
MBMA identifies Rootkit.0Access on notebook



Using MBMA I was informed I had Rootkit.0Access on my notebook.

I noted there might be a problem when Microsoft Essentials was no longer active/installed, and then started my investigation.

I then installed Avast, thinking that I should have an AV installed. Halfway through its install it started installing Google Drive and I thought... hey, whoa, I don't want this installed, and basically shut the system down with a power-off.

I then rebooted in safe mode and, thinking something might be odd, did a quick MBMA scan, and now I know why my notebook is probably acting 'funny'.

I did the MBMA scan in safe mode and was able to delete the $recycle file noted as infected with Rootkit.0Access.

It deleted OK, and after a reboot another full scan with MBMA did not identify any further infected files, i.e. no infected files found.

Then I read up and saw this may be more serious than I first thought.

I have also included the RogueKiller v8.5.4 report; this can be found at the bottom of this post.

And now I'm here humbly asking for help.

The IP addresses in the local hosts file are mine. I put them there ages ago.

Hosts: 172.16.32.1 e4200.local16

Hosts: 172.16.32.10 test.local16

Hosts: 172.16.32.10 m.test.local16

Hosts: 172.16.32.10 dev.local16

DSS.txt

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 10.0.9200.16576 BrowserJavaVersion: 10.21.2

Run by thomas at 21:22:42 on 2013-06-06

Microsoft Windows 7 Professional 6.1.7601.1.1252.64.1033.18.3997.1999 [GMT 12:00]

.

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\WLANExt.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld.exe

C:\Program Files (x86)\Generic\Network Printer Wizard\NPWService.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\PrintIsolationHost.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

C:\Program Files\AVAST Software\Avast\AvastUI.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

\\172.16.32.10\My Downloads\security\MalwareBytes\RogueKiller.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe

C:\Windows\system32\taskhost.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\ctfmon.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uDefault_Page_URL = hxxp://www.alienware.com/

mWinlogon: Userinit = userinit.exe,

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

BHO: SimpleAdblock Class: {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files (x86)\Common Files\Simple Adblock\SimpleAdblock.dll

EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - C:\Program Files (x86)\Internet Explorer\iedvtool.dll

uRun: [iSUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MONITO~1.LNK - C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

mPolicies-Windows\System: UseOEMBackground = dword:0

IE: &ieSpell Options - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: Lookup on Merriam Webster - C:\Program Files (x86)\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - C:\Program Files (x86)\ieSpell\wikipedia.HTM

IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab

DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab

DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.3.16.0.cab

TCP: NameServer = 172.16.32.254

TCP: Interfaces\{1D6950FB-9D9A-496D-84D0-05DEE917E970} : DHCPNameServer = 172.16.32.254

TCP: Interfaces\{24621A52-EA13-4DAB-8A93-DE3A11A4BE6A} : DHCPNameServer = 172.16.32.254

TCP: Interfaces\{2AC73DDC-43A7-487E-8E4B-6168ED4B0154} : DHCPNameServer = 192.168.42.129

TCP: Interfaces\{50E2FFB1-2CFF-4864-BC8D-A6A869E53E30} : DHCPNameServer = 172.16.32.254

TCP: Interfaces\{50E2FFB1-2CFF-4864-BC8D-A6A869E53E30}\0596C6C60224F687 : DHCPNameServer = 192.168.43.1

TCP: Interfaces\{50E2FFB1-2CFF-4864-BC8D-A6A869E53E30}\24F62672370234F657E6472797022457E6B65627 : DHCPNameServer = 172.16.32.254

TCP: Interfaces\{50E2FFB1-2CFF-4864-BC8D-A6A869E53E30}\3516475727E6 : DHCPNameServer = 122.56.237.1 210.55.111.1

TCP: Interfaces\{50E2FFB1-2CFF-4864-BC8D-A6A869E53E30}\35D454253584 : DHCPNameServer = 172.17.64.254 202.27.158.40 202.27.156.72

TCP: Interfaces\{50E2FFB1-2CFF-4864-BC8D-A6A869E53E30}\3716475727E6 : DHCPNameServer = 202.27.158.40 202.27.156.72 122.56.237.1 210.55.111.1

TCP: Interfaces\{50E2FFB1-2CFF-4864-BC8D-A6A869E53E30}\C696E6B6379737D2E6 : DHCPNameServer = 202.27.158.40 202.27.156.72 122.56.237.1 210.55.111.1

TCP: Interfaces\{573B885B-5A6B-4F3B-BC27-385246E0F8D9} : DHCPNameServer = 172.17.64.254 122.56.237.1 210.55.111.1

TCP: Interfaces\{5DB81213-4708-4504-A213-FCF10DE63D20} : DHCPNameServer = 192.168.42.129

TCP: Interfaces\{CC762EE8-C456-4126-9D79-12F4D5E01B4A} : DHCPNameServer = 172.16.32.254

TCP: Interfaces\{FA4BC374-64E1-4AE3-B6D8-AAF66C3F8352} : DHCPNameServer = 192.168.42.129

AppInit_DLLs= C:\Windows\SysWOW64\nvinit.dll

SSODL: WebCheck - <orphaned>

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"

x64-mWinlogon: Userinit = C:\Windows\System32\userinit.exe

x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll

x64-BHO: SimpleAdblock Class: {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files (x86)\Common Files\Simple Adblock\SimpleAdblockx64.dll

x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey

x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab

x64-DPF: {CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab

x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab

x64-Notify: igfxcui - igfxdev.dll

x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

x64-SSODL: WebCheck - <orphaned>

Hosts: 172.16.32.1 e4200.local16

Hosts: 172.16.32.10 test.local16

Hosts: 172.16.32.10 m.test.local16

Hosts: 172.16.32.10 dev.local16

.

Note: multiple HOSTS entries found. Please refer to Attach.txt

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\thomas\AppData\Roaming\Mozilla\Firefox\Profiles\p8evg2gy.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll

FF - plugin: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL

FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll

FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

.

============= SERVICES / DRIVERS ===============

.

R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-6-6 65336]

R0 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-6-6 189936]

R0 EMSC;COMPAL Embedded System Control;C:\Windows\System32\drivers\EMSC.sys [2009-6-27 16752]

R0 johci;JMicron 1394 Filter Driver;C:\Windows\System32\drivers\johci.sys [2010-2-26 20392]

R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-1-20 230320]

R0 stdflt;Disk Filter Driver for Accelerometer;C:\Windows\System32\drivers\stdflt.sys [2010-8-14 19504]

R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-6-6 1025808]

R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-6-6 378432]

R1 HWiNFO32;HWiNFO32/64 Kernel Driver;C:\Program Files\HWiNFO64\HWiNFO64A.SYS [2012-5-12 30592]

R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2010/05/20 17:39:53];C:\Program Files (x86)\CyberLink\PowerDVD8\000.fcl [2010-1-12 146928]

R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-6-6 33400]

R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-6-6 80816]

R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-6-6 46808]

R2 cpuz135;cpuz135;C:\Windows\System32\drivers\cpuz135_x64.sys [2010-12-29 21992]

R2 MySQL5;MySQL5;"C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld" --defaults-file="C:\Program Files\MySQL\MySQL Server 5.5\my.ini" MySQL5 --> C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld [?]

R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 130008]

R2 NPWService;NPWService;C:\Program Files (x86)\Generic\Network Printer Wizard\NPWService.exe [2009-1-15 788480]

R3 Acceler;Accelerometer Service;C:\Windows\System32\drivers\Acceler.sys [2010-8-14 25648]

R3 BcmVWL;Broadcom Virtual Wireless;C:\Windows\System32\drivers\bcmvwl64.sys [2010-7-29 20984]

R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2010-2-26 67072]

R3 seehcri;Sony Ericsson seehcri Device Driver;C:\Windows\System32\drivers\seehcri.sys [2011-2-15 34032]

R3 teamviewervpn;TeamViewer VPN Adapter;C:\Windows\System32\drivers\teamviewervpn.sys [2012-5-26 35112]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 Apache2.2;Apache2.2;C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\httpd.exe [2010-3-4 24645]

S3 btusbflt;Bluetooth USB Filter;C:\Windows\System32\drivers\btusbflt.sys [2010-4-14 54824]

S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2010-7-29 35104]

S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2012-8-24 16776]

S3 EST_Server;Network USB Device;C:\Windows\System32\drivers\GenHC.sys [2009-1-16 197632]

S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2012-8-24 9096]

S3 FACAP;facap, FastAccess Video Capture;C:\Windows\System32\drivers\facap.sys [2008-9-25 238848]

S3 ggflt;SEMC USB Flash Driver Filter;C:\Windows\System32\drivers\ggflt.sys [2012-7-5 14448]

S3 ivusb;Initio Driver for USB Default Controller;C:\Windows\System32\drivers\ivusb.sys [2010-7-29 29720]

S3 JMCR;JMCR;C:\Windows\System32\drivers\jmcr.sys [2010-2-26 144496]

S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\System32\drivers\LEqdUsb.sys [2011-9-2 76056]

S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\System32\drivers\LHidEqd.sys [2011-9-2 15128]

S3 MosIrUsb;MosIrUsb.sys;C:\Windows\System32\drivers\MosIrUsb.sys [2007-10-11 27648]

S3 NisSrv;NisSrv;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-1-27 379360]

S3 nmwcdnsux64;Nokia USB Flashing Phone Parent;C:\Windows\System32\drivers\nmwcdnsux64.sys [2011-8-17 171008]

S3 pwdrvio;pwdrvio;C:\Windows\System32\pwdrvio.sys [2012-8-21 19032]

S3 pwdspio;pwdspio;C:\Windows\System32\pwdspio.sys [2012-8-21 9584]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-10-24 19456]

S3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\System32\drivers\RTL8192cu.sys [2011-2-11 848384]

S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);C:\Windows\System32\drivers\s0016bus.sys [2008-5-16 115240]

S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;C:\Windows\System32\drivers\s0016mdfl.sys [2008-5-16 19496]

S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;C:\Windows\System32\drivers\s0016mdm.sys [2008-5-16 158760]

S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);C:\Windows\System32\drivers\s0016mgmt.sys [2008-5-16 137256]

S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);C:\Windows\System32\drivers\s0016nd5.sys [2008-5-16 34344]

S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;C:\Windows\System32\drivers\s0016obex.sys [2008-5-16 136744]

S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);C:\Windows\System32\drivers\s0016unic.sys [2008-5-16 151592]

S3 Sony PC Companion;Sony PC Companion;C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe [2013-4-21 155824]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]

S3 tap0801;TAP-Win32 Adapter V8;C:\Windows\System32\drivers\tap0801.sys [2005-4-14 30720]

S3 tapoas;TAP-Win32 Adapter OAS;C:\Windows\System32\drivers\tapoas.sys [2010-8-3 30720]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-10-24 57856]

S3 USB_Ethernet_Adaptor;USB to Ethernet Adapter;C:\Windows\System32\drivers\USB_Ethernet_Adaptor.sys [2013-1-8 21504]

S3 VBoxUSB;VirtualBox USB;C:\Windows\System32\drivers\VBoxUSB.sys [2012-12-19 106408]

S3 vpcuxd;USB Virtualization Stub Service;C:\Windows\System32\drivers\vpcuxd.sys [2011-2-23 16384]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-3-31 1255736]

S4 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2012-7-12 98208]

S4 CronService;Cron Service for Prey;C:\Program Files\Prey\platform\windows\cronsvc.exe [2011-2-16 19968]

S4 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2013-2-5 137488]

S4 InstallFilterService;FF Install Filter Service;C:\Program Files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe [2010-8-14 60928]

S4 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-5-26 2666880]

.

=============== File Associations ===============

.

FileExt: .bat: Notepad++_file="C:\Program Files (x86)\Notepad++\notepad++.exe" "%1"

FileExt: .txt: Notepad++_file="C:\Program Files (x86)\Notepad++\notepad++.exe" "%1" [userChoice]

FileExt: .ini: Notepad++_file="C:\Program Files (x86)\Notepad++\notepad++.exe" "%1"

.

=============== Created Last 30 ================

.

2013-06-06 04:31:48 72016 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys

2013-06-06 04:31:47 1025808 ----a-w- C:\Windows\System32\drivers\aswSnx.sys

2013-06-06 04:31:46 80816 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys

2013-06-06 04:31:46 65336 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys

2013-06-06 04:31:46 189936 ----a-w- C:\Windows\System32\drivers\aswVmm.sys

2013-06-06 04:31:35 41664 ----a-w- C:\Windows\avastSS.scr

2013-06-03 12:18:59 76232 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1A463B6F-A7C5-4D2E-9D06-17E952AF717E}\offreg.dll

2013-06-02 15:12:23 9460464 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1A463B6F-A7C5-4D2E-9D06-17E952AF717E}\mpengine.dll

2013-06-02 15:09:55 1930752 ----a-w- C:\Windows\System32\authui.dll

2013-06-02 15:09:54 70144 ----a-w- C:\Windows\System32\appinfo.dll

2013-06-02 15:09:54 1796096 ----a-w- C:\Windows\SysWow64\authui.dll

2013-06-02 15:09:54 111448 ----a-w- C:\Windows\System32\consent.exe

2013-06-02 15:09:50 48640 ----a-w- C:\Windows\System32\wwanprotdim.dll

2013-06-02 15:09:50 230400 ----a-w- C:\Windows\System32\wwansvc.dll

2013-06-02 15:09:47 3153920 ----a-w- C:\Windows\System32\win32k.sys

2013-06-02 11:32:46 9460464 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-06-01 06:01:06 225280 ----a-w- C:\Windows\USBT610phmgunin.exe

2013-06-01 06:01:00 -------- d-----w- C:\Users\thomas\AppData\Roaming\MobileAction

2013-05-31 02:25:21 49152 ----a-w- C:\Windows\SysWow64\WDec3.ocx

2013-05-31 02:25:21 180224 ----a-w- C:\Windows\SysWow64\imsised.exe

2013-05-31 02:25:20 198848 ----a-w- C:\Windows\SysWow64\MCI32.OCX

2013-05-31 02:25:20 166600 ----a-w- C:\Windows\SysWow64\msmask32.ocx

2013-05-31 02:25:20 -------- d-----w- C:\Windows\SysWow64\aspi

2013-05-31 02:25:17 -------- d-----w- C:\Program Files (x86)\intelliScore Ensemble WAV to MIDI Converter Demo

2013-05-31 02:11:29 -------- d-----w- C:\Program Files (x86)\Audacity

2013-05-23 10:16:14 237840 ----a-w- C:\Windows\System32\drivers\VBoxDrv.sys

2013-05-23 10:16:10 120080 ----a-w- C:\Windows\System32\drivers\VBoxUSBMon.sys

2013-05-23 10:16:05 -------- d-----w- C:\Program Files\Oracle

2013-05-22 05:21:06 158067944 ----a-w- C:\Users\thomas\oo33.exe

2013-05-21 22:09:38 964552 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{873A69B2-451F-4EBD-9462-4EFD717EEFD5}\gapaengine.dll

2013-05-18 15:20:41 -------- d-----w- C:\Program Files (x86)\Winamp Detect

2013-05-15 03:31:09 -------- d-----w- C:\ProgramData\Cisco Systems

2013-05-15 02:15:35 262552 ----a-w- C:\Program Files (x86)\Mozilla Firefox\browser\components\browsercomps.dll

2013-05-10 23:20:36 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2013-05-08 04:41:27 -------- d-sh--w- C:\Users\thomas\AppData\Local\ms-drivers

2013-05-07 13:27:18 -------- d-----w- C:\Program Files (x86)\mSecure

.

