TechSpot

[A] Cannot install Malwarebytes: Access is denied

By dgeissler
Mar 6, 2012
  1. The laptop (Dell E6410) in question contracted a virus which removed all icons under All Programs in the Start menu. I ran tdssKiller which found (RootKit.Boot.SSt.a) and repaird the MBR. Then I was able restored from a previous System Restore point to get the icons back. However, when I try to install MalwareBytes an error appears stating 'Access is Denied' before the process completes and the install rolls back.
    There appears to be some residual virus issues left over which I am unable to resolve.

    Thanks in advance for any assistance.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,902   +344

    Welcome aboard [​IMG]

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.
    Complete as many steps as you can.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. dgeissler

    dgeissler TS Rookie Topic Starter

    Hi Broni,

    Step 1: Ran Symantec Endpoint Protect and only found a Tracking cookie to remove.

    Step 2: MalwareBytes will not install, error Access is denied. Occurs at end of install process while 'Saving uninstall infromation...'

    Step 3: disabled Symantec Endpoint Protection and ran GMER, it did not produce a log.

    Step 4: DDS ran from desktop... logs follow:

    Step 5: Logs
    MalwareBytes - none.
    GMER - none.
    DDS
    -- Attach.txt --
    -----------------
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume2
    Install Date: 3/31/2011 3:49:51 PM
    System Uptime: 3/6/2012 5:15:57 PM (17 hours ago)
    .
    Motherboard: Dell Inc. | |
    Processor: Intel(R) Core(TM) i7 CPU M 620 @ 2.67GHz | CPU 1 | 2667/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 146 GiB total, 99.902 GiB free.
    D: is FIXED (FAT32) - 2 GiB total, 1.914 GiB free.
    E: is CDROM ()
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Teredo Tunneling Adapter
    Device ID: ROOT\*TEREDO\0000
    Manufacturer: Microsoft
    Name: Microsoft Teredo Tunneling Adapter
    PNP Device ID: ROOT\*TEREDO\0000
    Service: tunnel
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Cisco Systems VPN Adapter for 64-bit Windows
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter for 64-bit Windows
    PNP Device ID: ROOT\NET\0000
    Service: CVirtA
    .
    ==== System Restore Points ===================
    .
    RP123: 3/2/2012 12:32:40 PM - Windows Update
    RP124: 3/6/2012 3:30:02 PM - Installed Windows Installer Clean Up
    .
    ==== Installed Programs ======================
    .
    AccelerometerP11
    Adobe Acrobat 9 Pro
    Adobe Acrobat 9.5.0 - CPSID_83708
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    CustomerResearchQFolder
    Dell ControlPoint Security Manager
    Dell Security Device Driver Pack
    Dell Webcam Central
    Digital Line Detect
    EMBASSY Security Center Lite
    EMBASSY Security Setup
    ESC Home Page Plugin
    FDR2010
    GenxEcf-Live - 1
    Google Toolbar for Internet Explorer
    Google Update Helper
    hppFonts
    hppQFolderP2050
    hppusgP2050
    Intel(R) Control Center
    Intel(R) Management Engine Components
    Intel(R) Rapid Storage Technology
    Java Auto Updater
    Java(TM) 6 Update 26
    Juniper Networks Host Checker
    Juniper Networks Network Connect 7.0.0
    Juniper Networks Network Connect 7.1.0
    Juniper Networks Setup Client
    Juniper Terminal Services Client
    LiveUpdate 3.3 (Symantec Corporation)
    Lotus Notes 8.5.2
    Malwarebytes' Anti-Malware
    MarketResearch
    Microsoft Visual C++ 2005 Redistributable
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    PowerDVD DX
    Reader 2.1
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE 10.3
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Shepards Brief Suite
    Snagit 10
    Symantec pcAnywhere
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Wave Support Software
    WebReg
    Webroot® Client
    West Solutions
    WestCheck
    Windows Installer Clean Up
    Windows Live Upload Tool
    WordPerfect Lightning - IPM
    WordPerfect Lightning - Messages
    WordPerfect Lightning - MSOM
    WordPerfect Office X5
    WordPerfect Office X5 - Common
    Wordperfect Office X5 - EN
    WordPerfect Office X5 - Filters
    WordPerfect Office X5 - Graphics
    WordPerfect Office X5 - IPM
    WordPerfect Office X5 - LegalTools
    WordPerfect Office X5 - Migration Manager
    WordPerfect Office X5 - Oxford
    WordPerfect Office X5 - PerfectExperts EN
    WordPerfect Office X5 - PR
    WordPerfect Office X5 - QP
    WordPerfect Office X5 - Setup Files
    WordPerfect Office X5 - Sharepoint
    WordPerfect Office X5 - Skins
    WordPerfect Office X5 - System EN
    WordPerfect Office X5 - Templates
    WordPerfect Office X5 - WP
    WordPerfect Office X5 - WT
    ZapNotes
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/7/2012 8:49:08 AM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
    3/7/2012 10:14:17 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
    3/6/2012 5:16:32 PM, Error: Service Control Manager [7001] - The NTRU TSS v1.2.1.29 TCS service depends on the TPM Base Services service which failed to start because of the following error: The operation completed successfully.
    3/6/2012 5:15:27 PM, Error: ssidrv [31] - Invalid input parameter found.
    3/6/2012 5:15:27 PM, Error: ssidrv [26] - Failed to set monitor event rule.
    3/2/2012 12:58:16 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft OneNote 2010 (KB2553290) 64-Bit Edition.
    3/2/2012 10:12:27 AM, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067] - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. .
    3/2/2012 1:19:54 PM, Error: Service Control Manager [7023] -
    3/1/2012 10:06:16 AM, Error: Microsoft-Windows-GroupPolicy [1055] - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
    3/1/2012 10:06:15 AM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain CIRC5 due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
    2/29/2012 3:12:43 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR6.
    .
    ==== End Of File ===========================

