09 03:05 - 00002503 ____A C:\Users\Public\Desktop\Norton Internet Security.lnk 2012-08-14 21:14 - 2010-02-09 03:05 - 00002503 ____A C:\Users\All Users\Desktop\Norton Internet Security.lnk 2012-08-14 14:31 - 2012-08-14 14:31 - 04755448 ____A C:\Users\RMM\Downloads\HPPSdr(4).exe 2012-08-14 13:54 - 2012-08-14 13:54 - 04755448 ____A C:\Users\RMM\Downloads\HPPSdr(3).exe 2012-08-14 13:53 - 2012-08-14 13:53 - 04755448 ____A C:\Users\RMM\Downloads\HPPSdr(2).exe 2012-08-14 13:35 - 2012-08-14 13:35 - 00003760 ____A C:\{ED9F493B-59B8-417B-A4DA-C0D2B8B3199B} 2012-08-14 13:25 - 2012-08-14 13:25 - 04755448 ____A C:\Users\RMM\Downloads\HPPSdr.exe 2012-08-14 13:18 - 2012-08-14 13:18 - 00003792 ____A C:\{FFDB7126-BC32-4C79-B49C-9C3E16D3B044} 2012-08-14 12:14 - 2012-08-14 12:13 - 00003760 ____A C:\{321D1C4C-872E-4658-A7D8-43653EC0844F} 2012-08-14 11:12 - 2012-08-14 11:12 - 02841104 ____A (Symantec Corporation) C:\Users\RMM\Downloads\NPE.exe 2012-08-14 11:05 - 2012-08-14 11:05 - 01805736 ____A (Symantec Corporation) C:\Users\RMM\Downloads\FixZeroAccess.exe 2012-07-19 15:52 - 2012-07-19 15:52 - 20275048 ____A (Microsoft Corporation) C:\Users\RMM\Downloads\BOIE9_ENUS_BO0085_WIN7.EXE 2012-07-16 17:16 - 2012-07-16 17:15 - 00002016 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk 2012-07-16 17:16 - 2012-07-16 17:15 - 00002016 ____A C:\Users\All Users\Desktop\Adobe Reader 9.lnk 2012-07-12 08:49 - 2009-07-13 23:45 - 03018408 ____A C:\Windows\System32\FNTCACHE.DAT 2012-07-11 23:55 - 2009-07-13 21:34 - 
00000478 ____A C:\Windows\win.ini 2012-07-11 23:51 - 2010-02-09 01:31 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe 2012-07-03 14:46 - 2012-08-16 15:12 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys 2012-06-29 00:24 - 2012-06-20 21:53 - 00002096 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk 2012-06-29 00:24 - 2012-06-20 21:53 - 00002096 ____A C:\Users\All Users\Desktop\McAfee Security Scan Plus.lnk 2012-06-25 00:15 - 2010-01-26 05:13 - 00032519 ____A C:\Windows\DirectX.log 2012-06-20 07:52 - 2009-07-14 00:08 - 00032640 ____A C:\Windows\Tasks\SCHEDLGU.TXT 2012-06-15 09:42 - 2012-06-15 09:42 - 00001785 ____A C:\Users\Public\Desktop\iTunes.lnk 2012-06-15 09:42 - 2012-06-15 09:42 - 00001785 ____A C:\Users\All Users\Desktop\iTunes.lnk 2012-06-11 22:08 - 2012-07-11 23:55 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys 2012-06-09 00:43 - 2012-07-11 08:18 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll 2012-06-08 23:41 - 2012-07-11 08:18 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll 2012-06-08 10:59 - 2010-04-13 17:07 - 00013160 ____A (Absolute Software Corp.) C:\Windows\SysWOW64\Upgrd.exe 2012-06-08 10:59 - 2010-02-27 23:06 - 00058288 ____N (Absolute Software Corp.) 
C:\Windows\SysWOW64\rpcnet.exe 2012-06-06 01:06 - 2012-07-11 08:18 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll 2012-06-06 01:06 - 2012-07-11 08:18 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll 2012-06-06 01:02 - 2012-07-11 08:18 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll 2012-06-06 00:05 - 2012-07-11 08:18 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll 2012-06-06 00:05 - 2012-07-11 08:18 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll 2012-06-06 00:03 - 2012-07-11 08:18 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll 2012-06-03 23:15 - 2011-08-11 14:19 - 00001013 ____A C:\Users\RMM\Desktop\Dropbox.lnk 2012-06-02 17:19 - 2012-06-24 10:12 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll 2012-06-02 17:19 - 2012-06-24 10:12 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll 2012-06-02 17:19 - 2012-06-24 10:12 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe 2012-06-02 17:19 - 2012-06-24 10:12 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll 2012-06-02 17:19 - 2012-06-24 10:12 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll 2012-06-02 17:15 - 2012-06-24 10:12 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll 2012-06-02 17:15 - 2012-06-24 10:12 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll 2012-06-02 16:19 - 2012-06-24 10:11 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll 2012-06-02 16:15 - 2012-06-24 10:11 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe 2012-06-02 12:21 - 2012-06-02 12:21 - 00001847 ____A C:\Users\Public\Desktop\QuickTime Player.lnk 2012-06-02 12:21 - 2012-06-02 12:21 - 00001847 ____A C:\Users\All Users\Desktop\QuickTime Player.lnk 2012-06-02 07:49 - 2012-07-11 23:50 - 17807360 ____A (Microsoft 
Corporation) C:\Windows\System32\mshtml.dll 2012-06-02 07:17 - 2012-07-11 23:50 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll 2012-06-02 07:12 - 2012-07-11 23:50 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll 2012-06-02 07:05 - 2012-07-11 23:50 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll 2012-06-02 07:05 - 2012-07-11 23:50 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll 2012-06-02 07:04 - 2012-07-11 23:50 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl 2012-06-02 07:04 - 2012-07-11 23:50 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll 2012-06-02 07:03 - 2012-07-11 23:50 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll 2012-06-02 07:01 - 2012-07-11 23:50 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe 2012-06-02 07:00 - 2012-07-11 23:50 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll 2012-06-02 06:59 - 2012-07-11 23:50 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2012-06-02 06:57 - 2012-07-11 23:50 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb 2012-06-02 06:57 - 2012-07-11 23:50 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll 2012-06-02 06:54 - 2012-07-11 23:50 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll 2012-06-02 04:07 - 2012-07-11 23:50 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2012-06-02 03:43 - 2012-07-11 23:50 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2012-06-02 03:33 - 2012-07-11 23:50 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2012-06-02 03:26 - 2012-07-11 23:50 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2012-06-02 03:25 - 2012-07-11 23:50 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 
2012-06-02 03:25 - 2012-07-11 23:50 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2012-06-02 03:23 - 2012-07-11 23:50 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll 2012-06-02 03:21 - 2012-07-11 23:50 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2012-06-02 03:20 - 2012-07-11 23:50 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2012-06-02 03:19 - 2012-07-11 23:50 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2012-06-02 03:19 - 2012-07-11 23:50 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll 2012-06-02 03:17 - 2012-07-11 23:50 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2012-06-02 03:16 - 2012-07-11 23:50 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2012-06-02 03:14 - 2012-07-11 23:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2012-06-02 00:50 - 2012-07-11 08:18 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys 2012-06-02 00:48 - 2012-07-11 08:18 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys 2012-06-02 00:48 - 2012-07-11 08:18 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys 2012-06-02 00:45 - 2012-07-11 08:18 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll 2012-06-02 00:44 - 2012-07-11 08:18 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll 2012-06-01 23:40 - 2012-07-11 08:18 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll 2012-06-01 23:40 - 2012-07-11 08:18 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll 2012-06-01 23:39 - 2012-07-11 08:18 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll 2012-06-01 23:34 - 2012-07-11 08:18 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll ZeroAccess: 
C:\Users\RMM\AppData\Local\{d3ed6ce9-2bc9-d767-2346-e38c72483d20}
C:\Users\RMM\AppData\Local\{d3ed6ce9-2bc9-d767-2346-e38c72483d20}\@
C:\Users\RMM\AppData\Local\{d3ed6ce9-2bc9-d767-2346-e38c72483d20}\L
C:\Users\RMM\AppData\Local\{d3ed6ce9-2bc9-d767-2346-e38c72483d20}\U
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 9%
Total physical RAM: 8156.85 MB
Available physical RAM: 7351.02 MB
Total Pagefile: 8155 MB
Available Pagefile: 7351.45 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:451.07 GB) (Free:288.85 GB) NTFS
3 Drive e: () (Removable) (Total:0.48 GB) (Free:0.05 GB) FAT
4 Drive f: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:8.99 GB) NTFS ==>[system with boot components (obtained from reading drive)]
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online          465 GB      0 B
Disk 1    Online          488 MB      0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    OEM                 39 MB    31 KB
Partition 2    Primary             14 GB    39 MB
Partition 3    Primary            451 GB    14 GB

==================================================================================

Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
----------  ---  -----------  -----  ----------  -------  -------  --------
* Volume 4                    FAT    Partition     39 MB  Healthy  Hidden

==================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
----------  ---  -----------  -----  ----------  -------  -------  --------
* Volume 1   F   RECOVERY     NTFS   Partition     14 GB  Healthy

==================================================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
----------  ---  -----------  -----  ----------  -------  -------  --------
* Volume 2   C   OS           NTFS   Partition    451 GB  Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary            488 MB   116 KB

==================================================================================

Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
----------  ---  -----------  -----  ----------  -------  -------  --------
* Volume 3   E                FAT    Removable    488 MB  Healthy

==================================================================================

Last Boot: 2012-08-07 10:49

======================= End Of Log ==========================

Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 2012-08-17 02:04:20
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
  16. Hello Malwarebytes community! A friend came to me the other day, she is a co-worker and simply stated that her computer was acting strange. After looking it over, her Symantec Endpoint Protection virus protection kept popping up saying it has detected Trojan.ZeroAccess (and sometimes Trojan.ZeroAccess.C) rootkit and has deleted it. However, after a few minutes it comes back up with the same message. By the way, she is running Windows 7 PRO SP1. I have tried multiple virus removals to no avail: MBAM, SuperAntiSpyware, and Kaspersky. With Kaspersky it said that system32\services.exe was infected; it deleted that file, rebooted, and the computer crashed and would not boot up! Luckily I had created a restore before attempting to remove the virus myself and was able to get back with the Windows startup repair tool. Anyways, now I'm back to square one, and I could really use someone's help in removing this! Here is an MBAM log and DDS report (attached as .txt logs). Thank you to anyone kind enough to lend me a hand, it is much appreciated!!! :) Attach.txt DDS.txt mbam-log-2012-08-14 (07-59-27).txt
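Editor's note (added example, not code from either poster, from FRST or from Malwarebytes). The FRST log in post 15 and the boot failure in post 16 are two sides of the same finding: ZeroAccess does not replace services.exe, it overwrites bytes inside it, so the live C:\Windows\System32\services.exe keeps the size (0328704) and timestamps of the WinSxS reference copy while its MD5 changes (014A9CB9... against 24ACB7E5...). Deleting the file, as Kaspersky did in post 16, therefore removes the Service Control Manager itself and the machine no longer boots; the fix is to copy the reference back from a recovery environment. The script below parses those two parts of an FRST log (the "Search:" block and the "ZeroAccess:" path hits), applies the same-size-different-hash rule, and emits the restore command. The embedded sample is constructed from the values in the posted log, laid out one item per line as FRST writes them; the verdict labels and the classification names are this example's own.

```python
"""FRST log triage for a suspected ZeroAccess host (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the relevant parts of the FRST log posted above,
# one item per line as FRST writes them. Values are the posted ones.
SAMPLE_LOG = r"""
Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 2012-08-17 02:04:20
Running from E:\

ZeroAccess:
C:\Users\RMM\AppData\Local\{d3ed6ce9-2bc9-d767-2346-e38c72483d20}
C:\Users\RMM\AppData\Local\{d3ed6ce9-2bc9-d767-2346-e38c72483d20}\@
C:\Users\RMM\AppData\Local\{d3ed6ce9-2bc9-d767-2346-e38c72483d20}\L
C:\Users\RMM\AppData\Local\{d3ed6ce9-2bc9-d767-2346-e38c72483d20}\U
ZeroAccess: C:\Windows\assembly\GAC_32\Desktop.ini
ZeroAccess: C:\Windows\assembly\GAC_64\Desktop.ini

========================= Bamital & volsnap Check ============
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
====== End Of Search ======
"""


@dataclass
class FileHit:
    path: str
    size: int
    company: str
    md5: str

    @property
    def is_reference(self) -> bool:
        # WinSxS is the component store Windows itself installs from.
        return "\\winsxs\\" in self.path.lower()

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


@dataclass
class CopyVerdict:
    live: FileHit
    verdict: str  # matches_reference | patched_in_place | modified | no_reference
    reference: Optional[FileHit]


@dataclass
class TriageReport:
    copies: List[CopyVerdict]
    indicators: List[Tuple[str, str]]  # (path, classification label)


# FRST search hit: path, then "[created] - [modified] - size attrs (company) MD5".
# Colons are excluded from the path body so a stray "E:\" in the header
# cannot swallow the text that follows it.
_HIT = re.compile(
    r"(?P<path>[A-Za-z]:\\[^\[\]:]*?\\[^\\\s]+)\s+"
    r"\[[^\]]*\]\s*-\s*\[[^\]]*\]\s*-\s*(?P<size>\d+)\s+[_A-Z]+\s+"
    r"\((?P<company>[^)]*)\)\s+(?P<md5>[0-9A-Fa-f]{32})"
)
_ZA_BLOCK = re.compile(r"ZeroAccess:\s*((?:[A-Za-z]:\\\S+\s*)+)")
_ZA_PATH = re.compile(r"[A-Za-z]:\\\S+")
_GUID_DIR = re.compile(r"\\AppData\\Local\\\{[0-9A-Fa-f-]{36}\}(\\[@LU])?$")
_GAC_INI = re.compile(r"\\assembly\\GAC_(?:32|64)\\Desktop\.ini$", re.IGNORECASE)


def parse_search_hits(text: str) -> List[FileHit]:
    return [FileHit(m["path"], int(m["size"]), m["company"], m["md5"].upper())
            for m in _HIT.finditer(text)]


def assess_copies(hits: List[FileHit]) -> List[CopyVerdict]:
    """Compare each non-WinSxS copy with WinSxS copies of the same file name."""
    out = []
    for live in (h for h in hits if not h.is_reference):
        refs = [r for r in hits if r.is_reference and r.name == live.name]
        same_hash = [r for r in refs if r.md5 == live.md5]
        same_size = [r for r in refs if r.size == live.size]
        if not refs:
            out.append(CopyVerdict(live, "no_reference", None))
        elif same_hash:
            out.append(CopyVerdict(live, "matches_reference", same_hash[0]))
        elif same_size:
            # Same size, different hash: bytes overwritten inside the file,
            # the services.exe technique FRST flags as ZeroAccess.
            out.append(CopyVerdict(live, "patched_in_place", same_size[0]))
        else:
            out.append(CopyVerdict(live, "modified", refs[0]))
    return out


def classify_indicator(path: str) -> str:
    """Label a path FRST listed under "ZeroAccess:" (labels are this example's)."""
    m = _GUID_DIR.search(path)
    if m:
        member = m.group(1)
        return "zeroaccess_user_dir" if not member else "zeroaccess_user_dir_member:" + member[1:]
    if _GAC_INI.search(path):
        return "zeroaccess_gac_desktop_ini"
    return "zeroaccess_unclassified"


def zeroaccess_indicators(text: str) -> List[Tuple[str, str]]:
    paths = [p for block in _ZA_BLOCK.findall(text) for p in _ZA_PATH.findall(block)]
    return [(p, classify_indicator(p)) for p in paths]


def restore_command(v: CopyVerdict) -> Optional[str]:
    """Copy command for a recovery environment: services.exe is locked while
    Windows runs, and deleting it instead leaves the system unbootable."""
    if v.verdict not in ("patched_in_place", "modified") or v.reference is None:
        return None
    return 'copy /Y "%s" "%s"' % (v.reference.path, v.live.path)


def triage(text: str) -> TriageReport:
    return TriageReport(assess_copies(parse_search_hits(text)), zeroaccess_indicators(text))


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for v in report.copies:
        print(v.verdict, v.live.path, v.live.md5, "reference:", v.reference and v.reference.md5)
        cmd = restore_command(v)
        if cmd:
            print("  run from WinRE:", cmd)
    for path, label in report.indicators:
        print(label, path)
```

On the posted log this yields patched_in_place for System32\services.exe with the winsxs copy as reference, six ZeroAccess path indicators, and a copy command to run from the recovery environment. The same-size rule is the check a practitioner should keep in mind when an AV offers to "delete" a core system binary: a verdict of patched_in_place means the file must be replaced, never removed.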
  17. McAfee firewall began turning on and off and alerted to a trojan - zeroaccess. Followed the "I'm infected thread" Ran Defogger as Admin but it did not follow through to re-boot and this is the text file. Malware results attached. Ran DDS and text attached as well as attach zip. GMER ran as Admin and failed in 3 attempts. Program received an error and stopped working. Results of Defogger: Checking for autostart values... HKCU\~\Run values retrieved. HKLM\~\Run values retrieved. Checking for services/drivers... -=E.O.F=- Malwarebytes Anti-Malware 1.62.0.1300 www.malwarebytes.org Database version: v2012.07.29.09 Windows 7 Service Pack 1 x86 NTFS Internet Explorer 9.0.8112.16421 Windsor Castle :: TECHTOP [administrator] 7/29/2012 10:34:48 PM mbam-log-2012-07-29 (22-34-48).txt Scan type: Full scan (C:\|D:\|E:\|) Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 438717 Time elapsed: 2 hour(s), 45 minute(s), 49 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) . DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1 Run by Windsor Castle at 6:34:09 on 2012-07-30 Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3005.1730 [GMT -5:00] . 
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A} FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C} . ============== Running Processes =============== . C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Program Files\Sensible Vision\Fast Access\FAService.exe C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_61cf005dca0fb599\STacSV.exe C:\Windows\system32\svchost.exe -k LocalService C:\Program Files\Dell\DellDock\DockLogin.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\System32\spoolsv.exe C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_61cf005dca0fb599\aestsrv.exe C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork C:\Program Files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe C:\Windows\system32\mfevtps.exe C:\Program Files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe C:\Windows\system32\rundll32.exe C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe C:\Windows\system32\taskhost.exe C:\Windows\system32\Dwm.exe C:\Program Files\Google\Update\1.3.21.115\GoogleCrashHandler.exe C:\Windows\Explorer.EXE C:\Program Files\Microsoft\BingBar\SeaPort.EXE C:\Windows\system32\svchost.exe -k imgsvc C:\Program Files\TomTom 
HOME 2\TomTomHOMEService.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\Program Files\Dell\DellDock\DellDock.exe C:\Program Files\DellTPad\Apoint.exe C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe C:\Program Files\Dell\MediaDirect\PCMService.exe C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe C:\Windows\Samsung\PanelMgr\SSMMgr.exe C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\McAfee\MAT\McPvTray.exe C:\Program Files\Sensible Vision\Fast Access\FATrayMon.exe C:\Windows\System32\igfxtray.exe C:\Windows\System32\hkcmd.exe C:\Windows\System32\igfxpers.exe C:\Program Files\Freecorder\FLVSrvc.exe C:\Program Files\Sensible Vision\Fast Access\FATrayAlert.exe C:\Program Files\Zune\ZuneLauncher.exe C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe C:\Windows\system32\SearchIndexer.exe C:\Program Files\DellTPad\ApMsgFwd.exe C:\Program Files\DellTPad\Apntex.exe C:\Windows\system32\conhost.exe C:\Program Files\DellTPad\HidFind.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Users\Windsor Castle\AppData\Local\RockMelt\Update\1.2.189.1\RockMeltCrashHandler.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\NETGEAR Genie\bin\NETGEARGenie.exe C:\Program Files\MozyHome\mozystat.exe C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE C:\Program Files\OpenOffice.org 3\program\soffice.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE 
C:\Program Files\OpenOffice.org 3\program\soffice.bin C:\Program Files\NETGEAR Genie\bin\genie_tray.exe C:\Program Files\MozyHome\mozybackup.exe C:\Program Files\MozyHome\mozybackup.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\system32\NOTEPAD.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\conhost.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://aims.jocogov.org uURLSearchHooks: TVersitybar Toolbar: {66bd2442-241b-44cd-8c7a-b51037053cdb} - c:\program files\tversitybar\prxtbTVer.dll mURLSearchHooks: TVersitybar Toolbar: {66bd2442-241b-44cd-8c7a-b51037053cdb} - c:\program files\tversitybar\prxtbTVer.dll mURLSearchHooks: H - No File BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll BHO: jZip Webmail plugin: {647fd14a-c4f1-46f4-8fc3-0b40f54226f7} - c:\program files\jzip\WebmailPlugin.dll BHO: TVersitybar Toolbar: {66bd2442-241b-44cd-8c7a-b51037053cdb} - c:\program files\tversitybar\prxtbTVer.dll BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120624195720.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program 
files\google\google toolbar\GoogleToolbar_32.dll BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll" BHO: Face recognition web login for FastAccess: {da5bce70-d057-4d63-943d-5f3927ec59f1} - c:\program files\sensible vision\fast access\FAIESSO.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll" TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll TB: TVersitybar Toolbar: {66bd2442-241b-44cd-8c7a-b51037053cdb} - c:\program files\tversitybar\prxtbTVer.dll TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler uRun: [RockMelt Update] "c:\users\windsor castle\appdata\local\rockmelt\update\RockMeltUpdate.exe" /c uRun: [Google Update] "c:\users\windsor castle\appdata\local\google\update\GoogleUpdate.exe" /c uRun: [swg] "c:\program 
files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [NETGEARGenie] "c:\program files\netgear genie\bin\NETGEARGenie.exe" -mini -redirect mRun: [Apoint] c:\program files\delltpad\Apoint.exe mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2 mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe" mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe" mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe mRun: [samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun mRun: [FAStartup] mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey mRun: [McPvTray_exe] "c:\program files\mcafee\mat\McPvTray.exe" mRun: [FATrayAlert] c:\program files\sensible vision\fast access\FATrayMon.exe mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [OA001Cfg.exe] OA001Cfg.exe mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe" mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe" mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" StartupFolder: c:\users\windso~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk 
- c:\program files\dell\delldock\DellDock.exe StartupFolder: c:\users\windso~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE StartupFolder: c:\users\windso~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0) mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5) mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: &Winamp Search - c:\programdata\winamp toolbar\ietoolbar\resources\en-us\local\search.html IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105 IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll Trusted Zone: cacu.com\secureaccess DPF: 
{7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab TCP: DhcpNameServer = 192.168.1.1 TCP: Interfaces\{819B9705-A185-4FC0-B57B-BB9234A2EB3F} : DhcpNameServer = 192.168.1.1 TCP: Interfaces\{A8908502-DFBB-4D1B-996E-D174745CC8C7} : DhcpNameServer = 192.168.1.1 TCP: Interfaces\{A8908502-DFBB-4D1B-996E-D174745CC8C7}\74F6C64656E645275656 : DhcpNameServer = 12.127.16.67 4.2.2.1 Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll Notify: FastAccess - c:\program files\sensible 
vision\fast access\FALogNot.dll Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll Notify: igfxcui - igfxdev.dll LSA: Notification Packages = scecli FAPassSync . ================= FIREFOX =================== . FF - ProfilePath - c:\users\windsor castle\appdata\roaming\mozilla\firefox\profiles\ookkq5vc.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2548838&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/ FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll FF - plugin: c:\program files\google\picasa3\npPicasa3.dll FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll FF - plugin: c:\program files\oracle\javafx 2.1 
runtime\bin\plugin2\npjp2.dll FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll FF - plugin: c:\users\windsor castle\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll FF - plugin: c:\users\windsor castle\appdata\local\rockmelt\update\1.2.189.1\npRockMeltOneClick8.dll FF - plugin: c:\users\windsor castle\appdata\roaming\move networks\plugins\npqmp071500000347.dll FF - plugin: c:\users\windsor castle\appdata\roaming\mozilla\firefox\profiles\ookkq5vc.default\extensions\2020player_ikea@2020technologies.com\plugins\NP_2020Player_IKEA.dll FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_268.dll FF - plugin: c:\windows\system32\npDeployJava1.dll FF - plugin: c:\windows\system32\npmproxy.dll FF - plugin: c:\windows\system32\wat\npWatWeb.dll . ============= SERVICES / DRIVERS =============== . R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2011-5-9 64048] R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-13 464304] R0 mfewfpk;McAfee Inc. 
mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-5-9 169608] R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-5-9 64912] R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928] R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_61cf005dca0fb599\AEstSrv.exe [2009-4-7 81920] R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-7-8 401920] R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2010-1-11 155648] R2 FAService;FAService;c:\program files\sensible vision\fast access\FAService.exe [2011-4-23 2412728] R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\kodak\digital display\orbkodaklauncher\DllStartupService.exe [2009-5-14 98304] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-5-9 214904] R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-5-9 214904] R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-5-9 214904] R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-5-9 166288] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-5-9 161632] R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-5-9 151880] R2 NETGEARGenieDaemon;NETGEARGenieDaemon;c:\program files\netgear genie\bin\NETGEARGenieDaemon.exe [2012-3-7 1029408] R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-9-15 88576] R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2010-12-5 5120] R2 
TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008] R3 FACAP;facap, FastAccess Video Capture;c:\windows\system32\drivers\facap.sys [2008-9-24 232832] R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-3-15 127488] R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2009-6-12 54784] R3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-7-13 229888] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-5-9 180848] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-5-9 340920] R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168] R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-3-6 133632] R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-3-8 280096] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-6 136176] S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-5-9 214904] S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2009-6-10 166384] S2 SessionLauncher;SessionLauncher;c:\users\windso~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\windso~1\appdata\local\temp\dx9\SessionLauncher.exe [?] 
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856] S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888] S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560] S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-5-9 57600] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-6 136176] S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088] S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-23 23040] S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-5-9 59456] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-5-9 87656] S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 113120] S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000] S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-4-8 15872] S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2009-6-10 1124848] S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-8 52224] S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-2 1343400] S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2011-8-5 268512] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpffontcache_v0400.exe --> c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [?] 
S4 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2009-6-10 309744] . =============== Created Last 30 ================ . 2012-07-29 23:07:37 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-07-29 23:07:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2012-07-11 18:05:02 2345984 ----a-w- c:\windows\system32\win32k.sys 2012-07-02 11:32:53 -------- d-----w- c:\users\windsor castle\appdata\roaming\Ableton 2012-07-02 11:31:22 -------- d-----w- c:\program files\common files\Propellerhead Software . ==================== Find3M ==================== . 2012-07-29 12:00:12 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-07-29 12:00:12 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-06-25 21:04:24 1394248 ----a-w- c:\windows\system32\msxml4.dll 2012-06-12 16:22:03 96784 ----a-w- c:\windows\system32\packet.dll 2012-06-12 16:22:03 35088 ----a-w- c:\windows\system32\drivers\npf.sys 2012-06-12 16:22:03 281104 ----a-w- c:\windows\system32\wpcap.dll 2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll 2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll 2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll 2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll 2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll 2012-06-02 20:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-02 20:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe 2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll 2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll 2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl 2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe 2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb 2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys 2012-06-02 04:45:03 134000 ----a-w- 
c:\windows\system32\drivers\ksecpkg.sys 2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys 2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll 2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll . ============= FINISH: 6:35:08.13 =============== Attach.zip
  18. Hello, I'm working on a friend's PC, which was having problems with IE9 links redirecting to shopping/ad sites, ads playing on the speakers (only) without open windows, and with Avira warning messages of various viruses popping up (like HTML/IFrame.aeu, TR/ATRAPS.Gen2, W32/Patched.UB, and more). I performed System Restore on it, then ran a full scan with Avira, MWB, and ESET online scanner - which came up as clean, but seems to have only taken care of secondary/tertiary infections (?); some odd problems remained and the old ones popped back up after a few hours of testing. In working on it and investigating, I was led to this topic and (appropriately) directed to start a new thread. I copied a HJT log and (after reading the previous topic) a RogueKiller log onto USB and have them here for review. I'm fairly confident, based on the previous topic and multiple others recently, that the PC in question has the ZeroAccess RK, but I'm not sure what else. Further, I tried to go a step further and download Farbar Recovery Scan Tool and use it; however, I don't have access to that PC's Win7 disk, and cannot enter System Recovery Options from the Advanced Boot Options: I'm getting an "ERROR : F3-F100-0004" when I try that. So, if it is a rootkit, is there another option (I have a USB boot drive with some Unix flavor floating around somewhere)? Thank you for your time. Logs attached: RKreport1.txt hijackthis_2012-07-19-0628.txt
  19. I know I posted a topic on this before, and I'm terribly sorry, I completely forgot about it. I have Farbar downloaded onto my jumpdrive, plugged it into the infected machine, accessed BIOS Settings, started Repair, Windows is still loading files... I promise to stay on this, this time. Will have the logs soon!
  20. Hello, I'm hoping someone may be able to help me. Several nights ago I received notification via Norton Anti-Virus that several threats were detected and had been blocked. Since Norton said they were blocked, I thought everything was okay until I ran MBAM and received the following results:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.20.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
******** :: ********-HP [administrator]

7/19/2012 11:33:47 PM
mbam-log-2012-07-19 (23-33-47).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|Q:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 438486
Time elapsed: 1 hour(s), 22 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\********\AppData\Local\Temp\0.4284575629757891 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\********\AppData\Local\Temp\msimg32.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\********\AppData\Local\{507829e3-236d-f5e0-6282-8b3c371a03ca}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

(end)

I've tried my best to remove the items from my system, but I'm not certain if the threats are resolved. I've run Norton and MBAM again several times and received clean reports, but today I decided to run TDSSKiller and received the following:

22:08:15.0357 5460 Detected object count: 1
22:08:15.0357 5460 Actual detected object count: 1
22:08:18.0490 5460 Akamai ( HiddenFile.Multi.Generic ) - skipped by user
22:08:18.0490 5460 Akamai ( HiddenFile.Multi.Generic ) - User select action: Skip

I understand that this type of threat can be tricky to get rid of and I have no idea where to go from here. Any help would be greatly appreciated! Thank you.
  21. Hello, Having the same problem as this thread: http://forums.malwarebytes.org/index.php?showtopic=112607
  22. I was asked to take a look at a Dell Optiplex 330 running Vista Business SP2 because it had picked up the ZeroAccess rootkit/trojan. The PC was running McAfee Security as a Service, but the subscription was no longer up to date. I have run MBAM several times, sometimes detecting the infection, sometimes not. McAfee was not removing the infection, only detecting/blocking it, so I removed McAfee and replaced it with Microsoft Security Essentials so it would, at the least, remain updated. Running a full scan overnight detected the infection again. I tried removing and rebooting, but then the PC began to act strangely. For starters, when I rebooted, every icon from the desktop (not just fixes against the infection) vanished, only to return about 1 full hour into a complete MBAM scan. During the scan, I noticed Internet Explorer starting to redirect me for the first time to some fake "AVG" search site. MBAM's full scan found a PUP, but identified Kaspersky's TDSS Killer as the culprit. I downloaded it from CNET and assumed it to be the genuine article, but who knows. My quick scans from Security Essentials are coming up clean now, but I am not sure if I can trust it. I have attached both the DDS and Attach logs. Any further info or instructions to check if this thing is clean or not would be greatly appreciated. It never seems this easy to get rid of a rootkit, so I am suspicious that it is still lying in wait. Thanks, jt83 DDS_Attach.zip
  23. Merged two posts. We look for posts with 0 replies, so when you replied to your own topic, we assumed you were being helped. Do not bump your topic.

I have a user who is still suffering from Google redirects. MWB comes up clean, Trend Micro WFB reports no infections, SAS comes up clean, TDSS Killer comes up clean, MBR Check came up clean, et cetera, et cetera. HitmanPro initially reported some ZeroAccess stuff which it allegedly removed. Combofix does not delete any files. Yes, I know I'm not supposed to run Combofix without being asked to. Hopefully you all will anoint me for my sins. I just need a resolution. I'm an IT Professional (or at least I play one on TV), and I have a disk image backup prior to trying anything. After running all of these tools, and straight from reboot, the System Idle Process starts jabbering out to random locations on the Internet. I know this from running Netstat. I thought that was strange. It's a Windows 7 Pro machine as you'll tell, as is mine. My System Idle Process does not show any connections out to the Internet. Here's the Combofix Log:

ComboFix 12-06-26.02 - jeanne 06/27/2012 11:27:29.4.4 - x64 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2035.974 [GMT -4:00] Running from: c:\users\jeanne\Desktop\ComboFix.exe AV: Trend Micro Client/Server Security Agent Antivirus *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92} FW: Trend Micro Personal Firewall *Disabled* {50C2E989-60CF-0845-AFD3-290B7D301E79} SP: Trend Micro Client/Server Security Agent Anti-spyware *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((( Files Created from 2012-05-27 to 2012-06-27 ))))))))))))))))))))))))))))))) . . 2012-06-27 15:34 . 2012-06-27 15:34 -------- d-----w- c:\users\SMS\AppData\Local\temp 2012-06-27 15:34 . 2012-06-27 15:34 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-06-27 15:34 . 
2012-06-27 15:34 -------- d-----w- c:\users\administrator\AppData\Local\temp 2012-06-27 15:34 . 2012-06-27 15:34 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\temp 2012-06-27 15:02 . 2012-06-27 15:02 -------- d-----w- c:\users\jeanne\AppData\Roaming\SUPERAntiSpyware.com 2012-06-27 15:01 . 2012-06-27 15:02 -------- d-----w- c:\program files\SUPERAntiSpyware 2012-06-27 15:01 . 2012-06-27 15:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2012-06-27 14:43 . 2012-06-27 14:43 12872 ----a-w- c:\windows\system32\bootdelete.exe 2012-06-25 12:17 . 2012-06-25 12:17 -------- d-----w- c:\users\jeanne\AppData\Local\Macromedia 2012-06-22 21:00 . 2012-06-22 21:00 -------- d-----w- c:\program files (x86)\Dell Digital Delivery 2012-06-21 12:24 . 2012-06-21 12:24 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll 2012-06-21 12:24 . 2012-06-21 12:24 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll 2012-06-19 16:35 . 2012-06-19 16:35 -------- d-----w- c:\users\DefaultAppPool 2012-06-18 00:41 . 2012-06-18 00:41 -------- d-----w- c:\windows\system32\log 2012-06-18 00:40 . 2012-06-18 00:41 -------- d-----w- c:\program files (x86)\Trend Micro 2012-06-13 07:04 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll 2012-06-13 07:04 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll 2012-06-13 07:04 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe 2012-06-13 07:01 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-06-13 07:01 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe 2012-06-13 07:01 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe 2012-06-13 07:01 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys 2012-06-13 07:01 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-06-03 21:27 . 2012-06-03 21:27 -------- d-----w- c:\users\jeanne\AppData\Local\Apple 2012-06-01 19:27 . 
2012-06-27 14:44 -------- d-----w- c:\programdata\HitmanPro 2012-06-01 18:15 . 2012-06-01 18:15 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\Mozilla 2012-06-01 17:46 . 2012-06-27 15:37 -------- d-----w- c:\users\jeanne\AppData\Local\temp 2012-05-31 16:21 . 2012-05-31 16:21 -------- d-----w- c:\users\jeanne\AppData\Roaming\Malwarebytes 2012-05-31 13:00 . 2012-05-31 13:00 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\Malwarebytes 2012-05-31 12:59 . 2012-05-31 12:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware 2012-05-31 12:59 . 2012-05-31 12:59 -------- d-----w- c:\programdata\Malwarebytes 2012-05-31 12:59 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-05-31 12:31 . 2012-05-31 12:31 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\Roxio Burn 2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\ICAClient 2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\Hewlett-Packard Company 2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\Citrix 2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\{2D5CE1D8-AA7F-11E1-8270-B8AC6F996F26} 2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\LogMeIn 2012-05-30 17:45 . 2012-05-30 17:45 -------- d-----w- c:\users\jeanne\AppData\Local\{2D5CE1D8-AA7F-11E1-8270-B8AC6F996F26} 2012-05-30 17:38 . 2012-05-30 17:38 -------- d-sh--w- c:\windows\system32\%APPDATA% 2012-05-30 17:35 . 2012-05-31 16:27 -------- d-----w- c:\program files (x86)\Common Files\Outlook 2012-05-30 17:34 . 2012-05-31 11:52 -------- d-----w- c:\users\jeanne\AppData\Roaming\Ifysi 2012-05-30 17:34 . 2012-05-30 17:44 -------- d-----w- c:\users\jeanne\AppData\Roaming\Elor 2012-05-30 17:34 . 
2012-05-30 17:34 -------- d-----w- c:\users\jeanne\AppData\Roaming\Akpuor . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-06-23 15:20 . 2012-04-04 19:19 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-06-23 15:20 . 2012-03-28 15:42 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-06-23 15:20 . 2012-04-13 20:20 9815752 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe 2012-05-22 15:52 . 2012-05-22 15:52 608 --sha-w- c:\windows\system32\winzvprt5.sys 2012-05-22 12:13 . 2012-04-22 18:23 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll 2012-05-22 12:13 . 2012-04-22 18:23 34688 ----a-w- c:\windows\system32\LMIport.dll 2012-05-22 12:13 . 2012-04-22 18:23 80768 ----a-w- c:\windows\system32\LMIinit.dll 2012-05-08 17:02 . 2012-05-30 03:04 8955792 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{310DB10C-D086-496B-86CD- 8E51A4A25BE9}\mpengine.dll 2012-04-04 16:39 . 2010-06-24 16:33 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll 2012-03-30 11:35 . 2012-05-09 07:00 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AutomatedTaskLauncher"="c:\program files (x86)\Comdata\Shared\Applications\CDAtl.exe" [2004-06-01 77824] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-26 4787072] . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528] "RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112] "Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240] "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888] "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208] "ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2012-04-05 371864] "ToolboxFX"="c:\program files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe" [2010-10-25 58936] "OfficeScanNT Monitor"="c:\program files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe" [2012-01-09 1712656] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) "EnableLinkedConnections"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\progra~2\Citrix\ICACLI~1\RSHook.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3699739257-3343509579-3915199227-500\Scripts\Logon\0\0] "Script"=LaunchNotificationUI.cmd . 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot] @="" . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632] R2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-12-20 1691848] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 250056] R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408] R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168] R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-21 113120] R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys [2010-11-21 168448] R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656] R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys [2010-11-21 22528] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392] R3 
TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-04 1255736] R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184] S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856] S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2012-02-14 93272] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368] S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928] S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816] S2 DellDigitalDelivery;Dell Digital Delivery Service;c:\program files (x86)\Dell Digital Delivery\DeliveryService.exe [2012-06-19 173056] S2 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [2010-10-25 145920] S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2012-05-22 375176] S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2011-09-16 15928] S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x] S2 svcGenericHost;Trend Micro Client/Server Security Agent;c:\program files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [2012-05-14 50704] S2 TmFilter;Trend Micro Filter;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys [2011-07-12 342288] S2 TmPreFilter;Trend Micro PreFilter;c:\program files (x86)\Trend Micro\Client 
Server Security Agent\TmPreFlt.sys [2011-07-12 42768] S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppdbulkio.sys [2010-12-14 22040] S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hppdfaxio.sys [2010-12-14 23576] S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440] S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240] S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe [2012-04-27 918032] . . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost] iissvcs REG_MULTI_SZ w3svc was apphost REG_MULTI_SZ apphostsvc . Contents of the 'Scheduled Tasks' folder . 2012-06-27 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 15:20] . 2012-05-28 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job - c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09] . 2012-06-26 c:\windows\Tasks\SystemToolsDailyTest.job - c:\program files\Dell Support Center\pcdrcui.exe [2011-12-14 04:09] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-04 167960] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-04 391704] "Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-04 418328] "LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-09-16 57928] "HP LaserJet Professional M1530 MFP Series Fax"="c:\program files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe" [2010-08-24 3706424] . ------- Supplementary Scan ------- . 
uLocal Page = c:\windows\system32\blank.htm uStart Page = hxxp://www.foxnews.com/ mLocal Page = c:\windows\SysWOW64\blank.htm IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000 Trusted Zone: iconnectdata.com\w6 Trusted Zone: vospro.net\go TCP: DhcpNameServer = 192.168.0.2 FF - ProfilePath - c:\users\jeanne\AppData\Roaming\Mozilla\Firefox\Profiles\ar10f2xn.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/|http://www.drudgereport.com/|http://www.msn.com/ FF - prefs.js: network.proxy.type - 0 FF - user.js: network.cookie.cookieBehavior - 0 FF - user.js: privacy.clearOnShutdown.cookies - false FF - user.js: security.warn_viewing_mixed - false FF - user.js: security.warn_viewing_mixed.show_once - false FF - user.js: security.warn_submit_insecure - false FF - user.js: security.warn_submit_insecure.show_once - false . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\HostedAgent.exe
c:\program files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
c:\program files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe
c:\program files (x86)\Citrix\SelfServicePlugin\SelfService.exe
.
**************************************************************************
.
Completion time: 2012-06-27 11:42:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-27 15:42
ComboFix2.txt 2012-06-01 17:46
.
Pre-Run: 419,192,397,824 bytes free
Post-Run: 419,038,064,640 bytes free
.
Here's the Netstat Log:

Active Connections

  Proto  Local Address                          Foreign Address                 State           PID
  TCP    0.0.0.0:7                              SMSPC16:0                       LISTENING       2516
  TCP    0.0.0.0:9                              SMSPC16:0                       LISTENING       2516
  TCP    0.0.0.0:13                             SMSPC16:0                       LISTENING       2516
  TCP    0.0.0.0:17                             SMSPC16:0                       LISTENING       2516
  TCP    0.0.0.0:19                             SMSPC16:0                       LISTENING       2516
  TCP    0.0.0.0:80                             SMSPC16:0                       LISTENING       4
  TCP    0.0.0.0:135                            SMSPC16:0                       LISTENING       772
  TCP    0.0.0.0:445                            SMSPC16:0                       LISTENING       4
  TCP    0.0.0.0:515                            SMSPC16:0                       LISTENING       1548
  TCP    0.0.0.0:2002                           SMSPC16:0                       LISTENING       2036
  TCP    0.0.0.0:3389                           SMSPC16:0                       LISTENING       1084
  TCP    0.0.0.0:5357                           SMSPC16:0                       LISTENING       4
  TCP    0.0.0.0:49152                          SMSPC16:0                       LISTENING       432
  TCP    0.0.0.0:49153                          SMSPC16:0                       LISTENING       856
  TCP    0.0.0.0:49154                          SMSPC16:0                       LISTENING       948
  TCP    0.0.0.0:49187                          SMSPC16:0                       LISTENING       508
  TCP    0.0.0.0:49197                          SMSPC16:0                       LISTENING       492
  TCP    0.0.0.0:61116                          SMSPC16:0                       LISTENING       1240
  TCP    127.0.0.1:2002                         SMSPC16:49246                   ESTABLISHED     2036
  TCP    127.0.0.1:6999                         SMSPC16:0                       LISTENING       2616
  TCP    127.0.0.1:6999                         SMSPC16:49346                   TIME_WAIT       0
  TCP    127.0.0.1:6999                         SMSPC16:49349                   TIME_WAIT       0
  TCP    127.0.0.1:6999                         SMSPC16:49350                   TIME_WAIT       0
  TCP    127.0.0.1:6999                         SMSPC16:49351                   TIME_WAIT       0
  TCP    127.0.0.1:6999                         SMSPC16:49353                   TIME_WAIT       0
  TCP    127.0.0.1:6999                         SMSPC16:49354                   TIME_WAIT       0
  TCP    127.0.0.1:6999                         SMSPC16:49355                   TIME_WAIT       0
  TCP    127.0.0.1:6999                         SMSPC16:49364                   TIME_WAIT       0
  TCP    127.0.0.1:6999                         SMSPC16:49367                   TIME_WAIT       0
  TCP    127.0.0.1:6999                         SMSPC16:49372                   TIME_WAIT       0
  TCP    127.0.0.1:21112                        SMSPC16:0                       LISTENING       2868
  TCP    127.0.0.1:49246                        SMSPC16:2002                    ESTABLISHED     4392
  TCP    127.0.0.1:49361                        SMSPC16:6999                    TIME_WAIT       0
  TCP    127.0.0.1:49369                        SMSPC16:6999                    TIME_WAIT       0
  TCP    192.168.0.127:139                      SMSPC16:0                       LISTENING       4
  TCP    192.168.0.127:49191                    smssrvr:ldap                    ESTABLISHED     316
  TCP    192.168.0.127:49210                    a23-64-249-83:https             ESTABLISHED     2152
  TCP    192.168.0.127:49211                    a23-64-249-83:https             ESTABLISHED     2152
  TCP    192.168.0.127:49213                    a23-64-249-83:https             ESTABLISHED     2152
  TCP    192.168.0.127:49214                    a23-64-249-83:https             ESTABLISHED     2152
  TCP    192.168.0.127:49219                    smssrvr:microsoft-ds            ESTABLISHED     4
  TCP    192.168.0.127:49229                    a23-64-249-83:https             ESTABLISHED     2152
  TCP    192.168.0.127:49244                    smssrvr:6012                    ESTABLISHED     1332
  TCP    192.168.0.127:49274                    smssrvr:6012                    ESTABLISHED     1332
  TCP    192.168.0.127:49288                    a23-64-249-83:https             ESTABLISHED     2152
  TCP    192.168.0.127:49292                    64.74.103.163:https             ESTABLISHED     2036
  TCP    192.168.0.127:49317                    64.74.103.163:https             ESTABLISHED     2036
  TCP    192.168.0.127:49320                    64.74.103.163:https             ESTABLISHED     2036
  TCP    192.168.0.127:49327                    64.74.103.163:https             ESTABLISHED     2036
  TCP    192.168.0.127:49334                    network-098-027-088-048:http    TIME_WAIT       0
  TCP    192.168.0.127:49341                    65.55.53.190:http               TIME_WAIT       0
  TCP    192.168.0.127:49342                    network-098-027-088-030:http    TIME_WAIT       0
  TCP    192.168.0.127:49348                    network-098-027-088-030:http    TIME_WAIT       0
  TCP    192.168.0.127:49362                    216.35.15.168:http              TIME_WAIT       0
  TCP    192.168.0.127:49363                    network-098-027-088-030:http    TIME_WAIT       0
  TCP    192.168.0.127:49370                    iad23s06-in-f1:http             TIME_WAIT       0
  TCP    192.168.0.127:49371                    network-098-027-088-030:http    TIME_WAIT       0
  TCP    [::]:7                                 SMSPC16:0                       LISTENING       2516
  TCP    [::]:9                                 SMSPC16:0                       LISTENING       2516
  TCP    [::]:13                                SMSPC16:0                       LISTENING       2516
  TCP    [::]:17                                SMSPC16:0                       LISTENING       2516
  TCP    [::]:19                                SMSPC16:0                       LISTENING       2516
  TCP    [::]:80                                SMSPC16:0                       LISTENING       4
  TCP    [::]:135                               SMSPC16:0                       LISTENING       772
  TCP    [::]:445                               SMSPC16:0                       LISTENING       4
  TCP    [::]:515                               SMSPC16:0                       LISTENING       1548
  TCP    [::]:3389                              SMSPC16:0                       LISTENING       1084
  TCP    [::]:5357                              SMSPC16:0                       LISTENING       4
  TCP    [::]:49152                             SMSPC16:0                       LISTENING       432
  TCP    [::]:49153                             SMSPC16:0                       LISTENING       856
  TCP    [::]:49154                             SMSPC16:0                       LISTENING       948
  TCP    [::]:49187                             SMSPC16:0                       LISTENING       508
  TCP    [::]:49197                             SMSPC16:0                       LISTENING       492
  UDP    0.0.0.0:7                              *:*                                             2516
  UDP    0.0.0.0:9                              *:*                                             2516
  UDP    0.0.0.0:13                             *:*                                             2516
  UDP    0.0.0.0:17                             *:*                                             2516
  UDP    0.0.0.0:19                             *:*                                             2516
  UDP    0.0.0.0:123                            *:*                                             328
  UDP    0.0.0.0:427                            *:*                                             5848
  UDP    0.0.0.0:500                            *:*                                             948
  UDP    0.0.0.0:3702                           *:*                                             1812
  UDP    0.0.0.0:3702                           *:*                                             1812
  UDP    0.0.0.0:4500                           *:*                                             948
  UDP    0.0.0.0:5355                           *:*                                             1084
  UDP    0.0.0.0:51335                          *:*                                             1812
  UDP    0.0.0.0:56305                          *:*                                             1240
  UDP    0.0.0.0:61117                          *:*                                             1240
  UDP    127.0.0.1:1900                         *:*                                             1812
  UDP    127.0.0.1:51265                        *:*                                             316
  UDP    127.0.0.1:51709                        *:*                                             3144
  UDP    127.0.0.1:53037                        *:*                                             1084
  UDP    127.0.0.1:58742                        *:*                                             508
  UDP    127.0.0.1:63173                        *:*                                             1812
  UDP    192.168.0.127:137                      *:*                                             4
  UDP    192.168.0.127:138                      *:*                                             4
  UDP    192.168.0.127:427                      *:*                                             5848
  UDP    192.168.0.127:1900                     *:*                                             1812
  UDP    192.168.0.127:32527                    *:*                                             2036
  UDP    192.168.0.127:32528                    *:*                                             2036
  UDP    192.168.0.127:63172                    *:*                                             1812
  UDP    [::]:7                                 *:*                                             2516
  UDP    [::]:9                                 *:*                                             2516
  UDP    [::]:13                                *:*                                             2516
  UDP    [::]:17                                *:*                                             2516
  UDP    [::]:19                                *:*                                             2516
  UDP    [::]:123                               *:*                                             328
  UDP    [::]:500                               *:*                                             948
  UDP    [::]:3702                              *:*                                             1812
  UDP    [::]:3702                              *:*                                             1812
  UDP    [::]:4500                              *:*                                             948
  UDP    [::]:5355                              *:*                                             1084
  UDP    [::]:51336                             *:*                                             1812
  UDP    [::1]:1900                             *:*                                             1812
  UDP    [::1]:63171                            *:*                                             1812
  UDP    [fe80::3473:e559:9252:a169%11]:1900    *:*                                             1812
  UDP    [fe80::3473:e559:9252:a169%11]:63170   *:*                                             1812

bump...
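A listing like the one above is the raw material of a netstat triage, and reading 150 rows by eye is error-prone. The script below is an added example written for this thread; it is not a tool from the forum, from Malwarebytes or from the poster. It parses `netstat -ano` output, groups sockets by PID, and raises two findings: a process bound on a UDP port that public analyses have associated with ZeroAccess's peer-to-peer protocol (the port list and the fan-out threshold are assumptions you can tune), and a single PID with established connections to many distinct public hosts, the fan-out pattern a P2P bot produces and a normal desktop process rarely does. The sample rows are constructed in the format of the log above: the first ones mirror entries from it, the PID 3100 rows are invented to show the pattern, and `SMSPC16` and `smssrvr` are treated as known local hosts.

```python
"""Triage a Windows `netstat -ano` listing: parse it, group by PID, flag oddities.

Added example for this thread, not a forum or Malwarebytes tool. Sample data and
thresholds below are constructed/assumed; see the comments."""
import ipaddress
from collections import defaultdict, namedtuple

# UDP ports reported in public analyses of the ZeroAccess P2P protocol.
# Assumption: a process bound on one of them deserves a closer look.
WATCH_UDP_PORTS = {16464, 16465, 16470, 16471}
# Assumption: this many distinct external peers from one PID is P2P-like.
FANOUT_THRESHOLD = 8

Socket = namedtuple("Socket", "proto local_host local_port remote_host remote_port state pid")


def split_endpoint(endpoint):
    """'[fe80::1%11]:1900' -> ('fe80::1%11', '1900'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, port


def parse_netstat(text):
    """One Socket per TCP/UDP row; header, blank and malformed rows are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""  # UDP rows carry no state column
        else:
            continue
        lh, lp = split_endpoint(local)
        rh, rp = split_endpoint(remote)
        sockets.append(Socket(proto, lh, lp, rh, rp, state, int(pid)))
    return sockets


def is_external(host, trusted_names=frozenset()):
    """True for a public IP, or for a DNS name that is not a known local host."""
    if host in ("*", "") or host in trusted_names:
        return False
    try:
        ip = ipaddress.ip_address(host.split("%")[0])  # drop an IPv6 scope id
    except ValueError:
        return True  # netstat resolved a name: the peer was reached over the net
    return ip.is_global


def wildcard_listeners(sockets):
    """{pid: {(proto, port)}} for sockets bound on 0.0.0.0 or :: (TCP LISTENING, any UDP)."""
    out = defaultdict(set)
    for s in sockets:
        if s.local_host in ("0.0.0.0", "::") and (s.proto == "UDP" or s.state == "LISTENING"):
            out[s.pid].add((s.proto, int(s.local_port)))
    return dict(out)


def external_peers(sockets, trusted_names=frozenset()):
    """{pid: {remote_host}} over ESTABLISHED TCP rows only: TIME_WAIT rows
    carry PID 0 and say nothing about a live process."""
    out = defaultdict(set)
    for s in sockets:
        if s.proto == "TCP" and s.state == "ESTABLISHED" and is_external(s.remote_host, trusted_names):
            out[s.pid].add(s.remote_host)
    return dict(out)


def findings(sockets, trusted_names=frozenset()):
    notes = []
    for pid, bound in sorted(wildcard_listeners(sockets).items()):
        hits = sorted(p for proto, p in bound if proto == "UDP" and p in WATCH_UDP_PORTS)
        if hits:
            notes.append(f"PID {pid}: UDP socket on watch-listed port(s) {hits}")
    for pid, peers in sorted(external_peers(sockets, trusted_names).items()):
        if len(peers) >= FANOUT_THRESHOLD:
            notes.append(f"PID {pid}: established to {len(peers)} distinct external hosts (P2P-like fan-out)")
    return notes


# Constructed sample in the format of the log above. The first rows mirror
# entries from that log; the PID 3100 rows are invented to show the pattern.
TRUSTED = frozenset({"SMSPC16", "smssrvr"})  # this machine and the LAN server
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            SMSPC16:0              LISTENING       772
  TCP    0.0.0.0:3389           SMSPC16:0              LISTENING       1084
  TCP    127.0.0.1:6999         SMSPC16:49346          TIME_WAIT       0
  TCP    192.168.0.127:49191    smssrvr:ldap           ESTABLISHED     316
  TCP    192.168.0.127:49210    a23-64-249-83:https    ESTABLISHED     2152
  TCP    192.168.0.127:49292    64.74.103.163:https    ESTABLISHED     2036
  TCP    [::]:445               SMSPC16:0              LISTENING       4
  UDP    0.0.0.0:123            *:*                                    328
  UDP    [fe80::3473:e559:9252:a169%11]:1900  *:*                      1812
  UDP    0.0.0.0:16464          *:*                                    3100
""" + "".join(  # nine invented peers for PID 3100 (addresses are placeholders)
    f"  TCP    192.168.0.127:{50100 + i}  198.0.{i}.{i}:16464  ESTABLISHED  3100\n"
    for i in range(1, 10)
)

if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    for pid, bound in sorted(wildcard_listeners(socks).items()):
        print(f"PID {pid} bound on all interfaces: {sorted(bound)}")
    for pid, peers in sorted(external_peers(socks, TRUSTED).items()):
        print(f"PID {pid} external peers: {sorted(peers)}")
    for note in findings(socks, TRUSTED):
        print("!!", note)
```

To use it on a real machine, save `netstat -ano` output to a file, read it into `parse_netstat`, and pass your own hostname plus any LAN servers as `trusted_names`; a PID that turns up in a finding can then be matched against `tasklist /svc` to see which process or service owns it. The resolved hostnames in the listing (Akamai, Microsoft, Google) are ordinary browser and update traffic; the point of grouping by PID is that a bot's traffic stands out by its shape, not by any single destination.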
  24. I ran DDS but it just runs and runs... I've been fighting it since Friday! I have attached logs from OTL, HijackThis, and a few other tools that I have run. ComboFix is the only program that reports that I have ZeroAccess and that it has infected the TCP/IP stack, but ComboFix just runs and never runs any steps. I appreciate the help!
Robert
Attachments: AntiZeroAccess_Log.txt, dberr.txt, Extras.Txt, hijackthis.log, OTL.Txt, SCHEDLGU.TXT
  25. So ComboFix tells me I have Rootkit.ZeroAccess, and further research tells me that this may not be good. In 15 years of working with computers professionally, this is the worst one I've seen, although part of that may be of my own doing.

First off, I know I'm supposed to have logs from DDS. Wish it were that easy. DDS hangs both in normal (tested 10 mins) and safe mode (tested 30 mins). This is the same as ComboFix, which I tested up to an hour and a half in safe mode, where it hangs right after alerting me to the rootkit. (This symptom continues even after everything below.) As a result of no DDS logs, I apologize for the long post, but I wanted to provide all potentially relevant information.

Note: before getting to the above steps, I got a clean scan on AVG, Spybot Search & Destroy, and TDSSKiller. Also, I've run Malwarebytes Anti-Malware Pro (trial), which picked up the infection, told me to reboot to clean, and got a clean scan after those steps. I still had the symptom of PING.exe running in the background, and Comodo Firewall was picking up a lot of activity on it.

While going through all these steps, things have been going downhill. When I say DDS & ComboFix hang, the cursor remains blinking, but Windows is non-responsive. The DDS & ComboFix windows will not close, although the close button animates to respond to the click. I can get one action in Explorer (e.g. attempt to run something on the start menu, ctrl-alt-del splash screen and click Task Manager, use a menu on a system tray icon, click Shutdown off the start menu), but although the action seems to complete (e.g. the start menu closes after I hit Shutdown), the action never takes place. Explorer is then unresponsive to further actions, although the mouse is active. This occurs in both normal and safe modes. As such, I've had probably a dozen hard shutdowns in the past 24 hours. Although the HDD indicator light is inactive, listening carefully to the drive itself, the drive sounds active.

I've lost the keyboard and mouse drivers (I've been running on a USB keyboard/mouse instead of the built-in keyboard and touchpad), the audio driver, and experienced a 0x0a blue screen related to a USB drive I inserted to transfer new diagnostic tools. While trying to fix the keyboard/mouse drivers, I ran Startup Repair off a Win7 Ultimate x86 CD and that picked up some problems (and repaired them). Additionally, I've had a few random crashes (literal freeze where the mouse freezes as well). Another note: it seems the Windows crashes occur more frequently when I've disabled the WLAN card via an external switch on the laptop - not sure if this is coincidence or causal correlation. Seems like corruption, or possibly even newly bad sectors, but I've been mainly focused on this

Regarding my setup: basic system specs are at the bottom of the post. The system is configured to dual-boot Win7 on an NTFS partition and Ubuntu 11.10 on an ext4 partition. I can use Ubuntu without difficulty, of course, despite the Windows mess. I believe Ubuntu could mount the NTFS partition and that could be used for troubleshooting. Additionally, I have a spare hard drive with a clean install of Win7 Ultimate which I could drop in the laptop and run the problem drive externally.

Because it seems like every troubleshooting step I try that results in a hang and hard shutdown actually sets me back further, I'm done with trial & (certain) error. I apologize for asking for help after creating such a mess. I feel that I should only take steps guided by someone with experience in order to reduce further collateral damage. As such, I haven't taken steps like generating an HJT log in order to avoid another hang/hard shutdown if HJT is unhelpful. I noted the Ubuntu-NTFS-mount or run-drive-externally options in case it's better to repair first and heal the infection later instead of vice versa.

I do also have a system restore dated 1/30 available, although the infection only occurred on 2/6 @ 2:30pm PST, so I was hoping not to lose a week of system changes unless necessary. Since my handwriting is horrible and thus I can't get by without a laptop for note-taking for law school, I will have the system with me 24/7. At school, I'd be reduced to transferring utilities from within Ubuntu to the Windows partition/USB drive. (Don't want to put Windows on the internet due to the infection.) Note: mouse/keyboard drivers are corrupted right now on Windows (Ubuntu's fine), so I have no way to operate Windows unless I'm near a box where I can borrow a keyboard/mouse. At home I have a separate desktop (with keyboard and mouse), so no problem there.

Again, I apologize since I think I've made this more of a mess than it needs to be. I thank you in advance for leading me out of the woods.

-Ed
Layperson's Tech Guru
Tech Guru's worst nightmare

Basic System Specs: Win7 Home Premium SP1 x86, Dell XPS M1530, 2.4 GHz Core 2, 4 GB RAM