==================== Find3M ====================

.

2013-06-05 08:11:37 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys

2013-05-22 23:11:19 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-05-22 23:11:19 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-05-10 23:20:26 866720 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2013-05-10 23:20:26 788896 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2013-05-02 15:29:56 278800 ------w- C:\Windows\System32\MpSigStub.exe

2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll

2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll

2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll

2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll

2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2013-04-10 06:01:54 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys

2013-04-10 06:01:53 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys

2013-04-05 06:52:14 2242048 ----a-w- C:\Windows\System32\wininet.dll

2013-04-05 06:50:36 3958784 ----a-w- C:\Windows\System32\jscript9.dll

2013-04-05 06:50:31 67072 ----a-w- C:\Windows\System32\iesetup.dll

2013-04-05 06:50:31 136704 ----a-w- C:\Windows\System32\iesysprep.dll

2013-04-05 05:28:24 1767424 ----a-w- C:\Windows\SysWow64\wininet.dll

2013-04-05 05:26:26 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll

2013-04-05 05:26:21 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll

2013-04-05 05:26:21 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll

2013-04-05 04:43:00 2706432 ----a-w- C:\Windows\System32\mshtml.tlb

2013-04-05 04:29:45 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2013-04-05 03:51:11 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe

2013-04-05 03:38:25 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe

2013-04-04 02:50:32 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe

2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll

2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll

2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe

2013-03-15 06:14:04 131856 ----a-w- C:\Windows\System32\drivers\VBoxNetAdp.sys

.

============= FINISH: 21:23:32.39 ===============

Attached.txt

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 30/03/2010 7:19:10 a.m.

System Uptime: 6/06/2013 7:18:28 p.m. (2 hours ago)

.

Motherboard: Alienware | | 0VWGCV

Processor: Genuine Intel® CPU U7300 @ 1.30GHz | U2E1 | 1729/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 451 GiB total, 131.205 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: VirtualBox Host-Only Ethernet Adapter

Device ID: ROOT\NET\0000

Manufacturer: Oracle Corporation

Name: VirtualBox Host-Only Ethernet Adapter

PNP Device ID: ROOT\NET\0000

Service: VBoxNetAdp

.

==== System Restore Points ===================

.

RP734: 6/06/2013 4:30:47 p.m. - avast! Free Antivirus Setup

RP735: 6/06/2013 4:35:00 p.m. - avast! Free Antivirus Setup

RP736: 6/06/2013 5:03:51 p.m. - Removed Google Drive

RP737: 6/06/2013 7:23:22 p.m. - Windows Update

.

==== Hosts File Hijack ======================

.

Hosts: 172.16.32.1 e4200.local16

Hosts: 172.16.32.10 test.local16

Hosts: 172.16.32.10 m.test.local16

Hosts: 172.16.32.10 dev.local16

Hosts: 172.16.32.10 m.dev.local16

Hosts: 172.16.32.10 lockstore.local16

Hosts: 172.16.32.10 concrete.local16

.

==== Installed Programs ======================

.

3DMark

7-Zip 9.13 (x64 edition)

AbsoluteTelnet Version 9.18

Accelerometer

Active@ Partition Manager

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader XI (11.0.03)

Adobe Shockwave Player 12.0

Advertising Center

Aiseesoft Total Video Converter

Aiseesoft TS Video Converter

Alienware On-Screen Display

Android SDK Tools

Apache HTTP Server 2.2.15

Aspell English Dictionary-0.50-2

Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver

Audacity 2.0.3

avast! Free Antivirus

AviSynth 2.5

Battery Meter

BlackBerry Desktop Software 7.0

Broadcom 802.11 Network Adapter

Canon Easy-PhotoPrint EX

Canon Inkjet Printer Driver Add-On Module

Canon My Printer

CanoScan Toolbox Ver4.9

CCleaner

Cisco EAP-FAST Module

Cisco LEAP Module

Cisco PEAP Module

CPUID CPU-Z 1.60

CPUID HWMonitor 1.17

Crysis®

CrystalDiskMark 3.0.1c

CyberLink DVD Suite

CyberLink PowerDVD 8

CyberLink YouCam

D3DX10

Daniusoft DVD Creator(Build 1.5.0.20)

Defraggler

Dropbox

DVD Decrypter (Remove Only)

DVD Shrink 3.2

DW WLAN Card Utility

EaseUS Partition Master 9.1.1 Home Edition

Emicsoft TRP Converter

EMSC

eReg

erLT

EVGA Precision X 3.0.3

Exact Audio Copy 1.0beta3

ffdshow [rev 2583] [2009-01-05]

FFmpeg for Audacity on Windows

FileZilla Client 3.6.0.2

FLAC 1.2.1b (remove only)

Flashtool

FormatFactory 3.00

Free Audio CD to MP3 Converter version 1.3.12.1228

Freemake Video Converter version 3.2.1

Futuremark SystemInfo

Geekbench 2.3

GIMP 2.6.11

GNU Aspell 0.50-3

GNU Privacy Guard

GOM Player

Google Chrome

Google Earth

Google Update Helper

Gordon's Gate Flash Driver 2.2.0.1

Haali Media Splitter

HandBrake 0.9.8

Hard Reset Demo

HD Tune 2.55

Hotfix for Microsoft .NET Framework 4 Client Profile (KB2461678)

HWiNFO64 Version 3.95

Hybrid Graphics Driver 260.63

iBBDemo2

ieSpell

ImagXpress

ImgBurn

Inkscape 0.48.2

inSSIDer 3

Intel® Graphics Media Accelerator Driver

intelliScore Ensemble WAV to MIDI Converter Demo

IrfanView (remove only)

Java 7 Update 11 (64-bit)

Java 7 Update 21

Java Auto Updater

JMicron 1394 Filter Driver

LAME v3.98.3 for Audacity

LightScribe System Software 1.10.27.1

Link Shell Extension

Logitech SetPoint 6.32

Logitech Unifying Software 2.10

Macromedia Fireworks MX 2004

Malwarebytes Anti-Malware version 1.75.0.1300

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft Office Word Viewer 2003

Microsoft Security Client

Microsoft Security Essentials

Microsoft SkyDrive

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable (x64)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft Visual Studio 2010 Tools for Office Runtime (x64)

MiniTool Partition Wizard Home Edition 7.8

Mozilla Firefox 21.0 (x86 en-US)

Mozilla Thunderbird 22.0 (x86 en-US)

mSecure

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Music Manager

MySQL Server 5.5

MySQL Workbench 5.2 CE

Nero 9 Essentials

Nero BurnRights

Nero BurnRights Help

Nero ControlCenter

Nero CoverDesigner

Nero CoverDesigner Help

Nero Disc Copy Gadget

Nero Disc Copy Gadget Help

Nero DiscSpeed

Nero DiscSpeed Help

Nero DriveSpeed

Nero DriveSpeed Help

Nero Express Help

Nero InfoTool

Nero InfoTool Help

Nero Installer

Nero Online Upgrade

Nero Rescue Agent

Nero RescueAgent Help

Nero StartSmart

Nero StartSmart Help

NeroExpress

neroxml

Network Printer Wizard

Notepad++

NVIDIA Control Panel 260.63

NVIDIA HD Audio Driver 1.3.18.0

NVIDIA Install Application

NVIDIA nView 135.36

NVIDIA nView Desktop Manager

NVIDIA PhysX

NVIDIA PhysX System Software 9.10.0514

OpenAL

OpenOffice.org 3.4

OpenVPN 2.3.0-I001

Opera 12.15

Opera Next 12.15

Oracle VM VirtualBox 4.2.12

PHP 5.3.5

Pocket version 1.0

PowerDVD

PowerProducer

PuTTY version 0.61

QMC

QNAP Finder

Realtek High Definition Audio Driver

Resistor1.00

RT 7 Lite (64-Bit)

RT 7 Lite x64

Safari

SDFormatter

SeaTools for Windows

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2736428)

Security Update for Microsoft .NET Framework 4 Extended (KB2742595)

Simple Adblock

Sony Ericsson Update Engine

Sony Mobile Update Service

Sony PC Companion 2.10.155

Sothink Video Converter

SPG Video Player 1.0

Steam

swMSM

Synaptics Pointing Device Driver

System Requirements Lab

System Requirements Lab for Intel

System Requirements Lab for Intel (64-bit)

T610-616-618-628-630 USB-Handset Manager

TAP-Windows 9.9.2

TeamViewer 7

Tftpd64 Standalone Edition (remove only)

TrueCrypt

TSDoctor

TsRemux 0.23.2

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Video Encoder 1.4

VideoReDo TVSuite Version 4.20.6.614

VLC media player 2.0.6

VobSub v2.23 (Remove Only)

WIDCOMM Bluetooth Software

Win7 Library Tool v1.10

Winamp

Winamp Detector Plug-in

Windows Internet Explorer Platform Preview

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Language Selector

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Media Encoder 9 Series

WinPcap 4.1.2

WinSCP 4.3.4

Wireshark 1.6.2

.

==== Event Viewer Messages From Past Week ========

.

6/06/2013 9:15:06 a.m., Error: BTHUSB [17] - The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

6/06/2013 7:24:03 p.m., Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.151.1719.0).

6/06/2013 7:19:09 p.m., Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFS cdrom prodrv06 prohlp02 prosync1 sfhlp01

6/06/2013 7:18:54 p.m., Error: Service Control Manager [7000] - The Microsoft Antimalware Service service failed to start due to the following error: Access is denied.

6/06/2013 7:18:51 p.m., Error: Microsoft-Windows-Kernel-Processor-Power [35] - Performance power management features on processor 1 in group 0 are disabled due to a firmware problem. Check with the computer manufacturer for updated firmware.

6/06/2013 7:18:51 p.m., Error: Microsoft-Windows-Kernel-Processor-Power [35] - Performance power management features on processor 0 in group 0 are disabled due to a firmware problem. Check with the computer manufacturer for updated firmware.

6/06/2013 7:18:48 p.m., Error: Application Popup [1060] - \SystemRoot\SysWow64\drivers\prodrv06.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

6/06/2013 5:45:38 p.m., Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

6/06/2013 5:45:38 p.m., Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

6/06/2013 5:45:38 p.m., Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

6/06/2013 5:45:37 p.m., Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

6/06/2013 5:45:37 p.m., Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

6/06/2013 5:45:36 p.m., Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

6/06/2013 5:45:30 p.m., Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

6/06/2013 5:43:44 p.m., Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

6/06/2013 5:41:44 p.m., Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AFS aswRdr aswRvrt aswSnx aswSP aswVmm cdrom DfsC discache HWiNFO32 MpFilter NetBIOS NetBT nsiproxy prodrv06 prohlp02 prosync1 Psched rdbss sfhlp01 spldr tdx truecrypt VBoxDrv VBoxUSBMon vpcnfltr vpcvmm vwififlt Wanarpv6 WfpLwf

6/06/2013 5:41:42 p.m., Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

6/06/2013 5:41:42 p.m., Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

6/06/2013 5:41:42 p.m., Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

6/06/2013 5:41:42 p.m., Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

6/06/2013 5:41:42 p.m., Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

6/06/2013 5:41:42 p.m., Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.

6/06/2013 5:41:42 p.m., Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

6/06/2013 5:41:42 p.m., Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

6/06/2013 5:41:42 p.m., Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/06/2013 5:41:42 p.m., Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

6/06/2013 5:41:42 p.m., Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

6/06/2013 4:14:12 p.m., Error: Service Control Manager [7000] - The Microsoft Network Inspection service failed to start due to the following error: Access is denied.

6/06/2013 10:26:24 a.m., Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR20.

4/06/2013 2:21:19 a.m., Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NisSrv service.

4/06/2013 2:20:49 a.m., Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the MsMpSvc service.

3/06/2013 2:31:58 p.m., Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

.