    -- DDS.txt --
    ---------------
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7601.17514
    Run by cquick at 10:14:43 on 2012-03-07
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3958.2231 [GMT -6:00]
    .
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Webroot® Client Security *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
    FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\IDT\WDM\STacSV64.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
    C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    C:\Windows\System32\svchost.exe -k NetworkService
    C:\Program Files\IDT\WDM\AESTSr64.exe
    C:\Program Files (x86)\Symantec\pcAnywhere\awhost32.exe
    c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    C:\Program Files (x86)\Symantec\pcAnywhere\AWHPROBE.EXE
    C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
    D:\Program Files (x86)\Dell\Reader 2.1\DVMExportService.exe
    C:\Windows\dwrcs\DWRCS.EXE
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Windows\system32\svchost.exe -k HsfXAudioService
    C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
    C:\Windows\system32\IProsetMonitor.exe
    C:\Program Files (x86)\Lotus\Notes\nsd.exe
    C:\Program Files (x86)\Lotus\Notes\ntmulti.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files (x86)\ZENworks\Patch Management Agent\GravitixService.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\Webroot\Client\commagent.exe
    c:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
    c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\Webroot\Client\spysweeper.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\Smc.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Program Files (x86)\Webroot\Client\SSU.EXE
    C:\Windows\system32\taskhost.exe
    C:\Windows\dwrcs\DWRCST.exe
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    D:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files (x86)\ZENworks\Patch Management Agent\NotificationManager.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Webroot\Client\SpySweeperUI.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
    C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
    uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
    uStart Page = hxxp://www.circ5.dcn/
    mWinlogon: Userinit=userinit.exe
    BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\bin\IPS\IPSBHO.DLL
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll
    TB: Shepard's® Brief Suite: {cbaa6f21-985c-11d4-a02b-00b0d073e889} - C:\Program Files (x86)\LexisNexis\Shepards Brief Suite\Shepards Link\ShepLinkIE.dll
    TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    mRun: [IMSS] "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
    mRun: [DellBtrEvent] "D:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe"
    mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
    mRun: [QuickFinder Scheduler] "c:\Program Files (x86)\Corel\WordPerfect Office X5\Programs\QFSCHD150.EXE"
    mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    mRun: [<NO NAME>]
    mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    mRun: [NotificationManager] "C:\Program Files (x86)\ZENworks\Patch Management Agent\NotificationManager.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [WebrootClientUI] "C:\Program Files (x86)\Webroot\Client\SpySweeperUI.exe"
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\UltraMon.lnk - C:\Windows\Installer\{20A36691-B09B-4EF2-A371-64A5BD265E20}\IcoUltraMon.ico
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Open with WordPerfect - c:\Program Files (x86)\Corel\WordPerfect Office X5\Programs\WPLauncher.hta
    IE: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    Trusted Zone: ca5westkm
    Trusted Zone: circ5.dcn
    Trusted Zone: circ5.dcn\*.coa
    Trusted Zone: uscourts.gov
    Trusted Zone: westcheck.com
    Trusted Zone: westlaw.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {8BF7B588-F4AC-4A6E-AF63-F664449EED2E} - hxxps://jenie.ao.dcn/jenie/pwps/PA_1_NO2UF4I118ADC026HKQ8KC28K6/applets/DMPlugin.cab
    DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://jran.uscourts.gov/whalecomec32af80722ce693790039b54a5db3a9bd8e035a13/whalecom0/dwa8W.cab
    DPF: {CA34C280-5156-4E04-857A-BB69604B2F09} - hxxp://ca5westkm/km/controls/aleph.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://jport.uscourts.gov/dana-cached/sc/JuniperSetupClient.cab
    TCP: DhcpNameServer = 156.124.22.1 156.124.22.3 156.119.173.10
    TCP: Interfaces\{1F442891-8459-4135-B916-4154FB730A42} : DhcpNameServer = 156.124.22.1 156.124.22.3 156.119.173.10
    TCP: Interfaces\{56B7C82A-AAE8-4E39-B85D-0EE184291613} : DhcpNameServer = 156.119.163.10 156.119.173.10
    TCP: Interfaces\{5BC31504-0E0A-4D11-96E1-A3098E77F1AE} : DhcpNameServer = 205.152.132.23 205.152.144.23
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    Notify: PCANotify - PCANotify.dll
    Notify: SEP - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
    LSA: Authentication Packages = msv1_0 wvauth
    BHO-X64: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\bin\IPS\IPSBHO.DLL
