Quinnbeast
Posts: 30 +8
Afternoon folks!
I've been taking a look at my wife's laptop recently for some long overdue care and maintenance. Malwarebytes has thrown up a few issues, and my spidey senses are telling me that a simple scan isn't showing all the nasties hiding in there. We've had the odd issue with rogue virus scanners ("PC Optimizer") - and some of the items that M'bytes has found have since shown up again a week or so later. Any input greatly appreciated.
MB log, GMER log and Attach/DDS log as follows:
*** (and before I forget, I ran an ESET scan before I landed here that showed the following) -
C:\ProgramData\Codecv\uninstall.exe | Win32/Adware.MultiPlug.A application | cleaned by deleting - quarantined
C:\Users\Lindsay\Desktop\Downloads\Codec-C (98).exe | Win32/InstallMate.Gen application | cleaned by deleting - quarantined
C:\Windows\Temp\RegistryOptimizer.exe | a variant of Win32/SpeedingUpMyPC application | cleaned by deleting - quarantined
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.26.08
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Tone :: LINDSAY-PC [administrator]
26/07/2012 10:23:39
mbam-log-2012-07-26 (10-23-39).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 197354
Time elapsed: 9 minute(s), 55 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 7
HKCR\CLSID\{65B633F7-3AA6-B7C7-D756-C02A718A69E3} (PUP.DownloadnSave) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65B633F7-3AA6-B7C7-D756-C02A718A69E3} (PUP.DownloadnSave) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{65B633F7-3AA6-B7C7-D756-C02A718A69E3} (PUP.DownloadnSave) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{65B633F7-3AA6-B7C7-D756-C02A718A69E3} (PUP.DownloadnSave) -> Quarantined and deleted successfully.
HKCR\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} (PUP.DownloadnSave) -> Quarantined and deleted successfully.
HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} (PUP.DownloadnSave) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CodecUpdater (Trojan.Dropper.H) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\ProgramData\Codecv\bhoclass.dll (PUP.DownloadnSave) -> Quarantined and deleted successfully.
C:\ProgramData\CodecUpdate\ix_updater.exe (Trojan.Dropper.H) -> Quarantined and deleted successfully.
C:\Users\Tone\Local Settings\Temporary Internet Files\Content.IE5\5Z4B3KTT\updater[1].exe (Trojan.Dropper.H) -> Quarantined and deleted successfully.
(end)
------------------------------------------------------------------------------------
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-07-26 12:58:25
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.FG00
Running: ybqiv2p3.exe; Driver: C:\Users\Tone\AppData\Local\Temp\kwtiafob.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
------------------------------------------------------------------------------------
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 04/10/2009 00:05:18
System Uptime: 26/07/2012 13:05:46 (0 hours ago)
.
Motherboard: Sony Corporation | | VAIO
Processor: Pentium(R) Dual-Core CPU T4200 @ 2.00GHz | N/A | 2000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 223 GiB total, 115.986 GiB free.
D: is Removable
E: is Removable
F: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
.
7-Zip 4.65
AC3Filter 1.62b
ActionReplay Xbox
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
ArcSoft Magic-I Visual Effects 2
ArcSoft WebCam Companion 2
Choice Guard
Click to Disc
Click to Disc Editor
Codecv
DivX Setup
ESET Online Scanner v3
Google Chrome
Google Update Helper
HDAUDIO SoftV92 Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Java Auto Updater
Java(TM) 6 Update 24
Malwarebytes Anti-Malware version 1.62.0.1300
Me&My VAIO
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Transfer
OpenMG Secure Module 5.3.00
Primo
Realtek High Definition Audio Driver
Roxio Central Audio
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio Easy Media Creator 10 LJ
Roxio Easy Media Creator Home
Runtime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Setting Utility Series
Skype™ 4.2
Software Info for Me&My VAIO
Sony Home Network Library
Sony Picture Utility
Sony Video Shared Library
Spotify
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VAIO Content Folder Setting
VAIO Content Folder Watcher
VAIO Content Metadata Intelligent Analyzing Manager
VAIO Content Metadata Manager Setting
VAIO Content Metadata XML Interface Library
VAIO Control Center
VAIO Data Restore Tool
VAIO DVD Menu Data Basic
VAIO Entertainment Platform
VAIO Event Service
VAIO Launcher
VAIO Marketing Tools
VAIO Media plus
VAIO Media plus Opening Movie
VAIO Movie Story
VAIO Movie Story 1.5 Upgrade
VAIO Movie Story Template Data
VAIO MusicBox
VAIO MusicBox Sample Music
VAIO Original Function Setting
VAIO Power Management
VAIO Presentation Support
VAIO Smart Network
VAIO Update
VAIO Wallpaper Contents
VC80CRTRedist - 8.0.50727.6195
Web Assistant 2.0.0.439
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinDVD for VAIO
XBCD Uninstaller
.
==== Event Viewer Messages From Past Week ========
.
