
trojan dropper svchost fake



From what I can tell, this virus is preventing me from running Malwarebytes by shutting my machine off during the scan.

The logs I'm instructed to give here (http://forums.malwarebytes.org//index.php?showtopic=9573) are copied and attached, as requested.

DDS text:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_31

Run by Michele at 20:19:21 on 2012-07-26

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3838.2390 [GMT -4:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

C:\Windows\system32\svchost.exe -k apphost

C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe

C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe

C:\Windows\system32\svchost.exe -k HsfXAudioService

C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe

c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe

C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe

c:\Program Files\Microsoft SQL Server\MSRS10_50.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe

C:\Windows\system32\svchost.exe -k iissvcs

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\fdhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe

C:\Program Files (x86)\Video Web Camera\traybar.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Gateway\Gateway Power Management\ePowerEvent.exe

C:\Program Files (x86)\Video Web Camera\CEC_MAIN.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files (x86)\Launch Manager\LManager.exe

C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe

C:\Program Files (x86)\Cyberlink\PowerDVD8\PDVD8Serv.exe

C:\Program Files (x86)\IOGEAR Auto Printer Sharing Switch\AutoPrt.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11f_ActiveX.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uSearch Bar = Preserve

uStart Page = hxxp://www.google.com/

mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv52_series&r=2736110995b6l0340z195a4891t228

mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv52_series&r=2736110995b6l0340z195a4891t228

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - C:\Program Files (x86)\Google\Chrome\Application\20.0.1132.57\npchrome_frame.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

uRun: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

uRunOnce: [Application Restart #2] C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --automation-channel=ChromeTestingInterface:4300.2 --chrome-frame --no-first-run --disable-background-mode --disable-popup-blocking --disable-print-preview --user-data-dir="C:\Users\Michele\AppData\Local\Google\Chrome Frame\User Data\iexplore" --chrome-version=18.0.1025.168 --lang=en-US --flag-switches-begin --flag-switches-end --restore-last-session

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [backupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [Camera Assistant Software] "C:\Program Files (x86)\Video Web Camera\traybar.exe"

mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe

mRun: [CLMLServer] "c:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"

mRun: [RemoteControl8] "c:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [iOGEAR Auto Printer Sharing Switch] C:\Program Files (x86)\IOGEAR Auto Printer Sharing Switch\AutoPrt.exe start

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL

Trusted Zone: intuit.com\ttlc

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://webvpn.progress-energy.com/CACHE/stc/3/binaries/vpnweb.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{990FC366-3581-4E0F-9180-5B2B0892A93E} : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{990FC366-3581-4E0F-9180-5B2B0892A93E}\C41626F69725F657475627 : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{B5B3D626-D852-44BC-9022-67E0A9E25F76} : DhcpNameServer = 192.168.1.254

Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files (x86)\Google\Chrome\Application\20.0.1132.57\npchrome_frame.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: ChromeFrame BHO: {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files (x86)\Google\Chrome\Application\20.0.1132.57\npchrome_frame.dll

BHO-X64: ChromeFrame BHO - No File

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [backupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [Camera Assistant Software] "C:\Program Files (x86)\Video Web Camera\traybar.exe"

mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe

mRun-x64: [CLMLServer] "c:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"

mRun-x64: [RemoteControl8] "c:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [iOGEAR Auto Printer Sharing Switch] C:\Program Files (x86)\IOGEAR Auto Printer Sharing Switch\AutoPrt.exe start

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRunOnce-x64: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Michele\AppData\Roaming\Mozilla\Firefox\Profiles\gm1kwx2x.default\

FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\npjpi160_31.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll

FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Program Files\Microsoft\Web Platform Installer\NPWPIDetector.dll

FF - plugin: C:\Users\Michele\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - C:\Users\Michele\AppData\Roaming\Move Networks

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]

R2 ePowerSvc;Acer ePower Service;C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe [2009-10-3 844320]

R2 Greg_Service;GRegService;C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [2009-6-4 1150496]

R2 HsfXAudioService;HsfXAudioService;C:\Windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]

R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-8-25 13672]

R2 MsDepSvc;Web Deployment Agent Service;C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [2011-4-1 67400]

R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-8-20 62720]

R2 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSRS10_50.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2011-4-24 2175328]

R2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2009-8-15 240160]

R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-2-3 427192]

R3 CAXHWAZL;CAXHWAZL;C:\Windows\system32\DRIVERS\CAXHWAZL.sys --> C:\Windows\system32\DRIVERS\CAXHWAZL.sys [?]

R3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]

R3 MSSQLFDLauncher$SQLEXPRESS;SQL Full-text Filter Daemon Launcher (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe [2010-4-3 32096]

R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]

S3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]

S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-31 135664]

S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]

S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]

S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]

S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2010-4-3 59744]

S4 RsFx0150;RsFx0150 Driver;C:\Windows\system32\DRIVERS\RsFx0150.sys --> C:\Windows\system32\DRIVERS\RsFx0150.sys [?]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-4-24 428384]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2012-07-26 23:34:29 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2012-07-26 23:34:26 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-07-26 23:34:25 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-07-26 22:41:34 -------- d-----w- C:\Users\Michele\AppData\Local\{D9A15D1F-4D54-4282-9308-8C4AD67861C2}

2012-07-26 22:40:50 -------- d-----w- C:\Users\Michele\AppData\Local\{2BF79A84-8F7F-415B-9CCB-023415E44D2D}

2012-07-26 21:57:52 -------- d-----w- C:\Users\Michele\AppData\Local\{7B3599E8-EB08-435F-B466-D618F6FA91F5}

2012-07-26 19:23:35 -------- d-----w- C:\Users\Michele\AppData\Local\{20947E5E-605B-440F-BA68-FD9B1226E83D}

2012-07-26 18:42:37 -------- d-----w- C:\Users\Michele\AppData\Local\{E36143E5-73A4-4A7E-BF64-20AA6669B2B4}

2012-07-26 18:10:15 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5C242EC8-EB8C-499F-A150-6320755E4209}\mpengine.dll

2012-07-26 18:09:08 -------- d-----w- C:\Users\Michele\AppData\Local\{3873BB2C-3750-46C4-AB8A-F314E5545516}

2012-07-26 13:22:14 -------- d-----w- C:\Users\Michele\AppData\Local\{C69D83ED-9C2E-4A5A-97CC-D8F23383F509}

2012-07-26 13:22:03 -------- d-----w- C:\Users\Michele\AppData\Local\{CE9ED033-A8BD-4AE2-88EF-69465F429052}

2012-07-26 13:21:30 -------- d-----w- C:\Users\Michele\AppData\Local\{82BBDADB-2396-41C3-9C2C-0737F2745413}