    BHO-X64: Symantec Intrusion Prevention - No File
    BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
    BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO-X64: SmartSelect - No File
    TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB-X64: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll
    TB-X64: Shepard'sr Brief Suite: {CBAA6F21-985C-11d4-A02B-00B0D073E889} - C:\Program Files (x86)\LexisNexis\Shepards Brief Suite\Shepards Link\ShepLinkIE.dll
    TB-X64: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
    TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    mRun-x64: [IMSS] "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
    mRun-x64: [DellBtrEvent] "D:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe"
    mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
    mRun-x64: [QuickFinder Scheduler] "c:\Program Files (x86)\Corel\WordPerfect Office X5\Programs\QFSCHD150.EXE"
    mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    mRun-x64: [(Default)]
    mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    mRun-x64: [NotificationManager] "C:\Program Files (x86)\ZENworks\Patch Management Agent\NotificationManager.exe"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [WebrootClientUI] "C:\Program Files (x86)\Webroot\Client\SpySweeperUI.exe"
    IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
    R0 ssfs0bbc;Spy Sweeper File System Filter Driver: 0BBC;C:\Windows\system32\Drivers\SSFS0BBC.SYS --> C:\Windows\system32\Drivers\SSFS0BBC.SYS [?]
    R0 stdflt;Disk Filter Driver for Accelerometer;C:\Windows\system32\DRIVERS\stdfltn.sys --> C:\Windows\system32\DRIVERS\stdfltn.sys [?]
    R0 SymDS;Symantec Data Store;C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMDS64.SYS --> C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMDS64.SYS [?]
    R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMEFA64.SYS --> C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMEFA64.SYS [?]
    R1 BHDrvx64;BHDrvx64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20120215.011\BHDrvx64.sys [2012-2-16 1157240]
    R1 DVMIO;DVMIO;D:\Program Files (x86)\Dell\Reader 2.1\dvmio_x64.sys [2010-5-4 20624]
    R1 dwvkbd;DameWare Virtual Keyboard 64 bit Driver;C:\Windows\system32\DRIVERS\dwvkbd64.sys --> C:\Windows\system32\DRIVERS\dwvkbd64.sys [?]
    R1 IDSVia64;IDSVia64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20120215.002\IDSviA64.sys [2012-2-16 488568]
    R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\Ironx64.SYS --> C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\Ironx64.SYS [?]
    R1 SYMNETS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMNETS.SYS --> C:\Windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMNETS.SYS [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2010-9-23 89600]
    R2 buttonsvc64;Dell ControlPoint Button Service;C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2009-11-20 373024]
    R2 Credential Vault Host Control Service;Credential Vault Host Control Service;C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2010-3-23 1039776]
    R2 Credential Vault Host Storage;Credential Vault Host Storage;C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2010-3-23 31136]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2010-2-8 515952]
    R2 DvmMDES;DeviceVM Meta Data Export Service;D:\Program Files (x86)\Dell\Reader 2.1\DVMExportService.exe [2010-5-4 327680]
    R2 HsfXAudioService;HsfXAudioService;C:\Windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-9-23 13336]
    R2 InstallFilterService;FF Install Filter Service;C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [2010-9-23 60928]
    R2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;C:\Windows\system32\IProsetMonitor.exe --> C:\Windows\system32\IProsetMonitor.exe [?]
    R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;C:\Program Files (x86)\Lotus\Notes\nsd.exe [2010-8-11 3417480]
    R2 risdpcie;risdpcie;C:\Windows\system32\DRIVERS\risdpe64.sys --> C:\Windows\system32\DRIVERS\risdpe64.sys [?]
    R2 SepMasterService;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe [2011-11-15 137224]
    R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-14 20512]
    R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-9-23 2538520]
    R2 WebrootCommAgentService;Webroot CommAgent Service;C:\Program Files (x86)\Webroot\Client\CommAgent.exe [2011-2-24 715192]
    R3 Acceler;Accelerometer Service;C:\Windows\system32\DRIVERS\Accelern.sys --> C:\Windows\system32\DRIVERS\Accelern.sys [?]
    R3 btwampfl;Bluetooth AMP USB Filter;C:\Windows\system32\drivers\btwampfl.sys --> C:\Windows\system32\drivers\btwampfl.sys [?]
    R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
    R3 CAXHWAZL;CAXHWAZL;C:\Windows\system32\DRIVERS\CAXHWAZL.sys --> C:\Windows\system32\DRIVERS\CAXHWAZL.sys [?]
    R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
    R3 cvusbdrv;Dell ControlVault;C:\Windows\system32\Drivers\cvusbdrv.sys --> C:\Windows\system32\Drivers\cvusbdrv.sys [?]