26/07/2012 13:06:56, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
23/07/2012 13:06:31, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.423.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
20/07/2012 17:41:30, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 00242BF38A8F has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Run by Tone at 13:19:03 on 2012-07-26
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2938.1822 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Sony\Network Utility\NSUService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ArcSoft\Magic-I Visual Effects 2\uCamMonitor.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\VAIO Power Management\SPMService.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Web Assistant\ExtensionUpdaterService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Sony\Network Utility\LANUtil.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update 5\VAIOUpdt.exe
C:\Windows\System32\svchost.exe -k wdisvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://mystart.incredibar.com/mb139?a=6OyICepM2y&I=26
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SNYT&bmod=EU01
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYT&bmod=SNYT
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SNYT&bmod=EU01
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Web Assistant: {336d0c35-8a85-403a-b9d2-65c292c39087} - c:\program files\web assistant\Extension32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [NSUFloatingUI] "c:\program files\sony\network utility\LANUtil.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Search the Web - c:\program files\sweetim\toolbars\internet explorer\resources\menuext.html
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4413101C-9BCC-42C3-9561-FD43F244B389} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B782F2DC-03A4-43F3-A193-911035262425} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 NSUService;NSUService;c:\program files\sony\network utility\NSUService.exe [2009-3-31 303104]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
R2 uCamMonitor;CamMonitor;c:\program files\arcsoft\magic-I visual effects 2\uCamMonitor.exe [2009-3-31 104960]
R2 VAIO Power Management;VAIO Power Management;c:\program files\sony\vaio power management\SPMService.exe [2009-3-4 415592]
R2 VCFw;VAIO Content Folder Watcher;c:\program files\common files\sony shared\vaio content folder watcher\VCFw.exe [2009-3-5 5189992]
R2 Web Assistant Updater;Web Assistant Updater;c:\program files\web assistant\ExtensionUpdaterService.exe [2012-7-21 185856]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2009-3-31 17920]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2009-3-4 9344]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-26 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-26 135664]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 SOHCImp;VAIO Media plus Content Importer;c:\program files\common files\sony shared\sohlib\SOHCImp.exe [2009-3-31 120104]
S3 SOHDBSvr;VAIO Media plus Database Manager;c:\program files\common files\sony shared\sohlib\SOHDBSvr.exe [2009-3-31 70952]
S3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\common files\sony shared\sohlib\SOHDms.exe [2009-3-31 390440]
S3 SOHDs;VAIO Media plus Device Searcher;c:\program files\common files\sony shared\sohlib\SOHDs.exe [2009-3-31 75048]
S3 SOHPlMgr;VAIO Media plus Playlist Manager;c:\program files\common files\sony shared\sohlib\SOHPlMgr.exe [2009-3-31 91432]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2009-3-31 394536]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2009-3-31 83240]
S3 VUAgent;VUAgent;c:\program files\sony\vaio update 5\VUAgent.exe [2010-1-13 722288]
S3 xbreader;ActionReplay XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [2010-1-15 19677]
.
=============== Created Last 30 ================
.
2012-07-26 11:59:46 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{55c2f3f3-8418-42fa-a22f-c4650662cbbd}\mpengine.dll
2012-07-26 10:21:17 -------- d-----w- c:\program files\ESET
2012-07-24 18:41:43 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-07-23 17:41:06 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2012-07-23 17:41:06 471552 ----a-w- c:\windows\system32\secproc.dll
2012-07-23 17:41:04 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2012-07-23 17:41:03 518144 ----a-w- c:\windows\system32\RMActivate.exe
2012-07-23 17:41:03 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2012-07-23 17:41:03 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2012-07-23 17:41:02 332288 ----a-w- c:\windows\system32\msdrm.dll
2012-07-23 17:41:02 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2012-07-23 17:41:02 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2012-07-21 13:27:47 -------- d-----w- c:\programdata\CodecUpdate
2012-07-21 13:26:55 -------- d-----w- c:\program files\Web Assistant
2012-07-21 13:26:23 -------- d-----w- c:\programdata\Codecv
2012-07-12 18:34:39 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 17:45:55 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-07-11 17:45:55 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-07-11 17:45:55 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-07-11 17:45:48 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2012-07-11 17:45:46 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 17:45:46 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 17:45:45 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 17:45:45 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 17:45:45 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-03 20:14:36 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{80659e36-41a4-49c6-a329-1bcab4943d80}\gapaengine.dll
.
==================== Find3M ====================
.