2012-07-26 01:21:13 -------- d-----w- C:\Users\Michele\AppData\Local\{66505DF6-53D6-4268-B8CD-DFE8B271D48D}

2012-07-26 01:20:58 -------- d-----w- C:\Users\Michele\AppData\Local\{AC9E9FF0-C03C-40E7-BE9C-22A08A190F41}

2012-07-26 01:20:43 -------- d-----w- C:\Users\Michele\AppData\Local\{927741F8-054B-4231-9873-24E6EBBAF401}

2012-07-25 13:20:02 -------- d-----w- C:\Users\Michele\AppData\Local\{7826658D-676D-490A-998B-6A8E6C1A48CE}

2012-07-25 13:19:27 -------- d-----w- C:\Users\Michele\AppData\Local\{1ABA9759-60C6-480E-BAF8-6F9EC7A981FA}

2012-07-25 01:18:58 -------- d-----w- C:\Users\Michele\AppData\Local\{1FA26169-6A10-4A2C-BD96-4975939F12D2}

2012-07-25 01:18:35 -------- d-----w- C:\Users\Michele\AppData\Local\{4228F05D-7AF0-4E44-9CE2-B08D4962B5E7}

2012-07-24 12:46:08 -------- d-----w- C:\Users\Michele\AppData\Local\{A5D6EF4D-F461-4891-8B55-3766CC9C973D}

2012-07-24 12:45:56 -------- d-----w- C:\Users\Michele\AppData\Local\{E7B53425-2F8F-4F0C-BBC1-BB0791B39896}

2012-07-23 15:46:54 -------- d-----w- C:\Users\Michele\AppData\Local\{CE554528-62D8-42B4-9453-73A8E31D15A8}

2012-07-23 15:46:31 -------- d-----w- C:\Users\Michele\AppData\Local\{CD31EDE5-4C55-45A8-921E-2745C4912CFC}

2012-07-23 03:45:55 -------- d-----w- C:\Users\Michele\AppData\Local\{1F26D0D2-99AB-40E3-8440-B090280F55EC}

2012-07-23 03:45:37 -------- d-----w- C:\Users\Michele\AppData\Local\{C77D0978-4C8B-4F01-AEE2-E389EA921F94}

2012-07-22 15:45:23 -------- d-----w- C:\Users\Michele\AppData\Local\{C7D7FE81-37B9-4BE0-A5E0-89F31625A350}

2012-07-22 15:45:11 -------- d-----w- C:\Users\Michele\AppData\Local\{E21E3B46-64E1-43E4-AB3D-C16AE2448809}

2012-07-20 12:24:16 -------- d-----w- C:\Users\Michele\AppData\Local\{7FDBB3C1-E787-4803-98E8-6BC1E65163D1}

2012-07-20 12:24:05 -------- d-----w- C:\Users\Michele\AppData\Local\{F296FA8E-0328-402D-9686-D396BC0E11C6}

2012-07-20 12:23:54 -------- d-----w- C:\Users\Michele\AppData\Local\{054C6D22-13C0-4F6B-9A44-0580E96E1803}

2012-07-19 13:46:23 -------- d-----w- C:\Users\Michele\AppData\Local\{CC8E336C-13C5-41D2-90DA-B265572A30A2}

2012-07-19 13:46:12 -------- d-----w- C:\Users\Michele\AppData\Local\{1F0C136E-4C23-476D-A972-DA85C49E1EDA}

2012-07-19 13:46:01 -------- d-----w- C:\Users\Michele\AppData\Local\{285CB606-AA33-4412-8F0A-DD6408C61457}

2012-07-19 01:45:23 -------- d-----w- C:\Users\Michele\AppData\Local\{4AEDB81F-AFB5-4292-AE45-27EB85545D72}

2012-07-18 13:45:07 -------- d-----w- C:\Users\Michele\AppData\Local\{62AA159C-1286-4C04-8549-F5AA2451139A}

2012-07-18 13:13:46 -------- d-----w- C:\Users\Michele\AppData\Local\{889C9D21-FF50-4F26-88E4-4105101969A9}

2012-07-18 01:07:15 -------- d-----w- C:\Users\Michele\AppData\Local\{C5573620-59FE-4FFB-A7D7-B1460BD91EB4}

2012-07-18 01:06:58 -------- d-----w- C:\Users\Michele\AppData\Local\{A07D7B3B-E09F-4BF8-A08B-6F61FECD476F}

2012-07-17 13:06:44 -------- d-----w- C:\Users\Michele\AppData\Local\{B18DD70A-5B67-4BC6-99DA-18F88EA158A6}

2012-07-17 13:06:31 -------- d-----w- C:\Users\Michele\AppData\Local\{A39C3C17-890B-4002-AD03-806F481E0FA4}

2012-07-16 16:39:56 -------- d-----w- C:\Users\Michele\AppData\Local\{440DDBE1-428C-41A7-A867-9DA4876F3708}

2012-07-16 16:39:43 -------- d-----w- C:\Users\Michele\AppData\Local\{659AA748-24C1-4ED7-BE1B-1F050DABFADA}

2012-07-16 11:54:32 -------- d-----w- C:\Users\Michele\AppData\Local\{A555E003-2653-441A-A975-FC2BFBABBE7D}

2012-07-15 23:15:03 -------- d-----w- C:\Users\Michele\AppData\Local\{663B41E2-CE69-4174-B25D-6D78754E4A43}

2012-07-15 23:14:51 -------- d-----w- C:\Users\Michele\AppData\Local\{5B40EC8C-3D0D-432F-8226-16E434F8116E}

2012-07-15 23:14:40 -------- d-----w- C:\Users\Michele\AppData\Local\{A1BFC810-35EC-4DE5-AD55-DBB6456E7D36}

2012-07-15 19:45:47 77664 ----a-w- C:\Windows\System32\perf-ReportServer$SQLEXPRESS-rsctr.dll

2012-07-15 19:45:47 47968 ----a-w- C:\Windows\SysWow64\perf-ReportServer$SQLEXPRESS-rsctr.dll

2012-07-15 19:43:24 47456 ----a-w- C:\Windows\SysWow64\perf-MSSQL10_50.SQLEXPRESS-sqlagtctr.dll

2012-07-15 19:43:23 77152 ----a-w- C:\Windows\System32\perf-MSSQL10_50.SQLEXPRESS-sqlagtctr.dll

2012-07-15 19:42:41 79200 ----a-w- C:\Windows\System32\perf-MSSQL$SQLEXPRESS-sqlctr10.50.1600.1.dll

2012-07-15 19:42:41 73568 ----a-w- C:\Windows\SysWow64\perf-MSSQL$SQLEXPRESS-sqlctr10.50.1600.1.dll

