Smokey's Security Forums
Topic: Google results hijack

Starbuck (Site Owner; Leader, Malware Analysis & Removal Team; Midlands, UK)
Re: Google results hijack
« Reply #15 on: March 13, 2013, 09:13:15 PM »
Quote
So I am just trying to figure out who likes which rootkit detectors etc.  For instance, why don't a lot of these boards use the rootkit detector from Sysinternals or GMER?

I can only give my personal opinion here.
Up until about 2 months ago, Gmer wouldn't run on 64bit systems so we were limited as to when we could use it.
Over the last couple of years there's been a huge increase in 64bit systems.
Since it's been made 64bit compliant, it does seem to still have the odd bug.
Also, personally I don't like the Gmer report.... it seems to offer too much info sometimes and not all of it is actually needed.
I found AswMbr a very good compromise and it gives just the info I'm after.
AswMbr is written jointly by Gmer and Avast and I've never had a problem running it on 64bit systems.

Quote
I have been researching some new utilities to help prevent these outbreaks:
EMET, WinPatrol, Private Firewall.

I have never used EMET nor do I know of anyone using it, so can't comment.
WinPatrol and Private Firewall get quite favourable reviews from people that I know that use them.

gsgi (Topic starter; Gold Forum Friend)
Re: Google results hijack
« Reply #14 on: March 11, 2013, 10:29:30 PM »
OK, I'll do the clean up.

I posted at EE because I wanted to know why catchme and mbr came up as they did.  I thought that was pretty clear from my post there.  Also, I have been a paying member there for a long time; some of their forums, SQL, Exchange, Citrix, have experts that are very good.

In the SQL group in particular, they will help you with a query in less than half an hour.  What other forums do you use other than EE?  I have noticed the quality of it has been slipping.  I was an expert there in 2006 in a few topics.

I worked with a spyware expert there in the past.  So I am just trying to figure out who likes which rootkit detectors etc.  For instance, why don't a lot of these boards use the rootkit detector from Sysinternals or GMER?

I didn't mean to offend you.  Just looking for more info on mbr and catchme.  I did want everyone to know that there was an active thread, that is why I posted a pointer to this thread.

I have been researching some new utilities to help prevent these outbreaks:
EMET, WinPatrol, Private Firewall.

Thanks,

-gsgi

Starbuck (Site Owner; Leader, Malware Analysis & Removal Team; Midlands, UK)
Re: Google results hijack
« Reply #13 on: March 11, 2013, 09:35:06 PM »
Hi gsgi

If the system is still running fine, we can finish off the cleaning process.

Just one thing before we do that though.
I did see this post of yours:
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_28054775.html
and to be honest, it is looked on as being bad manners to seek a second opinion before we have even finished.
Plus, as there are numerous sites that would have offered a second opinion free of charge..... why use a pay site that doesn't really have many experts?
Most of the advice given on that site can be found by doing a Google search.

Step 1
Restart MBAM.
Click on the Quarantine tab
If there are items in quarantine.....
Make sure everything is selected and then click Delete All.
Close MBAM.

Step 2
Please uninstall ComboFix:
Click on Start, then Run, and type in combofix /uninstall (don't forget there is a space between the x and the /), then press OK.

This action will uninstall Combofix and also perform a few cleanup measures.


Step 3
  • Please double-click OTL.exe to run it.
  • You should see a CleanUp! button; press that button.
  • This will clean up an assortment of tools used during malware removal, plus itself.
Note:
MBAM will not be removed if it's installed.


Step 4
Now you should set a New Restore Point. 
Setting a new restore point AFTER cleaning your system will help your computer to "roll-back" to a clean working state. 

Click Start >> Computer >> System Properties >> System Protection.
Here you have a list of hard drives and partitions available in your computer - mostly just one. Select the drive that has "(System)" written after it and click Configure.
Select Turn off system protection under Restore Settings and click the Delete button.
Click Continue in confirmation window and click Close after the restore points have been deleted.
Then click OK to close properties for the drive.

Now reboot the system.

Follow the above procedure again, only this time click Restore system settings and previous Versions of files.
Then click OK.

Your System restore will now be active again... starting with a new restore point.



Glad I was able to help.

Safe surfing.

gsgi (Topic starter; Gold Forum Friend)
Re: Google results hijack
« Reply #12 on: March 06, 2013, 10:20:05 PM »
OK, yeah, this seems clean now.  Thanks.

Starbuck (Site Owner; Leader, Malware Analysis & Removal Team; Midlands, UK)
Re: Google results hijack
« Reply #11 on: March 06, 2013, 10:04:00 PM »
Hi gsgi

The aswMBR report looks fine.
The report on that file would seem to indicate that it's a toolbar of some description.
As 5 have flagged it, I'd recommend deleting the file from your system.

Quote
The machine is running well now, no pauses

That's good.
When you get back, give me an update and if everything is still running ok we can start to finish off the cleaning procedure.

gsgi (Topic starter; Gold Forum Friend)
Re: Google results hijack
« Reply #10 on: March 06, 2013, 09:29:44 PM »
Ok, I ran the tools you requested!
I am going to my uncle's funeral.  I leave tomorrow morning and will not be back until Monday.
The machine is running well now, no pauses.

Thanks,
gsgi

Starbuck (Site Owner; Leader, Malware Analysis & Removal Team; Midlands, UK)
Re: Google results hijack
« Reply #9 on: March 06, 2013, 08:35:33 PM »
Hi gsgi

Firstly it only confuses things if you run scans that aren't asked for.

Quote
Should I run combofix in safe mode?  Can I run it and just get a scan?


You have already run Combofix... why would you want to run it again?
Combofix will run in safe mode, but is better and more efficient if run in normal mode.

Quote
C:\Qoobox\Quarantine\C\Users\wa2\AppData\Roaming\C_202694.dll.vir   a variant of Win32/Kryptik.AVUC trojan
C:\Users\Valued Customer\Downloads\cnet2_2580INF_exe.exe   a variant of Win32/InstallCore.D application


The first line has already been removed by Combofix, so is nothing to worry about.
The second line would be worth checking out just in case it's a false positive.
You could upload that file and see how it checks out.

You can get the file checked at: Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Users\Valued Customer\Downloads\cnet2_2580INF_exe.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at:  Virustotal
 

As for:
Quote
device: opened successfully
user: error reading MBR
error: Read  The handle is invalid.
kernel: error reading MBR


I'd much rather you ran this...

Download aswMBR and save it to your desktop.
  • Double click the aswMBR.exe to run it.
  • The latest version gives you the option of adding the latest Avast definitions.
  • It is recommended at this time to click NO (as there is a possibility of crashing the system).
  • Click the Scan button to start the scan.

On completion of the scan click Save log and save it to your desktop.

Please post this in your reply.

NOTE:
aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

Let me have the reports in your next reply.

Thanks
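A parser for the MBR.dat copy that aswMBR leaves on the desktop, as an added example that is not code from this thread or from the aswMBR/GMER authors: it checks the 0x55AA boot signature, decodes the four partition entries and compares a hash of the boot code with a known-good copy. The 512-byte sample sector and the known-good hash are constructed for the example; nothing beyond the standard MBR layout is assumed.

```python
"""Parse and sanity-check a 512-byte MBR sector such as the MBR.dat copy
that aswMBR saves to the desktop.

Added example for this thread; not code from the thread or from aswMBR.
The sample sector built below is constructed, not the poster's MBR.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOTCODE_SIZE = 440           # bytes 0..439: boot code; 440..445: disk signature + reserved
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_partition_entry(raw):
    """Decode one 16-byte partition entry (the CHS fields are skipped)."""
    status, type_id, lba_start, sector_count = struct.unpack("<B3xB3xII", raw)
    return {"bootable": status == 0x80, "type": type_id,
            "lba_start": lba_start, "sectors": sector_count}


def parse_mbr(sector):
    """Return signature status, the non-empty partition entries and a hash of the boot code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entries.append(parse_partition_entry(sector[start:start + 16]))
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": [e for e in entries if e["type"] != 0],
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_SIZE]).hexdigest(),
    }


def check_mbr(sector, known_good_bootcode_sha256=None):
    """Return a list of findings; an empty list means nothing looked wrong.

    The known-good hash would come from a trusted copy of the same machine's
    MBR (for instance an MBR.dat saved before the incident); hypothetical here.
    """
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if not info["partitions"]:
        findings.append("partition table is empty")
    if sum(1 for p in info["partitions"] if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    if known_good_bootcode_sha256 and info["bootcode_sha256"] != known_good_bootcode_sha256:
        findings.append("boot code differs from known-good copy")
    return findings


def build_sample_sector():
    """Constructed sample: dummy boot code and one bootable NTFS (type 0x07) partition."""
    bootcode = b"\xEB\x3C\x90" + b"\x00" * (BOOTCODE_SIZE - 3)
    disk_signature = b"\x12\x34\x56\x78" + b"\x00\x00"
    first = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    empty = b"\x00" * 16
    return bootcode + disk_signature + first + empty * 3 + BOOT_SIGNATURE


def load_sector(path):
    """Read the first 512 bytes of a file such as MBR.dat."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    sector = load_sector(sys.argv[1]) if len(sys.argv) > 1 else build_sample_sector()
    report = parse_mbr(sector)
    print("boot signature present:", report["signature_ok"])
    for p in report["partitions"]:
        print("partition type 0x%02X start LBA %d sectors %d bootable %s"
              % (p["type"], p["lba_start"], p["sectors"], p["bootable"]))
    print("boot code sha256:", report["bootcode_sha256"])
    for finding in check_mbr(sector):
        print("FINDING:", finding)
```

Run it with the path to MBR.dat as the only argument; without an argument it parses the constructed sample.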

gsgi (Topic starter; Gold Forum Friend)
Re: Google results hijack
« Reply #8 on: March 06, 2013, 04:06:57 AM »
I posted the OTL log you asked for below.  I ran gmer and catchme and mbr.  gmer said "scan completed successfully..."  I had to run these in an elevated cmd window.   Should I run combofix in safe mode?  Can I run it and just get a scan?  The system just seems like it pauses before it does stuff, like load this thread in this forum, go to this website, etc...

c:\Users\Valued Customer\Desktop>catchme
detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51
Initialization error


c:\Users\Valued Customer\Desktop>mbr
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601

device: opened successfully
user: error reading MBR
error: Read  The handle is invalid.
kernel: error reading MBR

c:\Users\Valued Customer\Desktop>

Thanks,
gsgi

gsgi (Topic starter; Gold Forum Friend)
Re: Google results hijack
« Reply #7 on: March 06, 2013, 03:43:07 AM »
Hi,

Thanks,  here you go ...

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
C:\Users\Valued Customer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\wxsrv\ deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cbe2f848-6899-11e1-8ecb-806e6f6e6963}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cbe2f848-6899-11e1-8ecb-806e6f6e6963}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cbe2f848-6899-11e1-8ecb-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cbe2f848-6899-11e1-8ecb-806e6f6e6963}\ not found.
File E:\autorun.exe not found.
ADS C:\ProgramData\Temp:DFC5A2B2 deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Valued Customer\Desktop\cmd.bat deleted successfully.
C:\Users\Valued Customer\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: admin
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 65603 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: default-admin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2559186 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 562 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
User: Valued Customer
->Temp folder emptied: 3054092 bytes
->Temporary Internet Files folder emptied: 42224444 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 17470724 bytes
->Google Chrome cache emptied: 12933808 bytes
->Flash cache emptied: 602 bytes
 
User: wa2
->Temp folder emptied: 344189 bytes
->Temporary Internet Files folder emptied: 81920 bytes
->Java cache emptied: 9674 bytes
->FireFox cache emptied: 68837555 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 506 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 71942 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 141.00 mb
 
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
OTL by OldTimer - Version 3.2.69.0 log created on 03052013_212940

Files\Folders moved on Reboot...
C:\Users\Valued Customer\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

-------------

I ran a NOD32 online scan last night - set to report only --

C:\Qoobox\Quarantine\C\Users\wa2\AppData\Roaming\C_202694.dll.vir   a variant of Win32/Kryptik.AVUC trojan
C:\Users\Valued Customer\Downloads\cnet2_2580INF_exe.exe   a variant of Win32/InstallCore.D application

Thanks,
gsgi

Starbuck (Site Owner; Leader, Malware Analysis & Removal Team; Midlands, UK)
Re: Google results hijack
« Reply #6 on: March 05, 2013, 08:23:49 PM »
Hi gsgi

Quote
I donated because on further reading of the guidelines here, I am paid to do this type of work.


That's not a problem here.
Some sites don't allow help to people that are paid to fix systems.... but we don't follow that thinking here.
There are times we all need a little help.


Step 1
Double click on OTL to run it.
Copy the lines in the codebox below. (Make sure that :Otl is on the first line and that you include all of the fix lines.)
Code:
:otl
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O4 - HKLM..\Run: []  File not found
O4 - Startup: C:\Users\Valued Customer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk =  File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - HKCU\..Trusted Domains: wxsrv ([]file in Local intranet)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O33 - MountPoints2\{cbe2f848-6899-11e1-8ecb-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{cbe2f848-6899-11e1-8ecb-806e6f6e6963}\Shell\AutoRun\command - "" = E:\autorun.exe
@Alternate Data Stream - 125 bytes -> C:\ProgramData\Temp:DFC5A2B2

:Files
ipconfig /flushdns /c

:commands
[emptytemp]
[purity]
[RESETHOSTS]


  • Return to OTL.
  • Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the red Run Fix button.
  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.
Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

If you lose the report, there will be a copy here:
C:\_OTL\MovedFiles

Note:
Occasionally an OTL fix will stall when Malwarebytes is installed.
If the fix does stall, MBAM will need to be removed..... it can be installed again after the fix has been run.

This fix will also reset the Hosts file, so if there are custom entries in the file they will need to be reset again afterwards.

In your next reply, please submit: 
Otl fix report
and let me know how the system is running and if there are still any problems.


Thanks.

gsgi (Topic starter; Gold Forum Friend)
Re: Google results hijack
« Reply #5 on: March 05, 2013, 03:38:33 AM »
Originally this was a hijack thing.  So the 1st link of any google search took you to gaming sites.   I do not go to gaming sites.   (My father in law does, but not on my computers...)

I could not get the Extras log this time in OTL.  It did generate one on March 1 that I have included.

I donated because on further reading of the guidelines here, I am paid to do this type of work.  Also, you did not yell at me for running combofix on my own.  Finally, this board allows you to get going, run a few things, OTL, AdwCleaner, TDSSKiller etc and post those logs up front.

I have attached the requested logs.

Thanks,
gsgi

Starbuck (Site Owner; Leader, Malware Analysis & Removal Team; Midlands, UK)
Re: Google results hijack
« Reply #4 on: March 04, 2013, 10:00:15 PM »
Hi gsgi

Firstly I'd like to thank you for the donation, it is very much appreciated.
I have altered your forum status to that of 'Gold Forum Friend' to reflect our gratitude.

Quote
To be honest, I am not sure if we ran it with MSE uninstalled.


It doesn't really matter if MSSE is installed or not.
They will work well together anyway.
It's only Combofix that requires your resident AV to be disabled.

Quote
Whatever this is hid from Malwarebytes and currently lets me browse without going to gaming sites,

but interestingly if I try this forum in chrome, IE, or Firefox I go nowhere.


Please can you clarify..... are you trying to go to a gaming site but being blocked, or are you being redirected to a gaming site?

Quote
HOSTS FILE - yes the top 6 entries we added....


Ok, later on when we run an OTL fix, we reset the Hosts file as standard .... so we'll bear this in mind.

Step 1
Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Delete button.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.



Step 2
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 7 Update 15 and save it to your desktop.
  • Scroll down to where it says "Java SE 7 Update 15".
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Select 'Windows x64.exe' from the list.
  • Save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the downloaded icon to install the newest version.

Step 3
Let's get a fresh set of OTL reports now, so that we can see what is left.
I also need the 'Extras.txt' from Otl .... if you follow the instructions below, the 'Extras.txt' will be produced.
It will be minimised.... a copy will also be saved in the same directory as Otl. (Folder = C:\Users\wa2\Downloads)

Click on OTL to run it again.
  • Under Extra Registry section, select Use SafeList.
  • Don't check the boxes beside 'LOP Check' and 'Purity Check' this time.
Now copy the lines below.

netsvcs
msconfig
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\*
%USERPROFILE%\..|smtmp;true;true;true /FP
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the Run Scan button.
  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
In your next reply, please submit: 
AdwCleaner report
and both reports from OTL.


Thanks.
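The hosts-file side of this thread (custom entries the poster added, the reset the OTL fix performs, and sites that "go nowhere"), as an added example that is not the thread's own file or any forum tool's code: a Python audit of a Windows hosts file that separates the stock localhost lines from entries that block a name (loopback or 0.0.0.0) or redirect it to another address, and flags hits on an assumed watchlist of search-engine and security-vendor domains. The hosts text and the watchlist are constructed for the example.

```python
"""Audit a Windows hosts file for entries that block or redirect web sites.

Added example for this thread; the hosts content below is constructed and
the watchlist is an assumed example list. A stock Windows 7 hosts file
contains only comments, so every active line is either something the user
added deliberately or something that needs explaining before a tool resets
the file.
"""
import ipaddress

# Names a machine may legitimately map to loopback in hosts.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumed watchlist: domains whose blocking or redirection deserves attention.
WATCHLIST = ("google.com", "bing.com", "microsoft.com", "malwarebytes.org", "avast.com")

# Constructed sample hosts file (not the poster's file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1       localhost
0.0.0.0         ads.example.net           # user-added ad block (constructed)
127.0.0.1       www.malwarebytes.org      # security vendor blocked
127.0.0.1       forums.example-security.test
10.0.0.99       www.google.com            # search engine sent elsewhere
not-an-ip       www.example.com
"""


def classify(address, names):
    """default: stock localhost lines; block: loopback/unspecified; redirect: anything else."""
    if names and all(n in LOCAL_NAMES for n in names):
        return "default"
    ip = ipaddress.ip_address(address)
    if ip.is_loopback or ip.is_unspecified:
        return "block"
    return "redirect"


def parse_hosts(text):
    """Return one record per active (non-comment, non-blank) line."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            records.append({"line": lineno, "address": None, "names": fields, "kind": "malformed"})
            continue
        names = [n.lower() for n in fields[1:]]
        records.append({"line": lineno, "address": address, "names": names,
                        "kind": classify(address, names)})
    return records


def on_watchlist(name):
    return any(name == w or name.endswith("." + w) for w in WATCHLIST)


def audit(text):
    """Group records by kind and mark watchlist hits."""
    report = {"default": [], "block": [], "redirect": [], "malformed": []}
    for rec in parse_hosts(text):
        rec["watchlist_hit"] = bool(rec["address"]) and any(on_watchlist(n) for n in rec["names"])
        report[rec["kind"]].append(rec)
    return report


def suspicious(report):
    """Redirects are always worth explaining; blocks only when a watched domain is hit."""
    return report["redirect"] + [r for r in report["block"] if r["watchlist_hit"]]


def custom_entries(report):
    """Every active non-default line: review these before a fix resets the hosts file."""
    return report["block"] + report["redirect"]


if __name__ == "__main__":
    result = audit(SAMPLE_HOSTS)
    for rec in suspicious(result):
        print("line %d: %s -> %s (%s)" % (rec["line"], ", ".join(rec["names"]), rec["address"], rec["kind"]))
    print("%d custom entries to review before a reset" % len(custom_entries(result)))
```

Entries in report["block"] that are not on the watchlist (such as the forum name in the sample) still deserve a manual look; the watchlist only decides what is flagged automatically.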

gsgi (Topic starter; Gold Forum Friend)
Re: Google results hijack
« Reply #3 on: March 04, 2013, 04:57:23 AM »
Yes, Malwarebytes showed nothing.  To be honest, I am not sure if we ran it with MSE uninstalled.  Same for TDSKiller.  We definitely ran combofix with MSE uninstalled, then ran malwarebytes again, then reinstalled MSE, then ran the MS Safety scanner.   But we ran nothing in SAFE MODE. Whatever this is hid from Malwarebytes and currently lets me browse without going to gaming sites, but interestingly if I try this forum in chrome, IE, or Firefox I go nowhere.  Whatever this is put stuff in the hosts file.  We overwrote it with a clean hosts file.   Hmmm, now that I look at it, I do not remember these spybot entries....  I really appreciate your time and effort and help!!!!!!!!!!!

HOSTS FILE - yes the top 6 entries we added....  see attachment


COMBOFIX LOG
ComboFix 13-02-26.01 - admin 02/28/2013  17:57:32.1.2 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.1993.779 [GMT -5:00]
Running from: g:\crap_removal\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\wa2\AppData\Roaming\C_202694.dll
c:\windows\security\Database\tmp.edb
c:\windows\SysWow64\SETF43E.tmp
c:\windows\SysWow64\spool\prtprocs\w32x86\HPZPPLHN.DLL
c:\windows\SysWow64\spool\prtprocs\w32x86\HPZPPWN7.DLL
c:\windows\SysWow64\spool\prtprocs\w32x86\jnwppr.dll
c:\windows\SysWow64\spool\prtprocs\w32x86\winprint.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-28 to 2013-02-28  )))))))))))))))))))))))))))))))
.
.
2013-02-28 23:03 . 2013-02-28 23:03   --------   d-----w-   c:\users\Valued Customer\AppData\Local\temp
2013-02-28 21:33 . 2013-02-28 21:33   --------   d-----w-   c:\users\wa2\AppData\Roaming\Malwarebytes
2013-02-28 21:10 . 2013-02-28 21:10   --------   d-----w-   c:\users\admin\AppData\Roaming\Malwarebytes
2013-02-28 21:10 . 2013-02-28 21:10   --------   d-----w-   c:\programdata\Malwarebytes
2013-02-28 21:10 . 2013-02-28 21:10   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2013-02-28 21:10 . 2012-12-14 21:49   24176   ----a-w-   c:\windows\system32\drivers\mbam.sys
2013-02-28 21:10 . 2013-02-28 21:10   --------   d-----w-   c:\users\admin\AppData\Local\Programs
2013-02-28 20:39 . 2013-02-28 22:34   --------   d-----w-   c:\users\admin\AppData\Local\Adobe
2013-02-15 22:04 . 2013-02-15 22:04   208448   ----a-w-   c:\program files (x86)\Mozilla Firefox\Plugins\nppdf32.dll
2013-02-15 22:04 . 2013-02-15 22:04   208448   ----a-w-   c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
2013-02-14 15:06 . 2013-01-09 01:10   996352   ----a-w-   c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-14 15:06 . 2013-01-08 22:01   768000   ----a-w-   c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 20:01 . 2013-01-05 05:53   5553512   ----a-w-   c:\windows\system32\ntoskrnl.exe
2013-02-13 20:01 . 2013-01-05 05:00   3967848   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2013-02-13 20:01 . 2013-01-05 05:00   3913064   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2013-02-13 20:01 . 2013-01-04 03:26   3153408   ----a-w-   c:\windows\system32\win32k.sys
2013-02-13 20:01 . 2013-01-04 05:46   215040   ----a-w-   c:\windows\system32\winsrv.dll
2013-02-13 20:01 . 2013-01-04 04:51   5120   ----a-w-   c:\windows\SysWow64\wow32.dll
2013-02-13 20:01 . 2013-01-04 02:47   25600   ----a-w-   c:\windows\SysWow64\setup16.exe
2013-02-13 20:01 . 2013-01-04 02:47   7680   ----a-w-   c:\windows\SysWow64\instnm.exe
2013-02-13 20:01 . 2013-01-04 02:47   14336   ----a-w-   c:\windows\SysWow64\ntvdm64.dll
2013-02-13 20:01 . 2013-01-04 02:47   2048   ----a-w-   c:\windows\SysWow64\user.exe
2013-02-13 20:01 . 2013-01-03 06:00   1913192   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2013-02-13 20:01 . 2013-01-03 06:00   288088   ----a-w-   c:\windows\system32\drivers\FWPKCLNT.SYS
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-27 14:52 . 2012-04-13 17:48   691568   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-27 14:52 . 2012-03-15 20:59   71024   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-14 15:09 . 2011-03-14 17:16   70004024   ----a-w-   c:\windows\system32\MRT.exe
2013-01-30 10:53 . 2011-03-14 16:28   273840   ------w-   c:\windows\system32\MpSigStub.exe
2013-01-04 04:43 . 2013-02-13 20:01   44032   ----a-w-   c:\windows\apppatch\acwow64.dll
2012-12-16 17:11 . 2012-12-21 08:00   46080   ----a-w-   c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-21 08:00   367616   ----a-w-   c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-21 08:00   295424   ----a-w-   c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-21 08:00   34304   ----a-w-   c:\windows\SysWow64\atmlib.dll
2012-12-07 13:20 . 2013-01-09 16:25   441856   ----a-w-   c:\windows\system32\Wpc.dll
2012-12-07 13:15 . 2013-01-09 16:25   2746368   ----a-w-   c:\windows\system32\gameux.dll
2012-12-07 12:26 . 2013-01-09 16:25   308736   ----a-w-   c:\windows\SysWow64\Wpc.dll
2012-12-07 12:20 . 2013-01-09 16:25   2576384   ----a-w-   c:\windows\SysWow64\gameux.dll
2012-12-07 11:20 . 2013-01-09 16:25   30720   ----a-w-   c:\windows\system32\usk.rs
2012-12-07 11:20 . 2013-01-09 16:25   43520   ----a-w-   c:\windows\system32\csrr.rs
2012-12-07 11:20 . 2013-01-09 16:25   23552   ----a-w-   c:\windows\system32\oflc.rs
2012-12-07 11:20 . 2013-01-09 16:25   45568   ----a-w-   c:\windows\system32\oflc-nz.rs
2012-12-07 11:20 . 2013-01-09 16:25   44544   ----a-w-   c:\windows\system32\pegibbfc.rs
2012-12-07 11:20 . 2013-01-09 16:25   20480   ----a-w-   c:\windows\system32\pegi-fi.rs
2012-12-07 11:20 . 2013-01-09 16:25   20480   ----a-w-   c:\windows\system32\pegi-pt.rs
2012-12-07 11:19 . 2013-01-09 16:25   20480   ----a-w-   c:\windows\system32\pegi.rs
2012-12-07 11:19 . 2013-01-09 16:25   46592   ----a-w-   c:\windows\system32\fpb.rs
2012-12-07 11:19 . 2013-01-09 16:25   40960   ----a-w-   c:\windows\system32\cob-au.rs
2012-12-07 11:19 . 2013-01-09 16:25   21504   ----a-w-   c:\windows\system32\grb.rs
2012-12-07 11:19 . 2013-01-09 16:25   15360   ----a-w-   c:\windows\system32\djctq.rs
2012-12-07 11:19 . 2013-01-09 16:25   55296   ----a-w-   c:\windows\system32\cero.rs
2012-12-07 11:19 . 2013-01-09 16:25   51712   ----a-w-   c:\windows\system32\esrb.rs
2012-12-07 10:46 . 2013-01-09 16:25   43520   ----a-w-   c:\windows\SysWow64\csrr.rs
2012-12-07 10:46 . 2013-01-09 16:25   30720   ----a-w-   c:\windows\SysWow64\usk.rs
2012-12-07 10:46 . 2013-01-09 16:25   45568   ----a-w-   c:\windows\SysWow64\oflc-nz.rs
2012-12-07 10:46 . 2013-01-09 16:25   44544   ----a-w-   c:\windows\SysWow64\pegibbfc.rs
2012-12-07 10:46 . 2013-01-09 16:25   20480   ----a-w-   c:\windows\SysWow64\pegi-pt.rs
2012-12-07 10:46 . 2013-01-09 16:25   23552   ----a-w-   c:\windows\SysWow64\oflc.rs
2012-12-07 10:46 . 2013-01-09 16:25   20480   ----a-w-   c:\windows\SysWow64\pegi-fi.rs
2012-12-07 10:46 . 2013-01-09 16:25   46592   ----a-w-   c:\windows\SysWow64\fpb.rs
2012-12-07 10:46 . 2013-01-09 16:25   20480   ----a-w-   c:\windows\SysWow64\pegi.rs
2012-12-07 10:46 . 2013-01-09 16:25   21504   ----a-w-   c:\windows\SysWow64\grb.rs
2012-12-07 10:46 . 2013-01-09 16:25   40960   ----a-w-   c:\windows\SysWow64\cob-au.rs
2012-12-07 10:46 . 2013-01-09 16:25   15360   ----a-w-   c:\windows\SysWow64\djctq.rs
2012-12-07 10:46 . 2013-01-09 16:25   55296   ----a-w-   c:\windows\SysWow64\cero.rs
2012-12-07 10:46 . 2013-01-09 16:25   51712   ----a-w-   c:\windows\SysWow64\esrb.rs
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-14 . 55187FD710E27D5095D10A472C8BAF1C . 288768 . . [6.1.7600.16385] .. c:\windows\SysWOW64\w32time.dll
.
[-] 2010-11-20 . E1FB3706030FB4578A0D72C2FC3689E4 . 463360 . . [6.1.7600.16385] .. c:\windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_6.1.7601.17514_none_349ba4fd11957512\wiaservc.dll
[-] 2009-07-14 . A22825E7BB7018E8AF3E229A5AF17221 . 462336 . . [6.1.7600.16385] .. c:\windows\SysWOW64\wiaservc.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files (x86)\Windows Sidebar\Sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"RtHDVCpl"="c:\program files (x86)\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-12-22 8120864]
"Adobe Photo Downloader"="c:\program files (x86)\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-12-18 39136]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-12-18 825560]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2009-12-15 103720]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"LGODDFU"="c:\program files (x86)\lg_fwupdate\lgfw.exe" [2012-08-25 27760]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-12-14 512360]
"Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-12-14 1091432]
.
c:\users\Valued Customer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - h:\users\defaultuser\AppData\Roaming\Dropbox\bin\Dropbox.exe [N/A]
.
c:\users\wa2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Name Grabber.LNK - \\nxsrv\Benco\OneView\Name Grabber.exe [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FA Reminder.lnk - c:\windows\Installer\{76DFE172-9A45-4A05-B9F1-22AD72C92277}\_3D7FE8D94B784A57E1F4EF.exe [2012-4-22 3262]
GxStart.lnk - c:\program files (x86)\Gendex\VixCfg\gxstart.exe [2012-3-8 244224]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 3 (0x3)
.
R2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files (x86)\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [2010-02-12 103936]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 31800]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-14 1255736]
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 277032]
S2 Advanced Monitoring Agent;Advanced Monitoring Agent;c:\program files (x86)\Advanced Monitoring Agent\winagent.exe [2012-07-30 2053632]
S2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files (x86)\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [2009-11-20 124984]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
S2 rgsender;Remote Graphics Sender Service;c:\program files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [2009-11-19 379904]
S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-03-19 2666880]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2009-07-24 2066968]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2011-05-05 340656]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-07-24 56344]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 87255091
*Deregistered* - 87255091
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 14:52]
.
2013-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1514188202-3766426978-948264940-1001Core.job
- c:\users\Valued Customer\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-25 19:11]
.
2013-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1514188202-3766426978-948264940-1001UA.job
- c:\users\Valued Customer\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-25 19:11]
.
2013-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1514188202-3766426978-948264940-1004Core.job
- c:\users\wa2\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-22 18:23]
.
2013-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1514188202-3766426978-948264940-1004UA.job
- c:\users\wa2\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-22 18:23]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-02 7938080]
"picon"="c:\program files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 196648]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 483880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-06-17 162584]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-06-17 386840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-06-17 417560]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Supplementary Scan -------
.
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: Interfaces\{2D661AC1-2612-44F2-B519-6424F531F51E}: NameServer = 4.2.2.2,4.2.2.5
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM-RunOnce-WinSat - winsat dwm -xml results.xml
AddRemove-Citrix ICA Client - c:\progra~2\Citrix\ICACLI~1\Uninst.isu
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-02-28  18:06:19
ComboFix-quarantined-files.txt  2013-02-28 23:06
.
Pre-Run: 163,575,234,560 bytes free
Post-Run: 163,458,121,728 bytes free
.
- - End Of File - - 38374F7A577F8E1C96D65D7E22E9426B


MALWARE BYTES  (We ran this three times) - I think it found nothing of significance
Malwarebytes Anti-Malware (Trial) 1.70.0.1100
http://www.malwarebytes.org

Database version: v2013.02.28.13

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
admin :: SCANSTATION2 [administrator]

Protection: Enabled

2/28/2013 4:11:49 PM
mbam-log-2013-02-28 (16-11-49).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 274582
Time elapsed: 3 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Valued Customer\Downloads\PCmover(1).exe (PUP.Adbundler) -> Quarantined and deleted successfully.
C:\Users\Valued Customer\Downloads\PCmover.exe (PUP.Adbundler) -> Quarantined and deleted successfully.

(end)
Malwarebytes Anti-Malware (Trial) 1.70.0.1100
http://www.malwarebytes.org

Database version: v2013.02.28.13

Windows 7 Service Pack 1 x64 NTFS (Safe Mode)
Internet Explorer 9.0.8112.16421
Lee :: SCANSTATION2 [limited]

Protection: Disabled

2/28/2013 4:33:17 PM
mbam-log-2013-02-28 (16-33-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 164467
Time elapsed: 2 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Malwarebytes Anti-Malware (Trial) 1.70.0.1100
http://www.malwarebytes.org

Database version: v2013.02.28.13

Windows 7 Service Pack 1 x64 NTFS (Safe Mode)
Internet Explorer 9.0.8112.16421
Lee :: SCANSTATION2 [limited]

Protection: Disabled

2/28/2013 4:36:31 PM
mbam-log-2013-02-28 (16-36-31).txt

Scan type: Full scan (C:\|D:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 326449
Time elapsed: 40 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

17:51:23.0504 3964  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
17:51:23.0863 3964  ============================================================
17:51:23.0863 3964  Current date / time: 2013/02/28 17:51:23.0863
17:51:23.0863 3964  SystemInfo:
17:51:23.0863 3964 
17:51:23.0863 3964  OS Version: 6.1.7601 ServicePack: 1.0
17:51:23.0863 3964  Product type: Workstation
17:51:23.0863 3964  ComputerName: SCANSTATION2
17:51:23.0863 3964  UserName: admin
17:51:23.0863 3964  Windows directory: C:\Windows
17:51:23.0863 3964  System windows directory: C:\Windows
17:51:23.0863 3964  Running under WOW64
17:51:23.0863 3964  Processor architecture: Intel x64
17:51:23.0863 3964  Number of processors: 2
17:51:23.0863 3964  Page size: 0x1000
17:51:23.0863 3964  Boot type: Normal boot
17:51:23.0863 3964  ============================================================
17:51:25.0641 3964  Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
17:51:25.0641 3964  Drive \Device\Harddisk1\DR1 - Size: 0x76E480000 (29.72 Gb), SectorSize: 0x200, Cylinders: 0xF28, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
17:51:25.0641 3964  Drive \Device\Harddisk2\DR2 - Size: 0xF1000000 (3.77 Gb), SectorSize: 0x200, Cylinders: 0x1EB, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
17:51:25.0641 3964  ============================================================
17:51:25.0641 3964  \Device\Harddisk0\DR0:
17:51:25.0641 3964  MBR partitions:
17:51:25.0641 3964  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0xC80000
17:51:25.0641 3964  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0xC80800, BlocksNum 0x19EB0000
17:51:25.0641 3964  \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x1AB30800, BlocksNum 0x2695000
17:51:25.0641 3964  \Device\Harddisk1\DR1:
17:51:25.0641 3964  MBR partitions:
17:51:25.0641 3964  \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x2000, BlocksNum 0x3B70400
17:51:25.0641 3964  \Device\Harddisk2\DR2:
17:51:25.0641 3964  MBR partitions:
17:51:25.0641 3964  \Device\Harddisk2\DR2\Partition1: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0x787FC1
17:51:25.0641 3964  ============================================================
17:51:25.0672 3964  C: <-> \Device\Harddisk0\DR0\Partition2
17:51:25.0750 3964  D: <-> \Device\Harddisk0\DR0\Partition3
17:51:25.0813 3964  F: <-> \Device\Harddisk0\DR0\Partition1
17:51:25.0813 3964  ============================================================
17:51:25.0813 3964  Initialize success
17:51:25.0813 3964  ============================================================
17:51:33.0098 1208  ============================================================
17:51:33.0098 1208  Scan started
17:51:33.0098 1208  Mode: Manual;
17:51:33.0098 1208  ============================================================
17:51:34.0315 1208  ================ Scan system memory ========================
17:51:34.0315 1208  System memory - ok
17:51:34.0315 1208  ================ Scan services =============================
17:51:34.0408 1208  [ A87D604AEA360176311474C87A63BB88 ] 1394ohci        C:\Windows\system32\drivers\1394ohci.sys
17:51:34.0408 1208  1394ohci - ok
17:51:34.0455 1208  [ 5E8EFEB338DEB1F485420B090FE6C85E ] ac.sharedstore  C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
17:51:34.0471 1208  ac.sharedstore - ok
17:51:34.0486 1208  [ D81D9E70B8A6DD14D42D7B4EFA65D5F2 ] ACPI            C:\Windows\system32\drivers\ACPI.sys
17:51:34.0502 1208  ACPI - ok
17:51:34.0517 1208  [ 99F8E788246D495CE3794D7E7821D2CA ] AcpiPmi         C:\Windows\system32\drivers\acpipmi.sys
17:51:34.0517 1208  AcpiPmi - ok
17:51:34.0580 1208  [ 177FF6608B48638D4066726F3A3F8444 ] AdobeActiveFileMonitor5.0 C:\Program Files (x86)\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
17:51:34.0580 1208  AdobeActiveFileMonitor5.0 - ok
17:51:34.0689 1208  [ 3927397AC60D943DAF8808AFFED582B7 ] AdobeARMservice C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
17:51:34.0689 1208  AdobeARMservice - ok
17:51:34.0767 1208  [ 9942DC4CC265CDA00486504444EF521D ] AdobeFlashPlayerUpdateSvc C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
17:51:34.0767 1208  AdobeFlashPlayerUpdateSvc - ok
17:51:34.0798 1208  [ 2F6B34B83843F0C5118B63AC634F5BF4 ] adp94xx         C:\Windows\system32\DRIVERS\adp94xx.sys
17:51:34.0814 1208  adp94xx - ok
17:51:34.0829 1208  [ 597F78224EE9224EA1A13D6350CED962 ] adpahci         C:\Windows\system32\DRIVERS\adpahci.sys
17:51:34.0829 1208  adpahci - ok
17:51:34.0829 1208  [ E109549C90F62FB570B9540C4B148E54 ] adpu320         C:\Windows\system32\DRIVERS\adpu320.sys
17:51:34.0845 1208  adpu320 - ok
17:51:34.0892 1208  [ 14E1F0929D57117D915099C6107352E2 ] Advanced Monitoring Agent C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe
17:51:34.0939 1208  Advanced Monitoring Agent - ok
17:51:34.0954 1208  [ 4B78B431F225FD8624C5655CB1DE7B61 ] AeLookupSvc     C:\Windows\System32\aelupsvc.dll
17:51:34.0954 1208  AeLookupSvc - ok
17:51:34.0985 1208  [ 1C7857B62DE5994A75B054A9FD4C3825 ] AFD             C:\Windows\system32\drivers\afd.sys
17:51:34.0985 1208  AFD - ok
17:51:35.0017 1208  [ 608C14DBA7299D8CB6ED035A68A15799 ] agp440          C:\Windows\system32\drivers\agp440.sys
17:51:35.0017 1208  agp440 - ok
17:51:35.0032 1208  [ 3290D6946B5E30E70414990574883DDB ] ALG             C:\Windows\System32\alg.exe
17:51:35.0032 1208  ALG - ok
17:51:35.0048 1208  [ 5812713A477A3AD7363C7438CA2EE038 ] aliide          C:\Windows\system32\drivers\aliide.sys
17:51:35.0048 1208  aliide - ok
17:51:35.0063 1208  [ 1FF8B4431C353CE385C875F194924C0C ] amdide          C:\Windows\system32\drivers\amdide.sys
17:51:35.0063 1208  amdide - ok
17:51:35.0095 1208  [ 7024F087CFF1833A806193EF9D22CDA9 ] AmdK8           C:\Windows\system32\DRIVERS\amdk8.sys
17:51:35.0095 1208  AmdK8 - ok
17:51:35.0095 1208  [ 1E56388B3FE0D031C44144EB8C4D6217 ] AmdPPM          C:\Windows\system32\DRIVERS\amdppm.sys
17:51:35.0095 1208  AmdPPM - ok
17:51:35.0126 1208  [ D4121AE6D0C0E7E13AA221AA57EF2D49 ] amdsata         C:\Windows\system32\drivers\amdsata.sys
17:51:35.0126 1208  amdsata - ok
17:51:35.0141 1208  [ F67F933E79241ED32FF46A4F29B5120B ] amdsbs          C:\Windows\system32\DRIVERS\amdsbs.sys
17:51:35.0141 1208  amdsbs - ok
17:51:35.0157 1208  [ 540DAF1CEA6094886D72126FD7C33048 ] amdxata         C:\Windows\system32\drivers\amdxata.sys
17:51:35.0157 1208  amdxata - ok
17:51:35.0188 1208  [ 89A69C3F2F319B43379399547526D952 ] AppID           C:\Windows\system32\drivers\appid.sys
17:51:35.0188 1208  AppID - ok
17:51:35.0204 1208  [ 0BC381A15355A3982216F7172F545DE1 ] AppIDSvc        C:\Windows\System32\appidsvc.dll
17:51:35.0204 1208  AppIDSvc - ok
17:51:35.0219 1208  [ 3977D4A871CA0D4F2ED1E7DB46829731 ] Appinfo         C:\Windows\System32\appinfo.dll
17:51:35.0219 1208  Appinfo - ok
17:51:35.0251 1208  [ 4ABA3E75A76195A3E38ED2766C962899 ] AppMgmt         C:\Windows\System32\appmgmts.dll
17:51:35.0251 1208  AppMgmt - ok
17:51:35.0266 1208  [ C484F8CEB1717C540242531DB7845C4E ] arc             C:\Windows\system32\DRIVERS\arc.sys
17:51:35.0282 1208  arc - ok
17:51:35.0282 1208  [ 019AF6924AEFE7839F61C830227FE79C ] arcsas          C:\Windows\system32\DRIVERS\arcsas.sys
17:51:35.0282 1208  arcsas - ok
17:51:35.0297 1208  [ 769765CE2CC62867468CEA93969B2242 ] AsyncMac        C:\Windows\system32\DRIVERS\asyncmac.sys
17:51:35.0297 1208  AsyncMac - ok
17:51:35.0313 1208  [ 02062C0B390B7729EDC9E69C680A6F3C ] atapi           C:\Windows\system32\drivers\atapi.sys
17:51:35.0313 1208  atapi - ok
17:51:35.0329 1208  [ F23FEF6D569FCE88671949894A8BECF1 ] AudioEndpointBuilder C:\Windows\System32\Audiosrv.dll
17:51:35.0344 1208  AudioEndpointBuilder - ok
17:51:35.0375 1208  [ F23FEF6D569FCE88671949894A8BECF1 ] AudioSrv        C:\Windows\System32\Audiosrv.dll
17:51:35.0375 1208  AudioSrv - ok
17:51:35.0407 1208  [ A6BF31A71B409DFA8CAC83159E1E2AFF ] AxInstSV        C:\Windows\System32\AxInstSV.dll
17:51:35.0407 1208  AxInstSV - ok
17:51:35.0438 1208  [ 3E5B191307609F7514148C6832BB0842 ] b06bdrv         C:\Windows\system32\DRIVERS\bxvbda.sys
17:51:35.0438 1208  b06bdrv - ok
17:51:35.0469 1208  [ B5ACE6968304A3900EEB1EBFD9622DF2 ] b57nd60a        C:\Windows\system32\DRIVERS\b57nd60a.sys
17:51:35.0469 1208  b57nd60a - ok
17:51:35.0500 1208  [ FDE360167101B4E45A96F939F388AEB0 ] BDESVC          C:\Windows\System32\bdesvc.dll
17:51:35.0500 1208  BDESVC - ok
17:51:35.0516 1208  [ 16A47CE2DECC9B099349A5F840654746 ] Beep            C:\Windows\system32\drivers\Beep.sys
17:51:35.0516 1208  Beep - ok
17:51:35.0563 1208  [ 82974D6A2FD19445CC5171FC378668A4 ] BFE             C:\Windows\System32\bfe.dll
17:51:35.0578 1208  BFE - ok
17:51:35.0609 1208  [ 1EA7969E3271CBC59E1730697DC74682 ] BITS            C:\Windows\System32\qmgr.dll
17:51:35.0625 1208  BITS - ok
17:51:35.0641 1208  [ 61583EE3C3A17003C4ACD0475646B4D3 ] blbdrive        C:\Windows\system32\DRIVERS\blbdrive.sys
17:51:35.0641 1208  blbdrive - ok
17:51:35.0672 1208  [ 6C02A83164F5CC0A262F4199F0871CF5 ] bowser          C:\Windows\system32\DRIVERS\bowser.sys
17:51:35.0672 1208  bowser - ok
17:51:35.0703 1208  [ 8A1F4965B53F418483137B4F5815F775 ] BrcmMgmtAgent   C:\Program Files (x86)\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
17:51:35.0703 1208  BrcmMgmtAgent - ok
17:51:35.0719 1208  [ F09EEE9EDC320B5E1501F749FDE686C8 ] BrFiltLo        C:\Windows\system32\DRIVERS\BrFiltLo.sys
17:51:35.0719 1208  BrFiltLo - ok
17:51:35.0734 1208  [ B114D3098E9BDB8BEA8B053685831BE6 ] BrFiltUp        C:\Windows\system32\DRIVERS\BrFiltUp.sys
17:51:35.0750 1208  BrFiltUp - ok
17:51:35.0781 1208  [ 5C2F352A4E961D72518261257AAE204B ] BridgeMP        C:\Windows\system32\DRIVERS\bridge.sys
17:51:35.0781 1208  BridgeMP - ok
17:51:35.0812 1208  [ 05F5A0D14A2EE1D8255C2AA0E9E8E694 ] Browser         C:\Windows\System32\browser.dll
17:51:35.0812 1208  Browser - ok
17:51:35.0828 1208  [ 43BEA8D483BF1870F018E2D02E06A5BD ] Brserid         C:\Windows\System32\Drivers\Brserid.sys
17:51:35.0843 1208  Brserid - ok
17:51:35.0843 1208  [ A6ECA2151B08A09CACECA35C07F05B42 ] BrSerWdm        C:\Windows\System32\Drivers\BrSerWdm.sys
17:51:35.0843 1208  BrSerWdm - ok
17:51:35.0859 1208  [ B79968002C277E869CF38BD22CD61524 ] BrUsbMdm        C:\Windows\System32\Drivers\BrUsbMdm.sys
17:51:35.0859 1208  BrUsbMdm - ok
17:51:35.0859 1208  [ A87528880231C54E75EA7A44943B38BF ] BrUsbSer        C:\Windows\System32\Drivers\BrUsbSer.sys
17:51:35.0859 1208  BrUsbSer - ok
17:51:35.0859 1208  [ 9DA669F11D1F894AB4EB69BF546A42E8 ] BTHMODEM        C:\Windows\system32\DRIVERS\bthmodem.sys
17:51:35.0859 1208  BTHMODEM - ok
17:51:35.0875 1208  [ 95F9C2976059462CBBF227F7AAB10DE9 ] bthserv         C:\Windows\system32\bthserv.dll
17:51:35.0875 1208  bthserv - ok
17:51:35.0906 1208  [ B8BD2BB284668C84865658C77574381A ] cdfs            C:\Windows\system32\DRIVERS\cdfs.sys
17:51:35.0906 1208  cdfs - ok
17:51:35.0921 1208  [ F036CE71586E93D94DAB220D7BDF4416 ] cdrom           C:\Windows\system32\DRIVERS\cdrom.sys
17:51:35.0921 1208  cdrom - ok
17:51:35.0953 1208  [ F17D1D393BBC69C5322FBFAFACA28C7F ] CertPropSvc     C:\Windows\System32\certprop.dll
17:51:35.0953 1208  CertPropSvc - ok
17:51:35.0968 1208  [ D7CD5C4E1B71FA62050515314CFB52CF ] circlass        C:\Windows\system32\DRIVERS\circlass.sys
17:51:35.0968 1208  circlass - ok
17:51:35.0999 1208  [ FE1EC06F2253F691FE36217C592A0206 ] CLFS            C:\Windows\system32\CLFS.sys
17:51:36.0015 1208  CLFS - ok
17:51:36.0062 1208  [ D88040F816FDA31C3B466F0FA0918F29 ] clr_optimization_v2.0.50727_32 C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
17:51:36.0062 1208  clr_optimization_v2.0.50727_32 - ok
17:51:36.0093 1208  [ D1CEEA2B47CB998321C579651CE3E4F8 ] clr_optimization_v2.0.50727_64 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
17:51:36.0093 1208  clr_optimization_v2.0.50727_64 - ok
17:51:36.0140 1208  [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
17:51:36.0140 1208  clr_optimization_v4.0.30319_32 - ok
17:51:36.0171 1208  [ C6F9AF94DCD58122A4D7E89DB6BED29D ] clr_optimization_v4.0.30319_64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
17:51:36.0171 1208  clr_optimization_v4.0.30319_64 - ok
17:51:36.0202 1208  [ 0840155D0BDDF1190F84A663C284BD33 ] CmBatt          C:\Windows\system32\DRIVERS\CmBatt.sys
17:51:36.0202 1208  CmBatt - ok
17:51:36.0218 1208  [ E19D3F095812725D88F9001985B94EDD ] cmdide          C:\Windows\system32\drivers\cmdide.sys
17:51:36.0218 1208  cmdide - ok
17:51:36.0265 1208  [ AAFCB52FE0037207FB6FBEA070D25EFE ] CNG             C:\Windows\system32\Drivers\cng.sys
17:51:36.0265 1208  CNG - ok
17:51:36.0280 1208  [ 102DE219C3F61415F964C88E9085AD14 ] Compbatt        C:\Windows\system32\DRIVERS\compbatt.sys
17:51:36.0280 1208  Compbatt - ok
17:51:36.0311 1208  [ 03EDB043586CCEBA243D689BDDA370A8 ] CompositeBus    C:\Windows\system32\drivers\CompositeBus.sys
17:51:36.0311 1208  CompositeBus - ok
17:51:36.0327 1208  COMSysApp - ok
17:51:36.0343 1208  [ 1C827878A998C18847245FE1F34EE597 ] crcdisk         C:\Windows\system32\DRIVERS\crcdisk.sys
17:51:36.0343 1208  crcdisk - ok
17:51:36.0374 1208  [ 9C01375BE382E834CC26D1B7EAF2C4FE ] CryptSvc        C:\Windows\system32\cryptsvc.dll
17:51:36.0374 1208  CryptSvc - ok
17:51:36.0389 1208  [ 54DA3DFD29ED9F1619B6F53F3CE55E49 ] CSC             C:\Windows\system32\drivers\csc.sys
17:51:36.0405 1208  CSC - ok
17:51:36.0436 1208  [ 3AB183AB4D2C79DCF459CD2C1266B043 ] CscService      C:\Windows\System32\cscsvc.dll
17:51:36.0452 1208  CscService - ok
17:51:36.0483 1208  [ 5C627D1B1138676C0A7AB2C2C190D123 ] DcomLaunch      C:\Windows\system32\rpcss.dll
17:51:36.0483 1208  DcomLaunch - ok
17:51:36.0514 1208  [ 3CEC7631A84943677AA8FA8EE5B6B43D ] defragsvc       C:\Windows\System32\defragsvc.dll
17:51:36.0514 1208  defragsvc - ok
17:51:36.0530 1208  [ 9BB2EF44EAA163B29C4A4587887A0FE4 ] DfsC            C:\Windows\system32\Drivers\dfsc.sys
17:51:36.0545 1208  DfsC - ok
17:51:36.0561 1208  [ 43D808F5D9E1A18E5EEB5EBC83969E4E ] Dhcp            C:\Windows\system32\dhcpcore.dll
17:51:36.0561 1208  Dhcp - ok
17:51:36.0592 1208  [ 13096B05847EC78F0977F2C0F79E9AB3 ] discache        C:\Windows\system32\drivers\discache.sys
17:51:36.0592 1208  discache - ok
17:51:36.0623 1208  [ 9819EEE8B5EA3784EC4AF3B137A5244C ] Disk            C:\Windows\system32\DRIVERS\disk.sys
17:51:36.0623 1208  Disk - ok
17:51:36.0639 1208  [ 16835866AAA693C7D7FCEBA8FFF706E4 ] Dnscache        C:\Windows\System32\dnsrslvr.dll
17:51:36.0639 1208  Dnscache - ok
17:51:36.0686 1208  [ B1FB3DDCA0FDF408750D5843591AFBC6 ] dot3svc         C:\Windows\System32\dot3svc.dll
17:51:36.0686 1208  dot3svc - ok
17:51:36.0701 1208  [ B26F4F737E8F9DF4F31AF6CF31D05820 ] DPS             C:\Windows\system32\dps.dll
17:51:36.0701 1208  DPS - ok
17:51:36.0733 1208  [ 9B19F34400D24DF84C858A421C205754 ] drmkaud         C:\Windows\system32\drivers\drmkaud.sys
17:51:36.0733 1208  drmkaud - ok
17:51:36.0779 1208  [ F5BEE30450E18E6B83A5012C100616FD ] DXGKrnl         C:\Windows\System32\drivers\dxgkrnl.sys
17:51:36.0795 1208  DXGKrnl - ok
17:51:36.0811 1208  [ 14F16F95C1347BD50CA4FA4DFDA7E806 ] e1kexpress      C:\Windows\system32\DRIVERS\e1k62x64.sys
17:51:36.0826 1208  e1kexpress - ok
17:51:36.0842 1208  [ E2DDA8726DA9CB5B2C4000C9018A9633 ] EapHost         C:\Windows\System32\eapsvc.dll
17:51:36.0842 1208  EapHost - ok
17:51:36.0904 1208  [ DC5D737F51BE844D8C82C695EB17372F ] ebdrv           C:\Windows\system32\DRIVERS\evbda.sys
17:51:36.0967 1208  ebdrv - ok
17:51:36.0998 1208  [ C118A82CD78818C29AB228366EBF81C3 ] EFS             C:\Windows\System32\lsass.exe
17:51:36.0998 1208  EFS - ok
17:51:37.0045 1208  [ C4002B6B41975F057D98C439030CEA07 ] ehRecvr         C:\Windows\ehome\ehRecvr.exe
17:51:37.0060 1208  ehRecvr - ok
17:51:37.0076 1208  [ 4705E8EF9934482C5BB488CE28AFC681 ] ehSched         C:\Windows\ehome\ehsched.exe
17:51:37.0076 1208  ehSched - ok
17:51:37.0123 1208  [ 0E5DA5369A0FCAEA12456DD852545184 ] elxstor         C:\Windows\system32\DRIVERS\elxstor.sys
17:51:37.0138 1208  elxstor - ok
17:51:37.0154 1208  [ 34A3C54752046E79A126E15C51DB409B ] ErrDev          C:\Windows\system32\drivers\errdev.sys
17:51:37.0154 1208  ErrDev - ok
17:51:37.0201 1208  [ 4166F82BE4D24938977DD1746BE9B8A0 ] EventSystem     C:\Windows\system32\es.dll
17:51:37.0201 1208  EventSystem - ok
17:51:37.0216 1208  [ A510C654EC00C1E9BDD91EEB3A59823B ] exfat           C:\Windows\system32\drivers\exfat.sys
17:51:37.0232 1208  exfat - ok
17:51:37.0247 1208  [ 0ADC83218B66A6DB380C330836F3E36D ] fastfat         C:\Windows\system32\drivers\fastfat.sys
17:51:37.0247 1208  fastfat - ok
17:51:37.0279 1208  [ DBEFD454F8318A0EF691FDD2EAAB44EB ] Fax             C:\Windows\system32\fxssvc.exe
17:51:37.0294 1208  Fax - ok
17:51:37.0310 1208  [ D765D19CD8EF61F650C384F62FAC00AB ] fdc             C:\Windows\system32\DRIVERS\fdc.sys
17:51:37.0310 1208  fdc - ok
17:51:37.0325 1208  [ 0438CAB2E03F4FB61455A7956026FE86 ] fdPHost         C:\Windows\system32\fdPHost.dll
17:51:37.0325 1208  fdPHost - ok
17:51:37.0341 1208  [ 802496CB59A30349F9A6DD22D6947644 ] FDResPub        C:\Windows\system32\fdrespub.dll
17:51:37.0341 1208  FDResPub - ok
17:51:37.0357 1208  [ 655661BE46B5F5F3FD454E2C3095B930 ] FileInfo        C:\Windows\system32\drivers\fileinfo.sys
17:51:37.0357 1208  FileInfo - ok
17:51:37.0357 1208  [ 5F671AB5BC87EEA04EC38A6CD5962A47 ] Filetrace       C:\Windows\system32\drivers\filetrace.sys
17:51:37.0372 1208  Filetrace - ok
17:51:37.0372 1208  [ C172A0F53008EAEB8EA33FE10E177AF5 ] flpydisk        C:\Windows\system32\DRIVERS\flpydisk.sys
17:51:37.0372 1208  flpydisk - ok
17:51:37.0403 1208  [ DA6B67270FD9DB3697B20FCE94950741 ] FltMgr          C:\Windows\system32\drivers\fltmgr.sys
17:51:37.0403 1208  FltMgr - ok
17:51:37.0450 1208  [ C4C183E6551084039EC862DA1C945E3D ] FontCache       C:\Windows\system32\FntCache.dll
17:51:37.0466 1208  FontCache - ok
17:51:37.0513 1208  [ A8B7F3818AB65695E3A0BB3279F6DCE6 ] FontCache3.0.0.0 C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
17:51:37.0513 1208  FontCache3.0.0.0 - ok
17:51:37.0528 1208  [ D43703496149971890703B4B1B723EAC ] FsDepends       C:\Windows\system32\drivers\FsDepends.sys
17:51:37.0528 1208  FsDepends - ok
17:51:37.0544 1208  [ 6BD9295CC032DD3077C671FCCF579A7B ] Fs_Rec          C:\Windows\system32\drivers\Fs_Rec.sys
17:51:37.0559 1208  Fs_Rec - ok
17:51:37.0575 1208  [ 1F7B25B858FA27015169FE95E54108ED ] fvevol          C:\Windows\system32\DRIVERS\fvevol.sys
17:51:37.0591 1208  fvevol - ok
17:51:37.0606 1208  [ 8C778D335C9D272CFD3298AB02ABE3B6 ] gagp30kx        C:\Windows\system32\DRIVERS\gagp30kx.sys
17:51:37.0606 1208  gagp30kx - ok
17:51:37.0637 1208  [ 277BBC7E1AA1EE957F573A10ECA7EF3A ] gpsvc           C:\Windows\System32\gpsvc.dll
17:51:37.0653 1208  gpsvc - ok
17:51:37.0669 1208  [ F2523EF6460FC42405B12248338AB2F0 ] hcw85cir        C:\Windows\system32\drivers\hcw85cir.sys
17:51:37.0669 1208  hcw85cir - ok
17:51:37.0700 1208  [ 975761C778E33CD22498059B91E7373A ] HdAudAddService C:\Windows\system32\drivers\HdAudio.sys
17:51:37.0700 1208  HdAudAddService - ok
17:51:37.0715 1208  [ 97BFED39B6B79EB12CDDBFEED51F56BB ] HDAudBus        C:\Windows\system32\drivers\HDAudBus.sys
17:51:37.0731 1208  HDAudBus - ok
17:51:37.0747 1208  [ E91AFF2610114CCAEBB90D4D991BB6B2 ] HECIx64         C:\Windows\system32\DRIVERS\HECIx64.sys
17:51:37.0747 1208  HECIx64 - ok
17:51:37.0762 1208  [ 78E86380454A7B10A5EB255DC44A355F ] HidBatt         C:\Windows\system32\DRIVERS\HidBatt.sys
17:51:37.0762 1208  HidBatt - ok
17:51:37.0778 1208  [ 7FD2A313F7AFE5C4DAB14798C48DD104 ] HidBth          C:\Windows\system32\DRIVERS\hidbth.sys
17:51:37.0778 1208  HidBth - ok
17:51:37.0778 1208  [ 0A77D29F311B88CFAE3B13F9C1A73825 ] HidIr           C:\Windows\system32\DRIVERS\hidir.sys
17:51:37.0778 1208  HidIr - ok
17:51:37.0809 1208  [ BD9EB3958F213F96B97B1D897DEE006D ] hidserv         C:\Windows\System32\hidserv.dll
17:51:37.0809 1208  hidserv - ok
17:51:37.0840 1208  [ 9592090A7E2B61CD582B612B6DF70536 ] HidUsb          C:\Windows\system32\DRIVERS\hidusb.sys
17:51:37.0840 1208  HidUsb - ok
17:51:37.0871 1208  [ 387E72E739E15E3D37907A86D9FF98E2 ] hkmsvc          C:\Windows\system32\kmsvc.dll
17:51:37.0871 1208  hkmsvc - ok
17:51:37.0903 1208  [ EFDFB3DD38A4376F93E7985173813ABD ] HomeGroupListener C:\Windows\system32\ListSvc.dll
17:51:37.0903 1208  HomeGroupListener - ok
17:51:37.0918 1208  [ 908ACB1F594274965A53926B10C81E89 ] HomeGroupProvider C:\Windows\system32\provsvc.dll
17:51:37.0918 1208  HomeGroupProvider - ok
17:51:37.0981 1208  [ A1731B1204CD7EB9C244B0A6F89264DF ] Hp.Skyroom.Windows.Service C:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe
17:51:37.0981 1208  Hp.Skyroom.Windows.Service - ok
17:51:38.0012 1208  [ 39D2ABCD392F3D8A6DCE7B60AE7B8EFC ] HpSAMD          C:\Windows\system32\drivers\HpSAMD.sys
17:51:38.0012 1208  HpSAMD - ok
17:51:38.0043 1208  [ 0EA7DE1ACB728DD5A369FD742D6EEE28 ] HTTP            C:\Windows\system32\drivers\HTTP.sys
17:51:38.0059 1208  HTTP - ok
17:51:38.0090 1208  [ A5462BD6884960C9DC85ED49D34FF392 ] hwpolicy        C:\Windows\system32\drivers\hwpolicy.sys
17:51:38.0090 1208  hwpolicy - ok
17:51:38.0121 1208  [ FA55C73D4AFFA7EE23AC4BE53B4592D3 ] i8042prt        C:\Windows\system32\drivers\i8042prt.sys
17:51:38.0121 1208  i8042prt - ok
17:51:38.0152 1208  [ 1D004CB1DA6323B1F55CAEF7F94B61D9 ] iaStor          C:\Windows\system32\drivers\iastor.sys
17:51:38.0168 1208  iaStor - ok
17:51:38.0199 1208  [ AAAF44DB3BD0B9D1FB6969B23ECC8366 ] iaStorV         C:\Windows\system32\drivers\iaStorV.sys
17:51:38.0199 1208  iaStorV - ok
17:51:38.0230 1208  [ 5988FC40F8DB5B0739CD1E3A5D0D78BD ] idsvc           C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
17:51:38.0261 1208  idsvc - ok
17:51:38.0417 1208  [ F59AC361DFE9BFD9BE81E20B04EADAA2 ] igfx            C:\Windows\system32\DRIVERS\igdkmd64.sys
17:51:38.0558 1208  igfx - ok
17:51:38.0605 1208  [ 5C18831C61933628F5BB0EA2675B9D21 ] iirsp           C:\Windows\system32\DRIVERS\iirsp.sys
17:51:38.0605 1208  iirsp - ok
17:51:38.0636 1208  [ FCD84C381E0140AF901E58D48882D26B ] IKEEXT          C:\Windows\System32\ikeext.dll
17:51:38.0651 1208  IKEEXT - ok
17:51:38.0698 1208  [ B16FC828CE7A76A8F1CE682E6EAD2627 ] IntcAzAudAddService C:\Windows\system32\drivers\RTKVHD64.sys
17:51:38.0729 1208  IntcAzAudAddService - ok
17:51:38.0745 1208  [ F00F20E70C6EC3AA366910083A0518AA ] intelide        C:\Windows\system32\drivers\intelide.sys
17:51:38.0745 1208  intelide - ok
17:51:38.0776 1208  [ ADA036632C664CAA754079041CF1F8C1 ] intelppm        C:\Windows\system32\DRIVERS\intelppm.sys
17:51:38.0776 1208  intelppm - ok
17:51:38.0792 1208  [ 098A91C54546A3B878DAD6A7E90A455B ] IPBusEnum       C:\Windows\system32\ipbusenum.dll
17:51:38.0792 1208  IPBusEnum - ok
17:51:38.0823 1208  [ C9F0E1BD74365A8771590E9008D22AB6 ] IpFilterDriver  C:\Windows\system32\DRIVERS\ipfltdrv.sys
17:51:38.0823 1208  IpFilterDriver - ok
17:51:38.0839 1208  [ 08C2957BB30058E663720C5606885653 ] iphlpsvc        C:\Windows\System32\iphlpsvc.dll
17:51:38.0854 1208  iphlpsvc - ok
17:51:38.0870 1208  [ 0FC1AEA580957AA8817B8F305D18CA3A ] IPMIDRV         C:\Windows\system32\drivers\IPMIDrv.sys
17:51:38.0885 1208  IPMIDRV - ok
17:51:38.0901 1208  [ AF9B39A7E7B6CAA203B3862582E9F2D0 ] IPNAT           C:\Windows\system32\drivers\ipnat.sys
17:51:38.0901 1208  IPNAT - ok
17:51:38.0917 1208  [ 3ABF5E7213EB28966D55D58B515D5CE9 ] IRENUM          C:\Windows\system32\drivers\irenum.sys
17:51:38.0917 1208  IRENUM - ok
17:51:38.0932 1208  [ 2F7B28DC3E1183E5EB418DF55C204F38 ] isapnp          C:\Windows\system32\drivers\isapnp.sys
17:51:38.0932 1208  isapnp - ok
17:51:38.0948 1208  [ D931D7309DEB2317035B07C9F9E6B0BD ] iScsiPrt        C:\Windows\system32\drivers\msiscsi.sys
17:51:38.0948 1208  iScsiPrt - ok
17:51:38.0963 1208  [ BC02336F1CBA7DCC7D1213BB588A68A5 ] kbdclass        C:\Windows\system32\DRIVERS\kbdclass.sys
17:51:38.0963 1208  kbdclass - ok
17:51:38.0995 1208  [ 0705EFF5B42A9DB58548EEC3B26BB484 ] kbdhid          C:\Windows\system32\DRIVERS\kbdhid.sys
17:51:38.0995 1208  kbdhid - ok
17:51:39.0010 1208  [ C118A82CD78818C29AB228366EBF81C3 ] KeyIso          C:\Windows\system32\lsass.exe
17:51:39.0010 1208  KeyIso - ok
17:51:39.0026 1208  [ 97A7070AEA4C058B6418519E869A63B4 ] KSecDD          C:\Windows\system32\Drivers\ksecdd.sys
17:51:39.0026 1208  KSecDD - ok
17:51:39.0057 1208  [ 7EFB9333E4ECCE6AE4AE9D777D9E553E ] KSecPkg         C:\Windows\system32\Drivers\ksecpkg.sys
17:51:39.0057 1208  KSecPkg - ok
17:51:39.0088 1208  [ 6869281E78CB31A43E969F06B57347C4 ] ksthunk         C:\Windows\system32\drivers\ksthunk.sys
17:51:39.0088 1208  ksthunk - ok
17:51:39.0104 1208  [ 6AB66E16AA859232F64DEB66887A8C9C ] KtmRm           C:\Windows\system32\msdtckrm.dll
17:51:39.0119 1208  KtmRm - ok
17:51:39.0166 1208  [ D9F42719019740BAA6D1C6D536CBDAA6 ] LanmanServer    C:\Windows\System32\srvsvc.dll
17:51:39.0166 1208  LanmanServer - ok
17:51:39.0182 1208  [ 851A1382EED3E3A7476DB004F4EE3E1A ] LanmanWorkstation C:\Windows\System32\wkssvc.dll
17:51:39.0182 1208  LanmanWorkstation - ok
17:51:39.0213 1208  [ 1538831CF8AD2979A04C423779465827 ] lltdio          C:\Windows\system32\DRIVERS\lltdio.sys
17:51:39.0213 1208  lltdio - ok
17:51:39.0244 1208  [ C1185803384AB3FEED115F79F109427F ] lltdsvc         C:\Windows\System32\lltdsvc.dll
17:51:39.0244 1208  lltdsvc - ok
17:51:39.0260 1208  [ F993A32249B66C9D622EA5592A8B76B8 ] lmhosts         C:\Windows\System32\lmhsvc.dll
17:51:39.0260 1208  lmhosts - ok
17:51:39.0291 1208  [ 2763A02188FFB04287F5034EC5B6B451 ] LMS             C:\Program Files (x86)\Intel\AMT\LMS.exe
17:51:39.0291 1208  LMS - ok
17:51:39.0322 1208  [ 1A93E54EB0ECE102495A51266DCDB6A6 ] LSI_FC          C:\Windows\system32\DRIVERS\lsi_fc.sys
17:51:39.0322 1208  LSI_FC - ok
17:51:39.0338 1208  [ 1047184A9FDC8BDBFF857175875EE810 ] LSI_SAS         C:\Windows\system32\DRIVERS\lsi_sas.sys
17:51:39.0338 1208  LSI_SAS - ok
17:51:39.0338 1208  [ 30F5C0DE1EE8B5BC9306C1F0E4A75F93 ] LSI_SAS2        C:\Windows\system32\DRIVERS\lsi_sas2.sys
17:51:39.0338 1208  LSI_SAS2 - ok
17:51:39.0353 1208  [ 0504EACAFF0D3C8AED161C4B0D369D4A ] LSI_SCSI        C:\Windows\system32\DRIVERS\lsi_scsi.sys
17:51:39.0353 1208  LSI_SCSI - ok
17:51:39.0369 1208  [ 43D0F98E1D56CCDDB0D5254CFF7B356E ] luafv           C:\Windows\system32\drivers\luafv.sys
17:51:39.0385 1208  luafv - ok
17:51:39.0400 1208  [ 92EB844D90615CB266F84C3202B8786E ] MBAMProtector   C:\Windows\system32\drivers\mbam.sys
17:51:39.0400 1208  MBAMProtector - ok
17:51:39.0463 1208  [ 1ACAA67676E9E7BDA5E0C41B6E0DECAF ] MBAMScheduler   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
17:51:39.0463 1208  MBAMScheduler - ok
17:51:39.0509 1208  [ 916B8954AC3E06DC9E898AFFB41F3FB6 ] MBAMService     C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
17:51:39.0525 1208  MBAMService - ok
17:51:39.0556 1208  [ 0BE09CD858ABF9DF6ED259D57A1A1663 ] Mcx2Svc         C:\Windows\system32\Mcx2Svc.dll
17:51:39.0556 1208  Mcx2Svc - ok
17:51:39.0634 1208  [ 11F714F85530A2BD134074DC30E99FCA ] MDM             C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
17:51:39.0634 1208  MDM - ok
17:51:39.0650 1208  [ A55805F747C6EDB6A9080D7C633BD0F4 ] megasas         C:\Windows\system32\DRIVERS\megasas.sys
17:51:39.0650 1208  megasas - ok
17:51:39.0665 1208  [ BAF74CE0072480C3B6B7C13B2A94D6B3 ] MegaSR          C:\Windows\system32\DRIVERS\MegaSR.sys
17:51:39.0712 1208  MegaSR - ok
17:51:39.0728 1208  [ E40E80D0304A73E8D269F7141D77250B ] MMCSS           C:\Windows\system32\mmcss.dll
17:51:39.0728 1208  MMCSS - ok
17:51:39.0728 1208  [ 800BA92F7010378B09F9ED9270F07137 ] Modem           C:\Windows\system32\drivers\modem.sys
17:51:39.0728 1208  Modem - ok
17:51:39.0759 1208  [ B03D591DC7DA45ECE20B3B467E6AADAA ] monitor         C:\Windows\system32\DRIVERS\monitor.sys
17:51:39.0759 1208  monitor - ok
17:51:39.0790 1208  [ 7D27EA49F3C1F687D357E77A470AEA99 ] mouclass        C:\Windows\system32\DRIVERS\mouclass.sys
17:51:39.0790 1208  mouclass - ok
17:51:39.0806 1208  [ D3BF052C40B0C4166D9FD86A4288C1E6 ] mouhid          C:\Windows\system32\DRIVERS\mouhid.sys
17:51:39.0806 1208  mouhid - ok
17:51:39.0821 1208  [ 32E7A3D591D671A6DF2DB515A5CBE0FA ] mountmgr        C:\Windows\system32\drivers\mountmgr.sys
17:51:39.0821 1208  mountmgr - ok
17:51:39.0837 1208  [ A44B420D30BD56E145D6A2BC8768EC58 ] mpio            C:\Windows\system32\drivers\mpio.sys
17:51:39.0837 1208  mpio - ok
17:51:39.0853 1208  [ 6C38C9E45AE0EA2FA5E551F2ED5E978F ] mpsdrv          C:\Windows\system32\drivers\mpsdrv.sys
17:51:39.0853 1208  mpsdrv - ok
17:51:39.0868 1208  [ 54FFC9C8898113ACE189D4AA7199D2C1 ] MpsSvc          C:\Windows\system32\mpssvc.dll
17:51:39.0899 1208  MpsSvc - ok
17:51:39.0915 1208  [ DC722758B8261E1ABAFD31A3C0A66380 ] MRxDAV          C:\Windows\system32\drivers\mrxdav.sys
17:51:39.0915 1208  MRxDAV - ok
17:51:39.0931 1208  [ A5D9106A73DC88564C825D317CAC68AC ] mrxsmb          C:\Windows\system32\DRIVERS\mrxsmb.sys
17:51:39.0931 1208  mrxsmb - ok
17:51:39.0946 1208  [ D711B3C1D5F42C0C2415687BE09FC163 ] mrxsmb10        C:\Windows\system32\DRIVERS\mrxsmb10.sys
17:51:39.0946 1208  mrxsmb10 - ok
17:51:39.0962 1208  [ 9423E9D355C8D303E76B8CFBD8A5C30C ] mrxsmb20        C:\Windows\system32\DRIVERS\mrxsmb20.sys
17:51:39.0962 1208  mrxsmb20 - ok
17:51:39.0977 1208  [ C25F0BAFA182CBCA2DD3C851C2E75796 ] msahci          C:\Windows\system32\drivers\msahci.sys
17:51:39.0977 1208  msahci - ok
17:51:39.0993 1208  [ DB801A638D011B9633829EB6F663C900 ] msdsm           C:\Windows\system32\drivers\msdsm.sys
17:51:39.0993 1208  msdsm - ok
17:51:40.0009 1208  [ DE0ECE52236CFA3ED2DBFC03F28253A8 ] MSDTC           C:\Windows\System32\msdtc.exe
17:51:40.0024 1208  MSDTC - ok
17:51:40.0040 1208  [ AA3FB40E17CE1388FA1BEDAB50EA8F96 ] Msfs            C:\Windows\system32\drivers\Msfs.sys
17:51:40.0040 1208  Msfs - ok
17:51:40.0055 1208  [ F9D215A46A8B9753F61767FA72A20326 ] mshidkmdf       C:\Windows\System32\drivers\mshidkmdf.sys
17:51:40.0055 1208  mshidkmdf - ok
17:51:40.0071 1208  [ D916874BBD4F8B07BFB7FA9B3CCAE29D ] msisadrv        C:\Windows\system32\drivers\msisadrv.sys
17:51:40.0071 1208  msisadrv - ok
17:51:40.0087 1208  [ 808E98FF49B155C522E6400953177B08 ] MSiSCSI         C:\Windows\system32\iscsiexe.dll
17:51:40.0102 1208  MSiSCSI - ok
17:51:40.0102 1208  msiserver - ok
17:51:40.0133 1208  [ 49CCF2C4FEA34FFAD8B1B59D49439366 ] MSKSSRV         C:\Windows\system32\drivers\MSKSSRV.sys
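
A small parser for the two kinds of TDSSKiller lines shown above, added here as an example; it is not part of the original post and not TDSSKiller's own code. It pairs each service's hash line with its verdict line, then lists what an analyst would look at first: any verdict other than `ok`, a service whose image was never hashed (as with `msiserver` above), and a logged hash that disagrees with a reference taken from a known-clean build of the same Windows version. The warning-line shape `name ( Detection ) - warning`, the fictitious `ExampleSvc` driver and its placeholder hash are assumptions used only for the sample; the other sample lines are copied from the log above, and the one reference hash is copied from that same log purely to exercise the comparison.

```python
"""Parse a TDSSKiller service/driver log and triage it (added example)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Two line shapes occur in the log above. A hash line records the MD5 and image
# path of a service or driver; a verdict line records the scanner's decision.
#   17:51:36.0733 1208  [ 9B19F34400D24DF84C858A421C205754 ] drmkaud   C:\...\drmkaud.sys
#   17:51:36.0733 1208  drmkaud - ok
# The optional "( Detection.Name )" part of a verdict line is an assumption
# modelled on TDSSKiller warning lines; nothing in the log above uses it.
_PREFIX = r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+"
HASH_LINE = re.compile(_PREFIX + r"\[\s*(?P<md5>[0-9A-Fa-f]{32})\s*\]\s+(?P<name>\S+)\s+(?P<path>.+?)\s*$")
VERDICT_LINE = re.compile(_PREFIX + r"(?P<name>\S+)(?:\s+\((?P<detection>[^)]*)\))?\s+-\s+(?P<status>.+?)\s*$")


@dataclass
class Entry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdicts: list = field(default_factory=list)  # [(detection or None, status), ...]


def parse_tdsskiller(text: str) -> dict:
    """Pair hash lines with verdict lines by service name."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            e = entries.setdefault(m["name"], Entry(m["name"]))
            e.md5, e.path = m["md5"].upper(), m["path"]
            continue
        m = VERDICT_LINE.match(line)
        if m:
            e = entries.setdefault(m["name"], Entry(m["name"]))
            det = m["detection"].strip() if m["detection"] else None
            e.verdicts.append((det, m["status"]))
    return entries


def triage(entries: dict, known_good: Optional[dict] = None) -> list:
    """Return (service, reason) pairs an analyst should look at.

    known_good maps image path -> MD5 taken from a clean install of the same
    Windows build; a reference taken from the suspect machine proves nothing.
    """
    ref = {p.lower(): h.upper() for p, h in (known_good or {}).items()}
    findings = []
    for e in entries.values():
        for det, status in e.verdicts:
            if status != "ok":
                findings.append((e.name, status + (f" ({det})" if det else "")))
        if e.md5 is None:
            # Heuristic: a verdict was logged but no image hash (see msiserver
            # above), so the file was never hashed; check it on disk by hand.
            findings.append((e.name, "no image hash in log; inspect the file on disk"))
        elif e.path and e.path.lower() in ref and ref[e.path.lower()] != e.md5:
            findings.append((e.name, f"hash {e.md5} differs from reference {ref[e.path.lower()]}"))
    return findings


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Recompute the on-disk MD5 to compare with the value TDSSKiller logged."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


# Constructed sample: the first five lines are copied from the log above; the
# ExampleSvc lines (placeholder hash, fictitious driver) are made up to show a
# warning verdict in the shape TDSSKiller uses for unsigned files.
SAMPLE_LOG = r"""
17:51:36.0733 1208  [ 9B19F34400D24DF84C858A421C205754 ] drmkaud         C:\Windows\system32\drivers\drmkaud.sys
17:51:36.0733 1208  drmkaud - ok
17:51:37.0981 1208  [ A1731B1204CD7EB9C244B0A6F89264DF ] Hp.Skyroom.Windows.Service C:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe
17:51:37.0981 1208  Hp.Skyroom.Windows.Service - ok
17:51:40.0102 1208  msiserver - ok
17:51:41.0001 1208  [ 0123456789ABCDEF0123456789ABCDEF ] ExampleSvc      C:\Windows\system32\drivers\example.sys
17:51:41.0001 1208  ExampleSvc ( UnsignedFile.Multi.Generic ) - warning
17:51:41.0001 1208  ExampleSvc - detected UnsignedFile.Multi.Generic (1)
"""

# Reference hash for one file, copied from the same log purely to exercise the
# comparison; a real reference comes from a known-clean system.
KNOWN_GOOD = {r"C:\Windows\system32\drivers\drmkaud.sys": "9B19F34400D24DF84C858A421C205754"}

if __name__ == "__main__":
    for name, reason in triage(parse_tdsskiller(SAMPLE_LOG), KNOWN_GOOD):
        print(f"{name:28} {reason}")
```

Run it against a saved `TDSSKiller.*_log.txt` by reading the file into `parse_tdsskiller`; `md5_of_file` on the logged path tells you whether the file on disk still matches what the scanner saw, which is the check worth doing before trusting a hash-based comparison at all.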

Starbuck

Re: Google results hijack
« Reply #2 on: March 03, 2013, 09:08:23 PM »
Hi gsgi and welcome to Smokeys

Quote
I have an OTL log.  The Anti Malware bytes log and tdskiller log is on the machine

Before we continue, I'd like to see the reports from MalwareBytes and TDSSKiller (if you have it on the machine... I can't see any entries for TDSSKiller).
I see you have recently run Combofix as well.... I'd like to see the report from that also.

MalwareBytes:
Start Malwarebytes AntiMalware.
Click on the logs tab.
The logs are date stamped ... double click on the log that showed the infection items.
It'll open in notepad.

Please copy/paste the report in your next reply.

TDSSKiller:
The report can be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file in your next reply.

Combofix:
The Combofix report can be found here:
C:\ComboFix.txt

Thanks

gsgi (Topic starter)

Google results hijack
« Reply #1 on: March 03, 2013, 04:28:18 PM »
When I clicked on a Google results link, I was taken to a gaming site.  I ran Anti Malware bytes.  I want to make sure it is gone.  I have an OTL log.  The Anti Malware bytes log and TDSSKiller log are on the machine - I'll get them.

Thanks,
gsgi

OTL logfile created on: 3/1/2013 5:44:43 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\wa2\Downloads
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1.95 Gb Total Physical Memory | 0.82 Gb Available Physical Memory | 42.13% Memory free
3.89 Gb Paging File | 2.48 Gb Available in Paging File | 63.71% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 207.34 Gb Total Space | 153.01 Gb Free Space | 73.79% Space Free | Partition Type: NTFS
Drive D: | 19.29 Gb Total Space | 13.80 Gb Free Space | 71.52% Space Free | Partition Type: NTFS
Drive F: | 6.25 Gb Total Space | 5.89 Gb Free Space | 94.19% Space Free | Partition Type: NTFS
Computer Name: SCANSTATION2 | User Name: default-admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2013/03/01 17:42:00 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\wa2\Downloads\OTL.exe
PRC - [2012/12/18 09:28:26 | 000,825,560 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
PRC - [2012/12/18 06:28:10 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/12/14 16:49:28 | 000,512,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/08/25 14:41:19 | 000,871,536 | ---- | M] (BitLeader) -- C:\Program Files (x86)\lg_fwupdate\fwupdate.exe
PRC - [2012/07/30 10:11:36 | 002,053,632 | ---- | M] (Remote Monitoring) -- C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe
PRC - [2012/03/19 06:38:47 | 007,357,824 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe
PRC - [2012/03/19 06:38:47 | 002,666,880 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
PRC - [2012/03/19 06:29:38 | 000,106,368 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version7\tv_w32.exe
PRC - [2011/05/04 14:43:28 | 000,055,808 | ---- | M] () -- C:\Program Files (x86)\FastAttach\NEA\NEATaskbar.exe
PRC - [2010/03/23 23:04:38 | 000,244,224 | ---- | M] (Gxstart) -- C:\Program Files (x86)\Gendex\VixCfg\gxstart.exe
PRC - [2009/12/15 12:47:00 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
PRC - [2009/11/20 16:10:06 | 000,124,984 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe
PRC - [2009/11/20 15:39:16 | 000,081,920 | ---- | M] (Hewlett-Packard) -- c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\Hp.SkyRoom.Windows.RgsPlugin.Licensing.exe
PRC - [2009/11/20 15:39:06 | 000,090,112 | ---- | M] (Hewlett-Packard) -- c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\Hp.SkyRoom.Windows.RgsPlugin.Lens.exe
PRC - [2009/11/20 15:38:56 | 000,094,208 | ---- | M] (Hewlett-Packard) -- c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\Plugins\Ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\Hp.SkyRoom.Windows.RgsPlugin.Authentication.exe
PRC - [2009/11/19 13:01:10 | 003,788,800 | ---- | M] (Hewlett-Packard) -- c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender.exe
PRC - [2009/11/19 11:42:42 | 000,379,904 | ---- | M] (Hewlett-Packard, Inc.) -- c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe
PRC - [2009/11/19 11:32:12 | 000,442,368 | ---- | M] (Hewlett-Packard) -- c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender_gui.exe
PRC - [2009/07/24 06:29:52 | 002,066,968 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
PRC - [2009/07/24 06:29:38 | 000,174,616 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\AMT\LMS.exe
PRC - [2006/09/14 06:56:06 | 000,102,400 | ---- | M] () -- C:\Program Files (x86)\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
PRC - [2006/09/14 06:55:52 | 000,061,440 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Adobe\Photoshop Elements 5.0\apdproxy.exe
========== Modules (No Company Name) ==========
MOD - [2013/02/14 15:32:47 | 001,840,640 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\64cf6c356be66bb17c4667d6d8aa467b\System.Web.Services.ni.dll
MOD - [2013/02/14 15:32:31 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\cb562e2e4f74ae607f1186f6ec50cec7\System.Windows.Forms.ni.dll
MOD - [2013/01/10 03:38:07 | 006,611,456 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\dd20416f723ee13ffb4173ec1afc4ec4\System.Data.ni.dll
MOD - [2013/01/10 03:37:41 | 001,592,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll
MOD - [2013/01/10 03:37:25 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll
MOD - [2013/01/10 03:37:22 | 007,989,760 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll
MOD - [2013/01/10 03:37:22 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll
MOD - [2013/01/10 03:37:16 | 011,493,376 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll
MOD - [2011/05/04 14:43:28 | 000,055,808 | ---- | M] () -- C:\Program Files (x86)\FastAttach\NEA\NEATaskbar.exe
MOD - [2010/11/04 20:58:05 | 002,927,616 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2010/03/29 17:47:16 | 000,351,744 | ---- | M] () -- C:\Program Files (x86)\Gendex\VixCfg\GXS700.dll
MOD - [2010/03/19 03:46:50 | 000,105,984 | ---- | M] () -- C:\Program Files (x86)\Gendex\Languages\gxenglish.dll
MOD - [2010/03/09 11:22:22 | 000,271,360 | ---- | M] () -- C:\Program Files (x86)\Gendex\VixCfg\FusionLib.dll
MOD - [2009/12/15 12:49:20 | 000,013,096 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvcPS.dll
MOD - [2009/12/15 12:46:38 | 000,619,816 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Power2Go\CLMediaLibrary.dll
MOD - [2009/07/24 14:10:56 | 008,024,064 | R--- | M] () -- c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\QtGui4.dll
MOD - [2009/07/24 14:10:28 | 002,199,552 | R--- | M] () -- c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\QtCore4.dll
MOD - [2008/01/09 13:10:42 | 000,159,744 | R--- | M] () -- c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\iceutil32.dll
MOD - [2008/01/09 13:10:00 | 000,167,936 | R--- | M] () -- c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\icessl32.dll
MOD - [2008/01/09 13:08:00 | 001,245,184 | R--- | M] () -- c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\ice32.dll
MOD - [2008/01/09 13:06:54 | 000,065,536 | R--- | M] () -- c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\bzip2.dll
========== Services (SafeList) ==========
SRV:64bit: - [2013/01/27 11:34:32 | 000,379,360 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2013/01/27 11:34:32 | 000,022,056 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/06/03 18:38:36 | 000,277,032 | ---- | M] (ActivIdentity) [Auto | Running] -- C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe -- (ac.sharedstore)
SRV - [2013/02/27 09:52:17 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/18 06:28:10 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/07/30 10:11:36 | 002,053,632 | ---- | M] (Remote Monitoring) [Auto | Running] -- C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe -- (Advanced Monitoring Agent)
SRV - [2012/03/19 06:38:47 | 002,666,880 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe -- (TeamViewer7)
SRV - [2011/09/29 02:00:54 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/11/01 23:36:16 | 000,801,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\FntCache.dll -- (FontCache)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/11 19:35:02 | 000,103,936 | ---- | M] (Broadcom Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Broadcom\MgmtAgent\BrcmMgmtAgent.exe -- (BrcmMgmtAgent)
SRV - [2009/11/20 16:10:06 | 000,124,984 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe -- (Hp.Skyroom.Windows.Service)
SRV - [2009/11/19 11:42:42 | 000,379,904 | ---- | M] (Hewlett-Packard, Inc.) [Auto | Running] -- c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe -- (rgsender)
SRV - [2009/07/24 06:29:52 | 002,066,968 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS)
SRV - [2009/07/24 06:29:38 | 000,174,616 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\AMT\LMS.exe -- (LMS)
SRV - [2009/07/13 20:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 20:16:18 | 001,086,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\wevtsvc.dll -- (eventlog)
SRV - [2009/07/13 20:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 20:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\umpo.dll -- (Power)
SRV - [2009/07/13 20:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\themeservice.dll -- (Themes)
SRV - [2009/07/13 20:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 20:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 20:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 20:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 20:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 20:15:25 | 000,054,272 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\Windows\SysWOW64\HPZIPM12.DLL -- (Pml Driver HPZ12)
SRV - [2009/07/13 20:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 20:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 20:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\AxInstSv.dll -- (AxInstSV)
SRV - [2009/07/13 20:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 20:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\SysWOW64\sppsvc.exe -- (sppsvc)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2006/09/14 06:56:06 | 000,102,400 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor5.0)
========== Driver Services (SafeList) ==========
DRV:64bit: - [2013/01/20 15:59:04 | 000,130,008 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2012/12/14 16:49:28 | 000,024,176 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2012/08/23 09:10:20 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2012/08/23 09:07:35 | 000,057,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2012/03/01 01:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/06/03 13:34:10 | 010,628,800 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2011/05/04 23:20:32 | 000,340,656 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1k62x64.sys -- (e1kexpress)
DRV:64bit: - [2011/03/11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 08:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/12/30 09:21:26 | 000,031,800 | ---- | M] (VS Revo Group) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\revoflt.sys -- (Revoflt)
DRV:64bit: - [2009/07/24 06:30:10 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 18:21:48 | 000,038,400 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tpm.sys -- (TPM)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/06/04 13:54:36 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 16:41:34 | 000,002,864 | ---- | M] (Microsoft Corporation) [Adapter | On_Demand | Unknown] -- C:\Windows\SysWow64\WINSOCK.DLL -- (Winsock)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPCOM/1
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {993E3C0C-125B-481C-B542-23CC37699062}
IE:64bit: - HKLM\..\SearchScopes\{993E3C0C-125B-481C-B542-23CC37699062}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPCOM/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPCOM/1
IE - HKLM\..\SearchScopes,DefaultScope = {993E3C0C-125B-481C-B542-23CC37699062}
IE - HKLM\..\SearchScopes\{993E3C0C-125B-481C-B542-23CC37699062}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
IE - HKLM\..\SearchScopes\{E766569B-AB5F-4798-9544-4CFFD32FE4C5}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?ocid=OIE9HP
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {993E3C0C-125B-481C-B542-23CC37699062}
IE - HKCU\..\SearchScopes\{993E3C0C-125B-481C-B542-23CC37699062}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..extensions.enabledAddons: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.3.5
FF - user.js - File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_171.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_171.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Valued Customer\AppData\Local\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Valued Customer\AppData\Local\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\web2pdfextension@web2pdf.adobedotcom: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2013/02/28 15:38:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/04/28 16:29:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013/02/28 17:36:26 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files (x86)\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
[2012/03/12 16:13:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Valued Customer\AppData\Roaming\mozilla\Extensions
[2012/03/27 19:09:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Valued Customer\AppData\Roaming\mozilla\Firefox\Profiles\imewx5i3.default\extensions
[2012/03/27 19:09:51 | 000,521,058 | ---- | M] () (No name found) -- C:\Users\Valued Customer\AppData\Roaming\mozilla\firefox\profiles\imewx5i3.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2012/03/12 15:10:33 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/03/27 19:09:49 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2008/08/16 16:42:02 | 000,070,456 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\CgpCore.dll
[2008/08/16 16:42:12 | 000,091,448 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\plugins\confmgr.dll
[2008/08/16 16:42:08 | 000,020,800 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\plugins\ctxlogging.dll
[2007/11/09 15:10:50 | 000,034,384 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\plugins\logging.dll
[2008/05/21 07:41:08 | 000,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\mozilla firefox\plugins\msvcm80.dll
[2008/05/21 07:41:08 | 000,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\mozilla firefox\plugins\msvcp80.dll
[2008/05/21 07:41:08 | 000,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\mozilla firefox\plugins\msvcr80.dll
[2008/08/16 16:44:46 | 000,427,312 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\plugins\npicaN.dll
[2008/08/16 16:42:04 | 000,023,864 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\TcpPServ.dll
[2011/09/28 19:26:50 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/03/27 19:09:49 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml
========== Chrome  ==========
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Valued Customer\AppData\Local\Google\Chrome\Application\18.0.1025.162\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Valued Customer\AppData\Local\Google\Chrome\Application\18.0.1025.162\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Valued Customer\AppData\Local\Google\Chrome\Application\18.0.1025.162\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: Microsoft Office 2003 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFFICE.DLL
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Valued Customer\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\Valued Customer\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Users\Valued Customer\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
CHR - Extension: Gmail = C:\Users\Valued Customer\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\
O1 HOSTS File: ([2013/01/17 12:35:38 | 000,327,941 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 192.168.0.31    payr-reports
O1 - Hosts: 192.168.0.31    payr
O1 - Hosts: 192.168.0.31    task-master
O1 - Hosts: 192.168.0.31    tm
O1 - Hosts: 192.168.0.31    tasks
O1 - Hosts: 192.168.0.31    task
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 11221 more lines...
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [accrdsub] C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)
O4:64bit: - HKLM..\Run: [acevents] C:\Program Files\ActivIdentity\ActivClient\acevents.exe (ActivIdentity)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [picon] C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files (x86)\Adobe\Photoshop Elements 5.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [LGODDFU] C:\Program Files (x86)\lg_fwupdate\lgfw.exe (Bitleader)
O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - Startup: C:\Users\Valued Customer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk =  File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SoftwareSASGeneration = 3
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: microsoft.com ([windows] http in Local intranet)
O15 - HKCU\..Trusted Domains: wxsrv ([]file in Local intranet)
O16 - DPF: {74F4F118-91E6-4AFC-B8D2-04066781F239} https://www.member-data.com/rdc/EZTwainX.cab (EZTwainX by Dosadi)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2D661AC1-2612-44F2-B519-6424F531F51E}: NameServer = 4.2.2.2,4.2.2.5
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{cbe2f848-6899-11e1-8ecb-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{cbe2f848-6899-11e1-8ecb-806e6f6e6963}\Shell\AutoRun\command - "" = E:\autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
========== Files/Folders - Created Within 30 Days ==========
[2013/02/28 18:34:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2013/02/28 18:34:10 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2013/02/28 18:23:48 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/02/28 18:06:21 | 000,000,000 | ---D | C] -- C:\Users\Valued Customer\AppData\Local\temp
[2013/02/28 17:55:36 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/02/28 17:55:36 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/02/28 17:55:36 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/02/28 17:43:14 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/02/28 17:42:40 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/02/28 16:10:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/02/28 16:10:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/02/28 16:10:14 | 000,024,176 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013/02/28 16:10:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013/02/28 03:00:49 | 002,284,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msmpeg2vdec.dll
[2013/02/28 03:00:48 | 002,776,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msmpeg2vdec.dll
[2013/02/28 03:00:48 | 000,221,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\UIAnimation.dll
[2013/02/28 03:00:48 | 000,187,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\UIAnimation.dll
[2013/02/28 03:00:42 | 000,465,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WMPhoto.dll
[2013/02/28 03:00:42 | 000,417,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\WMPhoto.dll
[2013/02/28 03:00:36 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
[2013/02/28 03:00:36 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-advapi32-l2-1-0.dll
[2013/02/28 03:00:35 | 002,565,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10warp.dll
[2013/02/28 03:00:35 | 000,194,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1.dll
[2013/02/28 03:00:35 | 000,010,752 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
[2013/02/28 03:00:35 | 000,010,752 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-advapi32-l1-1-0.dll
[2013/02/28 03:00:35 | 000,009,728 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
[2013/02/28 03:00:35 | 000,009,728 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-shlwapi-l1-1-0.dll
[2013/02/28 03:00:35 | 000,002,560 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
[2013/02/28 03:00:35 | 000,002,560 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-normaliz-l1-1-0.dll
[2013/02/28 03:00:34 | 000,522,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsGdiConverter.dll
[2013/02/28 03:00:34 | 000,364,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsGdiConverter.dll
[2013/02/28 03:00:34 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
[2013/02/28 03:00:34 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-version-l1-1-0.dll
[2013/02/28 03:00:34 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-shell32-l1-1-0.dll
[2013/02/28 03:00:33 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
[2013/02/28 03:00:33 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-shlwapi-l2-1-0.dll
[2013/02/28 03:00:33 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
[2013/02/28 03:00:33 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-ole32-l1-1-0.dll
[2013/02/28 03:00:33 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
[2013/02/28 03:00:33 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-user32-l1-1-0.dll
[2013/02/28 03:00:33 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
[2013/02/28 03:00:32 | 001,887,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d11.dll
[2013/02/28 03:00:32 | 001,504,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3d11.dll
[2013/02/28 03:00:32 | 001,238,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10.dll
[2013/02/28 03:00:32 | 001,158,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsPrint.dll
[2013/02/28 03:00:32 | 000,648,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10level9.dll
[2013/02/28 03:00:32 | 000,363,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxgi.dll
[2013/02/28 03:00:32 | 000,333,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1core.dll
[2013/02/28 03:00:32 | 000,296,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10core.dll
[2013/02/28 03:00:31 | 003,928,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d2d1.dll
[2013/02/28 03:00:31 | 001,682,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsPrint.dll
[2013/02/28 03:00:31 | 001,643,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll
[2013/02/28 03:00:31 | 001,424,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WindowsCodecs.dll
[2013/02/28 03:00:31 | 000,245,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WindowsCodecsExt.dll
[2013/02/14 03:00:50 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2013/02/14 03:00:50 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2013/02/14 03:00:49 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013/02/14 03:00:49 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013/02/14 03:00:48 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2013/02/14 03:00:48 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2013/02/14 03:00:48 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2013/02/14 03:00:48 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2013/02/14 03:00:47 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2013/02/14 03:00:46 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013/02/14 03:00:46 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2013/02/14 03:00:46 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013/02/14 03:00:44 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013/02/14 03:00:44 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013/02/14 03:00:44 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2013/02/13 15:01:31 | 005,553,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2013/02/13 15:01:30 | 003,967,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2013/02/13 15:01:30 | 003,913,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2013/02/13 15:01:24 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
[2013/02/13 15:01:23 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2013/02/13 15:01:23 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2013/02/13 15:01:23 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2013/02/13 15:01:23 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2013/02/13 15:01:22 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2013/02/13 15:01:19 | 000,288,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\FWPKCLNT.SYS
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2013/03/01 17:44:33 | 000,000,948 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1514188202-3766426978-948264940-1001UA.job
[2013/03/01 17:44:32 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1514188202-3766426978-948264940-1001Core.job
[2013/03/01 17:44:06 | 000,000,343 | ---- | M] () -- C:\Windows\lgfwup.ini
[2013/03/01 17:43:29 | 000,015,164 | ---- | M] () -- C:\Windows\SysNative\results.xml
[2013/03/01 17:43:00 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1514188202-3766426978-948264940-1004UA.job
[2013/03/01 17:40:23 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/03/01 17:40:23 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/03/01 17:32:20 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/03/01 17:32:15 | 1567,551,488 | -HS- | M] () -- C:\hiberfil.sys
[2013/03/01 16:52:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/02/28 21:43:04 | 000,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1514188202-3766426978-948264940-1004Core.job
[2013/02/28 18:35:05 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013/02/28 18:03:14 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts old
[2013/02/28 17:35:28 | 000,002,021 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk
[2013/02/28 17:32:43 | 000,624,162 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/02/28 17:32:43 | 000,106,538 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/02/28 17:32:42 | 000,726,444 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/02/28 16:10:15 | 000,001,111 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/02/28 16:04:25 | 002,300,508 | ---- | M] () -- C:\Windows\SysNative\drivers\Cat.DB
[2013/02/28 15:38:24 | 000,002,046 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Acrobat X Standard.lnk
[2013/02/28 15:35:35 | 000,015,202 | ---- | M] () -- C:\Windows\SysWow64\results.xml
[2013/02/27 11:15:02 | 000,000,189 | ---- | M] () -- C:\Windows\setscan.ini
[2013/02/27 09:52:16 | 000,691,568 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013/02/27 09:52:16 | 000,071,024 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013/02/14 15:28:59 | 000,323,576 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
========== Files Created - No Company Name ==========
[2013/03/01 17:43:29 | 000,015,164 | ---- | C] () -- C:\Windows\SysNative\results.xml
[2013/02/28 18:34:55 | 000,002,119 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2013/02/28 17:55:36 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/02/28 17:55:36 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/02/28 17:55:36 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/02/28 17:55:36 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/02/28 17:55:36 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/02/28 17:35:28 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
[2013/02/28 17:35:28 | 000,002,021 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk
[2013/02/28 16:10:15 | 000,001,111 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/02/28 16:03:43 | 002,300,508 | ---- | C] () -- C:\Windows\SysNative\drivers\Cat.DB
[2013/02/28 15:35:35 | 000,015,202 | ---- | C] () -- C:\Windows\SysWow64\results.xml
[2012/08/25 14:40:27 | 000,000,343 | ---- | C] () -- C:\Windows\lgfwup.ini
[2012/04/28 13:16:41 | 000,000,209 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2012/04/22 18:04:51 | 000,000,096 | ---- | C] () -- C:\Windows\nea.ini
[2012/03/08 17:37:18 | 000,643,584 | ---- | C] () -- C:\Windows\SysWow64\gssupport.dll
[2011/10/31 15:24:45 | 000,000,640 | ---- | C] () -- C:\Windows\kofax200.ini
[2011/10/31 15:24:41 | 000,000,189 | ---- | C] () -- C:\Windows\setscan.ini
[2011/10/31 15:11:19 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2011/09/25 13:03:55 | 000,000,281 | ---- | C] () -- C:\Windows\Mirador Instant Messenger Client.INI
[2011/03/14 14:09:01 | 000,743,066 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009/10/17 14:05:04 | 000,004,112 | -H-- | C] () -- C:\ProgramData\MSA.INI
========== ZeroAccess Check ==========
[2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 00:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 23:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 07:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
========== Alternate Data Streams ==========
@Alternate Data Stream - 125 bytes -> C:\ProgramData\Temp:DFC5A2B2

< End of report >
Except where otherwise stated, all content, graphics, banners and images included © 2006 - 2017 Smokey Services™ -- All rights reserved