2012-07-03 12:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 14:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 14:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-01 14:03:49 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 13:19:58.59 ===============
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Search the Web - c:\program files\sweetim\toolbars\internet explorer\resources\menuext.html
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4413101C-9BCC-42C3-9561-FD43F244B389} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B782F2DC-03A4-43F3-A193-911035262425} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 NSUService;NSUService;c:\program files\sony\network utility\NSUService.exe [2009-3-31 303104]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
R2 uCamMonitor;CamMonitor;c:\program files\arcsoft\magic-I visual effects 2\uCamMonitor.exe [2009-3-31 104960]
R2 VAIO Power Management;VAIO Power Management;c:\program files\sony\vaio power management\SPMService.exe [2009-3-4 415592]
R2 VCFw;VAIO Content Folder Watcher;c:\program files\common files\sony shared\vaio content folder watcher\VCFw.exe [2009-3-5 5189992]
R2 Web Assistant Updater;Web Assistant Updater;c:\program files\web assistant\ExtensionUpdaterService.exe [2012-7-21 185856]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2009-3-31 17920]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2009-3-4 9344]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-26 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-26 135664]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 SOHCImp;VAIO Media plus Content Importer;c:\program files\common files\sony shared\sohlib\SOHCImp.exe [2009-3-31 120104]
S3 SOHDBSvr;VAIO Media plus Database Manager;c:\program files\common files\sony shared\sohlib\SOHDBSvr.exe [2009-3-31 70952]
S3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\common files\sony shared\sohlib\SOHDms.exe [2009-3-31 390440]
S3 SOHDs;VAIO Media plus Device Searcher;c:\program files\common files\sony shared\sohlib\SOHDs.exe [2009-3-31 75048]
S3 SOHPlMgr;VAIO Media plus Playlist Manager;c:\program files\common files\sony shared\sohlib\SOHPlMgr.exe [2009-3-31 91432]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2009-3-31 394536]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2009-3-31 83240]
S3 VUAgent;VUAgent;c:\program files\sony\vaio update 5\VUAgent.exe [2010-1-13 722288]
S3 xbreader;ActionReplay XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [2010-1-15 19677]
.
=============== Created Last 30 ================
.
2012-07-26 11:59:46  6891424  ----a-w-  c:\programdata\microsoft\microsoft antimalware\definition updates\{55c2f3f3-8418-42fa-a22f-c4650662cbbd}\mpengine.dll
2012-07-26 10:21:17  --------  d-----w-  c:\program files\ESET
2012-07-24 18:41:43  6891424  ----a-w-  c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-07-23 17:41:06  471552  ----a-w-  c:\windows\system32\secproc_isv.dll
2012-07-23 17:41:06  471552  ----a-w-  c:\windows\system32\secproc.dll
2012-07-23 17:41:04  526336  ----a-w-  c:\windows\system32\RMActivate_isv.exe
2012-07-23 17:41:03  518144  ----a-w-  c:\windows\system32\RMActivate.exe
2012-07-23 17:41:03  347136  ----a-w-  c:\windows\system32\RMActivate_ssp.exe
2012-07-23 17:41:03  346624  ----a-w-  c:\windows\system32\RMActivate_ssp_isv.exe
2012-07-23 17:41:02  332288  ----a-w-  c:\windows\system32\msdrm.dll
2012-07-23 17:41:02  152576  ----a-w-  c:\windows\system32\secproc_ssp_isv.dll
2012-07-23 17:41:02  152064  ----a-w-  c:\windows\system32\secproc_ssp.dll
2012-07-21 13:27:47  --------  d-----w-  c:\programdata\CodecUpdate
2012-07-21 13:26:55  --------  d-----w-  c:\program files\Web Assistant
2012-07-21 13:26:23  --------  d-----w-  c:\programdata\Codecv
2012-07-12 18:34:39  2047488  ----a-w-  c:\windows\system32\win32k.sys
2012-07-11 17:45:55  984064  ----a-w-  c:\windows\system32\crypt32.dll
2012-07-11 17:45:55  98304  ----a-w-  c:\windows\system32\cryptnet.dll
2012-07-11 17:45:55  133120  ----a-w-  c:\windows\system32\cryptsvc.dll
2012-07-11 17:45:48  708608  ----a-w-  c:\program files\common files\system\ado\msado15.dll
2012-07-11 17:45:46  1401856  ----a-w-  c:\windows\system32\msxml6.dll
2012-07-11 17:45:46  1248768  ----a-w-  c:\windows\system32\msxml3.dll
2012-07-11 17:45:45  440704  ----a-w-  c:\windows\system32\drivers\ksecdd.sys
2012-07-11 17:45:45  278528  ----a-w-  c:\windows\system32\schannel.dll
2012-07-11 17:45:45  204288  ----a-w-  c:\windows\system32\ncrypt.dll
2012-07-03 20:14:36  713784  ------w-  c:\programdata\microsoft\microsoft antimalware\definition updates\{80659e36-41a4-49c6-a329-1bcab4943d80}\gapaengine.dll
.
==================== Find3M ====================
.
2012-07-03 12:46:44  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-06-02 22:12:32  2422272  ----a-w-  c:\windows\system32\wucltux.dll
2012-06-02 22:12:13  88576  ----a-w-  c:\windows\system32\wudriver.dll
2012-06-02 14:19:42  171904  ----a-w-  c:\windows\system32\wuwebv.dll
2012-06-02 14:12:20  33792  ----a-w-  c:\windows\system32\wuapp.exe
2012-06-02 08:33:25  1800192  ----a-w-  c:\windows\system32\jscript9.dll
2012-06-02 08:25:08  1129472  ----a-w-  c:\windows\system32\wininet.dll
2012-06-02 08:25:03  1427968  ----a-w-  c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33  142848  ----a-w-  c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52  2382848  ----a-w-  c:\windows\system32\mshtml.tlb
2012-05-01 14:03:49  180736  ----a-w-  c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 13:19:58.59 ===============