==== End Of File ===========================

RogueKiller Report

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : john [Admin rights]

Mode : Scan -- Date : 06/06/2013 20:51:16

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$d60782dac31c2b71800738103d4cb417\@ [-] --> FOUND

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-1609726283-737579647-4226795270-1000\$d60782dac31c2b71800738103d4cb417\@ [-] --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$d60782dac31c2b71800738103d4cb417\U --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1609726283-737579647-4226795270-1000\$d60782dac31c2b71800738103d4cb417\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$d60782dac31c2b71800738103d4cb417\L --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1609726283-737579647-4226795270-1000\$d60782dac31c2b71800738103d4cb417\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

127.0.0.1 dev.local

::1 dev.local

127.0.0.1 lockstore.local

::1 lockstore.local

127.0.0.1 www.lockstore.local

::1 www.lockstore.local

127.0.0.1 alien.local

::1 alien.local

127.0.0.1 popwin.local

::1 popwin.local

127.0.0.1 concrete.local

::1 concrete.local

127.0.0.1 m.concrete.local

::1 m.concrete.local

127.0.0.1 www.concrete.local

::1 www.concrete.local

127.0.0.1 media.concrete.local

::1 media.concrete.local

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500420AS +++++

--- User ---

[MBR] 5e95c3493df0297608f4477f570ab54a

[bSP] aa0f964089f9edd071e87baa2ed5ab73 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 461899 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_06062013_02d2051.txt >>


Hi there,

my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

ComboFix

ComboFix should only be run when advised by a team member!

Link

Important - Save the file to your desktop!

  • Deactivate any and all of your antivirus programs / spyware scanners - they can prevent CF from doing its work.
  • Run ComboFix.exe

When finished, ComboFix creates a log file named C:\ComboFix.txt. Please post its content in your next reply.


ComboFix 13-06-05.05 - john 06/06/2013 22:58:54.1.2 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.64.1033.18.3997.2068 [GMT 12:00]

Running from: c:\users\john\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe

c:\users\john\oo33.exe

c:\users\john\Tmp969C.tmp

c:\users\john\TmpEEC5.tmp

.

.

((((((((((((((((((((((((( Files Created from 2013-05-06 to 2013-06-06 )))))))))))))))))))))))))))))))

.

.

2013-06-06 11:09 . 2013-06-06 11:09 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-06-06 11:09 . 2013-06-06 11:09 -------- d-----w- c:\users\Cathie\AppData\Local\temp

2013-06-06 04:31 . 2013-05-09 08:59 378432 ----a-w- c:\windows\system32\drivers\aswSP.sys

2013-06-06 04:31 . 2013-05-09 08:59 33400 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2013-06-06 04:31 . 2013-05-09 08:59 72016 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2013-06-06 04:31 . 2013-05-09 08:59 1025808 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2013-06-06 04:31 . 2013-05-09 08:59 65336 ----a-w- c:\windows\system32\drivers\aswRvrt.sys

2013-06-06 04:31 . 2013-05-09 08:59 189936 ----a-w- c:\windows\system32\drivers\aswVmm.sys

2013-06-06 04:31 . 2013-05-09 08:59 80816 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2013-06-06 04:31 . 2013-05-09 08:58 41664 ----a-w- c:\windows\avastSS.scr

2013-06-03 12:18 . 2013-06-03 12:18 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1A463B6F-A7C5-4D2E-9D06-17E952AF717E}\offreg.dll

2013-06-02 15:12 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1A463B6F-A7C5-4D2E-9D06-17E952AF717E}\mpengine.dll

2013-06-02 15:10 . 2013-04-05 06:50 2647552 ----a-w- c:\windows\system32\iertutil.dll

2013-06-02 15:09 . 2013-02-27 05:52 14172672 ----a-w- c:\windows\system32\shell32.dll

2013-06-02 15:09 . 2013-02-27 05:52 197120 ----a-w- c:\windows\system32\shdocvw.dll

2013-06-02 15:09 . 2013-02-27 05:48 1930752 ----a-w- c:\windows\system32\authui.dll

2013-06-02 15:09 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe

2013-06-02 15:09 . 2013-02-27 05:47 70144 ----a-w- c:\windows\system32\appinfo.dll

2013-06-02 15:09 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\SysWow64\authui.dll

2013-06-02 15:09 . 2013-03-19 05:53 48640 ----a-w- c:\windows\system32\wwanprotdim.dll

2013-06-02 15:09 . 2013-03-19 05:53 230400 ----a-w- c:\windows\system32\wwansvc.dll

2013-06-02 15:09 . 2013-04-10 03:30 3153920 ----a-w- c:\windows\system32\win32k.sys

2013-06-02 11:32 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-06-01 06:01 . 2002-07-23 00:17 225280 ----a-w- c:\windows\USBT610phmgunin.exe

2013-06-01 06:01 . 2013-06-01 06:01 -------- d-----w- c:\users\john\AppData\Roaming\MobileAction

2013-05-31 02:25 . 2009-06-03 18:36 180224 ----a-w- c:\windows\SysWow64\imsised.exe

2013-05-31 02:25 . 2005-12-14 00:15 49152 ----a-w- c:\windows\SysWow64\WDec3.ocx

2013-05-31 02:25 . 2013-05-31 02:25 -------- d-----w- c:\windows\SysWow64\aspi

2013-05-31 02:25 . 2005-06-12 17:02 166600 ----a-w- c:\windows\SysWow64\msmask32.ocx

2013-05-31 02:25 . 2005-06-12 17:02 198848 ----a-w- c:\windows\SysWow64\MCI32.OCX

2013-05-31 02:25 . 2013-05-31 02:25 -------- d-----w- c:\program files (x86)\intelliScore Ensemble WAV to MIDI Converter Demo

2013-05-31 02:11 . 2013-05-31 02:11 -------- d-----w- c:\program files (x86)\Audacity

2013-05-23 10:16 . 2013-04-11 23:41 237840 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys

2013-05-23 10:16 . 2013-04-11 23:40 120080 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys

2013-05-23 10:16 . 2013-05-23 10:16 -------- d-----w- c:\program files\Oracle

2013-05-21 22:09 . 2013-05-21 22:08 964552 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{873A69B2-451F-4EBD-9462-4EFD717EEFD5}\gapaengine.dll

2013-05-18 15:20 . 2013-05-18 15:20 -------- d-----w- c:\program files (x86)\Winamp Detect

2013-05-15 03:31 . 2013-05-15 03:31 -------- d-----w- c:\programdata\Cisco Systems

2013-05-15 01:37 . 2013-05-26 00:39 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird

2013-05-10 23:21 . 2013-05-10 23:21 -------- d-----w- c:\program files (x86)\Common Files\Java

2013-05-10 23:20 . 2013-05-10 23:20 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2013-05-08 04:41 . 2013-05-08 04:41 -------- d-sh--w- c:\users\john\AppData\Local\ms-drivers

2013-05-07 13:27 . 2013-05-07 13:27 -------- d-----w- c:\program files (x86)\mSecure

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-06-05 08:11 . 2011-06-18 23:33 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2013-06-02 15:19 . 2010-03-30 09:27 75016696 ----a-w- c:\windows\system32\MRT.exe

2013-05-22 23:11 . 2011-11-25 02:46 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-05-22 23:11 . 2011-03-18 02:27 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-05-10 23:20 . 2012-10-22 11:18 866720 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2013-05-10 23:20 . 2010-07-08 13:04 788896 ----a-w- c:\windows\SysWow64\deployJava1.dll

2013-05-09 08:58 . 2012-02-27 23:27 287840 ----a-w- c:\windows\system32\aswBoot.exe

2013-05-08 07:49 . 2011-03-28 06:36 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2013-05-02 15:29 . 2010-03-30 05:27 278800 ------w- c:\windows\system32\MpSigStub.exe

2013-04-24 04:12 . 2012-09-27 04:20 905296 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll

2013-04-13 05:49 . 2013-06-02 15:09 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2013-04-13 05:49 . 2013-06-02 15:09 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll

2013-04-13 05:49 . 2013-06-02 15:09 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2013-04-13 05:49 . 2013-06-02 15:09 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll

2013-04-13 04:45 . 2013-06-02 15:09 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-04-13 04:45 . 2013-06-02 15:09 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-04-12 14:45 . 2013-04-24 05:05 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-04-04 02:50 . 2011-05-31 16:13 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-27 01:22 . 2013-03-27 01:22 1054720 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe

2013-03-27 01:22 . 2013-03-27 01:22 226304 ----a-w- c:\windows\system32\elshyph.dll

2013-03-27 01:22 . 2013-03-27 01:22 185344 ----a-w- c:\windows\SysWow64\elshyph.dll

2013-03-27 01:22 . 2013-03-27 01:22 158720 ----a-w- c:\windows\SysWow64\msls31.dll

2013-03-27 01:22 . 2013-03-27 01:22 719360 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll

2013-03-27 01:22 . 2013-03-27 01:22 523264 ----a-w- c:\windows\SysWow64\vbscript.dll

2013-03-27 01:22 . 2013-03-27 01:22 150528 ----a-w- c:\windows\SysWow64\iexpress.exe

2013-03-27 01:22 . 2013-03-27 01:22 138752 ----a-w- c:\windows\SysWow64\wextract.exe

2013-03-27 01:22 . 2013-03-27 01:22 137216 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2013-03-27 01:22 . 2013-03-27 01:22 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe

2013-03-27 01:22 . 2013-03-27 01:22 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll

2013-03-27 01:22 . 2013-03-27 01:22 38400 ----a-w- c:\windows\SysWow64\imgutil.dll

2013-03-27 01:22 . 2013-03-27 01:22 12800 ----a-w- c:\windows\SysWow64\mshta.exe

2013-03-27 01:22 . 2013-03-27 01:22 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll

2013-03-27 01:22 . 2013-03-27 01:22 61952 ----a-w- c:\windows\SysWow64\tdc.ocx

2013-03-27 01:22 . 2013-03-27 01:22 361984 ----a-w- c:\windows\SysWow64\html.iec

2013-03-27 01:22 . 2013-03-27 01:22 23040 ----a-w- c:\windows\SysWow64\licmgr10.dll

2013-03-27 01:22 . 2013-03-27 01:22 1441280 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2013-03-27 01:22 . 2013-03-27 01:22 216064 ----a-w- c:\windows\system32\msls31.dll

2013-03-27 01:22 . 2013-03-27 01:22 197120 ----a-w- c:\windows\system32\msrating.dll

2013-03-27 01:22 . 2013-03-27 01:22 441856 ----a-w- c:\windows\system32\html.iec

2013-03-27 01:22 . 2013-03-27 01:22 97280 ----a-w- c:\windows\system32\mshtmled.dll

2013-03-27 01:22 . 2013-03-27 01:22 905728 ----a-w- c:\windows\system32\mshtmlmedia.dll

2013-03-27 01:22 . 2013-03-27 01:22 81408 ----a-w- c:\windows\system32\icardie.dll

2013-03-27 01:22 . 2013-03-27 01:22 762368 ----a-w- c:\windows\system32\ieapfltr.dll

2013-03-27 01:22 . 2013-03-27 01:22 599552 ----a-w- c:\windows\system32\vbscript.dll

2013-03-27 01:22 . 2013-03-27 01:22 452096 ----a-w- c:\windows\system32\dxtmsft.dll

2013-03-27 01:22 . 2013-03-27 01:22 281600 ----a-w- c:\windows\system32\dxtrans.dll

2013-03-27 01:22 . 2013-03-27 01:22 27648 ----a-w- c:\windows\system32\licmgr10.dll

2013-03-27 01:22 . 2013-03-27 01:22 270848 ----a-w- c:\windows\system32\iedkcs32.dll

2013-03-27 01:22 . 2013-03-27 01:22 247296 ----a-w- c:\windows\system32\webcheck.dll

2013-03-27 01:22 . 2013-03-27 01:22 235008 ----a-w- c:\windows\system32\url.dll

2013-03-27 01:22 . 2013-03-27 01:22 167424 ----a-w- c:\windows\system32\iexpress.exe

2013-03-27 01:22 . 2013-03-27 01:22 1509376 ----a-w- c:\windows\system32\inetcpl.cpl

2013-03-27 01:22 . 2013-03-27 01:22 144896 ----a-w- c:\windows\system32\wextract.exe

2013-03-27 01:22 . 2013-03-27 01:22 1400416 ----a-w- c:\windows\system32\ieapfltr.dat

2013-03-27 01:22 . 2013-03-27 01:22 102912 ----a-w- c:\windows\system32\inseng.dll

2013-03-27 01:22 . 2013-03-27 01:22 173568 ----a-w- c:\windows\system32\ieUnatt.exe

2013-03-27 01:22 . 2013-03-27 01:22 92160 ----a-w- c:\windows\system32\SetIEInstalledDate.exe

2013-03-27 01:22 . 2013-03-27 01:22 62976 ----a-w- c:\windows\system32\pngfilt.dll

2013-03-27 01:22 . 2013-03-27 01:22 52224 ----a-w- c:\windows\system32\msfeedsbs.dll

2013-03-27 01:22 . 2013-03-27 01:22 51200 ----a-w- c:\windows\system32\imgutil.dll

2013-03-27 01:22 . 2013-03-27 01:22 48640 ----a-w- c:\windows\system32\mshtmler.dll

2013-03-27 01:22 . 2013-03-27 01:22 149504 ----a-w- c:\windows\system32\occache.dll

2013-03-27 01:22 . 2013-03-27 01:22 13824 ----a-w- c:\windows\system32\mshta.exe

2013-03-27 01:22 . 2013-03-27 01:22 136192 ----a-w- c:\windows\system32\iepeers.dll

2013-03-27 01:22 . 2013-03-27 01:22 135680 ----a-w- c:\windows\system32\IEAdvpack.dll

2013-03-27 01:22 . 2013-03-27 01:22 12800 ----a-w- c:\windows\system32\msfeedssync.exe

2013-03-27 01:22 . 2013-03-27 01:22 77312 ----a-w- c:\windows\system32\tdc.ocx

2013-03-19 06:04 . 2013-04-11 11:14 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-19 05:46 . 2013-04-11 11:14 43520 ----a-w- c:\windows\system32\csrsrv.dll

2013-03-19 05:04 . 2013-04-11 11:14 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2013-03-19 05:04 . 2013-04-11 11:14 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2013-03-19 04:47 . 2013-04-11 11:14 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll

2013-03-19 03:06 . 2013-04-11 11:14 112640 ----a-w- c:\windows\system32\smss.exe

2013-03-15 06:14 . 2013-03-15 06:14 131856 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]

@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"

[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]

2012-07-16 17:06 220632 ----a-w- c:\users\john\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]

@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"

[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]

2012-07-16 17:06 220632 ----a-w- c:\users\john\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]

@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"

[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]

2012-07-16 17:06 220632 ----a-w- c:\users\john\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 130736 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 130736 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 130736 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 130736 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968]

.

c:\users\Cathie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [N/A]

OpenOffice.org 3.4.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [N/A]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-1 1079584]

Monitor Apache Servers.lnk - c:\program files (x86)\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2010-3-4 41051]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R0 AFS;AFS; [x]

R1 bweeknts;bweeknts;c:\windows\system32\drivers\bweeknts.sys;c:\windows\SYSNATIVE\drivers\bweeknts.sys [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R3 Apache2.2;Apache2.2;c:\program files (x86)\Apache Software Foundation\Apache2.2\bin\httpd.exe;c:\program files (x86)\Apache Software Foundation\Apache2.2\bin\httpd.exe [x]

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys;c:\windows\SYSNATIVE\drivers\btusbflt.sys [x]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]

R3 connctfy;Connectify Service;c:\windows\system32\DRIVERS\connctfy.sys;c:\windows\SYSNATIVE\DRIVERS\connctfy.sys [x]

R3 connctfyMP;connctfyMP;c:\windows\system32\DRIVERS\connctfy.sys;c:\windows\SYSNATIVE\DRIVERS\connctfy.sys [x]

R3 cpuz136;cpuz136;c:\windows\TEMP\cpuz136\cpuz136_x64.sys;c:\windows\TEMP\cpuz136\cpuz136_x64.sys [x]

R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]

R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys;c:\windows\SYSNATIVE\epmntdrv.sys [x]

R3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\DRIVERS\GenBus.sys;c:\windows\SYSNATIVE\DRIVERS\GenBus.sys [x]

R3 EST_Server;Network USB Device;c:\windows\system32\DRIVERS\GenHC.sys;c:\windows\SYSNATIVE\DRIVERS\GenHC.sys [x]

R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys;c:\windows\SYSNATIVE\EuGdiDrv.sys [x]

R3 FACAP;facap, FastAccess Video Capture;c:\windows\system32\DRIVERS\facap.sys;c:\windows\SYSNATIVE\DRIVERS\facap.sys [x]

R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys;c:\windows\SYSNATIVE\DRIVERS\ggflt.sys [x]

R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys;c:\windows\SYSNATIVE\DRIVERS\ivusb.sys [x]

R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys;c:\windows\SYSNATIVE\DRIVERS\LEqdUsb.Sys [x]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys;c:\windows\SYSNATIVE\DRIVERS\LHidEqd.Sys [x]

R3 MosIrUsb;MosIrUsb.sys;c:\windows\system32\DRIVERS\MosIrUsb.sys;c:\windows\SYSNATIVE\DRIVERS\MosIrUsb.sys [x]

R3 NANMp50;NANMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NANMp50.sys;c:\windows\SYSNATIVE\Drivers\NANMp50.sys [x]

R3 NANSp50;NANSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NANSp50.sys;c:\windows\SYSNATIVE\Drivers\NANSp50.sys [x]

R3 NisSrv;NisSrv;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]

R3 nmwcdnsux64;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsux64.sys;c:\windows\SYSNATIVE\drivers\nmwcdnsux64.sys [x]

R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys;c:\windows\SYSNATIVE\pwdrvio.sys [x]

R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys;c:\windows\SYSNATIVE\pwdspio.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]

R3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys;c:\windows\SYSNATIVE\DRIVERS\RTL8192cu.sys [x]

R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys;c:\windows\SYSNATIVE\DRIVERS\s0016bus.sys [x]

R3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0016mdfl.sys;c:\windows\SYSNATIVE\DRIVERS\s0016mdfl.sys [x]

R3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0016mdm.sys;c:\windows\SYSNATIVE\DRIVERS\s0016mdm.sys [x]

R3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0016mgmt.sys;c:\windows\SYSNATIVE\DRIVERS\s0016mgmt.sys [x]

R3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\DRIVERS\s0016nd5.sys;c:\windows\SYSNATIVE\DRIVERS\s0016nd5.sys [x]

R3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0016obex.sys;c:\windows\SYSNATIVE\DRIVERS\s0016obex.sys [x]

R3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\DRIVERS\s0016unic.sys;c:\windows\SYSNATIVE\DRIVERS\s0016unic.sys [x]

R3 Sony PC Companion;Sony PC Companion;c:\program files (x86)\Sony\Sony PC Companion\PCCService.exe;c:\program files (x86)\Sony\Sony PC Companion\PCCService.exe [x]

R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys;c:\windows\SYSNATIVE\DRIVERS\tap0801.sys [x]

R3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\DRIVERS\tapoas.sys;c:\windows\SYSNATIVE\DRIVERS\tapoas.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 USB_Ethernet_Adaptor;USB to Ethernet Adapter;c:\windows\system32\DRIVERS\USB_Ethernet_Adaptor.sys;c:\windows\SYSNATIVE\DRIVERS\USB_Ethernet_Adaptor.sys [x]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetAdp.sys [x]

R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetFlt.sys [x]

R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys;c:\windows\SYSNATIVE\Drivers\VBoxUSB.sys [x]

R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys;c:\windows\SYSNATIVE\DRIVERS\vpcuxd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]

R4 CronService;Cron Service for Prey;c:\program files\Prey\platform\windows\cronsvc.exe;c:\program files\Prey\platform\windows\cronsvc.exe [x]

R4 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [x]

R4 InstallFilterService;FF Install Filter Service;c:\program files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe;c:\program files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe [x]

R4 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]

R4 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [x]

S0 aswRvrt;aswRvrt; [x]

S0 aswVmm;aswVmm; [x]

S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS;c:\windows\SYSNATIVE\DRIVERS\EMSC.SYS [x]

S0 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys;c:\windows\SYSNATIVE\DRIVERS\johci.sys [x]

S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdflt.sys;c:\windows\SYSNATIVE\DRIVERS\stdflt.sys [x]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\program files\HWiNFO64\HWiNFO64A.SYS;c:\program files\HWiNFO64\HWiNFO64A.SYS [x]

S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxDrv.sys [x]

S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxUSBMon.sys [x]

S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2010/05/20 17:39];c:\program files (x86)\CyberLink\PowerDVD8\000.fcl;c:\program files (x86)\CyberLink\PowerDVD8\000.fcl [x]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]

S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys;c:\windows\SYSNATIVE\drivers\cpuz135_x64.sys [x]

S2 MySQL5;MySQL5;c:\program files\MySQL\MySQL Server 5.5\bin\mysqld --defaults-file=c:\program files\MySQL\MySQL Server 5.5\my.ini MySQL5;c:\program files\MySQL\MySQL Server 5.5\bin\mysqld --defaults-file=c:\program files\MySQL\MySQL Server 5.5\my.ini MySQL5 [x]

S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]

S2 NPWService;NPWService;c:\program files (x86)\Generic\Network Printer Wizard\NPWService.exe;c:\program files (x86)\Generic\Network Printer Wizard\NPWService.exe [x]

S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Acceler.sys;c:\windows\SYSNATIVE\DRIVERS\Acceler.sys [x]

S3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys;c:\windows\SYSNATIVE\DRIVERS\bcmvwl64.sys [x]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]

S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys;c:\windows\SYSNATIVE\DRIVERS\seehcri.sys [x]

S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys;c:\windows\SYSNATIVE\DRIVERS\teamviewervpn.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-12-05 00:27 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-06 04:31]

.

2013-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-06 04:31]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]

@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"

[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]

2012-07-16 17:06 244688 ----a-w- c:\users\john\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]

@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"

[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]

2012-07-16 17:06 244688 ----a-w- c:\users\john\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]

@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"

[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]

2012-07-16 17:06 244688 ----a-w- c:\users\john\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2013-05-09 08:58 133840 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 164016 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 164016 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 164016 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 164016 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\HardLinkMenu]

@="{0A479751-02BC-11d3-A855-0004AC2568AA}"

[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568AA}]

2011-06-24 06:03 456704 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHardLink]

@="{0A479751-02BC-11d3-A855-0004AC2568DD}"

[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568DD}]

2011-06-24 06:03 456704 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlaySymbolicLink]

@="{0A479751-02BC-11d3-A855-0004AC2568EE}"

[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568EE}]

2011-06-24 06:03 456704 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-10-17 13307496]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-06 165912]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-06 387608]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-06 365592]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = about:blank

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: DhcpNameServer = 172.16.32.254

FF - ProfilePath - c:\users\john\AppData\Roaming\Mozilla\Firefox\Profiles\p8evg2gy.default\

FF - prefs.js: browser.startup.homepage - about:blank

.

.

------- File Associations -------

.

.txt=Notepad++_file

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

SafeBoot-mcmscsvc

SafeBoot-MCODS

SafeBoot-SolutoService

HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start

Toolbar-Locked - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

HKLM-Run-MSC - c:\program files\Microsoft Security Client\mssecex.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MySQL5]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.5\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.5\my.ini\" MySQL5"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]

"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD8\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,dd,c3,1d,c3,84,e6,36,44,8b,5d,0d,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,dd,c3,1d,c3,84,e6,36,44,8b,5d,0d,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0012\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-06-06 23:13:24

ComboFix-quarantined-files.txt 2013-06-06 11:13

.

Pre-Run: 140,694,364,160 bytes free

Post-Run: 140,747,923,456 bytes free

.

- - End Of File - - 69460904EE72C0F9C955B96F9554C8ED


CF-Script

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

CFScript.txt


Yes, you are correct. It appeared to be a controlled reboot, maybe to get exclusive access to something.

I just wasn't expecting it, as I don't trust my notebook as far as I can kick it.

ComboFix asked me to download an updated version. I said NO!

And in safe mode, Avast! seems to have a resident process active with no 'noob' way to shut it down.

If one starts Avast up on the pretence of shutting it down, it has its own 'Safe Mode' UI, and its mail, file etc. processes are already stopped.

Plus Microsoft Essentials seems to have a 'process' running now too.

I uninstalled Microsoft Security Essentials and just 'disabled' Avast when re-running the ComboFix tool.

So, I did have a few attempts before I got a clean run of ComboFix.

----------------------------------------------------------------------------------------

ComboFix 13-06-05.05 - john 07/06/2013 1:52.3.2 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.64.1033.18.3997.2645 [GMT 12:00]

Running from: c:\users\john\Desktop\ComboFix.exe

Command switches used :: c:\users\john\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\data . . . . Failed to delete

c:\data\ibdata1 . . . . Failed to delete

.

.

((((((((((((((((((((((((( Files Created from 2013-05-06 to 2013-06-06 )))))))))))))))))))))))))))))))

.

.

2013-06-06 14:01 . 2013-06-06 14:01 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-06-06 14:01 . 2013-06-06 14:01 -------- d-----w- c:\users\Cathie\AppData\Local\temp

2013-06-06 14:01 . 2013-06-06 14:01 -------- d-----w- c:\users\BenchMark\AppData\Local\temp

2013-06-06 14:01 . 2013-06-06 14:01 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2013-06-06 14:01 . 2013-06-06 14:01 -------- d-----w- c:\users\Administrator.alien51\AppData\Local\temp

2013-06-06 14:01 . 2013-06-06 14:01 -------- d-----w- c:\users\Admin\AppData\Local\temp

2013-06-06 04:31 . 2013-05-09 08:59 378432 ----a-w- c:\windows\system32\drivers\aswSP.sys

2013-06-06 04:31 . 2013-05-09 08:59 33400 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2013-06-06 04:31 . 2013-05-09 08:59 72016 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2013-06-06 04:31 . 2013-05-09 08:59 1025808 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2013-06-06 04:31 . 2013-05-09 08:59 65336 ----a-w- c:\windows\system32\drivers\aswRvrt.sys

2013-06-06 04:31 . 2013-05-09 08:59 189936 ----a-w- c:\windows\system32\drivers\aswVmm.sys

2013-06-06 04:31 . 2013-05-09 08:59 80816 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2013-06-06 04:31 . 2013-05-09 08:58 41664 ----a-w- c:\windows\avastSS.scr

2013-06-02 15:10 . 2013-04-05 06:50 2647552 ----a-w- c:\windows\system32\iertutil.dll

2013-06-02 15:09 . 2013-02-27 05:52 14172672 ----a-w- c:\windows\system32\shell32.dll

2013-06-02 15:09 . 2013-02-27 05:52 197120 ----a-w- c:\windows\system32\shdocvw.dll

2013-06-02 15:09 . 2013-02-27 05:48 1930752 ----a-w- c:\windows\system32\authui.dll

2013-06-02 15:09 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe

2013-06-02 15:09 . 2013-02-27 05:47 70144 ----a-w- c:\windows\system32\appinfo.dll

2013-06-02 15:09 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\SysWow64\authui.dll

2013-06-02 15:09 . 2013-03-19 05:53 48640 ----a-w- c:\windows\system32\wwanprotdim.dll

2013-06-02 15:09 . 2013-03-19 05:53 230400 ----a-w- c:\windows\system32\wwansvc.dll

2013-06-02 15:09 . 2013-04-10 03:30 3153920 ----a-w- c:\windows\system32\win32k.sys

2013-06-01 06:01 . 2002-07-23 00:17 225280 ----a-w- c:\windows\USBT610phmgunin.exe

2013-06-01 06:01 . 2013-06-01 06:01 -------- d-----w- c:\users\john\AppData\Roaming\MobileAction

2013-05-31 02:25 . 2009-06-03 18:36 180224 ----a-w- c:\windows\SysWow64\imsised.exe