2012-07-15 19:34:32 -------- d-----w- C:\Windows\System32\RsFx

2012-07-15 19:19:21 -------- d-----w- C:\Program Files\Microsoft Analysis Services

2012-07-15 19:19:21 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services

2012-07-15 11:13:57 -------- d-----w- C:\Users\Michele\AppData\Local\{953E6D52-3E15-4D82-A8BE-D04F7A040B3B}

2012-07-14 23:12:35 -------- d-----w- C:\Users\Michele\AppData\Local\{0365D254-70B8-4ADB-991E-0AD146111756}

2012-07-14 23:10:47 -------- d-----w- C:\Users\Michele\AppData\Local\{8ED7C8FA-399A-4B25-91F5-04E7EBFB8C6E}

2012-07-14 00:18:15 -------- d-----w- C:\e66a12832b4b4bc17735b97a91aaca

2012-07-13 21:28:15 -------- d-----w- C:\00a6006033da9cd7d0

2012-07-13 15:11:59 -------- d-----w- C:\Users\Michele\AppData\Local\{A011E925-D595-4FE8-8629-21641E9FB147}

2012-07-13 15:11:48 -------- d-----w- C:\Users\Michele\AppData\Local\{CB95C2F5-1BA6-4084-9D76-F39F29B86B7F}

2012-07-13 15:08:29 -------- d-----w- C:\Users\Michele\AppData\Local\{494F7108-5482-484A-AA39-E1CCCF1AC3E9}

2012-07-13 00:40:55 -------- d-----w- C:\Users\Michele\AppData\Local\{466A4F8B-5369-4A5F-AF79-8E4CBCB06E04}

2012-07-13 00:40:44 -------- d-----w- C:\Users\Michele\AppData\Local\{3B549F20-0B7A-4516-98EF-501E01080287}

2012-07-13 00:40:33 -------- d-----w- C:\Users\Michele\AppData\Local\{D8B1D8B4-29A0-4BF3-A919-45F9C691CA2D}

2012-07-13 00:40:09 -------- d-----w- C:\Users\Michele\AppData\Local\{ECC8AF5D-E057-4462-9259-36B8044F0EFD}

2012-07-12 15:31:29 -------- d-----w- C:\a3ec2b0277659583c37863d1

2012-07-12 13:28:34 82520 ----a-w- C:\Windows\System32\fssres.dll

2012-07-12 13:28:32 180312 ----a-w- C:\Windows\System32\hadrres.dll

2012-07-12 12:39:32 -------- d-----w- C:\Users\Michele\AppData\Local\{2C0B5707-8C66-44C4-A8D2-09F300AE4E6C}

2012-07-12 12:39:04 -------- d-----w- C:\Users\Michele\AppData\Local\{66133FBA-B679-44C2-BCEB-25A4D11F0907}

2012-07-12 12:01:50 -------- d-----w- C:\Users\Michele\AppData\Local\{73C598DA-AB34-4EF3-9527-5DFF298F0D74}

2012-07-12 00:59:32 -------- d-----w- C:\Program Files\Microsoft

2012-07-12 00:01:35 -------- d-----w- C:\Users\Michele\AppData\Local\{DB83AE61-9D92-46CA-8F58-E0A327656B6F}

2012-07-12 00:01:23 -------- d-----w- C:\Users\Michele\AppData\Local\{2F622762-9895-4154-8E77-753E93518D28}

2012-07-12 00:01:10 -------- d-----w- C:\Users\Michele\AppData\Local\{5C770DDE-2F98-489F-A8BC-E145520E2EDF}

2012-07-12 00:00:47 -------- d-----w- C:\Users\Michele\AppData\Local\{1311641E-81C9-457F-B68A-4D8AD62F06A2}

2012-07-11 22:08:19 -------- d-----w- C:\ProgramData\PreEmptive Solutions

2012-07-11 20:24:06 -------- d-----w- C:\Users\Michele\AppData\Roaming\Microsoft Corporation

2012-07-11 20:12:14 2378624 ----a-w- C:\ProgramData\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll

2012-07-11 19:56:36 -------- d-----w- C:\Program Files (x86)\Microsoft F#

2012-07-11 19:56:36 -------- d-----w- C:\Program Files (x86)\HTML Help Workshop

2012-07-11 19:56:34 -------- d-----w- C:\Program Files (x86)\Common Files\Merge Modules

2012-07-11 19:13:05 3148800 ----a-w- C:\Windows\System32\win32k.sys

2012-07-11 13:31:34 105824 ----a-w- C:\Windows\System32\SQSRVRES.DLL

2012-07-11 13:12:24 -------- d-----w- C:\Windows\SysWow64\BestPractices

2012-07-11 13:12:21 -------- d-----w- C:\Windows\System32\BestPractices

2012-07-11 13:12:20 -------- d-----w- C:\inetpub

2012-07-11 12:08:58 1499136 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll

2012-07-11 12:08:58 1019904 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll

2012-07-11 12:08:57 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll

2012-07-11 12:08:57 61440 ----a-w- C:\Program Files\Common Files\System\ado\msador15.dll

2012-07-11 12:08:57 57344 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msador15.dll

2012-07-11 12:08:57 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll

2012-07-11 12:08:57 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll

2012-07-11 12:08:57 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll

2012-07-11 12:08:57 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll

2012-07-11 12:08:57 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll

2012-07-11 12:08:57 212992 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll

2012-07-11 12:08:57 143360 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msjro.dll

2012-07-11 12:08:57 1133568 ----a-w- C:\Windows\System32\cdosys.dll

2012-07-11 12:00:19 -------- d-----w- C:\Users\Michele\AppData\Local\{0A0F1BB0-56CE-46F9-BC31-D52697BAA50F}

2012-07-11 12:00:07 -------- d-----w- C:\Users\Michele\AppData\Local\{96D98980-A032-4E51-9E50-B70D12E30553}

2012-07-11 11:59:56 -------- d-----w- C:\Users\Michele\AppData\Local\{D8E438C2-C37B-4D4D-855A-88EAC2BF1BDF}

2012-07-11 11:57:19 -------- d-----w- C:\Users\Michele\AppData\Local\{B7FDF109-1E67-4A5C-996F-2CEE1EAF06FD}

2012-07-11 00:28:41 -------- d-----w- C:\Program Files (x86)\NuGet 1.2

2012-07-11 00:09:01 -------- d-----w- C:\Program Files (x86)\IIS Express

2012-07-10 23:20:01 -------- d-----w- C:\ProgramData\VS

2012-07-10 23:13:40 -------- d-----w- C:\Program Files\IIS

2012-07-10 23:13:40 -------- d-----w- C:\Program Files (x86)\IIS

2012-07-10 23:13:06 588256 ----a-w- C:\ProgramData\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll

2012-07-10 23:09:58 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 10.0

2012-07-10 23:08:49 -------- d-----w- C:\Program Files\Microsoft Visual Studio 10.0

2012-07-10 23:08:49 -------- d-----w- C:\Program Files\Microsoft Help Viewer

2012-07-10 20:57:21 -------- d-----w- C:\NUnitRTM

2012-07-10 13:40:05 -------- d-----w- C:\Users\Michele\AppData\Local\{8F45D661-D943-496E-88FA-7B714956DBB7}

2012-07-10 13:39:50 -------- d-----w- C:\Users\Michele\AppData\Local\{F61C0AEE-CA94-4CC3-AE4C-F880FA577CD7}

2012-07-10 00:20:20 -------- d-----w- C:\Users\Michele\AppData\Local\{8A704ED1-44F9-4EA1-BE03-570325041746}

2012-07-10 00:19:58 -------- d-----w- C:\Users\Michele\AppData\Local\{62A5AE27-487F-4448-90F5-29C1C373C860}

2012-07-10 00:19:46 -------- d-----w- C:\Users\Michele\AppData\Local\{ABA20487-76FB-4EC4-8D3B-62D96ECF1CF6}

2012-07-09 12:19:21 -------- d-----w- C:\Users\Michele\AppData\Local\{ED6425A1-D7CC-46F1-9A1C-0E4A6B3741CD}

2012-07-09 12:19:10 -------- d-----w- C:\Users\Michele\AppData\Local\{A5C98C1B-0146-44CB-9001-2F8A5A3EA467}

2012-07-09 12:18:45 -------- d-----w- C:\Users\Michele\AppData\Local\{8FBEC88E-4478-4B98-A8F5-24C988674D97}

2012-07-08 14:39:10 -------- d-----w- C:\Users\Michele\AppData\Local\{5F485DD8-71E6-4BDF-9BC2-80C143702AB0}

2012-07-08 14:38:58 -------- d-----w- C:\Users\Michele\AppData\Local\{CF1721F5-AD1D-413A-B3D7-56E87E4A66B9}

2012-07-08 14:29:40 -------- d-----w- C:\Users\Michele\AppData\Local\{284BD623-EB9E-4A5B-8EC5-D37AC543AC80}

2012-07-08 14:29:28 -------- d-----w- C:\Users\Michele\AppData\Local\{63BF8F29-2B12-4AFB-A1E9-A72FA744AE42}

2012-07-08 01:25:09 -------- d-----w- C:\Users\Michele\AppData\Local\{60E6452D-D7FB-4C34-B697-506009C48349}

2012-07-08 01:24:57 -------- d-----w- C:\Users\Michele\AppData\Local\{48F531F3-BC87-48E1-950E-858E9B1E3B1B}

2012-07-07 10:08:28 -------- d-----w- C:\Users\Michele\AppData\Local\{B33871C5-2223-4A12-9A37-194A0F11E6AE}

2012-07-07 10:08:12 -------- d-----w- C:\Users\Michele\AppData\Local\{32114374-EEB2-426D-AA36-BAA50CFE992E}

2012-07-07 00:10:23 -------- d-----w- C:\Users\Michele\AppData\Local\{E46BEE47-C748-43E5-8AE7-F62843FBC92B}

2012-07-07 00:10:11 -------- d-----w- C:\Users\Michele\AppData\Local\{E58608CF-A662-4AED-9990-5C5C23D0863E}

2012-07-07 00:08:29 -------- d-----w- C:\Users\Michele\AppData\Roaming\Malwarebytes

2012-07-07 00:08:25 -------- d-----w- C:\ProgramData\Malwarebytes

2012-07-07 00:04:10 -------- d-----w- C:\Users\Michele\AppData\Local\{434C9B33-EE46-4B52-B3EA-CA4234C48BE8}

2012-07-07 00:03:55 -------- d-----w- C:\Users\Michele\AppData\Local\{BFC3C571-A978-4EF3-92A6-93D62A7FEB32}

2012-07-06 13:34:57 -------- d-----w- C:\Users\Michele\AppData\Local\{66E14247-0D06-4F4D-A9E3-6601C3B04E1B}

2012-07-06 13:34:44 -------- d-----w- C:\Users\Michele\AppData\Local\{004A8557-1092-4251-B656-DEB4ED3E3158}

2012-07-06 01:21:40 -------- d-----w- C:\Users\Michele\AppData\Local\{2AADA8AD-0200-4C4B-A474-1CEC92BC557D}

2012-07-06 01:21:16 -------- d-----w- C:\Users\Michele\AppData\Local\{E5420924-E8DD-490C-8317-8F060927B911}

2012-07-05 13:21:53 -------- d-----w- C:\Users\Michele\AppData\Local\{DE67DC0F-33AF-400C-823E-12B2F4570DAF}

2012-07-05 13:21:17 -------- d-----w- C:\Users\Michele\AppData\Local\{05B5C523-2032-4996-B8CC-09FA35A65039}

2012-07-04 20:15:54 -------- d-----w- C:\Users\Michele\AppData\Local\{9DBB2EBD-DE13-4F5C-859F-BB77BB8791C3}

2012-07-04 20:15:42 -------- d-----w- C:\Users\Michele\AppData\Local\{99B3766B-A079-466B-82F1-CC3660581BE7}

2012-07-04 19:52:07 -------- d-----w- C:\Users\Michele\AppData\Local\{55829EE1-9D31-4E31-8F4A-B484CE12B369}

2012-07-04 19:51:52 -------- d-----w- C:\Users\Michele\AppData\Local\{C2E9C15E-FAD7-47AD-B7D2-F8F2B3F8B8D9}

2012-07-04 15:48:12 -------- d-----w- C:\Users\Michele\AppData\Local\{9D8BD0CC-A61F-4828-996D-E6501F77BD9D}

2012-07-04 15:48:00 -------- d-----w- C:\Users\Michele\AppData\Local\{9563928E-19AE-4E1D-9FFD-70E21A728070}

2012-07-04 15:47:33 -------- d-----w- C:\Users\Michele\AppData\Local\{F4C80855-9952-42ED-8B3A-1513A4F00B9D}

2012-07-04 15:47:20 -------- d-----w- C:\Users\Michele\AppData\Local\{95AFF68E-DBFE-426E-A313-961D3065FD35}

2012-07-04 00:24:50 -------- d-----w- C:\Users\Michele\AppData\Local\{B958455C-B2C0-4A62-80F0-7CC30184352D}

2012-07-04 00:24:25 -------- d-----w- C:\Users\Michele\AppData\Local\{A93E71A6-2BC6-46E3-B4BF-B1A3FAD6BDB5}

2012-07-04 00:23:02 -------- d-----w- C:\Users\Michele\AppData\Local\{F9745DDE-4F56-43D7-A7A7-270E6DCB44BB}