    R3 DwMirror;DwMirror;C:\Windows\system32\DRIVERS\DamewareMini.sys --> C:\Windows\system32\DRIVERS\DamewareMini.sys [?]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-2-8 138360]
    R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
    R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
    R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
    R3 WebrootSpySweeperService;Webroot Spy Sweeper Engine;C:\Program Files (x86)\Webroot\Client\SPYSWEEPER.EXE [2011-2-24 4114488]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-13 136176]
    S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-13 136176]
    S3 ioatdma1;ioatdma1;C:\Windows\system32\Drivers\qd162x64.sys --> C:\Windows\system32\Drivers\qd162x64.sys [?]
    S3 ioatdma2;Intel(R) QuickData Technology device ver.2;C:\Windows\system32\Drivers\qd262x64.sys --> C:\Windows\system32\Drivers\qd262x64.sys [?]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 51740536]
    S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
    S3 rimspci;rimspci;C:\Windows\system32\drivers\rimspe64.sys --> C:\Windows\system32\drivers\rimspe64.sys [?]
    S3 rixdpcie;rixdpcie;C:\Windows\system32\drivers\rixdpe64.sys --> C:\Windows\system32\drivers\rixdpe64.sys [?]
    S3 SyDvCtrl;SyDvCtrl;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\SyDvCtrl64.sys [2011-11-15 29664]
    S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;C:\Windows\system32\drivers\Synth3dVsc.sys --> C:\Windows\system32\drivers\Synth3dVsc.sys [?]
    S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\system32\drivers\terminpt.sys --> C:\Windows\system32\drivers\terminpt.sys [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
    S3 tsusbhub;Remote Deskotop USB Hub;C:\Windows\system32\drivers\tsusbhub.sys --> C:\Windows\system32\drivers\tsusbhub.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-03-06 21:53:21 24416 ----a-r- C:\Windows\System32\AdobePDFUI.dll
    2012-03-06 21:50:51 -------- d-----w- C:\_AcroTemp
    2012-03-06 21:33:41 -------- d-----w- C:\Users\cquick\AppData\Roaming\Malwarebytes
    2012-03-06 21:30:27 3584 ----a-r- C:\Users\cquick\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2012-03-06 21:30:27 -------- d-----w- C:\Program Files (x86)\Windows Installer Clean Up
    2012-03-06 21:29:55 -------- d-----w- C:\Program Files (x86)\MSECACHE
    2012-03-02 18:31:56 142336 ----a-w- C:\Windows\System32\poqexec.exe
    2012-03-02 18:30:59 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
    2012-03-02 18:30:57 634880 ----a-w- C:\Windows\System32\msvcrt.dll
    2012-03-02 18:30:56 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
    2012-03-02 18:30:54 98816 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
    2012-03-02 18:30:54 7936 ----a-w- C:\Windows\System32\drivers\usbd.sys
    2012-03-02 18:30:54 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys
    2012-03-02 18:30:54 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
    2012-03-02 18:30:54 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
    2012-03-02 18:30:54 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
    2012-03-02 18:30:54 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
    2012-03-02 18:30:52 6144 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
    2012-03-02 18:30:52 6144 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
    2012-02-28 15:03:35 -------- d-----w- C:\Users\cquick\AppData\Roaming\smkits
    .
    ==================== Find3M ====================
    .
    2012-02-16 20:56:15 952 --sha-w- C:\ProgramData\KGyGaAvL.sys
    2012-01-14 04:06:27 3145728 ----a-w- C:\Windows\System32\win32k.sys
    2012-01-11 21:41:59 77312 ----a-w- C:\Windows\System32\packager.dll
    2012-01-11 21:41:59 67072 ----a-w- C:\Windows\SysWow64\packager.dll
    2012-01-11 21:41:47 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
    2012-01-11 21:41:47 366592 ----a-w- C:\Windows\System32\qdvd.dll
    2012-01-11 21:41:47 1572864 ----a-w- C:\Windows\System32\quartz.dll
    2012-01-11 21:41:47 1328128 ----a-w- C:\Windows\SysWow64\quartz.dll
    2012-01-11 21:41:22 1731920 ----a-w- C:\Windows\System32\ntdll.dll
    2012-01-11 21:41:22 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
    2012-01-04 10:44:20 509952 ----a-w- C:\Windows\System32\ntshrui.dll
    2012-01-04 08:58:41 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
    2011-12-30 06:26:08 515584 ----a-w- C:\Windows\System32\timedate.cpl
    2011-12-30 05:27:56 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
    2011-12-16 18:30:50 43520 ----a-w- C:\Windows\System32\csrsrv.dll
    2011-12-16 17:52:57 723456 ----a-w- C:\Windows\System32\EncDec.dll
    2011-12-16 17:52:57 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
    2011-12-16 08:47:38 1188864 ----a-w- C:\Windows\System32\wininet.dll
    2011-12-16 07:54:22 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-12-16 06:44:38 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-12-16 06:09:17 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-12-10 21:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    .
    ============= FINISH: 10:15:28.74 ===============