2013-05-31 02:25 . 2005-12-14 00:15 49152 ----a-w- c:\windows\SysWow64\WDec3.ocx

2013-05-31 02:25 . 2013-05-31 02:25 -------- d-----w- c:\windows\SysWow64\aspi

2013-05-31 02:25 . 2005-06-12 17:02 166600 ----a-w- c:\windows\SysWow64\msmask32.ocx

2013-05-31 02:25 . 2005-06-12 17:02 198848 ----a-w- c:\windows\SysWow64\MCI32.OCX

2013-05-31 02:25 . 2013-05-31 02:25 -------- d-----w- c:\program files (x86)\intelliScore Ensemble WAV to MIDI Converter Demo

2013-05-31 02:11 . 2013-05-31 02:11 -------- d-----w- c:\program files (x86)\Audacity

2013-05-23 10:16 . 2013-04-11 23:41 237840 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys

2013-05-23 10:16 . 2013-04-11 23:40 120080 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys

2013-05-23 10:16 . 2013-05-23 10:16 -------- d-----w- c:\program files\Oracle

2013-05-18 15:20 . 2013-05-18 15:20 -------- d-----w- c:\program files (x86)\Winamp Detect

2013-05-15 03:31 . 2013-05-15 03:31 -------- d-----w- c:\programdata\Cisco Systems

2013-05-15 01:37 . 2013-05-26 00:39 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird

2013-05-10 23:21 . 2013-05-10 23:21 -------- d-----w- c:\program files (x86)\Common Files\Java

2013-05-10 23:20 . 2013-05-10 23:20 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2013-05-08 04:41 . 2013-05-08 04:41 -------- d-sh--w- c:\users\john\AppData\Local\ms-drivers

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-06-05 08:11 . 2011-06-18 23:33 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2013-06-02 15:19 . 2010-03-30 09:27 75016696 ----a-w- c:\windows\system32\MRT.exe

2013-05-22 23:11 . 2011-11-25 02:46 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-05-22 23:11 . 2011-03-18 02:27 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-05-10 23:20 . 2012-10-22 11:18 866720 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2013-05-10 23:20 . 2010-07-08 13:04 788896 ----a-w- c:\windows\SysWow64\deployJava1.dll

2013-05-09 08:58 . 2012-02-27 23:27 287840 ----a-w- c:\windows\system32\aswBoot.exe

2013-05-08 07:49 . 2011-03-28 06:36 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2013-05-02 15:29 . 2010-03-30 05:27 278800 ------w- c:\windows\system32\MpSigStub.exe

2013-04-13 05:49 . 2013-06-02 15:09 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2013-04-13 05:49 . 2013-06-02 15:09 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll

2013-04-13 05:49 . 2013-06-02 15:09 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2013-04-13 05:49 . 2013-06-02 15:09 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll

2013-04-13 04:45 . 2013-06-02 15:09 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-04-13 04:45 . 2013-06-02 15:09 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-04-12 14:45 . 2013-04-24 05:05 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-04-04 02:50 . 2011-05-31 16:13 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-27 01:22 . 2013-03-27 01:22 1054720 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe

2013-03-27 01:22 . 2013-03-27 01:22 226304 ----a-w- c:\windows\system32\elshyph.dll

2013-03-27 01:22 . 2013-03-27 01:22 185344 ----a-w- c:\windows\SysWow64\elshyph.dll

2013-03-27 01:22 . 2013-03-27 01:22 158720 ----a-w- c:\windows\SysWow64\msls31.dll

2013-03-27 01:22 . 2013-03-27 01:22 719360 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll

2013-03-27 01:22 . 2013-03-27 01:22 523264 ----a-w- c:\windows\SysWow64\vbscript.dll

2013-03-27 01:22 . 2013-03-27 01:22 150528 ----a-w- c:\windows\SysWow64\iexpress.exe

2013-03-27 01:22 . 2013-03-27 01:22 138752 ----a-w- c:\windows\SysWow64\wextract.exe

2013-03-27 01:22 . 2013-03-27 01:22 137216 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2013-03-27 01:22 . 2013-03-27 01:22 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe

2013-03-27 01:22 . 2013-03-27 01:22 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll

2013-03-27 01:22 . 2013-03-27 01:22 38400 ----a-w- c:\windows\SysWow64\imgutil.dll

2013-03-27 01:22 . 2013-03-27 01:22 12800 ----a-w- c:\windows\SysWow64\mshta.exe

2013-03-27 01:22 . 2013-03-27 01:22 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll

2013-03-27 01:22 . 2013-03-27 01:22 61952 ----a-w- c:\windows\SysWow64\tdc.ocx

2013-03-27 01:22 . 2013-03-27 01:22 361984 ----a-w- c:\windows\SysWow64\html.iec

2013-03-27 01:22 . 2013-03-27 01:22 23040 ----a-w- c:\windows\SysWow64\licmgr10.dll

2013-03-27 01:22 . 2013-03-27 01:22 1441280 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2013-03-27 01:22 . 2013-03-27 01:22 216064 ----a-w- c:\windows\system32\msls31.dll

2013-03-27 01:22 . 2013-03-27 01:22 197120 ----a-w- c:\windows\system32\msrating.dll

2013-03-27 01:22 . 2013-03-27 01:22 441856 ----a-w- c:\windows\system32\html.iec

2013-03-27 01:22 . 2013-03-27 01:22 97280 ----a-w- c:\windows\system32\mshtmled.dll

2013-03-27 01:22 . 2013-03-27 01:22 905728 ----a-w- c:\windows\system32\mshtmlmedia.dll

2013-03-27 01:22 . 2013-03-27 01:22 81408 ----a-w- c:\windows\system32\icardie.dll

2013-03-27 01:22 . 2013-03-27 01:22 762368 ----a-w- c:\windows\system32\ieapfltr.dll

2013-03-27 01:22 . 2013-03-27 01:22 599552 ----a-w- c:\windows\system32\vbscript.dll

2013-03-27 01:22 . 2013-03-27 01:22 452096 ----a-w- c:\windows\system32\dxtmsft.dll

2013-03-27 01:22 . 2013-03-27 01:22 281600 ----a-w- c:\windows\system32\dxtrans.dll

2013-03-27 01:22 . 2013-03-27 01:22 27648 ----a-w- c:\windows\system32\licmgr10.dll

2013-03-27 01:22 . 2013-03-27 01:22 270848 ----a-w- c:\windows\system32\iedkcs32.dll

2013-03-27 01:22 . 2013-03-27 01:22 247296 ----a-w- c:\windows\system32\webcheck.dll

2013-03-27 01:22 . 2013-03-27 01:22 235008 ----a-w- c:\windows\system32\url.dll

2013-03-27 01:22 . 2013-03-27 01:22 167424 ----a-w- c:\windows\system32\iexpress.exe

2013-03-27 01:22 . 2013-03-27 01:22 1509376 ----a-w- c:\windows\system32\inetcpl.cpl

2013-03-27 01:22 . 2013-03-27 01:22 144896 ----a-w- c:\windows\system32\wextract.exe

2013-03-27 01:22 . 2013-03-27 01:22 1400416 ----a-w- c:\windows\system32\ieapfltr.dat

2013-03-27 01:22 . 2013-03-27 01:22 102912 ----a-w- c:\windows\system32\inseng.dll

2013-03-27 01:22 . 2013-03-27 01:22 173568 ----a-w- c:\windows\system32\ieUnatt.exe

2013-03-27 01:22 . 2013-03-27 01:22 92160 ----a-w- c:\windows\system32\SetIEInstalledDate.exe

2013-03-27 01:22 . 2013-03-27 01:22 62976 ----a-w- c:\windows\system32\pngfilt.dll

2013-03-27 01:22 . 2013-03-27 01:22 52224 ----a-w- c:\windows\system32\msfeedsbs.dll

2013-03-27 01:22 . 2013-03-27 01:22 51200 ----a-w- c:\windows\system32\imgutil.dll

2013-03-27 01:22 . 2013-03-27 01:22 48640 ----a-w- c:\windows\system32\mshtmler.dll

2013-03-27 01:22 . 2013-03-27 01:22 149504 ----a-w- c:\windows\system32\occache.dll

2013-03-27 01:22 . 2013-03-27 01:22 13824 ----a-w- c:\windows\system32\mshta.exe

2013-03-27 01:22 . 2013-03-27 01:22 136192 ----a-w- c:\windows\system32\iepeers.dll

2013-03-27 01:22 . 2013-03-27 01:22 135680 ----a-w- c:\windows\system32\IEAdvpack.dll

2013-03-27 01:22 . 2013-03-27 01:22 12800 ----a-w- c:\windows\system32\msfeedssync.exe

2013-03-27 01:22 . 2013-03-27 01:22 77312 ----a-w- c:\windows\system32\tdc.ocx

2013-03-19 06:04 . 2013-04-11 11:14 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-19 05:46 . 2013-04-11 11:14 43520 ----a-w- c:\windows\system32\csrsrv.dll

2013-03-19 05:04 . 2013-04-11 11:14 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2013-03-19 05:04 . 2013-04-11 11:14 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2013-03-19 04:47 . 2013-04-11 11:14 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll

2013-03-19 03:06 . 2013-04-11 11:14 112640 ----a-w- c:\windows\system32\smss.exe

2013-03-15 06:14 . 2013-03-15 06:14 131856 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]

@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"

[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]

2012-07-16 17:06 220632 ----a-w- c:\users\john\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]

@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"

[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]

2012-07-16 17:06 220632 ----a-w- c:\users\john\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]

@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"

[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]

2012-07-16 17:06 220632 ----a-w- c:\users\john\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 130736 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 130736 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 130736 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 130736 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968]

.

c:\users\Cathie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [N/A]

OpenOffice.org 3.4.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [N/A]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-1 1079584]

Monitor Apache Servers.lnk - c:\program files (x86)\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2010-3-4 41051]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

R0 AFS;AFS; [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R3 Apache2.2;Apache2.2;c:\program files (x86)\Apache Software Foundation\Apache2.2\bin\httpd.exe;c:\program files (x86)\Apache Software Foundation\Apache2.2\bin\httpd.exe [x]

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys;c:\windows\SYSNATIVE\drivers\btusbflt.sys [x]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]

R3 connctfy;Connectify Service;c:\windows\system32\DRIVERS\connctfy.sys;c:\windows\SYSNATIVE\DRIVERS\connctfy.sys [x]

R3 connctfyMP;connctfyMP;c:\windows\system32\DRIVERS\connctfy.sys;c:\windows\SYSNATIVE\DRIVERS\connctfy.sys [x]

R3 cpuz136;cpuz136;c:\windows\TEMP\cpuz136\cpuz136_x64.sys;c:\windows\TEMP\cpuz136\cpuz136_x64.sys [x]

R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]

R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys;c:\windows\SYSNATIVE\epmntdrv.sys [x]

R3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\DRIVERS\GenBus.sys;c:\windows\SYSNATIVE\DRIVERS\GenBus.sys [x]

R3 EST_Server;Network USB Device;c:\windows\system32\DRIVERS\GenHC.sys;c:\windows\SYSNATIVE\DRIVERS\GenHC.sys [x]

R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys;c:\windows\SYSNATIVE\EuGdiDrv.sys [x]

R3 FACAP;facap, FastAccess Video Capture;c:\windows\system32\DRIVERS\facap.sys;c:\windows\SYSNATIVE\DRIVERS\facap.sys [x]

R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys;c:\windows\SYSNATIVE\DRIVERS\ggflt.sys [x]

R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys;c:\windows\SYSNATIVE\DRIVERS\ivusb.sys [x]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys;c:\windows\SYSNATIVE\DRIVERS\LEqdUsb.Sys [x]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys;c:\windows\SYSNATIVE\DRIVERS\LHidEqd.Sys [x]

R3 MosIrUsb;MosIrUsb.sys;c:\windows\system32\DRIVERS\MosIrUsb.sys;c:\windows\SYSNATIVE\DRIVERS\MosIrUsb.sys [x]

R3 NANMp50;NANMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NANMp50.sys;c:\windows\SYSNATIVE\Drivers\NANMp50.sys [x]

R3 NANSp50;NANSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NANSp50.sys;c:\windows\SYSNATIVE\Drivers\NANSp50.sys [x]

R3 nmwcdnsux64;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsux64.sys;c:\windows\SYSNATIVE\drivers\nmwcdnsux64.sys [x]

R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys;c:\windows\SYSNATIVE\pwdrvio.sys [x]

R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys;c:\windows\SYSNATIVE\pwdspio.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]

R3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys;c:\windows\SYSNATIVE\DRIVERS\RTL8192cu.sys [x]

R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys;c:\windows\SYSNATIVE\DRIVERS\s0016bus.sys [x]

R3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0016mdfl.sys;c:\windows\SYSNATIVE\DRIVERS\s0016mdfl.sys [x]

R3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0016mdm.sys;c:\windows\SYSNATIVE\DRIVERS\s0016mdm.sys [x]

R3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0016mgmt.sys;c:\windows\SYSNATIVE\DRIVERS\s0016mgmt.sys [x]

R3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\DRIVERS\s0016nd5.sys;c:\windows\SYSNATIVE\DRIVERS\s0016nd5.sys [x]

R3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0016obex.sys;c:\windows\SYSNATIVE\DRIVERS\s0016obex.sys [x]

R3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\DRIVERS\s0016unic.sys;c:\windows\SYSNATIVE\DRIVERS\s0016unic.sys [x]

R3 Sony PC Companion;Sony PC Companion;c:\program files (x86)\Sony\Sony PC Companion\PCCService.exe;c:\program files (x86)\Sony\Sony PC Companion\PCCService.exe [x]

R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys;c:\windows\SYSNATIVE\DRIVERS\tap0801.sys [x]

R3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\DRIVERS\tapoas.sys;c:\windows\SYSNATIVE\DRIVERS\tapoas.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 USB_Ethernet_Adaptor;USB to Ethernet Adapter;c:\windows\system32\DRIVERS\USB_Ethernet_Adaptor.sys;c:\windows\SYSNATIVE\DRIVERS\USB_Ethernet_Adaptor.sys [x]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetAdp.sys [x]