2012-07-04 00:22:31 -------- d-----w- C:\Users\Michele\AppData\Local\{671A2093-547A-4ED2-B453-CE7A8676D3D9}

2012-07-03 22:58:49 -------- d-----w- C:\Users\Michele\AppData\Local\{5061B38A-CDAA-491A-A313-048EA9462DE7}

2012-07-03 22:58:12 -------- d-----w- C:\Users\Michele\AppData\Local\{12E289C3-1E7D-413D-9935-FCDBC5F082C8}

2012-07-03 10:37:27 -------- d-----w- C:\Users\Michele\AppData\Local\{E8BD6DA8-0AE4-49B2-95C3-7FC7D4E05E71}

2012-07-03 10:36:51 -------- d-----w- C:\Users\Michele\AppData\Local\{E9B8BDE6-C742-4F34-A4E3-1E99474C6EE6}

2012-07-02 15:53:55 -------- d-----w- C:\Users\Michele\AppData\Local\{B26E442C-18F4-48F8-A5BB-FFC5F0005C63}

2012-07-02 15:53:42 -------- d-----w- C:\Users\Michele\AppData\Local\{D9B59E6D-069D-43F7-ADAC-BCF400AFE9F3}

2012-07-02 14:33:54 -------- d-----w- C:\Users\Michele\AppData\Local\{5E40A5F1-CB78-46D0-A268-BE1A8F1134FA}

2012-07-02 14:33:42 -------- d-----w- C:\Users\Michele\AppData\Local\{D1DD93DD-7BFF-452C-8900-A62C1A5304DF}

2012-07-02 12:17:25 -------- d-----w- C:\Users\Michele\AppData\Local\{BC5E3515-6F97-471E-8165-AEE55602792F}

2012-07-02 12:17:01 -------- d-----w- C:\Users\Michele\AppData\Local\{2AB5E607-7701-4183-8B90-5594BE7B00D4}

2012-07-02 00:17:13 -------- d-----w- C:\Users\Michele\AppData\Local\{ABD1ACA7-36B6-42F2-AF0B-7CDF90B807FD}

2012-07-02 00:17:01 -------- d-----w- C:\Users\Michele\AppData\Local\{504BAFC1-C4D5-43CB-9030-8D8E8464D036}

2012-07-01 01:24:46 -------- d-----w- C:\Users\Michele\AppData\Local\{A0C1B390-9781-4472-A6A9-AA44D5D02D65}

2012-07-01 01:24:35 -------- d-----w- C:\Users\Michele\AppData\Local\{3877B775-A724-4537-A737-37B3E227EBAC}

2012-06-30 21:17:33 -------- d-----w- C:\Users\Michele\AppData\Local\{0BA2454C-3FE3-4DB0-BF93-D9792B1F489E}

2012-06-30 00:17:19 -------- d-----w- C:\Users\Michele\AppData\Local\{DA2CA38D-A067-44E7-92D9-BBB649445BFB}

2012-06-30 00:16:53 -------- d-----w- C:\Users\Michele\AppData\Local\{BD454BD9-1DDB-48F9-A093-FA9C55563EB0}

2012-06-28 23:05:27 -------- d-----w- C:\Users\Michele\AppData\Local\{8453CD47-991F-4453-AAB3-11B34EE9DA28}

2012-06-28 23:05:15 -------- d-----w- C:\Users\Michele\AppData\Local\{C04342E7-1ACC-4F91-A964-930F207753EF}

2012-06-27 14:24:29 -------- d-----w- C:\Users\Michele\AppData\Local\{5A735838-2073-4B0F-AFAA-0BC8EF5DACAE}

.

==================== Find3M ====================

.

2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll

2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll

2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll

2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-06-02 19:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-06-02 19:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys

2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys

2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys

2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll

2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll

2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll

2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll

2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll

2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll

2012-05-31 16:25:12 279656 ----a-w- C:\Windows\System32\MpSigStub.exe

2012-05-15 04:01:31 1188864 ----a-w- C:\Windows\System32\wininet.dll

2012-05-15 03:03:54 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-05-01 05:40:20 209920 ----a-w- C:\Windows\System32\profsvc.dll

2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

.

============= FINISH: 20:21:04.36 ===============

- Michele

Attach.txt


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Michele [Admin rights]

Mode: Scan -- Date: 07/27/2012 07:42:58

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS545032B9A300 ATA Device +++++

--- User ---

[MBR] 3a97e95e6eede83ee629323686704eb5

[BSP] 197378bd88490744b0a380f8269312e7 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12000 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 24578048 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 24782848 | Size: 293143 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt


Here it is again from another account on my machine - this is the one I've actually seen the computer shut down from:

RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Michele [Admin rights]

Mode: Scan -- Date: 07/27/2012 07:50:06

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS545032B9A300 ATA Device +++++

--- User ---

[MBR] 3a97e95e6eede83ee629323686704eb5

[BSP] 197378bd88490744b0a380f8269312e7 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12000 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 24578048 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 24782848 | Size: 293143 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


Not much showing, let's run some scans.......

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


------------------------

Click the Start Scan button.


-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


--------------------

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

Sometimes these logs can be very large; in that case, please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


That third one was from the other account, btw.

Here's a scan today from the other account (the one that keeps shutting off when I run Malwarebytes on it).

By the way. While creating a restore point, I notice my points only go back to 7/16. I've had this laptop for over 2 1/2 years. Should there be more restore points - could the virus have deleted old ones?

- Michele

TDSSKiller.2.7.48.0_27.07.2012_14.46.13_log.txt


That was clean.............

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix 12-07-27.03 - Michele 07/27/2012 15:54:35.1.2 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3838.2476 [GMT -4:00]

Running from: c:\users\Michele\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-06-27 to 2012-07-27 )))))))))))))))))))))))))))))))

.

.

