
Infected with ROOTKIT.0ACCESS


  • This topic is locked
13 replies to this topic

#1 shekhar

shekhar

    New Member

  • Members
  • 18 posts

Posted 14 August 2012 - 06:09 PM

Hi,
I recently noticed Norton popping up saying malware was detected.
So I downloaded MBAM and ran a quick scan, which found 2 infections:

Trojan.Dropper.BCMiner
Rootkit.0Access

So I hit Quarantine and was able to quarantine and delete them (at least that's what MBAM notified).
After restart I found that some of the programs installed on the laptop don't work as expected.
So I tried restoring the system with System Restore, but it also failed and MBAM displayed the following in a pop-up window:


MBAM has detected a malicious process attempting to start and has blocked the execution attempt.. Please select an option below.
C:\WINDOWS\INSTALLER\{SOME ALPHANUMERIC CODE}\U\80000032.@ROOTKIT.0ACCESS

Disable Protection Ignore Quarantine


I clicked Quarantine, but I'm not sure if the infection is removed completely or whether any of my files have been corrupted.

What should I do to see if the infection is still there or not?
Does my system need some files to be restored with a clean file?

I am on Windows 7 Professional 64 bit.

#2 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • 28,193 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 14 August 2012 - 06:25 PM

Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

Malware Removal Expert




I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#3 shekhar

shekhar

    New Member

  • Members
  • 18 posts

Posted 14 August 2012 - 06:41 PM

ATTACH.TXT
-------------------


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/2/2012 5:59:02 AM
System Uptime: 8/14/2012 6:45:14 PM (1 hours ago)
.
Motherboard: LENOVO | | Base Board Product Name
Processor: Intel® Core™ i3-2350M CPU @ 2.30GHz | CPU1 | 1380/1333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 98 GiB total, 56.753 GiB free.
D: is FIXED (NTFS) - 146 GiB total, 96.398 GiB free.
E: is FIXED (NTFS) - 222 GiB total, 140.419 GiB free.
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
PNP Device ID: ROOT\NET\0000
Service: vpnva
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: AGN Virtual Network Adapter
Device ID: ROOT\NET\0001
Manufacturer: AT&T
Name: AGN Virtual Network Adapter
PNP Device ID: ROOT\NET\0001
Service: avpnnic
.
==== System Restore Points ===================
.
RP94: 8/12/2012 9:37:10 PM - ComboFix created restore point
RP95: 8/12/2012 10:07:33 PM - After Virus Removal
RP96: 8/14/2012 6:39:11 PM - Restore Operation
.
==== Installed Programs ======================
.
µTorrent
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
AT&T Global Network Client Managed VPN Edition
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
Canon MF Toolbox 4.9.1.1.mf09
Cisco AnyConnect VPN Client
Cisco WebEx Meetings
Citrix Authentication Manager
Citrix Receiver
Citrix Receiver (HDX Flash Redirection)
Citrix Receiver Inside
Citrix Receiver(Aero)
Citrix Receiver(DV)
Citrix Receiver(USB)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Energy Management
FileZilla Client 3.5.3
Google Calendar Sync
Google Chrome
Google Talk (remove only)
Google Talk Plugin
Intel® Management Engine Components
Intel® Processor Graphics
Intel® Rapid Storage Technology
Java Auto Updater
Java™ 6 Update 26
Java™ SE Development Kit 6 Update 26
Juniper Networks Host Checker
Juniper Networks Network Connect 6.5.0
Juniper Networks Secure Application Manager
Juniper Networks Secure Meeting 7.0.0
Juniper Networks Setup Client
Lenovo EasyCamera
Lenovo OneKey Recovery
Lenovo_Wireless_Driver
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Business 2010
Microsoft Office Live Meeting 2007
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
Network Print Monitor for Windows
Network Recording Player
Norton AntiVirus
Online Plug-in
Oracle Demantra Spectrum
Realtek USB 2.0 Reader Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2553322) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Visio Viewer 2010 (KB2597981) 32-Bit Edition
Self-service Plug-in
Skype Click to Call
Skype™ 5.10
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
UserGuide
VLC media player 1.1.7
Yahoo! Messenger
Yahoo! Software Update
.
==== Event Viewer Messages From Past Week ========
.
8/9/2012 9:15:35 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
8/9/2012 9:15:35 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
8/9/2012 9:15:33 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\bcmihvsrv64.dll Error Code: 21
8/9/2012 9:15:33 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/9/2012 9:15:27 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
8/9/2012 9:15:14 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx64 ccSet_NAV ctxusbm discache eeCtrl IDSVia64 spldr SRTSP SRTSPX SymIRON SymNetS Wanarpv6
8/9/2012 8:49:20 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
8/9/2012 8:49:02 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
8/9/2012 8:49:02 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/9/2012 8:24:22 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{18CA4AA3-C559-4156-A736-92A528ED5574} because another computer on the network has the same name. The server could not start.
8/9/2012 8:24:22 PM, Error: NetBT [4321] - The name "ADMIN-PC :20" could not be registered on the interface with IP address 10.71.3.59. The computer with the IP address 10.71.6.40 did not allow the name to be claimed by this computer.
8/9/2012 6:25:11 PM, Error: NetBT [4321] - The name "ADMIN-PC :20" could not be registered on the interface with IP address 172.30.26.253. The computer with the IP address 10.0.12.66 did not allow the name to be claimed by this computer.
8/9/2012 6:25:10 PM, Error: NetBT [4321] - The name "ADMIN-PC :0" could not be registered on the interface with IP address 172.30.26.253. The computer with the IP address 10.0.12.66 did not allow the name to be claimed by this computer.
8/9/2012 2:57:34 PM, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error Access is denied..
8/9/2012 10:39:43 AM, Error: Service Control Manager [7023] - The OracleMTSRecoveryService service terminated with the following error: The wait operation timed out.
8/8/2012 5:41:18 PM, Error: Schannel [36887] - The following fatal alert was received: 10.
8/14/2012 6:46:54 PM, Error: Service Control Manager [7024] - The OracleDBConsoleorcl service terminated with service-specific error The system cannot find the file specified..
8/14/2012 6:46:17 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
8/14/2012 6:45:56 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
8/14/2012 6:45:54 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
8/14/2012 5:32:48 AM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 172.16.228.146. The computer with the IP address 172.16.229.153 did not allow the name to be claimed by this computer.
8/13/2012 7:58:35 AM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 172.16.228.146. The computer with the IP address 172.16.229.68 did not allow the name to be claimed by this computer.
8/13/2012 10:24:59 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer OWNER-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{18CA4AA3-C559-4156-A736-92A528ED5574}. The master browser is stopping or an election is being forced.
8/12/2012 9:34:39 PM, Error: Service Control Manager [7034] - The Skype C2C Service service terminated unexpectedly. It has done this 1 time(s).
8/12/2012 8:00:43 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
8/12/2012 6:29:53 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the OracleMTSRecoveryService service to connect.
8/12/2012 6:29:53 PM, Error: Service Control Manager [7000] - The OracleMTSRecoveryService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/12/2012 4:26:52 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NAV service.
8/11/2012 11:35:23 PM, Error: BTHUSB [17] - The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.
8/11/2012 10:33:59 PM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 172.16.228.146. The computer with the IP address 172.16.223.58 did not allow the name to be claimed by this computer.
8/10/2012 8:21:10 AM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.108. The computer with the IP address 192.168.1.104 did not allow the name to be claimed by this computer.
8/10/2012 6:49:46 AM, Error: NetBT [4321] - The name "ADMIN-PC :0" could not be registered on the interface with IP address 10.71.3.59. The computer with the IP address 10.71.6.40 did not allow the name to be claimed by this computer.
8/10/2012 12:18:59 AM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 10.71.3.59. The computer with the IP address 10.71.7.49 did not allow the name to be claimed by this computer.
.
==== End Of File ===========================




DDS.TXT
-------------
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Admin at 19:28:36 on 2012-08-14
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4040.1567 [GMT -4:00]
.
AV: Norton AntiVirus *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files (x86)\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe
C:\Program Files (x86)\AT&T Global Network Client\netcfgsvr.exe
C:\Program Files (x86)\AT&T Global Network Client\NetClientSvc.exe
d:\app\Admin\product\11.2.0\dbhome_1\bin\omtsreco.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\SysWOW64\cmd.exe
d:\app\Admin\product\11.2.0\dbhome_1\jdk\bin\java.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\AT&T Global Network Client\NetLogSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Google\Google Talk\googletalk.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\USB Camera2\VM332_STI.EXE
C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Windows\SysWOW64\RunDll32.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
C:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files (x86)\AT&T Global Network Client\NetMsg.exe
C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
d:\app\admin\product\11.2.0\dbhome_1\bin\ORACLE.EXE
C:\Windows\System32\svchost.exe -k WerSvcGroup
d:\app\Admin\product\11.2.0\dbhome_1\BIN\TNSLSNR.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe
C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = hxxp://in.yahoo.com/?fr=fp-spt_gen
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\IPS\IPSBHO.DLL
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [googletalk] "C:\Program Files (x86)\Google\Google Talk\googletalk.exe" /autostart
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
uRun: [NetSP - restore settings on power failure] "C:\Program Files (x86)\AT&T Global Network Client\NetSP.exe" -show
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [332BigDog] C:\Program Files (x86)\USB Camera2\VM332_STI.EXE
mRun: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\OneKey Recovery" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AT&TGL~1.LNK - C:\Windows\Installer\{37880B62-627C-4F6B-BB85-984BB7E26125}\NetGM1_89563E53ECF44E868145468A128BDC83.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\Lenovo\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: mswsock.dll
Trusted Zone: solutionbeacon.net
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.ultradent.com/CACHE/stc/2/binaries/vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} -
TCP: DhcpNameServer = 172.16.0.1
TCP: Interfaces\{18CA4AA3-C559-4156-A736-92A528ED5574} : DhcpNameServer = 172.16.0.1
TCP: Interfaces\{18CA4AA3-C559-4156-A736-92A528ED5574}\F4574737964656 : DhcpNameServer = 209.26.88.31 199.2.252.10
TCP: Interfaces\{38F75B14-47DE-47B4-AEBE-9D57EE0B3643} : NameServer = 155.132.2.31,155.132.9.10
TCP: Interfaces\{7D90D1E7-7C3D-4E8E-A7E0-534AF1458588} : DhcpNameServer = 68.105.28.16 68.105.29.16
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
AppInit_DLLs: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\IPS\IPSBHO.DLL
BHO-X64: Norton Vulnerability Protection - No File
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [332BigDog] C:\Program Files (x86)\USB Camera2\VM332_STI.EXE
mRun-x64: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\OneKey Recovery" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
AppInit_DLLs-X64: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ncfa4qkh.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - plugin: C:\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: C:\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Users\Admin\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Users\Admin\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Admin\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 LHDmgr;LHDmgr;C:\Windows\system32\DRIVERS\LhdX64.sys --> C:\Windows\system32\DRIVERS\LhdX64.sys [?]
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NAVx64\1307010.005\SYMDS64.SYS --> C:\Windows\system32\drivers\NAVx64\1307010.005\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NAVx64\1307010.005\SYMEFA64.SYS --> C:\Windows\system32\drivers\NAVx64\1307010.005\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120804.001\BHDrvx64.sys [2012-8-8 1161376]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;C:\Windows\system32\drivers\NAVx64\1307010.005\ccSetx64.sys --> C:\Windows\system32\drivers\NAVx64\1307010.005\ccSetx64.sys [?]
R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\system32\DRIVERS\ctxusbm.sys --> C:\Windows\system32\DRIVERS\ctxusbm.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120810.001\IDSviA64.sys [2012-8-12 509088]
R1 NEOFLTR_650_15977;Juniper Networks TDI Filter Driver (NEOFLTR_650_15977);\??\C:\Windows\system32\Drivers\NEOFLTR_650_15977.SYS --> C:\Windows\system32\Drivers\NEOFLTR_650_15977.SYS [?]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NAVx64\1307010.005\Ironx64.SYS --> C:\Windows\system32\drivers\NAVx64\1307010.005\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NAVx64\1307010.005\SYMNETS.SYS --> C:\Windows\system32\Drivers\NAVx64\1307010.005\SYMNETS.SYS [?]
R1 VWiFiFlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-4 63928]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-5-2 13336]
R2 JuniperAccessService;Juniper Unified Network Service;C:\Program Files (x86)\Common Files\Juniper Networks\JUNS\dsAccessService.exe [2011-6-2 198520]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-8-14 655944]
R2 NAV;Norton AntiVirus;C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccsvchst.exe [2012-5-18 138232]
R2 NetClientSvc;AT&T Global Network Client Service;C:\Program Files (x86)\AT&T Global Network Client\NetClientSvc.exe [2012-3-27 370528]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-7-5 3048136]
R2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;C:\Program Files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe [2011-6-24 317296]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-5-2 2656280]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-5-18 641464]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\Windows\system32\DRIVERS\AcpiVpc.sys --> C:\Windows\system32\DRIVERS\AcpiVpc.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-9 138912]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 NetLogSvc;NetLogSvc;C:\Program Files (x86)\AT&T Global Network Client\NetLogSvc.exe [2012-3-27 82272]
R3 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;d:\app\Admin\product\11.2.0\dbhome_1\BIN\TNSLSNR --> d:\app\Admin\product\11.2.0\dbhome_1\BIN\TNSLSNR [?]
R3 OracleServiceORCL;OracleServiceORCL;d:\app\admin\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL --> d:\app\admin\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 vm2uvcflt;Vimicro USB Camera Filter 2;C:\Windows\system32\Drivers\vm2uvcflt.sys --> C:\Windows\system32\Drivers\vm2uvcflt.sys [?]
R3 vm332avs;Lenovo Camera2;C:\Windows\system32\Drivers\vm332avs.sys --> C:\Windows\system32\Drivers\vm332avs.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-7 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-5-7 250056]
S3 BTWAMPFL;BTWAMPFL;C:\Windows\system32\DRIVERS\btwampfl.sys --> C:\Windows\system32\DRIVERS\btwampfl.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-18 129976]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2011-1-5 340240]
S3 OracleOraDb11g_home1ClrAgent;OracleOraDb11g_home1ClrAgent;d:\app\Admin\product\11.2.0\dbhome_1\bin\OraClrAgnt.exe agent_sid=CLRExtProc max_dispatchers=2 tcp_dispatchers=0 max_task_threads=6 max_sessions=25 ENVS="EXTPROC_DLLS=ONLY:d:\app\Admin\product\11.2.0\dbhome_1\bin\oraclr11.dll" --> d:\app\Admin\product\11.2.0\dbhome_1\bin\OraClrAgnt.exe agent_sid=CLRExtProc max_dispatchers=2 tcp_dispatchers=0 max_task_threads=6 max_sessions=25 ENVS=EXTPROC_DLLS=ONLY:d:\app\Admin\product\11.2.0\dbhome_1\bin\oraclr11.dll [?]
S3 OracleVssWriterORCL;Oracle ORCL VSS Writer Service;d:\app\admin\product\11.2.0\dbhome_1\bin\OraVSSW.exe ORCL --> d:\app\admin\product\11.2.0\dbhome_1\bin\OraVSSW.exe ORCL [?]
S3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUVStor.sys --> C:\Windows\system32\Drivers\RtsUVStor.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 wsvd;wsvd;C:\Windows\system32\DRIVERS\wsvd.sys --> C:\Windows\system32\DRIVERS\wsvd.sys [?]
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;d:\app\admin\product\11.2.0\dbhome_1\Bin\extjob.exe ORCL --> d:\app\admin\product\11.2.0\dbhome_1\Bin\extjob.exe ORCL [?]
.
=============== File Associations ===============
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=C:\Windows\System32\CScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-08-14 22:19:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-08-14 22:19:44 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-14 20:54:51 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-08-13 00:44:42 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-12 13:25:52 -------- d-----w- C:\Users\Admin\AppData\Roaming\Malwarebytes
2012-08-12 13:25:33 -------- d-----w- C:\ProgramData\Malwarebytes
2012-08-09 13:14:01 -------- d-----w- C:\Users\Admin\AppData\Local\NPE
2012-08-09 08:31:21 27256 ----a-w- C:\Windows\System32\drivers\FixZeroAccess.sys
2012-08-02 06:12:24 -------- d-----w- C:\Users\Admin\AppData\Local\ElevatedDiagnostics
2012-07-26 13:08:09 -------- d-----w- C:\Users\Admin\Tracing
.
==================== Find3M ====================
.
2012-08-14 23:18:29 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-14 23:18:29 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-08-06 21:46:58 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-06-12 03:08:36 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-06-04 14:57:14 455680 ----a-w- C:\Windows\System32\deploytk.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-02 09:49:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 09:45:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-05-18 11:08:50 544032 ----a-w- C:\Windows\System32\npdeployJava1.dll
2012-05-18 11:08:50 525600 ----a-w- C:\Windows\System32\deployJava1.dll
2012-05-17 02:44:58 93272 ----a-w- C:\Windows\System32\drivers\ctxusbm.sys
1996-05-22 10:19:02 25088 ----a-w- C:\Program Files (x86)\ZAPGRAB2.EXE
.
============= FINISH: 19:29:49.80 ===============

#4 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • 28,193 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 14 August 2012 - 07:04 PM

RogueKiller report please...MrC

Malware Removal Expert

I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#5 shekhar

shekhar

    New Member

  • Members
  • 18 posts

Posted 14 August 2012 - 07:08 PM

Appreciate your help MrC!!


RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Admin [Admin rights]
Mode: Scan -- Date: 08/14/2012 19:36:13
¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] c2c_service.exe -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -> KILLED [TermProc]
¤¤¤ Registry Entries: 9 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{38F75B14-47DE-47B4-AEBE-9D57EE0B3643} : NameServer (155.132.2.31,155.132.9.10) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{38F75B14-47DE-47B4-AEBE-9D57EE0B3643} : NameServer (155.132.2.31,155.132.9.10) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Admin\AppData\Local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\n.) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : c:\windows\installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\L --> FOUND
[ZeroAccess][FILE] @ : c:\users\admin\appdata\local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\users\admin\appdata\local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\users\admin\appdata\local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND
[Susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> FOUND
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: HITACHI HTS545050B9A300 +++++
--- User ---
[MBR] aa0b2ff107add63d95adeafa737941cc
[BSP] 15fc16227e8fccae680f59a76c9e4889 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 99900 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 204802048 | Size: 150000 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 512002048 | Size: 226938 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>

#6 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • 28,193 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 14 August 2012 - 07:20 PM

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.<-------

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply.(FRST.txt and Search.txt)
MrC

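The services.exe search requested above makes FRST write each copy's path, timestamps, size and MD5 to Search.txt; what the helper then checks is whether the live System32 copy still matches the WinSxS component-store copy. As an added example (not code from the thread, FRST or Farbar), here is a Python parser for that block that flags a live copy whose hash differs from the store copy; the sample block is constructed in FRST's layout and its hashes and WinSxS folder suffix are placeholders, not values from this thread.

```python
"""Parse the block that FRST's Search button writes (Search.txt) and flag a
live System32 binary whose MD5 differs from the WinSxS component-store copy.

Added example for this thread, not code from FRST/Farbar or the forum.
SAMPLE is constructed in the same layout FRST uses on this page
(path line, then "[created] - [modified] - size attrs (Company) MD5");
its hashes and the WinSxS folder suffix are made-up placeholders.
"""
import re
from dataclasses import dataclass

# A result path line starts with a drive letter, e.g. "C:\Windows\..."
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# The detail line that follows each path in FRST's search output
ENTRY_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+)(?: \((?P<company>[^)]*)\))? "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed sample (placeholder hashes, not the thread's real values):
# three copies of services.exe; the live one carries a different hash from
# the store copy while keeping the same size and modification time.
SAMPLE = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_0000000000000000\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
C:\Windows\erdnt\cache64\services.exe
[2012-08-12 16:01] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
====== End Of Search ======
"""


@dataclass
class Entry:
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: str


def parse_search(text: str) -> list[Entry]:
    """Pair each path line with the detail line that follows it."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue  # banner / separator lines
        m = ENTRY_RE.match(line)
        if m and pending is not None:
            entries.append(Entry(pending, m["created"], m["modified"],
                                 int(m["size"]), m["company"] or "",
                                 m["md5"].upper()))
            pending = None
        elif PATH_RE.match(line):
            pending = line
    return entries


def assess(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (path, reason) for live copies that match no WinSxS copy.

    Same size and modification time but a different hash is the pattern a
    helper looks for when a rootkit has patched the binary in place. The
    erdnt cache copy is deliberately not used as a reference: a backup
    taken after the infection would simply preserve the patched file.
    """
    refs = [e for e in entries if "\\winsxs\\" in e.path.lower()]
    live = [e for e in entries
            if "\\system32\\" in e.path.lower()
            and "\\winsxs\\" not in e.path.lower()]
    findings = []
    for e in live:
        if not refs or any(r.md5 == e.md5 for r in refs):
            continue
        reason = "MD5 differs from every WinSxS copy"
        if any(r.size == e.size and r.modified == e.modified for r in refs):
            reason += " while size and modified time match (in-place patch pattern)"
        findings.append((e.path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in assess(parse_search(SAMPLE)):
        print(f"SUSPECT {path}: {reason}")
```

Feed it a real Search.txt with `parse_search(open(path).read())`; a live copy that matches the WinSxS hash produces no finding.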

#7 shekhar

shekhar

    New Member

  • Members
  • 18 posts

Posted 14 August 2012 - 07:56 PM

SEARCH.TXT
===========

Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 2012-08-14 20:37:30
Running from H:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
C:\Windows\erdnt\cache64\services.exe
[2012-08-12 16:01] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
====== End Of Search ======


FRST.TXT
========
Scan result of Farbar Recovery Scan Tool Version: 09-08-2012
Ran by SYSTEM at 14-08-2012 20:32:06
Running from H:\
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167960 2011-03-29] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391704 2011-03-29] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [418840 2011-03-29] (Intel Corporation)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-27] ()
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1933584 2011-01-05] (Intel® Corporation)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2741544 2011-04-07] (Synaptics Incorporated)
HKLM\...\Run: [Energy Management] C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [9753024 2012-05-02] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [5908928 2012-05-02] (Lenovo(beijing) Limited)
HKLM\...\Run: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\OneKey Recovery" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery" [222504 2009-05-13] (CyberLink Corp.)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2011-02-17] (Intel Corporation)
HKLM-x32\...\Run: [332BigDog] C:\Program Files (x86)\USB Camera2\VM332_STI.EXE [536576 2010-01-18] (Vimicro)
HKLM-x32\...\Run: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\OneKey Recovery" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery" [222504 2009-05-13] (CyberLink Corp.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-04-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup [371896 2012-05-22] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKU\Admin\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\Admin\...\Run: [googletalk] "C:\Program Files (x86)\Google\Google Talk\googletalk.exe" /autostart [3289088 2007-11-20] (Google)
HKU\Admin\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [6591800 2012-02-22] (Yahoo! Inc.)
HKU\Admin\...\Run: [NetSP - restore settings on power failure] "C:\Program Files (x86)\AT&T Global Network Client\NetSP.exe" -show [55136 2012-03-27] (AT&T)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 172.16.0.1
Tcpip\..\Interfaces\{38F75B14-47DE-47B4-AEBE-9D57EE0B3643}: [NameServer]155.132.2.31,155.132.9.10
Startup: C:\Users\Admin\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\AT&T Global Network Client Monitor.lnk
ShortcutTarget: AT&T Global Network Client Monitor.lnk -> C:\Windows\Installer\{37880B62-627C-4F6B-BB85-984BB7E26125}\NetGM1_89563E53ECF44E868145468A128BDC83.exe (Flexera Software, Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
ShortcutTarget: Google Calendar Sync.lnk -> C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe (Google)
==================== Services (Whitelisted) ======
2 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [953632 2010-12-14] (Broadcom Corporation.)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-01-04] ()
2 NAV; "C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe" /s "NAV" /m "C:\Program Files (x86)\Norton AntiVirus\Engine\19.7.1.5\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)
2 netcfgsvr; "C:\Program Files (x86)\AT&T Global Network Client\netcfgsvr.exe" [1124192 2012-03-27] (AT&T)
2 NetClientSvc; "C:\Program Files (x86)\AT&T Global Network Client\NetClientSvc.exe" [370528 2012-03-27] (AT&T)
3 NetLogSvc; C:\Program Files (x86)\AT&T Global Network Client\NetLogSvc.exe [82272 2012-03-27] (AT&T)
2 SwiCardDetectSvc; "C:\Program Files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe" [317296 2011-06-23] (Sierra Wireless, Inc.)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2010-12-20] (Intel Corporation)
2 OracleDBConsoleorcl; C:\app\Admin\product\11.2.0\dbhome_1\bin\nmesrvc.exe [x]
4 OracleJobSchedulerORCL; C:\app\admin\product\11.2.0\dbhome_1\Bin\extjob.exe ORCL [x]
2 OracleMTSRecoveryService; C:\app\Admin\product\11.2.0\dbhome_1\bin\omtsreco.exe "OracleMTSRecoveryService" [x]
3 OracleOraDb11g_home1ClrAgent; C:\app\Admin\product\11.2.0\dbhome_1\bin\OraClrAgnt.exe agent_sid=CLRExtProc max_dispatchers=2 tcp_dispatchers=0 max_task_threads=6 max_sessions=25 ENVS="EXTPROC_DLLS=ONLY:C:\app\Admin\product\11.2.0\dbhome_1\bin\oraclr11.dll" [x]
3 OracleServiceORCL; C:\app\admin\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL [x]
3 OracleVssWriterORCL; C:\app\admin\product\11.2.0\dbhome_1\bin\OraVSSW.exe ORCL [x]
========================== Drivers (Whitelisted) =============
1 agnfilt; C:\Windows\System32\Drivers\agnfilt.sys [201728 2012-03-27] (AT&T)
3 avpnnic; C:\Windows\System32\Drivers\avpnnic.sys [14848 2012-03-27] (AT&T)
1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120804.001\BHDrvx64.sys [1161376 2012-06-18] (Symantec Corporation)
1 ccSet_NAV; C:\Windows\system32\drivers\NAVx64\1307010.005\ccSetx64.sys [167048 2011-11-29] (Symantec Corporation)
1 ctxusbm; C:\Windows\System32\Drivers\ctxusbm.sys [93272 2012-05-16] (Citrix Systems, Inc.)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-09] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-09] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120810.001\IDSvia64.sys [509088 2012-06-14] (Symantec Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\VirusDefs\20120811.008\ENG64.SYS [120440 2012-08-12] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\VirusDefs\20120811.008\EX64.SYS [2068600 2012-08-12] (Symantec Corporation)
1 NEOFLTR_650_15977; C:\Windows\System32\Drivers\NEOFLTR_650_15977.sys [100472 2010-06-04] (Juniper Networks)
1 SRTSP; C:\Windows\System32\Drivers\NAVx64\1307010.005\SRTSP64.SYS [737912 2012-03-28] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NAVx64\1307010.005\SRTSPX64.SYS [37496 2012-03-28] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NAVx64\1307010.005\SYMDS64.SYS [451192 2011-07-25] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NAVx64\1307010.005\SYMEFA64.SYS [1092728 2012-03-28] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-05-03] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NAVx64\1307010.005\Ironx64.SYS [190072 2012-03-28] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\NAVx64\1307010.005\SYMNETS.SYS [405624 2012-03-28] (Symantec Corporation)
3 OracleOraDb11g_home1TNSListener; d:\app\Admin\product\11.2.0\dbhome_1\BIN\TNSLSNR [x]
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============
2012-08-14 16:03 - 2012-08-14 16:03 - 00000000 ____D C:\Program Files\7-Zip
2012-08-14 15:38 - 2012-08-14 15:38 - 00027406 ____A C:\Users\Admin\Desktop\DDS.txt
2012-08-14 15:36 - 2012-08-14 15:42 - 00002993 ____A C:\Users\Admin\Desktop\RKreport[1].txt
2012-08-14 15:35 - 2012-08-14 15:36 - 00000000 ____D C:\Users\Admin\Desktop\RK_Quarantine
2012-08-14 15:34 - 2012-08-14 15:34 - 00013337 ____A C:\Users\Admin\Desktop\Attach.txt
2012-08-14 15:32 - 2012-08-14 15:32 - 01558528 ____A C:\Users\Admin\Desktop\RogueKiller.exe
2012-08-14 15:27 - 2012-08-14 15:27 - 00607260 ____R (Swearware) C:\Users\Admin\Desktop\dds.scr
2012-08-14 14:46 - 2012-08-14 14:46 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_18_46_54.dmp
2012-08-14 14:38 - 2012-08-14 14:38 - 00003760 ____A C:\{F13A0D06-7D3F-400F-B04F-881773DFF0BB}
2012-08-14 14:30 - 2012-08-14 14:30 - 00003760 ____A C:\{BED12C49-D0A5-4DF1-8A70-38CFBDEE3223}
2012-08-14 14:28 - 2012-08-14 14:28 - 00023644 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_18_28_6.dmp
2012-08-14 14:19 - 2012-08-14 14:44 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-14 14:19 - 2012-08-14 14:19 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-14 14:19 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-14 14:10 - 2012-08-14 14:10 - 00003760 ____A C:\{4CCB44DE-5542-423D-80F5-EBBE8DA74D89}
2012-08-14 14:06 - 2012-08-14 14:06 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_18_6_3.dmp
2012-08-14 12:54 - 2012-08-14 12:54 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-14 07:18 - 2012-08-14 07:18 - 01295536 ____A (Juniper Networks) C:\Users\Admin\Downloads\JuniperSetupClientInstaller.exe
2012-08-14 02:57 - 2012-08-14 02:57 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_6_57_18.dmp
2012-08-14 01:27 - 2012-08-14 01:27 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_5_27_3.dmp
2012-08-13 03:58 - 2012-08-13 03:58 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_13_7_58_12.dmp
2012-08-12 17:49 - 2012-08-12 17:49 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_21_49_48.dmp
2012-08-12 17:40 - 2012-08-12 17:40 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_21_40_21.dmp
2012-08-12 16:45 - 2012-08-12 16:45 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_20_45_0.dmp
2012-08-12 15:51 - 2012-08-12 17:36 - 00000000 ____D C:\Windows\erdnt
2012-08-12 15:36 - 2012-08-12 15:36 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_19_36_18.dmp
2012-08-12 15:30 - 2012-08-12 15:30 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_19_30_2.dmp
2012-08-12 14:43 - 2012-08-12 14:43 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_18_43_25.dmp
2012-08-12 14:30 - 2012-08-12 14:30 - 00021236 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_18_30_30.dmp
2012-08-12 12:27 - 2012-08-12 12:27 - 00021138 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_16_27_42.dmp
2012-08-12 07:06 - 2012-08-12 07:06 - 00000000 ____D C:\Windows\Sun
2012-08-12 05:39 - 2012-08-12 05:39 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_9_39_49.dmp
2012-08-12 05:25 - 2012-08-12 05:25 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-12 05:25 - 2012-08-12 05:25 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Malwarebytes
2012-08-12 05:24 - 2012-08-12 05:24 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Admin\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-12 04:48 - 2012-08-12 04:48 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_8_48_53.dmp
2012-08-12 04:16 - 2012-08-12 04:16 - 00022640 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_8_16_43.dmp
2012-08-11 19:36 - 2012-08-11 19:36 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_11_23_36_24.dmp
2012-08-11 18:33 - 2012-08-11 18:33 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_11_22_33_40.dmp
2012-08-11 07:33 - 2012-08-11 07:33 - 00748749 ____A C:\Users\Admin\Desktop\11Aug_collaborator.log
2012-08-10 16:12 - 2012-08-10 16:12 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_20_12_48.dmp
2012-08-10 11:03 - 2012-08-10 11:04 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_15_3_59.dmp
2012-08-10 09:53 - 2012-08-10 09:54 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_13_53_59.dmp
2012-08-10 04:20 - 2012-08-10 04:20 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_8_20_51.dmp
2012-08-10 02:50 - 2012-08-10 02:50 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_6_50_27.dmp
2012-08-09 20:08 - 2012-08-09 20:08 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_0_8_7.dmp
2012-08-09 16:24 - 2012-08-09 16:24 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_20_24_21.dmp
2012-08-09 13:43 - 2012-08-09 13:44 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_17_43_57.dmp
2012-08-09 11:26 - 2012-08-09 11:26 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_15_26_13.dmp
2012-08-09 10:58 - 2012-08-09 10:58 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_14_58_22.dmp
2012-08-09 10:51 - 2012-08-09 10:51 - 00000000 ____D C:\Users\Admin\Downloads\7zip
2012-08-09 10:45 - 2012-08-11 18:39 - 00003148 ____A C:\Users\Admin\Downloads\FSS.txt
2012-08-09 09:09 - 2012-08-09 09:09 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_13_9_55.dmp
2012-08-09 07:08 - 2012-08-09 07:08 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_11_8_28.dmp
2012-08-09 06:40 - 2012-08-09 06:40 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_10_40_14.dmp
2012-08-09 06:11 - 2012-08-14 13:17 - 00327680 ____A C:\Windows\System32\Ikeext.etl
2012-08-09 06:11 - 2012-08-09 06:11 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_10_11_17.dmp
2012-08-09 05:38 - 2012-08-09 05:38 - 00003760 ____A C:\{2F72F050-28E6-4D0B-900E-FADBCF0344A4}
2012-08-09 05:35 - 2012-08-09 05:35 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_9_35_25.dmp
2012-08-09 05:14 - 2012-08-09 05:17 - 00000000 ____D C:\Users\Admin\AppData\Local\NPE
2012-08-09 04:38 - 2012-08-09 04:38 - 00003792 ____A C:\{AD9548B9-ED37-4797-8AE3-3C0A49B01CF7}
2012-08-09 04:10 - 2012-08-09 04:10 - 00003760 ____A C:\{5397871D-4F6A-448E-9140-E2F2E927BF55}
2012-08-09 03:06 - 2012-08-09 03:06 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_7_6_50.dmp
2012-08-09 00:49 - 2012-08-09 00:49 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_4_49_0.dmp
2012-08-09 00:33 - 2012-08-09 00:33 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_4_33_44.dmp
2012-08-09 00:31 - 2012-08-11 18:30 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
2012-08-09 00:06 - 2012-08-09 00:06 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_4_6_27.dmp
2012-08-08 17:05 - 2012-08-08 17:05 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_21_5_44.dmp
2012-08-08 12:56 - 2012-08-08 12:57 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_16_56_56.dmp
2012-08-08 08:50 - 2012-08-08 08:50 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_12_50_43.dmp
2012-08-08 04:51 - 2012-08-08 04:52 - 00022528 ____A C:\Users\Admin\Desktop\APQUAL_export.xls
2012-08-08 04:24 - 2012-08-08 04:25 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_8_24_59.dmp
2012-08-08 02:11 - 2012-08-08 02:11 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_6_11_2.dmp
2012-08-07 15:53 - 2012-08-07 15:53 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_7_19_53_21.dmp
2012-08-07 04:30 - 2012-08-07 04:30 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_7_8_30_35.dmp
2012-08-06 15:58 - 2012-08-06 15:58 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_19_58_43.dmp
2012-08-06 13:52 - 2012-08-13 19:42 - 00002411 ____A C:\Users\Admin\Desktop\Google Chrome.lnk
2012-08-06 13:47 - 2012-08-06 13:46 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-08-06 13:47 - 2012-08-06 13:46 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-08-06 13:47 - 2012-08-06 13:46 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-08-06 13:38 - 2012-08-06 13:38 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_17_38_29.dmp
2012-08-06 13:21 - 2012-08-06 13:21 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_17_21_5.dmp
2012-08-06 12:54 - 2012-08-06 12:54 - 00214016 ____A C:\Users\Admin\Downloads\RemoteEngineLaunch (1)
2012-08-06 12:34 - 2012-08-06 12:34 - 00214016 ____A C:\Users\Admin\Downloads\RemoteEngineLaunch
2012-08-06 04:24 - 2012-08-06 04:24 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_8_24_12.dmp
2012-08-05 15:08 - 2012-08-05 15:08 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_19_8_9.dmp
2012-08-05 06:24 - 2012-08-05 06:24 - 00023644 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_10_24_12.dmp
2012-08-05 05:34 - 2012-08-05 05:34 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_9_34_51.dmp
2012-08-05 04:15 - 2012-08-05 04:15 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_8_15_2.dmp
2012-08-05 04:06 - 2012-08-05 04:06 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_8_6_29.dmp
2012-08-05 01:07 - 2012-08-05 01:07 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_5_7_30.dmp
2012-08-04 18:19 - 2012-08-04 18:19 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_22_19_44.dmp
2012-08-04 17:06 - 2012-08-04 17:06 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_21_6_26.dmp
2012-08-04 16:50 - 2012-08-04 16:50 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_20_50_47.dmp
2012-08-04 15:27 - 2012-08-04 15:27 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_19_27_2.dmp
2012-08-04 04:24 - 2012-08-04 04:24 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_8_24_39.dmp
2012-08-04 02:13 - 2012-08-04 02:13 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_6_13_35.dmp
2012-08-03 19:25 - 2012-08-03 19:26 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_23_25_56.dmp
2012-08-03 08:49 - 2012-08-03 08:49 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_12_49_13.dmp
2012-08-03 08:37 - 2012-08-03 08:37 - 00023546 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_12_37_51.dmp
2012-08-03 08:13 - 2012-08-03 08:13 - 00023546 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_12_13_12.dmp
2012-08-03 06:02 - 2012-08-03 06:02 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_10_2_50.dmp
2012-08-03 04:22 - 2012-08-03 04:22 - 00022279 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_8_22_23.dmp
2012-08-03 03:14 - 2012-08-03 03:14 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_7_14_20.dmp
2012-08-03 01:50 - 2012-08-03 01:50 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_5_50_26.dmp
2012-08-02 19:17 - 2012-08-02 19:17 - 00019994 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_2_23_17_52.dmp
2012-08-02 10:25 - 2012-08-02 10:25 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_2_23_55_10.dmp
2012-08-01 23:18 - 2012-08-01 23:18 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_2_12_48_8.dmp
2012-08-01 05:30 - 2012-08-01 05:30 - 00022538 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_1_19_0_8.dmp
2012-07-31 16:14 - 2012-07-31 16:14 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_1_5_44_0.dmp
2012-07-31 10:20 - 2012-07-31 10:20 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_31_23_50_19.dmp
2012-07-30 18:12 - 2012-07-30 18:12 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_31_7_42_9.dmp
2012-07-30 10:17 - 2012-07-30 10:17 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_30_23_47_40.dmp
2012-07-30 06:38 - 2012-07-30 06:38 - 00021184 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_30_20_8_32.dmp
2012-07-29 19:25 - 2012-07-29 19:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_30_8_55_29.dmp
2012-07-29 09:24 - 2012-07-29 09:24 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_29_22_54_4.dmp
2012-07-28 22:53 - 2012-07-28 22:53 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_29_12_23_25.dmp
2012-07-28 06:56 - 2012-07-28 06:56 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_28_20_26_5.dmp
2012-07-27 19:59 - 2012-07-27 19:59 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_28_9_29_24.dmp
2012-07-27 05:24 - 2012-07-27 05:24 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_27_18_54_18.dmp
2012-07-26 18:49 - 2012-07-26 18:49 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_27_8_19_56.dmp
2012-07-26 07:03 - 2012-07-26 07:03 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_26_20_33_26.dmp
2012-07-26 05:08 - 2012-07-30 05:06 - 00000000 ____D C:\Users\Admin\Tracing
2012-07-26 05:08 - 2012-07-26 05:08 - 00000000 ____D C:\Users\Admin\Documents\My Meetings
2012-07-26 02:13 - 2012-07-26 02:13 - 00858939 ____A C:\Users\Admin\Downloads\collaborator[1].log
2012-07-25 19:09 - 2012-07-25 19:09 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_26_8_39_55.dmp
2012-07-25 11:13 - 2012-07-25 11:13 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_26_0_43_11.dmp
2012-07-25 05:15 - 2012-07-25 05:15 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_25_18_45_40.dmp
2012-07-24 19:08 - 2012-07-24 19:08 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_25_8_38_44.dmp
2012-07-24 09:25 - 2012-07-24 09:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_22_55_28.dmp
2012-07-24 08:09 - 2012-07-24 08:09 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_21_39_53.dmp
2012-07-24 07:24 - 2012-07-24 07:24 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_20_54_7.dmp
2012-07-24 04:28 - 2012-07-24 04:28 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_17_58_23.dmp
2012-07-24 04:24 - 2012-07-24 04:24 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Canon
2012-07-24 04:24 - 2012-07-24 04:24 - 00000000 ____A C:\Users\Admin\Sti_Trace.log
2012-07-23 19:44 - 2012-07-23 19:44 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_9_14_47.dmp
2012-07-23 17:12 - 2012-07-23 17:12 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_6_42_19.dmp
2012-07-23 10:13 - 2012-07-23 10:13 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_23_23_43_22.dmp
2012-07-23 07:26 - 2012-07-23 07:26 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_23_20_56_26.dmp
2012-07-22 18:24 - 2012-07-22 18:24 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_23_7_54_35.dmp
2012-07-22 04:22 - 2012-07-22 04:22 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_22_17_52_46.dmp
2012-07-21 19:22 - 2012-07-21 19:22 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_22_8_52_49.dmp
2012-07-21 04:01 - 2012-07-21 04:01 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_21_17_31_45.dmp
2012-07-21 03:24 - 2012-07-21 03:24 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_21_16_54_2.dmp
2012-07-20 04:26 - 2012-07-20 04:26 - 00022490 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_17_56_50.dmp
2012-07-19 20:00 - 2012-07-19 20:00 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_9_30_23.dmp
2012-07-19 17:25 - 2012-07-19 17:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_6_55_29.dmp
2012-07-19 10:58 - 2012-07-19 10:58 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_0_28_36.dmp
2012-07-19 07:57 - 2012-07-19 07:57 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_19_21_27_16.dmp
2012-07-19 03:54 - 2012-07-19 03:54 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_19_17_24_1.dmp
2012-07-18 19:46 - 2012-07-18 19:46 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_19_9_16_49.dmp
2012-07-18 08:20 - 2012-07-18 08:20 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_18_21_50_40.dmp
2012-07-18 03:37 - 2012-07-18 03:37 - 00021276 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_18_17_7_55.dmp
2012-07-17 02:54 - 2012-07-17 02:54 - 00021320 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_17_16_24_9.dmp
2012-07-16 17:25 - 2012-07-16 17:25 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_17_6_55_47.dmp
2012-07-16 06:14 - 2012-07-16 06:14 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_16_19_44_48.dmp
2012-07-16 03:21 - 2012-07-16 03:21 - 00022582 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_16_16_51_44.dmp
2012-07-15 22:55 - 2012-07-15 23:01 - 01195181 ____A C:\Users\Admin\Documents\t_src_item_tmpl.dat
2012-07-15 21:59 - 2012-07-15 23:03 - 00000000 ____D C:\Users\Admin\AppData\Roaming\FileZilla
2012-07-15 21:59 - 2012-07-15 21:59 - 00000000 ____D C:\Program Files (x86)\FileZilla FTP Client
2012-07-15 19:22 - 2012-07-15 19:22 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_16_8_52_9.dmp
2012-07-15 05:42 - 2012-07-15 05:42 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_15_19_12_8.dmp

============ 3 Months Modified Files ========================
2012-08-14 16:30 - 2012-05-02 01:58 - 01060524 ____A C:\Windows\WindowsUpdate.log
2012-08-14 16:19 - 2012-07-12 20:49 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-14 16:19 - 2012-05-06 23:15 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-14 16:19 - 2012-05-06 23:15 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-14 15:42 - 2012-08-14 15:36 - 00002993 ____A C:\Users\Admin\Desktop\RKreport[1].txt
2012-08-14 15:41 - 2012-05-10 08:01 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-325862687-2821830248-2684448362-1000UA.job
2012-08-14 15:38 - 2012-08-14 15:38 - 00027406 ____A C:\Users\Admin\Desktop\DDS.txt
2012-08-14 15:35 - 2009-07-13 21:13 - 00735402 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-14 15:34 - 2012-08-14 15:34 - 00013337 ____A C:\Users\Admin\Desktop\Attach.txt
2012-08-14 15:32 - 2012-08-14 15:32 - 01558528 ____A C:\Users\Admin\Desktop\RogueKiller.exe
2012-08-14 15:32 - 2009-07-13 20:51 - 00054526 ____A C:\Windows\setupact.log
2012-08-14 15:27 - 2012-08-14 15:27 - 00607260 ____R (Swearware) C:\Users\Admin\Desktop\dds.scr
2012-08-14 14:54 - 2009-07-13 20:45 - 00022096 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-14 14:54 - 2009-07-13 20:45 - 00022096 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-14 14:46 - 2012-08-14 14:46 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_18_46_54.dmp
2012-08-14 14:45 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-14 14:38 - 2012-08-14 14:38 - 00003760 ____A C:\{F13A0D06-7D3F-400F-B04F-881773DFF0BB}
2012-08-14 14:30 - 2012-08-14 14:30 - 00003760 ____A C:\{BED12C49-D0A5-4DF1-8A70-38CFBDEE3223}
2012-08-14 14:28 - 2012-08-14 14:28 - 00023644 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_18_28_6.dmp
2012-08-14 14:26 - 2010-11-20 19:47 - 00101158 ____A C:\Windows\PFRO.log
2012-08-14 14:19 - 2012-08-14 14:19 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-14 14:10 - 2012-08-14 14:10 - 00003760 ____A C:\{4CCB44DE-5542-423D-80F5-EBBE8DA74D89}
2012-08-14 14:06 - 2012-08-14 14:06 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_18_6_3.dmp
2012-08-14 13:17 - 2012-08-09 06:11 - 00327680 ____A C:\Windows\System32\Ikeext.etl
2012-08-14 09:41 - 2012-05-10 08:01 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-325862687-2821830248-2684448362-1000Core.job
2012-08-14 07:18 - 2012-08-14 07:18 - 01295536 ____A (Juniper Networks) C:\Users\Admin\Downloads\JuniperSetupClientInstaller.exe
2012-08-14 06:59 - 2012-05-03 20:58 - 00001996 ___AH C:\Users\Admin\Documents\Default.rdp
2012-08-14 02:57 - 2012-08-14 02:57 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_6_57_18.dmp
2012-08-14 01:27 - 2012-08-14 01:27 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_14_5_27_3.dmp
2012-08-13 19:42 - 2012-08-06 13:52 - 00002411 ____A C:\Users\Admin\Desktop\Google Chrome.lnk
2012-08-13 08:06 - 2012-07-27 05:19 - 00002779 ____A C:\Users\Admin\Desktop\todo.txt
2012-08-13 03:58 - 2012-08-13 03:58 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_13_7_58_12.dmp
2012-08-12 17:49 - 2012-08-12 17:49 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_21_49_48.dmp
2012-08-12 17:40 - 2012-08-12 17:40 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_21_40_21.dmp
2012-08-12 16:45 - 2012-08-12 16:45 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_20_45_0.dmp
2012-08-12 16:00 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-08-12 15:36 - 2012-08-12 15:36 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_19_36_18.dmp
2012-08-12 15:30 - 2012-08-12 15:30 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_19_30_2.dmp
2012-08-12 14:43 - 2012-08-12 14:43 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_18_43_25.dmp
2012-08-12 14:30 - 2012-08-12 14:30 - 00021236 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_18_30_30.dmp
2012-08-12 12:27 - 2012-08-12 12:27 - 00021138 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_16_27_42.dmp
2012-08-12 05:39 - 2012-08-12 05:39 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_9_39_49.dmp
2012-08-12 05:24 - 2012-08-12 05:24 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Admin\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-12 04:48 - 2012-08-12 04:48 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_8_48_53.dmp
2012-08-12 04:26 - 2012-05-04 02:54 - 00748616 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-12 04:16 - 2012-08-12 04:16 - 00022640 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_12_8_16_43.dmp
2012-08-11 19:36 - 2012-08-11 19:36 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_11_23_36_24.dmp
2012-08-11 18:39 - 2012-08-09 10:45 - 00003148 ____A C:\Users\Admin\Downloads\FSS.txt
2012-08-11 18:33 - 2012-08-11 18:33 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_11_22_33_40.dmp
2012-08-11 18:30 - 2012-08-09 00:31 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
2012-08-11 07:44 - 2012-04-02 04:57 - 00013962 ____A C:\Users\Admin\Desktop\1.txt
2012-08-11 07:33 - 2012-08-11 07:33 - 00748749 ____A C:\Users\Admin\Desktop\11Aug_collaborator.log
2012-08-10 16:12 - 2012-08-10 16:12 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_20_12_48.dmp
2012-08-10 11:04 - 2012-08-10 11:03 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_15_3_59.dmp
2012-08-10 09:54 - 2012-08-10 09:53 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_13_53_59.dmp
2012-08-10 04:20 - 2012-08-10 04:20 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_8_20_51.dmp
2012-08-10 02:50 - 2012-08-10 02:50 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_6_50_27.dmp
2012-08-09 20:08 - 2012-08-09 20:08 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_10_0_8_7.dmp
2012-08-09 16:24 - 2012-08-09 16:24 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_20_24_21.dmp
2012-08-09 13:44 - 2012-08-09 13:43 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_17_43_57.dmp
2012-08-09 11:26 - 2012-08-09 11:26 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_15_26_13.dmp
2012-08-09 10:58 - 2012-08-09 10:58 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_14_58_22.dmp
2012-08-09 09:09 - 2012-08-09 09:09 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_13_9_55.dmp
2012-08-09 07:08 - 2012-08-09 07:08 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_11_8_28.dmp
2012-08-09 06:57 - 2012-06-12 23:24 - 00007601 ____A C:\Users\Admin\AppData\Local\Resmon.ResmonCfg
2012-08-09 06:40 - 2012-08-09 06:40 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_10_40_14.dmp
2012-08-09 06:11 - 2012-08-09 06:11 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_10_11_17.dmp
2012-08-09 05:38 - 2012-08-09 05:38 - 00003760 ____A C:\{2F72F050-28E6-4D0B-900E-FADBCF0344A4}
2012-08-09 05:35 - 2012-08-09 05:35 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_9_35_25.dmp
2012-08-09 04:38 - 2012-08-09 04:38 - 00003792 ____A C:\{AD9548B9-ED37-4797-8AE3-3C0A49B01CF7}
2012-08-09 04:10 - 2012-08-09 04:10 - 00003760 ____A C:\{5397871D-4F6A-448E-9140-E2F2E927BF55}
2012-08-09 03:06 - 2012-08-09 03:06 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_7_6_50.dmp
2012-08-09 00:49 - 2012-08-09 00:49 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_4_49_0.dmp
2012-08-09 00:33 - 2012-08-09 00:33 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_4_33_44.dmp
2012-08-09 00:06 - 2012-08-09 00:06 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_9_4_6_27.dmp
2012-08-08 17:05 - 2012-08-08 17:05 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_21_5_44.dmp
2012-08-08 12:57 - 2012-08-08 12:56 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_16_56_56.dmp
2012-08-08 08:50 - 2012-08-08 08:50 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_12_50_43.dmp
2012-08-08 04:52 - 2012-08-08 04:51 - 00022528 ____A C:\Users\Admin\Desktop\APQUAL_export.xls
2012-08-08 04:25 - 2012-08-08 04:24 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_8_24_59.dmp
2012-08-08 02:11 - 2012-08-08 02:11 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_8_6_11_2.dmp
2012-08-07 15:53 - 2012-08-07 15:53 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_7_19_53_21.dmp
2012-08-07 04:30 - 2012-08-07 04:30 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_7_8_30_35.dmp
2012-08-06 15:58 - 2012-08-06 15:58 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_19_58_43.dmp
2012-08-06 13:46 - 2012-08-06 13:47 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-08-06 13:46 - 2012-08-06 13:47 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-08-06 13:46 - 2012-08-06 13:47 - 00145184 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-08-06 13:46 - 2012-05-17 20:59 - 00472808 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-08-06 13:38 - 2012-08-06 13:38 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_17_38_29.dmp
2012-08-06 13:32 - 2012-05-15 05:11 - 00010710 ____A C:\Windows\SysWOW64\jupdate-1.5.0_17-b04.log
2012-08-06 13:21 - 2012-08-06 13:21 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_17_21_5.dmp
2012-08-06 12:54 - 2012-08-06 12:54 - 00214016 ____A C:\Users\Admin\Downloads\RemoteEngineLaunch (1)
2012-08-06 12:34 - 2012-08-06 12:34 - 00214016 ____A C:\Users\Admin\Downloads\RemoteEngineLaunch
2012-08-06 04:24 - 2012-08-06 04:24 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_6_8_24_12.dmp
2012-08-05 15:08 - 2012-08-05 15:08 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_19_8_9.dmp
2012-08-05 06:24 - 2012-08-05 06:24 - 00023644 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_10_24_12.dmp
2012-08-05 05:34 - 2012-08-05 05:34 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_9_34_51.dmp
2012-08-05 04:15 - 2012-08-05 04:15 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_8_15_2.dmp
2012-08-05 04:06 - 2012-08-05 04:06 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_8_6_29.dmp
2012-08-05 01:07 - 2012-08-05 01:07 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_5_5_7_30.dmp
2012-08-04 18:19 - 2012-08-04 18:19 - 00022133 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_22_19_44.dmp
2012-08-04 17:06 - 2012-08-04 17:06 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_21_6_26.dmp
2012-08-04 16:50 - 2012-08-04 16:50 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_20_50_47.dmp
2012-08-04 15:27 - 2012-08-04 15:27 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_19_27_2.dmp
2012-08-04 04:24 - 2012-08-04 04:24 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_8_24_39.dmp
2012-08-04 02:13 - 2012-08-04 02:13 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_4_6_13_35.dmp
2012-08-03 19:26 - 2012-08-03 19:25 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_23_25_56.dmp
2012-08-03 08:49 - 2012-08-03 08:49 - 00022231 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_12_49_13.dmp
2012-08-03 08:37 - 2012-08-03 08:37 - 00023546 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_12_37_51.dmp
2012-08-03 08:13 - 2012-08-03 08:13 - 00023546 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_12_13_12.dmp
2012-08-03 06:02 - 2012-08-03 06:02 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_10_2_50.dmp
2012-08-03 04:22 - 2012-08-03 04:22 - 00022279 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_8_22_23.dmp
2012-08-03 03:14 - 2012-08-03 03:14 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_7_14_20.dmp
2012-08-03 01:50 - 2012-08-03 01:50 - 00022542 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_3_5_50_26.dmp
2012-08-02 19:17 - 2012-08-02 19:17 - 00019994 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_2_23_17_52.dmp
2012-08-02 10:25 - 2012-08-02 10:25 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_2_23_55_10.dmp
2012-08-01 23:18 - 2012-08-01 23:18 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_2_12_48_8.dmp
2012-08-01 05:30 - 2012-08-01 05:30 - 00022538 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_1_19_0_8.dmp
2012-07-31 16:14 - 2012-07-31 16:14 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_8_1_5_44_0.dmp
2012-07-31 10:20 - 2012-07-31 10:20 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_31_23_50_19.dmp
2012-07-30 21:36 - 2012-05-16 05:55 - 544812872 ____A C:\Windows\MEMORY.DMP
2012-07-30 18:12 - 2012-07-30 18:12 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_31_7_42_9.dmp
2012-07-30 10:17 - 2012-07-30 10:17 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_30_23_47_40.dmp
2012-07-30 06:38 - 2012-07-30 06:38 - 00021184 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_30_20_8_32.dmp
2012-07-29 19:25 - 2012-07-29 19:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_30_8_55_29.dmp
2012-07-29 18:11 - 2012-05-13 00:06 - 00013979 ____A C:\Users\Admin\Desktop\Book1.xlsx
2012-07-29 09:24 - 2012-07-29 09:24 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_29_22_54_4.dmp
2012-07-28 22:53 - 2012-07-28 22:53 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_29_12_23_25.dmp
2012-07-28 06:56 - 2012-07-28 06:56 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_28_20_26_5.dmp
2012-07-27 19:59 - 2012-07-27 19:59 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_28_9_29_24.dmp
2012-07-27 05:24 - 2012-07-27 05:24 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_27_18_54_18.dmp
2012-07-26 18:49 - 2012-07-26 18:49 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_27_8_19_56.dmp
2012-07-26 07:03 - 2012-07-26 07:03 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_26_20_33_26.dmp
2012-07-26 02:13 - 2012-07-26 02:13 - 00858939 ____A C:\Users\Admin\Downloads\collaborator[1].log
2012-07-25 19:09 - 2012-07-25 19:09 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_26_8_39_55.dmp
2012-07-25 11:13 - 2012-07-25 11:13 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_26_0_43_11.dmp
2012-07-25 09:45 - 2009-07-13 21:08 - 00032644 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-25 05:15 - 2012-07-25 05:15 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_25_18_45_40.dmp
2012-07-24 19:08 - 2012-07-24 19:08 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_25_8_38_44.dmp
2012-07-24 09:25 - 2012-07-24 09:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_22_55_28.dmp
2012-07-24 08:09 - 2012-07-24 08:09 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_21_39_53.dmp
2012-07-24 07:24 - 2012-07-24 07:24 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_20_54_7.dmp
2012-07-24 04:28 - 2012-07-24 04:28 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_17_58_23.dmp
2012-07-24 04:24 - 2012-07-24 04:24 - 00000000 ____A C:\Users\Admin\Sti_Trace.log
2012-07-23 19:44 - 2012-07-23 19:44 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_9_14_47.dmp
2012-07-23 17:12 - 2012-07-23 17:12 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_24_6_42_19.dmp
2012-07-23 10:13 - 2012-07-23 10:13 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_23_23_43_22.dmp
2012-07-23 07:26 - 2012-07-23 07:26 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_23_20_56_26.dmp
2012-07-22 18:24 - 2012-07-22 18:24 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_23_7_54_35.dmp
2012-07-22 04:22 - 2012-07-22 04:22 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_22_17_52_46.dmp
2012-07-21 19:22 - 2012-07-21 19:22 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_22_8_52_49.dmp
2012-07-21 04:01 - 2012-07-21 04:01 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_21_17_31_45.dmp
2012-07-21 03:24 - 2012-07-21 03:24 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_21_16_54_2.dmp
2012-07-20 04:26 - 2012-07-20 04:26 - 00022490 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_17_56_50.dmp
2012-07-19 20:00 - 2012-07-19 20:00 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_9_30_23.dmp
2012-07-19 17:25 - 2012-07-19 17:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_6_55_29.dmp
2012-07-19 10:58 - 2012-07-19 10:58 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_20_0_28_36.dmp
2012-07-19 07:57 - 2012-07-19 07:57 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_19_21_27_16.dmp
2012-07-19 03:54 - 2012-07-19 03:54 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_19_17_24_1.dmp
2012-07-18 19:46 - 2012-07-18 19:46 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_19_9_16_49.dmp
2012-07-18 08:20 - 2012-07-18 08:20 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_18_21_50_40.dmp
2012-07-18 03:37 - 2012-07-18 03:37 - 00021276 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_18_17_7_55.dmp
2012-07-17 02:54 - 2012-07-17 02:54 - 00021320 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_17_16_24_9.dmp
2012-07-16 17:25 - 2012-07-16 17:25 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_17_6_55_47.dmp
2012-07-16 06:14 - 2012-07-16 06:14 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_16_19_44_48.dmp
2012-07-16 03:21 - 2012-07-16 03:21 - 00022582 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_16_16_51_44.dmp
2012-07-15 23:01 - 2012-07-15 22:55 - 01195181 ____A C:\Users\Admin\Documents\t_src_item_tmpl.dat
2012-07-15 19:22 - 2012-07-15 19:22 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_16_8_52_9.dmp
2012-07-15 05:42 - 2012-07-15 05:42 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_15_19_12_8.dmp
2012-07-14 22:05 - 2012-07-14 22:05 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_15_11_35_33.dmp
2012-07-14 06:24 - 2012-07-14 06:24 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_14_19_54_21.dmp
2012-07-14 05:01 - 2012-07-14 05:01 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_14_18_31_6.dmp
2012-07-14 04:36 - 2012-07-14 04:36 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_14_18_6_12.dmp
2012-07-13 21:24 - 2012-07-13 21:24 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_14_10_54_32.dmp
2012-07-13 20:16 - 2012-07-13 20:16 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_14_9_46_10.dmp
2012-07-13 19:51 - 2012-07-13 19:51 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_14_9_21_24.dmp
2012-07-13 04:53 - 2012-07-13 04:53 - 00021276 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_13_18_23_43.dmp
2012-07-12 15:51 - 2012-07-12 15:51 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_13_5_21_32.dmp
2012-07-12 03:04 - 2012-07-12 03:04 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_12_16_34_30.dmp
2012-07-11 20:52 - 2009-07-13 20:45 - 00363328 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 19:31 - 2012-07-11 19:31 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_12_9_1_12.dmp
2012-07-11 18:33 - 2012-05-12 21:13 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-11 09:40 - 2012-07-11 09:40 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_11_23_10_20.dmp
2012-07-11 05:49 - 2012-07-11 05:49 - 00021178 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_11_19_19_31.dmp
2012-07-10 19:24 - 2012-07-10 19:24 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_11_8_54_21.dmp
2012-07-10 07:39 - 2012-07-10 07:39 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_10_21_9_41.dmp
2012-07-10 03:10 - 2012-07-10 03:10 - 00021276 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_10_16_40_54.dmp
2012-07-09 19:39 - 2012-07-09 19:39 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_10_9_9_5.dmp
2012-07-09 10:26 - 2012-07-09 10:26 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_9_23_56_32.dmp
2012-07-09 03:35 - 2012-07-09 03:35 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_9_17_5_24.dmp
2012-07-08 19:22 - 2012-07-08 19:22 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_9_8_52_43.dmp
2012-07-08 06:19 - 2012-07-08 06:19 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_8_19_49_25.dmp
2012-07-07 21:48 - 2012-07-07 21:48 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_8_11_18_18.dmp
2012-07-07 17:39 - 2012-07-07 17:39 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_8_7_9_24.dmp
2012-07-07 09:47 - 2012-07-07 09:47 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_7_23_17_32.dmp
2012-07-07 05:27 - 2012-07-07 05:27 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_7_18_57_32.dmp
2012-07-06 15:24 - 2012-07-06 15:24 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_7_4_54_4.dmp
2012-07-06 11:04 - 2012-07-06 11:04 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_7_0_34_19.dmp
2012-07-06 06:27 - 2012-07-06 06:27 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_6_19_57_22.dmp
2012-07-05 20:35 - 2012-07-05 20:35 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_6_10_5_53.dmp
2012-07-05 10:57 - 2012-07-05 10:57 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_6_0_27_58.dmp
2012-07-05 01:20 - 2012-07-05 01:20 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_5_14_50_29.dmp
2012-07-05 01:11 - 2012-07-05 01:11 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_5_14_41_49.dmp
2012-07-04 23:14 - 2012-07-04 23:14 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_5_12_44_30.dmp
2012-07-04 20:36 - 2012-07-04 20:36 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_5_10_6_45.dmp
2012-07-04 19:35 - 2012-07-04 19:35 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_5_9_5_56.dmp
2012-07-04 09:12 - 2012-07-04 09:12 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_4_22_42_40.dmp
2012-07-04 06:33 - 2012-07-04 06:33 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_4_20_3_29.dmp
2012-07-03 09:46 - 2012-08-14 14:19 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-03 08:39 - 2012-07-03 08:39 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_3_22_9_12.dmp
2012-07-03 06:37 - 2012-07-03 06:37 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_3_20_7_37.dmp
2012-07-03 04:30 - 2012-07-03 04:30 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_3_18_0_38.dmp
2012-07-02 17:59 - 2012-07-02 17:59 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_3_7_29_8.dmp
2012-07-02 09:46 - 2012-07-02 09:46 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_2_23_16_35.dmp
2012-07-02 05:08 - 2012-07-02 05:08 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_2_18_38_15.dmp
2012-07-02 04:25 - 2012-07-02 04:25 - 00021276 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_2_17_55_2.dmp
2012-07-01 18:43 - 2012-07-01 18:43 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_2_8_13_55.dmp
2012-06-30 22:26 - 2012-06-30 22:26 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_7_1_11_56_1.dmp
2012-06-30 04:22 - 2012-06-30 04:22 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_30_17_52_25.dmp
2012-06-29 19:49 - 2012-06-29 19:49 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_30_9_19_15.dmp
2012-06-29 03:20 - 2012-06-29 03:20 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_29_16_50_10.dmp
2012-06-29 03:13 - 2012-06-29 03:13 - 00021418 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_29_16_43_48.dmp
2012-06-29 03:13 - 2012-06-29 03:13 - 00001166 ____A C:\Users\Public\Desktop\Canon MF Toolbox 4.9.lnk
2012-06-28 22:26 - 2012-06-28 22:26 - 00002627 ____A C:\Users\Public\Desktop\AT&T Global Network Client.lnk
2012-06-28 21:35 - 2012-06-28 21:34 - 31476912 ____A (Citrix Systems, Inc.) C:\Users\Admin\Downloads\CitrixReceiver.exe
2012-06-28 16:11 - 2012-06-28 16:11 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_29_5_41_37.dmp
2012-06-28 09:25 - 2012-06-28 09:25 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_28_22_55_1.dmp
2012-06-28 05:45 - 2012-06-28 05:45 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_28_19_15_13.dmp
2012-06-28 03:29 - 2012-06-28 03:29 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_28_16_59_20.dmp
2012-06-27 19:37 - 2012-06-27 19:37 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_28_9_7_27.dmp
2012-06-27 10:17 - 2012-06-27 10:17 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_27_23_47_47.dmp
2012-06-27 08:17 - 2012-06-27 08:17 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_27_21_47_13.dmp
2012-06-27 03:32 - 2012-06-27 03:32 - 00021276 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_27_17_2_35.dmp
2012-06-26 22:38 - 2012-06-26 22:38 - 00008128 ____A C:\Users\Admin\Desktop\PassportApplicationForm_Main_English_V1.0_data.xml
2012-06-26 18:45 - 2012-06-26 18:45 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_27_8_15_30.dmp
2012-06-26 07:04 - 2012-06-26 07:04 - 00021178 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_26_20_34_10.dmp
2012-06-26 03:04 - 2012-06-26 03:04 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_26_16_34_45.dmp
2012-06-25 21:43 - 2012-06-25 21:43 - 02060288 ____A C:\Users\Admin\Downloads\gtm_6_2_Product_Introduction_ppt (1).exe
2012-06-25 18:19 - 2012-06-25 18:19 - 00022221 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_26_7_49_8.dmp
2012-06-25 09:30 - 2012-06-25 09:30 - 00022035 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_25_23_0_48.dmp
2012-06-25 04:28 - 2012-06-25 04:28 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_25_17_58_51.dmp
2012-06-25 02:30 - 2012-06-25 02:30 - 00022035 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_25_16_0_28.dmp
2012-06-24 19:12 - 2012-06-24 19:11 - 00022035 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_25_8_41_57.dmp
2012-06-24 04:09 - 2012-06-24 04:09 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_24_17_39_53.dmp
2012-06-24 03:05 - 2012-06-24 03:04 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_24_16_34_57.dmp
2012-06-24 02:20 - 2012-06-24 02:20 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_24_15_50_51.dmp
2012-06-23 23:55 - 2012-06-23 23:55 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_24_13_25_22.dmp
2012-06-23 22:55 - 2012-06-23 22:55 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_24_12_25_53.dmp
2012-06-23 20:13 - 2012-06-23 20:08 - 07217706 ____A (Macromedia, Inc.) C:\Users\Admin\Downloads\ibsetupws.exe
2012-06-23 07:30 - 2012-06-23 07:30 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_23_21_0_34.dmp
2012-06-23 05:41 - 2012-06-23 05:41 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_23_19_11_9.dmp
2012-06-22 20:31 - 2012-06-22 20:31 - 00022444 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_23_10_1_26.dmp
2012-06-22 04:24 - 2012-06-22 04:24 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_22_17_54_22.dmp
2012-06-22 02:29 - 2012-06-22 02:29 - 00022035 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_22_15_59_56.dmp
2012-06-22 02:01 - 2012-06-22 02:01 - 00000020 ____A C:\Users\Admin\Documents\gpfax.adr
2012-06-22 02:01 - 2012-06-22 02:01 - 00000008 ____A C:\Users\Admin\Documents\gpfax.idx
2012-06-22 01:48 - 2012-06-22 01:48 - 00266288 ____A C:\Windows\Minidump\062212-21808-01.dmp
2012-06-21 23:38 - 2012-06-21 23:37 - 11875442 ____A (Macromedia, Inc.) C:\Users\Admin\Downloads\gtm_awareness.exe
2012-06-21 20:29 - 2012-06-21 20:29 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_22_9_59_37.dmp
2012-06-21 11:03 - 2012-06-21 11:03 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_22_0_33_51.dmp
2012-06-21 05:33 - 2012-06-21 05:33 - 00021040 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_21_19_3_45.dmp
2012-06-20 17:07 - 2012-06-20 17:07 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_21_6_37_57.dmp
2012-06-20 08:41 - 2012-06-20 08:41 - 00022035 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_20_22_11_6.dmp
2012-06-20 03:46 - 2012-06-20 03:46 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_20_17_16_1.dmp
2012-06-19 18:29 - 2012-06-19 18:29 - 00022240 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_20_7_59_22.dmp
2012-06-19 07:19 - 2012-06-19 07:19 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_19_20_49_59.dmp
2012-06-19 04:24 - 2012-06-19 04:24 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_19_17_54_18.dmp
2012-06-19 02:58 - 2012-06-19 02:58 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_19_16_28_27.dmp
2012-06-18 19:01 - 2012-06-18 19:01 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_19_8_31_35.dmp
2012-06-18 08:38 - 2012-06-18 08:38 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_18_22_8_15.dmp
2012-06-18 03:56 - 2012-06-18 03:56 - 00022035 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_18_17_26_15.dmp
2012-06-17 23:02 - 2012-06-17 23:02 - 00023960 ____A C:\{6E42CBB6-5B20-4E20-953A-B25E7A02AA33}
2012-06-17 22:59 - 2012-06-17 22:59 - 00002464 ____A C:\{71F71042-64DA-4B48-9520-46035A3366DE}
2012-06-17 10:33 - 2012-06-17 10:33 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_18_0_3_26.dmp
2012-06-17 04:41 - 2012-06-17 04:41 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_17_18_11_51.dmp
2012-06-17 02:15 - 2012-06-17 02:15 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_17_15_45_5.dmp
2012-06-16 20:02 - 2012-06-16 20:02 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_17_9_32_15.dmp
2012-06-16 10:51 - 2012-06-16 10:51 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_17_0_21_31.dmp
2012-06-16 00:16 - 2012-06-16 00:16 - 00022083 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_16_13_46_55.dmp
2012-06-15 22:00 - 2012-06-15 22:00 - 00022035 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_16_11_30_4.dmp
2012-06-15 08:51 - 2012-06-15 08:51 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_15_22_21_42.dmp
2012-06-15 03:08 - 2012-06-15 03:08 - 00023448 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_15_16_38_15.dmp
2012-06-14 10:30 - 2012-06-14 10:30 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_15_0_0_45.dmp
2012-06-14 07:14 - 2012-06-14 07:14 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_14_20_44_36.dmp
2012-06-14 04:10 - 2012-06-14 04:10 - 00021138 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_14_17_40_52.dmp
2012-06-13 09:05 - 2012-06-13 09:05 - 00022173 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_13_22_35_43.dmp
2012-06-13 04:17 - 2012-06-13 04:17 - 00022490 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_13_17_47_39.dmp
2012-06-12 20:02 - 2012-06-12 20:02 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_13_9_32_20.dmp
2012-06-12 18:31 - 2012-06-12 18:31 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_13_8_1_16.dmp
2012-06-12 10:39 - 2012-06-12 10:38 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_13_0_8_57.dmp
2012-06-12 03:50 - 2012-06-12 03:50 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_12_17_20_22.dmp
2012-06-11 20:25 - 2012-06-11 20:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_12_9_55_11.dmp
2012-06-11 19:08 - 2012-07-11 18:36 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-11 18:09 - 2012-06-11 18:09 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_12_7_39_7.dmp
2012-06-11 07:30 - 2012-06-11 07:30 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_11_21_0_15.dmp
2012-06-10 20:02 - 2012-06-10 20:02 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_11_9_32_52.dmp
2012-06-10 05:12 - 2012-06-10 05:12 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_10_18_42_32.dmp
2012-06-10 01:52 - 2012-06-10 01:52 - 00019994 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_10_15_22_31.dmp
2012-06-09 18:25 - 2012-06-09 18:25 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_10_7_55_19.dmp
2012-06-09 11:24 - 2012-06-09 11:24 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_10_0_54_16.dmp
2012-06-09 08:14 - 2012-06-09 08:14 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_9_21_44_20.dmp
2012-06-08 21:43 - 2012-07-11 09:15 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-11 09:15 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-08 05:46 - 2012-06-08 05:46 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_8_19_16_11.dmp
2012-06-08 03:58 - 2012-06-08 03:58 - 00022490 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_8_17_28_2.dmp
2012-06-07 19:35 - 2012-06-07 19:35 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_8_9_5_33.dmp
2012-06-07 03:45 - 2012-06-07 03:45 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_7_17_15_30.dmp
2012-06-06 18:31 - 2012-06-06 18:31 - 00021897 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_7_8_1_37.dmp
2012-06-06 06:51 - 2012-06-06 06:51 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_6_20_21_54.dmp
2012-06-05 22:06 - 2012-07-11 09:15 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-11 09:15 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-11 09:09 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-11 09:15 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-11 09:15 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-11 09:09 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-05 07:38 - 2012-06-05 07:38 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_5_21_8_33.dmp
2012-06-05 03:55 - 2012-06-05 03:55 - 00022538 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_5_17_25_1.dmp
2012-06-04 18:25 - 2012-06-04 18:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_5_7_55_35.dmp
2012-06-04 11:22 - 2012-06-04 11:22 - 00022582 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_5_0_52_28.dmp
2012-06-04 06:57 - 2012-06-04 06:57 - 00455680 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deploytk.dll
2012-06-04 05:38 - 2012-06-04 05:38 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_4_19_8_40.dmp
2012-06-03 07:05 - 2012-06-03 07:05 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_3_20_35_2.dmp
2012-06-02 23:38 - 2012-06-02 23:38 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_3_13_8_20.dmp
2012-06-02 14:19 - 2012-06-25 17:46 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-25 17:46 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-25 17:46 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-25 17:46 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-25 17:46 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-25 17:46 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-25 17:46 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 07:04 - 2012-06-02 07:04 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_2_20_34_16.dmp
2012-06-02 04:49 - 2012-07-11 18:32 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-11 18:32 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-11 18:32 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-11 18:32 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-11 18:32 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-11 18:32 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-11 18:32 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-11 18:32 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-11 18:32 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-11 18:32 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-11 18:32 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-11 18:32 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-11 18:32 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-11 18:32 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:49 - 2012-06-25 17:46 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 01:45 - 2012-06-25 17:46 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-11 18:32 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-11 18:32 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-11 18:32 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-11 18:32 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-11 18:32 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 18:32 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-11 18:32 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-11 18:32 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 18:32 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 18:32 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-11 18:32 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-11 18:32 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 18:32 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 18:32 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-11 09:15 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-11 09:15 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-11 09:15 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-11 09:15 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-11 09:15 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-11 09:15 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-11 09:15 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-11 09:15 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-11 09:15 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-06-01 09:08 - 2012-06-01 09:08 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_1_22_38_46.dmp
2012-06-01 04:06 - 2012-06-01 04:06 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_1_17_36_44.dmp
2012-06-01 03:44 - 2012-06-01 03:42 - 02900480 ____A C:\Users\Admin\Downloads\102808_62341_ppt.exe
2012-06-01 03:44 - 2012-06-01 03:38 - 12433498 ____A (Macromedia, Inc.) C:\Users\Admin\Downloads\otm_gtm_tech_architecture.exe
2012-06-01 01:38 - 2009-07-13 18:34 - 00000824 ____A C:\Windows\System32\Drivers\etc\hostsOrig
2012-05-31 22:23 - 2012-05-31 22:23 - 02895009 ____A C:\Users\Admin\Downloads\E14525_01.zip
2012-05-31 22:16 - 2012-05-31 22:16 - 08674124 ____A C:\Users\Admin\Downloads\E20111_01.zip
2012-05-31 18:23 - 2012-05-31 18:23 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_6_1_7_53_55.dmp
2012-05-31 09:52 - 2012-05-31 09:52 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_31_23_22_36.dmp
2012-05-31 04:12 - 2012-05-31 04:12 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_31_17_42_0.dmp
2012-05-24 09:37 - 2012-05-24 09:37 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_24_23_7_5.dmp
2012-05-24 05:14 - 2012-05-24 05:14 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_24_18_44_56.dmp
2012-05-24 01:31 - 2012-05-24 01:31 - 00022129 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_24_15_1_27.dmp
2012-05-23 20:40 - 2012-05-23 20:40 - 00021086 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_24_10_10_19.dmp
2012-05-23 05:22 - 2012-05-23 05:22 - 00021184 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_23_18_52_47.dmp
2012-05-22 21:41 - 2012-05-22 21:41 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_23_11_11_19.dmp
2012-05-22 21:12 - 2012-05-22 21:12 - 00001028 ____A C:\Users\Public\Desktop\PSWizard.lnk
2012-05-22 18:37 - 2012-05-22 18:37 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_23_8_7_25.dmp
2012-05-22 07:07 - 2012-05-22 07:07 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_22_20_37_49.dmp
2012-05-22 05:16 - 2012-05-22 05:16 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_22_18_46_49.dmp
2012-05-22 04:02 - 2012-05-22 04:02 - 00021184 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_22_17_32_15.dmp
2012-05-21 19:33 - 2012-05-21 19:33 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_22_9_3_56.dmp
2012-05-21 09:54 - 2012-05-21 09:54 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_21_23_24_42.dmp
2012-05-21 01:32 - 2012-05-21 01:14 - 00006541 ____A C:\Windows\SysWOW64\jupdate-1.6.0_07-b06.log
2012-05-21 01:19 - 2012-05-21 01:19 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_21_14_49_20.dmp
2012-05-21 01:13 - 2012-05-21 01:02 - 15984024 ____A C:\Users\Admin\Downloads\oaj2se.exe
2012-05-20 23:59 - 2012-05-20 22:18 - 00016504 ____A C:\Users\Admin\Downloads\p14076370_7313_WINNT64.zip
2012-05-20 21:43 - 2012-05-20 21:43 - 00001860 ____A C:\Users\Public\Desktop\Network Recording Player.lnk
2012-05-20 18:59 - 2012-05-20 18:59 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_21_8_29_30.dmp
2012-05-20 08:14 - 2012-05-20 08:14 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_20_21_44_13.dmp
2012-05-19 21:31 - 2012-05-19 21:31 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_20_11_1_28.dmp
2012-05-19 04:59 - 2012-05-19 04:59 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_19_18_29_9.dmp
2012-05-18 20:58 - 2012-05-18 20:58 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_19_10_28_56.dmp
2012-05-18 18:25 - 2012-05-18 18:25 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_19_7_55_54.dmp
2012-05-18 10:23 - 2012-05-18 10:23 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_18_23_53_19.dmp
2012-05-18 09:57 - 2012-05-02 02:41 - 00002388 ____A C:\Users\Public\Desktop\Norton AntiVirus.lnk
2012-05-18 07:05 - 2012-05-18 07:05 - 00021346 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_18_20_35_53.dmp
2012-05-18 03:10 - 2012-05-18 03:10 - 00892360 ____A (Oracle Corporation) C:\Users\Admin\Downloads\jxpiinstall.exe
2012-05-18 03:08 - 2012-05-18 03:09 - 00544032 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-05-18 03:08 - 2012-05-18 00:17 - 00525600 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-05-18 03:00 - 2012-05-18 03:00 - 00000000 ____A C:\Windows\SysWOW64\cd.dat
2012-05-17 22:50 - 2012-05-17 22:48 - 00010686 ____A C:\Windows\SysWOW64\jupdate-1.5.0_22-b03.log
2012-05-17 19:07 - 2012-05-17 19:07 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_18_8_37_40.dmp
2012-05-17 08:12 - 2012-05-17 08:12 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_17_21_42_4.dmp
2012-05-17 05:20 - 2012-05-17 05:20 - 00000000 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_17_18_50_31.dmp
2012-05-17 03:47 - 2012-05-17 03:47 - 00022081 ____A C:\Windows\SysWOW64\nmesrvc_core_2012_5_17_17_17_35.dmp
ZeroAccess:
C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}
C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\@
C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\L
C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U
C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\L\201d3dde
C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U\00000008.@
C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U\80000032.@
C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U\80000064.@
ZeroAccess:
C:\Users\Admin\AppData\Local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}
C:\Users\Admin\AppData\Local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\@
C:\Users\Admin\AppData\Local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\L
C:\Users\Admin\AppData\Local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 14%
Total physical RAM: 4039.86 MB
Available physical RAM: 3435.06 MB
Total Pagefile: 4038.06 MB
Available Pagefile: 3429.48 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:97.56 GB) (Free:59.39 GB) NTFS
2 Drive e: () (Fixed) (Total:146.48 GB) (Free:96.4 GB) NTFS
3 Drive f: () (Fixed) (Total:221.62 GB) (Free:137.71 GB) NTFS
5 Drive h: (Transcend) (Removable) (Total:7.59 GB) (Free:6.53 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 7788 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 97 GB 101 MB
Partition 3 Primary 146 GB 97 GB
Partition 4 Primary 221 GB 244 GB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 97 GB Healthy
==================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E NTFS Partition 146 GB Healthy
==================================================================================
Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F NTFS Partition 221 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7787 MB 944 KB
==================================================================================
Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H Transcend FAT32 Removable 7787 MB Healthy
==================================================================================
Last Boot: 2012-08-07 08:24
======================= End Of Log ==========================

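The FRST output above shows the two findings the rest of the thread acts on: the ZeroAccess directory layout under C:\Windows\Installer and the user's AppData\Local ({GUID}\@, \L, \U, with U\NNNNNNNN.@ payload files, plus the Desktop.ini entries under assembly\GAC_32 and GAC_64), and the services.exe MD5 mismatch in the Bamital & volsnap check. The Python script below is an added example, not part of the thread or of FRST, that reproduces those checks against a constructed temporary directory tree. The stand-in file contents, the benign GUID-named folder, and the known-good backup location (modelled on the C:\Windows\erdnt\cache64 copy the later fixlist restores from) are assumptions made for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Directory name of the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Payload names under U\ as seen in the log: eight hex digits plus ".@".
PAYLOAD = re.compile(r"^[0-9a-f]{8}\.@$", re.I)


def find_zeroaccess_dirs(root):
    """Return [(dir, [payload names])] for GUID-named directories directly
    under *root* that carry the "@", "L" and "U" entries FRST listed.
    Requiring all three keeps ordinary GUID-named MSI cache folders under
    C:\\Windows\\Installer from being flagged."""
    root = Path(root)
    hits = []
    if not root.is_dir():
        return hits
    for entry in root.iterdir():
        if not (entry.is_dir() and GUID_DIR.match(entry.name)):
            continue
        names = {p.name for p in entry.iterdir()}
        if not {"@", "L", "U"} <= names:
            continue
        u = entry / "U"
        payloads = sorted(p.name for p in u.iterdir()
                          if p.is_file() and PAYLOAD.match(p.name)) if u.is_dir() else []
        hits.append((str(entry), payloads))
    return hits


def gac_desktop_ini(windows_dir):
    """FRST flagged Desktop.ini under assembly\\GAC_32 and GAC_64; report the
    ones that exist so the operator can inspect them."""
    return [str(p) for p in (Path(windows_dir) / "assembly" / d / "Desktop.ini"
                             for d in ("GAC_32", "GAC_64")) if p.exists()]


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_against_backup(live, backup):
    """Same idea as FRST's "MD5 is legit" line: hash the live binary and a
    known-good copy and report whether they agree."""
    live_md5, backup_md5 = md5_of(live), md5_of(backup)
    return {"path": str(live), "match": live_md5 == backup_md5,
            "live_md5": live_md5, "backup_md5": backup_md5}


def build_demo_tree(base):
    """Constructed stand-in for the infected layout; nothing here is real code."""
    base = Path(base)
    win = base / "Windows"
    za = win / "Installer" / "{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}"
    (za / "L").mkdir(parents=True)
    (za / "U").mkdir()
    (za / "@").write_bytes(b"placeholder")  # the log does not say whether "@" is a file or a directory
    (za / "U" / "00000008.@").write_bytes(b"x")
    (za / "U" / "80000032.@").write_bytes(b"y")
    (win / "Installer" / "{11111111-2222-3333-4444-555555555555}").mkdir()  # benign MSI folder
    (win / "assembly" / "GAC_64").mkdir(parents=True)
    (win / "assembly" / "GAC_64" / "Desktop.ini").write_bytes(b"placeholder")
    (win / "System32").mkdir()
    (win / "erdnt" / "cache64").mkdir(parents=True)
    (win / "erdnt" / "cache64" / "services.exe").write_bytes(b"MZ clean stand-in")
    (win / "System32" / "services.exe").write_bytes(b"MZ patched stand-in")
    return win


def run_demo():
    """Build the tree, run the three checks, and return their results."""
    with tempfile.TemporaryDirectory() as tmp:
        win = build_demo_tree(tmp)
        dirs = find_zeroaccess_dirs(win / "Installer")
        inis = gac_desktop_ini(win)
        svc = check_against_backup(win / "System32" / "services.exe",
                                   win / "erdnt" / "cache64" / "services.exe")
    return dirs, inis, svc


if __name__ == "__main__":
    dirs, inis, svc = run_demo()
    for d, payloads in dirs:
        print("ZeroAccess layout:", d, payloads)
    for p in inis:
        print("GAC Desktop.ini present:", p)
    print("services.exe =>", "MD5 is legit" if svc["match"] else "MD5 mismatch <==== ATTENTION")
```

On a real machine you would point `find_zeroaccess_dirs` at C:\Windows\Installer and each user's AppData\Local, and `check_against_backup` at a copy of services.exe you trust (a backup taken before the infection, or the file from install media), rather than at the constructed tree; a hash match only proves the live file equals the reference, so the reference itself has to be trustworthy.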
#8 MrCharlie (Forum Deity, Experts, 28,193 posts, Male, So. Plainfield, New Jersey, USA)

Posted 14 August 2012 - 08:17 PM

OK, here you go... Please carefully carry out this procedure!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC

Malware Removal Expert

I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#9 shekhar (New Member, Members, 18 posts)

Posted 14 August 2012 - 08:50 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-08-2012
Ran by SYSTEM at 2012-08-14 21:41:21 Run:1
Running from H:\
==============================================
C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e} moved successfully.
C:\Users\Admin\AppData\Local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\erdnt\cache64\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====
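
Added example, not from the thread, from FRST or from any other tool named here: a defender-side triage script that checks a Windows directory tree for the artefact classes the fixlog above lists (the GUID folder under Windows\Installer and under AppData\Local, the Desktop.ini files in GAC_32/GAC_64, and a services.exe that no longer matches a known-good copy). It assumes a reference SHA-256 for a clean services.exe is available, that the "U" subfolder under the Installer GUID directory is the marker of interest, and that Desktop.ini does not belong in the GAC folders; the run at the bottom builds a constructed stand-in tree instead of touching a live system.

```python
"""Triage check for the artefact classes the FRST fixlog removed.

Walks a Windows-style directory tree (real, or the constructed stand-in
built by build_constructed_tree) and reports:
  1. a GUID-named folder under Windows\\Installer that holds a 'U' subfolder
  2. a GUID-named folder directly under any user's AppData\\Local
  3. a Desktop.ini inside Windows\\assembly\\GAC_32 or GAC_64
  4. System32\\services.exe whose SHA-256 differs from a reference hash
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Matches folder names such as {ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_zeroaccess_artifacts(root: Path, good_services_sha256: str) -> list:
    """Return a list of (category, path) findings under the given tree."""
    findings = []
    windows = root / "Windows"

    # 1. GUID folders under Windows\Installer that contain the 'U' subfolder
    installer = windows / "Installer"
    if installer.is_dir():
        for d in installer.iterdir():
            if d.is_dir() and GUID_DIR.match(d.name) and (d / "U").is_dir():
                findings.append(("installer_guid_dir", str(d)))

    # 2. GUID folders directly under each user's AppData\Local
    users = root / "Users"
    if users.is_dir():
        for user in users.iterdir():
            local = user / "AppData" / "Local"
            if not local.is_dir():
                continue
            for d in local.iterdir():
                if d.is_dir() and GUID_DIR.match(d.name):
                    findings.append(("appdata_guid_dir", str(d)))

    # 3. Desktop.ini dropped into the GAC folders (assumed foreign there)
    for gac in ("GAC_32", "GAC_64"):
        ini = windows / "assembly" / gac / "Desktop.ini"
        if ini.is_file():
            findings.append(("gac_desktop_ini", str(ini)))

    # 4. services.exe integrity against the caller-supplied reference hash
    svc = windows / "System32" / "services.exe"
    if svc.is_file() and sha256_file(svc) != good_services_sha256:
        findings.append(("services_exe_modified", str(svc)))
    return findings


def build_constructed_tree(base: Path) -> str:
    """Create a constructed stand-in tree reproducing the fixlog's artefacts.

    Returns the SHA-256 of the constructed 'clean' services.exe so the check
    has a reference to compare the on-disk (constructed, modified) copy against.
    """
    guid = "{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}"  # GUID named in the fixlog
    (base / "Windows" / "Installer" / guid / "U").mkdir(parents=True)
    (base / "Users" / "Admin" / "AppData" / "Local" / guid).mkdir(parents=True)
    for gac in ("GAC_32", "GAC_64"):
        d = base / "Windows" / "assembly" / gac
        d.mkdir(parents=True)
        (d / "Desktop.ini").write_bytes(b"constructed placeholder\n")
    sys32 = base / "Windows" / "System32"
    sys32.mkdir(parents=True)
    clean = b"constructed clean services.exe\n"
    (sys32 / "services.exe").write_bytes(b"constructed modified services.exe\n")
    return hashlib.sha256(clean).hexdigest()


def demo() -> list:
    """Build the constructed tree in a temp dir and run the check over it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        reference = build_constructed_tree(base)
        return find_zeroaccess_artifacts(base, reference)


if __name__ == "__main__":
    for category, path in demo():
        print(f"{category:24s} {path}")
```

On a real machine the root would be the system drive and the reference hash would come from a known-good Windows image of the same build, as the fixlog's own cache copy under erdnt served here.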

#10 MrCharlie (Forum Deity; Experts; 28,193 posts; Gender: Male; Location: So. Plainfield, New Jersey, USA)

Posted 14 August 2012 - 09:10 PM

Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


#11 shekhar (New Member; Members; 18 posts)

Posted 14 August 2012 - 10:08 PM

ComboFix 12-08-14.05 - Admin 08/14/2012 22:49:35.2.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4040.2289 [GMT -4:00]
Running from: c:\users\Admin\Desktop\ComboFix.exe
AV: Norton AntiVirus *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Norton AntiVirus *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-15 to 2012-08-15 )))))))))))))))))))))))))))))))
.
.
2012-08-15 04:32 . 2012-08-15 04:32 -------- d-----w- C:\FRST
2012-08-15 02:53 . 2012-08-15 02:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-15 02:32 . 2012-07-06 20:07 552960 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-08-15 00:03 . 2012-08-15 00:03 -------- d-----w- c:\program files\7-Zip
2012-08-14 22:19 . 2012-08-14 22:44 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-14 22:19 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-14 20:54 . 2012-08-14 20:54 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-08-12 15:06 . 2012-08-12 15:06 -------- d-----w- c:\windows\Sun
2012-08-12 13:25 . 2012-08-12 13:25 -------- d-----w- c:\users\Admin\AppData\Roaming\Malwarebytes
2012-08-12 13:25 . 2012-08-12 13:25 -------- d-----w- c:\programdata\Malwarebytes
2012-08-09 13:14 . 2012-08-09 13:17 -------- d-----w- c:\users\Admin\AppData\Local\NPE
2012-08-09 08:31 . 2012-08-12 02:30 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-08-02 06:12 . 2012-08-02 06:12 -------- d-----w- c:\users\Admin\AppData\Local\ElevatedDiagnostics
2012-07-26 13:08 . 2012-07-30 13:06 -------- d-----w- c:\users\Admin\Tracing
2012-07-24 12:24 . 2012-07-24 12:24 -------- d-----w- c:\users\Admin\AppData\Roaming\Canon
2012-07-16 05:59 . 2012-07-16 07:03 -------- d-----w- c:\users\Admin\AppData\Roaming\FileZilla
2012-07-16 05:59 . 2012-07-16 05:59 -------- d-----w- c:\program files (x86)\FileZilla FTP Client
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 02:27 . 2012-05-13 05:13 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-08-15 00:19 . 2012-05-07 07:15 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-15 00:19 . 2012-05-07 07:15 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-06 21:46 . 2012-05-18 04:59 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-06-09 05:43 . 2012-07-11 17:15 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 12:49 . 2012-06-06 12:49 1070152 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-06-06 06:06 . 2012-07-11 17:15 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-11 17:15 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-11 17:09 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-11 17:15 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-11 17:15 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-11 17:09 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-06-04 14:57 . 2012-06-04 14:57 455680 ----a-w- c:\windows\system32\deploytk.dll
2012-06-02 22:19 . 2012-06-26 01:46 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-26 01:46 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-26 01:46 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-26 01:46 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-26 01:46 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-26 01:46 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-26 01:46 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 09:49 . 2012-06-26 01:46 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 09:45 . 2012-06-26 01:46 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 05:50 . 2012-07-11 17:15 458704 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 05:48 . 2012-07-11 17:15 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:48 . 2012-07-11 17:15 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:45 . 2012-07-11 17:15 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:44 . 2012-07-11 17:15 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 04:40 . 2012-07-11 17:15 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:40 . 2012-07-11 17:15 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:39 . 2012-07-11 17:15 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:34 . 2012-07-11 17:15 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2012-05-18 11:08 . 2012-05-18 11:09 544032 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-18 11:08 . 2012-05-18 08:17 525600 ----a-w- c:\windows\system32\deployJava1.dll
1996-05-22 10:19 . 1996-05-22 10:19 25088 ----a-w- c:\program files (x86)\ZAPGRAB2.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"googletalk"="c:\program files (x86)\Google\Google Talk\googletalk.exe" [2007-11-21 3289088]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2012-02-22 6591800]
"NetSP - restore settings on power failure"="c:\program files (x86)\AT&T Global Network Client\NetSP.exe" [2012-03-28 55136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-02-18 283160]
"332BigDog"="c:\program files (x86)\USB Camera2\VM332_STI.EXE" [2010-01-19 536576]
"UpdatePRCShortCut"="c:\program files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-13 222504]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2012-05-23 371896]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-20 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AT&T Global Network Client Monitor.lnk - c:\windows\Installer\{37880B62-627C-4F6B-BB85-984BB7E26125}\NetGM1_89563E53ECF44E868145468A128BDC83.exe [2012-6-29 91504]
Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2010-12-14 1133856]
Google Calendar Sync.lnk - c:\program files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Citrix\ICACLI~1\RSHook.dll
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-07 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 250056]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-21 129976]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-01-05 340240]
R3 OracleOraDb11g_home1ClrAgent;OracleOraDb11g_home1ClrAgent;d:\app\Admin\product\11.2.0\dbhome_1\bin\OraClrAgnt.exe [2010-02-27 38400]
R3 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;d:\app\Admin\product\11.2.0\dbhome_1\BIN\TNSLSNR [x]
R3 OracleServiceORCL;OracleServiceORCL;d:\app\admin\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL [x]
R3 OracleVssWriterORCL;Oracle ORCL VSS Writer Service;d:\app\admin\product\11.2.0\dbhome_1\bin\OraVSSW.exe ORCL [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUVStor.sys [2010-09-30 299520]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-05-03 1255736]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-21 121840]
R4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;d:\app\admin\product\11.2.0\dbhome_1\Bin\extjob.exe ORCL [x]
S0 LHDmgr;LHDmgr;c:\windows\System32\DRIVERS\LhdX64.sys [2012-05-02 39008]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAVx64\1307010.005\SYMDS64.SYS [2011-07-26 451192]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAVx64\1307010.005\SYMEFA64.SYS [2012-03-29 1092728]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120804.001\BHDrvx64.sys [2012-06-19 1161376]
S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAVx64\1307010.005\ccSetx64.sys [2011-11-29 167048]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2012-05-17 93272]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120810.001\IDSvia64.sys [2012-06-14 509088]
S1 NEOFLTR_650_15977;Juniper Networks TDI Filter Driver (NEOFLTR_650_15977);c:\windows\system32\Drivers\NEOFLTR_650_15977.SYS [2010-06-04 100472]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAVx64\1307010.005\Ironx64.SYS [2012-03-29 190072]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NAVx64\1307010.005\SYMNETS.SYS [2012-03-29 405624]
S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-02-18 13336]
S2 JuniperAccessService;Juniper Unified Network Service;c:\program files (x86)\Common Files\Juniper Networks\JUNS\dsAccessService.exe [2011-06-02 198520]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S2 NAV;Norton AntiVirus;c:\program files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe [2012-03-27 138232]
S2 NetClientSvc;AT&T Global Network Client Service;c:\program files (x86)\AT&T Global Network Client\NetClientSvc.exe [2012-03-28 370528]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-07-05 3048136]
S2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe [2011-06-24 317296]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-21 2656280]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-05-18 641464]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2012-05-02 29792]
S3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys [2010-12-15 349224]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-12-15 39464]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-09 138912]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 317440]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-10-21 76912]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]
S3 NetLogSvc;NetLogSvc;c:\program files (x86)\AT&T Global Network Client\NetLogSvc.exe [2012-03-28 82272]
S3 vm2uvcflt;Vimicro USB Camera Filter 2;c:\windows\system32\Drivers\vm2uvcflt.sys [2010-09-21 15056]
S3 vm332avs;Lenovo Camera2;c:\windows\system32\Drivers\vm332avs.sys [2010-12-10 234960]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 00:19]
.
2012-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-325862687-2821830248-2684448362-1000Core.job
- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-10 16:01]
.
2012-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-325862687-2821830248-2684448362-1000UA.job
- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-10 16:01]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-29 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-29 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-29 418840]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-01-05 1933584]
"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2012-05-02 9753024]
"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\Utility.exe" [2012-05-02 5908928]
"UpdatePRCShortCut"="c:\program files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-13 222504]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = hxxp://in.yahoo.com/?fr=fp-spt_gen
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
Trusted Zone: solutionbeacon.net
TCP: DhcpNameServer = 172.16.0.1
TCP: Interfaces\{38F75B14-47DE-47B4-AEBE-9D57EE0B3643}: NameServer = 155.132.2.31,155.132.9.10
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.ultradent.com/CACHE/stc/2/binaries/vpnweb.cab
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ncfa4qkh.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
.
.
------- File Associations -------
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=c:\windows\System32\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - c:\program files (x86)\Hotspot Shield\HssIE\HssIE_64.dll
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NAV]
"ImagePath"="\"c:\program files (x86)\Norton AntiVirus\Engine\19.7.1.5\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files (x86)\Norton AntiVirus\Engine\19.7.1.5\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\OracleOraDb11g_home1ClrAgent]
"ImagePath"="d:\app\Admin\product\11.2.0\dbhome_1\bin\OraClrAgnt.exe agent_sid=CLRExtProc max_dispatchers=2 tcp_dispatchers=0 max_task_threads=6 max_sessions=25 ENVS=\"EXTPROC_DLLS=ONLY:d:\app\Admin\product\11.2.0\dbhome_1\bin\oraclr11.dll\""
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\OracleOraDb11g_home1TNSListener]
"ImagePath"="d:\app\Admin\product\11.2.0\dbhome_1\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Juniper Networks\Common Files\dsNcService.exe
c:\program files (x86)\AT&T Global Network Client\netcfgsvr.exe
d:\app\Admin\product\11.2.0\dbhome_1\bin\omtsreco.exe
d:\app\Admin\product\11.2.0\dbhome_1\jdk\bin\java.exe
c:\program files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
c:\program files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe
c:\windows\SysWOW64\RunDll32.exe
c:\program files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe
c:\program files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-08-14 23:02:09 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-15 03:02
.
Pre-Run: 62,695,464,960 bytes free
Post-Run: 62,335,385,600 bytes free
.
- - End Of File - - 0C73BE7F1B9690BAC3F90F2ABF9775E9

#12 MrCharlie (Forum Deity; Experts; 28,193 posts; Gender: Male; Location: So. Plainfield, New Jersey, USA)

Posted 15 August 2012 - 06:20 AM

Looks Good.....

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now. MrC


#13 MrCharlie (Forum Deity; Experts; 28,193 posts; Gender: Male; Location: So. Plainfield, New Jersey, USA)

Posted 18 August 2012 - 04:12 PM

How are we doing??

Do you still need help or can I close this post??

MrC


#14 Maurice Naggar (Staff; Moderators; 14,550 posts; Gender: Male; Location: USA; Interests: Security, Windows, Windows Update, malware prevention)

Posted 20 August 2012 - 06:45 AM

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Maurice Naggar
Product Support

I close my threads if there are 5 days without a response.