R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetFlt.sys [x]

R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys;c:\windows\SYSNATIVE\Drivers\VBoxUSB.sys [x]

R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys;c:\windows\SYSNATIVE\DRIVERS\vpcuxd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]

R4 CronService;Cron Service for Prey;c:\program files\Prey\platform\windows\cronsvc.exe;c:\program files\Prey\platform\windows\cronsvc.exe [x]

R4 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [x]

R4 InstallFilterService;FF Install Filter Service;c:\program files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe;c:\program files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe [x]

R4 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]

R4 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [x]

S0 aswRvrt;aswRvrt; [x]

S0 aswVmm;aswVmm; [x]

S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS;c:\windows\SYSNATIVE\DRIVERS\EMSC.SYS [x]

S0 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys;c:\windows\SYSNATIVE\DRIVERS\johci.sys [x]

S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdflt.sys;c:\windows\SYSNATIVE\DRIVERS\stdflt.sys [x]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\program files\HWiNFO64\HWiNFO64A.SYS;c:\program files\HWiNFO64\HWiNFO64A.SYS [x]

S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxDrv.sys [x]

S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxUSBMon.sys [x]

S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2010/05/20 17:39];c:\program files (x86)\CyberLink\PowerDVD8\000.fcl;c:\program files (x86)\CyberLink\PowerDVD8\000.fcl [x]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]

S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys;c:\windows\SYSNATIVE\drivers\cpuz135_x64.sys [x]

S2 MySQL5;MySQL5;c:\program files\MySQL\MySQL Server 5.5\bin\mysqld --defaults-file=c:\program files\MySQL\MySQL Server 5.5\my.ini MySQL5;c:\program files\MySQL\MySQL Server 5.5\bin\mysqld --defaults-file=c:\program files\MySQL\MySQL Server 5.5\my.ini MySQL5 [x]

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]

S2 NPWService;NPWService;c:\program files (x86)\Generic\Network Printer Wizard\NPWService.exe;c:\program files (x86)\Generic\Network Printer Wizard\NPWService.exe [x]

S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Acceler.sys;c:\windows\SYSNATIVE\DRIVERS\Acceler.sys [x]

S3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys;c:\windows\SYSNATIVE\DRIVERS\bcmvwl64.sys [x]

S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]

S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys;c:\windows\SYSNATIVE\DRIVERS\seehcri.sys [x]

S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys;c:\windows\SYSNATIVE\DRIVERS\teamviewervpn.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-12-05 00:27 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-06 04:31]

.

2013-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-06 04:31]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]

@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"

[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]

2012-07-16 17:06 244688 ----a-w- c:\users\john\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]

@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"

[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]

2012-07-16 17:06 244688 ----a-w- c:\users\john\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]

@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"

[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]

2012-07-16 17:06 244688 ----a-w- c:\users\john\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2013-05-09 08:58 133840 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 164016 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 164016 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 164016 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 164016 ----a-w- c:\users\john\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\HardLinkMenu]

@="{0A479751-02BC-11d3-A855-0004AC2568AA}"

[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568AA}]

2011-06-24 06:03 456704 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHardLink]

@="{0A479751-02BC-11d3-A855-0004AC2568DD}"

[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568DD}]

2011-06-24 06:03 456704 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlaySymbolicLink]

@="{0A479751-02BC-11d3-A855-0004AC2568EE}"

[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568EE}]

2011-06-24 06:03 456704 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-10-17 13307496]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-06 165912]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-06 387608]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-06 365592]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = about:blank

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: DhcpNameServer = 172.16.32.254

FF - ProfilePath - c:\users\john\AppData\Roaming\Mozilla\Firefox\Profiles\p8evg2gy.default\

FF - prefs.js: browser.startup.homepage - about:blank

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MySQL5]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.5\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.5\my.ini\" MySQL5"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]

"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD8\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,dd,c3,1d,c3,84,e6,36,44,8b,5d,0d,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,dd,c3,1d,c3,84,e6,36,44,8b,5d,0d,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0012\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

.

**************************************************************************

.

Completion time: 2013-06-07 02:08:55 - machine was rebooted

ComboFix-quarantined-files.txt 2013-06-06 14:08

ComboFix2.txt 2013-06-06 12:42

ComboFix3.txt 2013-06-06 11:13

.

Pre-Run: 141,314,932,736 bytes free

Post-Run: 141,183,348,736 bytes free

.

- - End Of File - - BE6C56CBB818F92ECB802E4B0D9C1448


Start your system in normal mode.

Uninstall avast! antivirus for the moment.

CF-Script

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

CFScript.txt


Oh! I see what's happening. /john/ should be /thomas/

As seen in the first post.

Can I run the last two processes again, starting with ComboFix as you originally sent?

I'll redirect the CFscript.txt URL to the post with /thomas/ and we should be looking at a better result.

Or have I just shot myself in the foot?

I'm really exhausted as I've been up for two days and can't think straight anymore. It's 3.00am, sorry, but I want to get this done.


CF-Script completed.

-------------------------------------------------------------------------------------

ComboFix 13-06-05.05 - thomas 07/06/2013 3:59.4.2 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.64.1033.18.3997.2654 [GMT 12:00]

Running from: c:\users\thomas\Desktop\ComboFix.exe

Command switches used :: c:\users\thomas\Desktop\CFScript-2.txt

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2013-05-06 to 2013-06-06 )))))))))))))))))))))))))))))))

.

.

2013-06-06 16:07 . 2013-06-06 16:07 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-06-06 16:07 . 2013-06-06 16:07 -------- d-----w- c:\users\Cathie\AppData\Local\temp

2013-06-06 16:07 . 2013-06-06 16:07 -------- d-----w- c:\users\BenchMark\AppData\Local\temp

2013-06-06 16:07 . 2013-06-06 16:07 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2013-06-06 16:07 . 2013-06-06 16:07 -------- d-----w- c:\users\Administrator.alien51\AppData\Local\temp

2013-06-06 16:07 . 2013-06-06 16:07 -------- d-----w- c:\users\Admin\AppData\Local\temp

2013-06-06 16:00 . 2013-06-06 16:00 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{229FE882-719A-4BC9-8CC5-9BA3D98C54DF}\offreg.dll

2013-06-06 15:44 . 2013-06-06 15:44 -------- d-s---w- c:\windows\SysWow64\Microsoft

2013-06-02 15:10 . 2013-04-05 06:50 2647552 ----a-w- c:\windows\system32\iertutil.dll

2013-06-02 15:09 . 2013-02-27 05:52 14172672 ----a-w- c:\windows\system32\shell32.dll

2013-06-02 15:09 . 2013-02-27 05:52 197120 ----a-w- c:\windows\system32\shdocvw.dll

2013-06-02 15:09 . 2013-02-27 05:48 1930752 ----a-w- c:\windows\system32\authui.dll

2013-06-02 15:09 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe

2013-06-02 15:09 . 2013-02-27 05:47 70144 ----a-w- c:\windows\system32\appinfo.dll

2013-06-02 15:09 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\SysWow64\authui.dll

2013-06-02 15:09 . 2013-03-19 05:53 48640 ----a-w- c:\windows\system32\wwanprotdim.dll

2013-06-02 15:09 . 2013-03-19 05:53 230400 ----a-w- c:\windows\system32\wwansvc.dll

2013-06-02 15:09 . 2013-04-10 03:30 3153920 ----a-w- c:\windows\system32\win32k.sys

2013-06-01 06:01 . 2002-07-23 00:17 225280 ----a-w- c:\windows\USBT610phmgunin.exe

2013-06-01 06:01 . 2013-06-01 06:01 -------- d-----w- c:\users\thomas\AppData\Roaming\MobileAction

2013-05-31 02:25 . 2009-06-03 18:36 180224 ----a-w- c:\windows\SysWow64\imsised.exe

2013-05-31 02:25 . 2005-12-14 00:15 49152 ----a-w- c:\windows\SysWow64\WDec3.ocx

2013-05-31 02:25 . 2013-05-31 02:25 -------- d-----w- c:\windows\SysWow64\aspi

2013-05-31 02:25 . 2005-06-12 17:02 166600 ----a-w- c:\windows\SysWow64\msmask32.ocx

2013-05-31 02:25 . 2005-06-12 17:02 198848 ----a-w- c:\windows\SysWow64\MCI32.OCX

2013-05-31 02:25 . 2013-05-31 02:25 -------- d-----w- c:\program files (x86)\intelliScore Ensemble WAV to MIDI Converter Demo

2013-05-31 02:11 . 2013-05-31 02:11 -------- d-----w- c:\program files (x86)\Audacity

2013-05-23 10:16 . 2013-04-11 23:41 237840 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys

2013-05-23 10:16 . 2013-04-11 23:40 120080 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys

2013-05-23 10:16 . 2013-05-23 10:16 -------- d-----w- c:\program files\Oracle

2013-05-18 15:20 . 2013-05-18 15:20 -------- d-----w- c:\program files (x86)\Winamp Detect

2013-05-15 03:31 . 2013-05-15 03:31 -------- d-----w- c:\programdata\Cisco Systems

2013-05-15 01:37 . 2013-05-26 00:39 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird

2013-05-10 23:21 . 2013-05-10 23:21 -------- d-----w- c:\program files (x86)\Common Files\Java

2013-05-10 23:20 . 2013-05-10 23:20 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2013-05-08 04:41 . 2013-05-08 04:41 -------- d-sh--w- c:\users\thomas\AppData\Local\ms-drivers

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-06-05 08:11 . 2011-06-18 23:33 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2013-06-02 15:19 . 2010-03-30 09:27 75016696 ----a-w- c:\windows\system32\MRT.exe

2013-05-22 23:11 . 2011-11-25 02:46 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-05-22 23:11 . 2011-03-18 02:27 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-05-10 23:20 . 2012-10-22 11:18 866720 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2013-05-10 23:20 . 2010-07-08 13:04 788896 ----a-w- c:\windows\SysWow64\deployJava1.dll

2013-05-09 08:58 . 2012-02-27 23:27 287840 ----a-w- c:\windows\system32\aswBoot.exe

2013-05-08 07:49 . 2011-03-28 06:36 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2013-05-02 15:29 . 2010-03-30 05:27 278800 ------w- c:\windows\system32\MpSigStub.exe

2013-04-13 05:49 . 2013-06-02 15:09 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2013-04-13 05:49 . 2013-06-02 15:09 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll

2013-04-13 05:49 . 2013-06-02 15:09 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2013-04-13 05:49 . 2013-06-02 15:09 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll

2013-04-13 04:45 . 2013-06-02 15:09 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-04-13 04:45 . 2013-06-02 15:09 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-04-12 14:45 . 2013-04-24 05:05 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-04-04 02:50 . 2011-05-31 16:13 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-27 01:22 . 2013-03-27 01:22 1054720 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe

2013-03-27 01:22 . 2013-03-27 01:22 226304 ----a-w- c:\windows\system32\elshyph.dll

2013-03-27 01:22 . 2013-03-27 01:22 185344 ----a-w- c:\windows\SysWow64\elshyph.dll

2013-03-27 01:22 . 2013-03-27 01:22 158720 ----a-w- c:\windows\SysWow64\msls31.dll

2013-03-27 01:22 . 2013-03-27 01:22 719360 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll

2013-03-27 01:22 . 2013-03-27 01:22 523264 ----a-w- c:\windows\SysWow64\vbscript.dll

2013-03-27 01:22 . 2013-03-27 01:22 150528 ----a-w- c:\windows\SysWow64\iexpress.exe

2013-03-27 01:22 . 2013-03-27 01:22 138752 ----a-w- c:\windows\SysWow64\wextract.exe

2013-03-27 01:22 . 2013-03-27 01:22 137216 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2013-03-27 01:22 . 2013-03-27 01:22 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe

2013-03-27 01:22 . 2013-03-27 01:22 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll

2013-03-27 01:22 . 2013-03-27 01:22 38400 ----a-w- c:\windows\SysWow64\imgutil.dll

2013-03-27 01:22 . 2013-03-27 01:22 12800 ----a-w- c:\windows\SysWow64\mshta.exe

2013-03-27 01:22 . 2013-03-27 01:22 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll

2013-03-27 01:22 . 2013-03-27 01:22 61952 ----a-w- c:\windows\SysWow64\tdc.ocx

2013-03-27 01:22 . 2013-03-27 01:22 361984 ----a-w- c:\windows\SysWow64\html.iec

2013-03-27 01:22 . 2013-03-27 01:22 23040 ----a-w- c:\windows\SysWow64\licmgr10.dll

2013-03-27 01:22 . 2013-03-27 01:22 1441280 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2013-03-27 01:22 . 2013-03-27 01:22 216064 ----a-w- c:\windows\system32\msls31.dll

2013-03-27 01:22 . 2013-03-27 01:22 197120 ----a-w- c:\windows\system32\msrating.dll

2013-03-27 01:22 . 2013-03-27 01:22 441856 ----a-w- c:\windows\system32\html.iec

2013-03-27 01:22 . 2013-03-27 01:22 97280 ----a-w- c:\windows\system32\mshtmled.dll

2013-03-27 01:22 . 2013-03-27 01:22 905728 ----a-w- c:\windows\system32\mshtmlmedia.dll

2013-03-27 01:22 . 2013-03-27 01:22 81408 ----a-w- c:\windows\system32\icardie.dll

2013-03-27 01:22 . 2013-03-27 01:22 762368 ----a-w- c:\windows\system32\ieapfltr.dll

2013-03-27 01:22 . 2013-03-27 01:22 599552 ----a-w- c:\windows\system32\vbscript.dll

2013-03-27 01:22 . 2013-03-27 01:22 452096 ----a-w- c:\windows\system32\dxtmsft.dll

2013-03-27 01:22 . 2013-03-27 01:22 281600 ----a-w- c:\windows\system32\dxtrans.dll