2012-07-27 20:05 . 2012-07-27 20:05 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-27 20:05 . 2012-07-27 20:05 -------- d-----w- c:\users\Onelchela\AppData\Local\temp

2012-07-27 11:42 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{06699AA0-CEB3-4777-AE0C-CC5E267D1219}\mpengine.dll

2012-07-26 23:34 . 2010-12-20 22:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys

2012-07-26 23:34 . 2010-12-20 22:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-26 23:34 . 2012-07-26 23:34 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-07-26 18:14 . 2012-07-26 18:14 -------- d-----w- c:\users\Onelchela\AppData\Roaming\Apple Computer

2012-07-26 15:05 . 2012-07-26 15:05 -------- d-----w- c:\users\Onelchela\AppData\Roaming\Malwarebytes

2012-07-25 19:33 . 2012-07-26 19:53 -------- d-----w- c:\users\DefaultAppPool

2012-07-14 00:18 . 2012-07-14 00:24 -------- d-----w- C:\e66a12832b4b4bc17735b97a91aaca

2012-07-13 21:28 . 2012-07-13 21:28 -------- d-----w- C:\00a6006033da9cd7d0

2012-07-12 15:31 . 2012-07-13 15:18 -------- d-----w- C:\a3ec2b0277659583c37863d1

2012-07-12 13:30 . 2012-07-26 19:53 -------- d-----w- c:\users\MSSQL$SQLEXPRESS

2012-07-12 13:28 . 2012-02-11 12:46 82520 ----a-w- c:\windows\system32\fssres.dll

2012-07-12 13:28 . 2012-02-11 12:46 180312 ----a-w- c:\windows\system32\hadrres.dll

2012-07-12 12:37 . 2012-07-13 17:03 -------- d-----w- c:\users\Michele\AppData\Roaming\Download Manager

2012-07-12 00:59 . 2012-07-12 00:59 -------- d-----w- c:\program files\Microsoft

2012-07-11 22:08 . 2012-07-11 22:08 -------- d-----w- c:\programdata\PreEmptive Solutions

2012-07-11 20:24 . 2012-07-11 20:24 -------- d-----w- c:\users\Michele\AppData\Roaming\Microsoft Corporation

2012-07-11 20:20 . 2012-07-11 20:20 -------- d-----w- c:\program files\Microsoft Sync Framework

2012-07-11 20:12 . 2012-07-13 21:28 2378624 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll

2012-07-11 19:56 . 2012-07-11 20:03 -------- d-----w- c:\program files (x86)\Microsoft F#

2012-07-11 19:56 . 2012-07-11 19:58 -------- d-----w- c:\program files (x86)\HTML Help Workshop

2012-07-11 19:56 . 2012-07-12 11:57 -------- d-----w- c:\program files (x86)\Common Files\Merge Modules

2012-07-11 19:38 . 2012-07-11 19:38 -------- d-----w- c:\windows\symbols

2012-07-11 19:13 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys

2012-07-11 13:31 . 2010-04-03 14:50 105824 ----a-w- c:\windows\system32\SQSRVRES.DLL

2012-07-11 13:15 . 2012-07-26 19:53 -------- d-----w- c:\users\Classic .NET AppPool

2012-07-11 13:12 . 2012-07-11 13:12 -------- d-----w- c:\windows\SysWow64\BestPractices

2012-07-11 13:12 . 2012-07-11 13:12 -------- d-----w- c:\windows\system32\BestPractices

2012-07-11 13:12 . 2012-07-11 13:12 -------- d-----w- C:\inetpub

2012-07-11 12:08 . 2012-06-06 06:05 1499136 ----a-w- c:\program files\Common Files\System\ado\msado15.dll

2012-07-11 12:08 . 2012-06-06 05:05 1019904 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll

2012-07-11 12:08 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll

2012-07-11 12:08 . 2012-06-06 06:05 61440 ----a-w- c:\program files\Common Files\System\ado\msador15.dll

2012-07-11 12:08 . 2012-06-06 06:05 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll

2012-07-11 12:08 . 2012-06-06 06:05 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll

2012-07-11 12:08 . 2012-06-06 06:02 1133568 ----a-w- c:\windows\system32\cdosys.dll

2012-07-11 12:08 . 2012-06-06 05:05 143360 ----a-w- c:\program files (x86)\Common Files\System\ado\msjro.dll

2012-07-11 12:08 . 2012-06-06 05:05 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll

2012-07-11 12:08 . 2012-06-06 05:05 57344 ----a-w- c:\program files (x86)\Common Files\System\ado\msador15.dll

2012-07-11 12:08 . 2012-06-06 05:05 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll

2012-07-11 12:08 . 2012-06-06 05:05 212992 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll

2012-07-11 12:08 . 2012-06-06 05:03 805376 ----a-w- c:\windows\SysWow64\cdosys.dll

2012-07-11 00:28 . 2012-07-11 00:28 -------- d-----w- c:\program files (x86)\NuGet 1.2

2012-07-11 00:09 . 2012-07-11 00:09 -------- d-----w- c:\program files (x86)\IIS Express

2012-07-10 23:20 . 2012-07-10 23:20 -------- d-----w- c:\programdata\VS

2012-07-10 23:13 . 2012-07-11 00:19 -------- d-----w- c:\program files\IIS

2012-07-10 23:13 . 2012-07-11 00:19 -------- d-----w- c:\program files (x86)\IIS

2012-07-10 23:13 . 2012-07-13 21:20 588256 ----a-w- c:\programdata\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll

2012-07-10 23:09 . 2012-07-13 16:19 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 10.0

2012-07-10 23:08 . 2012-07-10 23:08 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0

2012-07-10 23:08 . 2012-07-10 23:08 -------- d-----w- c:\program files\Microsoft Help Viewer

2012-07-10 20:57 . 2012-07-10 21:00 -------- d-----w- C:\NUnitRTM

2012-07-07 00:08 . 2012-07-07 00:08 -------- d-----w- c:\users\Michele\AppData\Roaming\Malwarebytes

2012-07-07 00:08 . 2012-07-07 00:08 -------- d-----w- c:\programdata\Malwarebytes

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-11 13:33 . 2009-11-30 09:35 59701280 ----a-w- c:\windows\system32\MRT.exe

2012-06-02 22:19 . 2012-06-08 20:56 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-08 20:56 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-06-08 20:56 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-08 20:56 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-08 20:56 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:15 . 2012-06-08 20:56 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:15 . 2012-06-08 20:56 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 19:19 . 2012-06-08 20:56 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:15 . 2012-06-08 20:56 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-05-31 16:25 . 2010-01-28 23:30 279656 ------w- c:\windows\system32\MpSigStub.exe

2012-05-15 04:01 . 2012-06-13 23:57 1188864 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 03:59 . 2012-06-13 23:57 64512 ----a-w- c:\windows\system32\jsproxy.dll

2012-05-15 03:03 . 2012-06-13 23:57 981504 ----a-w- c:\windows\SysWow64\wininet.dll

2012-05-04 11:06 . 2012-06-13 23:57 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-04 10:03 . 2012-06-13 23:57 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-05-04 10:03 . 2012-06-13 23:57 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-05-01 05:40 . 2012-06-13 23:57 209920 ----a-w- c:\windows\system32\profsvc.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-15 39408]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-13 2988784]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2009-08-21 244480]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-02 98304]

"Camera Assistant Software"="c:\program files (x86)\Video Web Camera\traybar.exe" [2009-04-13 630784]

"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-08-27 1194504]

"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]

"RemoteControl8"="c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"IOGEAR Auto Printer Sharing Switch"="c:\program files (x86)\IOGEAR Auto Printer Sharing Switch\AutoPrt.exe" [2010-03-05 867328]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 135664]

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 135664]

R3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys [2009-06-10 620544]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]

R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-30 1255736]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2010-04-03 59744]

R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys [2010-04-03 313696]

R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-04-24 428384]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-02 203264]

S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [2009-08-06 844320]

S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-06-04 1150496]

S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]

S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-08-25 13672]

S2 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [2011-04-02 67400]

S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-08-21 62720]

S2 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSRS10_50.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2011-04-24 2175328]

S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]

S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-02-03 427192]

S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2009-02-13 292864]

S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-20 317480]

S3 MSSQLFDLauncher$SQLEXPRESS;SQL Full-text Filter Daemon Launcher (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe [2010-04-03 32096]

S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-04-03 34872]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

iissvcs REG_MULTI_SZ w3svc was

apphost REG_MULTI_SZ apphostsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 22:43]

.