    Thanks again for your assistance!
    Don
     
  4. Broni

    Broni Malware Annihilator Posts: 52,902   +344

    Can you explain your security programs settings:
    What is your AV program, what is your firewall?

    Then....

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  5. dgeissler

    dgeissler TS Rookie Topic Starter

    Hi Broni,

    I believe Webroot stops spyware, adware, etc. and Symantec Endpoint Protection is main AV program. Neither programs stopped this machine from getting infected.
    The Firewall is managed by Symantec Endpoint Protection.

    -- aswMBR log: --
    ----------------------
    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-07 14:33:48
    -----------------------------
    14:33:48.085 OS Version: Windows x64 6.1.7601 Service Pack 1
    14:33:48.085 Number of processors: 4 586 0x2505
    14:33:48.085 ComputerName: CQUICK-W7 UserName: cquick
    14:33:54.843 Initialize success
    14:35:00.232 AVAST engine defs: 12030700
    14:35:40.327 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    14:35:40.327 Disk 0 Vendor: ST916041 D005 Size: 152627MB BusType: 8
    14:35:40.342 Disk 0 MBR read successfully
    14:35:40.358 Disk 0 MBR scan
    14:35:40.374 Disk 0 Windows XP default MBR code
    14:35:40.374 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 290 MB offset 63
    14:35:40.389 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 750 MB offset 595968
    14:35:40.405 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 149524 MB offset 2131968
    14:35:40.420 Disk 0 Partition - 00 0F Extended LBA 2062 MB offset 308357120
    14:35:40.452 Disk 0 Partition 4 00 0B FAT32 MSDOS5.0 2061 MB offset 308359168
    14:35:40.514 Disk 0 scanning C:\Windows\system32\drivers
    14:35:59.305 Service scanning
    14:36:31.377 Modules scanning
    14:36:31.393 Disk 0 trace - called modules:
    14:36:31.533 ntoskrnl.exe CLASSPNP.SYS disk.sys stdfltn.sys ACPI.sys iaStor.sys
    14:36:31.549 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80066d9060]
    14:36:31.565 3 CLASSPNP.SYS[fffff88001f9943f] -> nt!IofCallDriver -> [0xfffffa8006575b60]
    14:36:31.565 5 stdfltn.sys[fffff88001ed8af2] -> nt!IofCallDriver -> [0xfffffa8003877be0]
    14:36:31.565 7 ACPI.sys[fffff88000f917a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80042ca050]
    14:36:32.626 AVAST engine scan C:\Windows
    14:36:34.780 AVAST engine scan C:\Windows\system32
    14:40:22.241 AVAST engine scan C:\Windows\system32\drivers
    14:40:41.947 AVAST engine scan C:\Users\cquick
    14:43:39.952 AVAST engine scan C:\ProgramData
    14:44:44.306 Scan finished successfully
    14:48:02.750 Disk 0 MBR has been saved successfully to "C:\Users\cquick\Desktop\MBR.dat"
    14:48:02.766 The log file has been saved successfully to "C:\Users\cquick\Desktop\aswMBR.txt"


    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-07 14:33:48
    -----------------------------
    14:33:48.085 OS Version: Windows x64 6.1.7601 Service Pack 1
    14:33:48.085 Number of processors: 4 586 0x2505
    14:33:48.085 ComputerName: CQUICK-W7 UserName: cquick
    14:33:54.843 Initialize success
    14:35:00.232 AVAST engine defs: 12030700
    14:35:40.327 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    14:35:40.327 Disk 0 Vendor: ST916041 D005 Size: 152627MB BusType: 8
    14:35:40.342 Disk 0 MBR read successfully
    14:35:40.358 Disk 0 MBR scan
    14:35:40.374 Disk 0 Windows XP default MBR code
    14:35:40.374 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 290 MB offset 63
    14:35:40.389 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 750 MB offset 595968
    14:35:40.405 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 149524 MB offset 2131968
    14:35:40.420 Disk 0 Partition - 00 0F Extended LBA 2062 MB offset 308357120
    14:35:40.452 Disk 0 Partition 4 00 0B FAT32 MSDOS5.0 2061 MB offset 308359168
    14:35:40.514 Disk 0 scanning C:\Windows\system32\drivers
    14:35:59.305 Service scanning
    14:36:31.377 Modules scanning
    14:36:31.393 Disk 0 trace - called modules:
    14:36:31.533 ntoskrnl.exe CLASSPNP.SYS disk.sys stdfltn.sys ACPI.sys iaStor.sys
    14:36:31.549 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80066d9060]
    14:36:31.565 3 CLASSPNP.SYS[fffff88001f9943f] -> nt!IofCallDriver -> [0xfffffa8006575b60]
    14:36:31.565 5 stdfltn.sys[fffff88001ed8af2] -> nt!IofCallDriver -> [0xfffffa8003877be0]
    14:36:31.565 7 ACPI.sys[fffff88000f917a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80042ca050]
    14:36:32.626 AVAST engine scan C:\Windows
    14:36:34.780 AVAST engine scan C:\Windows\system32
    14:40:22.241 AVAST engine scan C:\Windows\system32\drivers
    14:40:41.947 AVAST engine scan C:\Users\cquick
    14:43:39.952 AVAST engine scan C:\ProgramData
    14:44:44.306 Scan finished successfully
    14:48:02.750 Disk 0 MBR has been saved successfully to "C:\Users\cquick\Desktop\MBR.dat"
    14:48:02.766 The log file has been saved successfully to "C:\Users\cquick\Desktop\aswMBR.txt"
    16:02:22.881 Disk 0 MBR has been saved successfully to "C:\Users\cquick\Desktop\MBR.dat"
    16:02:22.897 The log file has been saved successfully to "C:\Users\cquick\Desktop\aswMBR.txt"