2013-03-27 01:22 . 2013-03-27 01:22 27648 ----a-w- c:\windows\system32\licmgr10.dll

2013-03-27 01:22 . 2013-03-27 01:22 270848 ----a-w- c:\windows\system32\iedkcs32.dll

2013-03-27 01:22 . 2013-03-27 01:22 247296 ----a-w- c:\windows\system32\webcheck.dll

2013-03-27 01:22 . 2013-03-27 01:22 235008 ----a-w- c:\windows\system32\url.dll

2013-03-27 01:22 . 2013-03-27 01:22 167424 ----a-w- c:\windows\system32\iexpress.exe

2013-03-27 01:22 . 2013-03-27 01:22 1509376 ----a-w- c:\windows\system32\inetcpl.cpl

2013-03-27 01:22 . 2013-03-27 01:22 144896 ----a-w- c:\windows\system32\wextract.exe

2013-03-27 01:22 . 2013-03-27 01:22 1400416 ----a-w- c:\windows\system32\ieapfltr.dat

2013-03-27 01:22 . 2013-03-27 01:22 102912 ----a-w- c:\windows\system32\inseng.dll

2013-03-27 01:22 . 2013-03-27 01:22 173568 ----a-w- c:\windows\system32\ieUnatt.exe

2013-03-27 01:22 . 2013-03-27 01:22 92160 ----a-w- c:\windows\system32\SetIEInstalledDate.exe

2013-03-27 01:22 . 2013-03-27 01:22 62976 ----a-w- c:\windows\system32\pngfilt.dll

2013-03-27 01:22 . 2013-03-27 01:22 52224 ----a-w- c:\windows\system32\msfeedsbs.dll

2013-03-27 01:22 . 2013-03-27 01:22 51200 ----a-w- c:\windows\system32\imgutil.dll

2013-03-27 01:22 . 2013-03-27 01:22 48640 ----a-w- c:\windows\system32\mshtmler.dll

2013-03-27 01:22 . 2013-03-27 01:22 149504 ----a-w- c:\windows\system32\occache.dll

2013-03-27 01:22 . 2013-03-27 01:22 13824 ----a-w- c:\windows\system32\mshta.exe

2013-03-27 01:22 . 2013-03-27 01:22 136192 ----a-w- c:\windows\system32\iepeers.dll

2013-03-27 01:22 . 2013-03-27 01:22 135680 ----a-w- c:\windows\system32\IEAdvpack.dll

2013-03-27 01:22 . 2013-03-27 01:22 12800 ----a-w- c:\windows\system32\msfeedssync.exe

2013-03-27 01:22 . 2013-03-27 01:22 77312 ----a-w- c:\windows\system32\tdc.ocx

2013-03-19 06:04 . 2013-04-11 11:14 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-19 05:46 . 2013-04-11 11:14 43520 ----a-w- c:\windows\system32\csrsrv.dll

2013-03-19 05:04 . 2013-04-11 11:14 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2013-03-19 05:04 . 2013-04-11 11:14 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2013-03-19 04:47 . 2013-04-11 11:14 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll

2013-03-19 03:06 . 2013-04-11 11:14 112640 ----a-w- c:\windows\system32\smss.exe

2013-03-15 06:14 . 2013-03-15 06:14 131856 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]

@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"

[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]

2012-07-16 17:06 220632 ----a-w- c:\users\thomas\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]

@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"

[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]

2012-07-16 17:06 220632 ----a-w- c:\users\thomas\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]

@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"

[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]

2012-07-16 17:06 220632 ----a-w- c:\users\thomas\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\SkyDriveShell.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 130736 ----a-w- c:\users\thomas\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 130736 ----a-w- c:\users\thomas\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 130736 ----a-w- c:\users\thomas\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 130736 ----a-w- c:\users\thomas\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

.

c:\users\Cathie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [N/A]

OpenOffice.org 3.4.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [N/A]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-1 1079584]

Monitor Apache Servers.lnk - c:\program files (x86)\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2010-3-4 41051]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

R0 AFS;AFS; [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R3 Apache2.2;Apache2.2;c:\program files (x86)\Apache Software Foundation\Apache2.2\bin\httpd.exe;c:\program files (x86)\Apache Software Foundation\Apache2.2\bin\httpd.exe [x]

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys;c:\windows\SYSNATIVE\drivers\btusbflt.sys [x]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]

R3 connctfy;Connectify Service;c:\windows\system32\DRIVERS\connctfy.sys;c:\windows\SYSNATIVE\DRIVERS\connctfy.sys [x]

R3 connctfyMP;connctfyMP;c:\windows\system32\DRIVERS\connctfy.sys;c:\windows\SYSNATIVE\DRIVERS\connctfy.sys [x]

R3 cpuz136;cpuz136;c:\windows\TEMP\cpuz136\cpuz136_x64.sys;c:\windows\TEMP\cpuz136\cpuz136_x64.sys [x]

R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]

R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys;c:\windows\SYSNATIVE\epmntdrv.sys [x]

R3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\DRIVERS\GenBus.sys;c:\windows\SYSNATIVE\DRIVERS\GenBus.sys [x]

R3 EST_Server;Network USB Device;c:\windows\system32\DRIVERS\GenHC.sys;c:\windows\SYSNATIVE\DRIVERS\GenHC.sys [x]

R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys;c:\windows\SYSNATIVE\EuGdiDrv.sys [x]

R3 FACAP;facap, FastAccess Video Capture;c:\windows\system32\DRIVERS\facap.sys;c:\windows\SYSNATIVE\DRIVERS\facap.sys [x]

R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys;c:\windows\SYSNATIVE\DRIVERS\ggflt.sys [x]

R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys;c:\windows\SYSNATIVE\DRIVERS\ivusb.sys [x]

R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys;c:\windows\SYSNATIVE\DRIVERS\LEqdUsb.Sys [x]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys;c:\windows\SYSNATIVE\DRIVERS\LHidEqd.Sys [x]

R3 MosIrUsb;MosIrUsb.sys;c:\windows\system32\DRIVERS\MosIrUsb.sys;c:\windows\SYSNATIVE\DRIVERS\MosIrUsb.sys [x]

R3 NANMp50;NANMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NANMp50.sys;c:\windows\SYSNATIVE\Drivers\NANMp50.sys [x]

R3 NANSp50;NANSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NANSp50.sys;c:\windows\SYSNATIVE\Drivers\NANSp50.sys [x]

R3 nmwcdnsux64;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsux64.sys;c:\windows\SYSNATIVE\drivers\nmwcdnsux64.sys [x]

R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys;c:\windows\SYSNATIVE\pwdrvio.sys [x]

R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys;c:\windows\SYSNATIVE\pwdspio.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]

R3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys;c:\windows\SYSNATIVE\DRIVERS\RTL8192cu.sys [x]

R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys;c:\windows\SYSNATIVE\DRIVERS\s0016bus.sys [x]

R3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0016mdfl.sys;c:\windows\SYSNATIVE\DRIVERS\s0016mdfl.sys [x]

R3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0016mdm.sys;c:\windows\SYSNATIVE\DRIVERS\s0016mdm.sys [x]

R3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0016mgmt.sys;c:\windows\SYSNATIVE\DRIVERS\s0016mgmt.sys [x]

R3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\DRIVERS\s0016nd5.sys;c:\windows\SYSNATIVE\DRIVERS\s0016nd5.sys [x]

R3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0016obex.sys;c:\windows\SYSNATIVE\DRIVERS\s0016obex.sys [x]

R3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\DRIVERS\s0016unic.sys;c:\windows\SYSNATIVE\DRIVERS\s0016unic.sys [x]

R3 Sony PC Companion;Sony PC Companion;c:\program files (x86)\Sony\Sony PC Companion\PCCService.exe;c:\program files (x86)\Sony\Sony PC Companion\PCCService.exe [x]

R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys;c:\windows\SYSNATIVE\DRIVERS\tap0801.sys [x]

R3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\DRIVERS\tapoas.sys;c:\windows\SYSNATIVE\DRIVERS\tapoas.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 USB_Ethernet_Adaptor;USB to Ethernet Adapter;c:\windows\system32\DRIVERS\USB_Ethernet_Adaptor.sys;c:\windows\SYSNATIVE\DRIVERS\USB_Ethernet_Adaptor.sys [x]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetAdp.sys [x]

R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetFlt.sys [x]

R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys;c:\windows\SYSNATIVE\Drivers\VBoxUSB.sys [x]

R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys;c:\windows\SYSNATIVE\DRIVERS\vpcuxd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]

R4 CronService;Cron Service for Prey;c:\program files\Prey\platform\windows\cronsvc.exe;c:\program files\Prey\platform\windows\cronsvc.exe [x]

R4 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [x]

R4 InstallFilterService;FF Install Filter Service;c:\program files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe;c:\program files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe [x]

R4 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]

R4 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [x]

S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS;c:\windows\SYSNATIVE\DRIVERS\EMSC.SYS [x]

S0 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys;c:\windows\SYSNATIVE\DRIVERS\johci.sys [x]

S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdflt.sys;c:\windows\SYSNATIVE\DRIVERS\stdflt.sys [x]

S1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\program files\HWiNFO64\HWiNFO64A.SYS;c:\program files\HWiNFO64\HWiNFO64A.SYS [x]

S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxDrv.sys [x]

S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxUSBMon.sys [x]

S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2010/05/20 17:39];c:\program files (x86)\CyberLink\PowerDVD8\000.fcl;c:\program files (x86)\CyberLink\PowerDVD8\000.fcl [x]

S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys;c:\windows\SYSNATIVE\drivers\cpuz135_x64.sys [x]

S2 MySQL5;MySQL5;c:\program files\MySQL\MySQL Server 5.5\bin\mysqld --defaults-file=c:\program files\MySQL\MySQL Server 5.5\my.ini MySQL5;c:\program files\MySQL\MySQL Server 5.5\bin\mysqld --defaults-file=c:\program files\MySQL\MySQL Server 5.5\my.ini MySQL5 [x]

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]

S2 NPWService;NPWService;c:\program files (x86)\Generic\Network Printer Wizard\NPWService.exe;c:\program files (x86)\Generic\Network Printer Wizard\NPWService.exe [x]

S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Acceler.sys;c:\windows\SYSNATIVE\DRIVERS\Acceler.sys [x]

S3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys;c:\windows\SYSNATIVE\DRIVERS\bcmvwl64.sys [x]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]

S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys;c:\windows\SYSNATIVE\DRIVERS\seehcri.sys [x]

S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys;c:\windows\SYSNATIVE\DRIVERS\teamviewervpn.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-12-05 00:27 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-06 04:31]

.

2013-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-06 04:31]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]

@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"

[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]

2012-07-16 17:06 244688 ----a-w- c:\users\thomas\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]

@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"

[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]

2012-07-16 17:06 244688 ----a-w- c:\users\thomas\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]

@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"

[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]

2012-07-16 17:06 244688 ----a-w- c:\users\thomas\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64\SkyDriveShell64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 164016 ----a-w- c:\users\thomas\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 164016 ----a-w- c:\users\thomas\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 164016 ----a-w- c:\users\thomas\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2013-04-04 22:12 164016 ----a-w- c:\users\thomas\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\HardLinkMenu]

@="{0A479751-02BC-11d3-A855-0004AC2568AA}"

[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568AA}]

2011-06-24 06:03 456704 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHardLink]

@="{0A479751-02BC-11d3-A855-0004AC2568DD}"

[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568DD}]

2011-06-24 06:03 456704 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlaySymbolicLink]

@="{0A479751-02BC-11d3-A855-0004AC2568EE}"

[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568EE}]

2011-06-24 06:03 456704 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-10-17 13307496]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-06 165912]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-06 387608]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-06 365592]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = about:blank

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: DhcpNameServer = 172.16.32.254

FF - ProfilePath - c:\users\thomas\AppData\Roaming\Mozilla\Firefox\Profiles\p8evg2gy.default\

FF - prefs.js: browser.startup.homepage - about:blank

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MySQL5]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.5\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.5\my.ini\" MySQL5"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]

"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD8\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0012\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-06-07 04:11:19

ComboFix-quarantined-files.txt 2013-06-06 16:11

ComboFix2.txt 2013-06-06 14:08

ComboFix3.txt 2013-06-06 12:42

ComboFix4.txt 2013-06-06 11:13

.

Pre-Run: 140,585,709,568 bytes free

Post-Run: 140,460,068,864 bytes free

.

- - End Of File - - B473586DD50241DBE09BCA2F17293B7C

Fine, no more malware. Hope it left no damage...

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.

Thank you very much for all your support and help.

Notebook seems to function OK. MS Updates work and install.

Guess I have a few passwords to change. :-(

Any other considerations?

--------------------------------------------------------

Farbar Service Scanner Version: 31-05-2013 01

Ran by thomas (administrator) on 07-06-2013 at 10:51:20

Running from "C:\Users\thomas\Desktop"

Windows 7 Professional Service Pack 1 (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Attempt to access Yahoo IP returned error. Yahoo IP is offline

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Action Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

Other Services:

==============

File Check:

========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcore.dll => MD5 is legit

C:\Windows\System32\drivers\afd.sys => MD5 is legit

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

C:\Windows\System32\mpssvc.dll => MD5 is legit

C:\Windows\System32\bfe.dll => MD5 is legit

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll => MD5 is legit

C:\Windows\System32\vssvc.exe => MD5 is legit

C:\Windows\System32\wscsvc.dll => MD5 is legit

C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\System32\wuaueng.dll => MD5 is legit

C:\Windows\System32\qmgr.dll => MD5 is legit

C:\Windows\System32\es.dll => MD5 is legit

C:\Windows\System32\cryptsvc.dll => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

We're not finished yet:

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Hi Marius,

Some of the Android 'threats' found in a backup folder are those of a root-enabling application for an Android TV box (Android box connected to the TV via HDMI/Ethernet/WiFi).

I believe these show up because of the way they exploit an Android system weakness to grant root access.