2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 22:43]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2009-07-20 503864]

"Acer ePower Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2009-08-06 828960]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv52_series&r=2736110995b6l0340z195a4891t228

mLocal Page = c:\windows\SysWOW64\blank.htm

Trusted Zone: intuit.com\ttlc

TCP: DhcpNameServer = 192.168.1.254

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://webvpn.progress-energy.com/CACHE/stc/3/binaries/vpnweb.cab

FF - ProfilePath - c:\users\Michele\AppData\Roaming\Mozilla\Firefox\Profiles\gm1kwx2x.default\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Michele\AppData\Roaming\Move Networks

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Toolbar-Locked - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MsDepSvc]

"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-4173360909-679456854-1895235350-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

.

[HKEY_USERS\S-1-5-21-4173360909-679456854-1895235350-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-07-27 16:10:27

ComboFix-quarantined-files.txt 2012-07-27 20:10

.

Pre-Run: 229,764,104,192 bytes free

Post-Run: 232,078,237,696 bytes free

.

- - End Of File - - 3D53E6BE10CB9AE6BC14E0CE2C9ACBCD

During the scan, it sent me a message that something called pev had stopped working, FYI.


That looks OK, "what" is telling you that you have "trojan dropper svchost fake"?

-------------------------------------

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats and Scan unwanted applications are checked

Click Advanced settings and select the following:

  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

Click Start

Wait for the scan to finish

Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic

MrC


I've seen that name several days in a row in SUPERAntiSpyware.

Now that could be it reacting to my adding Malwarebytes and specifically the Chameleon mode (the whole interference-between-two-antiviruses issue); however, I did see a trojan when scanning with Malwarebytes a few days ago.

The thing that set me on this path was that yesterday I saw some strange behavior on my machine and turned it off, thinking it was a virus. Since then I've not been able to run Malwarebytes successfully. My research on the virus showed me that it can turn Malwarebytes or even your machine off - which is just what happens to me: it runs for a few minutes, then the machine shuts off.

I'll try it again today and see what happens.


ComboFix 12-07-27.03 - Michele 07/27/2012 16:24:01.2.2 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3838.2049 [GMT -4:00]

Running from: c:\users\Onelchela\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\AutoRun.ini

.

.

((((((((((((((((((((((((( Files Created from 2012-06-27 to 2012-07-27 )))))))))))))))))))))))))))))))

.

.

2012-07-27 20:57 . 2012-07-27 20:57 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-27 20:57 . 2012-07-27 20:57 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2012-07-27 20:29 . 2012-07-27 20:29 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{06699AA0-CEB3-4777-AE0C-CC5E267D1219}\offreg.dll

2012-07-27 11:42 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{06699AA0-CEB3-4777-AE0C-CC5E267D1219}\mpengine.dll

2012-07-26 23:34 . 2010-12-20 22:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys

2012-07-26 23:34 . 2010-12-20 22:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-26 23:34 . 2012-07-26 23:34 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-07-26 18:14 . 2012-07-26 18:14 -------- d-----w- c:\users\Onelchela\AppData\Roaming\Apple Computer

2012-07-26 15:05 . 2012-07-26 15:05 -------- d-----w- c:\users\Onelchela\AppData\Roaming\Malwarebytes

2012-07-25 19:33 . 2012-07-26 19:53 -------- d-----w- c:\users\DefaultAppPool

2012-07-14 00:18 . 2012-07-14 00:24 -------- d-----w- C:\e66a12832b4b4bc17735b97a91aaca

2012-07-13 21:28 . 2012-07-13 21:28 -------- d-----w- C:\00a6006033da9cd7d0

2012-07-12 15:31 . 2012-07-13 15:18 -------- d-----w- C:\a3ec2b0277659583c37863d1

2012-07-12 13:30 . 2012-07-26 19:53 -------- d-----w- c:\users\MSSQL$SQLEXPRESS

2012-07-12 13:28 . 2012-02-11 12:46 82520 ----a-w- c:\windows\system32\fssres.dll

2012-07-12 13:28 . 2012-02-11 12:46 180312 ----a-w- c:\windows\system32\hadrres.dll

2012-07-12 12:37 . 2012-07-13 17:03 -------- d-----w- c:\users\Michele\AppData\Roaming\Download Manager

2012-07-12 00:59 . 2012-07-12 00:59 -------- d-----w- c:\program files\Microsoft

2012-07-11 22:08 . 2012-07-11 22:08 -------- d-----w- c:\programdata\PreEmptive Solutions

2012-07-11 20:24 . 2012-07-11 20:24 -------- d-----w- c:\users\Michele\AppData\Roaming\Microsoft Corporation

2012-07-11 20:20 . 2012-07-11 20:20 -------- d-----w- c:\program files\Microsoft Sync Framework

2012-07-11 20:12 . 2012-07-13 21:28 2378624 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll

2012-07-11 19:56 . 2012-07-11 20:03 -------- d-----w- c:\program files (x86)\Microsoft F#

2012-07-11 19:56 . 2012-07-11 19:58 -------- d-----w- c:\program files (x86)\HTML Help Workshop

2012-07-11 19:56 . 2012-07-12 11:57 -------- d-----w- c:\program files (x86)\Common Files\Merge Modules

2012-07-11 19:38 . 2012-07-11 19:38 -------- d-----w- c:\windows\symbols

2012-07-11 19:13 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys

2012-07-11 13:31 . 2010-04-03 14:50 105824 ----a-w- c:\windows\system32\SQSRVRES.DLL

2012-07-11 13:15 . 2012-07-26 19:53 -------- d-----w- c:\users\Classic .NET AppPool

2012-07-11 13:12 . 2012-07-11 13:12 -------- d-----w- c:\windows\SysWow64\BestPractices

2012-07-11 13:12 . 2012-07-11 13:12 -------- d-----w- c:\windows\system32\BestPractices

