
Infected with ROOTKIT.0ACCESS



Hi,

I recently noticed Norton popping up saying malware detected.

So I downloaded MBAM and ran a quick scan to find 2 infections.

Trojan.Dropper.BCMiner

Rootkit.0Access

So I hit Quarantine and was able to quarantine and delete them (at least that's what MBAM notified).

After restart I found that some of the programs installed on the laptop don't work as expected.

So I tried restoring the system with System Restore, but it also failed and MBAM displayed the following in a pop-up window:

MBAM has detected a malicious process attempting to start and has blocked the execution attempt. Please select an option below.

C:\WINDOWS\INSTALLER\{SOME ALPHANUMERIC CODE}\U\80000032.@ROOTKIT.0ACCESS

Disable Protection Ignore Quarantine

I clicked the Quarantine, but not sure if the infection is removed completely and any of my files have been corrupted.

What should I do to see if the infection is still there or not?

Does my system need some files to be restored with a cleaner file?

I am on Windows 7 Professional 64 bit.


Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

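The reply above asks for DDS.txt and Attach.txt. As an added example that is not part of this thread and not code from the DDS, MBAM or RogueKiller tools, here is a small Python triage script that scans DDS-style log lines for the items a helper would follow up on in logs like the ones the original poster attaches later: UAC policies set to 0 under mPolicies-system, BHO entries registered with "No File", Service Control Manager events 7026 (boot-start drivers failed to load), 7024 (Windows Firewall terminated with access denied) and 7003 (a dependency on a service that is not installed), plus a path check for the Installer\{GUID}\U\ shape of the file MBAM blocked in the first post. The sample lines are constructed from entries in this thread, and the choice of indicators is my own, not a rule of any of those tools.

```python
"""Triage DDS-style log lines (Attach.txt / DDS.txt) for items worth follow-up.

Added example; the indicator list below is the author's own choice and not a
rule of DDS, MBAM or the forum.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on lines from this thread's logs (not a real file).
SAMPLE_LOG = r"""
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
8/9/2012 9:15:14 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx64 ccSet_NAV ctxusbm discache eeCtrl IDSVia64 spldr SRTSP SRTSPX SymIRON SymNetS Wanarpv6
8/9/2012 2:57:34 PM, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error Access is denied..
8/14/2012 6:46:17 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
"""


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str


# mPolicies-system entries: a value of 0 for any of these disables part of UAC.
UAC_POLICY_RE = re.compile(
    r"^mPolicies-system:\s*(ConsentPromptBehaviorAdmin|EnableLUA|PromptOnSecureDesktop)\s*=\s*(\d+)"
)
# A BHO whose CLSID is still registered but whose DLL is gone ("No File").
BHO_NO_FILE_RE = re.compile(r"^BHO(?:-X64)?:\s*(\{[0-9A-Fa-f-]+\})\s*-\s*No File$")
# "date time, Error: Source [id] - message", the way DDS prints Event Viewer entries.
EVENT_RE = re.compile(r"^(?P<ts>.+?),\s*Error:\s*(?P<source>.+?)\s*\[(?P<id>\d+)\]\s*-\s*(?P<msg>.*)$")
# Shape of the path MBAM blocked in the first post: ...\Installer\{GUID}\U\...
INSTALLER_U_RE = re.compile(r"\\installer\\\{[0-9a-f-]+\}\\u\\", re.IGNORECASE)


def check_uac_policy(line):
    m = UAC_POLICY_RE.match(line)
    if m and m.group(2) == "0":
        return Finding("medium", f"UAC weakened: {m.group(1)} = 0", line)
    return None


def check_orphaned_bho(line):
    m = BHO_NO_FILE_RE.match(line)
    if m:
        return Finding("medium", f"BHO {m.group(1)} registered but its DLL is missing", line)
    return None


def check_event(line):
    m = EVENT_RE.match(line)
    if not m:
        return None
    event_id, msg = int(m.group("id")), m.group("msg")
    if event_id == 7026:  # boot-start drivers that failed to load (AV drivers among them)
        drivers = msg.split(":", 1)[1].split()
        return Finding("high", f"{len(drivers)} boot-start driver(s) failed to load: {' '.join(drivers)}", line)
    if event_id == 7024 and "Windows Firewall" in msg and "Access is denied" in msg:
        return Finding("high", "Windows Firewall service cannot start (access denied)", line)
    if event_id == 7003:  # a service depends on one that is not installed
        dep = re.search(r"depends the following service:\s*(\w+)", msg)
        if dep:
            return Finding("high", f"service dependency missing: {dep.group(1)}", line)
    return None


def is_installer_u_path(path):
    """True for the Installer\\{GUID}\\U\\ shape seen in the blocked path."""
    return bool(INSTALLER_U_RE.search(path))


CHECKS = (check_uac_policy, check_orphaned_bho, check_event)


def triage(text):
    """Run every check over every non-empty line; return the findings in order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            f = check(line)
            if f:
                findings.append(f)
                break  # one finding per line is enough
    return findings


def summarize(findings):
    """Count findings by severity."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it on a saved DDS.txt or Attach.txt by passing the file's contents to `triage()`. The script only highlights lines; deciding whether a failed driver, a missing BFE dependency or a disabled UAC setting is damage or a deliberate configuration is still the helper's call from the full log.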

ATTACH.TXT

-------------------

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 5/2/2012 5:59:02 AM

System Uptime: 8/14/2012 6:45:14 PM (1 hours ago)

.

Motherboard: LENOVO | | Base Board Product Name

Processor: Intel® Core i3-2350M CPU @ 2.30GHz | CPU1 | 1380/1333mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 98 GiB total, 56.753 GiB free.

D: is FIXED (NTFS) - 146 GiB total, 96.398 GiB free.

E: is FIXED (NTFS) - 222 GiB total, 140.419 GiB free.

F: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64

PNP Device ID: ROOT\NET\0000

Service: vpnva

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: AGN Virtual Network Adapter

Device ID: ROOT\NET\0001

Manufacturer: AT&T

Name: AGN Virtual Network Adapter

PNP Device ID: ROOT\NET\0001

Service: avpnnic

.

==== System Restore Points ===================

.

RP94: 8/12/2012 9:37:10 PM - ComboFix created restore point

RP95: 8/12/2012 10:07:33 PM - After Virus Removal

RP96: 8/14/2012 6:39:11 PM - Restore Operation

.

==== Installed Programs ======================

.

µTorrent

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.3)

AT&T Global Network Client Managed VPN Edition

Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver

Canon MF Toolbox 4.9.1.1.mf09

Cisco AnyConnect VPN Client

Cisco WebEx Meetings

Citrix Authentication Manager

Citrix Receiver

Citrix Receiver (HDX Flash Redirection)

Citrix Receiver Inside

Citrix Receiver(Aero)

Citrix Receiver(DV)

Citrix Receiver(USB)

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Energy Management

FileZilla Client 3.5.3

Google Calendar Sync

Google Chrome

Google Talk (remove only)

Google Talk Plugin

Intel® Management Engine Components

Intel® Processor Graphics

Intel® Rapid Storage Technology

Java Auto Updater

Java 6 Update 26

Java SE Development Kit 6 Update 26

Juniper Networks Host Checker

Juniper Networks Network Connect 6.5.0

Juniper Networks Secure Application Manager

Juniper Networks Secure Meeting 7.0.0

Juniper Networks Setup Client

Lenovo EasyCamera

Lenovo OneKey Recovery

Lenovo_Wireless_Driver

Malwarebytes Anti-Malware version 1.62.0.1300

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Home and Business 2010

Microsoft Office Live Meeting 2007

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Single Image 2010

Microsoft Office Word MUI (English) 2010

Microsoft Visual C++ 2005 Redistributable

Mozilla Firefox 12.0 (x86 en-US)

Mozilla Firefox 14.0.1 (x86 en-US)

Mozilla Maintenance Service

Network Print Monitor for Windows

Network Recording Player

Norton AntiVirus

Online Plug-in

Oracle Demantra Spectrum

Realtek USB 2.0 Reader Driver

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition

Security Update for Microsoft InfoPath 2010 (KB2553322) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition

Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition

Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)

Security Update for Microsoft Visio Viewer 2010 (KB2597981) 32-Bit Edition

Self-service Plug-in

Skype Click to Call

Skype™ 5.10

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

UserGuide

VLC media player 1.1.7

Yahoo! Messenger

Yahoo! Software Update

.

==== Event Viewer Messages From Past Week ========

.

8/9/2012 9:15:35 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

8/9/2012 9:15:35 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

8/9/2012 9:15:33 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\bcmihvsrv64.dll Error Code: 21

8/9/2012 9:15:33 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

8/9/2012 9:15:27 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

8/9/2012 9:15:14 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx64 ccSet_NAV ctxusbm discache eeCtrl IDSVia64 spldr SRTSP SRTSPX SymIRON SymNetS Wanarpv6

8/9/2012 8:49:20 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

8/9/2012 8:49:02 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

8/9/2012 8:49:02 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

8/9/2012 8:24:22 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{18CA4AA3-C559-4156-A736-92A528ED5574} because another computer on the network has the same name. The server could not start.

8/9/2012 8:24:22 PM, Error: NetBT [4321] - The name "ADMIN-PC :20" could not be registered on the interface with IP address 10.71.3.59. The computer with the IP address 10.71.6.40 did not allow the name to be claimed by this computer.

8/9/2012 6:25:11 PM, Error: NetBT [4321] - The name "ADMIN-PC :20" could not be registered on the interface with IP address 172.30.26.253. The computer with the IP address 10.0.12.66 did not allow the name to be claimed by this computer.

8/9/2012 6:25:10 PM, Error: NetBT [4321] - The name "ADMIN-PC :0" could not be registered on the interface with IP address 172.30.26.253. The computer with the IP address 10.0.12.66 did not allow the name to be claimed by this computer.

8/9/2012 2:57:34 PM, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error Access is denied..

8/9/2012 10:39:43 AM, Error: Service Control Manager [7023] - The OracleMTSRecoveryService service terminated with the following error: The wait operation timed out.

8/8/2012 5:41:18 PM, Error: Schannel [36887] - The following fatal alert was received: 10.

8/14/2012 6:46:54 PM, Error: Service Control Manager [7024] - The OracleDBConsoleorcl service terminated with service-specific error The system cannot find the file specified..

8/14/2012 6:46:17 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

8/14/2012 6:45:56 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

8/14/2012 6:45:54 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

8/14/2012 5:32:48 AM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 172.16.228.146. The computer with the IP address 172.16.229.153 did not allow the name to be claimed by this computer.

8/13/2012 7:58:35 AM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 172.16.228.146. The computer with the IP address 172.16.229.68 did not allow the name to be claimed by this computer.

8/13/2012 10:24:59 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer OWNER-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{18CA4AA3-C559-4156-A736-92A528ED5574}. The master browser is stopping or an election is being forced.

8/12/2012 9:34:39 PM, Error: Service Control Manager [7034] - The Skype C2C Service service terminated unexpectedly. It has done this 1 time(s).

8/12/2012 8:00:43 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

8/12/2012 6:29:53 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the OracleMTSRecoveryService service to connect.

8/12/2012 6:29:53 PM, Error: Service Control Manager [7000] - The OracleMTSRecoveryService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

8/12/2012 4:26:52 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NAV service.

8/11/2012 11:35:23 PM, Error: BTHUSB [17] - The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

8/11/2012 10:33:59 PM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 172.16.228.146. The computer with the IP address 172.16.223.58 did not allow the name to be claimed by this computer.

8/10/2012 8:21:10 AM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.108. The computer with the IP address 192.168.1.104 did not allow the name to be claimed by this computer.

8/10/2012 6:49:46 AM, Error: NetBT [4321] - The name "ADMIN-PC :0" could not be registered on the interface with IP address 10.71.3.59. The computer with the IP address 10.71.6.40 did not allow the name to be claimed by this computer.

8/10/2012 12:18:59 AM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 10.71.3.59. The computer with the IP address 10.71.7.49 did not allow the name to be claimed by this computer.

.

==== End Of File ===========================

DDS.TXT

-------------

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26

Run by Admin at 19:28:36 on 2012-08-14

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4040.1567 [GMT -4:00]

.

AV: Norton AntiVirus *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton AntiVirus *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\system32\conhost.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files (x86)\Common Files\Juniper Networks\JUNS\dsAccessService.exe

C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe

C:\Program Files (x86)\AT&T Global Network Client\netcfgsvr.exe

C:\Program Files (x86)\AT&T Global Network Client\NetClientSvc.exe

d:\app\Admin\product\11.2.0\dbhome_1\bin\omtsreco.exe

C:\Windows\system32\conhost.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

C:\Program Files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe

C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Windows\SysWOW64\cmd.exe

d:\app\Admin\product\11.2.0\dbhome_1\jdk\bin\java.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\AT&T Global Network Client\NetLogSvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe

C:\Program Files (x86)\Lenovo\Energy Management\utility.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\Program Files (x86)\Google\Google Talk\googletalk.exe

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

C:\Program Files (x86)\USB Camera2\VM332_STI.EXE

C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe

C:\Program Files (x86)\Citrix\ICA Client\concentr.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

C:\Windows\SysWOW64\RunDll32.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe

C:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files (x86)\AT&T Global Network Client\NetMsg.exe

C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe

C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe

d:\app\admin\product\11.2.0\dbhome_1\bin\ORACLE.EXE

C:\Windows\System32\svchost.exe -k WerSvcGroup

d:\app\Admin\product\11.2.0\dbhome_1\BIN\TNSLSNR.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe

C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Program Files (x86)\uTorrent\uTorrent.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

mStart Page = hxxp://in.yahoo.com/?fr=fp-spt_gen

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\IPS\IPSBHO.DLL

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

uRun: [googletalk] "C:\Program Files (x86)\Google\Google Talk\googletalk.exe" /autostart

uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet

uRun: [NetSP - restore settings on power failure] "C:\Program Files (x86)\AT&T Global Network Client\NetSP.exe" -show

mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun: [332BigDog] C:\Program Files (x86)\USB Camera2\VM332_STI.EXE

mRun: [updatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\OneKey Recovery" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

StartupFolder: C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AT&TGL~1.LNK - C:\Windows\Installer\{37880B62-627C-4F6B-BB85-984BB7E26125}\NetGM1_89563E53ECF44E868145468A128BDC83.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\Lenovo\Bluetooth Software\BTTray.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105

IE: Send image to &Bluetooth Device... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

LSP: mswsock.dll

Trusted Zone: solutionbeacon.net

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.ultradent.com/CACHE/stc/2/binaries/vpnweb.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} -

TCP: DhcpNameServer = 172.16.0.1

TCP: Interfaces\{18CA4AA3-C559-4156-A736-92A528ED5574} : DhcpNameServer = 172.16.0.1

TCP: Interfaces\{18CA4AA3-C559-4156-A736-92A528ED5574}\F4574737964656 : DhcpNameServer = 209.26.88.31 199.2.252.10

TCP: Interfaces\{38F75B14-47DE-47B4-AEBE-9D57EE0B3643} : NameServer = 155.132.2.31,155.132.9.10

TCP: Interfaces\{7D90D1E7-7C3D-4E8E-A7E0-534AF1458588} : DhcpNameServer = 68.105.28.16 68.105.29.16

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

AppInit_DLLs: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll

BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO-X64: 0x1 - No File

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\IPS\IPSBHO.DLL

BHO-X64: Norton Vulnerability Protection - No File

BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

mRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun-x64: [332BigDog] C:\Program Files (x86)\USB Camera2\VM332_STI.EXE

mRun-x64: [updatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\OneKey Recovery" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm

AppInit_DLLs-X64: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ncfa4qkh.default\

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=

FF - plugin: C:\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: C:\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Users\Admin\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: C:\Users\Admin\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

FF - plugin: C:\Users\Admin\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll

FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

.

============= SERVICES / DRIVERS ===============

.

R0 LHDmgr;LHDmgr;C:\Windows\system32\DRIVERS\LhdX64.sys --> C:\Windows\system32\DRIVERS\LhdX64.sys [?]

R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NAVx64\1307010.005\SYMDS64.SYS --> C:\Windows\system32\drivers\NAVx64\1307010.005\SYMDS64.SYS [?]

R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NAVx64\1307010.005\SYMEFA64.SYS --> C:\Windows\system32\drivers\NAVx64\1307010.005\SYMEFA64.SYS [?]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120804.001\BHDrvx64.sys [2012-8-8 1161376]

R1 ccSet_NAV;Norton AntiVirus Settings Manager;C:\Windows\system32\drivers\NAVx64\1307010.005\ccSetx64.sys --> C:\Windows\system32\drivers\NAVx64\1307010.005\ccSetx64.sys [?]

R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\system32\DRIVERS\ctxusbm.sys --> C:\Windows\system32\DRIVERS\ctxusbm.sys [?]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120810.001\IDSviA64.sys [2012-8-12 509088]

R1 NEOFLTR_650_15977;Juniper Networks TDI Filter Driver (NEOFLTR_650_15977);\??\C:\Windows\system32\Drivers\NEOFLTR_650_15977.SYS --> C:\Windows\system32\Drivers\NEOFLTR_650_15977.SYS [?]

R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NAVx64\1307010.005\Ironx64.SYS --> C:\Windows\system32\drivers\NAVx64\1307010.005\Ironx64.SYS [?]

R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NAVx64\1307010.005\SYMNETS.SYS --> C:\Windows\system32\Drivers\NAVx64\1307010.005\SYMNETS.SYS [?]

R1 VWiFiFlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-4 63928]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-5-2 13336]

R2 JuniperAccessService;Juniper Unified Network Service;C:\Program Files (x86)\Common Files\Juniper Networks\JUNS\dsAccessService.exe [2011-6-2 198520]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-8-14 655944]

R2 NAV;Norton AntiVirus;C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccsvchst.exe [2012-5-18 138232]

R2 NetClientSvc;AT&T Global Network Client Service;C:\Program Files (x86)\AT&T Global Network Client\NetClientSvc.exe [2012-3-27 370528]

R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-7-5 3048136]

R2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;C:\Program Files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe [2011-6-24 317296]

R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-5-2 2656280]

R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-5-18 641464]

R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\Windows\system32\DRIVERS\AcpiVpc.sys --> C:\Windows\system32\DRIVERS\AcpiVpc.sys [?]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-9 138912]

R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]

R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]

R3 NetLogSvc;NetLogSvc;C:\Program Files (x86)\AT&T Global Network Client\NetLogSvc.exe [2012-3-27 82272]

R3 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;d:\app\Admin\product\11.2.0\dbhome_1\BIN\TNSLSNR --> d:\app\Admin\product\11.2.0\dbhome_1\BIN\TNSLSNR [?]

R3 OracleServiceORCL;OracleServiceORCL;d:\app\admin\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL --> d:\app\admin\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL [?]

R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

R3 vm2uvcflt;Vimicro USB Camera Filter 2;C:\Windows\system32\Drivers\vm2uvcflt.sys --> C:\Windows\system32\Drivers\vm2uvcflt.sys [?]

R3 vm332avs;Lenovo Camera2;C:\Windows\system32\Drivers\vm332avs.sys --> C:\Windows\system32\Drivers\vm332avs.sys [?]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-7 160944]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-5-7 250056]

S3 BTWAMPFL;BTWAMPFL;C:\Windows\system32\DRIVERS\btwampfl.sys --> C:\Windows\system32\DRIVERS\btwampfl.sys [?]

S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]

S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]

S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-18 129976]

S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2011-1-5 340240]

S3 OracleOraDb11g_home1ClrAgent;OracleOraDb11g_home1ClrAgent;d:\app\Admin\product\11.2.0\dbhome_1\bin\OraClrAgnt.exe agent_sid=CLRExtProc max_dispatchers=2 tcp_dispatchers=0 max_task_threads=6 max_sessions=25 ENVS="EXTPROC_DLLS=ONLY:d:\app\Admin\product\11.2.0\dbhome_1\bin\oraclr11.dll" --> d:\app\Admin\product\11.2.0\dbhome_1\bin\OraClrAgnt.exe agent_sid=CLRExtProc max_dispatchers=2 tcp_dispatchers=0 max_task_threads=6 max_sessions=25 ENVS=EXTPROC_DLLS=ONLY:d:\app\Admin\product\11.2.0\dbhome_1\bin\oraclr11.dll [?]

S3 OracleVssWriterORCL;Oracle ORCL VSS Writer Service;d:\app\admin\product\11.2.0\dbhome_1\bin\OraVSSW.exe ORCL --> d:\app\admin\product\11.2.0\dbhome_1\bin\OraVSSW.exe ORCL [?]

S3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUVStor.sys --> C:\Windows\system32\Drivers\RtsUVStor.sys [?]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S3 wsvd;wsvd;C:\Windows\system32\DRIVERS\wsvd.sys --> C:\Windows\system32\DRIVERS\wsvd.sys [?]

S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;d:\app\admin\product\11.2.0\dbhome_1\Bin\extjob.exe ORCL --> d:\app\admin\product\11.2.0\dbhome_1\Bin\extjob.exe ORCL [?]

.

=============== File Associations ===============

.

vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*

vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*

jsefile\shell\open2\command=C:\Windows\System32\CScript.exe "%1" %*

.

=============== Created Last 30 ================

.

2012-08-14 22:19:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-08-14 22:19:44 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-08-14 20:54:51 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%

2012-08-13 00:44:42 -------- d-sh--w- C:\$RECYCLE.BIN

2012-08-12 13:25:52 -------- d-----w- C:\Users\Admin\AppData\Roaming\Malwarebytes

2012-08-12 13:25:33 -------- d-----w- C:\ProgramData\Malwarebytes

2012-08-09 13:14:01 -------- d-----w- C:\Users\Admin\AppData\Local\NPE

2012-08-09 08:31:21 27256 ----a-w- C:\Windows\System32\drivers\FixZeroAccess.sys

2012-08-02 06:12:24 -------- d-----w- C:\Users\Admin\AppData\Local\ElevatedDiagnostics

2012-07-26 13:08:09 -------- d-----w- C:\Users\Admin\Tracing

.

==================== Find3M ====================

.

2012-08-14 23:18:29 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-14 23:18:29 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-08-06 21:46:58 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-06-12 03:08:36 3148800 ----a-w- C:\Windows\System32\win32k.sys

2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll

2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll

2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll

2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll

2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll

2012-06-04 14:57:14 455680 ----a-w- C:\Windows\System32\deploytk.dll

2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll

2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-06-02 09:49:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-06-02 09:45:12 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys

2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys

2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys

2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll

2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll

2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll

2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll

2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll

2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll

2012-05-18 11:08:50 544032 ----a-w- C:\Windows\System32\npdeployJava1.dll

2012-05-18 11:08:50 525600 ----a-w- C:\Windows\System32\deployJava1.dll

2012-05-17 02:44:58 93272 ----a-w- C:\Windows\System32\drivers\ctxusbm.sys

1996-05-22 10:19:02 25088 ----a-w- C:\Program Files (x86)\ZAPGRAB2.EXE

.

============= FINISH: 19:29:49.80 ===============


Appreciate your help MrC!!

RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Admin [Admin rights]

Mode: Scan -- Date: 08/14/2012 19:36:13

¤¤¤ Bad processes: 1 ¤¤¤

[SUSP PATH] c2c_service.exe -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 9 ¤¤¤

[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{38F75B14-47DE-47B4-AEBE-9D57EE0B3643} : NameServer (155.132.2.31,155.132.9.10) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{38F75B14-47DE-47B4-AEBE-9D57EE0B3643} : NameServer (155.132.2.31,155.132.9.10) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Admin\AppData\Local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\n.) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\admin\appdata\local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\admin\appdata\local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\admin\appdata\local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

[Susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> FOUND

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HITACHI HTS545050B9A300 +++++

--- User ---

[MBR] aa0b2ff107add63d95adeafa737941cc

[BSP] 15fc16227e8fccae680f59a76c9e4889 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 99900 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 204802048 | Size: 150000 Mo

3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 512002048 | Size: 226938 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt


Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.<-------

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply. (FRST.txt and Search.txt)

MrC

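One way to read the search.txt that MrC asks for and flag the copy of services.exe whose hash departs from the component-store copy, as an added example that is neither FRST's nor MrC's code. The three embedded records are the ones posted in this thread, and treating the copy under C:\Windows\winsxs as the trusted reference is an assumption of the example.

```python
"""Flag a copy of services.exe whose hash deviates from the component store.

Added example, not part of this thread and not FRST's or MrC's code. It parses
the two-line records FRST writes to Search.txt (a path line followed by a line
with create date, modify date, size, attributes, version-info company and MD5)
and compares every copy of the searched file against the copy that lives under
C:\\Windows\\winsxs, the store Windows uses for its own repairs (assumption:
that copy is the trusted reference).
"""
import re
from collections import namedtuple

# Constructed sample: the three records from the Search.txt posted in the thread.
SAMPLE_SEARCH = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

C:\Windows\erdnt\cache64\services.exe
[2012-08-12 16:01] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
"""

Record = namedtuple("Record", "path created modified size attrs company md5")

# Attribute line: "[created] - [modified] - size attrs (company) MD5"
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_search(text):
    """Return one Record per (path line, attribute line) pair in a Search.txt."""
    records = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = DETAIL_RE.match(line)
        if m is None or i == 0:
            continue
        records.append(Record(path=lines[i - 1], created=m["created"],
                              modified=m["modified"], size=int(m["size"]),
                              attrs=m["attrs"], company=m["company"],
                              md5=m["md5"].upper()))
    return records


def find_deviating(records, reference_dir="\\winsxs\\"):
    """Return the records whose MD5 differs from every component-store copy.

    Returns None when no reference copy was found, so the caller can tell
    "nothing to compare against" from "everything matches". Neither the size
    nor the company field is used as evidence: in the sample all three copies
    have the same size, and the company string comes from the file's version
    resource, which a patched binary still carries unchanged (the System32
    copy still reads "Microsoft Corporation"). Only the hash separates them.
    """
    reference = {r.md5 for r in records if reference_dir.lower() in r.path.lower()}
    if not reference:
        return None
    return [r for r in records if r.md5 not in reference]


def report(text):
    """Human-readable summary for a Search.txt; used when run stand-alone."""
    records = parse_search(text)
    bad = find_deviating(records)
    if bad is None:
        return "no winsxs reference copy found; cannot compare"
    if not bad:
        return "all %d copies match the component store" % len(records)
    return "\n".join("MISMATCH %s md5=%s (size %d)" % (r.path, r.md5, r.size)
                     for r in bad)


if __name__ == "__main__":
    print(report(SAMPLE_SEARCH))
```

Run over the sample, only C:\Windows\System32\services.exe is reported; the winsxs and erdnt copies share a hash.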

SEARCH.TXT

===========

Farbar Recovery Scan Tool Version: 09-08-2012

Ran by SYSTEM at 2012-08-14 20:37:30

Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

C:\Windows\erdnt\cache64\services.exe

[2012-08-12 16:01] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

FRST.TXT

========

Scan result of Farbar Recovery Scan Tool Version: 09-08-2012

Ran by SYSTEM at 14-08-2012 20:32:06

Running from H:\

Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)

The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [167960 2011-03-29] (Intel Corporation)

HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391704 2011-03-29] (Intel Corporation)

HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [418840 2011-03-29] (Intel Corporation)

HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-27] ()

HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1933584 2011-01-05] (Intel® Corporation)

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2741544 2011-04-07] (Synaptics Incorporated)

HKLM\...\Run: [Energy Management] C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [9753024 2012-05-02] (Lenovo (Beijing) Limited)

HKLM\...\Run: [EnergyUtility] C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [5908928 2012-05-02] (Lenovo(beijing) Limited)

HKLM\...\Run: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\OneKey Recovery" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery" [222504 2009-05-13] (CyberLink Corp.)

HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2011-02-17] (Intel Corporation)

HKLM-x32\...\Run: [332BigDog] C:\Program Files (x86)\USB Camera2\VM332_STI.EXE [536576 2010-01-18] (Vimicro)

HKLM-x32\...\Run: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\OneKey Recovery" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery" [222504 2009-05-13] (CyberLink Corp.)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-04-03] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [371896 2012-05-22] (Citrix Systems, Inc.)

HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)

HKU\Admin\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)

HKU\Admin\...\Run: [googletalk] "C:\Program Files (x86)\Google\Google Talk\googletalk.exe" /autostart [3289088 2007-11-20] (Google)

HKU\Admin\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [6591800 2012-02-22] (Yahoo! Inc.)

HKU\Admin\...\Run: [NetSP - restore settings on power failure] "C:\Program Files (x86)\AT&T Global Network Client\NetSP.exe" -show [55136 2012-03-27] (AT&T)

Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)

Tcpip\Parameters: [DhcpNameServer] 172.16.0.1

Tcpip\..\Interfaces\{38F75B14-47DE-47B4-AEBE-9D57EE0B3643}: [NameServer]155.132.2.31,155.132.9.10

Startup: C:\Users\Admin\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\AT&T Global Network Client Monitor.lnk

ShortcutTarget: AT&T Global Network Client Monitor.lnk -> C:\Windows\Installer\{37880B62-627C-4F6B-BB85-984BB7E26125}\NetGM1_89563E53ECF44E868145468A128BDC83.exe (Flexera Software, Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

ShortcutTarget: Bluetooth.lnk -> C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk

ShortcutTarget: Google Calendar Sync.lnk -> C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe (Google)

==================== Services (Whitelisted) ======

2 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [953632 2010-12-14] (Broadcom Corporation.)

2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)

3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-01-04] ()

2 NAV; "C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe" /s "NAV" /m "C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)

2 netcfgsvr; "C:\Program Files (x86)\AT&T Global Network Client\netcfgsvr.exe" [1124192 2012-03-27] (AT&T)

2 NetClientSvc; "C:\Program Files (x86)\AT&T Global Network Client\NetClientSvc.exe" [370528 2012-03-27] (AT&T)

3 NetLogSvc; C:\Program Files (x86)\AT&T Global Network Client\NetLogSvc.exe [82272 2012-03-27] (AT&T)

2 SwiCardDetectSvc; "C:\Program Files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe" [317296 2011-06-23] (Sierra Wireless, Inc.)

2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2010-12-20] (Intel Corporation)

2 OracleDBConsoleorcl; C:\app\Admin\product\11.2.0\dbhome_1\bin\nmesrvc.exe [x]

4 OracleJobSchedulerORCL; C:\app\admin\product\11.2.0\dbhome_1\Bin\extjob.exe ORCL [x]

2 OracleMTSRecoveryService; C:\app\Admin\product\11.2.0\dbhome_1\bin\omtsreco.exe "OracleMTSRecoveryService" [x]

3 OracleOraDb11g_home1ClrAgent; C:\app\Admin\product\11.2.0\dbhome_1\bin\OraClrAgnt.exe agent_sid=CLRExtProc max_dispatchers=2 tcp_dispatchers=0 max_task_threads=6 max_sessions=25 ENVS="EXTPROC_DLLS=ONLY:C:\app\Admin\product\11.2.0\dbhome_1\bin\oraclr11.dll" [x]

3 OracleServiceORCL; C:\app\admin\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL [x]

3 OracleVssWriterORCL; C:\app\admin\product\11.2.0\dbhome_1\bin\OraVSSW.exe ORCL [x]

========================== Drivers (Whitelisted) =============

1 agnfilt; C:\Windows\System32\Drivers\agnfilt.sys [201728 2012-03-27] (AT&T)

3 avpnnic; C:\Windows\System32\Drivers\avpnnic.sys [14848 2012-03-27] (AT&T)

1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120804.001\BHDrvx64.sys [1161376 2012-06-18] (Symantec Corporation)

1 ccSet_NAV; C:\Windows\system32\drivers\NAVx64\1307010.005\ccSetx64.sys [167048 2011-11-29] (Symantec Corporation)

1 ctxusbm; C:\Windows\System32\Drivers\ctxusbm.sys [93272 2012-05-16] (Citrix Systems, Inc.)

1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-09] (Symantec Corporation)

3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-09] (Symantec Corporation)

1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120810.001\IDSvia64.sys [509088 2012-06-14] (Symantec Corporation)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)

3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\VirusDefs\20120811.008\ENG64.SYS [120440 2012-08-12] (Symantec Corporation)

3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\VirusDefs\20120811.008\EX64.SYS [2068600 2012-08-12] (Symantec Corporation)

1 NEOFLTR_650_15977; C:\Windows\System32\Drivers\NEOFLTR_650_15977.sys [100472 2010-06-04] (Juniper Networks)

1 SRTSP; C:\Windows\System32\Drivers\NAVx64\1307010.005\SRTSP64.SYS [737912 2012-03-28] (Symantec Corporation)

1 SRTSPX; C:\Windows\system32\drivers\NAVx64\1307010.005\SRTSPX64.SYS [37496 2012-03-28] (Symantec Corporation)

0 SymDS; C:\Windows\System32\drivers\NAVx64\1307010.005\SYMDS64.SYS [451192 2011-07-25] (Symantec Corporation)

0 SymEFA; C:\Windows\System32\drivers\NAVx64\1307010.005\SYMEFA64.SYS [1092728 2012-03-28] (Symantec Corporation)

3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-05-03] (Symantec Corporation)

1 SymIRON; C:\Windows\system32\drivers\NAVx64\1307010.005\Ironx64.SYS [190072 2012-03-28] (Symantec Corporation)

1 SymNetS; C:\Windows\System32\Drivers\NAVx64\1307010.005\SYMNETS.SYS [405624 2012-03-28] (Symantec Corporation)

3 OracleOraDb11g_home1TNSListener; d:\app\Admin\product\11.2.0\dbhome_1\BIN\TNSLSNR [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-08-14 16:03 - 2012-08-14 16:03 - 00000000 ____D C:\Program Files\7-Zip

2012-08-14 15:38 - 2012-08-14 15:38 - 00027406 ____A C:\Users\Admin\Desktop\DDS.txt

2012-08-14 15:36 - 2012-08-14 15:42 - 00002993 ____A C:\Users\Admin\Desktop\RKreport[1].txt

2012-08-14 15:35 - 2012-08-14 15:36 - 00000000 ____D C:\Users\Admin\Desktop\RK_Quarantine

2012-08-14 15:34 - 2012-08-14 15:34 - 00013337 ____A C:\Users\Admin\Desktop\Attach.txt

2012-08-14 15:32 - 2012-08-14 15:32 - 01558528 ____A C:\Users\Admin\Desktop\RogueKiller.exe

2012-08-14 15:27 - 2012-08-14 15:27 - 00607260 ____R (Swearware) C:\Users\Admin\Desktop\dds.scr

2012-08-14 14:46 - 2012-08-14 14:46 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_18_46_54.dmp

2012-08-14 14:38 - 2012-08-14 14:38 - 00003760 ____A C:\{F13A0D06-7D3F-400F-B04F-881773DFF0BB}

2012-08-14 14:30 - 2012-08-14 14:30 - 00003760 ____A C:\{BED12C49-D0A5-4DF1-8A70-38CFBDEE3223}

2012-08-14 14:28 - 2012-08-14 14:28 - 00023644 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_18_28_6.dmp

2012-08-14 14:19 - 2012-08-14 14:44 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-08-14 14:19 - 2012-08-14 14:19 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-08-14 14:19 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-08-14 14:10 - 2012-08-14 14:10 - 00003760 ____A C:\{4CCB44DE-5542-423D-80F5-EBBE8DA74D89}

2012-08-14 14:06 - 2012-08-14 14:06 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_18_6_3.dmp

2012-08-14 12:54 - 2012-08-14 12:54 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

2012-08-14 07:18 - 2012-08-14 07:18 - 01295536 ____A (Juniper Networks) C:\Users\Admin\Downloads\JuniperSetupClientInstaller.exe

2012-08-14 02:57 - 2012-08-14 02:57 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_6_57_18.dmp

2012-08-14 01:27 - 2012-08-14 01:27 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_5_27_3.dmp

2012-08-13 03:58 - 2012-08-13 03:58 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_13_7_58_12.dmp

2012-08-12 17:49 - 2012-08-12 17:49 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_21_49_48.dmp

2012-08-12 17:40 - 2012-08-12 17:40 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_21_40_21.dmp

2012-08-12 16:45 - 2012-08-12 16:45 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_20_45_0.dmp

2012-08-12 15:51 - 2012-08-12 17:36 - 00000000 ____D C:\Windows\erdnt

2012-08-12 15:36 - 2012-08-12 15:36 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_19_36_18.dmp

2012-08-12 15:30 - 2012-08-12 15:30 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_19_30_2.dmp

2012-08-12 14:43 - 2012-08-12 14:43 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_18_43_25.dmp

2012-08-12 14:30 - 2012-08-12 14:30 - 00021236 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_18_30_30.dmp

2012-08-12 12:27 - 2012-08-12 12:27 - 00021138 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_16_27_42.dmp

2012-08-12 07:06 - 2012-08-12 07:06 - 00000000 ____D C:\Windows\Sun

2012-08-12 05:39 - 2012-08-12 05:39 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_9_39_49.dmp

2012-08-12 05:25 - 2012-08-12 05:25 - 00000000 ____D C:\Users\All Users\Malwarebytes

2012-08-12 05:25 - 2012-08-12 05:25 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Malwarebytes

2012-08-12 05:24 - 2012-08-12 05:24 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Admin\Downloads\mbam-setup-1.62.0.1300.exe

2012-08-12 04:48 - 2012-08-12 04:48 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_8_48_53.dmp

2012-08-12 04:16 - 2012-08-12 04:16 - 00022640 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_8_16_43.dmp

2012-08-11 19:36 - 2012-08-11 19:36 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_11_23_36_24.dmp

2012-08-11 18:33 - 2012-08-11 18:33 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_11_22_33_40.dmp

2012-08-11 07:33 - 2012-08-11 07:33 - 00748749 ____A C:\Users\Admin\Desktop\11Aug_collaborator.log

2012-08-10 16:12 - 2012-08-10 16:12 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_20_12_48.dmp

2012-08-10 11:03 - 2012-08-10 11:04 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_15_3_59.dmp

2012-08-10 09:53 - 2012-08-10 09:54 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_13_53_59.dmp

2012-08-10 04:20 - 2012-08-10 04:20 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_8_20_51.dmp

2012-08-10 02:50 - 2012-08-10 02:50 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_6_50_27.dmp

2012-08-09 20:08 - 2012-08-09 20:08 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_0_8_7.dmp

2012-08-09 16:24 - 2012-08-09 16:24 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_20_24_21.dmp

2012-08-09 13:43 - 2012-08-09 13:44 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_17_43_57.dmp

2012-08-09 11:26 - 2012-08-09 11:26 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_15_26_13.dmp

2012-08-09 10:58 - 2012-08-09 10:58 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_14_58_22.dmp

2012-08-09 10:51 - 2012-08-09 10:51 - 00000000 ____D C:\Users\Admin\Downloads\7zip

2012-08-09 10:45 - 2012-08-11 18:39 - 00003148 ____A C:\Users\Admin\Downloads\FSS.txt

2012-08-09 09:09 - 2012-08-09 09:09 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_13_9_55.dmp

2012-08-09 07:08 - 2012-08-09 07:08 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_11_8_28.dmp

2012-08-09 06:40 - 2012-08-09 06:40 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_10_40_14.dmp

2012-08-09 06:11 - 2012-08-14 13:17 - 00327680 ____A C:\Windows\System32\Ikeext.etl

2012-08-09 06:11 - 2012-08-09 06:11 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_10_11_17.dmp

2012-08-09 05:38 - 2012-08-09 05:38 - 00003760 ____A C:\{2F72F050-28E6-4D0B-900E-FADBCF0344A4}

2012-08-09 05:35 - 2012-08-09 05:35 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_9_35_25.dmp

2012-08-09 05:14 - 2012-08-09 05:17 - 00000000 ____D C:\Users\Admin\AppData\Local\NPE

2012-08-09 04:38 - 2012-08-09 04:38 - 00003792 ____A C:\{AD9548B9-ED37-4797-8AE3-3C0A49B01CF7}

2012-08-09 04:10 - 2012-08-09 04:10 - 00003760 ____A C:\{5397871D-4F6A-448E-9140-E2F2E927BF55}

2012-08-09 03:06 - 2012-08-09 03:06 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_7_6_50.dmp

2012-08-09 00:49 - 2012-08-09 00:49 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_4_49_0.dmp

2012-08-09 00:33 - 2012-08-09 00:33 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_4_33_44.dmp

2012-08-09 00:31 - 2012-08-11 18:30 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys

2012-08-09 00:06 - 2012-08-09 00:06 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_4_6_27.dmp

2012-08-08 17:05 - 2012-08-08 17:05 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_21_5_44.dmp

2012-08-08 12:56 - 2012-08-08 12:57 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_16_56_56.dmp

2012-08-08 08:50 - 2012-08-08 08:50 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_12_50_43.dmp

2012-08-08 04:51 - 2012-08-08 04:52 - 00022528 ____A C:\Users\Admin\Desktop\APQUAL_export.xls

2012-08-08 04:24 - 2012-08-08 04:25 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_8_24_59.dmp

2012-08-08 02:11 - 2012-08-08 02:11 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_6_11_2.dmp

2012-08-07 15:53 - 2012-08-07 15:53 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_7_19_53_21.dmp

2012-08-07 04:30 - 2012-08-07 04:30 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_7_8_30_35.dmp

2012-08-06 15:58 - 2012-08-06 15:58 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_19_58_43.dmp

2012-08-06 13:52 - 2012-08-13 19:42 - 00002411 ____A C:\Users\Admin\Desktop\Google Chrome.lnk

2012-08-06 13:47 - 2012-08-06 13:46 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe

2012-08-06 13:47 - 2012-08-06 13:46 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe

2012-08-06 13:47 - 2012-08-06 13:46 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe

2012-08-06 13:38 - 2012-08-06 13:38 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_17_38_29.dmp

2012-08-06 13:21 - 2012-08-06 13:21 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_17_21_5.dmp

2012-08-06 12:54 - 2012-08-06 12:54 - 00214016 ____A C:\Users\Admin\Downloads\RemoteEngineLaunch (1)

2012-08-06 12:34 - 2012-08-06 12:34 - 00214016 ____A C:\Users\Admin\Downloads\RemoteEngineLaunch

2012-08-06 04:24 - 2012-08-06 04:24 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_8_24_12.dmp

2012-08-05 15:08 - 2012-08-05 15:08 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_19_8_9.dmp

2012-08-05 06:24 - 2012-08-05 06:24 - 00023644 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_10_24_12.dmp

2012-08-05 05:34 - 2012-08-05 05:34 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_9_34_51.dmp

2012-08-05 04:15 - 2012-08-05 04:15 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_8_15_2.dmp

2012-08-05 04:06 - 2012-08-05 04:06 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_8_6_29.dmp

2012-08-05 01:07 - 2012-08-05 01:07 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_5_7_30.dmp

2012-08-04 18:19 - 2012-08-04 18:19 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_22_19_44.dmp

2012-08-04 17:06 - 2012-08-04 17:06 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_21_6_26.dmp

2012-08-04 16:50 - 2012-08-04 16:50 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_20_50_47.dmp

2012-08-04 15:27 - 2012-08-04 15:27 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_19_27_2.dmp

2012-08-04 04:24 - 2012-08-04 04:24 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_8_24_39.dmp

2012-08-04 02:13 - 2012-08-04 02:13 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_6_13_35.dmp

2012-08-03 19:25 - 2012-08-03 19:26 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_23_25_56.dmp

2012-08-03 08:49 - 2012-08-03 08:49 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_12_49_13.dmp

2012-08-03 08:37 - 2012-08-03 08:37 - 00023546 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_12_37_51.dmp

2012-08-03 08:13 - 2012-08-03 08:13 - 00023546 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_12_13_12.dmp

2012-08-03 06:02 - 2012-08-03 06:02 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_10_2_50.dmp

2012-08-03 04:22 - 2012-08-03 04:22 - 00022279 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_8_22_23.dmp

2012-08-03 03:14 - 2012-08-03 03:14 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_7_14_20.dmp

2012-08-03 01:50 - 2012-08-03 01:50 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_5_50_26.dmp

2012-08-02 19:17 - 2012-08-02 19:17 - 00019994 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_2_23_17_52.dmp

2012-08-02 10:25 - 2012-08-02 10:25 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_2_23_55_10.dmp

2012-08-01 23:18 - 2012-08-01 23:18 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_2_12_48_8.dmp

2012-08-01 05:30 - 2012-08-01 05:30 - 00022538 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_1_19_0_8.dmp

2012-07-31 16:14 - 2012-07-31 16:14 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_1_5_44_0.dmp

2012-07-31 10:20 - 2012-07-31 10:20 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_31_23_50_19.dmp

2012-07-30 18:12 - 2012-07-30 18:12 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_31_7_42_9.dmp

2012-07-30 10:17 - 2012-07-30 10:17 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_30_23_47_40.dmp

2012-07-30 06:38 - 2012-07-30 06:38 - 00021184 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_30_20_8_32.dmp

2012-07-29 19:25 - 2012-07-29 19:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_30_8_55_29.dmp

2012-07-29 09:24 - 2012-07-29 09:24 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_29_22_54_4.dmp

2012-07-28 22:53 - 2012-07-28 22:53 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_29_12_23_25.dmp

2012-07-28 06:56 - 2012-07-28 06:56 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_28_20_26_5.dmp

2012-07-27 19:59 - 2012-07-27 19:59 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_28_9_29_24.dmp

2012-07-27 05:24 - 2012-07-27 05:24 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_27_18_54_18.dmp

2012-07-26 18:49 - 2012-07-26 18:49 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_27_8_19_56.dmp

2012-07-26 07:03 - 2012-07-26 07:03 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_26_20_33_26.dmp

2012-07-26 05:08 - 2012-07-30 05:06 - 00000000 ____D C:\Users\Admin\Tracing

2012-07-26 05:08 - 2012-07-26 05:08 - 00000000 ____D C:\Users\Admin\Documents\My Meetings

2012-07-26 02:13 - 2012-07-26 02:13 - 00858939 ____A C:\Users\Admin\Downloads\collaborator[1].log

2012-07-25 19:09 - 2012-07-25 19:09 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_26_8_39_55.dmp

2012-07-25 11:13 - 2012-07-25 11:13 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_26_0_43_11.dmp

2012-07-25 05:15 - 2012-07-25 05:15 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_25_18_45_40.dmp

2012-07-24 19:08 - 2012-07-24 19:08 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_25_8_38_44.dmp

2012-07-24 09:25 - 2012-07-24 09:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_22_55_28.dmp

2012-07-24 08:09 - 2012-07-24 08:09 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_21_39_53.dmp

2012-07-24 07:24 - 2012-07-24 07:24 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_20_54_7.dmp

2012-07-24 04:28 - 2012-07-24 04:28 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_17_58_23.dmp

2012-07-24 04:24 - 2012-07-24 04:24 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Canon

2012-07-24 04:24 - 2012-07-24 04:24 - 00000000 ____A C:\Users\Admin\Sti_Trace.log

2012-07-23 19:44 - 2012-07-23 19:44 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_9_14_47.dmp

2012-07-23 17:12 - 2012-07-23 17:12 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_6_42_19.dmp

2012-07-23 10:13 - 2012-07-23 10:13 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_23_23_43_22.dmp

2012-07-23 07:26 - 2012-07-23 07:26 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_23_20_56_26.dmp

2012-07-22 18:24 - 2012-07-22 18:24 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_23_7_54_35.dmp

2012-07-22 04:22 - 2012-07-22 04:22 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_22_17_52_46.dmp

2012-07-21 19:22 - 2012-07-21 19:22 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_22_8_52_49.dmp

2012-07-21 04:01 - 2012-07-21 04:01 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_21_17_31_45.dmp

2012-07-21 03:24 - 2012-07-21 03:24 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_21_16_54_2.dmp

2012-07-20 04:26 - 2012-07-20 04:26 - 00022490 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_17_56_50.dmp

2012-07-19 20:00 - 2012-07-19 20:00 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_9_30_23.dmp

2012-07-19 17:25 - 2012-07-19 17:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_6_55_29.dmp

2012-07-19 10:58 - 2012-07-19 10:58 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_0_28_36.dmp

2012-07-19 07:57 - 2012-07-19 07:57 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_19_21_27_16.dmp

2012-07-19 03:54 - 2012-07-19 03:54 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_19_17_24_1.dmp

2012-07-18 19:46 - 2012-07-18 19:46 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_19_9_16_49.dmp

2012-07-18 08:20 - 2012-07-18 08:20 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_18_21_50_40.dmp

2012-07-18 03:37 - 2012-07-18 03:37 - 00021276 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_18_17_7_55.dmp

2012-07-17 02:54 - 2012-07-17 02:54 - 00021320 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_17_16_24_9.dmp

2012-07-16 17:25 - 2012-07-16 17:25 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_17_6_55_47.dmp

2012-07-16 06:14 - 2012-07-16 06:14 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_16_19_44_48.dmp

2012-07-16 03:21 - 2012-07-16 03:21 - 00022582 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_16_16_51_44.dmp

2012-07-15 22:55 - 2012-07-15 23:01 - 01195181 ____A C:\Users\Admin\Documents\t_src_item_tmpl.dat

2012-07-15 21:59 - 2012-07-15 23:03 - 00000000 ____D C:\Users\Admin\AppData\Roaming\FileZilla

2012-07-15 21:59 - 2012-07-15 21:59 - 00000000 ____D C:\Program Files (x86)\FileZilla FTP Client

2012-07-15 19:22 - 2012-07-15 19:22 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_16_8_52_9.dmp

2012-07-15 05:42 - 2012-07-15 05:42 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_15_19_12_8.dmp

============ 3 Months Modified Files ========================

2012-08-14 16:30 - 2012-05-02 01:58 - 01060524 ____A C:\Windows\WindowsUpdate.log

2012-08-14 16:19 - 2012-07-12 20:49 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-08-14 16:19 - 2012-05-06 23:15 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2012-08-14 16:19 - 2012-05-06 23:15 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2012-08-14 15:42 - 2012-08-14 15:36 - 00002993 ____A C:\Users\Admin\Desktop\RKreport[1].txt

2012-08-14 15:41 - 2012-05-10 08:01 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-325862687-2821830248-2684448362-1000UA.job

2012-08-14 15:38 - 2012-08-14 15:38 - 00027406 ____A C:\Users\Admin\Desktop\DDS.txt

2012-08-14 15:35 - 2009-07-13 21:13 - 00735402 ____A C:\Windows\System32\PerfStringBackup.INI

2012-08-14 15:34 - 2012-08-14 15:34 - 00013337 ____A C:\Users\Admin\Desktop\Attach.txt

2012-08-14 15:32 - 2012-08-14 15:32 - 01558528 ____A C:\Users\Admin\Desktop\RogueKiller.exe

2012-08-14 15:32 - 2009-07-13 20:51 - 00054526 ____A C:\Windows\setupact.log

2012-08-14 15:27 - 2012-08-14 15:27 - 00607260 ____R (Swearware) C:\Users\Admin\Desktop\dds.scr

2012-08-14 14:54 - 2009-07-13 20:45 - 00022096 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-08-14 14:54 - 2009-07-13 20:45 - 00022096 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-08-14 14:46 - 2012-08-14 14:46 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_18_46_54.dmp

2012-08-14 14:45 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-08-14 14:38 - 2012-08-14 14:38 - 00003760 ____A C:\{F13A0D06-7D3F-400F-B04F-881773DFF0BB}

2012-08-14 14:30 - 2012-08-14 14:30 - 00003760 ____A C:\{BED12C49-D0A5-4DF1-8A70-38CFBDEE3223}

2012-08-14 14:28 - 2012-08-14 14:28 - 00023644 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_18_28_6.dmp

2012-08-14 14:26 - 2010-11-20 19:47 - 00101158 ____A C:\Windows\PFRO.log

2012-08-14 14:19 - 2012-08-14 14:19 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-08-14 14:10 - 2012-08-14 14:10 - 00003760 ____A C:\{4CCB44DE-5542-423D-80F5-EBBE8DA74D89}

2012-08-14 14:06 - 2012-08-14 14:06 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_18_6_3.dmp

2012-08-14 13:17 - 2012-08-09 06:11 - 00327680 ____A C:\Windows\System32\Ikeext.etl

2012-08-14 09:41 - 2012-05-10 08:01 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-325862687-2821830248-2684448362-1000Core.job

2012-08-14 07:18 - 2012-08-14 07:18 - 01295536 ____A (Juniper Networks) C:\Users\Admin\Downloads\JuniperSetupClientInstaller.exe

2012-08-14 06:59 - 2012-05-03 20:58 - 00001996 ___AH C:\Users\Admin\Documents\Default.rdp

2012-08-14 02:57 - 2012-08-14 02:57 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_6_57_18.dmp

2012-08-14 01:27 - 2012-08-14 01:27 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_5_27_3.dmp

2012-08-13 19:42 - 2012-08-06 13:52 - 00002411 ____A C:\Users\Admin\Desktop\Google Chrome.lnk

2012-08-13 08:06 - 2012-07-27 05:19 - 00002779 ____A C:\Users\Admin\Desktop\todo.txt

2012-08-13 03:58 - 2012-08-13 03:58 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_13_7_58_12.dmp

2012-08-12 17:49 - 2012-08-12 17:49 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_21_49_48.dmp

2012-08-12 17:40 - 2012-08-12 17:40 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_21_40_21.dmp

2012-08-12 16:45 - 2012-08-12 16:45 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_20_45_0.dmp

2012-08-12 16:00 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini

2012-08-12 15:36 - 2012-08-12 15:36 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_19_36_18.dmp

2012-08-12 15:30 - 2012-08-12 15:30 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_19_30_2.dmp

2012-08-12 14:43 - 2012-08-12 14:43 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_18_43_25.dmp

2012-08-12 14:30 - 2012-08-12 14:30 - 00021236 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_18_30_30.dmp

2012-08-12 12:27 - 2012-08-12 12:27 - 00021138 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_16_27_42.dmp

2012-08-12 05:39 - 2012-08-12 05:39 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_9_39_49.dmp

2012-08-12 05:24 - 2012-08-12 05:24 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Admin\Downloads\mbam-setup-1.62.0.1300.exe

2012-08-12 04:48 - 2012-08-12 04:48 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_8_48_53.dmp

2012-08-12 04:26 - 2012-05-04 02:54 - 00748616 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

2012-08-12 04:16 - 2012-08-12 04:16 - 00022640 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_8_16_43.dmp

2012-08-11 19:36 - 2012-08-11 19:36 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_11_23_36_24.dmp

2012-08-11 18:39 - 2012-08-09 10:45 - 00003148 ____A C:\Users\Admin\Downloads\FSS.txt

2012-08-11 18:33 - 2012-08-11 18:33 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_11_22_33_40.dmp

2012-08-11 18:30 - 2012-08-09 00:31 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys

2012-08-11 07:44 - 2012-04-02 04:57 - 00013962 ____A C:\Users\Admin\Desktop\1.txt

2012-08-11 07:33 - 2012-08-11 07:33 - 00748749 ____A C:\Users\Admin\Desktop\11Aug_collaborator.log

2012-08-10 16:12 - 2012-08-10 16:12 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_20_12_48.dmp

2012-08-10 11:04 - 2012-08-10 11:03 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_15_3_59.dmp

2012-08-10 09:54 - 2012-08-10 09:53 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_13_53_59.dmp

2012-08-10 04:20 - 2012-08-10 04:20 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_8_20_51.dmp

2012-08-10 02:50 - 2012-08-10 02:50 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_6_50_27.dmp

2012-08-09 20:08 - 2012-08-09 20:08 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_0_8_7.dmp

2012-08-09 16:24 - 2012-08-09 16:24 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_20_24_21.dmp

2012-08-09 13:44 - 2012-08-09 13:43 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_17_43_57.dmp

2012-08-09 11:26 - 2012-08-09 11:26 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_15_26_13.dmp

2012-08-09 10:58 - 2012-08-09 10:58 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_14_58_22.dmp

2012-08-09 09:09 - 2012-08-09 09:09 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_13_9_55.dmp

2012-08-09 07:08 - 2012-08-09 07:08 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_11_8_28.dmp

2012-08-09 06:57 - 2012-06-12 23:24 - 00007601 ____A C:\Users\Admin\AppData\Local\Resmon.ResmonCfg

2012-08-09 06:40 - 2012-08-09 06:40 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_10_40_14.dmp

2012-08-09 06:11 - 2012-08-09 06:11 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_10_11_17.dmp

2012-08-09 05:38 - 2012-08-09 05:38 - 00003760 ____A C:\{2F72F050-28E6-4D0B-900E-FADBCF0344A4}

2012-08-09 05:35 - 2012-08-09 05:35 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_9_35_25.dmp

2012-08-09 04:38 - 2012-08-09 04:38 - 00003792 ____A C:\{AD9548B9-ED37-4797-8AE3-3C0A49B01CF7}

2012-08-09 04:10 - 2012-08-09 04:10 - 00003760 ____A C:\{5397871D-4F6A-448E-9140-E2F2E927BF55}

2012-08-09 03:06 - 2012-08-09 03:06 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_7_6_50.dmp

2012-08-09 00:49 - 2012-08-09 00:49 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_4_49_0.dmp

2012-08-09 00:33 - 2012-08-09 00:33 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_4_33_44.dmp

2012-08-09 00:06 - 2012-08-09 00:06 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_4_6_27.dmp

2012-08-08 17:05 - 2012-08-08 17:05 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_21_5_44.dmp

2012-08-08 12:57 - 2012-08-08 12:56 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_16_56_56.dmp

2012-08-08 08:50 - 2012-08-08 08:50 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_12_50_43.dmp

2012-08-08 04:52 - 2012-08-08 04:51 - 00022528 ____A C:\Users\Admin\Desktop\APQUAL_export.xls

2012-08-08 04:25 - 2012-08-08 04:24 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_8_24_59.dmp

2012-08-08 02:11 - 2012-08-08 02:11 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_6_11_2.dmp

2012-08-07 15:53 - 2012-08-07 15:53 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_7_19_53_21.dmp

2012-08-07 04:30 - 2012-08-07 04:30 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_7_8_30_35.dmp

2012-08-06 15:58 - 2012-08-06 15:58 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_19_58_43.dmp

2012-08-06 13:46 - 2012-08-06 13:47 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe

2012-08-06 13:46 - 2012-08-06 13:47 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe

2012-08-06 13:46 - 2012-08-06 13:47 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe

2012-08-06 13:46 - 2012-05-17 20:59 - 00472808 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll

2012-08-06 13:38 - 2012-08-06 13:38 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_17_38_29.dmp

2012-08-06 13:32 - 2012-05-15 05:11 - 00010710 ____A C:\Windows\SysWOW64\jupdate-1.5.0_17-b04.log

2012-08-06 13:21 - 2012-08-06 13:21 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_17_21_5.dmp

2012-08-06 12:54 - 2012-08-06 12:54 - 00214016 ____A C:\Users\Admin\Downloads\RemoteEngineLaunch (1)

2012-08-06 12:34 - 2012-08-06 12:34 - 00214016 ____A C:\Users\Admin\Downloads\RemoteEngineLaunch

2012-08-06 04:24 - 2012-08-06 04:24 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_8_24_12.dmp

2012-08-05 15:08 - 2012-08-05 15:08 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_19_8_9.dmp

2012-08-05 06:24 - 2012-08-05 06:24 - 00023644 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_10_24_12.dmp

2012-08-05 05:34 - 2012-08-05 05:34 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_9_34_51.dmp

2012-08-05 04:15 - 2012-08-05 04:15 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_8_15_2.dmp

2012-08-05 04:06 - 2012-08-05 04:06 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_8_6_29.dmp

2012-08-05 01:07 - 2012-08-05 01:07 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_5_7_30.dmp

2012-08-04 18:19 - 2012-08-04 18:19 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_22_19_44.dmp

2012-08-04 17:06 - 2012-08-04 17:06 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_21_6_26.dmp

2012-08-04 16:50 - 2012-08-04 16:50 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_20_50_47.dmp

2012-08-04 15:27 - 2012-08-04 15:27 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_19_27_2.dmp

2012-08-04 04:24 - 2012-08-04 04:24 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_8_24_39.dmp

2012-08-04 02:13 - 2012-08-04 02:13 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_6_13_35.dmp

2012-08-03 19:26 - 2012-08-03 19:25 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_23_25_56.dmp

2012-08-03 08:49 - 2012-08-03 08:49 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_12_49_13.dmp

2012-08-03 08:37 - 2012-08-03 08:37 - 00023546 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_12_37_51.dmp

2012-08-03 08:13 - 2012-08-03 08:13 - 00023546 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_12_13_12.dmp

2012-08-03 06:02 - 2012-08-03 06:02 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_10_2_50.dmp

2012-08-03 04:22 - 2012-08-03 04:22 - 00022279 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_8_22_23.dmp

2012-08-03 03:14 - 2012-08-03 03:14 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_7_14_20.dmp

2012-08-03 01:50 - 2012-08-03 01:50 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_5_50_26.dmp

2012-08-02 19:17 - 2012-08-02 19:17 - 00019994 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_2_23_17_52.dmp

2012-08-02 10:25 - 2012-08-02 10:25 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_2_23_55_10.dmp

2012-08-01 23:18 - 2012-08-01 23:18 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_2_12_48_8.dmp

2012-08-01 05:30 - 2012-08-01 05:30 - 00022538 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_1_19_0_8.dmp

2012-07-31 16:14 - 2012-07-31 16:14 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_1_5_44_0.dmp

2012-07-31 10:20 - 2012-07-31 10:20 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_31_23_50_19.dmp

2012-07-30 21:36 - 2012-05-16 05:55 - 544812872 ____A C:\Windows\MEMORY.DMP

2012-07-30 18:12 - 2012-07-30 18:12 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_31_7_42_9.dmp

2012-07-30 10:17 - 2012-07-30 10:17 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_30_23_47_40.dmp

2012-07-30 06:38 - 2012-07-30 06:38 - 00021184 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_30_20_8_32.dmp

2012-07-29 19:25 - 2012-07-29 19:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_30_8_55_29.dmp

2012-07-29 18:11 - 2012-05-13 00:06 - 00013979 ____A C:\Users\Admin\Desktop\Book1.xlsx

2012-07-29 09:24 - 2012-07-29 09:24 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_29_22_54_4.dmp

2012-07-28 22:53 - 2012-07-28 22:53 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_29_12_23_25.dmp

2012-07-28 06:56 - 2012-07-28 06:56 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_28_20_26_5.dmp

2012-07-27 19:59 - 2012-07-27 19:59 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_28_9_29_24.dmp

2012-07-27 05:24 - 2012-07-27 05:24 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_27_18_54_18.dmp

2012-07-26 18:49 - 2012-07-26 18:49 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_27_8_19_56.dmp

2012-07-26 07:03 - 2012-07-26 07:03 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_26_20_33_26.dmp

2012-07-26 02:13 - 2012-07-26 02:13 - 00858939 ____A C:\Users\Admin\Downloads\collaborator[1].log

2012-07-25 19:09 - 2012-07-25 19:09 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_26_8_39_55.dmp

2012-07-25 11:13 - 2012-07-25 11:13 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_26_0_43_11.dmp

2012-07-25 09:45 - 2009-07-13 21:08 - 00032644 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-07-25 05:15 - 2012-07-25 05:15 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_25_18_45_40.dmp

2012-07-24 19:08 - 2012-07-24 19:08 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_25_8_38_44.dmp

2012-07-24 09:25 - 2012-07-24 09:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_22_55_28.dmp

2012-07-24 08:09 - 2012-07-24 08:09 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_21_39_53.dmp

2012-07-24 07:24 - 2012-07-24 07:24 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_20_54_7.dmp

2012-07-24 04:28 - 2012-07-24 04:28 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_17_58_23.dmp

2012-07-24 04:24 - 2012-07-24 04:24 - 00000000 ____A C:\Users\Admin\Sti_Trace.log

2012-07-23 19:44 - 2012-07-23 19:44 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_9_14_47.dmp

2012-07-23 17:12 - 2012-07-23 17:12 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_6_42_19.dmp

2012-07-23 10:13 - 2012-07-23 10:13 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_23_23_43_22.dmp

2012-07-23 07:26 - 2012-07-23 07:26 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_23_20_56_26.dmp

2012-07-22 18:24 - 2012-07-22 18:24 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_23_7_54_35.dmp

2012-07-22 04:22 - 2012-07-22 04:22 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_22_17_52_46.dmp

2012-07-21 19:22 - 2012-07-21 19:22 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_22_8_52_49.dmp

2012-07-21 04:01 - 2012-07-21 04:01 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_21_17_31_45.dmp

2012-07-21 03:24 - 2012-07-21 03:24 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_21_16_54_2.dmp

2012-07-20 04:26 - 2012-07-20 04:26 - 00022490 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_17_56_50.dmp

2012-07-19 20:00 - 2012-07-19 20:00 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_9_30_23.dmp

2012-07-19 17:25 - 2012-07-19 17:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_6_55_29.dmp

2012-07-19 10:58 - 2012-07-19 10:58 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_0_28_36.dmp

2012-07-19 07:57 - 2012-07-19 07:57 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_19_21_27_16.dmp

2012-07-19 03:54 - 2012-07-19 03:54 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_19_17_24_1.dmp

2012-07-18 19:46 - 2012-07-18 19:46 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_19_9_16_49.dmp

2012-07-18 08:20 - 2012-07-18 08:20 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_18_21_50_40.dmp

2012-07-18 03:37 - 2012-07-18 03:37 - 00021276 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_18_17_7_55.dmp

2012-07-17 02:54 - 2012-07-17 02:54 - 00021320 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_17_16_24_9.dmp

2012-07-16 17:25 - 2012-07-16 17:25 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_17_6_55_47.dmp

2012-07-16 06:14 - 2012-07-16 06:14 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_16_19_44_48.dmp

2012-07-16 03:21 - 2012-07-16 03:21 - 00022582 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_16_16_51_44.dmp

2012-07-15 23:01 - 2012-07-15 22:55 - 01195181 ____A C:\Users\Admin\Documents\t_src_item_tmpl.dat

2012-07-15 19:22 - 2012-07-15 19:22 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_16_8_52_9.dmp

2012-07-15 05:42 - 2012-07-15 05:42 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_15_19_12_8.dmp

2012-07-14 22:05 - 2012-07-14 22:05 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_15_11_35_33.dmp

2012-07-14 06:24 - 2012-07-14 06:24 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_14_19_54_21.dmp

2012-07-14 05:01 - 2012-07-14 05:01 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_14_18_31_6.dmp

2012-07-14 04:36 - 2012-07-14 04:36 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_14_18_6_12.dmp

2012-07-13 21:24 - 2012-07-13 21:24 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_14_10_54_32.dmp

2012-07-13 20:16 - 2012-07-13 20:16 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_14_9_46_10.dmp

2012-07-13 19:51 - 2012-07-13 19:51 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_14_9_21_24.dmp

2012-07-13 04:53 - 2012-07-13 04:53 - 00021276 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_13_18_23_43.dmp

2012-07-12 15:51 - 2012-07-12 15:51 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_13_5_21_32.dmp

2012-07-12 03:04 - 2012-07-12 03:04 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_12_16_34_30.dmp

2012-07-11 20:52 - 2009-07-13 20:45 - 00363328 ____A C:\Windows\System32\FNTCACHE.DAT

2012-07-11 19:31 - 2012-07-11 19:31 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_12_9_1_12.dmp

2012-07-11 18:33 - 2012-05-12 21:13 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2012-07-11 09:40 - 2012-07-11 09:40 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_11_23_10_20.dmp

2012-07-11 05:49 - 2012-07-11 05:49 - 00021178 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_11_19_19_31.dmp

2012-07-10 19:24 - 2012-07-10 19:24 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_11_8_54_21.dmp

2012-07-10 07:39 - 2012-07-10 07:39 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_10_21_9_41.dmp

2012-07-10 03:10 - 2012-07-10 03:10 - 00021276 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_10_16_40_54.dmp

2012-07-09 19:39 - 2012-07-09 19:39 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_10_9_9_5.dmp

2012-07-09 10:26 - 2012-07-09 10:26 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_9_23_56_32.dmp

2012-07-09 03:35 - 2012-07-09 03:35 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_9_17_5_24.dmp

2012-07-08 19:22 - 2012-07-08 19:22 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_9_8_52_43.dmp

2012-07-08 06:19 - 2012-07-08 06:19 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_8_19_49_25.dmp

2012-07-07 21:48 - 2012-07-07 21:48 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_8_11_18_18.dmp

2012-07-07 17:39 - 2012-07-07 17:39 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_8_7_9_24.dmp

2012-07-07 09:47 - 2012-07-07 09:47 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_7_23_17_32.dmp

2012-07-07 05:27 - 2012-07-07 05:27 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_7_18_57_32.dmp

2012-07-06 15:24 - 2012-07-06 15:24 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_7_4_54_4.dmp

2012-07-06 11:04 - 2012-07-06 11:04 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_7_0_34_19.dmp

2012-07-06 06:27 - 2012-07-06 06:27 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_6_19_57_22.dmp

2012-07-05 20:35 - 2012-07-05 20:35 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_6_10_5_53.dmp

2012-07-05 10:57 - 2012-07-05 10:57 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_6_0_27_58.dmp

2012-07-05 01:20 - 2012-07-05 01:20 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_5_14_50_29.dmp

2012-07-05 01:11 - 2012-07-05 01:11 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_5_14_41_49.dmp

2012-07-04 23:14 - 2012-07-04 23:14 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_5_12_44_30.dmp

2012-07-04 20:36 - 2012-07-04 20:36 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_5_10_6_45.dmp

2012-07-04 19:35 - 2012-07-04 19:35 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_5_9_5_56.dmp

2012-07-04 09:12 - 2012-07-04 09:12 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_4_22_42_40.dmp

2012-07-04 06:33 - 2012-07-04 06:33 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_4_20_3_29.dmp

2012-07-03 09:46 - 2012-08-14 14:19 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-07-03 08:39 - 2012-07-03 08:39 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_3_22_9_12.dmp

2012-07-03 06:37 - 2012-07-03 06:37 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_3_20_7_37.dmp

2012-07-03 04:30 - 2012-07-03 04:30 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_3_18_0_38.dmp

2012-07-02 17:59 - 2012-07-02 17:59 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_3_7_29_8.dmp

2012-07-02 09:46 - 2012-07-02 09:46 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_2_23_16_35.dmp

2012-07-02 05:08 - 2012-07-02 05:08 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_2_18_38_15.dmp

2012-07-02 04:25 - 2012-07-02 04:25 - 00021276 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_2_17_55_2.dmp

2012-07-01 18:43 - 2012-07-01 18:43 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_2_8_13_55.dmp

2012-06-30 22:26 - 2012-06-30 22:26 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_1_11_56_1.dmp

2012-06-30 04:22 - 2012-06-30 04:22 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_30_17_52_25.dmp

2012-06-29 19:49 - 2012-06-29 19:49 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_30_9_19_15.dmp

2012-06-29 03:20 - 2012-06-29 03:20 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_29_16_50_10.dmp

2012-06-29 03:13 - 2012-06-29 03:13 - 00021418 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_29_16_43_48.dmp

2012-06-29 03:13 - 2012-06-29 03:13 - 00001166 ____A C:\Users\Public\Desktop\Canon MF Toolbox 4.9.lnk

2012-06-28 22:26 - 2012-06-28 22:26 - 00002627 ____A C:\Users\Public\Desktop\AT&T Global Network Client.lnk

2012-06-28 21:35 - 2012-06-28 21:34 - 31476912 ____A (Citrix Systems, Inc.) C:\Users\Admin\Downloads\CitrixReceiver.exe

2012-06-28 16:11 - 2012-06-28 16:11 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_29_5_41_37.dmp

2012-06-28 09:25 - 2012-06-28 09:25 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_28_22_55_1.dmp

2012-06-28 05:45 - 2012-06-28 05:45 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_28_19_15_13.dmp

2012-06-28 03:29 - 2012-06-28 03:29 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_28_16_59_20.dmp

2012-06-27 19:37 - 2012-06-27 19:37 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_28_9_7_27.dmp

2012-06-27 10:17 - 2012-06-27 10:17 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_27_23_47_47.dmp

2012-06-27 08:17 - 2012-06-27 08:17 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_27_21_47_13.dmp

2012-06-27 03:32 - 2012-06-27 03:32 - 00021276 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_27_17_2_35.dmp

2012-06-26 22:38 - 2012-06-26 22:38 - 00008128 ____A C:\Users\Admin\Desktop\PassportApplicationForm_Main_English_V1.0_data.xml

2012-06-26 18:45 - 2012-06-26 18:45 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_27_8_15_30.dmp

2012-06-26 07:04 - 2012-06-26 07:04 - 00021178 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_26_20_34_10.dmp

2012-06-26 03:04 - 2012-06-26 03:04 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_26_16_34_45.dmp

2012-06-25 21:43 - 2012-06-25 21:43 - 02060288 ____A C:\Users\Admin\Downloads\gtm_6_2_Product_Introduction_ppt (1).exe

2012-06-25 18:19 - 2012-06-25 18:19 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_26_7_49_8.dmp

2012-06-25 09:30 - 2012-06-25 09:30 - 00022035 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_25_23_0_48.dmp

2012-06-25 04:28 - 2012-06-25 04:28 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_25_17_58_51.dmp

2012-06-25 02:30 - 2012-06-25 02:30 - 00022035 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_25_16_0_28.dmp

2012-06-24 19:12 - 2012-06-24 19:11 - 00022035 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_25_8_41_57.dmp

2012-06-24 04:09 - 2012-06-24 04:09 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_24_17_39_53.dmp

2012-06-24 03:05 - 2012-06-24 03:04 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_24_16_34_57.dmp

2012-06-24 02:20 - 2012-06-24 02:20 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_24_15_50_51.dmp

2012-06-23 23:55 - 2012-06-23 23:55 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_24_13_25_22.dmp

2012-06-23 22:55 - 2012-06-23 22:55 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_24_12_25_53.dmp

2012-06-23 20:13 - 2012-06-23 20:08 - 07217706 ____A (Macromedia, Inc.) C:\Users\Admin\Downloads\ibsetupws.exe

2012-06-23 07:30 - 2012-06-23 07:30 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_23_21_0_34.dmp

2012-06-23 05:41 - 2012-06-23 05:41 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_23_19_11_9.dmp

2012-06-22 20:31 - 2012-06-22 20:31 - 00022444 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_23_10_1_26.dmp

2012-06-22 04:24 - 2012-06-22 04:24 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_22_17_54_22.dmp

2012-06-22 02:29 - 2012-06-22 02:29 - 00022035 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_22_15_59_56.dmp

2012-06-22 02:01 - 2012-06-22 02:01 - 00000020 ____A C:\Users\Admin\Documents\gpfax.adr

2012-06-22 02:01 - 2012-06-22 02:01 - 00000008 ____A C:\Users\Admin\Documents\gpfax.idx

2012-06-22 01:48 - 2012-06-22 01:48 - 00266288 ____A C:\Windows\Minidump\062212-21808-01.dmp

2012-06-21 23:38 - 2012-06-21 23:37 - 11875442 ____A (Macromedia, Inc.) C:\Users\Admin\Downloads\gtm_awareness.exe

2012-06-21 20:29 - 2012-06-21 20:29 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_22_9_59_37.dmp

2012-06-21 11:03 - 2012-06-21 11:03 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_22_0_33_51.dmp

2012-06-21 05:33 - 2012-06-21 05:33 - 00021040 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_21_19_3_45.dmp

2012-06-20 17:07 - 2012-06-20 17:07 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_21_6_37_57.dmp

2012-06-20 08:41 - 2012-06-20 08:41 - 00022035 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_20_22_11_6.dmp

2012-06-20 03:46 - 2012-06-20 03:46 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_20_17_16_1.dmp

2012-06-19 18:29 - 2012-06-19 18:29 - 00022240 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_20_7_59_22.dmp

2012-06-19 07:19 - 2012-06-19 07:19 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_19_20_49_59.dmp

2012-06-19 04:24 - 2012-06-19 04:24 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_19_17_54_18.dmp

2012-06-19 02:58 - 2012-06-19 02:58 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_19_16_28_27.dmp

2012-06-18 19:01 - 2012-06-18 19:01 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_19_8_31_35.dmp

2012-06-18 08:38 - 2012-06-18 08:38 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_18_22_8_15.dmp

2012-06-18 03:56 - 2012-06-18 03:56 - 00022035 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_18_17_26_15.dmp

2012-06-17 23:02 - 2012-06-17 23:02 - 00023960 ____A C:\{6E42CBB6-5B20-4E20-953A-B25E7A02AA33}

2012-06-17 22:59 - 2012-06-17 22:59 - 00002464 ____A C:\{71F71042-64DA-4B48-9520-46035A3366DE}

2012-06-17 10:33 - 2012-06-17 10:33 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_18_0_3_26.dmp

2012-06-17 04:41 - 2012-06-17 04:41 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_17_18_11_51.dmp

2012-06-17 02:15 - 2012-06-17 02:15 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_17_15_45_5.dmp

2012-06-16 20:02 - 2012-06-16 20:02 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_17_9_32_15.dmp

2012-06-16 10:51 - 2012-06-16 10:51 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_17_0_21_31.dmp

2012-06-16 00:16 - 2012-06-16 00:16 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_16_13_46_55.dmp

2012-06-15 22:00 - 2012-06-15 22:00 - 00022035 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_16_11_30_4.dmp

2012-06-15 08:51 - 2012-06-15 08:51 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_15_22_21_42.dmp

2012-06-15 03:08 - 2012-06-15 03:08 - 00023448 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_15_16_38_15.dmp

2012-06-14 10:30 - 2012-06-14 10:30 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_15_0_0_45.dmp

2012-06-14 07:14 - 2012-06-14 07:14 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_14_20_44_36.dmp

2012-06-14 04:10 - 2012-06-14 04:10 - 00021138 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_14_17_40_52.dmp

2012-06-13 09:05 - 2012-06-13 09:05 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_13_22_35_43.dmp

2012-06-13 04:17 - 2012-06-13 04:17 - 00022490 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_13_17_47_39.dmp

2012-06-12 20:02 - 2012-06-12 20:02 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_13_9_32_20.dmp

2012-06-12 18:31 - 2012-06-12 18:31 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_13_8_1_16.dmp

2012-06-12 10:39 - 2012-06-12 10:38 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_13_0_8_57.dmp

2012-06-12 03:50 - 2012-06-12 03:50 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_12_17_20_22.dmp

2012-06-11 20:25 - 2012-06-11 20:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_12_9_55_11.dmp

2012-06-11 19:08 - 2012-07-11 18:36 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-06-11 18:09 - 2012-06-11 18:09 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_12_7_39_7.dmp

2012-06-11 07:30 - 2012-06-11 07:30 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_11_21_0_15.dmp

2012-06-10 20:02 - 2012-06-10 20:02 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_11_9_32_52.dmp

2012-06-10 05:12 - 2012-06-10 05:12 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_10_18_42_32.dmp

2012-06-10 01:52 - 2012-06-10 01:52 - 00019994 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_10_15_22_31.dmp

2012-06-09 18:25 - 2012-06-09 18:25 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_10_7_55_19.dmp

2012-06-09 11:24 - 2012-06-09 11:24 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_10_0_54_16.dmp

2012-06-09 08:14 - 2012-06-09 08:14 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_9_21_44_20.dmp

2012-06-08 21:43 - 2012-07-11 09:15 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2012-06-08 20:41 - 2012-07-11 09:15 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2012-06-08 05:46 - 2012-06-08 05:46 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_8_19_16_11.dmp

2012-06-08 03:58 - 2012-06-08 03:58 - 00022490 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_8_17_28_2.dmp

2012-06-07 19:35 - 2012-06-07 19:35 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_8_9_5_33.dmp

2012-06-07 03:45 - 2012-06-07 03:45 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_7_17_15_30.dmp

2012-06-06 18:31 - 2012-06-06 18:31 - 00021897 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_7_8_1_37.dmp

2012-06-06 06:51 - 2012-06-06 06:51 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_6_20_21_54.dmp

2012-06-05 22:06 - 2012-07-11 09:15 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2012-06-05 22:06 - 2012-07-11 09:15 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2012-06-05 22:02 - 2012-07-11 09:09 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll

2012-06-05 21:05 - 2012-07-11 09:15 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2012-06-05 21:05 - 2012-07-11 09:15 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-06-05 21:03 - 2012-07-11 09:09 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll

2012-06-05 07:38 - 2012-06-05 07:38 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_5_21_8_33.dmp

2012-06-05 03:55 - 2012-06-05 03:55 - 00022538 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_5_17_25_1.dmp

2012-06-04 18:25 - 2012-06-04 18:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_5_7_55_35.dmp

2012-06-04 11:22 - 2012-06-04 11:22 - 00022582 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_5_0_52_28.dmp

2012-06-04 06:57 - 2012-06-04 06:57 - 00455680 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deploytk.dll

2012-06-04 05:38 - 2012-06-04 05:38 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_4_19_8_40.dmp

2012-06-03 07:05 - 2012-06-03 07:05 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_3_20_35_2.dmp

2012-06-02 23:38 - 2012-06-02 23:38 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_3_13_8_20.dmp

2012-06-02 14:19 - 2012-06-25 17:46 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

2012-06-02 14:19 - 2012-06-25 17:46 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

2012-06-02 14:19 - 2012-06-25 17:46 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

2012-06-02 14:19 - 2012-06-25 17:46 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

2012-06-02 14:19 - 2012-06-25 17:46 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

2012-06-02 14:15 - 2012-06-25 17:46 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

2012-06-02 14:15 - 2012-06-25 17:46 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

2012-06-02 07:04 - 2012-06-02 07:04 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_2_20_34_16.dmp

2012-06-02 04:49 - 2012-07-11 18:32 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-06-02 04:17 - 2012-07-11 18:32 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-06-02 04:12 - 2012-07-11 18:32 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-06-02 04:05 - 2012-07-11 18:32 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-06-02 04:05 - 2012-07-11 18:32 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-06-02 04:04 - 2012-07-11 18:32 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-06-02 04:04 - 2012-07-11 18:32 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-06-02 04:03 - 2012-07-11 18:32 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-06-02 04:01 - 2012-07-11 18:32 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-06-02 04:00 - 2012-07-11 18:32 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-06-02 03:59 - 2012-07-11 18:32 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-06-02 03:57 - 2012-07-11 18:32 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-06-02 03:57 - 2012-07-11 18:32 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-06-02 03:54 - 2012-07-11 18:32 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-06-02 01:49 - 2012-06-25 17:46 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

2012-06-02 01:45 - 2012-06-25 17:46 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

2012-06-02 01:07 - 2012-07-11 18:32 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-06-02 00:43 - 2012-07-11 18:32 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-06-02 00:33 - 2012-07-11 18:32 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-06-02 00:26 - 2012-07-11 18:32 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-06-02 00:25 - 2012-07-11 18:32 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-06-02 00:25 - 2012-07-11 18:32 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-06-02 00:23 - 2012-07-11 18:32 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-06-02 00:21 - 2012-07-11 18:32 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-06-02 00:20 - 2012-07-11 18:32 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-06-02 00:19 - 2012-07-11 18:32 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-06-02 00:19 - 2012-07-11 18:32 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-06-02 00:17 - 2012-07-11 18:32 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-06-02 00:16 - 2012-07-11 18:32 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-06-02 00:14 - 2012-07-11 18:32 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-06-01 21:50 - 2012-07-11 09:15 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

2012-06-01 21:48 - 2012-07-11 09:15 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

2012-06-01 21:48 - 2012-07-11 09:15 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

2012-06-01 21:45 - 2012-07-11 09:15 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

2012-06-01 21:44 - 2012-07-11 09:15 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2012-06-01 20:40 - 2012-07-11 09:15 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2012-06-01 20:40 - 2012-07-11 09:15 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2012-06-01 20:39 - 2012-07-11 09:15 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2012-06-01 20:34 - 2012-07-11 09:15 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2012-06-01 09:08 - 2012-06-01 09:08 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_1_22_38_46.dmp

2012-06-01 04:06 - 2012-06-01 04:06 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_1_17_36_44.dmp

2012-06-01 03:44 - 2012-06-01 03:42 - 02900480 ____A C:\Users\Admin\Downloads\102808_62341_ppt.exe

2012-06-01 03:44 - 2012-06-01 03:38 - 12433498 ____A (Macromedia, Inc.) C:\Users\Admin\Downloads\otm_gtm_tech_architecture.exe

2012-06-01 01:38 - 2009-07-13 18:34 - 00000824 ____A C:\Windows\System32\Drivers\etc\hostsOrig

2012-05-31 22:23 - 2012-05-31 22:23 - 02895009 ____A C:\Users\Admin\Downloads\E14525_01.zip

2012-05-31 22:16 - 2012-05-31 22:16 - 08674124 ____A C:\Users\Admin\Downloads\E20111_01.zip

2012-05-31 18:23 - 2012-05-31 18:23 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_1_7_53_55.dmp

2012-05-31 09:52 - 2012-05-31 09:52 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_31_23_22_36.dmp

2012-05-31 04:12 - 2012-05-31 04:12 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_31_17_42_0.dmp

2012-05-24 09:37 - 2012-05-24 09:37 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_24_23_7_5.dmp

2012-05-24 05:14 - 2012-05-24 05:14 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_24_18_44_56.dmp

2012-05-24 01:31 - 2012-05-24 01:31 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_24_15_1_27.dmp

2012-05-23 20:40 - 2012-05-23 20:40 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_24_10_10_19.dmp

2012-05-23 05:22 - 2012-05-23 05:22 - 00021184 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_23_18_52_47.dmp

2012-05-22 21:41 - 2012-05-22 21:41 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_23_11_11_19.dmp

2012-05-22 21:12 - 2012-05-22 21:12 - 00001028 ____A C:\Users\Public\Desktop\PSWizard.lnk

2012-05-22 18:37 - 2012-05-22 18:37 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_23_8_7_25.dmp

2012-05-22 07:07 - 2012-05-22 07:07 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_22_20_37_49.dmp

2012-05-22 05:16 - 2012-05-22 05:16 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_22_18_46_49.dmp

2012-05-22 04:02 - 2012-05-22 04:02 - 00021184 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_22_17_32_15.dmp

2012-05-21 19:33 - 2012-05-21 19:33 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_22_9_3_56.dmp

2012-05-21 09:54 - 2012-05-21 09:54 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_21_23_24_42.dmp

2012-05-21 01:32 - 2012-05-21 01:14 - 00006541 ____A C:\Windows\SysWOW64\jupdate-1.6.0_07-b06.log

2012-05-21 01:19 - 2012-05-21 01:19 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_21_14_49_20.dmp

2012-05-21 01:13 - 2012-05-21 01:02 - 15984024 ____A C:\Users\Admin\Downloads\oaj2se.exe

2012-05-20 23:59 - 2012-05-20 22:18 - 00016504 ____A C:\Users\Admin\Downloads\p14076370_7313_WINNT64.zip

2012-05-20 21:43 - 2012-05-20 21:43 - 00001860 ____A C:\Users\Public\Desktop\Network Recording Player.lnk

2012-05-20 18:59 - 2012-05-20 18:59 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_21_8_29_30.dmp

2012-05-20 08:14 - 2012-05-20 08:14 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_20_21_44_13.dmp

2012-05-19 21:31 - 2012-05-19 21:31 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_20_11_1_28.dmp

2012-05-19 04:59 - 2012-05-19 04:59 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_19_18_29_9.dmp

2012-05-18 20:58 - 2012-05-18 20:58 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_19_10_28_56.dmp

2012-05-18 18:25 - 2012-05-18 18:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_19_7_55_54.dmp

2012-05-18 10:23 - 2012-05-18 10:23 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_18_23_53_19.dmp

2012-05-18 09:57 - 2012-05-02 02:41 - 00002388 ____A C:\Users\Public\Desktop\Norton AntiVirus.lnk

2012-05-18 07:05 - 2012-05-18 07:05 - 00021346 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_18_20_35_53.dmp

2012-05-18 03:10 - 2012-05-18 03:10 - 00892360 ____A (Oracle Corporation) C:\Users\Admin\Downloads\jxpiinstall.exe

2012-05-18 03:08 - 2012-05-18 03:09 - 00544032 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll

2012-05-18 03:08 - 2012-05-18 00:17 - 00525600 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll

2012-05-18 03:00 - 2012-05-18 03:00 - 00000000 ____A C:\Windows\SysWOW64\cd.dat

2012-05-17 22:50 - 2012-05-17 22:48 - 00010686 ____A C:\Windows\SysWOW64\jupdate-1.5.0_22-b03.log

2012-05-17 19:07 - 2012-05-17 19:07 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_18_8_37_40.dmp

2012-05-17 08:12 - 2012-05-17 08:12 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_17_21_42_4.dmp

2012-05-17 05:20 - 2012-05-17 05:20 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_17_18_50_31.dmp

2012-05-17 03:47 - 2012-05-17 03:47 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_17_17_17_35.dmp

ZeroAccess:

C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}

C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\@

C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\L

C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U

C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\L\201d3dde

C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U\00000008.@

C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U\80000032.@

C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U\80000064.@

ZeroAccess:

C:\Users\Admin\AppData\Local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}

C:\Users\Admin\AppData\Local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\@

C:\Users\Admin\AppData\Local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\L

C:\Users\Admin\AppData\Local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U

ZeroAccess:

C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:

C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%

Total physical RAM: 4039.86 MB

Available physical RAM: 3435.06 MB

Total Pagefile: 4038.06 MB

Available Pagefile: 3429.48 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:97.56 GB) (Free:59.39 GB) NTFS

2 Drive e: () (Fixed) (Total:146.48 GB) (Free:96.4 GB) NTFS

3 Drive f: () (Fixed) (Total:221.62 GB) (Free:137.71 GB) NTFS

5 Drive h: (Transcend) (Removable) (Total:7.59 GB) (Free:6.53 GB) FAT32

6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

7 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 465 GB 0 B

Disk 1 Online 7788 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 97 GB 101 MB

Partition 3 Primary 146 GB 97 GB

Partition 4 Primary 221 GB 244 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 97 GB Healthy

==================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E NTFS Partition 146 GB Healthy

==================================================================================

Disk: 0

Partition 4

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 F NTFS Partition 221 GB Healthy

==================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 7787 MB 944 KB

==================================================================================

Disk: 1

Partition 1

Type : 0C

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 H Transcend FAT32 Removable 7787 MB Healthy

==================================================================================

Last Boot: 2012-08-07 08:24

======================= End Of Log ==========================


OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-08-2012

Ran by SYSTEM at 2012-08-14 21:41:21 Run:1

Running from H:\

==============================================

C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e} moved successfully.

C:\Users\Admin\AppData\Local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e} moved successfully.

C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

C:\Windows\System32\services.exe moved successfully.

C:\Windows\erdnt\cache64\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====


Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix 12-08-14.05 - Admin 08/14/2012 22:49:35.2.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4040.2289 [GMT -4:00]

Running from: c:\users\Admin\Desktop\ComboFix.exe

AV: Norton AntiVirus *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Norton AntiVirus *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-07-15 to 2012-08-15 )))))))))))))))))))))))))))))))

.

.

2012-08-15 04:32 . 2012-08-15 04:32 -------- d-----w- C:\FRST

2012-08-15 02:53 . 2012-08-15 02:53 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-15 02:32 . 2012-07-06 20:07 552960 ----a-w- c:\windows\system32\drivers\bthport.sys

2012-08-15 00:03 . 2012-08-15 00:03 -------- d-----w- c:\program files\7-Zip

2012-08-14 22:19 . 2012-08-14 22:44 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-08-14 22:19 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-14 20:54 . 2012-08-14 20:54 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-08-12 15:06 . 2012-08-12 15:06 -------- d-----w- c:\windows\Sun

2012-08-12 13:25 . 2012-08-12 13:25 -------- d-----w- c:\users\Admin\AppData\Roaming\Malwarebytes

2012-08-12 13:25 . 2012-08-12 13:25 -------- d-----w- c:\programdata\Malwarebytes

2012-08-09 13:14 . 2012-08-09 13:17 -------- d-----w- c:\users\Admin\AppData\Local\NPE

2012-08-09 08:31 . 2012-08-12 02:30 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys

2012-08-02 06:12 . 2012-08-02 06:12 -------- d-----w- c:\users\Admin\AppData\Local\ElevatedDiagnostics

2012-07-26 13:08 . 2012-07-30 13:06 -------- d-----w- c:\users\Admin\Tracing

2012-07-24 12:24 . 2012-07-24 12:24 -------- d-----w- c:\users\Admin\AppData\Roaming\Canon

2012-07-16 05:59 . 2012-07-16 07:03 -------- d-----w- c:\users\Admin\AppData\Roaming\FileZilla

2012-07-16 05:59 . 2012-07-16 05:59 -------- d-----w- c:\program files (x86)\FileZilla FTP Client

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-15 02:27 . 2012-05-13 05:13 62134624 ----a-w- c:\windows\system32\MRT.exe

2012-08-15 00:19 . 2012-05-07 07:15 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-15 00:19 . 2012-05-07 07:15 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-08-06 21:46 . 2012-05-18 04:59 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll

2012-06-09 05:43 . 2012-07-11 17:15 14172672 ----a-w- c:\windows\system32\shell32.dll

2012-06-06 12:49 . 2012-06-06 12:49 1070152 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX

2012-06-06 06:06 . 2012-07-11 17:15 2004480 ----a-w- c:\windows\system32\msxml6.dll

2012-06-06 06:06 . 2012-07-11 17:15 1881600 ----a-w- c:\windows\system32\msxml3.dll

2012-06-06 06:02 . 2012-07-11 17:09 1133568 ----a-w- c:\windows\system32\cdosys.dll

2012-06-06 05:05 . 2012-07-11 17:15 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll

2012-06-06 05:05 . 2012-07-11 17:15 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll

2012-06-06 05:03 . 2012-07-11 17:09 805376 ----a-w- c:\windows\SysWow64\cdosys.dll

2012-06-04 14:57 . 2012-06-04 14:57 455680 ----a-w- c:\windows\system32\deploytk.dll

2012-06-02 22:19 . 2012-06-26 01:46 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-26 01:46 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-06-26 01:46 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-26 01:46 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-26 01:46 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:15 . 2012-06-26 01:46 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:15 . 2012-06-26 01:46 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 09:49 . 2012-06-26 01:46 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 09:45 . 2012-06-26 01:46 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 05:50 . 2012-07-11 17:15 458704 ----a-w- c:\windows\system32\drivers\cng.sys

2012-06-02 05:48 . 2012-07-11 17:15 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2012-06-02 05:48 . 2012-07-11 17:15 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-06-02 05:45 . 2012-07-11 17:15 340992 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 05:44 . 2012-07-11 17:15 307200 ----a-w- c:\windows\system32\ncrypt.dll

2012-06-02 04:40 . 2012-07-11 17:15 22016 ----a-w- c:\windows\SysWow64\secur32.dll

2012-06-02 04:40 . 2012-07-11 17:15 225280 ----a-w- c:\windows\SysWow64\schannel.dll

2012-06-02 04:39 . 2012-07-11 17:15 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll

2012-06-02 04:34 . 2012-07-11 17:15 96768 ----a-w- c:\windows\SysWow64\sspicli.dll

2012-05-18 11:08 . 2012-05-18 11:09 544032 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-05-18 11:08 . 2012-05-18 08:17 525600 ----a-w- c:\windows\system32\deployJava1.dll

1996-05-22 10:19 . 1996-05-22 10:19 25088 ----a-w- c:\program files (x86)\ZAPGRAB2.EXE

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]

"googletalk"="c:\program files (x86)\Google\Google Talk\googletalk.exe" [2007-11-21 3289088]

"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2012-02-22 6591800]

"NetSP - restore settings on power failure"="c:\program files (x86)\AT&T Global Network Client\NetSP.exe" [2012-03-28 55136]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-02-18 283160]

"332BigDog"="c:\program files (x86)\USB Camera2\VM332_STI.EXE" [2010-01-19 536576]

"UpdatePRCShortCut"="c:\program files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-13 222504]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]

"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2012-05-23 371896]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

.

c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-20 227712]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

AT&T Global Network Client Monitor.lnk - c:\windows\Installer\{37880B62-627C-4F6B-BB85-984BB7E26125}\NetGM1_89563E53ECF44E868145468A128BDC83.exe [2012-6-29 91504]

Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2010-12-14 1133856]

Google Calendar Sync.lnk - c:\program files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~2\Citrix\ICACLI~1\RSHook.dll

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-07 160944]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 250056]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-21 129976]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-01-05 340240]

R3 OracleOraDb11g_home1ClrAgent;OracleOraDb11g_home1ClrAgent;d:\app\Admin\product\11.2.0\dbhome_1\bin\OraClrAgnt.exe [2010-02-27 38400]

R3 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;d:\app\Admin\product\11.2.0\dbhome_1\BIN\TNSLSNR [x]

R3 OracleServiceORCL;OracleServiceORCL;d:\app\admin\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL [x]

R3 OracleVssWriterORCL;Oracle ORCL VSS Writer Service;d:\app\admin\product\11.2.0\dbhome_1\bin\OraVSSW.exe ORCL [x]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]

R3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUVStor.sys [2010-09-30 299520]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-05-03 1255736]

R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-21 121840]

R4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;d:\app\admin\product\11.2.0\dbhome_1\Bin\extjob.exe ORCL [x]

S0 LHDmgr;LHDmgr;c:\windows\System32\DRIVERS\LhdX64.sys [2012-05-02 39008]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAVx64\1307010.005\SYMDS64.SYS [2011-07-26 451192]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAVx64\1307010.005\SYMEFA64.SYS [2012-03-29 1092728]

S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120804.001\BHDrvx64.sys [2012-06-19 1161376]

S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAVx64\1307010.005\ccSetx64.sys [2011-11-29 167048]

S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2012-05-17 93272]

S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120810.001\IDSvia64.sys [2012-06-14 509088]

S1 NEOFLTR_650_15977;Juniper Networks TDI Filter Driver (NEOFLTR_650_15977);c:\windows\system32\Drivers\NEOFLTR_650_15977.SYS [2010-06-04 100472]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAVx64\1307010.005\Ironx64.SYS [2012-03-29 190072]

S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NAVx64\1307010.005\SYMNETS.SYS [2012-03-29 405624]

S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-02-18 13336]

S2 JuniperAccessService;Juniper Unified Network Service;c:\program files (x86)\Common Files\Juniper Networks\JUNS\dsAccessService.exe [2011-06-02 198520]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]

S2 NAV;Norton AntiVirus;c:\program files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe [2012-03-27 138232]

S2 NetClientSvc;AT&T Global Network Client Service;c:\program files (x86)\AT&T Global Network Client\NetClientSvc.exe [2012-03-28 370528]

S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-07-05 3048136]

S2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe [2011-06-24 317296]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-21 2656280]

S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-05-18 641464]

S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2012-05-02 29792]

S3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys [2010-12-15 349224]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-12-15 39464]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-09 138912]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 317440]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-10-21 76912]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]

S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]

S3 NetLogSvc;NetLogSvc;c:\program files (x86)\AT&T Global Network Client\NetLogSvc.exe [2012-03-28 82272]

S3 vm2uvcflt;Vimicro USB Camera Filter 2;c:\windows\system32\Drivers\vm2uvcflt.sys [2010-09-21 15056]

S3 vm332avs;Lenovo Camera2;c:\windows\system32\Drivers\vm332avs.sys [2010-12-10 234960]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-15 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 00:19]

.

2012-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-325862687-2821830248-2684448362-1000Core.job

- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-10 16:01]

.

2012-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-325862687-2821830248-2684448362-1000UA.job

- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-10 16:01]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-29 167960]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-29 391704]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-29 418840]

"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-01-05 1933584]

"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2012-05-02 9753024]

"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\Utility.exe" [2012-05-02 5908928]

"UpdatePRCShortCut"="c:\program files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-13 222504]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = about:blank

mStart Page = hxxp://in.yahoo.com/?fr=fp-spt_gen

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105

IE: Send image to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm

Trusted Zone: solutionbeacon.net

TCP: DhcpNameServer = 172.16.0.1

TCP: Interfaces\{38F75B14-47DE-47B4-AEBE-9D57EE0B3643}: NameServer = 155.132.2.31,155.132.9.10

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.ultradent.com/CACHE/stc/2/binaries/vpnweb.cab

FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ncfa4qkh.default\

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=

.

.

------- File Associations -------

.

vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*

vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*

jsefile\shell\open2\command=c:\windows\System32\CScript.exe "%1" %*

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - c:\program files (x86)\Hotspot Shield\HssIE\HssIE_64.dll

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NAV]

"ImagePath"="\"c:\program files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files (x86)\Norton AntiVirus\Engine\19.7.1.5\diMaster.dll\" /prefetch:1"

--

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\OracleOraDb11g_home1ClrAgent]

"ImagePath"="d:\app\Admin\product\11.2.0\dbhome_1\bin\OraClrAgnt.exe agent_sid=CLRExtProc max_dispatchers=2 tcp_dispatchers=0 max_task_threads=6 max_sessions=25 ENVS=\"EXTPROC_DLLS=ONLY:d:\app\Admin\product\11.2.0\dbhome_1\bin\oraclr11.dll\""

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\OracleOraDb11g_home1TNSListener]

"ImagePath"="d:\app\Admin\product\11.2.0\dbhome_1\BIN\TNSLSNR "

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Juniper Networks\Common Files\dsNcService.exe

c:\program files (x86)\AT&T Global Network Client\netcfgsvr.exe

d:\app\Admin\product\11.2.0\dbhome_1\bin\omtsreco.exe

d:\app\Admin\product\11.2.0\dbhome_1\jdk\bin\java.exe

c:\program files (x86)\Citrix\ICA Client\Receiver\Receiver.exe

c:\program files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe

c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe

c:\windows\SysWOW64\RunDll32.exe

c:\program files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe

c:\program files (x86)\Yahoo!\Messenger\ymsgr_tray.exe

c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

.

**************************************************************************

.

Completion time: 2012-08-14 23:02:09 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-15 03:02

.

Pre-Run: 62,695,464,960 bytes free

Post-Run: 62,335,385,600 bytes free

.

- - End Of File - - 0C73BE7F1B9690BAC3F90F2ABF9775E9

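A small triage script for the Fixlog and ComboFix output posted above, added here as an example and not part of FRST, ComboFix or Malwarebytes: it flags the ZeroAccess artefact paths the Fixlog removed (the GUID folders under Windows\Installer and AppData\Local, the Desktop.ini files in the GAC folders, the hidden %APPDATA% folder under SysWow64) and the UAC policy values the ComboFix "Reg Loading Points" section shows set to 0. The sample lines are constructed from the log formats in this thread; the rules and their wording are the example's own.

```python
"""Triage ComboFix "Files Created" rows, ComboFix policy rows and FRST Fixlog
rows for the ZeroAccess artefacts and weak UAC settings seen in this thread."""
import re

# Constructed sample mirroring the three line formats posted in the thread.
SAMPLE_LOG = """\
2012-08-14 20:54 . 2012-08-14 20:54 -------- d-sh--w- c:\\windows\\SysWow64\\%APPDATA%
2012-08-14 22:19 . 2012-07-03 17:46 24904 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2012-08-15 00:03 . 2012-08-15 00:03 -------- d-----w- c:\\program files\\7-Zip
C:\\Windows\\Installer\\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e} moved successfully.
C:\\Windows\\assembly\\GAC_64\\Desktop.ini moved successfully.
"EnableLUA"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"""

# ComboFix "Files Created" row: <created> . <modified> <size|----> <attrs> <path>
FILE_ROW = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+(\S+)\s+(.+)$")
# FRST Fixlog row: <path> moved successfully.
FIXLOG_ROW = re.compile(r"^(.+?) moved successfully\.$", re.I)
# ComboFix policy row: "Name"= <decimal> (0x<hex>)
POLICY_ROW = re.compile(r'^"(\w+)"=\s*(\d+)\s+\(0x[0-9a-f]+\)$', re.I)

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
PATH_RULES = [
    (re.compile(r"\\windows\\installer\\" + GUID + r"(?:\\u(?:\\|$)|$)", re.I),
     "GUID folder directly under Windows\\Installer: ZeroAccess hid its payload in "
     "one (with a U subfolder), but legitimate MSI caches live here too, so "
     "inspect the contents before acting"),
    (re.compile(r"\\appdata\\local\\" + GUID + r"(?:\\|$)", re.I),
     "GUID folder under AppData\\Local: per-user ZeroAccess component"),
    (re.compile(r"\\assembly\\gac_(?:32|64)\\desktop\.ini$", re.I),
     "Desktop.ini inside a .NET GAC folder: ZeroAccess persistence file"),
    (re.compile(r"\\sys(?:tem32|wow64)\\%appdata%$", re.I),
     "literal %APPDATA% folder under the system directory: Windows never creates this"),
]

# UAC policy values that weaken or disable elevation prompting.
POLICY_RULES = {
    "EnableLUA": (0, "UAC is disabled entirely"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts do not use the secure desktop"),
}


def triage(log_text):
    """Return [(item, reason)] for every line of log_text that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        attrs, path = "", None
        m = FILE_ROW.match(line)
        if m:
            attrs, path = m.group(1), m.group(2)
        else:
            m = FIXLOG_ROW.match(line)
            if m:
                path = m.group(1)
        if path is not None:
            for rule, reason in PATH_RULES:
                if rule.search(path):
                    findings.append((path, reason))
                    break
            else:
                # Not a known artefact, but a newly created hidden+system directory
                # still merits a look (ComboFix attrs: d=dir, s=system, h=hidden).
                if attrs.startswith("d") and "s" in attrs and "h" in attrs:
                    findings.append((path, "newly created hidden+system directory"))
            continue
        m = POLICY_ROW.match(line)
        if m and m.group(1) in POLICY_RULES:
            weak_value, reason = POLICY_RULES[m.group(1)]
            if int(m.group(2)) == weak_value:
                findings.append((m.group(1), reason))
    return findings
```

Feed it the text of a ComboFix.txt or Fixlog.txt and review each finding by hand; a hit on a Windows\Installer GUID folder is a prompt to look inside, not proof of infection.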

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