That said Android/Exploit.RageCage.A doesn't sound good.

These are shown as:

C:\Users\thomas\Downloads\Android\FV-1 SDCard Backup\.....

----------------------------------------------------------------

ESET scan results

C:\Program Files\QuickMediaConverter\AskInstallChecker.exe a variant of Win32/Bundled.Toolbar.Ask application

C:\Program Files\QuickMediaConverter\askToolbarInstaller.exe a variant of Win32/Bundled.Toolbar.Ask.A application

C:\Program Files (x86)\FoxTabFLVPlayer\FLVPlayer.exe a variant of Win32/InstallCore.A application

C:\ProgramData\Ask\APN-Stub\PTV\APNIC.dll a variant of Win32/Bundled.Toolbar.Ask application

C:\ProgramData\Ask\APN-Stub\PTV\BIT7F9C.tmp a variant of Win32/Bundled.Toolbar.Ask application

C:\Users\All Users\Ask\APN-Stub\PTV\APNIC.dll a variant of Win32/Bundled.Toolbar.Ask application

C:\Users\All Users\Ask\APN-Stub\PTV\BIT7F9C.tmp a variant of Win32/Bundled.Toolbar.Ask application

C:\Users\thomas\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\1a23e75-73c19bfd multiple threats

C:\Users\thomas\Downloads\KMPlayer_EN_3.3.0.33.exe a variant of Win32/Bundled.Toolbar.Ask.C application

C:\Users\thomas\Downloads\Android\FV-1 SDCard Backup\SDCard1\.bak\app-bak\com.z4mod.z4root.apk multiple threats

C:\Users\thomas\Downloads\Android\FV-1 SDCard Backup\SDCard1\ApkExtractor\com.z4mod.z4root_1.3.0.apk multiple threats

C:\Users\thomas\Downloads\Android\FV-1 SDCard Backup\SDCard1\AppManager\z4root.1.3.0.apk multiple threats

C:\Users\thomas\Downloads\Android\FV-1 SDCard Backup\SDCard1\backups\bck1\com.z4mod.z4root-20120223-001127.tar.gz Android/Exploit.RageCage.A trojan

C:\Users\thomas\Downloads\Android\FV-1 SDCard Backup\SDCard1\backups\bck1\com.z4mod.z4root-46965bd41dac0e4988515aa2f9f95b19.apk.gz multiple threats

C:\Users\thomas\Downloads\Android\FV-1 SDCard Backup\SDCard1\LOST.DIR\1026997 multiple threats

C:\Users\thomas\Downloads\Sony Ericsson Update\FlashTool_0.2.9.1-GBready_root_xRec\custom\root\givmeroot.tar Android/Exploit.Lotoor.AK trojan

C:\Users\thomas\My Mobile\sdDisk Backup\Documents\Network.zip probably a variant of Win32/Agent.DHSWRZH trojan

C:\Users\thomas\My Mobile\Sony Ericsson X10i\sdCard 16GB\Documents\Network.zip probably a variant of Win32/Agent.DHSWRZH trojan

C:\Users\thomas\My Mobile\Sony Ericsson X10i\sdCard 16GB\Download\MyPhoneExplorer_Setup_1.8.2.exe multiple threats

C:\Users\thomas\Portege\Data\Thomas.LAPTOP\Downloads\Toshiba\Driver\DriverRobot_Setup.exe Win32/Adware.DriverRobot application

-----------------------------------------------------------------------------

Scanning on other desktop PC for possible problems and ESET notes:

Win32/DownloadAdmin.G application.

The PC is part of a multi-OS boot system (Win7, Win8, Ubuntu etc.) and on the WinXP boot disk the above was noted.

I hardly ever log into the WinXP system, so I'm not sure how long that's been there.

The Win7 boot disk has a couple of Win32/Bundled.Toolbar.Ask applications which don't get picked up by MBAM or Avast.

TeraByte disk, so the scan of that box/system(s) is still ongoing at this time.

Desktop Win7 (Win7, WinXP and Win8) PC - No, I don't have Avira AntiVir installed and active, just Avast at the moment. I did have MS Security Essentials, but am now adopting Avast. I believe the 'old' WinXP boot disk noted as D:\ is still running MS Security Essentials.

I can download and install Avira AntiVir if requested.

Win7 Notebook which noted 0Access - Was running MS Security Essentials when the virus deleted it.

The following is the scan of the desktop PC using the ESET online scan with no virus removal. This is not the notebook that had the 0Access virus noted.

d:\ is a WinXP physical disk

c:\ is a Win7 partition system disk

Win8 partition doesn't have any viruses, which is probably good publicity for Win8 :-)

F:\ and H:\ are just assorted data partitions.

C:\Program Files\Tools\QuickMediaConverter\ApnIC.dll a variant of Win32/Bundled.Toolbar.Ask application

C:\Program Files\Tools\QuickMediaConverter\ApnToolbarInstaller.exe a variant of Win32/Bundled.Toolbar.Ask application

D:\Documents and Settings\John Frazer\Local Settings\Temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask application

D:\Documents and Settings\John Frazer\My Documents\Downloads\amazingmidi-setup.exe Win32/DownloadAdmin.G application

D:\Documents and Settings\Thomas\My Documents\Downloads\SDcard32\com.z4mod.z4root-2.apk multiple threats

F:\20120303\20120303-2\Backup\Dim4600Backup\Download\media\KMPlayer\kmp.exe a variant of Win32/Bundled.Toolbar.Ask application

F:\20120303\20120303-2\Backup\Dim4600Backup\Download\media\KMPlayer\kmp3 a variant of Win32/Bundled.Toolbar.Ask application

F:\20120303\20120303-2\Backup\Dim4600Backup\Download\media\KMPlayer\The_KMPlayer_1435.exe a variant of Win32/Bundled.Toolbar.Ask.A application

F:\20120303\20120303-2\Backup\Dim4600Backup\Download\tools\Hardware Monitor and Tools\cpu-z_1.55-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask application

F:\20120303\20120303-2\Backup\Dim4600Backup\Download\tools\Hardware Monitor and Tools\hwmonitor_1.16-setup.exe multiple threats

F:\20120303\20120303-2\Backup\Dim4600Backup\Download\tools\SystemTools\speedupmypc3plc.exe multiple threats

F:\20120303\20120303-2\Backup\Dim4600Backup\Download\WinZip\BitZipperH2009.v3331530.TrialSetup-en-pl-techpro.exe a variant of Win32/InstallIQ application

F:\20120303\20120303-2\Backup\Dim4600Backup\Downloads\media\KMPlayer\The_KMPlayer_1435.exe a variant of Win32/Bundled.Toolbar.Ask.A application

F:\20120303\20120303-2\Backup\Dim4600Backup\Downloads\tools\Hardware Monitor and Tools\cpu-z_1.55-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask application

F:\20120303\20120303-2\Backup\Dim4600Backup\Downloads\tools\Hardware Monitor and Tools\hwmonitor_1.16-setup.exe multiple threats

F:\20120303\20120303-2\Backup\Dim4600Backup\Downloads\WinZip\BitZipperH2009.v3331530.TrialSetup-en-pl-techpro.exe a variant of Win32/InstallIQ application

F:\20120303\20120303-2\Backup\Dim4600Backup\My Network\Install\boson_utilities.exe probably a variant of Win32/Agent.DHSWRZH trojan

F:\20120303\20120303-2\Backup\Dim4600Backup\My Network\Programs\boson_utilities.exe probably a variant of Win32/Agent.DHSWRZH trojan

F:\20120303\20120303-2\Backup\Dim4600Backup\Thomas Portege\Network.zip probably a variant of Win32/Agent.DHSWRZH trojan

F:\20120303\20120303-2\Backup\Dim4600Backup\Thomas Portege\Thomas\Network\Install\boson_utilities.exe probably a variant of Win32/Agent.DHSWRZH trojan

F:\20120303\20120303-2\Backup\Dim4600Backup\Thomas Portege\Thomas\Network\Programs\boson_utilities.exe probably a variant of Win32/Agent.DHSWRZH trojan

F:\20120303\20120303-2\Backup\M11xBackup\Portege\Data\Thomas.LAPTOP.zip Win32/Adware.DriverRobot application

F:\20120303\20120303-2\Backup\M11xBackup\Portege\Data\Thomas.LAPTOP\My Tools\wifi\WirelessKeyView.exe Win32/WirelessKeyView.A application

F:\20120303\20120303-2\F-Drive\Users\Thomas\Downloads\Media\Winamp\winamp5623_full_emusic-7plus_all.exe Win32/OpenCandy application

F:\20120303\20120303-2\RECYCLER\S-1-5-21-752747693-1424697455-2485271045-1005\Dx49\Network.zip probably a variant of Win32/Agent.DHSWRZH trojan

F:\20120303\20120303-2\RECYCLER\S-1-5-21-752747693-1424697455-2485271045-1005\Dx49\Thomas\Network\Programs\boson_utilities.exe probably a variant of Win32/Agent.DHSWRZH trojan

F:\F-Disk\My Documents\My Network\Install\boson_utilities.exe probably a variant of Win32/Agent.DHSWRZH trojan

F:\F-Disk\My Documents\My Network\Programs\boson_utilities.exe probably a variant of Win32/Agent.DHSWRZH trojan

F:\Users\Old Accounts\Thomas - Copy\AppData\Local\Temp\V+fj8Abj.exe.part Win32/OpenCandy application

F:\Users\Old Accounts\Thomas - Copy\Downloads\Sony X10 Root\FlashTool_0.2.9.1-GBready_root_xRec\custom\root\givmeroot.tar Android/Exploit.Lotoor.AK trojan

F:\Users\Thomas\My Mobile\SDCard32\Documents\Network.zip probably a variant of Win32/Agent.DHSWRZH trojan

F:\Users\Thomas\My Mobile\SDCard32\Download\MyPhoneExplorer_Setup_1.8.2.exe multiple threats

H:\Windows.old\Users\Thomas\AppData\Local\Temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask application

# AdwCleaner v2.303 - Logfile created 06/10/2013 at 01:05:02

# Updated 08/06/2013 by Xplode

# Operating system : Windows 7 Professional Service Pack 1 (64 bits)

# User : thomas - MBP410

# Boot Mode : Normal

# Running from : C:\Users\thomas\Downloads\Security\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\END

Folder Deleted : C:\Program Files (x86)\Common Files\Wondershare

Folder Deleted : C:\ProgramData\Ask

Folder Deleted : C:\Users\Administrator.alien51\AppData\Local\Wondershare

Folder Deleted : C:\Users\thomas\AppData\Local\Wondershare

Folder Deleted : C:\Users\thomas\AppData\LocalLow\boost_interprocess

Folder Deleted : C:\Users\thomas\AppData\Roaming\yourfiledownloader

***** [Registry] *****

Key Deleted : HKCU\Software\APN PIP

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\InstallCore

Key Deleted : HKCU\Software\PIP

Key Deleted : HKCU\Software\YahooPartnerToolbar

Key Deleted : HKCU\Software\YourFileDownloader

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}

Key Deleted : HKLM\Software\Babylon

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL

Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS

Key Deleted : HKLM\Software\PIP

Key Deleted : HKLM\Software\YourFileDownloader

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}

***** [internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16576

[OK] Registry is clean.

-\\ Mozilla Firefox v21.0 (en-US)

File : C:\Users\thomas\AppData\Roaming\Mozilla\Firefox\Profiles\bfjygug3.default\prefs.js

[OK] File is clean.

File : C:\Users\thomas\AppData\Roaming\Mozilla\Firefox\Profiles\p8evg2gy.default\prefs.js

[OK] File is clean.

File : C:\Users\Cathie\AppData\Roaming\Mozilla\Firefox\Profiles\627upxcy.default\prefs.js

[OK] File is clean.

File : C:\Users\Administrator.alien51\AppData\Roaming\Mozilla\Firefox\Profiles\jbkn0vca.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v27.0.1453.94

File : C:\Users\thomas\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v12.15.1748.0

File : C:\Users\thomas\AppData\Roaming\Opera\Opera\operaprefs.ini

Deleted : application/x-winampx-1.0.0.1=6,,C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll,Winamp A[...]

Deleted : application/x-winampx-1.0.0.1=,0

File : C:\Users\Cathie\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [3009 octets] - [10/06/2013 01:05:02]

########## EOF - C:\AdwCleaner[s1].txt - [3069 octets] ##########

Sorry, didn't see desktop.

The above is the notebook.^^^

The following is the desktop.

# AdwCleaner v2.303 - Logfile created 06/10/2013 at 02:08:43

# Updated 08/06/2013 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)

# User : Thomas - SBP401

# Boot Mode : Normal

# Running from : F:\Users\Thomas\Downloads\Security\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Folder Deleted : F:\Users\Thomas\AppData\Local\Zoom_Downloader

***** [Registry] *****

Key Deleted : HKCU\Software\APN PIP

Key Deleted : HKCU\Software\PIP

Key Deleted : HKLM\Software\PIP

Key Deleted : HKLM\SOFTWARE\Software

***** [internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16576

[OK] Registry is clean.

-\\ Mozilla Firefox v21.0 (en-US)

File : F:\Users\John.SBP401\AppData\Roaming\Mozilla\Firefox\Profiles\dpx0954h.default\prefs.js

[OK] File is clean.

File : F:\Users\Thomas\AppData\Roaming\Mozilla\Firefox\Profiles\9q7wlocd.default\prefs.js

F:\Users\Thomas\AppData\Roaming\Mozilla\Firefox\Profiles\9q7wlocd.default\user.js ... Deleted !

[OK] File is clean.

File : F:\Users\Cathie\AppData\Roaming\Mozilla\Firefox\Profiles\eq4r0a4w.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v24.0.1312.2

File : F:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v12.15.1748.0

File : F:\Users\Thomas\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [1481 octets] - [10/06/2013 02:08:43]

########## EOF - F:\AdwCleaner[s1].txt - [1541 octets] ##########
