LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:26
Reviews:
·Comcast

1 recommendation

reply to nethog

Re: [Rootkit] rootkit virus? - Nethog Post 1 of 2

The MBAM reboot was due to an upgrade to the most current version. That may have affected the removal.

Run MBAM again, removing anything it finds, and post the new log in this thread.

If no log shows up, click the 'Log' tab in MBAM. That will give you a list of all logs stored. Double-clicking on any log will open it so you can copy and paste.
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum


nethog

join:2006-12-08
Canton, MI

Ok I reran MBAM, clicked "remove", rebooted and looked in the MBAM log area. I notice there is an mbam-log file and 2 protection-log files associated with this last run. I see that the second protection log is being updated even as I am typing this message basically ALLOWing the trojan "svchost.exe"! All three files posted below:

mbam-log:
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.13.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Andrew :: LAPTOP [administrator]

9/12/2012 10:34:45 PM
mbam-log-2012-09-12 (22-34-45).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 569612
Time elapsed: 2 hour(s), 2 minute(s), 10 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 5440 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)

First protection-log:
2012/09/12 05:29:57 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:32:00 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:32:17 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:42:31 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:43:02 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:45:19 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:47:56 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:56:10 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 05:56:25 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:45:16 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:53:39 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:54:20 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:55:17 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:56:12 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 14:59:44 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 15:01:03 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 15:01:45 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 15:03:27 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 15:58:07 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 15:59:43 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 16:01:33 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 16:28:17 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 16:29:02 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 17:16:32 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 17:19:24 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 17:32:10 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 17:33:00 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 17:33:44 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 18:21:42 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 18:44:12 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 18:44:28 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 19:07:03 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 19:07:24 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 19:53:03 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 19:53:38 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 20:13:36 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 20:15:01 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 20:41:03 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 20:41:25 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:21:21 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:22:01 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:23:35 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:23:46 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:34:35 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 21:35:20 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/12 22:34:14 -0400 LAPTOP Andrew MESSAGE Starting database refresh
2012/09/12 22:35:14 -0400 LAPTOP Andrew MESSAGE Database refreshed successfully

Second protection-log:
2012/09/13 01:15:26 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/13 05:28:39 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/13 05:29:02 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/09/13 05:31:45 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
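The protection-log lines above show the real-time shield logging the same file over and over with the action ALLOW, which is why the detection keeps coming back instead of being removed. As an added example that is not part of the original thread and not Malwarebytes' own tooling, the following Python script parses lines in that log format, counts detections by path, threat and action, and flags any svchost.exe that sits outside the System32 or SysWOW64 directory (the real service host lives there; a copy directly under C:\Windows is the kind of placement the scan log above reports). The sample lines are constructed in the thread's format; the QUARANTINE line is assumed for contrast, and the `EXPECTED_SVCHOST_DIRS` set is the example's own assumption.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# One MBAM 1.x protection-log record, in the shape seen in the thread:
#   YYYY/MM/DD HH:MM:SS -0400 HOST USER DETECTION <path> <threat> <action>
# Everything after the record kind is captured as one string and split from
# the right, so a path containing spaces still parses.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) (?P<kind>DETECTION|MESSAGE) (?P<rest>.*)$"
)

# Assumption of this example: where a genuine svchost.exe lives on 64-bit Windows.
EXPECTED_SVCHOST_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Constructed sample in the thread's log format (the QUARANTINE line and the
# junk line are made up to exercise the parser; they are not from the thread).
SAMPLE_LINES = [
    r"2012/09/12 05:29:57 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW",
    r"2012/09/12 05:32:00 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW",
    r"2012/09/12 22:34:14 -0400 LAPTOP Andrew MESSAGE Starting database refresh",
    r"2012/09/12 22:35:14 -0400 LAPTOP Andrew MESSAGE Database refreshed successfully",
    r"2012/09/13 01:15:26 -0400 LAPTOP Andrew DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW",
    r"2012/09/13 01:20:00 -0400 LAPTOP Andrew DETECTION C:\Users\Andrew\Downloads\setup tool.exe PUP.Example QUARANTINE",
    "this line is not a protection-log record",
]


def parse_line(line):
    """Return a dict for a DETECTION record, or None for MESSAGE lines and junk."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("kind") != "DETECTION":
        return None
    # Last two whitespace-separated fields are threat name and action.
    path, threat, action = m.group("rest").rsplit(" ", 2)
    return {"ts": m.group("ts"), "path": path, "threat": threat, "action": action}


def summarize(lines):
    """Count detections per (path, threat, action) triple."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["path"], rec["threat"], rec["action"])] += 1
    return counts


def allowed_detections(lines):
    """Detections the shield logged but did not block (action ALLOW), with counts."""
    return {(p, t): n for (p, t, a), n in summarize(lines).items() if a == "ALLOW"}


def svchost_out_of_place(path):
    """True if the file is named svchost.exe but is not in a legitimate system directory."""
    p = PureWindowsPath(path)
    if p.name.lower() != "svchost.exe":
        return False
    return str(p.parent).lower() not in EXPECTED_SVCHOST_DIRS


def report(lines):
    """Human-readable findings: each ALLOWed detection, annotated if svchost.exe is misplaced."""
    findings = []
    for (path, threat), n in sorted(allowed_detections(lines).items()):
        note = " (svchost.exe outside System32/SysWOW64)" if svchost_out_of_place(path) else ""
        findings.append(f"{n}x ALLOW for {path} [{threat}]{note}")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_LINES):
        print(finding)
```

Run against a real protection log, the count of ALLOW records for one path is the quickest way to see that the shield is only reporting and not blocking; the misplaced-svchost check is a cheap triage heuristic, not a verdict, since a full answer still needs the file's hash and signature.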


LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:26
Reviews:
·Comcast

1 recommendation

reply to nethog

OK. MBAM cleared the trojan. I'm surprised that Combofix did not catch it unless it was recently installed. Time to run Combofix again...

Download ComboFix from one of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.infospyware.net/antimalware/combofix/
 
* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum

nethog

join:2006-12-08
Canton, MI

here is my combofix log:
ComboFix 12-09-13.03 - Andrew 09/13/2012 19:38:50.2.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.2792 [GMT -4:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\PCDr\6032\AddOnDownloaded\06004c97-c212-44da-81de-706b46554efe.dll
c:\programdata\PCDr\6032\AddOnDownloaded\0d03215e-4c16-4ea7-b7d7-805a2556effc.dll
c:\programdata\PCDr\6032\AddOnDownloaded\0d461521-7dbf-4cec-a29e-936c88cdf8c9.dll
c:\programdata\PCDr\6032\AddOnDownloaded\0d85b53c-d766-4bf0-8940-17b534910268.dll
c:\programdata\PCDr\6032\AddOnDownloaded\100c3865-0c76-461b-b2fd-042d6d5fa7f6.dll
c:\programdata\PCDr\6032\AddOnDownloaded\140239b3-d59a-46fa-b856-17682a46cb44.dll
c:\programdata\PCDr\6032\AddOnDownloaded\16837627-a839-41c5-a88f-3a0335128383.dll
c:\programdata\PCDr\6032\AddOnDownloaded\173c4dd2-e93c-4725-b006-db1d8f465192.dll
c:\programdata\PCDr\6032\AddOnDownloaded\1e0aaf9a-9947-4a7b-b1ae-8a89919438ed.dll
c:\programdata\PCDr\6032\AddOnDownloaded\263d6ac9-4f87-466c-947c-bd9af71d7035.dll
c:\programdata\PCDr\6032\AddOnDownloaded\2ee79d71-badc-46b4-b731-42b15f3cd1c3.dll
c:\programdata\PCDr\6032\AddOnDownloaded\3410f47b-5e8c-47c6-bf2c-234af4121d4c.dll
c:\programdata\PCDr\6032\AddOnDownloaded\378deb7f-049e-4a5e-83b2-5381dcd9e928.dll
c:\programdata\PCDr\6032\AddOnDownloaded\3972fea3-214c-4935-a7d1-96bf66115683.dll
c:\programdata\PCDr\6032\AddOnDownloaded\3a79f062-8f3e-464f-9815-2c45840494ee.dll
c:\programdata\PCDr\6032\AddOnDownloaded\3b1c7acd-5e3e-4459-ab98-5109117e2341.dll
c:\programdata\PCDr\6032\AddOnDownloaded\3e4c86d5-a5c1-4c3f-8fc7-6258992b16c5.dll
c:\programdata\PCDr\6032\AddOnDownloaded\44ddba62-3b58-480f-a775-ae7e9dd9d5df.dll
c:\programdata\PCDr\6032\AddOnDownloaded\4546f2bc-b9d9-4667-abe7-b0bacc90279e.dll
c:\programdata\PCDr\6032\AddOnDownloaded\4804ced5-915b-48a3-a465-b8a5e02714bf.dll
c:\programdata\PCDr\6032\AddOnDownloaded\4818e109-9489-4cd8-9044-44defd8ec187.dll
c:\programdata\PCDr\6032\AddOnDownloaded\493f295d-1a46-46f6-926c-63b474cedab4.dll
c:\programdata\PCDr\6032\AddOnDownloaded\5e1c102f-bfde-420c-87c0-64fe851888e5.dll
c:\programdata\PCDr\6032\AddOnDownloaded\62d1f0b0-bc9a-4f6c-bad7-93b19a91276a.dll
c:\programdata\PCDr\6032\AddOnDownloaded\67c3d4fe-b638-467a-9fe2-c5813ade3330.dll
c:\programdata\PCDr\6032\AddOnDownloaded\6820b110-e483-4f1e-9b48-438f7916f078.dll
c:\programdata\PCDr\6032\AddOnDownloaded\684a43a7-04d5-4797-bc20-4db8a316286c.dll
c:\programdata\PCDr\6032\AddOnDownloaded\6b5978fa-48d7-4309-a523-7e157768c0d8.dll
c:\programdata\PCDr\6032\AddOnDownloaded\6f4fb483-ce30-493a-8cb4-3e530ab1be5b.dll
c:\programdata\PCDr\6032\AddOnDownloaded\7014e871-cc3b-4dec-b82b-bc70222b40ed.dll
c:\programdata\PCDr\6032\AddOnDownloaded\739db3eb-d3cd-4c86-a6ea-01a49984fa3b.dll
c:\programdata\PCDr\6032\AddOnDownloaded\7bd83798-7a02-4f50-83a2-b91cabcbd1f9.dll
c:\programdata\PCDr\6032\AddOnDownloaded\7dbfef1a-6148-4748-a1b3-71627763a45a.dll
c:\programdata\PCDr\6032\AddOnDownloaded\813755dc-2229-47a2-b85b-19d0aaa641c9.dll
c:\programdata\PCDr\6032\AddOnDownloaded\872965c7-08b7-47fc-a74c-ff167590b71a.dll
c:\programdata\PCDr\6032\AddOnDownloaded\8d357f17-07ad-4392-ba06-fb67564c98cd.dll
c:\programdata\PCDr\6032\AddOnDownloaded\934f6059-2d35-4bd9-a130-a17cb5563507.dll
c:\programdata\PCDr\6032\AddOnDownloaded\a4930af9-016c-4915-a740-a3364e7618aa.dll
c:\programdata\PCDr\6032\AddOnDownloaded\a61f44a8-21a3-4c4a-a04b-993dfb73bf96.dll
c:\programdata\PCDr\6032\AddOnDownloaded\a9de0c84-9a7c-4638-9653-13aa8cf56e80.dll
c:\programdata\PCDr\6032\AddOnDownloaded\ae67b364-b69e-471e-b177-2459120b84d4.dll
c:\programdata\PCDr\6032\AddOnDownloaded\b2152f30-7380-4987-8fcf-e4c06952615d.dll
c:\programdata\PCDr\6032\AddOnDownloaded\b2ed8d53-41ce-48e6-b4ac-8b8e5e1a4fdf.dll
c:\programdata\PCDr\6032\AddOnDownloaded\b4cc2a4a-87f5-49cd-935c-18f1a80e65b7.dll
c:\programdata\PCDr\6032\AddOnDownloaded\bbfa36b0-30b0-4e36-8d8c-69df1d87626b.dll
c:\programdata\PCDr\6032\AddOnDownloaded\bc6fc708-5b6b-4a72-b336-09b3089baa7a.dll
c:\programdata\PCDr\6032\AddOnDownloaded\bf647bd7-dfb5-4746-a6b4-b7c2fdbbf3b1.dll
c:\programdata\PCDr\6032\AddOnDownloaded\c4211805-b43b-471d-81af-4e0589f8607b.dll
c:\programdata\PCDr\6032\AddOnDownloaded\c882e61c-ecc2-4db0-9a28-7cbe8bd4876b.dll
c:\programdata\PCDr\6032\AddOnDownloaded\cdda52ec-6ccd-425a-8c72-b7bbdc8b3acd.dll
c:\programdata\PCDr\6032\AddOnDownloaded\d1f4dc82-bc4c-4916-b37c-3ab9c30ae468.dll
c:\programdata\PCDr\6032\AddOnDownloaded\d34c0cf7-889f-43dd-9283-b2b6f442aae3.dll
c:\programdata\PCDr\6032\AddOnDownloaded\daf30858-49d8-434b-b4b1-068b5dc9267c.dll
c:\programdata\PCDr\6032\AddOnDownloaded\ddb9fe5d-525c-4d5d-ac37-0bd10f2864f8.dll
c:\programdata\PCDr\6032\AddOnDownloaded\e45cd45a-4d7c-4802-881f-74582b847e5c.dll
c:\programdata\PCDr\6032\AddOnDownloaded\e9bb45d9-5a2b-47e8-9c48-168276d422cc.dll
c:\programdata\PCDr\6032\AddOnDownloaded\ef78c3e8-1d94-4219-8070-7617e119bba4.dll
c:\programdata\PCDr\6032\AddOnDownloaded\f06c5597-1a85-4d1f-ac16-a6fdd2a6bedc.dll
c:\programdata\PCDr\6032\AddOnDownloaded\f80d4ad1-1fad-43b5-b6f3-347848b5ddd5.dll
c:\programdata\PCDr\6032\AddOnDownloaded\f9dc840b-c6f7-42a5-acec-50cc7a2827fd.dll
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-13 to 2012-09-13 )))))))))))))))))))))))))))))))
.
.
2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\Peter\AppData\Local\temp
2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\Cameron\AppData\Local\temp
2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\Brianna\AppData\Local\temp
2012-09-13 23:50 . 2012-09-13 23:50 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-09-11 00:16 . 2012-09-11 00:16 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-11 00:16 . 2012-09-07 21:04 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-09 11:38 . 2012-09-09 11:38 -------- d-----w- c:\users\Peter\AppData\Local\Google
2012-09-08 19:06 . 2012-09-08 19:06 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-09-08 17:54 . 2012-09-08 17:54 -------- d-----w- c:\program files (x86)\WinDirStat
2012-09-08 14:26 . 2012-08-28 05:49 9310152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{23FE69FC-3850-4F9D-AFB4-2DE3ACB0DC71}\mpengine.dll
2012-09-08 13:44 . 2012-01-04 21:06 8192 ----a-w- c:\windows\system32\drivers\rt2870.bin
2012-09-08 13:44 . 2012-09-08 13:44 -------- d-----w- c:\users\Andrew\AppData\Local\NETGEAR
2012-09-08 13:44 . 2012-09-08 13:44 -------- d-----w- c:\programdata\NETGEAR
2012-09-08 13:43 . 2012-09-08 13:43 -------- d-----w- c:\windows\Downloaded Installations
2012-09-04 21:41 . 2012-09-04 21:41 -------- d-----w- c:\program files (x86)\Microsoft XNA
2012-09-02 18:55 . 2012-09-02 18:55 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-09-02 18:39 . 2012-09-02 18:38 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-09-02 18:38 . 2012-09-02 18:38 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-09-02 18:34 . 2012-09-02 18:34 -------- d-----w- c:\programdata\McAfee
2012-09-01 04:44 . 2012-09-01 04:44 -------- d-----w- c:\programdata\PC-Doctor for Windows
2012-09-01 04:02 . 2012-09-01 04:02 -------- d-----w- c:\windows\system32\drivers\NSMx64
2012-09-01 04:02 . 2012-09-01 04:02 -------- d-----w- c:\program files (x86)\Norton Online
2012-09-01 04:02 . 2012-09-01 04:02 -------- d-----w- c:\windows\system32\drivers\NOFx64
2012-09-01 03:47 . 2012-09-01 03:47 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2012-09-01 03:28 . 2012-09-01 04:03 -------- d-----w- c:\program files\Symantec
2012-09-01 03:28 . 2012-09-01 04:03 175736 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-09-01 03:26 . 2012-09-01 03:26 -------- d-----w- c:\program files (x86)\Norton Security Suite
2012-09-01 03:26 . 2012-09-01 04:02 -------- d-----w- c:\program files (x86)\NortonInstaller
2012-09-01 01:11 . 2012-09-01 03:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-09-01 01:10 . 2012-09-01 03:39 -------- d-----w- c:\windows\system32\drivers\N360x64
2012-08-30 21:52 . 2012-09-13 23:50 -------- d-----w- c:\users\Andrew\AppData\Local\temp
2012-08-30 02:20 . 2012-09-01 01:57 -------- d-----w- c:\program files (x86)\Sophos
2012-08-14 23:54 . 2012-08-14 23:54 -------- d-----w- c:\users\Peter\AppData\Roaming\QuickScan
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-08 03:59 . 2012-05-21 10:09 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-09-08 03:59 . 2011-05-15 01:59 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-02 18:38 . 2011-05-15 00:31 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-07-03 07:19 . 2011-05-14 19:59 59701280 ----a-w- c:\windows\system32\MRT.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-30_21.49.38 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-08-08 07:26 . 2012-08-12 19:04 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\index.dat
+ 2012-08-08 07:26 . 2012-09-12 21:31 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\index.dat
+ 2012-09-02 18:28 . 2012-09-02 18:28 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
+ 2012-07-29 19:17 . 2012-09-13 21:22 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2012-07-29 19:17 . 2012-08-12 18:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2012-09-02 18:28 . 2012-09-02 18:28 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
+ 2012-09-02 18:28 . 2012-09-02 18:28 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
+ 2012-09-09 19:37 . 2012-09-09 19:38 15360 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CCF2619F-FAB5-11E1-803C-00219BCF4407}.dat
+ 2012-09-07 19:35 . 2012-09-07 19:36 10240 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{385DB477-F923-11E1-91D9-002269C4728E}.dat
+ 2012-09-13 20:25 . 2012-09-13 23:31 15360 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2E97E053-FDE1-11E1-A0A0-00219BCF4407}.dat
+ 2012-09-12 21:31 . 2012-09-12 21:31 17408 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2DCD035E-FD21-11E1-B304-00219BCF4407}.dat
+ 2012-07-29 18:42 . 2012-09-13 23:31 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2010-11-21 03:09 . 2012-09-13 18:46 72600 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-09-13 18:46 51858 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-05-15 00:02 . 2012-09-13 18:46 22318 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1613675080-3381770067-651744427-1004_UserData.bin
+ 2011-05-14 20:05 . 2012-09-09 11:29 12760 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1613675080-3381770067-651744427-1001_UserData.bin
+ 2011-05-14 19:53 . 2006-09-13 09:00 27136 c:\windows\system32\spool\prtprocs\x64\3_CNMPD7O.DLL
+ 2012-01-13 19:40 . 2012-01-13 19:40 14119 c:\windows\system32\RaCoInst.dat
+ 2009-07-14 05:30 . 2012-09-08 13:45 86016 c:\windows\system32\DriverStore\infpub.dat
- 2009-07-14 05:30 . 2012-01-07 13:41 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2012-01-13 19:40 . 2012-01-13 19:40 14119 c:\windows\system32\DriverStore\FileRepository\netr28ux.inf_amd64_neutral_ae671fe85c678215\RaCoInst.dat
+ 2012-09-01 03:31 . 2012-07-06 02:17 37536 c:\windows\system32\drivers\N360x64\0603000.00E\srtspx64.sys
+ 2011-05-14 19:45 . 2012-09-13 23:22 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-14 19:45 . 2012-08-30 21:13 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-08-31 02:09 . 2012-09-13 23:22 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2012-08-14 00:19 . 2012-08-30 21:13 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-30 21:13 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-09-13 23:22 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-14 19:51 . 2011-05-14 20:04 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-14 19:51 . 2012-09-03 14:27 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2012-09-10 20:41 91040 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2011-05-14 19:51 . 2011-05-14 20:04 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-14 19:51 . 2012-09-03 14:27 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-05-14 19:51 . 2011-05-14 20:04 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-14 19:51 . 2012-09-03 14:27 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-09-04 21:41 . 2012-09-04 21:41 98304 c:\windows\assembly\GAC_32\Microsoft.Xna.Framework.Game\3.1.0.0__6d5c3888ef60e27d\Microsoft.Xna.Framework.Game.dll
+ 2012-09-09 17:29 . 2012-09-09 19:37 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DABBE800-FAA3-11E1-803C-00219BCF4407}.dat
+ 2012-09-11 20:52 . 2012-09-11 20:52 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9266E6A9-FC52-11E1-B393-00219BCF4407}.dat
+ 2012-09-02 14:50 . 2012-09-02 14:50 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8400F94C-F50D-11E1-AB47-00219BCF4407}.dat
+ 2012-09-06 23:49 . 2012-09-06 23:49 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{719EAD37-F87D-11E1-B394-002269C4728E}.dat
+ 2012-09-07 19:35 . 2012-09-07 19:35 5632 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{385DB474-F923-11E1-91D9-002269C4728E}.dat
+ 2012-09-13 20:25 . 2012-09-13 20:25 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2E97E052-FDE1-11E1-A0A0-00219BCF4407}.dat
+ 2012-09-12 21:31 . 2012-09-12 22:04 5632 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2DCD035D-FD21-11E1-B304-00219BCF4407}.dat
+ 2012-09-08 20:01 . 2012-09-09 05:03 5632 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0908AA41-F9F0-11E1-8481-00219BCF4407}.dat
+ 2012-09-09 17:29 . 2012-09-09 17:29 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DABBE801-FAA3-11E1-803C-00219BCF4407}.dat
+ 2012-09-12 22:02 . 2012-09-12 22:03 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9B95B4F5-FD25-11E1-B304-00219BCF4407}.dat
+ 2012-09-11 20:52 . 2012-09-11 20:52 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9266E6AA-FC52-11E1-B393-00219BCF4407}.dat
+ 2012-09-02 14:50 . 2012-09-02 14:50 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8400F94D-F50D-11E1-AB47-00219BCF4407}.dat
+ 2012-09-09 05:02 . 2012-09-09 05:02 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8279C7EB-FA3B-11E1-8481-00219BCF4407}.dat
+ 2012-09-06 23:49 . 2012-09-06 23:49 4096 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{719EAD38-F87D-11E1-B394-002269C4728E}.dat
+ 2012-09-07 19:35 . 2012-09-07 19:35 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{385DB475-F923-11E1-91D9-002269C4728E}.dat
+ 2012-09-08 20:01 . 2012-09-08 20:02 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0908AA42-F9F0-11E1-8481-00219BCF4407}.dat
+ 2012-09-09 18:06 . 2012-09-09 18:06 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{030469D0-FAA9-11E1-803C-00219BCF4407}.dat
+ 2011-05-16 02:08 . 2012-09-13 09:20 3214 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2012-09-01 03:31 . 2012-05-15 01:22 8942 c:\windows\system32\drivers\N360x64\0603000.00E\symvtcer.dat
+ 2012-09-13 18:44 . 2012-09-13 18:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-30 21:40 . 2012-08-30 21:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-13 18:44 . 2012-09-13 18:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-30 21:40 . 2012-08-30 21:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-09-08 03:59 . 2012-09-08 03:59 690888 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe
+ 2012-05-21 10:09 . 2012-09-08 03:59 250568 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-09-02 18:39 . 2012-09-02 18:38 246760 c:\windows\SysWOW64\javaws.exe
+ 2012-09-02 18:38 . 2012-09-02 18:38 174056 c:\windows\SysWOW64\javaw.exe
+ 2012-09-02 18:38 . 2012-09-02 18:38 174056 c:\windows\SysWOW64\java.exe
+ 2012-07-29 18:42 . 2012-09-13 23:31 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2012-07-29 18:42 . 2012-08-13 22:08 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2012-08-08 07:27 . 2012-09-02 14:50 393216 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\index.dat
+ 2012-08-30 10:16 . 2012-09-13 23:34 212992 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-09-03 03:56 . 2012-09-03 03:57 245980 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
+ 2012-01-13 19:40 . 2012-01-13 19:40 327008 c:\windows\system32\RaCoInstx.dll
+ 2009-07-14 02:36 . 2012-09-11 00:12 636122 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-09-11 00:12 111664 c:\windows\system32\perfc009.dat
+ 2010-11-21 03:27 . 2012-05-31 16:25 279656 c:\windows\system32\MpSigStub.exe
+ 2012-09-08 03:58 . 2012-09-08 03:58 420552 c:\windows\system32\Macromed\Flash\FlashUtil64_11_4_402_265_ActiveX.exe
+ 2009-07-14 04:45 . 2012-09-01 02:06 416528 c:\windows\system32\FNTCACHE.DAT
+ 2009-07-14 05:30 . 2012-09-08 13:45 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2012-01-07 13:41 143360 c:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 05:30 . 2012-09-08 13:44 143360 c:\windows\system32\DriverStore\infstor.dat
- 2009-07-14 05:30 . 2012-01-07 13:39 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2012-01-13 19:40 . 2012-01-13 19:40 327008 c:\windows\system32\DriverStore\FileRepository\netr28ux.inf_amd64_neutral_ae671fe85c678215\RaCoInstx.dll
+ 2012-09-01 04:02 . 2011-11-17 03:38 218232 c:\windows\system32\drivers\NSMx64\0203000.01A\symrdrs.sys
+ 2012-09-01 04:02 . 2011-11-04 23:59 167048 c:\windows\system32\drivers\NOFx64\0203000.007\ccSetx64.sys
+ 2012-09-01 03:31 . 2011-11-17 03:38 405624 c:\windows\system32\drivers\N360x64\0603000.00E\symnets.sys
+ 2012-09-01 03:31 . 2011-08-16 06:51 451192 c:\windows\system32\drivers\N360x64\0603000.00E\symds64.sys
+ 2012-09-01 03:31 . 2012-07-06 02:17 737952 c:\windows\system32\drivers\N360x64\0603000.00E\srtsp64.sys
+ 2012-09-01 03:31 . 2011-11-17 03:17 190072 c:\windows\system32\drivers\N360x64\0603000.00E\ironx64.sys
+ 2012-09-01 03:31 . 2012-06-07 04:43 167072 c:\windows\system32\drivers\N360x64\0603000.00E\ccsetx64.sys
+ 2012-09-08 15:32 . 2012-09-08 15:32 262144 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2012-09-08 15:32 . 2012-09-08 15:32 262144 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2009-07-14 05:01 . 2012-09-13 10:10 386868 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-05-14 21:30 . 2012-09-01 04:05 733008 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1613675080-3381770067-651744427-1001-8192.dat
+ 2012-09-02 18:55 . 2012-09-02 18:55 179200 c:\windows\Installer\11b35aa.msi
+ 2012-09-01 01:30 . 2012-09-13 23:34 5619712 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-01-13 19:40 . 2012-01-13 19:40 1675840 c:\windows\system32\DriverStore\FileRepository\netr28ux.inf_amd64_neutral_ae671fe85c678215\netr28ux.sys
+ 2012-01-13 19:40 . 2012-01-13 19:40 1675840 c:\windows\system32\drivers\netr28ux.sys
+ 2012-09-01 03:31 . 2012-05-22 01:37 1129120 c:\windows\system32\drivers\N360x64\0603000.00E\symefa64.sys
+ 2012-09-08 05:39 . 2012-09-13 09:21 1956280 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2012-07-30 03:03 . 2012-09-13 10:10 9816552 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
+ 2012-09-08 13:43 . 2012-09-08 13:43 4807168 c:\windows\Installer\759d5c.msi
+ 2012-09-04 21:37 . 2012-09-04 21:37 7671808 c:\windows\Installer\1656b3c.msi
+ 2012-09-08 13:43 . 2012-09-08 13:43 4807168 c:\windows\Downloaded Installations\{441B6121-45DC-4A59-BC38-4E9E55A6A41A}\NETGEAR WNDA4100.msi
+ 2012-09-04 21:41 . 2012-09-04 21:41 1034752 c:\windows\assembly\GAC_32\Microsoft.Xna.Framework\3.1.0.0__6d5c3888ef60e27d\Microsoft.Xna.Framework.dll
+ 2009-07-14 04:54 . 2012-09-13 23:34 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-30 21:12 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-15 04:29 . 2012-09-09 13:38 10209076 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1613675080-3381770067-651744427-1004-8192.dat
+ 2011-05-15 04:29 . 2012-09-13 10:10 46600062 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1613675080-3381770067-651744427-1004-12288.dat
+ 2011-05-14 23:54 . 2012-09-09 12:04 12983476 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1613675080-3381770067-651744427-1001-12288.dat
+ 2012-09-02 18:34 . 2012-09-02 18:34 27545600 c:\windows\Installer\1085b2f.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-09-01 1353080]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Razer Imperator Driver"="c:\program files (x86)\Razer\Imperator\RazerImperatorSysTray.exe" [2011-06-03 979360]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1556560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-08 250568]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\DRIVERS\ae1000w7.sys [2010-03-23 1101600]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\AB3E.tmp [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\system32\drivers\NSMx64\0203000.01A\SymRdrS.SYS [2011-11-17 218232]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-14 1255736]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0603000.00E\SYMDS64.SYS [2011-08-16 451192]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0603000.00E\SYMEFA64.SYS [2012-05-22 1129120]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\BASHDefs\20120905.001\BHDrvx64.sys [2012-08-31 1385120]
S1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\N360x64\0603000.00E\ccSetx64.sys [2012-06-07 167072]
S1 ccSet_NOF;Norton Online Settings Manager;c:\windows\system32\drivers\NOFx64\0203000.007\ccSetx64.sys [2011-11-04 167048]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20120912.001\IDSvia64.sys [2012-09-01 513184]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0603000.00E\Ironx64.SYS [2011-11-17 190072]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0603000.00E\SYMNETS.SYS [2011-11-17 405624]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-07-12 8704]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-07 399432]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-07 676936]
S2 N360;Norton Security Suite;c:\program files (x86)\Norton Security Suite\Engine\6.3.0.14\ccSvcHst.exe [2012-06-16 138272]
S2 NOF;Norton Online;c:\program files (x86)\Norton Online\Engine\2.3.0.7\ccSvcHst.exe [2011-11-30 138248]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-09-01 138912]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-07 25928]
S3 netr28ux;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28ux.sys [2012-01-13 1675840]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-21 03:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1211688]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 415816]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-03 2412616]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-10-15 539456]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.bing.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Dxtory Update Checker 2.0 - c:\program files (x86)\Dxtory Software\Dxtory2.0\UpdateChecker.exe
Wow6432Node-HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\6.3.0.14\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\6.3.0.14\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NOF]
"ImagePath"="\"c:\program files (x86)\Norton Online\Engine\2.3.0.7\ccSvcHst.exe\" /s \"NOF\" /m \"c:\program files (x86)\Norton Online\Engine\2.3.0.7\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\AB3E.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,
7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,
64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,
69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{B8E07826-0971-4F16-B133-047B88034E89}"=hex:51,66,7a,6c,4c,1d,38,12,48,7b,f3,
bc,43,47,78,0a,ce,25,47,3b,8d,5d,0a,9d
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"=hex:51,66,7a,6c,4c,1d,38,12,70,05,61,
f9,ec,d1,23,0d,da,9c,48,eb,44,0f,8e,cc
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:5c,e1,7b,1f,37,75,cd,01
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-13 19:56:25
ComboFix-quarantined-files.txt 2012-09-13 23:56
.
Pre-Run: 173,584,371,712 bytes free
Post-Run: 175,528,013,824 bytes free
.
- - End Of File - - 127BB92CC27A3CFC2622E3ECE17CB231
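The Reg Loading Points block in the log above is the part worth reading first: the policies\system key shows User Account Control switched off (EnableLUA=0, ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0), and the service list has entries whose image is a .tmp file in system32 or is reported missing ([x]). The script below is an added example, not code from this thread or from ComboFix; it parses those sections of a ComboFix-style log and lists the items an analyst would review first, without deciding that any of them is malicious. The sample log text is constructed from line shapes in the log above, and the expected UAC values (Windows 7 defaults) and the trusted-directory list are my assumptions for illustration.

```python
"""Triage helper for a ComboFix-style log (added example, not ComboFix's own code)."""
import re

# Windows 7 default values; anything else weakens or disables UAC (assumption for this example).
UAC_EXPECTED = {
    "EnableLUA": 1,                   # 0 = UAC switched off entirely
    "ConsentPromptBehaviorAdmin": 5,  # 0 = admins elevate silently, no prompt at all
    "PromptOnSecureDesktop": 1,       # 0 = prompts shown on the normal desktop, spoofable by other software
}

# Directories a Run-key image is normally expected to live in (assumption for this example).
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)\s+\(0x[0-9a-f]+\)$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<stamp>[^\]]*)\]$')
# ComboFix service lines: "<start type> <name>;<display name>;<image path> [<date size>|x]"
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]$"
)

# Constructed sample in the shape of the log above (not a full ComboFix report).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\AB3E.tmp [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-07 25928]
"""


def parse_combofix(text):
    """Walk the log once, using the most recent [key] header as context for value lines."""
    uac, run, services = {}, [], []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m and key.endswith("\\policies\\system"):
            uac[m.group("name")] = int(m.group("val"))
            continue
        m = RUN_RE.match(line)
        if m and key.endswith("\\run"):
            run.append((key, m.group("name"), m.group("path")))
            continue
        m = SVC_RE.match(line)
        if m:
            services.append(m.groupdict())
    return {"uac": uac, "run": run, "services": services}


def triage(text):
    """Return human-readable review items, in a stable order, for the parsed log."""
    parsed = parse_combofix(text)
    findings = []
    for name, expected in UAC_EXPECTED.items():
        actual = parsed["uac"].get(name)
        if actual is not None and actual != expected:
            findings.append(f"UAC weakened: {name}={actual} (Windows 7 default {expected})")
    for _key, name, path in parsed["run"]:
        if not path.lower().startswith(TRUSTED_ROOTS):
            findings.append(f"Run entry to review (image outside program dirs): {name} -> {path}")
    for svc in parsed["services"]:
        if svc["stamp"] == "x":  # ComboFix prints [x] when the image file is not on disk
            findings.append(f"Service image not found on disk: {svc['name']} -> {svc['path']}")
        if svc["path"].lower().endswith(".tmp"):
            findings.append(f"Service image is a temp file: {svc['name']} -> {svc['path']}")
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item)
```

Run it against a saved ComboFix.txt by passing the file contents to `triage()`. A flagged item is a starting point, not a verdict: a driver service whose image is a .tmp file can be a legitimate leftover from a cleaning tool, and a Run entry in c:\windows may be an OEM utility, so check the file's publisher and hash before removing anything.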

nethog

join:2006-12-08
Canton, MI

LoPhatPhuud
Just so you know, my PC is still continuously receiving a stream of data; for example yesterday after 6 hours approximately 8Gb was received over my wireless connection. When I look at the connection status I see what appears to be 1 Mb transmitted every 2-3 seconds with NO network apps running.



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM

reply to nethog

I believe the main culprit is multiple infections across multiple user accounts. That would explain the "mysterious" behavior when the logs show nothing.

Infections at this depth are best dealt with by reformat and re-install. Back up all pertinent data first.

Then either load the factory recovery program, or boot from your Windows DVD.

Operating System stability is foremost for me. If I can't be assured that the removal steps will leave a stable OS, then the only recommendation I can make is reformat.
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum


nethog

join:2006-12-08
Canton, MI

Would it help if I reran MBAM on the other account that is in-use on this computer?



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM

reply to nethog

The problem is that your computer is infecting faster than you can clean it. MBAM may help, but it's not the preferred program for this trojan.

Again, for infections of this depth, I will only recommend reformat and re-install.

That said, if you want to try to remove the exploit from all users, you'll need to run an AV from a bootable CD/DVD.

My recommendation would be to use the Kaspersky Rescue tool. I'll post the instructions in the next post.

Please understand, my recommendation for reformat and reinstall still stands.



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM

reply to nethog

The Kaspersky Rescue Disk is a bootable CD or USB based version of Kaspersky Antivirus.

You will find full instructions for download and use at the following links:

CD based: »support.kaspersky.com/faq/?qid=208282484

USB Based: »support.kaspersky.com/faq/?qid=208282163

Note: Please post the log (krd-log.txt) in your next reply


nethog

join:2006-12-08
Canton, MI

LoPhatPhuud:
Well, I ran KRD and it detected 2 viruses. I selected "Disinfect All" and saved the log file, but when I tried rebooting back to Windows, Windows could not start. I tried selecting a restore point but it did not work. Do you know if I can undo the changes KRD made by booting back to the USB? Or some other suggestion?



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM

reply to nethog

I'm not sure if you can undo the changes Kaspersky made. You can indeed try booting from the Rescue program again and see if there is an option to undo.

You could also try booting in Safe Mode. If it works, back up all valuable data if you have not already done it.


nethog

join:2006-12-08
Canton, MI

LoPhatPhuud:
I was unable to undo the KRD changes, but I did use the KRD application to copy all of my data to a flash drive (Windows Safe Mode didn't work either) and I reloaded Win7 (clean install). So thanks for all of your help - I really appreciate it.



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
reply to nethog

Thanks for the update.