    -- Bootkit Log --
    --------------------
    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Ultimate Edition Service Pack 1 (build 7601), 64
    -bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`41100000
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  6. Broni

    Broni Malware Annihilator Posts: 52,902   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. dgeissler

    dgeissler TS Rookie Topic Starter

    Hi Broni,

    ComboFix ran over night... the log is posted below.

    Happy Friday!!
    Thanks,
    Don

    -- ComboFix --
    ------------------
    ComboFix 12-03-08.02 - cquick 03/08/2012 13:19:20.1.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3958.2243 [GMT -6:00]
    Running from: c:\users\cquick\Desktop\ComboFix.exe
    FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    SP: Webroot® Client Security *Disabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\court\AppData\Local\assembly\tmp
    c:\users\cquick\AppData\Local\assembly\tmp
    c:\users\cquick\WINDOWS
    c:\users\cquick\WINDOWS\BO5170DN.INI
    c:\users\cquick\WINDOWS\CORELPF.LRS
    c:\users\cquick\WINDOWS\iltwain.ctx
    c:\users\cquick\WINDOWS\inifile.upd
    c:\users\cquick\WINDOWS\notes.ini
    c:\users\cquick\WINDOWS\nsreg.dat
    c:\users\cquick\WINDOWS\ODBC.ctx
    c:\users\cquick\WINDOWS\odbc.ini
    c:\users\cquick\WINDOWS\system.ini
    c:\users\cquick\WINDOWS\win.ctx
    c:\users\cquick\WINDOWS\win.ini
    c:\windows\SysWow64\Gdiplus.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-09 to 2012-03-09 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-07 16:14 . 2012-03-07 16:14 -------- d-----w- c:\users\cquick\AppData\Roaming\CyberLink
    2012-03-06 21:53 . 2009-08-20 04:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll
    2012-03-06 21:50 . 2012-03-06 23:16 -------- d-----w- C:\_AcroTemp
    2012-03-06 21:33 . 2012-03-06 21:33 -------- d-----w- c:\users\cquick\AppData\Roaming\Malwarebytes
    2012-03-06 21:30 . 2012-03-06 21:30 3584 ----a-r- c:\users\cquick\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2012-03-06 21:30 . 2012-03-06 21:30 -------- d-----w- c:\program files (x86)\Windows Installer Clean Up
    2012-03-06 21:29 . 2012-03-06 21:29 -------- d-----w- c:\program files (x86)\MSECACHE
    2012-03-02 18:31 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe
    2012-03-02 18:30 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-03-02 18:30 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
    2012-03-02 18:30 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
    2012-03-02 18:30 . 2011-03-25 03:29 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys
    2012-03-02 18:30 . 2011-03-25 03:29 98816 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2012-03-02 18:30 . 2011-03-25 03:29 325120 ----a-w- c:\windows\system32\drivers\usbport.sys
    2012-03-02 18:30 . 2011-03-25 03:29 52736 ----a-w- c:\windows\system32\drivers\usbehci.sys
    2012-03-02 18:30 . 2011-03-25 03:29 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys
    2012-03-02 18:30 . 2011-03-25 03:29 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys
    2012-03-02 18:30 . 2011-03-25 03:28 7936 ----a-w- c:\windows\system32\drivers\usbd.sys
    2012-03-02 18:30 . 2011-08-13 05:27 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
    2012-03-02 18:30 . 2011-08-13 04:18 6144 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
    2012-02-28 21:55 . 2012-02-28 21:55 -------- d-----w- c:\users\Administrator\AppData\Roaming\CyberLink
    2012-02-28 19:49 . 2012-02-28 19:49 -------- d-----w- c:\users\Administrator\AppData\Local\Wave Systems Corp
    2012-02-28 15:03 . 2012-03-06 15:08 -------- d-----w- c:\users\cquick\AppData\Roaming\smkits
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-16 20:56 . 2010-10-12 20:20 952 --sha-w- c:\programdata\KGyGaAvL.sys
    2012-01-11 21:42 . 2012-01-11 21:42 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
    2012-01-11 21:42 . 2012-01-11 21:42 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-11 21:42 . 2012-01-11 21:42 459232 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-11 21:42 . 2012-01-11 21:42 395776 ----a-w- c:\windows\system32\webio.dll
    2012-01-11 21:42 . 2012-01-11 21:42 340992 ----a-w- c:\windows\system32\schannel.dll
    2012-01-11 21:42 . 2012-01-11 21:42 314880 ----a-w- c:\windows\SysWow64\webio.dll
    2012-01-11 21:42 . 2012-01-11 21:42 31232 ----a-w- c:\windows\system32\lsass.exe
    2012-01-11 21:42 . 2012-01-11 21:42 29184 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-11 21:42 . 2012-01-11 21:42 28160 ----a-w- c:\windows\system32\secur32.dll
    2012-01-11 21:42 . 2012-01-11 21:42 224768 ----a-w- c:\windows\SysWow64\schannel.dll
    2012-01-11 21:42 . 2012-01-11 21:42 22016 ----a-w- c:\windows\SysWow64\secur32.dll