2012-07-11 13:12 . 2012-07-11 13:12 -------- d-----w- C:\inetpub

2012-07-11 12:08 . 2012-06-06 06:05 1499136 ----a-w- c:\program files\Common Files\System\ado\msado15.dll

2012-07-11 12:08 . 2012-06-06 05:05 1019904 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll

2012-07-11 12:08 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll

2012-07-11 12:08 . 2012-06-06 06:05 61440 ----a-w- c:\program files\Common Files\System\ado\msador15.dll

2012-07-11 12:08 . 2012-06-06 06:05 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll

2012-07-11 12:08 . 2012-06-06 06:05 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll

2012-07-11 12:08 . 2012-06-06 06:02 1133568 ----a-w- c:\windows\system32\cdosys.dll

2012-07-11 12:08 . 2012-06-06 05:05 143360 ----a-w- c:\program files (x86)\Common Files\System\ado\msjro.dll

2012-07-11 12:08 . 2012-06-06 05:05 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll

2012-07-11 12:08 . 2012-06-06 05:05 57344 ----a-w- c:\program files (x86)\Common Files\System\ado\msador15.dll

2012-07-11 12:08 . 2012-06-06 05:05 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll

2012-07-11 12:08 . 2012-06-06 05:05 212992 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll

2012-07-11 12:08 . 2012-06-06 05:03 805376 ----a-w- c:\windows\SysWow64\cdosys.dll

2012-07-11 00:28 . 2012-07-11 00:28 -------- d-----w- c:\program files (x86)\NuGet 1.2

2012-07-11 00:09 . 2012-07-11 00:09 -------- d-----w- c:\program files (x86)\IIS Express

2012-07-10 23:20 . 2012-07-10 23:20 -------- d-----w- c:\programdata\VS

2012-07-10 23:13 . 2012-07-11 00:19 -------- d-----w- c:\program files\IIS

2012-07-10 23:13 . 2012-07-11 00:19 -------- d-----w- c:\program files (x86)\IIS

2012-07-10 23:13 . 2012-07-13 21:20 588256 ----a-w- c:\programdata\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll

2012-07-10 23:09 . 2012-07-13 16:19 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 10.0

2012-07-10 23:08 . 2012-07-10 23:08 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0

2012-07-10 23:08 . 2012-07-10 23:08 -------- d-----w- c:\program files\Microsoft Help Viewer

2012-07-10 20:57 . 2012-07-10 21:00 -------- d-----w- C:\NUnitRTM

2012-07-07 00:08 . 2012-07-07 00:08 -------- d-----w- c:\users\Michele\AppData\Roaming\Malwarebytes

2012-07-07 00:08 . 2012-07-07 00:08 -------- d-----w- c:\programdata\Malwarebytes

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-11 13:33 . 2009-11-30 09:35 59701280 ----a-w- c:\windows\system32\MRT.exe

2012-06-02 22:19 . 2012-06-08 20:56 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-08 20:56 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-06-08 20:56 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-08 20:56 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-08 20:56 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:15 . 2012-06-08 20:56 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:15 . 2012-06-08 20:56 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 19:19 . 2012-06-08 20:56 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:15 . 2012-06-08 20:56 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-05-31 16:25 . 2010-01-28 23:30 279656 ------w- c:\windows\system32\MpSigStub.exe

2012-05-15 04:01 . 2012-06-13 23:57 1188864 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 03:59 . 2012-06-13 23:57 64512 ----a-w- c:\windows\system32\jsproxy.dll

2012-05-15 03:03 . 2012-06-13 23:57 981504 ----a-w- c:\windows\SysWow64\wininet.dll

2012-05-04 11:06 . 2012-06-13 23:57 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-04 10:03 . 2012-06-13 23:57 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-05-04 10:03 . 2012-06-13 23:57 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-05-01 05:40 . 2012-06-13 23:57 209920 ----a-w- c:\windows\system32\profsvc.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-15 39408]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-13 2988784]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2009-08-21 244480]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-02 98304]

"Camera Assistant Software"="c:\program files (x86)\Video Web Camera\traybar.exe" [2009-04-13 630784]

"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-08-27 1194504]

"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]

"RemoteControl8"="c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"IOGEAR Auto Printer Sharing Switch"="c:\program files (x86)\IOGEAR Auto Printer Sharing Switch\AutoPrt.exe" [2010-03-05 867328]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 135664]

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 135664]

R3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys [2009-06-10 620544]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]

R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-30 1255736]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2010-04-03 59744]

R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys [2010-04-03 313696]

R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-04-24 428384]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-02 203264]

S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [2009-08-06 844320]

S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-06-04 1150496]

S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]

S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-08-25 13672]

S2 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [2011-04-02 67400]

S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-08-21 62720]

S2 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSRS10_50.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2011-04-24 2175328]

S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]

S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-02-03 427192]

S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2009-02-13 292864]

S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-20 317480]

S3 MSSQLFDLauncher$SQLEXPRESS;SQL Full-text Filter Daemon Launcher (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe [2010-04-03 32096]

S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-04-03 34872]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

iissvcs REG_MULTI_SZ w3svc was

apphost REG_MULTI_SZ apphostsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 22:43]

.

2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-31 22:43]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2009-07-20 503864]

"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]

"Acer ePower Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2009-08-06 828960]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv52_series&r=2736110995b6l0340z195a4891t228

mLocal Page = c:\windows\SysWOW64\blank.htm

Trusted Zone: intuit.com\ttlc

TCP: DhcpNameServer = 192.168.1.254

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://webvpn.progress-energy.com/CACHE/stc/3/binaries/vpnweb.cab

FF - ProfilePath - c:\users\Michele\AppData\Roaming\Mozilla\Firefox\Profiles\gm1kwx2x.default\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Michele\AppData\Roaming\Move Networks

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MsDepSvc]

"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-4173360909-679456854-1895235350-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

.

[HKEY_USERS\S-1-5-21-4173360909-679456854-1895235350-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-07-27 17:03:25

ComboFix-quarantined-files.txt 2012-07-27 21:03

ComboFix2.txt 2012-07-27 20:10

.

Pre-Run: 232,272,998,400 bytes free

Post-Run: 231,948,738,560 bytes free

.

- - End Of File - - 4C98DA0F815301E2FE02963F39C0BF01

Here's ComboFix on the other account. I'm going to try Malwarebytes one more time to see if it shuts off. If it does, I'll then proceed with the next scan as instructed.


I was able to run scans on the two accounts; I'm not seeing the virus. I'm not sure what happened, but it had been acting strange before, shutting off during scans and even shutting off as soon as I tried to get into one of the accounts.

In any case, both scans came up clean. Thanks so much for your help.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