    2012-01-11 21:42 . 2012-01-11 21:42 152432 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-11 21:42 . 2012-01-11 21:42 1447936 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-11 21:42 . 2012-01-11 21:42 136192 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-11 21:41 . 2012-01-11 21:41 77312 ----a-w- c:\windows\system32\packager.dll
    2012-01-11 21:41 . 2012-01-11 21:41 67072 ----a-w- c:\windows\SysWow64\packager.dll
    2012-01-11 21:41 . 2012-01-11 21:41 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
    2012-01-11 21:41 . 2012-01-11 21:41 366592 ----a-w- c:\windows\system32\qdvd.dll
    2012-01-11 21:41 . 2012-01-11 21:41 1572864 ----a-w- c:\windows\system32\quartz.dll
    2012-01-11 21:41 . 2012-01-11 21:41 1328128 ----a-w- c:\windows\SysWow64\quartz.dll
    2012-01-11 21:41 . 2012-01-11 21:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-11 21:41 . 2012-01-11 21:41 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
    2011-12-16 18:30 . 2011-12-16 18:30 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-16 17:52 . 2011-12-16 17:52 723456 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-16 17:52 . 2011-12-16 17:52 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-10 21:24 . 2010-10-15 16:42 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-13 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IMSS"="c:\program files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2010-09-16 112152]
    "DellBtrEvent"="d:\program files (x86)\Dell\Reader 2.1\DellBtrEvent.exe" [2010-05-04 147456]
    "Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-03-12 462993]
    "QuickFinder Scheduler"="c:\program files (x86)\Corel\WordPerfect Office X5\Programs\QFSCHD150.EXE" [2010-10-26 136600]
    "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-01-04 40376]
    "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-01-03 640440]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
    "NotificationManager"="c:\program files (x86)\ZENworks\Patch Management Agent\NotificationManager.exe" [2010-01-09 587104]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    UltraMon.lnk - c:\windows\Installer\{20A36691-B09B-4EF2-A371-64A5BD265E20}\IcoUltraMon.ico [2010-10-14 29310]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    2007-04-27 17:10 18744 ----a-w- c:\windows\System32\PCANotify.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3154170777-1272860701-3980530197-1341\Scripts\Logon\0\0]
    "Script"=\\circ5.dcn\netlogon\SAOLogon.vbs
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-13 136176]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-13 136176]
    R3 ioatdma1;ioatdma1;c:\windows\System32\Drivers\qd162x64.sys [x]
    R3 ioatdma2;Intel(R) QuickData Technology device ver.2;c:\windows\System32\Drivers\qd262x64.sys [x]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 51740536]
    R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
    R3 rimspci;rimspci;c:\windows\system32\drivers\rimspe64.sys [x]
    R3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe64.sys [x]
    R3 SyDvCtrl;SyDvCtrl;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\SyDvCtrl64.sys [2011-11-15 29664]
    R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [x]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
    R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [x]
    S0 SymDS;Symantec Data Store;c:\windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMDS64.SYS [x]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMEFA64.SYS [x]
    S1 BHDrvx64;BHDrvx64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20120215.011\BHDrvx64.sys [2012-02-08 1157240]
    S1 DVMIO;DVMIO;d:\program files (x86)\Dell\Reader 2.1\dvmio_x64.sys [2010-05-04 20624]
    S1 dwvkbd;DameWare Virtual Keyboard 64 bit Driver;c:\windows\system32\DRIVERS\dwvkbd64.sys [x]
    S1 IDSVia64;IDSVia64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20120215.002\IDSvia64.sys [2011-11-08 488568]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\Drivers\SEP\0C01029F\136B.105\x64\Ironx64.SYS [x]
    S1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\Drivers\SEP\0C01029F\136B.105\x64\SYMNETS.SYS [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2010-05-26 89600]
    S2 buttonsvc64;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2009-11-20 373024]
    S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2010-03-24 1039776]
    S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2010-03-24 31136]
    S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2010-02-08 515952]
    S2 DvmMDES;DeviceVM Meta Data Export Service;d:\program files (x86)\Dell\Reader 2.1\DVMExportService.exe [2010-05-04 327680]
    S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
    S2 InstallFilterService;FF Install Filter Service;c:\program files (x86)\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [2010-01-10 60928]
    S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [x]
    S2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files (x86)\Lotus\Notes\nsd.exe [2010-11-30 3417480]
    S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [x]
    S2 SepMasterService;Symantec Endpoint Protection;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe [2011-11-15 137224]
    S2 UltraMonUtility;UltraMon Utility Driver;c:\program files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-14 20512]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-09-16 2538520]
    S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
    S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
    S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
    S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [x]
    S3 DwMirror;DwMirror;c:\windows\system32\DRIVERS\DamewareMini.sys [x]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [x]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-08 138360]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
    S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-13 14:01]
    .
    2012-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-13 14:01]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2010-03-29 18:00 60784 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2010-03-29 18:00 60784 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 392048]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-05-26 487424]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-17 16414824]
    "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2010-04-17 95336]
    "DameWare MRC Agent"="c:\windows\dwrcs\DWRCST.exe" [2011-09-06 298368]
    "combofix"="c:\combofix\CF17574.3XE" [2010-11-20 345088]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.circ5.dcn/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Open with WordPerfect - c:\program files (x86)\Corel\WordPerfect Office X5\Programs\WPLauncher.hta
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    Trusted Zone: ca5westkm
    Trusted Zone: circ5.dcn
    Trusted Zone: circ5.dcn\*.coa
    Trusted Zone: uscourts.gov
    Trusted Zone: westcheck.com
    Trusted Zone: westlaw.com
    TCP: DhcpNameServer = 156.124.22.1 156.124.22.3 156.119.173.10
    DPF: {8BF7B588-F4AC-4A6E-AF63-F664449EED2E} - hxxps://jenie.ao.dcn/jenie/pwps/PA_1_NO2UF4I118ADC026HKQ8KC28K6/applets/DMPlugin.cab
    DPF: {CA34C280-5156-4E04-857A-BB69604B2F09} - hxxp://ca5westkm/km/controls/aleph.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Notify-SEP - c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll
    SafeBoot-ccEvtMgr
    SafeBoot-ccSetMgr
    SafeBoot-Symantec Antivirus
    SafeBoot-Symantec Antvirus
    Toolbar-Locked - (no file)
    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SepMasterService]
    "ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\sms.dll\" /prefetch:1"
    --
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SmcService]
    "ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\Smc.exe\" /prefetch:1"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SPBBCDrv]
    "ImagePath"=""
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Symantec\pcAnywhere\awhost32.exe
    c:\program files (x86)\Symantec\pcAnywhere\AWHPROBE.EXE
    c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files (x86)\Juniper Networks\Common Files\dsNcService.exe
    c:\program files (x86)\Lotus\Notes\ntmulti.exe
    c:\program files (x86)\ZENworks\Patch Management Agent\GravitixService.exe
    c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    .
    **************************************************************************
    .
    Completion time: 2012-03-09 08:15:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-09 14:15
    .
    Pre-Run: 107,370,037,248 bytes free
    Post-Run: 107,437,916,160 bytes free
    .
    - - End Of File - - 33B0749F914E08BCB06D271693D5A064
     
  8. Broni

    Broni Malware Annihilator Posts: 52,902   +344

    Looks good.

    1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
    2. Restart your computer (very important).
    3. Download and run this utility.
    4. It will ask to restart your computer (please allow it to).
    5. After the computer restarts, install the latest version from here.

    See if it'll run now.
     
  9. dgeissler

    dgeissler TS Rookie Topic Starter

    Hi Broni,

    I received the following error trying to uninstall MalwareBytes:
    "Internal error: Cannot find utCompiled Code record for this version of the uninstaller."
    Only option is to click OK.

    Please advise.

    Thanks,
    Don
     
  10. Broni

    Broni Malware Annihilator Posts: 52,902   +344

    Proceed with step 3 from my previous reply.
     
  11. dgeissler

    dgeissler TS Rookie Topic Starter

    Hi Broni,

    Excellent!!
    I was able to install MalwareBytes and run a full system scan. Nothing was found.

    Thanks,
    Don
     
  12. Broni

    Broni Malware Annihilator Posts: 52,902   +344

    Good news :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...